flat assembler
Message board for the users of flat assembler.

Self modifying PE code
OzzY 26 Aug 2005, 14:30
Hi people! I know how to make some self-modifying code in DOS executables. But how to do it with Windows PE files? Do you have some example code?

Thanks!

comrade 26 Aug 2005, 14:42
mark your code section as writable and write to it

OzzY 26 Aug 2005, 14:50
Ok. I know how to change the code in memory, but how to change it on disk? Like an encrypted program that decrypts itself, runs the code, uses GetTickCount() to make a new random number and encrypts itself with this random number, saving this number to a variable and writing everything to disk?
The problem is I can get the code and write it to disk, but the PE header won't be written, just the code.

comrade 26 Aug 2005, 17:18
do you want to overwrite your own executable?

OzzY 26 Aug 2005, 18:18
Yes... I did it with DOS .com files... but I don't know how to do it with PE because of the headers, and maybe it's necessary to allocate some memory...
Any ideas?

comrade 26 Aug 2005, 19:02
no, it is not because of PE headers

it is because while the program is running, its EXE file is locked by the OS, and you cannot write to it

r22 26 Aug 2005, 19:07
The easiest way is to:

Have EXE1 create a new version of itself as a separate file, run that file and terminate itself.
Now EXE2 deletes EXE1's file and renames itself to whatever the proper name should be.

OzzY 26 Aug 2005, 20:30
The problem with PE headers is that:

Code:
format PE GUI 4.0
entry start
include '%fasminc5\win32a.inc'
start:
invoke MessageBox,0,msg,msg,0
ret
msg db 'Hi!',0
eof:
data import ; invoke needs an import table to resolve MessageBox
  library user32,'USER32.DLL'
  import user32, MessageBox,'MessageBoxA'
end data

See? If I try to read, beginning at start and with size eof-start, it will read only the code, not the header. That's my problem, not whether the exe is able to overwrite itself. With .com files it was easy:

Code:
org 100h
start:
mov ah,09h
mov dx,msg
int 21h
ret           ; returns to PSP:0000, which holds int 20h
msg db 'Hi!$' ; DOS function 09h expects a '$'-terminated string
eof:

Here the full code would be written to EXE2, because there's no header.
Even if I try to do what r22 said, I'll write to EXE2 only the code, without the PE header. How can I change the code of EXE1 in memory, read the entire code into a buffer and write this changed version to EXE2 on disk without missing the header?

Reverend 26 Aug 2005, 21:56
Maybe you meant to modify one PE with another program? Then you must have a basic knowledge of how the PE is structured. You'd have to do as follows:
Code:
; needs the PE structure definitions from the attached pe.inc
  filename                      db '1.exe', 0

  hfile                         dd ?
  hmapping                      dd ?
  hmap                          dd ?

        CODE_SECTION_INDEX      = 1 ;which section contains code (counting from 1)

; returns in eax a pointer (inside the file mapping) to the raw bytes of the code section
proc    get_code_ptr
        invoke  CreateFile, filename, GENERIC_READ, 0, 0, OPEN_EXISTING, 0, 0
        mov     [hfile], eax
        invoke  CreateFileMapping, eax, 0, PAGE_READONLY, 0, 0, 0
        mov     [hmapping], eax
        invoke  MapViewOfFile, eax, FILE_MAP_READ, 0, 0, 0
        mov     [hmap], eax

;       mov     eax, [hmap]     ; eax still holds the view base here
        add     eax, [eax+IMAGE_DOS_HEADER.e_lfanew]            ; -> IMAGE_NT_HEADERS
        movzx   ecx, word [eax+IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader]
        lea     eax, [eax+ecx+sizeof.IMAGE_FILE_HEADER+4]        ; -> first IMAGE_SECTION_HEADER
        lea     eax, [eax+sizeof.IMAGE_SECTION_HEADER*(CODE_SECTION_INDEX-1)] ; -> wanted section header
;       comment the following line if you loaded the file via LoadLibrary
;       in all other cases don't change it
        stdcall rva2off, [eax+IMAGE_SECTION_HEADER.VirtualAddress]
        add     eax, [hmap]
;       here eax contains pointer to the code exactly
        ret
endp

;================================
; converts an RVA into a file offset; returns 0 if no section covers it
proc    rva2off                 _rva
        mov     eax, [hmap]
        add     eax, [eax+IMAGE_DOS_HEADER.e_lfanew]
        movzx   ecx, word [eax+IMAGE_NT_HEADERS.FileHeader.NumberOfSections]
        movzx   edx, word [eax+IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader]
        lea     eax, [eax+edx+sizeof.IMAGE_FILE_HEADER+4]
    rva2off_loop:
        mov     edx, [eax+IMAGE_SECTION_HEADER.VirtualAddress]  ; test against the section's RVA, not its raw offset
        cmp     [_rva], edx
        jb      @F                                              ; RVAs are unsigned
        add     edx, [eax+IMAGE_SECTION_HEADER.SizeOfRawData]
        cmp     [_rva], edx
        jae     @F
        mov     edx, [_rva]
        sub     edx, [eax+IMAGE_SECTION_HEADER.VirtualAddress]
        add     edx, [eax+IMAGE_SECTION_HEADER.PointerToRawData]
        xchg    eax, edx
        ret
    @@:
        add     eax, sizeof.IMAGE_SECTION_HEADER
        loop    rva2off_loop
        xor     eax, eax
        ret
endp
And you need my 'pe.inc' include.

If you don't know which section contains code you must add some kind of loop to check the current section's attributes. Hope it is what you meant :)


Attachment: PE.inc (Include for PE files, 3.26 KB)

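As an added example (not from this thread and not Reverend's pe.inc), the same header walk in Python: DOS header to NT headers to section table, an RVA-to-file-offset lookup, and the section-attribute loop Reverend mentions for finding the code section when its index is unknown. The PE header bytes are constructed inline (no real executable is read), and the function names are my own.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020     # IMAGE_SECTION_HEADER.Characteristics bit: "contains code"
SECTION_HDR = "<8sIIIIIIHHI"        # IMAGE_SECTION_HEADER, 40 bytes

def parse_sections(data):
    """DOS header -> e_lfanew -> IMAGE_NT_HEADERS -> section table (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER starts 4 bytes after the signature; two WORD fields are needed
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_of_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 4 + 20 + size_of_opt   # signature + IMAGE_FILE_HEADER + optional header
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "va": f[2],
                         "raw_size": f[3], "raw_ptr": f[4], "flags": f[9]})
    return sections

def rva_to_offset(sections, rva):
    """RVA -> file offset; a section covers rva only if VirtualAddress <= rva < VirtualAddress + SizeOfRawData."""
    for s in sections:
        if s["va"] <= rva < s["va"] + s["raw_size"]:
            return rva - s["va"] + s["raw_ptr"]
    return None                      # RVA lies in no section (e.g. the header area)

def find_code_section(sections):
    """The attribute loop: first section whose Characteristics say it holds code."""
    for s in sections:
        if s["flags"] & IMAGE_SCN_CNT_CODE:
            return s
    return None

def build_sample_pe():
    """Constructed PE32 headers with two sections and no real code, so the example runs offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew at 0x3C -> 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)   # i386, 2 sections, 224-byte optional header
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * 222                    # PE32 magic, rest zeroed
    text = struct.pack(SECTION_HDR, b".text", 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    idata = struct.pack(SECTION_HDR, b".idata", 0x80, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + file_hdr + opt_hdr + text + idata

if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    print(find_code_section(secs)["name"], hex(rva_to_offset(secs, 0x1050)))   # .text 0x450
```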

OzzY 26 Aug 2005, 22:35
Yes! It was what I meant, but modifying itself and overwriting on disk... too hard to do... I give up... :(

comrade 26 Aug 2005, 23:30
you can check the SelfSafe sample on my page (check my signature)

OzzY 27 Aug 2005, 00:38
comrade, where's your page? I can't see it.

f0dder 27 Aug 2005, 01:35
Ozzy, click the "www" button? :)

http://comrade64.cjb.net/

comrade 27 Aug 2005, 01:41
My bureau is the greatest page of all time. How dare you disrespect?
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
