Page 1 of 2 12 LastLast
Results 1 to 15 of 22

Thread: Reconstruct PE file from process memory (and save to disk)

  1. #1

    Reconstruct PE file from process memory (and save to disk)

    Hello there,

    First of all I would like to say Im at the new to RCE and I want to learn more and more.Im currently curious is there any way we can save module from process memory to disk (and that should be valid PE file) and later load it (maybe with some custom loader) into our process and examine functions (exports - also using custom "GetProcAddress")?Also I would like to let you guys know that Im not familiar with Python at all and I also examined couple of solutions written in P, so C/C++ would be nice!

    Thanks,
    C

  2. #2
    Registered User
    Join Date
    Dec 2005
    Posts
    216
    Blog Entries
    5
    We call the process "Dumping" a file, or "exe dumping", "executable dumping"... The tools are referred to as "Exe Dumpers". I suggest you look into a tool called PETools.

    -rendari

  3. #3
    Thank you very much for your response rendari!
    I know for PE Tools alrady took a look at that.However I couldn't make it running on my Windows Server 2008 Enterprise machine, and as you already know its open source but in certain conditions ) Omg when I saw that I couldnt stop laughing...Correct me if Im woring but I have never seen (for almost 5 years of programming ) that someone is selling source code...

    Nevertheless I alrady tried TitanEngine and seems I could dump quite valid PE file but when I opende it in bin editor there were a lot of differences...(also dumped PE file is bigger, can not be loaded via LoadLibrary, exports can not be obtained via GetProcAddress)...So there are many related problems...And guys from www.reversinglabs.com didnt validated my email (for signup) for almost 30 hours so I can not join their forum so Im stuck...Thats why Im here asking you guys for help.


    Regards,
    C

  4. #4
    The differences could be caused by multiple things..like...

    File alignment
    Extra section used for imports (rebuilding) eg: From using imprec
    Compression used (upx for example) where the dumped image will contain the decompressed code / data (if dumped at the right time etc..)
    and many other reasons...

    Just dumping from memory is not the end of the job..at best the dump may run on your pc or another with a different os..but when run on another os it will probably crash..
    Nowadays with aslr etc theres a higher chance the dump probably won't work on the pc it was dumped from (especially after a reboot)..

    Generally the step is..

    Dump
    Rebuild imports
    Clean up PE file (remove crap, align etc.. )

    For other protections you might have to do more steps like..

    Dump and rebuild resources,
    Dump file(s) (if a file virtualiser is used.. Eg: molebox, starforce, securom dfa etc..) and maybe the same for any virtualised registry keys
    Rebuild functions that have been vm'ed
    Trip, catch and dump encrypted code functions (ccc's)
    Test, test and test some more...
    Last edited by evlncrn8; July 11th, 2011 at 14:25.

  5. #5
    evlncrn8 thank you very much for this response!! A lot of details I must admit!I will consider these steps and I would like to point out I was asking about a basic scenario (without packers etc.) some ordinary dll or executable found on system (to make things simpler).

    Once again thanks for responses!!

    Regards,
    C

  6. #6
    Civa, one thing that you might do to help us help you, is to run a tool like PEID, or DiE on the application that you want to dump, and report if it identifies any packers, or protections.

    Then, you'll get more specialized answers.

  7. #7
    Frank thanks for the reply!As I mentioned earlier I dont consider packed,compressed or special images.I just need step-by-step explanation how can process memory be dumped to hard disk (from process memory) assuming we are targeting some module (user32.dll for example) with valid base address and which have common data (very very basic scenario).

    However I examined a lot of source code lately and I just cant understand why I can not dump sections properly to disk(except TitanEngine and thats complex code for me I just wanted to make things clear with more simpler code).

