Index
> Windows > [PE Format] Getting offset insaid a file |
| Author |
|
|
mindcooler
Your loaded exe or some other?
|
|||
23 Nov 2011, 00:07 |
|
|
typedef
Code: mov eax,[400000h] eax = IMAGE_DOS_HEADER or GetModuleHandle(0) == 'PE' IMAGE_FILE_HEADER Traverse through that and find the entry point/start address of your code Last edited by typedef on 23 Nov 2011, 13:28; edited 1 time in total |
|||
|
23 Nov 2011, 10:13 |
|
|
marcinzabrze12
@mindcooler yes im loaded exe.
@typedef it is value of e_ip field im right ? |
|||
|
23 Nov 2011, 10:56 |
|
|
mindcooler
e_lfanew=60 is the ofset to the PE image. BaseOfCode is 44 bytes into PE structure, inside the optional header.
|
|||
|
23 Nov 2011, 11:15 |
|
|
DOS386
Quote: In this way i getting absolutely address in memory but i need to get offset of start label in file. You must look at both the section table and the directories to localize stuff inside PE. And you must carefully check every single value for validity: is the address inside any section ? is the section completely inside the file ? |
|||
|
23 Nov 2011, 13:54 |
|
|
marcinzabrze12
So what i do wrong in this code :
Code: format pe gui 4.0 entry start include 'win32ax.inc' section '.idata' import data readable library kernel32,'kernel32',user32,'user32' include 'api\kernel32.inc' include 'api\user32.inc' section '.data' data readable writeable textbuffer TCHAR 30 dup 0 section '.text' code readable executable start: mov ebx, 400000h ; EBX = IMAGE_DOS_HEADER add ebx, IMAGE_DOS_HEADER.e_lfanew ; [EBX] = is the offset to the PE image ; in this case = 80h mov eax, [ebx] add eax, 400000h ; EAX = IMAGE_NT_HEADERS32 add eax, IMAGE_NT_HEADERS32.OptionalHeader; EAX = IMAGE_OPTIONAL_HEADER32 add eax, IMAGE_OPTIONAL_HEADER32.AddressOfEntryPoint ; EAX = RVA (EntryPoint) = 3000h in this case add eax, 400000h ; EAX = VA (EntryPoint) cinvoke wsprintf, textbuffer, '%x', dword [eax] ; NOW IS CRASH stdcall msg, textbuffer invoke ExitProcess, 0 proc msg stdcall, message invoke MessageBox, 0, [message], '#PROGRAM INFO',0 ret endp |
|||
|
03 Dec 2011, 23:14 |
|
|
mindcooler
You're adding $400000 twice to address of entrypoint address.
Code: mov ebx, 400000h ; EBX = IMAGE_DOS_HEADER add ebx, 60 ; [EBX] = is the offset to the PE image ; in this case = 80h mov eax, [ebx] add eax, 400000h ; EAX = IMAGE_NT_HEADERS32 add eax, 44 mov eax,[eax] add eax, 400000h ; EAX = VA (EntryPoint) cinvoke wsprintf, textbuffer, '%x', eax ; NOW IS CRASH _________________ This is a block of text that can be added to posts you make. Last edited by mindcooler on 23 Dec 2011, 01:11; edited 1 time in total |
|||
|
04 Dec 2011, 03:24 |
|
|
typedef
here's a self hexing C code I wrote a while ago maybe you can look and pick something up from it
Code: #define BASE 0x400000 // base address of image #define ENTRY 0x4000A8 // offset to entry point (BASE + (int*)(0x400000)) #define PEHDR 0x400080 // address of pe header #define SIZE 0x40009C // size of code #define CBASE 0x4000AC // BaseOfCode #include <stdio.h> #define CODEBASE(base) \ __asm mov eax, [CBASE] \ __asm add eax, BASE \ __asm mov base, eax #define ENTRYPOINT(pointer) \ __asm mov eax, [ENTRY] \ __asm add eax, BASE \ __asm mov pointer, eax \ #define CODESIZE(size) \ __asm mov eax, [SIZE] \ __asm mov size, eax int main(int argc, char *argv[]) { int size; char * temp; char * dump; int EntryPoint; ENTRYPOINT(EntryPoint); CODESIZE(size); CODEBASE(dump); printf("size: %i\n",size); printf("Entry: 0x%P\n\n\nDumping code from Base of code: 0x400100\n\n",EntryPoint); for(int i =0; i < size; i++) { printf("%P: ",dump); temp = dump; for(int x = 0; x < 16; x++) { printf("%02X ",(unsigned char)temp[x]); } printf("\n"); dump+=16; getchar(); } return 0; } |
|||
|
04 Dec 2011, 04:14 |
|
|
marcinzabrze12
Ok, thanks i can understand it. I have just one more question:
How VA address converted to RAW ? On this same example We have VA (EntryPoint): Code: section '.text' code readable executable start: mov ebx, 400000h ; EBX = IMAGE_DOS_HEADER add ebx, IMAGE_DOS_HEADER.e_lfanew ; [EBX] = is the offset to the PE image ; in this case = 80h mov eax, [ebx] add eax, 400000h ; EAX = VA (IMAGE_NT_HEADERS32) add eax, 44 mov eax, [eax] add eax, 400000h ; EAX = VA (EntryPoint) cinvoke wsprintf, textbuffer, '%x', eax stdcall msg, textbuffer invoke ExitProcess, 0 I know that it is described on MSDN but my english is terrible ... most easy to understand for me is on the example Last edited by marcinzabrze12 on 05 Dec 2011, 04:05; edited 1 time in total |
|||
|
04 Dec 2011, 19:28 |
|
|
Overflowz
VA = RVA + ImageBase
RVA = VA - ImageBase ... |
|||
|
04 Dec 2011, 20:22 |
|
|
marcinzabrze12
sorry i think about RAW not RVA
|
|||
|
05 Dec 2011, 04:04 |
|
|
Overflowz
|
|||
|
05 Dec 2011, 07:30 |
|
|
marcinzabrze12
thanks overflowz i have everything now.
|
|||
|
05 Dec 2011, 17:59 |
|
< Last Thread | Next Thread > |
Forum Rules:
|