From: profesor.fir@nospicedham.gmail.com   
      
   W dniu sobota, 19 sierpnia 2017 15:30:02 UTC+2 użytkownik firr napisał:   
   > W dniu sobota, 19 sierpnia 2017 14:44:58 UTC+2 użytkownik Alexei A. Frounze   
   napisał:   
   > > On Saturday, August 19, 2017 at 4:44:51 AM UTC-7, firr wrote:   
   > > > some time ago this was discussed, and I know there are probably not
   many people here who know these things, but maybe some do
   > > >    
   > > > if you load an exe program into memory it is typically loaded at address
   0040_0000 (that is, 4 MB from the start of the address space)
   > > >    
   > > > the header is typically loaded at 0040_0000,
   > > > code is typically loaded at 0040_1000, and data is loaded after that
   (in a small hello world it will be at 0040_2000),
   > > > constants after that, then the zero-initialised static data area is reserved, then
   imports and the other sections also come somewhere after that
   > > >    
   > > > still, I am not sure about one thing: in an exe
   > > > I think you do not necessarily need relocations
   > > > (or am I wrong?). This would mean that in
   > > > such an exe the addresses may be fixed (and in fact they would have values
   like 004x_xxxx and so on - obviously possibly bigger, but in a small exe this kind
   of value)
   > > >
   > > > is this really the case? no relocations, and this kind of fixed value
   in there?
   > >    
   > > Yep. 32-bit Windows/PE and Linux/ELF executables work
   > > without relocations, as long as the loader can map them at their preferred base.
   > > The trade-off is that an image without a relocation table cannot be rebased, so it
   > > gets no ASLR: every code and data address is fixed and predictable, which is exactly
   > > what an exploit needs. That is why current toolchains keep a .reloc section and mark
   > > the image as relocatable (DYNAMICBASE) even for a plain exe.
   > >    
   > > > if relocations
   are present, are
   > > > they only a list of addresses in RAM to which you need to add the "base address"
   of the image (as I heard), or is there something more to them?
   > >    
   > > In a nutshell, yes - with one correction: the value the loader adds is the delta
   > > (actual load address minus the preferred ImageBase), not the base address itself,
   > > and each entry also carries a type field saying how wide the fixup is.
   > >    
   > > Alex   
   >    
   > ok, then check my new question (should appear soon)   
   >    
   > fir   
      
   btw, here is some of my quick-and-dirty old code that writes a working exe to disk (it is
   old and needs to be looked over - and then built up further, but I am posting it because it is
   useful for its simplicity and is tested to work). Note that it hardcodes absolute
   0040_xxxx addresses in the code bytes and emits no relocation table, so the resulting
   image only runs when mapped at its preferred ImageBase and cannot be randomised.
      
      
   #include   
   #include   
      
      
   int main()   
   {   
      
      
    FILE *file = fopen("result3.exe", "wb");   
      
    ////////////////////////////////////////////////////   
   ////////////////////// pe headers /////////////////////////////   
      
    IMAGE_DOS_HEADER dosHeader= {0};   
    dosHeader.e_magic = 0x5a4d; // MZ   
    dosHeader.e_lfanew = 0x00000040; //pe header offset in file   
      
   //0x40   
    IMAGE_NT_HEADERS ntHeader= {0};   
    ntHeader.Signature = 0x00004550; //PE 0 0   
      
    IMAGE_FILE_HEADER header= {0};   
    header.Machine = 0x014c; //i386   
    header.NumberOfSections = 3;   
    header.SizeOfOptionalHeader = 0x00e0; //not sure   
    header.Characteristics = 0x0002 + 0x0100; //executable +   
   32bit_machine   
   //0x58   
    IMAGE_OPTIONAL_HEADER opHeader= {0}; //Optional Header of PE files   
   present in NT Header structure   
    opHeader.Magic = 0x010b;   
    opHeader.AddressOfEntryPoint = 0x1000;   
    opHeader.ImageBase = 0x00400000;   
    opHeader.SectionAlignment = 0x1000;   
    opHeader.FileAlignment = 0x0200;   
    opHeader.MajorSubsystemVersion = 4;   
    opHeader.SizeOfImage = 4* 0x1000;   
    opHeader.SizeOfHeaders = 0x0200;   
    opHeader.Subsystem = 2; //2-gui, 3 - console   
    opHeader.NumberOfRvaAndSizes = 16;   
      
   //0x0138   
    opHeader.DataDirectory[1].VirtualAddress = 0x2000;   
      