    This is function which does dumping :

    Code:
    bool SaveToFile(const BE_MODULEINFO * modInfo,TCHAR * filename)
    {	
    	PIMAGE_NT_HEADERS pNTHeader = NULL;
    	ULONG_PTR plImageBase = (ULONG_PTR)modInfo->lpBaseOfDll;
    	TCHAR xml[MAX_PATH];
    	TCHAR dir[MAX_PATH];
    	char msg[4098];
    
    	// only dump executable images
    	__try {
            PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)plImageBase;
            if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
                return false;
            }
    
            pNTHeader = (PIMAGE_NT_HEADERS)((PBYTE)pDosHeader +
                                                              pDosHeader->e_lfanew);
            if (pNTHeader->Signature != IMAGE_NT_SIGNATURE) {
                return false;
            }        
        } __except(EXCEPTION_EXECUTE_HANDLER) {
           return false;
        }
    	
    	int numSections = pNTHeader->FileHeader.NumberOfSections;
    
    	PIMAGE_SECTION_HEADER section = (PIMAGE_SECTION_HEADER)(pNTHeader + 1);		
    
    	// the section header ends here, from here to the start of the first section, we can fill zeros
    	PBYTE pLastSectionEnd = (PBYTE)(section + numSections); 
     
    	ULONG file_alignment = pNTHeader->OptionalHeader.FileAlignment;	
    
    	// write into a file
    	FILE* stream = fopen(filename, "w+b" );
    	if (stream == NULL ) {
    	   return false;
    	}			
    
    	sprintf(msg,"pbImageBase : 0x%x, first section starts at offset: 0x%x\n", plImageBase, section->PointerToRawData);
    	OutputDebugString(msg);
    
    	// write out header
    	DWORD headerLen = (DWORD)pLastSectionEnd-(DWORD)plImageBase;
    	DWORD numwritten = fwrite( (VOID*)plImageBase, 1, headerLen, stream );
    	if (numwritten != headerLen) {
    		sprintf(msg,"fwrite error, file: %s\n", filename);
    		OutputDebugString(msg);
    	}
    
    	// fill zeros upto the start of the first section
    	char zero = 0;
    	for (int i=headerLen; i<section->PointerToRawData; i++) { // roundUp(section->PointerToRawData, file_alignment)
    		fwrite( &zero, 1, 1, stream );
    	}
    
    	MEMORY_BASIC_INFORMATION mbi;
    	VirtualQuery((VOID*)plImageBase, &mbi, sizeof(mbi));
    	bool isMapped;
    	
    	isMapped = (mbi.Type == MEM_IMAGE);
    
    	// write each section 
           //I just dont get this part here : What should be done to make these sections fixed
    	for (int i=0; i<numSections; i++) {
    		ULONG_PTR buf;
    		if (isMapped) {
    			buf = plImageBase + section->VirtualAddress;
    		} else {
    			buf = plImageBase + section->PointerToRawData;					
    		}
    
    		sprintf(msg, "Writing section - Name: %s, buf: 0x%x, Size: 0x%x, PointerToRawData: 0x%x, Type: 0x%x\n", 
    			section->Name, buf, section->SizeOfRawData, section->PointerToRawData, mbi.Type);
    
    		OutputDebugString(msg);
    
    		numwritten = fwrite((VOID*)buf, 1, section->SizeOfRawData, stream);
    
    		if (numwritten != section->SizeOfRawData) {
    			sprintf(msg,"fwrite error, file: %s\n", filename);
    			OutputDebugString(msg);
    		}		
    
    		section ++;
    	}
    
           //rest of code ommited for clarity....
    }
    If someone can help me with this and provide some explanations at least for fixing sections before I write them to file and also point what is here wrong and what is correct...I will try to find out myself how to fix import, export table after extracting takes a place in order to have image on disk which can be examined further.

    Thank you very much!

    Regards,
    C

  8. #8
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,512
    Blog Entries
    15
    a bare minimum exe executed and a bare minimum patch done to a bare minimum dump of process memory

    exe used iczelions tut 02 msgbox.exe

    dumper is .writemem in windbg dumped the whole memory range as is where is

    patched some bare minimum bytes (3 bytes actually) (learn and seek what are they and why should they be patched) to make the exe run

    Code:
    civa:\>dir msg*
     Volume in drive C has no label.
     Volume Serial Number is 2C5E-367A
    
     Directory of C:\Program Files\Debugging Tools for Windows (x86)\civa
    
    07/13/2011  07:16 PM             2,560 msgbox.exe
    07/13/2011  11:15 PM            16,384 msgbox_dump.exe 
                   2 File(s)         18,944 bytes
                   0 Dir(s)  14,543,630,336 bytes free



