
Thread: revealing the consumption of PE's by Windows.

  1. #1 BanMe (joined Oct 2008, Farmington NH, 510 posts)


    So I guess I'm an in-betweener, whereas I love code and use RE to get what's needed done, so this lands me with quite a few people, but being a hobbyist with no real education in these areas, I still don't grasp it all yet..

    So what I would like to discuss is the area that both share,
    where coding is used to produce a PE and RE is used to analyze that PE..

    I remember a paper about dawn to dusk, execution of an exe..

    Is there a dawn to dusk analysis of the consumption of a PE before and after execution ?

    I ask this because there is a special case in ntdll for handling SecServ.dll loading and reading specific segments, but that was the rabbit, not the hole.

    Ok, in the future I will post the reference to 'background' materials. ..
    Last edited by BanMe; January 2nd, 2011 at 17:40.
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

  2. #2 Kayaker (joined Oct 2000, 4,067 posts)
    Quote Originally Posted by BanMe:
        I remember a paper about dawn to dusk, execution of an exe..

    Yeah I remember that. For reference:

    http://www.cs.miami.edu/~burt/journal/NT/processinit.html

  3. #3 Kayaker (joined Oct 2000, 4,067 posts)
    What kind of thing are you looking for (Last edited by) BanMe? I mean, I'm sure you know about the Windows Research Kernel. So I'm thinking.. use it plus maybe that article and any others to map out all the known steps that can be picked out from PE inception -> PE death.

    Then use WinDbg or SoftICE to delve in/around/under/behind the various areas in search of your quest. Easier written than done of course, but other than that I have no clue..

    Please define "consumption of a PE before and after execution"

  4. #4 BanMe (joined Oct 2008, Farmington NH, 510 posts)
    hahaha, good answer
    This is what I've been doing (just lost the fire for a bit, it got very cold) and don't think Sin32 has died, it's been rewritten into asm (I've removed all traces of Boomerang as that made it more complicated than I could handle.. I'm in productive testing of the data that is returned by the GpParse routine (in GCBE by indy))... To add to my TLS expedition, the Ldr routines for TlsData expect the .tls to look like the actual PE directory, though the '.tls' section can be of any size; only the initial portion of it is examined, if present, to accurately inform the Ldr of TlsData.. but what matters even more now is the call to LdrpInitializeTlsForThread, and controlling the values passed to it.

    "The consumption of a PE"

    Means that a PE is broken down into multiple sections that describe certain aspects of that specific file, as described above with TLS; some circumstances require further information from the PE, like image relocations, which seem to be of interest atm, but there's gotta be other things where the PE is examined and parts are used in order to complete other tasks.

    lol at my false assumptions just upon reading the PE docs... that's some good stuff.. thank you.

    Finally about to answer the ' define "consumption of a PE before and after execution" '

    Well, I view it as: in a 'process' we have an address space and the main logic to the startup of the program. This file on disk is loaded by the Windows loader; what the necessary path must be to take advantage of these features, this is my goal. The means I use to accomplish my goals aren't conventional.. nor are they 'safe' or even correct at times.. But live, learn, love.. this be my 'ends'.
    Last edited by BanMe; January 18th, 2011 at 14:24.
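Post #4 names two places where the loader consumes parts of a PE: the TLS directory (found through the data directory, not by reading the whole .tls section) and the base relocations. The program below is an added example written for this thread; it is not code from the thread, from BanMe's Sin32/GCBE work, or from ntdll. It redefines only the PE32+ header fields it needs at their winnt.h offsets so it builds without windows.h, constructs a small mapped image in memory (a hypothetical sample, with RVA == offset as after mapping), then counts the TLS callbacks the way the loader locates them and applies IMAGE_REL_BASED_DIR64 fixups for a load at a different base. All function names (nt_headers, data_dir, tls_callback_count, apply_relocations, build_sample_image, read_u64) are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Minimal PE32+ layouts at winnt.h offsets, so this compiles without windows.h;
 * fields the parser never reads are collapsed into padding. */
#define IMAGE_DOS_SIGNATURE 0x5A4D
#define IMAGE_NT_SIGNATURE  0x00004550
#define DIR_BASERELOC 5   /* IMAGE_DIRECTORY_ENTRY_BASERELOC */
#define DIR_TLS       9   /* IMAGE_DIRECTORY_ENTRY_TLS */
#define REL_ABSOLUTE  0   /* IMAGE_REL_BASED_ABSOLUTE: alignment padding, skipped */
#define REL_DIR64     10  /* IMAGE_REL_BASED_DIR64: add the load delta to a 64-bit pointer */
#define SAMPLE_LEN    0x600
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; } DosHeader;
typedef struct { uint32_t VirtualAddress, Size; } DataDir;
typedef struct {                                  /* IMAGE_NT_HEADERS64, 264 bytes */
    uint32_t Signature; uint8_t FileHeader[20];
    uint16_t Magic; uint8_t pad1[22]; uint64_t ImageBase; uint8_t pad2[76];
    uint32_t NumberOfRvaAndSizes; DataDir DataDirectory[16];
} NtHeaders64;
typedef struct {                                  /* IMAGE_TLS_DIRECTORY64, 40 bytes */
    uint64_t StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex, AddressOfCallBacks;
    uint32_t SizeOfZeroFill, Characteristics;
} TlsDirectory64;
typedef struct { uint32_t VirtualAddress, SizeOfBlock; } BaseRelocBlock;
#pragma pack(pop)
/* Validate MZ/PE signatures and bounds before trusting any other header field. */
static const NtHeaders64 *nt_headers(const uint8_t *img, size_t len) {
    DosHeader dos;
    if (len < sizeof dos) return NULL;
    memcpy(&dos, img, sizeof dos);
    if (dos.e_magic != IMAGE_DOS_SIGNATURE || dos.e_lfanew > len ||
        len - dos.e_lfanew < sizeof(NtHeaders64)) return NULL;
    const NtHeaders64 *nt = (const NtHeaders64 *)(img + dos.e_lfanew);
    return (nt->Signature == IMAGE_NT_SIGNATURE && nt->Magic == 0x20B) ? nt : NULL;
}
/* Fetch one data-directory entry: 1 if present and inside the image, else 0. */
static int data_dir(const uint8_t *img, size_t len, unsigned idx, uint32_t *rva, uint32_t *size) {
    const NtHeaders64 *nt = nt_headers(img, len);
    if (!nt || idx >= nt->NumberOfRvaAndSizes) return 0;
    *rva = nt->DataDirectory[idx].VirtualAddress; *size = nt->DataDirectory[idx].Size;
    return *rva != 0 && *rva < len && len - *rva >= *size;
}
/* Walk the TLS directory the way the loader does: the data-directory entry (not the .tls section)
 * locates IMAGE_TLS_DIRECTORY; AddressOfCallBacks is an absolute VA of a zero-terminated VA array. */
int tls_callback_count(const uint8_t *img, size_t len) {
    uint32_t rva, size; TlsDirectory64 tls; uint64_t base, off, cb; int n = 0;
    if (!data_dir(img, len, DIR_TLS, &rva, &size) || size < sizeof tls) return -1;
    memcpy(&tls, img + rva, sizeof tls);
    if (tls.AddressOfCallBacks == 0) return 0;
    base = nt_headers(img, len)->ImageBase;       /* data_dir succeeded, so headers are valid */
    if (tls.AddressOfCallBacks < base) return -1;
    for (off = tls.AddressOfCallBacks - base; off + 8 <= len; off += 8, n++) {
        memcpy(&cb, img + off, 8); if (cb == 0) return n;
    }
    return -1;                                    /* array runs off the end of the image */
}
/* Apply base relocations for a load at new_base: returns fixups applied, -1 if malformed. */
int apply_relocations(uint8_t *img, size_t len, uint64_t new_base) {
    const NtHeaders64 *nt = nt_headers(img, len);
    uint32_t rva, size; int applied = 0; if (!nt) return -1;
    if (!data_dir(img, len, DIR_BASERELOC, &rva, &size) || new_base == nt->ImageBase) return 0;
    uint64_t delta = new_base - nt->ImageBase;    /* nothing to do when loaded at the preferred base */
    for (size_t pos = rva, end = rva + size; pos + sizeof(BaseRelocBlock) <= end; ) {
        BaseRelocBlock blk; memcpy(&blk, img + pos, sizeof blk);
        if (blk.SizeOfBlock < sizeof blk || blk.SizeOfBlock > end - pos) return -1;
        for (size_t i = sizeof blk; i + 2 <= blk.SizeOfBlock; i += 2) {
            uint16_t e; uint64_t v; memcpy(&e, img + pos + i, 2);
            size_t target = (size_t)blk.VirtualAddress + (e & 0xFFF);
            if ((e >> 12) == REL_ABSOLUTE) continue;
            if ((e >> 12) != REL_DIR64 || target + 8 > len) return -1;
            memcpy(&v, img + target, 8); v += delta; memcpy(img + target, &v, 8); applied++;
        }
        pos += blk.SizeOfBlock;
    }
    return applied;
}
uint64_t read_u64(const uint8_t *img, size_t off) { uint64_t v; memcpy(&v, img + off, 8); return v; }
/* Constructed sample: a mapped PE32+ image (RVA == offset) with a TLS directory naming two
 * callbacks, and one relocation block covering every absolute pointer the image contains. */
void build_sample_image(uint8_t *img) {
    DosHeader dos = {0}; NtHeaders64 nt = {0}; TlsDirectory64 tls = {0};
    uint64_t cbs[3] = {0x140000580ULL, 0x1400005C0ULL, 0};   /* callback VAs, then terminator */
    BaseRelocBlock blk = {0, 24};                              /* page 0, eight 2-byte entries */
    uint16_t ent[8] = {REL_DIR64 << 12 | 0x200, REL_DIR64 << 12 | 0x208, REL_DIR64 << 12 | 0x210,
                       REL_DIR64 << 12 | 0x218, REL_DIR64 << 12 | 0x300, REL_DIR64 << 12 | 0x308, 0, 0};
    memset(img, 0, SAMPLE_LEN); dos.e_magic = IMAGE_DOS_SIGNATURE; dos.e_lfanew = sizeof dos;
    nt.Signature = IMAGE_NT_SIGNATURE; nt.Magic = 0x20B; nt.ImageBase = 0x140000000ULL;
    nt.NumberOfRvaAndSizes = 16; nt.DataDirectory[DIR_TLS] = (DataDir){0x200, sizeof tls};
    nt.DataDirectory[DIR_BASERELOC] = (DataDir){0x500, sizeof blk + sizeof ent};
    tls.StartAddressOfRawData = 0x140000400ULL; tls.EndAddressOfRawData = 0x140000410ULL;
    tls.AddressOfIndex = 0x140000410ULL; tls.AddressOfCallBacks = 0x140000300ULL;
    memcpy(img, &dos, sizeof dos); memcpy(img + sizeof dos, &nt, sizeof nt);
    memcpy(img + 0x200, &tls, sizeof tls); memcpy(img + 0x300, cbs, sizeof cbs);
    memcpy(img + 0x500, &blk, sizeof blk); memcpy(img + 0x508, ent, sizeof ent);
}
int main(void) {                                  /* stand-alone demo on the constructed image */
    static uint8_t img[SAMPLE_LEN]; build_sample_image(img);
    printf("TLS callbacks: %d\n", tls_callback_count(img, SAMPLE_LEN));
    printf("fixups applied: %d\n", apply_relocations(img, SAMPLE_LEN, 0x7FF600000000ULL));
    printf("first callback now 0x%llx\n", (unsigned long long)read_u64(img, 0x300)); return 0;
}
```

Two details mirror what the thread is chasing: the callback array and the pointer fields inside IMAGE_TLS_DIRECTORY hold absolute VAs, so the relocation block must cover them before LdrpInitializeTlsForThread could use them at a non-preferred base, and the example counts callbacks before relocating because it resolves VAs against the header's ImageBase. Every read is bounds-checked against the image length, which is the habit to keep when the input is an untrusted file rather than a sample you built yourself.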
