flat assembler
Message board for the users of flat assembler.
Easy way of adding new section to a pe file ??????
shism2 12 Oct 2005, 18:20
Does anyone have any fasm examples of adding a section to a pe file.
LocoDelAssembly 12 Oct 2005, 18:29
http://flatassembler.net/examples/quetannon.zip <- Here is an example of a program using winsock, and this program defines sections. Is that what you are looking for?
shism2 12 Oct 2005, 18:43
no. I want to add a new section to ANOTHER executable.
shism2 15 Oct 2005, 01:06
Code:
macro m2m dest,src {
    push src
    pop dest
}

;--------------------- Strings
problem db " File Error",0
error db "Error",0
protected db "File has been protected",0
protected1 db "Protected",0
sName db "shism",0

;------------ data
hFile dd 0
fsize dd 0
temp dd 0
memptr dd 0
nthdr IMAGE_NT_HEADERS
hSection dd 0

proc ProtectFile LPSTR, hWnd
    invoke CreateFile,[LPSTR],GENERIC_WRITE + GENERIC_READ,FILE_SHARE_WRITE + FILE_SHARE_READ,\
           NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0
    cmp eax,INVALID_HANDLE_VALUE
    jz peError@
    mov [hFile],eax
    invoke GetFileSize,[hFile],0
    cmp eax,0
    jz peError@
    mov [fsize],eax
    invoke CreateFileMapping,[hFile],0,PAGE_READWRITE,0,0,0
    test eax, eax
    jz peError@
    mov [temp],eax
    invoke MapViewOfFile,[temp],FILE_MAP_ALL_ACCESS,0,0,0
    test eax, eax
    jz peError@
    mov [memptr], eax
    mov esi, eax
    add esi, dword [esi+03ch]
    mov edi, nthdr
    mov ecx,sizeof.IMAGE_NT_HEADERS
    cld
    rep movsb
    .if [nthdr.OptionalHeader.DataDirectory.VirtualAddress],ne,0
        mov [nthdr.OptionalHeader.DataDirectory.VirtualAddress], NULL
        mov [nthdr.OptionalHeader.DataDirectory.Size], NULL
    .endif
    ;Prepare my section struct
    invoke VirtualAlloc, NULL, sizeof.IMAGE_SECTION_HEADER, MEM_COMMIT, PAGE_READWRITE
    mov [hSection], eax
    mov eax, [hSection]
    invoke lstrcpy, eax,sName
    mov eax, hSection
    ASSUME eax : IMAGE_SECTION_HEADER
    m2m [eax.Misc.VirtualSize], [nthdr.OptionalHeader.SectionAlignment]
    m2m [eax.SizeOfRawData], [nthdr.OptionalHeader.FileAlignment]
    m2m [eax.PointerToRawData], [fsize]
    m2m [eax.VirtualAddress], [nthdr.OptionalHeader.SizeOfImage]
    mov [eax.Characteristics], 20000060h ;<-- code/read/execute
    ret
endp

peError@:
    invoke MessageBox, NULL,problem,error, MB_ICONSTOP
    invoke CloseHandle,[memptr]
protected@:
    invoke MessageBox,NULL,protected,protected1,0

This is some code, that I converted from masm to fasm (by comrade).. I get these errors

ASSUME eax : IMAGE_SECTION_HEADER
error: illegal instruction.

flat assembler version 1.64
C:\WinAsm\Assemblers\fasm\INCLUDE\APIA\kernel32.inc [1]:
import kernel32,\
C:\WinAsm\Assemblers\fasm\INCLUDE\macro/import32.inc [50] import [22]:
label dd RVA _label
error: symbol already defined.

And another problem with the macro saying .. Illegal operand. need some help here
Ancient One 15 Oct 2005, 02:27
ASSUME eax : IMAGE_SECTION_HEADER
is MASM specific. remove this line and change code that uses eax. to eax + IMAGE_SECTION_HEADER.
shism2 15 Oct 2005, 03:38
I now get out of memory.......I even assigned 100 mb to fasm and still out of memory..
I did restart my computer and nothing...
Reverend 15 Oct 2005, 12:07
Change it like this:
Code:
; ASSUME eax : IMAGE_SECTION_HEADER
m2m [eax+IMAGE_SECTION_HEADER.Misc.VirtualSize], [nthdr.OptionalHeader.SectionAlignment]
m2m [eax+IMAGE_SECTION_HEADER.SizeOfRawData], [nthdr.OptionalHeader.FileAlignment]
m2m [eax+IMAGE_SECTION_HEADER.PointerToRawData], [fsize]
m2m [eax+IMAGE_SECTION_HEADER.VirtualAddress], [nthdr.OptionalHeader.SizeOfImage]
mov [eax+IMAGE_SECTION_HEADER.Characteristics], 20000060h ;<-- code/read/execute
Tomasz Grysztar 15 Oct 2005, 13:34
You can also use this macro to make your original code assemble without problems:
Code:
macro ASSUME expr
{
  match reg:struc, expr
  \{
    local ..label
    virtual at reg
      reg equ ..label
      reg struc
      restore reg
    end virtual
  \}
}

(but note you also need to have IMAGE_SECTION_HEADER structure definition, as I recall it's not yet in the official includes)
JMGK 15 Oct 2005, 15:57
bah,
on new section:
* VirtualSize must be your code size aligned to SectionAlign, not just SectionAlign (your added code can be more than 1000h)
* SizeofRawData must be your code size, not just FileAlign (your added code can be more than 1000h)
* PointerToRawData must be previous section's SizeOfRawData+PointerToRawData aligned to FileAlign (files can have overlays)
* VirtualAddress must be previous section's VirtualAddress+VirtualSize aligned to SectionAlign (SizeOfImage is sometimes badly calculated)

if you want to code a virus (coz it looks so), check some virus source code to see how they do

jmgk

ps: i am amazed how nobody complains about the fact shism2 is clearly trying to code a virus (or what else can be?)
Tomasz Grysztar 15 Oct 2005, 16:32
Quote:
Even though most probably you're right, there really are some other applications for inserting a new section - for example adding resources to an executable that doesn't have any (some resource linkers are able to do it), or adding other kinds of custom information.
shism2 15 Oct 2005, 16:35
Quote:
He is a known virus writer....
Last edited by shism2 on 15 Oct 2005, 16:39; edited 1 time in total
shism2 15 Oct 2005, 16:39
Tomasz ... I'm still receiving the problem with compiling. I get out of memory problem.
comrade 15 Oct 2005, 17:44
Quote: He is a known virus writer....

what comrade would that be? and that certainly does not look like my code...

i have several projects that add sections to PE file

reimport - adds a new section to PE file, and writes a new import table there. Command-line use:
Usage: reimport.exe <input.exe> <output.exe> <hook.dll> <library::procedure> ...
For example, if you run:
reimport.exe game.exe newgame.exe nocd.dll kernel32::GetDriveTypeA kernel32::CreateFileA kernel32::GetVolumeInformation
This will create a copy of game.exe into newgame.exe, with the above 3 API functions rerouted to nocd.dll, instead of kernel32.exe. That means newgame.exe would import GetDriveTypeA, CreateFileA, and GetVolumeInformation from nocd.dll instead of kernel32.

patch - adds a new section to PE file, sets it as new entrypoint. the code in the new section loads a DLL file, and then jumps to original entrypoint. Command-line:
Usage: patch.exe <input.exe> <output.exe> <loader.dll>
A new file called output.exe will be created, which will be the same as input.exe, except it will contain a new code section which will load loader.dll before it jumps to original entrypoint. This is a way to inject a DLL into a process before it runs, the hard-way. For other ways to inject a DLL, see http://board.flatassembler.net/topic.php?p=30001#30001.
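Added example, not part of the thread and not any poster's code: a Python check that reads a PE section table and reports where it departs from the layout rules JMGK lists above, plus a heuristic for the entry point sitting in the last section, which is what comrade describes patch doing. The function names, rule labels and the sample table are assumptions made for this illustration.

```python
import struct

KEYS = ("name", "vsize", "va", "raw_size", "raw_ptr", "flags")

def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment

def parse_pe(data):
    """Read the alignment fields and section table from a PE file image."""
    pe, = struct.unpack_from("<I", data, 0x3C)                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # NumberOfSections and SizeOfOptionalHeader from the file header
    count, opt_size = struct.unpack_from("<2xH12xH", data, pe + 4)
    # AddressOfEntryPoint, SectionAlignment, FileAlignment, SizeOfImage
    entry, sa, fa, image = struct.unpack_from("<I12xII16xI", data, pe + 40)
    table = pe + 24 + opt_size                                 # first section header
    secs = [dict(zip(KEYS, struct.unpack_from("<8sIIII12xI", data, table + 40 * i)))
            for i in range(count)]
    return dict(entry=entry, sect_align=sa, file_align=fa,
                size_of_image=image, file_size=len(data)), secs

def check_layout(hdr, secs):
    """Return (rule, section name) pairs for each layout rule the table breaks."""
    sa, fa, out = hdr["sect_align"], hdr["file_align"], []
    label = lambda s: s["name"].rstrip(b"\0").decode("latin-1")
    span = lambda s: s["vsize"] or s["raw_size"]   # some linkers leave VirtualSize 0
    for prev, cur in zip(secs, secs[1:]):
        if cur["va"] != align_up(prev["va"] + span(prev), sa):
            out.append(("va-not-contiguous", label(cur)))
    for s in secs:
        if s["raw_size"] and s["raw_ptr"] % fa:
            out.append(("raw-ptr-unaligned", label(s)))
    last = secs[-1]
    if hdr["size_of_image"] != align_up(last["va"] + span(last), sa):
        out.append(("size-of-image-mismatch", label(last)))
    if hdr["file_size"] > max(s["raw_ptr"] + s["raw_size"] for s in secs):
        out.append(("overlay-after-last-section", label(last)))
    # Heuristic only: packers and protectors also put the entry point here.
    if len(secs) > 1 and last["va"] <= hdr["entry"] < last["va"] + span(last):
        out.append(("entry-in-last-section", label(last)))
    return out

# Constructed sample: two linker-made sections, then one appended at an unaligned offset.
SAMPLE_HDR = dict(entry=0x4010, sect_align=0x1000, file_align=0x200,
                  size_of_image=0x4000, file_size=0x1E37)
SAMPLE_SECS = [dict(zip(KEYS, row)) for row in (
    (b".text", 0x1234, 0x1000, 0x1400, 0x0400, 0x60000020),
    (b".data", 0x0300, 0x3000, 0x0400, 0x1800, 0xC0000040),
    (b".new",  0x1000, 0x4000, 0x0200, 0x1C37, 0x20000060))]
print(check_layout(SAMPLE_HDR, SAMPLE_SECS))
```

For a file on disk, pass its bytes to parse_pe and feed the result to check_layout; an empty list means the table satisfies every rule checked here.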
shism2 15 Oct 2005, 17:57
I guess a different one
comrade 15 Oct 2005, 17:58
show me
shism2 15 Oct 2005, 18:04
comrade 15 Oct 2005, 19:39
Serbian c0mrade... cool!
shism2 15 Oct 2005, 20:00
lol......???
Reverend 16 Oct 2005, 09:14
comrade: patch is a great tool, nice work. But did you think of implementing a cavity search procedure, ie. searching for gaps between sections large enough to contain the attaching code? It would be nice feature imho.
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.