    Code:
    C:\>cd "Program Files"
    
    C:\Program Files>cd "Debugging Tools for Windows (x86)"
    
    C:\Program Files\Debugging Tools for Windows (x86)>md civa
    
    C:\Program Files\Debugging Tools for Windows (x86)>cd civa
    
    C:\Program Files\Debugging Tools for Windows (x86)\civa>prompt civa:\$g
    
    civa:\>dir /b
    
    civa:\>copy c:\msgbox.exe .
            1 file(s) copied.
    
    civa:\>dir /b
    msgbox.exe
    
    civa:\>..\..\GnuWin32\bin\file msgbox.exe
    msgbox.exe; PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    
    civa:\>msgbox.exe
    
    civa:\>..\cdb.exe -c ".writemem msgbox_dump.exe 0x400000 L?4000;q" -pn msgbox.ex
    e
    
    Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    *** wait with pending attach
    Symbol search path is: SRV*Z:\symbols\*
    Executable search path is:
    ModLoad: 00400000 00404000   C:\Program Files\Debugging Tools for Windows (x86)\
    civa\msgbox.exe
    ModLoad: 7c900000 7c9af000   C:\WINDOWS\system32\ntdll.dll
    ModLoad: 7c800000 7c8f6000   C:\WINDOWS\system32\kernel32.dll
    ModLoad: 7e410000 7e4a1000   C:\WINDOWS\system32\user32.dll
    ModLoad: 77f10000 77f59000   C:\WINDOWS\system32\GDI32.dll
    ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
    ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\ADVAPI32.dll
    ModLoad: 77e70000 77f02000   C:\WINDOWS\system32\RPCRT4.dll
    ModLoad: 77fe0000 77ff1000   C:\WINDOWS\system32\Secur32.dll
    ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
    (520.2a4): Break instruction exception - code 80000003 (first chance)
    eax=7ffdf000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
    eip=7c90120e esp=008bffcc ebp=008bfff4 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
    ntdll!DbgBreakPoint:
    7c90120e cc              int     3
    0:001> cdb: Reading initial command '.writemem msgbox_dump.exe 0x400000 L?4000;q
    '
    Writing 4000 bytes........
    quit:
    
    civa:\>dir /b
    msgbox.exe
    msgbox_dump.exe
    
    civa:\>copy c:\gpatch.exe .
            1 file(s) copied.
    
    civa:\>dir /b
    gpatch.exe
    msgbox.exe
    msgbox_dump.exe
    
    
    civa:\>gpatch.exe msgbox_dump.exe /i445 /h"10"
    GPATCH 2.0 - File Patching Utility
    Copyright (C) 2002-2010 by Greg Wittmeyer - All Rights Reserved
    
    Replaced 1 byte at index 445 in file "C:\Program Files\Debugging Tools for
    Windows (x86)\civa\msgbox_dump.exe" with "►"
    
    
    
    civa:\>gpatch.exe msgbox_dump.exe /i485 /h"20"
    GPATCH 2.0 - File Patching Utility
    Copyright (C) 2002-2010 by Greg Wittmeyer - All Rights Reserved
    
    Replaced 1 byte at index 485 in file "C:\Program Files\Debugging Tools for
    Windows (x86)\civa\msgbox_dump.exe" with " "
    
    civa:\>gpatch.exe msgbox_dump.exe /i525 /h"30"
    GPATCH 2.0 - File Patching Utility
    Copyright (C) 2002-2010 by Greg Wittmeyer - All Rights Reserved
    
    Replaced 1 byte at index 525 in file "C:\Program Files\Debugging Tools for
    Windows (x86)\civa\msgbox_dump.exe" with "0"
    
    
    civa:\>msgbox_dump.exe
    
    civa:\>

  9. #9
    Thanks blabberer !!

    I Like the way you formatted console & debugger output ))
    I will consider this of course!!

