Thread: How to find code of type:map?

  1. #1

    How to find code of type:map?

    Hi there,

    I have a tiny problem today. I wonder, how I can find the original destination of code, that is marked as "map" in Olly's Memory Map window. It looks like this:

    Code:
    Memory map, item 205
     Address=01610000
     Size=     00080000 (524288.)
     Owner=  01610000 (itself)
     Section=
     Type=Map  00041020
     Access= R E
     Initial access=R E
    I have some problems with this.
    1. I cannot change the access flag. Neither by right-clicking in Olly (set access->full access) nor by using VirtualProtect.
    2. I don't know how this mapping is done. It doesn't use MapViewOfFile nor VirtualAlloc nor WriteProcessMemory and it's already present when Olly stops at the EP (it's not present if I stop at the System Breakpoint, but I can't find the mapping procedure then).
    3. I don't know where to find the code of this section if I load the file not in Olly but in IDA.
    4. I don't know where to look for information on this topic. So I kindly ask for some help.

    Thank you very much in advance.

    Best regards
    darkelf
    Last edited by Darkelf; October 29th, 2008 at 06:16.

  2. #2
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Is the file packed? If it uses TLS callbacks, it could unpack before OllyDbg reaches the entry point.

    It could also come from a packed DLL I guess.

    A packer could also theoretically subvert any breakpoints for the memory allocation routines, so I wouldn't be so sure that these aren't used if I were you.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  3. #3
    Thanks dELTA for your answer.

    Unfortunately, the file isn't packed and so aren't the involved dll's. It's all just plain Mickeysoft VC8.0.
    Some other proposal? I'm really running out of ideas.

    Thank you.

    Best regards
    darkelf

  4. #4
    Administrator dELTA
    Trace the loading of all (statically) imported DLLs (they will be loaded/executed before the entry point is reached in OllyDbg), and see when the memory region is created?

  5. #5
    Hmm, that's what I've neglected so far (lazy me :-) ). I guess you're right and it must be done this way. Nevertheless, do you have any idea why I can't set the access flag the way I want?

    Thanks again

  6. #6
    Administrator dELTA
    About the access flag, I would suspect either a protector interfering with you, or a bug in OllyDbg (or that you're doing it plain wrong).

  7. #7
    OK, I found out that it is done via ZwMapViewOfSection. I guess that's also why I can't modify the access flag.
    I have to dig really deep to understand what is going on there. See me come back sweaty :-)

  8. #8
    Super Moderator
    those regions are RegionUsageIsVad

    the maps of VirtualAddress Descriptors

    mostly your 1610000 gets created after User32!DllInitialize where it initializes gdi

    while you stop on the system startup breakpoint
    try setting a break on gdi32!NtGdiInit

    and look at memory map you may not find that map

    NtGdiInit is a System call

    step with f8 4 times and notice the memory map

    you will find a map

    they are made in kernel land with PAGE_NO_ACCESS protection

    for example you can confirm this by using windbg on the same executable
    and doing

    !vadump
    or !address

    0:000> !address 1570000
    01570000 : 01570000 - 000c7000
    Type 00040000 MEM_MAPPED
    Protect 00000020 PAGE_EXECUTE_READ
    State 00001000 MEM_COMMIT
    Usage RegionUsageIsVAD


    Memory map, item 25
    Address=01570000
    Size=000C7000 (815104.)
    Owner= 01570000 (itself)
    Section=
    Type=Map 00041020
    Access=R E
    Initial access=R E


    you can get to know what this region means from windbg help file

    RegionUsageIsVAD

    The "busy" region. This region includes all virtual allocation blocks, the SBH heap, memory from custom allocators, and all other regions of the address space that fall into no other classification.

    btw if you go after NtGdiInit in win32k.sys you will see it is almost a dummy function, don't ask me why that function creates this map :P kernel voodoo

    lkd> .shell -ci "dps win32k!W32pServiceTable l?poi(win32k!W32pServiceLimit)" findstr NtGdiInit
    bf997970 bf8e59cc win32k!NtGdiInit
    bf997974 bf8a2d87 win32k!NtGdiInitSpool
    .shell: Process exited
    lkd> uf win32k!NtGdiInit
    win32k!NtGdiInit:
    bf8e59cc 33c0 xor eax,eax
    bf8e59ce 40 inc eax
    bf8e59cf c3 ret
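One way to apply the check described above outside the debugger, as an added example that is not code from this thread, from OllyDbg or from WinDbg: a small Python decoder that parses the `!address` block quoted above (and an OllyDbg "Memory map" item like the one in the first post) and flags an executable MEM_MAPPED region that no loaded module owns, which is exactly the kind of section view the thread is chasing. The constant values are the documented winnt.h ones; the sample strings are copied from this thread.

```python
import re
from collections import namedtuple

# Memory attribute constants as documented in winnt.h.
MEM_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
MEM_STATES = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXEC_PROTECT = {0x10, 0x20, 0x40, 0x80}

Region = namedtuple("Region", "base size mem_type protect state usage")

def parse_windbg_address(text):
    """Parse the block printed by windbg's `!address <addr>` into a Region."""
    hdr = re.search(r"^\s*[0-9a-f]+\s*:\s*([0-9a-f]+)\s*-\s*([0-9a-f]+)", text, re.M | re.I)
    if not hdr:
        raise ValueError("no region header line found")
    vals = {}
    for key in ("Type", "Protect", "State"):
        m = re.search(rf"^\s*{key}\s+([0-9a-f]+)", text, re.M | re.I)
        vals[key] = int(m.group(1), 16) if m else 0
    usage = re.search(r"^\s*Usage\s+(\S+)", text, re.M)
    return Region(int(hdr.group(1), 16), int(hdr.group(2), 16), vals["Type"],
                  vals["Protect"], vals["State"], usage.group(1) if usage else "")

def describe(r):
    """Human-readable summary; the low byte of Protect is the base page protection."""
    return "%08x-%08x %s %s %s %s" % (r.base, r.base + r.size,
        MEM_TYPES.get(r.mem_type, "?"), PAGE_PROTECT.get(r.protect & 0xFF, "?"),
        MEM_STATES.get(r.state, "?"), r.usage)

def is_unbacked_executable_map(r):
    """Committed, executable section view (MEM_MAPPED) that no module owns.
    Code backed by a loaded image is MEM_IMAGE and therefore does not match."""
    return (r.mem_type == 0x40000 and r.state == 0x1000
            and (r.protect & 0xFF) in EXEC_PROTECT and r.usage == "RegionUsageIsVAD")

def olly_item_is_unowned_map(text):
    """Same test on an OllyDbg 'Memory map, item N' block: Type=Map owned by itself."""
    owner = re.search(r"^\s*Owner=\s*([0-9a-f]+)\s*\(itself\)", text, re.M | re.I)
    return bool(owner) and re.search(r"^\s*Type=\s*Map\b", text, re.M) is not None

# Samples copied from the windbg and OllyDbg output quoted in this thread.
WINDBG_SAMPLE = ("0:000> !address 1570000\n01570000 : 01570000 - 000c7000\n"
                 "Type 00040000 MEM_MAPPED\nProtect 00000020 PAGE_EXECUTE_READ\n"
                 "State 00001000 MEM_COMMIT\nUsage RegionUsageIsVAD\n")
OLLY_SAMPLE = ("Memory map, item 205\n Address=01610000\n Size=     00080000 (524288.)\n"
               " Owner=  01610000 (itself)\n Section=\n Type=Map  00041020\n Access= R E\n")
```

Running `describe(parse_windbg_address(WINDBG_SAMPLE))` reproduces the region exactly as windbg classified it, and both samples pass the unowned-map test.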

  9. #9
    Thanks blabberer, you were right.

    I found out where the map has been created. Nevertheless I still wondered how this map could contain all strings that the program uses. It took me a bit of time to notice that I was faced with managed code. Then I found all the information I needed.

    Thank you all very much for your help.
    I learned a lot within the past week.

    Best regards
    darkelf

  10. #10
    Super Moderator
    I found out where the map has been created. Nevertheless I still wondered how this map could contain all strings that the program uses. I took me a bit of time to notice, that I was faced with managed code. Then I found all the information I needed

    well we could use some of the information too :P

    a brief (may be obfuscated/generalized if it can't be specific) account of what you looked for and how you managed to get what you looked for and how the answers above played some part in your findings could be useful for future searchers

  11. #11
    Oooops, sorry - of course I will give the information how I reached my goal.
    I will redo what I did and take some notes this time, because I'm sometimes a bit uhmm, unorganized. I will do my very best to make it in notime.
    I will edit this post then.

    Best regards
    darkelf

  12. #12
    Administrator dELTA
    Is notime really longer than 5 days?

  13. #13
    Uhhmmmm, let me think: eternity minus 5 days equals...

    No, serious I'm sorry again. I've been awfully busy these days. I promise I will collect all the information on this problem as soon as I have a bit of time. So cut me some slack please (with sugar on top).

    Best regards
    darkelf

  14. #14
    Administrator dELTA
    I'm not sure about the sugar, but I guess a few more days than the already passed 13 days will be acceptable...

  15. #15
    Just to let you know - I haven't forgotten that.
    Right now, I'm busy with something different, but I will get back to that ASAP.

    darkelf