    IMAGE_SECTION_HEADER secHeaderCode= {0};   
      
    secHeaderCode.Name[0] = '.';   
    secHeaderCode.Name[1] = 't';   
    secHeaderCode.Name[2] = 'e';   
    secHeaderCode.Name[3] = 'x';   
    secHeaderCode.Name[4] = 't';   
      
    secHeaderCode.Misc.VirtualSize = 0x1000;   
    secHeaderCode.VirtualAddress = 0x1000;   
    secHeaderCode.SizeOfRawData = 0x200;   
    secHeaderCode.PointerToRawData = 0x200;   
    secHeaderCode.Characteristics = 0x00000020 + 0x20000000 + 0x40000000;   
      
    IMAGE_SECTION_HEADER secHeaderImports= {0};   
      
    secHeaderImports.Name[0] = '.';   
    secHeaderImports.Name[1] = 'r';   
    secHeaderImports.Name[2] = 'd';   
    secHeaderImports.Name[3] = 'a';   
    secHeaderImports.Name[4] = 't';   
    secHeaderImports.Name[5] = 'a';   
      
    secHeaderImports.Misc.VirtualSize = 0x1000;   
    secHeaderImports.VirtualAddress = 2*0x1000;   
    secHeaderImports.SizeOfRawData = 0x200;   
    secHeaderImports.PointerToRawData = 2*0x200;   
    secHeaderImports.Characteristics = 0x00000040 + 0x40000000;   
      
    IMAGE_SECTION_HEADER secHeaderData= {0};   
      
    secHeaderData.Name[0] = '.';   
    secHeaderData.Name[1] = 'd';   
    secHeaderData.Name[2] = 'a';   
    secHeaderData.Name[3] = 't';   
    secHeaderData.Name[4] = 'a';   
      
    secHeaderData.Misc.VirtualSize = 0x1000 ;   
    secHeaderData.VirtualAddress = 3*0x1000 ;   
    secHeaderData.SizeOfRawData = 0x200;   
    secHeaderData.PointerToRawData = 3*0x200 ;   
    secHeaderData.Characteristics = 0x00000040 + 0x40000000 +0x80000000 ;   
      
    int fillup[20] = {0};   
      
    fwrite((char*)&dosHeader, 1, sizeof(dosHeader), file);   
      
    fwrite((char*)&ntHeader, 1, 4, file);   
    fwrite((char*)&header, 1, sizeof(header), file);   
    fwrite((char*)&opHeader, 1, sizeof(opHeader), file);   
   // fwrite((char*)dataDirectory, 1, sizeof(dataDirectory), file);   
    fwrite((char*)&secHeaderCode, 1, sizeof(secHeaderCode), file);   
    fwrite((char*)&secHeaderImports, 1, sizeof(secHeaderImports), file);   
    fwrite((char*)&secHeaderData, 1, sizeof(secHeaderData), file);   
      
      
    ////////////////////////////////////////////////////   
   ////////////////////// code /////////////////////////////   
    //align 512   
      
    fseek( file, 0x200, SEEK_SET );   
      
    char code[32] = {   
    0x6a, 0x00, //push 0   
    0x68, 0x00, 0x30, 0x40, 0x00, // push title   
    0x68, 0x1a, 0x30, 0x40, 0x00, // push caption   
    0x6a, 0x00, // push 0   
    0xff, 0x15, 0x70, 0x20, 0x40, 0x00, // call massageboxa   
    0x6a, 0x00, //push 0   
    0xff, 0x15, 0x68, 0x20, 0x40, 0x00, // call exit process   
    0x00,   
    0x00,   
    0x00,   
    0x00};   
      
      
    fwrite((char*)code, 1, sizeof(code), file);   
      
   ///////////////////////IMPORTS /////////////////////////////   
   ////////////////////// IAT /////////////////////////////   
      
    fseek( file, 0x400, SEEK_SET );   
      
   //0400   
      
    IMAGE_IMPORT_DESCRIPTOR kernel32desc= {0};   
    kernel32desc.OriginalFirstThunk = 0x203c; // ordinal-name pointer table   
    //   
    //   
    kernel32desc.Name = 0x2078; //dll name   
    kernel32desc.FirstThunk = 0x2068; //imp_pointers table   
      
    IMAGE_IMPORT_DESCRIPTOR user32desc= {0};   
    user32desc.OriginalFirstThunk = 0x2044; // ordinal-name pointer table   
    //   
    //   
    user32desc.Name = 0x2085; //dll name   
    user32desc.FirstThunk = 0x2070; //imp_pointers table   
      
      
   [continued in next message]   
      