    Cheers,

    C

  10. #10
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,512
    Blog Entries
    15
    Code:
    C:\>systeminfo | findstr /b /i /c:"os name" /c:"os version"
    OS Name:                   Microsoft Windows XP Professional
    OS Version:                5.1.2600 Service Pack 3 Build 2600
    
    C:\>C:\WINDOWS\system32\cmd.exe /k C:\WinDDK\7600.16385.1\bin\setenv.bat C:\WinD
    DK\7600.16385.1\  fre x86 WLH
    OACR monitor running already
    
    C:\WinDDK\7600.16385.1>md civa & cd civa & prompt civa:\$g
    
    civa:\>dir /b & copy f:\masm32\icztutes\tute02\test\msgbox.asm . & dir /b
            1 file(s) copied.
    msgbox.asm
    
    civa:\>type msgbox.asm
    .386
    .model flat, stdcall
    option casemap:none
    include f:\masm32\include\windows.inc
    include f:\masm32\include\kernel32.inc
    include f:\masm32\include\user32.inc
    includelib f:\masm32\lib\user32.lib
    includelib f:\masm32\lib\kernel32.lib
    
    .data
    MsgCaption      db "Iczelion's tutorial no.2",0
    MsgBoxText      db "Win32 Assembly is Great!",0
    
    .code
    start:
            invoke MessageBox, NULL,addr MsgBoxText, addr MsgCaption, MB_OK
            invoke ExitProcess,NULL
    end start
    
    civa:\>ml /c /coff msgbox.asm
    Microsoft (R) Macro Assembler Version 9.00.30729.207 <--- brand new shiny ml 
    Copyright (C) Microsoft Corporation.  All rights reserved.
    
     Assembling: msgbox.asm
    f:\masm32\include\windows.inc(17530) : error A2138:invalid data initializer  get latest
     windows.inc from hutch and replace old (windows.inc is now 
    2 files look at masm32 subforum 
    
    civa:\>ml /c /coff msgbox.asm
    Microsoft (R) Macro Assembler Version 9.00.30729.207
    Copyright (C) Microsoft Corporation.  All rights reserved.
    
     Assembling: msgbox.asm
    
    civa:\>dir /b
    msgbox.asm
    msgbox.obj
    
    civa:\>Link /SUBSYSTEM:WINDOWS /ALIGN:4096 /FILEALIGN:4096 "msgbox.obj"
    Microsoft (R) Incremental Linker Version 9.00.30729.207
    Copyright (C) Microsoft Corporation.  All rights reserved.
    
    LINK : warning LNK4108: /ALIGN specified without /DRIVER; image may not run
    
    civa:\>dir /b
    msgbox.asm
    msgbox.exe
    msgbox.obj
    
    civa:\>dir msgbox.exe
     Volume in drive C has no label.
     Volume Serial Number is 9836-92E3
    
     Directory of C:\WinDDK\7600.16385.1\civa
    
    14/07/2011  11:11            16,384 msgbox.exe
                   1 File(s)         16,384 bytes
                   0 Dir(s)   3,541,442,560 bytes free
    
    civa:\>msgbox.exe
    
    civa:\>msgbox.exe
    
    civa:\>f:\windbg\cdb.exe -c ".writemem msgbox_dump.exe 0x400000 L?4000
    ;q" -pn msgbox.exe
    
    Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    *** wait with pending attach
    Symbol search path is: SRV*F:\symbols*http://msdl.microsoft.com/download/symbols
    
    Executable search path is:
    ModLoad: 00400000 00404000   C:\WinDDK\7600.16385.1\civa\msgbox.exe
    ModLoad: 7c900000 7c9b2000   C:\WINDOWS\system32\ntdll.dll
    ModLoad: 7c800000 7c8f6000   C:\WINDOWS\system32\kernel32.dll
    ModLoad: 64d00000 64d34000   C:\Program Files\Alwil Software\Avast5\snxhk.dll
    ModLoad: 7e410000 7e4a1000   C:\WINDOWS\system32\user32.dll
    ModLoad: 77f10000 77f59000   C:\WINDOWS\system32\GDI32.dll
    ModLoad: 76390000 763ad000   C:\WINDOWS\system32\IMM32.DLL
    ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\ADVAPI32.dll
    ModLoad: 77e70000 77f02000   C:\WINDOWS\system32\RPCRT4.dll
    ModLoad: 77fe0000 77ff1000   C:\WINDOWS\system32\Secur32.dll
    ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
    ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
    ModLoad: 74720000 7476c000   C:\WINDOWS\system32\MSCTF.dll
    ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\apphelp.dll
    ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
    ModLoad: 774e0000 7761d000   C:\WINDOWS\system32\ole32.dll
    ModLoad: 605d0000 605d9000   C:\WINDOWS\system32\mslbui.dll
    ModLoad: 77120000 771ab000   C:\WINDOWS\system32\OLEAUT32.DLL
    (c24.920): Break instruction exception - code 80000003 (first chance)
    eax=7ffdf000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
    eip=7c90120e esp=003effcc ebp=003efff4 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
    ntdll!DbgBreakPoint:
    7c90120e cc              int     3
    0:001> cdb: Reading initial command '.writemem msgbox_dump.exe 0x400000 L?4000;q
    '
    Writing 4000 bytes........
    quit:
    
