flat assembler
Message board for the users of flat assembler.

Index > Windows > Need help, how to copy PE file manually in memory.

Author
Thread Post new topic Reply to topic
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 22 Oct 2011, 15:40
hi, I'm trying to copy executable in memory manually, like windows loader does. I had already created new thread before, but it was based on relocations. Now, I'm trying to do that, which will be based on base address. for example, if normal program runs with base address of 0x400000, then I would copy all it's contents to memory step by step at 0x400000 address and will launch successful. The problem is which steps should I do first ? I'm trying to understand PE file format deeper, but I don't understand a lot. I'm learning it everyday, trying to understand what I missed before and trying to play with them. I need only method how should I do it, not the source code. Thank you Smile
Post 22 Oct 2011, 15:40
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 22 Oct 2011, 15:56
VirtualAlloc is mostly the key here.

It is no big deal to copy the 512 byte file alignment format into the 4k byte memory alignment format. Even the relocations are pretty simple to do, if the file still have them included, so you don't even have to run at the predefined base address.
Post 22 Oct 2011, 15:56
View user's profile Send private message Visit poster's website Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 22 Oct 2011, 16:08
I know about VirtualProtect/Alloc/Free API calls. I need to copy PE file from disk to memory. as I know, PE on hard disk drive != PE in memory.
I need basic steps how to do it. Here's where I stuck.
Code:
1) fill IMAGE_NT_HEADERS32 structure
2) allocate space for new executable with VirtualAlloc at address IMAGE_NT_HEADERS32.OptionalHeader.ImageBase
3) allocate IMAGE_NT_HEADERS32.OptionalHeader.SizeOfImage bytes
4) and then copy step by step but I don't know how to start.    
Post 22 Oct 2011, 16:08
View user's profile Send private message Reply with quote
MHajduk



Joined: 30 Mar 2006
Posts: 6115
Location: Poland
MHajduk 22 Oct 2011, 17:09
If you speak Russian this article may help you:

http://www.wasm.ru/article.php?article=memfile
Post 22 Oct 2011, 17:09
View user's profile Send private message Visit poster's website Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 22 Oct 2011, 18:59
MHajduk
I understand Russian but I don't understand xinvoke macro. I'm noob at macroses.
Post 22 Oct 2011, 18:59
View user's profile Send private message Reply with quote
Akujin



Joined: 11 Oct 2011
Posts: 26
Location: Exile
Akujin 22 Oct 2011, 19:14
Post 22 Oct 2011, 19:14
View user's profile Send private message Visit poster's website Reply with quote
MHajduk



Joined: 30 Mar 2006
Posts: 6115
Location: Poland
MHajduk 22 Oct 2011, 19:18
As far as I understood, xinvoke macro is made for calling API functions from the import table which may be shifted by some "delta" vector in memory. This is a standard invoke macro modified a little.
Code:
macro xinvoke proc,[arg]                    
  {                                         
    common
      if ~ arg eq
    reverse
      pushd arg
    common
      end if
    call [ebx+_#proc-_delta]
  }    
All these "magic" directives preceding "call [ebx+_#proc-_delta]" are there only for proper management of the various number of the procedure arguments (when the given procedure has no parameters then we get only "call [ebx+_#proc-_delta]" but when number of arguments is non-zero we push them all in the reversed order before the procedure call).
Post 22 Oct 2011, 19:18
View user's profile Send private message Visit poster's website Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 22 Oct 2011, 20:18
Akujin
I have that example already, translated into FASM. Thanks anyway Wink
MHajduk
I was playing with that macro and I don't understand something.. I was debugging this app and I'll explain problems.
Code:
_msgbox dd ?
msgaddr db "hello world!",0
start:
invoke LoadLibrary,<"user32.dll",0>
invoke GetProcAddress,eax,<"MessageBoxA",0>
mov [_msgbox],eax 
call delta
.delta:
pop ebp
sub ebp,.delta ;EBP = 0, what the point using it?
mov eax,ebp
add eax,msgaddr ;equals to mov eax,msgaddr - no point.
push 0
push eax
push eax
push 0
call [ebp+_msgbox]
ret    

strange is that, without .delta things, it doesn't work. Can someone explain me better what is happening here ? or what I'm doing wrong ? Thank you.
Post 22 Oct 2011, 20:18
View user's profile Send private message Reply with quote
MHajduk



Joined: 30 Mar 2006
Posts: 6115
Location: Poland
MHajduk 22 Oct 2011, 20:31
To me it has sense when you copy whole body of the ".delta" procedure somewhere else in the memory and then try to call it from the new location. Then ebp initially preserves the return address.

... and accordingly to the address stored in ebp we calculate proper begin of the message string and address of the MessageBox procedure.

All these things are done to make executable code independent from the addresses calculated while compilation.
Post 22 Oct 2011, 20:31
View user's profile Send private message Visit poster's website Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 22 Oct 2011, 20:48
and if I need to execute compiled file in memory, is it same ?
Post 22 Oct 2011, 20:48
View user's profile Send private message Reply with quote
MHajduk



Joined: 30 Mar 2006
Posts: 6115
Location: Poland
MHajduk 22 Oct 2011, 20:55
Overflowz wrote:
and if I need to execute compiled file in memory, is it same ?
In the article I have mentioned above such a relocatable code is used because code loaded from a file and then executed may destroy the original program, so the extractor's procedures have to be relocated in memory to some "safe" place and then run from this new location.
Post 22 Oct 2011, 20:55
View user's profile Send private message Visit poster's website Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 22 Oct 2011, 20:58
Well, I'm going to study on that now. Thank you very much! Smile
Post 22 Oct 2011, 20:58
View user's profile Send private message Reply with quote
MHajduk



Joined: 30 Mar 2006
Posts: 6115
Location: Poland
MHajduk 22 Oct 2011, 21:00
Well, I hope I've helped you a bit. Wink
Post 22 Oct 2011, 21:00
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.