Index
> Windows > Need help, how to copy PE file manually in memory. |
| Author |
|
|
revolution 22 Oct 2011, 15:56
VirtualAlloc is mostly the key here.
It is no big deal to copy the 512 byte file alignment format into the 4k byte memory alignment format. Even the relocations are pretty simple to do, if the file still have them included, so you don't even have to run at the predefined base address. |
|||
22 Oct 2011, 15:56 |
|
|
Overflowz 22 Oct 2011, 16:08
I know about VirtualProtect/Alloc/Free API calls. I need to copy PE file from disk to memory. as I know, PE on hard disk drive != PE in memory.
I need basic steps how to do it. Here's where I stuck. Code: 1) fill IMAGE_NT_HEADERS32 structure 2) allocate space for new executable with VirtualAlloc at address IMAGE_NT_HEADERS32.OptionalHeader.ImageBase 3) allocate IMAGE_NT_HEADERS32.OptionalHeader.SizeOfImage bytes 4) and then copy step by step but I don't know how to start. |
|||
|
22 Oct 2011, 16:08 |
|
|
MHajduk 22 Oct 2011, 17:09
|
|||
|
22 Oct 2011, 17:09 |
|
|
Overflowz 22 Oct 2011, 18:59
MHajduk
I understand Russian but I don't understand xinvoke macro. I'm noob at macroses. |
|||
|
22 Oct 2011, 18:59 |
|
|
Akujin 22 Oct 2011, 19:14
|
|||
|
22 Oct 2011, 19:14 |
|
|
MHajduk 22 Oct 2011, 19:18
As far as I understood, xinvoke macro is made for calling API functions from the import table which may be shifted by some "delta" vector in memory. This is a standard invoke macro modified a little.
Code: macro xinvoke proc,[arg] { common if ~ arg eq reverse pushd arg common end if call [ebx+_#proc-_delta] } |
|||
|
22 Oct 2011, 19:18 |
|
|
Overflowz 22 Oct 2011, 20:18
Akujin
I have that example already, translated into FASM. Thanks anyway 
MHajduk I was playing with that macro and I don't understand something.. I was debugging this app and I'll explain problems. Code: _msgbox dd ? msgaddr db "hello world!",0 start: invoke LoadLibrary,<"user32.dll",0> invoke GetProcAddress,eax,<"MessageBoxA",0> mov [_msgbox],eax call delta .delta: pop ebp sub ebp,.delta ;EBP = 0, what the point using it? mov eax,ebp add eax,msgaddr ;equals to mov eax,msgaddr - no point. push 0 push eax push eax push 0 call [ebp+_msgbox] ret strange is that, without .delta things, it doesn't work. Can someone explain me better what is happening here ? or what I'm doing wrong ? Thank you. |
|||
|
22 Oct 2011, 20:18 |
|
|
MHajduk 22 Oct 2011, 20:31
To me it has sense when you copy whole body of the ".delta" procedure somewhere else in the memory and then try to call it from the new location. Then ebp initially preserves the return address.
... and accordingly to the address stored in ebp we calculate proper begin of the message string and address of the MessageBox procedure. All these things are done to make executable code independent from the addresses calculated while compilation. |
|||
|
22 Oct 2011, 20:31 |
|
|
Overflowz 22 Oct 2011, 20:48
and if I need to execute compiled file in memory, is it same ?
|
|||
|
22 Oct 2011, 20:48 |
|
|
MHajduk 22 Oct 2011, 20:55
Overflowz wrote: and if I need to execute compiled file in memory, is it same ? |
|||
|
22 Oct 2011, 20:55 |
|
|
Overflowz 22 Oct 2011, 20:58
Well, I'm going to study on that now. Thank you very much!
 |
|||
|
22 Oct 2011, 20:58 |
|
|
MHajduk 22 Oct 2011, 21:00
Well, I hope I've helped you a bit.
|
|||
|
22 Oct 2011, 21:00 |
|
< Last Thread | Next Thread > |
Forum Rules:
|