    civa:\>dir /b
    msgbox.asm
    msgbox.exe
    msgbox.obj
    msgbox_dump.exe
    
    civa:\>dir msgbox*.exe
     Volume in drive C has no label.
     Volume Serial Number is 9836-92E3
    
     Directory of C:\WinDDK\7600.16385.1\civa
    
    14/07/2011  11:11            16,384 msgbox.exe
    14/07/2011  11:14            16,384 msgbox_dump.exe
                   2 File(s)         32,768 bytes
                   0 Dir(s)   3,541,426,176 bytes free
    
    civa:\>fc /b msgbox.exe msgbox_dump.exe
    Comparing files msgbox.exe and MSGBOX_DUMP.EXE
    00002000: 76 12
    00002001: 20 CB
    00002002: 00 81
    00002003: 00 7C
    00002008: 5C EA
    00002009: 20 07
    0000200A: 00 45
    0000200B: 00 7E
    
    civa:\>msgbox_dump.exe
    
    civa:\>
    
     voila dump and run without any patch :)  btw why does it run even when there are obvious differences ? find answer 
    
    civa:\>cd ..
    
    civa:\>rd /s /q civa
    
    civa:\>
    have some more fun running a directly process memory dumped exe with no patches whatsoever
    Last edited by blabberer; July 25th, 2011 at 04:51. Reason: broke some long lines

  11. #11
    Brand new shiny ml.exe would be v10 would it not? :-)

  12. #12
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,512
    Blog Entries
    15
    yep may be v10 didnt realise vs 2010 might have a newer ml wdk for win7 had 9

    anyway

    does any one know how to make vs 2008 emit e8 and jump table instead of ff15 type of call ??

    see below for an example ml generates the inefficient type aka e8 and jump table
    vs emits call dword aka ff15 type of calls

    Code:
    F:\windbg\>cdb -c "u 401000 la ;q"  "f:\masm32\icztutes\tute02\msgbox.e
    xe" | findstr 4010.
    0:000> cdb: Reading initial command 'u 401000 la ;q'
    00401000 6a00            push    0
    00401002 6800304000      push    offset image00400000+0x3000 (00403000)
    00401007 6819304000      push    offset image00400000+0x3019 (00403019)
    0040100c 6a00            push    0
    0040100e e807000000      call    image00400000+0x101a (0040101a)
    00401013 6a00            push    0
    00401015 e806000000      call    image00400000+0x1020 (00401020)
    0040101a ff2508204000    jmp     dword ptr [image00400000+0x2008 (00402008)]
    00401020 ff2500204000    jmp     dword ptr [image00400000+0x2000 (00402000)]
    00401026 0000            add     byte ptr [eax],al
    
    F:\windbg\>cdb -c "u 401000 L10;q"  "c:\Documents and Settings\Admin\My
     Documents\Visual Studio 2008\Projects\VC8TEST\Release\VC8TEST.exe"  | findstr 0
    04010.
    00401000 6a00            push    0
    00401002 6800304000      push    offset image00400000+0x3000 (00403000)
    00401007 681c304000      push    offset image00400000+0x301c (0040301c)
    0040100c 6a00            push    0
    0040100e ff1508204000    call    dword ptr [image00400000+0x2008 (00402008)]
    00401014 6a00            push    0
    00401016 ff1500204000    call    dword ptr [image00400000+0x2000 (00402000)]
    0040101c cc              int     3
    0040101d 0000            add     byte ptr [eax],al
    0040101f 0000            add     byte ptr [eax],al
    00401021 0000            add     byte ptr [eax],al
    00401023 0000            add     byte ptr [eax],al
    00401025 0000            add     byte ptr [eax],al
    00401027 0000            add     byte ptr [eax],al
    00401029 0000            add     byte ptr [eax],al
    0040102b 0000            add     byte ptr [eax],al
    
