Need help, how to copy PE file manually in memory.

Index > Windows > Need help, how to copy PE file manually in memory.

Author

Thread

Overflowz

Joined: 03 Sep 2010
Posts: 1044

Overflowz 22 Oct 2011, 15:40

hi, I'm trying to copy executable in memory manually, like windows loader does. I had already created new thread before, but it was based on relocations. Now, I'm trying to do that, which will be based on base address. for example, if normal program runs with base address of 0x400000, then I would copy all it's contents to memory step by step at 0x400000 address and will launch successful. The problem is which steps should I do first ? I'm trying to understand PE file format deeper, but I don't understand a lot. I'm learning it everyday, trying to understand what I missed before and trying to play with them. I need only method how should I do it, not the source code. Thank you Smile

22 Oct 2011, 15:40

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20685
Location: In your JS exploiting you and your system

revolution 22 Oct 2011, 15:56

VirtualAlloc is mostly the key here.

It is no big deal to copy the 512 byte file alignment format into the 4k byte memory alignment format. Even the relocations are pretty simple to do, if the file still have them included, so you don't even have to run at the predefined base address.

22 Oct 2011, 15:56

Overflowz

Joined: 03 Sep 2010
Posts: 1044

Overflowz 22 Oct 2011, 16:08

I know about VirtualProtect/Alloc/Free API calls. I need to copy PE file from disk to memory. as I know, PE on hard disk drive != PE in memory.
I need basic steps how to do it. Here's where I stuck.

Code:

1) fill IMAGE_NT_HEADERS32 structure
2) allocate space for new executable with VirtualAlloc at address IMAGE_NT_HEADERS32.OptionalHeader.ImageBase
3) allocate IMAGE_NT_HEADERS32.OptionalHeader.SizeOfImage bytes
4) and then copy step by step but I don't know how to start.

22 Oct 2011, 16:08

MHajduk

Joined: 30 Mar 2006
Posts: 6113
Location: Poland

MHajduk 22 Oct 2011, 17:09

If you speak Russian this article may help you:

http://www.wasm.ru/article.php?article=memfile

22 Oct 2011, 17:09

Overflowz

Joined: 03 Sep 2010
Posts: 1044

Overflowz 22 Oct 2011, 18:59

MHajduk
I understand Russian but I don't understand xinvoke macro. I'm noob at macroses.

22 Oct 2011, 18:59

Akujin

Joined: 11 Oct 2011
Posts: 26
Location: Exile

Akujin 22 Oct 2011, 19:14

http://www.masm32.com/board/index.php?topic=3150.0

22 Oct 2011, 19:14

MHajduk

Joined: 30 Mar 2006
Posts: 6113
Location: Poland

MHajduk 22 Oct 2011, 19:18

As far as I understood, xinvoke macro is made for calling API functions from the import table which may be shifted by some "delta" vector in memory. This is a standard invoke macro modified a little.

Code:

macro xinvoke proc,[arg]                    
  {                                         
    common
      if ~ arg eq
    reverse
      pushd arg
    common
      end if
    call [ebx+_#proc-_delta]
  }

All these "magic" directives preceding "call [ebx+_#proc-_delta]" are there only for proper management of the various number of the procedure arguments (when the given procedure has no parameters then we get only "call [ebx+_#proc-_delta]" but when number of arguments is non-zero we push them all in the reversed order before the procedure call).

22 Oct 2011, 19:18

Overflowz

Joined: 03 Sep 2010
Posts: 1044

Overflowz 22 Oct 2011, 20:18

Akujin
I have that example already, translated into FASM. Thanks anyway Wink

MHajduk
I was playing with that macro and I don't understand something.. I was debugging this app and I'll explain problems.

Code:

_msgbox dd ?
msgaddr db "hello world!",0
start:
invoke LoadLibrary,<"user32.dll",0>
invoke GetProcAddress,eax,<"MessageBoxA",0>
mov [_msgbox],eax 
call delta
.delta:
pop ebp
sub ebp,.delta ;EBP = 0, what the point using it?
mov eax,ebp
add eax,msgaddr ;equals to mov eax,msgaddr - no point.
push 0
push eax
push eax
push 0
call [ebp+_msgbox]
ret

strange is that, without .delta things, it doesn't work. Can someone explain me better what is happening here ? or what I'm doing wrong ? Thank you.

22 Oct 2011, 20:18

MHajduk

Joined: 30 Mar 2006
Posts: 6113
Location: Poland

MHajduk 22 Oct 2011, 20:31

To me it has sense when you copy whole body of the ".delta" procedure somewhere else in the memory and then try to call it from the new location. Then ebp initially preserves the return address.

... and accordingly to the address stored in ebp we calculate proper begin of the message string and address of the MessageBox procedure.

All these things are done to make executable code independent from the addresses calculated while compilation.

22 Oct 2011, 20:31

Overflowz

Joined: 03 Sep 2010
Posts: 1044

Overflowz 22 Oct 2011, 20:48

and if I need to execute compiled file in memory, is it same ?

22 Oct 2011, 20:48

MHajduk

Joined: 30 Mar 2006
Posts: 6113
Location: Poland

MHajduk 22 Oct 2011, 20:55

Overflowz wrote:

and if I need to execute compiled file in memory, is it same ?

In the article I have mentioned above such a relocatable code is used because code loaded from a file and then executed may destroy the original program, so the extractor's procedures have to be relocated in memory to some "safe" place and then run from this new location.

22 Oct 2011, 20:55

Overflowz

Joined: 03 Sep 2010
Posts: 1044

Overflowz 22 Oct 2011, 20:58

Well, I'm going to study on that now. Thank you very much! Smile

22 Oct 2011, 20:58

MHajduk

Joined: 30 Mar 2006
Posts: 6113
Location: Poland

MHajduk 22 Oct 2011, 21:00

Well, I hope I've helped you a bit. Wink

22 Oct 2011, 21:00

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum