flat assembler
Message board for the users of flat assembler.

Strange Anti-Debugging Technique

Overflowz
Joined: 03 Sep 2010
Posts: 1046
I have read that documentation and I'm asking if I'm going well. Is that true, what I did? Because 0 is the offset of the IAT, and after doing something like this:
Code:
section '.idata' import data readable

This means:
Code:
data 0
   .OriginalFirstThunk  dd  0
   .TimeDateStamp       dd  0
   .ForwarderChain      dd  0
   .Name                dd  dname
   .FirstThunk          dd  iname
end data

Am I going well?
import builds the IAT structure and fills it with the used API calls there. But I don't know what data does. I mean: "import data readable writeable"
Post 11 Aug 2011, 18:44
Enko
Joined: 03 Apr 2007
Posts: 678
Location: Mar del Plata
You need to look again at the optional section header table. 0 is not the IAT.
Post 11 Aug 2011, 19:08
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
It tells fasm to treat that space as data, not code.
Post 11 Aug 2011, 19:59
Enko
The "data ... end data" block is not the same as "section ... data readable ...".
Quote:

data directive begins the definition of special PE data, it should be followed by one of the data identifiers (export, import, resource or fixups) or by the number of data entry in PE header. The data should be defined in next lines, ended with end data
Post 11 Aug 2011, 20:36
Overflowz
Enko
Damn, sorry. It's the EAT.
If I built that PE section manually with the data directive, it would do the same as "section '.text' ...".
typedef
What's the difference between data and code? I can execute code in a data section too without any problems.
Post 12 Aug 2011, 10:00
vid
Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
Sections and data directories are two different things in the PE structure. A data directory might reside in its own section or not; it often does, and that's what might be confusing you. Try to build, or at least study, some PE from scratch.
Post 12 Aug 2011, 12:06
Overflowz
vid
Ok, thanks, I'll study it.
edit:
One more question: is it possible to inject TLS into an executable manually? I did an experiment and I saw that some code was modified when a TLS callback was added.
Post 12 Aug 2011, 13:07
Enko
Yes, it should be possible to add a TLS. You need to change the optional header to point to the TLS directory and then make the TLS directory in some empty space.

Try using CFF Explorer. You can add sections, fill them with data and edit the optional header.
Post 13 Aug 2011, 13:48
Overflowz
Enko
I'm already using CFF Explorer, it's the best tool for working with PE files. Thanks, I'm going to try that.
P.S. Sorry for the late reply, I was on holidays.
Post 16 Aug 2011, 09:52
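The data directory numbering the thread turns on (entry 0 in the optional header is the export table, not the IAT; the import table is entry 1 and the TLS table entry 9), as an added Python example that is not from this thread or from fasm: a minimal parser that reads those three entries straight from a PE header and flags a populated TLS directory, which is where the TLS callbacks mentioned above are declared and a cheap thing to check when triaging a binary. The `build_sample_pe32` helper constructs a placeholder, header-only image so the example runs offline; its field values are made up, not a real binary.

```python
import struct

# Indices into the optional header's data directory table (IMAGE_DIRECTORY_ENTRY_*):
# entry 0 is the export table, entry 1 the import table, entry 9 the TLS table.
DIR_NAMES = {0: "EXPORT", 1: "IMPORT", 9: "TLS"}
DIR_TLS = 9

def parse_data_directories(image):
    """Return {name: (rva, size)} for the export, import and TLS entries (PE32 or PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("missing DOS header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 4 + 20                                   # skip COFF file header
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic == 0x10B:                                          # PE32
        count_off, dirs_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:                                        # PE32+
        count_off, dirs_off = opt_off + 108, opt_off + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    count = struct.unpack_from("<I", image, count_off)[0]      # NumberOfRvaAndSizes
    result = {}
    for idx, name in DIR_NAMES.items():
        if idx < count:                                         # table may be shorter than 16
            result[name] = struct.unpack_from("<II", image, dirs_off + 8 * idx)
    return result

def has_tls_directory(image):
    """A non-empty TLS directory is where TLS callbacks (a known anti-debug hook) live."""
    return parse_data_directories(image).get("TLS", (0, 0)) != (0, 0)

def build_sample_pe32(tls_rva=0, tls_size=0):
    """Constructed, header-only PE32 image for the demo; placeholder values, not a real binary."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, 0x1000, 0x1000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200,
                       4, 0, 0, 0, 4, 0, 0, 0x3000, 0x400, 0, 2, 0,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[DIR_TLS] = (tls_rva, tls_size)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    return dos + b"PE\0\0" + coff + opt

if __name__ == "__main__":
    for img in (build_sample_pe32(), build_sample_pe32(tls_rva=0x3000, tls_size=0x18)):
        print(parse_data_directories(img), "TLS present:", has_tls_directory(img))
```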
Copyright © 1999-2020, Tomasz Grysztar.