    F:\windbg>
    also how to tell vs to align the char[] at 1 byte instead of 4 bytes ?

    notice 403019 and 40301c in listing

    Code:
    F:\windbg\>cdb -c "db 403000 l40 ;q"  "f:\masm32\icztutes\tute02\msgbox
    .exe" | findstr 4030.
    0:000> cdb: Reading initial command 'db 403000 l40 ;q'
    00403000  49 63 7a 65 6c 69 6f 6e-27 73 20 74 75 74 6f 72  Iczelion's tutor
    00403010  69 61 6c 20 6e 6f 2e 32-00 57 69 6e 33 32 20 41  ial no.2.Win32 A
    00403020  73 73 65 6d 62 6c 79 20-69 73 20 47 72 65 61 74  ssembly is Great
    00403030  21 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  !...............
    
    F:\windbg\>cdb -c "db 403000 L40;q"  "c:\Documents and Settings\Admin\M
    y Documents\Visual Studio 2008\Projects\VC8TEST\Release\VC8TEST.exe"  | findstr
    004030.
    00403000  49 63 7a 65 6c 69 6f 6e-27 73 20 74 75 74 6f 72  Iczelion's tutor
    00403010  69 61 6c 20 6e 6f 2e 32-00 00 00 00 57 69 6e 33  ial no.2....Win3
    00403020  32 20 41 73 73 65 6d 62-6c 79 20 69 73 20 47 72  2 Assembly is Gr
    00403030  65 61 74 21 00 00 00 00-00 00 00 00 00 00 00 00  eat!............
    
    F:\windbg\>

    the import section and .text section are fine

    Code:
    F:\windbg\>cdb -c "db 402000 La0;q"  "c:\Documents and Settings\Admin\M
    y Documents\Visual Studio 2008\Projects\VC8TEST\Release\VC8TEST.exe"  | findstr
    004020.
    00402000  12 cb 81 7c 00 00 00 00-ea 07 45 7e 00 00 00 00  ...|......E~....
    00402010  54 20 00 00 00 00 00 00-00 00 00 00 6a 20 00 00  T ..........j ..
    00402020  08 20 00 00 4c 20 00 00-00 00 00 00 00 00 00 00  . ..L ..........
    00402030  84 20 00 00 00 20 00 00-00 00 00 00 00 00 00 00  . ... ..........
    00402040  00 00 00 00 00 00 00 00-00 00 00 00 76 20 00 00  ............v ..
    00402050  00 00 00 00 5c 20 00 00-00 00 00 00 0e 02 4d 65  ....\ ........Me
    00402060  73 73 61 67 65 42 6f 78-41 00 55 53 45 52 33 32  ssageBoxA.USER32
    00402070  2e 64 6c 6c 00 00 19 01-45 78 69 74 50 72 6f 63  .dll....ExitProc
    00402080  65 73 73 00 4b 45 52 4e-45 4c 33 32 2e 64 6c 6c  ess.KERNEL32.dll
    00402090  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
    
    F:\windbg\>cdb -c "db 402000 la0 ;q"  "f:\masm32\icztutes\tute02\msgbox
    .exe" | findstr 4020.
    0:000> cdb: Reading initial command 'db 402000 la0 ;q'
    00402000  12 cb 81 7c 00 00 00 00-ea 07 45 7e 00 00 00 00  ...|......E~....
    00402010  54 20 00 00 00 00 00 00-00 00 00 00 6a 20 00 00  T ..........j ..
    00402020  08 20 00 00 4c 20 00 00-00 00 00 00 00 00 00 00  . ..L ..........
    00402030  84 20 00 00 00 20 00 00-00 00 00 00 00 00 00 00  . ... ..........
    00402040  00 00 00 00 00 00 00 00-00 00 00 00 76 20 00 00  ............v ..
    00402050  00 00 00 00 5c 20 00 00-00 00 00 00 9d 01 4d 65  ....\ ........Me
    00402060  73 73 61 67 65 42 6f 78-41 00 75 73 65 72 33 32  ssageBoxA.user32
    00402070  2e 64 6c 6c 00 00 80 00-45 78 69 74 50 72 6f 63  .dll....ExitProc
    00402080  65 73 73 00 6b 65 72 6e-65 6c 33 32 2e 64 6c 6c  ess.kernel32.dll
    00402090  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
    
    F:\windbg>
    Last edited by blabberer; July 25th, 2011 at 04:54.

