Index
> Windows > Self modifying PE code |
| Author |
|
|
OzzY 26 Aug 2005, 14:30
Hi people! I know how to make some self-modifying code under DOS executables. But how to do it with windows PE files? Do you have some example code?
Thanks! |
|||
26 Aug 2005, 14:30 |
|
|
comrade 26 Aug 2005, 14:42
mark your code section is writable and write to it
|
|||
|
26 Aug 2005, 14:42 |
|
|
comrade 26 Aug 2005, 17:18
do you want to overwrite your own executable?
|
|||
|
26 Aug 2005, 17:18 |
|
|
OzzY 26 Aug 2005, 18:18
yes... i did it with DOS .com files... but I don't know how to do with PE because of the headers and maybe it's needed to alloc some memory...
any ideas? |
|||
|
26 Aug 2005, 18:18 |
|
|
comrade 26 Aug 2005, 19:02
no, it is not because of PE headers
it is because while the program is running, its EXE file is locked by the OS, and you cannot write to it |
|||
|
26 Aug 2005, 19:02 |
|
|
r22 26 Aug 2005, 19:07
The easiest way is to.
Have EXE1 create a new version of itself as a separate file, run that file and terminate itself. Now EXE2 deletes EXE1's file and renames itself to whatever the proper name should be. |
|||
|
26 Aug 2005, 19:07 |
|
|
OzzY 26 Aug 2005, 20:30
The problem with PE headers is that:
Code: format PE GUI 4.0 include '%fasminc5\win32a.inc' start: invoke MessageBox,0,msg,msg,0 ret msg db 'Hi!',0 eof: see? if I try to reading beggining at start and with size of eof-start it will read only the code, not the header. That's my problem, not if the exe is able to overwrite itself. With .com files it was easy: Code: org 100h start: mov ah,09h mov dx,msg int 21h ret msg db 'Hi!',0 eof: here the full code would be written to the EXE2, cause there's no header. even if i try to do what r22 said i'll write to EXE2 only the code without the PE header. How can I change the code from EXE1 in memory, read the entire code in a buffer and write this changed version to EXE2 in disk without missing header? |
|||
|
26 Aug 2005, 20:30 |
|
|
Reverend 26 Aug 2005, 21:56
Maybe you meant to modify one PE with another program? Then you must have a basic knowledge of how the PE is structured. You'd have to do as follows:
Code: filename db '1.exe', 0 hfile dd ? hmapping dd ? hmap dd ? CODE_SECTION_INDEX = 1 ;which section contains code (counting from 1) invoke CreateFile, filename, GENERIC_READ, 0, 0, OPEN_EXISTING, 0, 0 mov [hfile], eax invoke CreateFileMapping, eax, 0, PAGE_READONLY, 0, 0, 0 mov [hmapping], eax invoke MapViewOfFile, eax, FILE_MAP_READ, 0, 0, 0 mov [hmap], eax ; mov eax, [hmap] add eax, [eax+IMAGE_DOS_HEADER.e_lfanew] movzx ecx, [eax+IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader] lea eax, [eax+ecx+sizeof.IMAGE_FILE_HEADER+4] lea eax, [(sizeof.IMAGE_SECTION_HEADER-1)*CODE_SECTION_INDEX] ; comment the following line if you loaded the file via LoadLibrary ; in all other cases don't change it stdcall rva2off, [eax+IMAGE_SECTION_HEADER.VirtualAddress] add eax, [hmap] ; here eax contains pointer to the code exactly ret ;================================ proc rva2off _rva mov eax, [hmap] add eax, [eax+IMAGE_DOS_HEADER.e_lfanew] movzx ecx, [eax+IMAGE_NT_HEADERS.FileHeader.NumberOfSections] movzx edx, [eax+IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader] lea eax, [eax+edx+sizeof.IMAGE_FILE_HEADER+4] rva2off_loop: mov edx, [eax+IMAGE_SECTION_HEADER.PointerToRawData] cmp [_rva], edx jl @F mov edx, [eax+IMAGE_SECTION_HEADER.VirtualAddress] add edx, [eax+IMAGE_SECTION_HEADER.SizeOfRawData] cmp [_rva], edx jae @F mov edx, [_rva] sub edx, [eax+IMAGE_SECTION_HEADER.VirtualAddress] add edx, [eax+IMAGE_SECTION_HEADER.PointerToRawData] xchg eax, edx ret @@: add eax, sizeof.IMAGE_SECTION_HEADER loop rva2off_loop xor eax, eax ret endp If you don't know which section contains code you must add some kind of loop to check current section attributes. Hope it is what you meant 
|
|||||||||||
|
26 Aug 2005, 21:56 |
|
|
OzzY 26 Aug 2005, 22:35
Yes! It was what I meant, but modifying itself and overwriting in disk... but too hard to do... i give up...
 |
|||
|
26 Aug 2005, 22:35 |
|
|
comrade 26 Aug 2005, 23:30
you can check SelfSafe sample on my page (check my signature)
|
|||
|
26 Aug 2005, 23:30 |
|
|
OzzY 27 Aug 2005, 00:38
comrade, where's your page? I can't see.
|
|||
|
27 Aug 2005, 00:38 |
|
|
f0dder 27 Aug 2005, 01:35
|
|||
|
27 Aug 2005, 01:35 |
|
|
comrade 27 Aug 2005, 01:41
My bureau is the greatest page of all time. How dare you disrespect?
|
|||
|
27 Aug 2005, 01:41 |
|
< Last Thread | Next Thread > |
Forum Rules:
|