flat assembler
Message board for the users of flat assembler.
Windows > Adding code to section
AssemblerX86 14 Sep 2015, 13:39
.removed.
Last edited by AssemblerX86 on 24 Sep 2015, 13:41; edited 1 time in total
AssemblerX86 14 Sep 2015, 17:39
revolution wrote: In the general case it won't work for a number of reasons.
So the only way to inject new code (into a PE without DLLs) is to put it in a code cave?
l_inc 14 Sep 2015, 23:57
AssemblerX86
As I already explained here you can relatively safely shift sections, if the executable has relocations. Otherwise you can add a section at the end, provided the executable does not have an overlay.
Quote: I can't add the instructions to a code-cave since the hack won't work this way.
Why not?
P.S. Please, don't quote my whole post.
_________________
Faith is a superposition of knowledge and fallacy
AssemblerX86 15 Sep 2015, 16:23
l_inc wrote: AssemblerX86
I have tried creating a new section and adding a JMP (0xE9) in .text to jump to the first byte of the new section; the PE crashes when I execute it. Can you give me the data in the PE header I need to change so I can go over them? Also, no need to add 0x66 if I am jumping to a faraway address? I mean I need the address to be 4 bytes long.
l_inc 15 Sep 2015, 18:19
AssemblerX86
Quote: The PE crashes when I execute it
As I already told you, you did something wrong. My telepathy skills aren't good enough to guess without seeing the modified executable.
Quote: Can you give me the data in PE header I need to change so I can go over them?
I enumerated the fields here. There's no need to fix more in general.
Quote: Also, no need to add 0x66 if I am jumping to a faraway address?
As I already told you, $66 will crash the program, because it limits the destination address to 2 bytes. If you still put it, it's the reason for the program to crash.
_________________
Faith is a superposition of knowledge and fallacy
revolution 15 Sep 2015, 23:36
You might want to alter the entry point.
Change the entry point to the beginning of your runtime patching code, and copy the previous entry point into your code to run the original startup code.
AssemblerX86 16 Sep 2015, 15:55
revolution wrote: You might want to alter the entry point.
What startup code? You mean the 0xE9? If I leave the entry point unchanged, how would it matter if the address of .text is not changed? I just put the first 5 bytes of .text to the 0xE9 instruction followed by the address of the new section which has the code .text had, is that right?
revolution 17 Sep 2015, 01:41
The first 5 bytes of the .text section might not be the entry point.
ACP 17 Sep 2015, 07:15
AssemblerX86, did you read this quite old article? https://msdn.microsoft.com/en-us/library/ms809762.aspx It explains a lot about basic PE structure and functionality. That would be a good starting point together with PE+ file format; the document is available for download from MSDN site.
AssemblerX86 17 Sep 2015, 15:42
revolution wrote: The first 5 bytes of the .text section might not be the entry point.
Ohhh, OK now I get it, so the entry point is where I should add the code for JMP since it's going to be executed there. And I get the entry point from the PE header. Will try that.
ACP wrote: AssemblerX86, did you read this quite old article? https://msdn.microsoft.com/en-us/library/ms809762.aspx It explains a lot about basic PE structure and functionality. That would be a good starting point together with PE+ file format; the document is available for download from MSDN site.
I didn't read this article but I have read and learned a lot about PE files from different resources, I also have a reference for each data in the header. Thanks anyways
revolution 17 Sep 2015, 15:55
AssemblerX86 wrote: Ohhh, OK now I get it, so the entry point is where I should add the code for JMP since it's going to be executed there. And I get the entry point from the PE header. Will try that.
AssemblerX86 17 Sep 2015, 17:24
revolution wrote: I think you should change the entry point, not the code at the entry point. The code there could be anything, you can't simply assume it will be what you expect.
Let's say I put the 0xE9 instruction in the PE entry point, how should I calculate the address to jump to? And should I jump to the entry point of the new section so it can be executable or the beginning of it? Currently I am doing:
0xE9 <((Entrypoint - .text virtual address) + .newsection virtual address) - (EntryPoint + 5)>
I know mathematically EntryPoint will become 0, but that's just for explanation.
l_inc 17 Sep 2015, 17:31
revolution
Quote: The code there could be anything, you can't simply assume it will be what you expect.
It's not that much of a problem to copy the overwritten executable code back in memory and pass control to it. In some cases this makes sense, cause some antiviral software might have a critical look at images with an entry point pointing to the last section, which is additionally a second executable section.
_________________
Faith is a superposition of knowledge and fallacy
revolution 18 Sep 2015, 00:46
l_inc wrote: It's not that much of a problem to copy the overwritten executable code back in memory and pass control to it. In some cases this makes sense, cause some antiviral software might have a critical look at images with an entry point pointing to the last section, which is additionally a second executable section.
AssemblerX86 18 Sep 2015, 13:59
Guys I have done it and the code seems correct (tried disassembling the code and seeing where JMP leads).
The problem is that, when I try a debugger, it says that it can't reach that address since it's not loaded (radare2 JMPs to 0x00000000).
revolution 18 Sep 2015, 14:02
Show your code. We don't know what you did.
AssemblerX86 18 Sep 2015, 14:32
revolution wrote: Show your code. We don't know what you did.
Never mind. How can I convert a virtual address in a section to be an equivalent address in another section? If I get this right I guess everything should work. Currently I am doing:
(address - .text virtual address) + newsection virtual address
Is that right?
revolution 18 Sep 2015, 15:00
JMP is relative so the absolute address is not needed.
Something like: (target RVA - source RVA)
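To make the displacement arithmetic in this exchange concrete, here is an added Python example (not code from the thread or from any poster): it encodes an E9 near jump from a source RVA to a target RVA, decodes a jump back to the address it lands on, applies the section-to-section translation formula quoted above, and shows why the 0x66 prefix l_inc warned about sends execution to a truncated address. All RVAs and section addresses in it are constructed values, not taken from any real binary.

```python
import struct


def jmp_rel32(source_rva, target_rva):
    """Encode a near JMP (opcode E9) placed at source_rva that lands on target_rva.

    The 32-bit displacement is measured from the end of the 5-byte instruction,
    so it is target - (source + 5), not simply target - source.
    """
    disp = target_rva - (source_rva + 5)
    if not -0x80000000 <= disp <= 0x7FFFFFFF:
        raise ValueError("target is out of rel32 range")
    return b"\xE9" + struct.pack("<i", disp)  # signed little-endian displacement


def jmp_target(code, at_address):
    """Decode the bytes of a JMP located at at_address and return where it lands.

    Handles the plain E9 rel32 form and the 66 E9 rel16 form. With the
    operand-size prefix a 32-bit CPU truncates EIP to 16 bits, which is why a
    '66 E9' patch ends up at an unmapped address and the program crashes.
    Returns None if the bytes are not a near jump.
    """
    if len(code) >= 5 and code[0] == 0xE9:
        disp, = struct.unpack_from("<i", code, 1)
        return (at_address + 5 + disp) & 0xFFFFFFFF
    if len(code) >= 4 and code[0] == 0x66 and code[1] == 0xE9:
        disp, = struct.unpack_from("<h", code, 2)
        return (at_address + 4 + disp) & 0xFFFF  # destination limited to 2 bytes
    return None


def translate_rva(rva, src_section_va, dst_section_va):
    """Map an RVA inside one section to the RVA at the same offset in another
    section: the '(address - .text VA) + newsection VA' formula from the thread."""
    return rva - src_section_va + dst_section_va


def entry_redirect(entry_rva, text_va, new_va):
    """Bytes for the entry point that continue at the copy of the entry code in
    the new section, plus the RVA they land on; checked by decoding them again."""
    target = translate_rva(entry_rva, text_va, new_va)
    patch = jmp_rel32(entry_rva, target)
    assert jmp_target(patch, entry_rva) == target  # round-trip sanity check
    return patch, target


if __name__ == "__main__":
    # constructed values: entry at RVA 0x1010 in .text (VA 0x1000), new section at VA 0x3000
    patch, target = entry_redirect(0x1010, 0x1000, 0x3000)
    print(patch.hex(" "), "->", hex(target))
    # the same displacement bytes behind a 0x66 prefix land somewhere else entirely
    print(hex(jmp_target(b"\x66" + patch[:3], 0x401010)))
```

The decoder is the check AssemblerX86 describes doing by hand with a disassembler: feed it the five patched bytes and the RVA they sit at, and it must return the RVA of the copied entry code; if it does not, the displacement was computed from the wrong base.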
l_inc 18 Sep 2015, 15:31
revolution
Quote: AVs also frown upon writing to an executable section.
Writing to an executable section is too common (in particular among packers) to be suspicious about it. Besides, detecting this requires code emulation, while detecting an entry point in the last section is a simple static analysis check.
_________________
Faith is a superposition of knowledge and fallacy
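The facts this thread keeps returning to (does the image carry base relocations, does it have an overlay, and does the entry point sit in an extra executable section appended at the end, the static check l_inc describes) can all be read straight from the PE headers. The following Python is an added example, not code from the thread or from any poster: it parses the DOS, COFF, optional (PE32 or PE32+) and section headers and evaluates those three facts. The two images it analyses are constructed in memory by build_sample_pe so the script runs offline; they are test data, not real binaries.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
DIR_BASERELOC = 5  # index of the base relocation entry in the data directory


def parse_pe(data):
    """Read the DOS, COFF, optional (PE32/PE32+) and section headers of an image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    entry, = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint (an RVA)
    # NumberOfRvaAndSizes and the data directory sit further in for PE32+ (magic 0x20B)
    ndirs_off, dirs_off = (opt + 92, opt + 96) if magic == 0x10B else (opt + 108, opt + 112)
    ndirs, = struct.unpack_from("<I", data, ndirs_off)
    reloc_size = 0
    if ndirs > DIR_BASERELOC:
        _, reloc_size = struct.unpack_from("<II", data, dirs_off + 8 * DIR_BASERELOC)
    sections = []
    for i in range(nsec):  # section table follows the optional header, 40 bytes each
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize or rawsize, "rawptr": rawptr, "rawsize": rawsize,
                         "exec": bool(flags & IMAGE_SCN_MEM_EXECUTE)})
    return {"entry": entry, "relocs_stripped": bool(chars & IMAGE_FILE_RELOCS_STRIPPED),
            "reloc_dir_size": reloc_size, "sections": sections, "file_size": len(data)}


def section_index_of(pe, rva):
    """Index of the section whose virtual range covers rva, or None (e.g. the headers)."""
    for i, s in enumerate(pe["sections"]):
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return i
    return None


def assess(pe):
    """Relocations present, overlay present, and where the entry point lives."""
    raw_end = max((s["rawptr"] + s["rawsize"] for s in pe["sections"] if s["rawsize"]), default=0)
    idx = section_index_of(pe, pe["entry"])
    exec_sections = sum(s["exec"] for s in pe["sections"])
    last = len(pe["sections"]) - 1
    return {
        "has_relocations": pe["reloc_dir_size"] > 0 and not pe["relocs_stripped"],
        "has_overlay": pe["file_size"] > raw_end,  # bytes beyond the last section's raw data
        "entry_section": None if idx is None else pe["sections"][idx]["name"],
        # the static check from the thread: entry point in the last section, and that
        # section is a second executable section rather than the only one
        "entry_in_extra_last_exec_section": (idx == last and pe["sections"][idx]["exec"]
                                             and exec_sections > 1),
    }


def build_sample_pe(entry, sections, reloc_size=0, overlay=b""):
    """Construct a minimal PE32 image (headers plus zero-filled section bodies).
    Constructed test data for this example only, not a real or loadable binary."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 16, entry)
    struct.pack_into("<I", opt, 92, 16)    # NumberOfRvaAndSizes
    if reloc_size:
        struct.pack_into("<II", opt, 96 + 8 * DIR_BASERELOC, 0x2000, reloc_size)
    headers, bodies, rawptr = b"", b"", 0x200  # raw section data starts at file offset 0x200
    for name, va, size, flags in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               size, va, size, rawptr, 0, 0, 0, 0, flags)
        bodies += bytes(size)
        rawptr += size
    image = (dos + b"PE\0\0" + coff + bytes(opt) + headers).ljust(0x200, b"\0")
    return image + bodies + overlay


CODE, DATA = 0x60000020, 0xC0000040  # CODE|EXECUTE|READ and INITIALIZED_DATA|READ|WRITE
# constructed: ordinary layout, entry point in .text, relocations present, no overlay
SAMPLE_CLEAN = build_sample_pe(0x1010, [(".text", 0x1000, 0x200, CODE),
                                        (".data", 0x2000, 0x100, DATA)], reloc_size=0x40)
# constructed: appended executable section holding the entry point, no relocations, overlay
SAMPLE_FLAGGED = build_sample_pe(0x3000, [(".text", 0x1000, 0x200, CODE),
                                          (".data", 0x2000, 0x100, DATA),
                                          (".newsec", 0x3000, 0x100, CODE)],
                                 overlay=b"trailing data")

if __name__ == "__main__":
    for label, image in (("clean", SAMPLE_CLEAN), ("flagged", SAMPLE_FLAGGED)):
        print(label, assess(parse_pe(image)))
```

Pointing parse_pe at the bytes of a real file instead of the constructed samples gives the same three answers for it: no relocations means sections cannot safely be shifted, an overlay means a section cannot simply be appended, and an entry point in an extra executable last section is exactly the cheap static signal l_inc says scanners look at.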
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.