  13. #13
    <script>alert(0)</script> disavowed's Avatar
    Join Date
    Apr 2002
    Posts
    1,281
    Quote Originally Posted by blabberer View Post
    does any one know how to make vs 2008 emit e8 and jump table instead of ff15 type of call ??
    http://msdn.microsoft.com/en-us/library/1b80826t(v=vs.80).aspx

  14. #14
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,512
    Blog Entries
    15
    ha i presume my question was wrongly formulated should have been more clearer
    like how to make cl.exe generate code that is same as ml.exe

    that is make cl generate

    Code:
    0040100E    E8 07000000    CALL    <JMP.&USER32.MessageBoxA>
    0040101A - FF25 08204000 JMP     NEAR DWORD PTR DS:[<&USER32.MessageBoxA>]
    instead of
    Code:
    0040100E  FF15 08204000  CALL    NEAR DWORD PTR DS:[<&USER32.MessageBoxA>]
    without any hacks just by using available compiler and or linker switches only

    Code:
    copy paste to a .txt rename it to .bat update cdb.exe path and run in a new folder 
    del disa.exe & del disa.obj & del disa.c & PING 1.1.1.1 -n 1 -w 3000 >NUL
    echo #include ^<windows.h^>						>>disa.c
    echo. 									>>disa.c
    echo char Msg[24]		= "Iczelion's tutorial no.2"; 				>>disa.c
    echo char Title[]		= "\0Win32 Assembly is Great!";			>>disa.c
    echo.									>>disa.c
    echo __declspec(naked) int WINAPI WinMain(	HINSTANCE hIstance,		>>disa.c
    echo						HINSTANCE hPrevInstance,	>>disa.c
    echo						LPSTR lpCmdLine,		>>disa.c
    echo						int nShowCmd		>>disa.c
    echo						) 			>>disa.c
    echo {									>>disa.c
    echo	MessageBox(NULL,^&Title[1],Msg, MB_OK);				>>disa.c
    echo.									>>disa.c
    echo		/*							>>disa.c
    echo		MessageBox(NULL,Title,Msg, MB_OK);			>>disa.c
    echo		ExitProcess(0);						>>disa.c
    echo		*/							>>disa.c
    echo.									>>disa.c
    echo		__asm							>>disa.c
    echo		{							>>disa.c
    echo			push MB_OK					>>disa.c
    echo			push OFFSET Msg				>>disa.c
    echo			push OFFSET Title	[1]				>>disa.c
    echo			push 0						>>disa.c
    echo			call MsgBox					>>disa.c
    echo			push 0						>>disa.c
    echo			call ExitProc					>>disa.c
    echo		MsgBox:							>>disa.c
    echo			jmp dword ptr [MessageBox]				>>disa.c
    echo 		Exitproc:							>>disa.c
    echo 		jmp dword ptr [ExitProcess]					>>disa.c
    echo		}							>>disa.c		
    echo }									>>disa.c
    
    "c:\Program Files\Microsoft Visual Studio 9.0\VC\bin\vcvars32.bat" & del *.obj & cl /O2 /c disa.c & link /ENTRY:WinMain disa.obj user32.lib kernel32.lib & f:\windbg\cdb -c "u 401000 L10;q" disa.exe | findstr 00401. & pause
    result
    Code:
    00401000 6a00            push    0
    00401002 6800304000      push    offset image00400000+0x3000 (00403000)
    00401007 6819304000      push    offset image00400000+0x3019 (00403019)
    0040100c 6a00            push    0
    0040100e ff1508204000    call    dword ptr [image00400000+0x2008 (00402008)]
    00401014 6a00            push    0
    00401016 6800304000      push    offset image00400000+0x3000 (00403000)
    0040101b 6819304000      push    offset image00400000+0x3019 (00403019)
    00401020 6a00            push    0
    00401022 e807000000      call    image00400000+0x102e (0040102e)
    00401027 6a00            push    0
    00401029 e806000000      call    image00400000+0x1034 (00401034)
    0040102e ff2508204000    jmp     dword ptr [image00400000+0x2008 (00402008)]
    00401034 ff2500204000    jmp     dword ptr [image00400000+0x2000 (00402000)]
    0040103a 0000            add     byte ptr [eax],al
    0040103c 0000            add     byte ptr [eax],al
    now tell me how to do this without __asm emits etc
    Last edited by blabberer; July 25th, 2011 at 04:55.

