flat assembler
Message board for the users of flat assembler.
OzzY
Hi people! I know how to make some self-modifying code under DOS executables. But how to do it with Windows PE files? Do you have some example code?
Thanks!

comrade
mark your code section as writable and write to it

comrade
do you want to overwrite your own executable?

OzzY
yes... I did it with DOS .com files... but I don't know how to do it with PE because of the headers, and maybe it's needed to alloc some memory...
any ideas?

comrade
no, it is not because of PE headers
it is because while the program is running, its EXE file is locked by the OS, and you cannot write to it

r22
The easiest way is to:
Have EXE1 create a new version of itself as a separate file, run that file and terminate itself. Now EXE2 deletes EXE1's file and renames itself to whatever the proper name should be.

OzzY
The problem with PE headers is that:

Code:
```asm
format PE GUI 4.0
include '%fasminc5\win32a.inc'

start:
        invoke  MessageBox,0,msg,msg,0
        ret                     ; returning from the entry point ends the process

msg     db 'Hi!',0
eof:

.end start                      ; supplies the entry point and the import table
                                ; that invoke MessageBox needs
```

See? If I try reading beginning at start and with size eof-start, it will read only the code, not the header. That's my problem, not whether the exe is able to overwrite itself. With .com files it was easy:

Code:
```asm
org 100h
start:
        mov     ah,09h          ; DOS: print '$'-terminated string at DS:DX
        mov     dx,msg
        int     21h
        ret                     ; PSP:0000 holds int 20h, so ret terminates the program

msg     db 'Hi!$'               ; int 21h/09h needs a '$' terminator, not 0
eof:
```

Here the full code would be written to EXE2, because there's no header. Even if I try to do what r22 said, I'll write to EXE2 only the code without the PE header. How can I change the code from EXE1 in memory, read the entire code into a buffer and write this changed version to EXE2 on disk without missing the header?

Reverend
Maybe you meant to modify one PE with another program? Then you must have a basic knowledge of how the PE is structured. You'd have to do as follows:

Code:
```asm
format PE GUI 4.0
include 'win32a.inc'

CODE_SECTION_INDEX = 1          ; which section contains the code (counting from 1)

.data
filename db '1.exe', 0
hfile    dd ?
hmapping dd ?
hmap     dd ?

.code
start:
        invoke  CreateFile, filename, GENERIC_READ, 0, 0, OPEN_EXISTING, 0, 0
        mov     [hfile], eax
        invoke  CreateFileMapping, eax, 0, PAGE_READONLY, 0, 0, 0
        mov     [hmapping], eax
        invoke  MapViewOfFile, eax, FILE_MAP_READ, 0, 0, 0
        mov     [hmap], eax
        ; walk from the DOS header to the first section header
        mov     eax, [hmap]
        add     eax, [eax+IMAGE_DOS_HEADER.e_lfanew]
        movzx   ecx, [eax+IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader]
        lea     eax, [eax+ecx+sizeof.IMAGE_FILE_HEADER+4]
        ; advance to the header of section number CODE_SECTION_INDEX
        lea     eax, [eax+sizeof.IMAGE_SECTION_HEADER*(CODE_SECTION_INDEX-1)]
        ; a file mapping has the raw file layout, so the section's RVA must be
        ; translated to a file offset; if you loaded the file via LoadLibrary
        ; instead, replace the stdcall with
        ;   mov eax, [eax+IMAGE_SECTION_HEADER.VirtualAddress]
        ; in all other cases don't change it
        stdcall rva2off, [eax+IMAGE_SECTION_HEADER.VirtualAddress]
        add     eax, [hmap]
        ; here eax points exactly to the code
        invoke  UnmapViewOfFile, [hmap]
        invoke  CloseHandle, [hmapping]
        invoke  CloseHandle, [hfile]
        invoke  ExitProcess, 0

;================================
; translate an RVA into a file offset; returns 0 if no section contains it
proc rva2off _rva
        mov     eax, [hmap]
        add     eax, [eax+IMAGE_DOS_HEADER.e_lfanew]
        movzx   ecx, [eax+IMAGE_NT_HEADERS.FileHeader.NumberOfSections]
        movzx   edx, [eax+IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader]
        lea     eax, [eax+edx+sizeof.IMAGE_FILE_HEADER+4]
  rva2off_loop:
        ; is the RVA inside [VirtualAddress, VirtualAddress+SizeOfRawData)?
        mov     edx, [eax+IMAGE_SECTION_HEADER.VirtualAddress]
        cmp     [_rva], edx
        jb      @F
        add     edx, [eax+IMAGE_SECTION_HEADER.SizeOfRawData]
        cmp     [_rva], edx
        jae     @F
        mov     edx, [_rva]
        sub     edx, [eax+IMAGE_SECTION_HEADER.VirtualAddress]
        add     edx, [eax+IMAGE_SECTION_HEADER.PointerToRawData]
        xchg    eax, edx
        ret
  @@:
        add     eax, sizeof.IMAGE_SECTION_HEADER
        loop    rva2off_loop
        xor     eax, eax
        ret
endp

.end start
```

If you don't know which section contains the code you must add some kind of loop to check the current section's attributes. Hope it is what you meant.

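The same PE header walk in Python, as an added example that is not code from the post or from fasm: it builds a small constructed PE image in memory (the layout, section names and contents are made up for the example, not a real executable), locates the section headers from e_lfanew the way Reverend's code does, translates an RVA to a file offset like rva2off, picks the code section from its characteristics instead of a fixed index, and also reports any section that is both writable and executable, which is what marking the code section writable produces and what a reviewer or scanner would want to flag. Function names such as build_sample_pe and wx_section_names are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Section characteristic flags from the PE specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FILE_HEADER_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    size_of_raw_data: int
    pointer_to_raw_data: int
    characteristics: int

    def is_code(self) -> bool:
        return bool(self.characteristics & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))

    def is_writable_and_executable(self) -> bool:
        wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
        return self.characteristics & wx == wx


def parse_sections(image: bytes) -> List[Section]:
    """DOS header -> e_lfanew -> PE signature -> file header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_header = e_lfanew + 4
    (_machine, number_of_sections, _stamp, _symptr, _nsyms,
     size_of_optional_header, _chars) = struct.unpack_from(FILE_HEADER_FMT, image, file_header)
    # section headers follow the file header and the optional header
    first_section = file_header + 20 + size_of_optional_header
    sections = []
    for i in range(number_of_sections):
        (name, vsize, va, raw_size, raw_ptr, _relocs, _lines, _nrelocs, _nlines,
         chars) = struct.unpack_from(SECTION_HEADER_FMT, image, first_section + i * 40)
        sections.append(Section(name.rstrip(b"\0").decode("ascii"),
                                vsize, va, raw_size, raw_ptr, chars))
    return sections


def rva_to_offset(sections: List[Section], rva: int) -> Optional[int]:
    """Same test as rva2off: the section whose raw data range covers the RVA."""
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.size_of_raw_data:
            return rva - s.virtual_address + s.pointer_to_raw_data
    return None


def find_code_section(sections: List[Section]) -> Optional[Section]:
    return next((s for s in sections if s.is_code()), None)


def wx_section_names(image: bytes) -> List[str]:
    """Sections that are writable and executable at once (self-modifying code territory)."""
    return [s.name for s in parse_sections(image) if s.is_writable_and_executable()]


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image used as sample input (not a real executable)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional_header = 224
    file_header = struct.pack(FILE_HEADER_FMT, 0x14C, 2, 0, 0, 0, size_of_optional_header, 0x0102)
    optional = struct.pack("<H", 0x10B).ljust(size_of_optional_header, b"\0")
    text = struct.pack(SECTION_HEADER_FMT, b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    data = struct.pack(SECTION_HEADER_FMT, b".data", 0x200, 0x2000, 0x200, 0x600, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    headers = (dos + b"PE\0\0" + file_header + optional + text + data).ljust(0x400, b"\0")
    text_raw = b"\xC3".ljust(0x200, b"\xCC")   # a 'ret' followed by int3 padding
    data_raw = b"Hi!\0".ljust(0x200, b"\0")
    return headers + text_raw + data_raw


if __name__ == "__main__":
    img = build_sample_pe()
    secs = parse_sections(img)
    code = find_code_section(secs)
    print("code section:", code.name, "file offset of its first byte:",
          hex(rva_to_offset(secs, code.virtual_address)))
    print("writable+executable sections:", wx_section_names(img))
```

The lookup compares the RVA against VirtualAddress, not PointerToRawData, which is the mistake to watch for when porting this kind of loop; a writable and executable section is the usual footprint of the approach comrade describes, so the last function is the one to run over a file you are reviewing.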
OzzY
Yes! It was what I meant, but modifying itself and overwriting on disk... but too hard to do... I give up...

comrade
you can check SelfSafe sample on my page (check my signature)

OzzY
comrade, where's your page? I can't see.

f0dder
comrade
My bureau is the greatest page of all time. How dare you disrespect?
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.
Website powered by rwasa.