flat assembler
Message board for the users of flat assembler.
baldr 16 Dec 2013, 14:42
DerTobi,
PE signature is a dword value, and it's not a part of IMAGE_FILE_HEADER structure (so you should add 4 before checking .Machine member).
DerTobi 16 Dec 2013, 16:32
baldr wrote: DerTobi,

Thx baldr, but instead of [esp+4] I want to write --> [esp+FileHeader.Machine], but it does not work. And finally I just want to read & save values from the optional header.

NEW EXE
+0  PE
 4  WORD   Machine;
 6  WORD   NumberOfSections;
 8  DWORD  TimeDateStamp;
 C  DWORD  PointerToSymbolTable;
10  DWORD  NumberOfSymbols;
14  WORD   SizeOfOptionalHeader;
16  WORD   Characteristics
baldr 16 Dec 2013, 17:35
DerTobi,
So what's the problem? After add esi, [esi+IMAGE_DOS_HEADER.e_lfanew] you may either address those fields as [esi+4+IMAGE_FILE_HEADER.field_name], or use virtual directive to give some meaningful names for them:

Code:
        add     esi, [esi+IMAGE_DOS_HEADER.e_lfanew]; now esi points to PE
        virtual at esi
          pe_signature rd 1
          file_hdr     IMAGE_FILE_HEADER
          optional_hdr IMAGE_OPTIONAL_HEADER
        end virtual
        cmp     [pe_signature], IMAGE_NT_SIGNATURE
        jne     @SubExit
        cmp     [file_hdr.Machine], IMAGE_FILE_MACHINE_I386
        jne     @SubExit
        ;and so on
DerTobi 16 Dec 2013, 20:14
Code:
format PE GUI 4.0
entry start

include 'win32ax.inc'

IMAGE_MZ_SIGNATURE      = 05A4Dh
IMAGE_NT_SIGNATURE      = 04550h
IMAGE_FILE_MACHINE_I386 = 014Ch

struct IMAGE_DOS_HEADER
  e_magic    dw ?
  e_cblp     dw ?
  e_cp       dw ?
  e_crlc     dw ?
  e_cparhdr  dw ?
  e_minalloc dw ?
  e_maxalloc dw ?
  e_ss       dw ?
  e_sp       dw ?
  e_csum     dw ?
  e_ip       dw ?
  e_cs       dw ?
  e_lfarlc   dw ?
  e_ovno     dw ?
  e_res      rw 4
  e_oemid    dw ?
  e_oeminfo  dw ?
  e_res2     rw 10
  e_lfanew   dd ?
ends

struct IMAGE_FILE_HEADER
  Machine              dw ?
  NumberOfSections     dw ?
  TimeDateStamp        dd ?
  PointerToSymbolTable dd ?
  NumberOfSymbols      dd ?
  SizeOfOptionalHeader dw ?
  Characteristics      dw ?
ends

struct IMAGE_DATA_DIRECTORY
  VirtualAddress dd ?
  isize          dd ?
ends

IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16

struct IMAGE_OPTIONAL_HEADER32
  Magic                       dw ?
  MajorLinkerVersion          db ?
  MinorLinkerVersion          db ?
  SizeOfCode                  dd ?
  SizeOfInitializedData       dd ?
  SizeOfUninitializedData     dd ?
  AddressOfEntryPoint         dd ?
  BaseOfCode                  dd ?
  BaseOfData                  dd ?
  ImageBase                   dd ?
  SectionAlignment            dd ?
  FileAlignment               dd ?
  MajorOperatingSystemVersion dw ?
  MinorOperatingSystemVersion dw ?
  MajorImageVersion           dw ?
  MinorImageVersion           dw ?
  MajorSubsystemVersion       dw ?
  MinorSubsystemVersion       dw ?
  Win32VersionValue           dd ?
  SizeOfImage                 dd ?
  SizeOfHeaders               dd ?
  CheckSum                    dd ?
  Subsystem                   dw ?
  DllCharacteristics          dw ?
  SizeOfStackReserve          dd ?
  SizeOfStackCommit           dd ?
  SizeOfHeapReserve           dd ?
  SizeOfHeapCommit            dd ?
  LoaderFlags                 dd ?
  NumberOfRvaAndSizes         dd ?
  DataDirectory               rb (sizeof.IMAGE_DATA_DIRECTORY*IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
ends

section '.data' data readable writeable

  pFileName  db 'test.exe',0
  pTitle     db 'Error:',0
  pMsg1      db 'File not found!',0
  hFile      dd ?
  pSize      dd ?
  pBytesRead dd ?
  pBuffer    rb 7000h

  dwSections             dw ?
  dwSizeOfOptionalHeader dw ?
  ddAddressOfEntryPoint  dd ?
  ddImageBase            dd ?

section '.idata' import data readable

  library kernel32,'KERNEL32.DLL',\
          user32,'USER32.DLL'

  include 'api\kernel32.inc'
  include 'api\user32.inc'

section '.text' code readable executable

start:
        ; +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
        ; + Read file to buffer
        ; +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
        invoke  CreateFile, pFileName, GENERIC_READ, FILE_SHARE_READ Or FILE_SHARE_WRITE,0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0
        .if eax = INVALID_HANDLE_VALUE
                invoke  MessageBox,NULL, pMsg1, pTitle ,MB_ICONERROR
                invoke  ExitProcess, 0
        .endif
        mov     [hFile], eax
        invoke  GetFileSize, [hFile], 0 ;
        mov     [pSize], eax
        invoke  ReadFile, [hFile], pBuffer, [pSize], pBytesRead, 0
        invoke  CloseHandle, [hFile]

        call    ReadPE

@Exit:
        invoke  ExitProcess, 0
        ret

proc ReadPE
        pushad
        mov     esi,pBuffer
        xor     edx, edx

        ; cmp word [esi],IMAGE_MZ_SIGNATURE ; MZ
        ; jnz @SubExit
        .if word [esi] <> IMAGE_MZ_SIGNATURE
                jmp     @SubExit
        .endif

        ; ESI = MZ
        ; ++++++++++++++++++++++++++++++++++++++++++
        add     esi, [esi+IMAGE_DOS_HEADER.e_lfanew]; now esi points to PE
        virtual at esi
          pe_signature rd 1
          file_hdr     IMAGE_FILE_HEADER
          optional_hdr IMAGE_OPTIONAL_HEADER32
        end virtual

        cmp     [pe_signature], IMAGE_NT_SIGNATURE
        jne     @SubExit
        cmp     [file_hdr.Machine], IMAGE_FILE_MACHINE_I386
        jne     @SubExit

        ; does not work here!
        mov     word [dwSections], word [file_hdr.NumberOfSections]

        ;works
        ;add ax ,word [file_hdr.NumberOfSections]
        ;mov [dwSections],ax
        nop

@SubExit:
        popad
        ret
endp

Next problem
baldr 16 Dec 2013, 20:56
DerTobi,
There is no mov mem32, mem32 instruction in Intel x86-32 set. Read CPU manuals.
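
The header walk discussed in this thread, as an added C example that is not part of the original posts: it reads the dword signature at e_lfanew, the IMAGE_FILE_HEADER 4 bytes after it and the first IMAGE_OPTIONAL_HEADER32 fields, checking every offset against the buffer length because e_lfanew and SizeOfOptionalHeader come from the file. The names pe_info, read_pe32 and make_sample and the sample values are this example's own; 010Bh is the PE32 optional-header magic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct {                 /* fields saved from the headers (names are this example's) */
    uint16_t machine, sections, opt_size;
    uint32_t entry_rva, image_base;
} pe_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Returns 0 on success, a negative code for a malformed or non-PE32/i386 image. */
int read_pe32(const uint8_t *buf, size_t len, pe_info *out) {
    if (len < 0x40 || rd16(buf) != 0x5A4D) return -1;       /* IMAGE_MZ_SIGNATURE */
    uint32_t lfanew = rd32(buf + 0x3C);                      /* e_lfanew comes from the file */
    if (lfanew > len || len - lfanew < 24) return -2;        /* signature (4) + file header (20) */
    if (rd32(buf + lfanew) != 0x00004550) return -3;         /* IMAGE_NT_SIGNATURE is a dword */
    const uint8_t *fh = buf + lfanew + 4;                    /* file header follows the signature */
    if (rd16(fh) != 0x014C) return -4;                       /* IMAGE_FILE_MACHINE_I386 */
    out->machine  = rd16(fh);
    out->sections = rd16(fh + 2);
    out->opt_size = rd16(fh + 16);
    /* optional header must lie inside the buffer and reach ImageBase (offsets 28..31) */
    if (out->opt_size < 32 || len - lfanew - 24 < out->opt_size) return -5;
    const uint8_t *oh = fh + 20;
    if (rd16(oh) != 0x010B) return -6;                       /* PE32 optional-header magic */
    out->entry_rva  = rd32(oh + 16);                         /* AddressOfEntryPoint */
    out->image_base = rd32(oh + 28);                         /* ImageBase */
    return 0;
}

/* Constructed sample: headers only, e_lfanew = 80h, 3 sections (not a loadable file). */
size_t make_sample(uint8_t *b, size_t cap) {
    if (cap < 0x80 + 24 + 0xE0) return 0;
    memset(b, 0, cap);
    wr32(b, 0x5A4D);  wr32(b + 0x3C, 0x80);
    uint8_t *fh = b + 0x80 + 4, *oh = fh + 20;
    wr32(b + 0x80, 0x4550);
    wr32(fh, 0x0003014C);            /* Machine = 014Ch, NumberOfSections = 3 */
    wr32(fh + 16, 0x00E0);           /* SizeOfOptionalHeader = 0E0h, Characteristics = 0 */
    wr32(oh, 0x010B);
    wr32(oh + 16, 0x1000);           /* AddressOfEntryPoint */
    wr32(oh + 28, 0x00400000);       /* ImageBase */
    return 0x80 + 24 + 0xE0;
}
```
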
Copyright © 1999-2023, Tomasz Grysztar.