  15. #15
    Registered User
    Join Date
    Nov 2003
    Location
    .hr
    Posts
    40
    Quote Originally Posted by evlncrn8 View Post
    Brand new shiny ml.exe would be v10 would it not? :-)
    Nah, that would be JWASM :-)

    Quote Originally Posted by blabberer
    does any one know how to make vs 2008 emit e8 and jump table instead of ff15 type of call ??
    http://www.masm32.com/board/index.php?topic=6519.msg86461#msg86461
    I guess this is a hack . You could use your SED from gnuwin32 and hack it on the fly?

    Quote Originally Posted by blabberer
    also how to tell vs to align the char[] at 1 byte instead of 4 bytes ?
    In a structure? With "#pragma pack" http://msdn.microsoft.com/en-us/library/2e70t5y1(v=vs.80).aspx ( __declspec(align(x)) for "outer" alignment )

    on-topic:

    here's basic stuff that needs fixing (exe will execute on your machine):
    Code:
    int Fix()
    {
    	#define DumpAlign(dwValue)\
    	((dwValue-1|(pNth->OptionalHeader.FileAlignment)-1)+1)
    	#define PAGE_SIZE 0x1000
    
    	PIMAGE_DOS_HEADER pDosh=pImage;
    	PIMAGE_NT_HEADERS pNth;
    	PIMAGE_SECTION_HEADER pFirstSech;
    	
    	if (pDosh->e_magic!=IMAGE_DOS_SIGNATURE) return 0;
    	pNth=(PIMAGE_NT_HEADERS)((DWORD)pDosh+pDosh->e_lfanew);		
    	if (pNth->Signature!=IMAGE_NT_SIGNATURE) return 0;
    	DWORD NumSec=pNth->FileHeader.NumberOfSections;
    	
    	// fix size of headers
    	pNth->OptionalHeader.SizeOfHeaders=PAGE_SIZE;
    	
    	// zero out directories
    	pNth->OptionalHeader.FileAlignment=PAGE_SIZE;
    	pNth->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress=0;
    	pNth->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size=0;
    	pNth->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress=0;
    	pNth->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size=0;
    	
    	// fix raw=virtual
    	pFirstSech=(PIMAGE_SECTION_HEADER)((DWORD)pNth+sizeof(IMAGE_NT_HEADERS));
    	do {
    		pFirstSech->SizeOfRawData=DumpAlign(pFirstSech->Misc.VirtualSize);
    		pFirstSech->PointerToRawData=DumpAlign(pFirstSech->VirtualAddress);
    		pFirstSech++;
    	} while (NumSec--);
    
    	return 1;
    }

Similar Threads

  1. How to analyze the full dump memory file of a process
    By akovid in forum Advanced Reversing and Programming
    Replies: 8
    Last Post: August 13th, 2013, 10:31
  2. Mirroring a process in memory
    By Broomop in forum The Newbie Forum
    Replies: 2
    Last Post: January 18th, 2011, 00:53
  3. Debugger and process memory
    By Hex Blog in forum Blogs Forum
    Replies: 0
    Last Post: February 4th, 2008, 00:01
  4. unable to save changes in exe file by Ollydbg
    By blondakke in forum OllyDbg Support Forums
    Replies: 17
    Last Post: August 29th, 2006, 04:57
  5. Loading a second exe from memory(not from disk)
    By Piron in forum Malware Analysis and Unpacking Forum
    Replies: 2
    Last Post: April 9th, 2003, 01:34

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •