Page 1 of 2 12 LastLast
Results 1 to 15 of 25

Thread: Dynamical byte manipulation of win32 executables

  1. #1
    Harakiri
    Guest

    Dynamical byte manipulation of win32 executables

    Hello,

    i dont know if this belongs to here but i figured those in-the-known could probably help.

    Problem

    I need to manipulate a precompiled win32.exe on a *nix system - the tools i have is just byte wise manipulation (no recompile, no c or anything). I want to dynamically change one data field (variable) of the win32 executeable - however the pitfall i currently face is that the data length i change is dynamically too.

    Failed Theoretical Example

    I created a simple hello world C program with a global var data as char. I preset the value of the variable as "hello world" - after compiling i open up a hex editor found the offset and could dynamically change the string - however i could only replace the string with a value that has the same length (and bit wise) size.

    Therefor i made the variable static and said lets allocate 1000000000 bytes - well now my exe is always that big (tons of zeroes) so this aint an option too.

    Question
    Anyone has a good idea how i can dynamically change my data variable using byte manipulation ?


    Background

    The win32 exe will implement some sort of symmetric encryption - i will use one precompiled template for the exe file without any encrypted data - after that i will move it to a *nix server and dynamically manipulate the data of the encrypted content using Java. After the change a win32 user should be able to just execute this file and enter a password and will receive my dynamically generated data (decrypted).
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2

    Thumbs up

    you either need to append a new data section to the PE file, or expand a section. If you are adding a section on the *nix system, you may need to parse the executable from itself to find the section, get it's offset, and size...

    Perhaps A better solutioin would be to add a new section at compile/link time. In the new section, have an UINT and a small byte array full of zeroes. Now enlarge this section (it should be the last section in your PE) on your *nix system and fill it with your data starting at the beginning of your byte array. Store the size of the bytes that you have placed into the new section into the UINT (or larger if necessary) variable.
    Last edited by goggles99; April 3rd, 2006 at 15:28.

  3. #3
    Harakiri
    Guest
    First, thank you for your reply and helpful insight.

    add a new section at compile/link time ..[..]... have an UINT and a small byte array full of zeroes

    Q: I've searched for some UINT references on google but i have to admit - im not a c expert. Could you supply a helpful page about the approach you are suggesting. (im using visual c for linking currently)

    Store the size of the bytes that you have placed into the new section into the UINT (or larger if necessary) variable

    Q: Given the above - i guess the UINT offset will be always at the same offset - right ? So i should have no trouble manipulating its value.

    Thanks
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    oops, I forgot it will be written in java (which does not have unsigned integers) uint is "unsigned integer" in C++.

    The "or larger if necessary" only meant that if the section size was larger than an integer can handle, you could use something larger EX:long. I only suggested the integer variable to store the size of the data for easy parsing and decryption.

    This method may produce a limitation of sorts. I think that any given PE section cannot exceed 4 megabytes or something like that (I could be wrong about this). If your data will exceed that, you may just want to append the data to the end of the normal PE file. It should stull run fine. I don't think that it will be mapped into memory, but you can read it off of the disk. Perhaps just prepend and append your data with unique delimiters, have the executable read the entire file and search for these delimiters. Read and decrypt the data in-between them.
    Last edited by goggles99; April 3rd, 2006 at 18:52.

  5. #5
    Harakiri
    Guest
    My data will exceed 4MB but probably not 10-20 MB...

    To summarize your points :
    (pseudo code)

    win32exec.c
    Code:
    // start with some value
    uint numBytes = 10;
    
    // declare a field with my uint value
    byte[] myData = new byte[numBytes];
    
    // allocate memory
    myData = malloc(numBytes * sizeof(byte));
    
    // do decrypt stuff
    [..]
    ------

    manipulate.java

    Code:
    File f = new File("win32exec.exe"));
    
    // wrap a stream for reading the data
    ByteArrayInputStream bis = new ByteArrayInputStream(f);
    
    // let the stream read all data
    while(bis.read() !=0)) {
    }
    
    byte[] myWin32Exec = bis.toByteArray();
    
    // offset of the uint
    int offSetNumSize = ??????;
    
    // offset of the array
    int offSetDataArray = ??????;
    
    String randomString = "encrypted_data";
    
    byte[] encryptedData = randomString.getBytes();
    
    // assign new field length to offset of uint
    myWin32Exec[offSetNumSize] = encryptedData.length;
    
    // assign new data to array
    
    for(int i=0;  i < encryptedData.length; i++) {
    myWin32Exec[offsetDataArray + i] = encryptedData[i];
    }
    
    // done save the file
    [..]

    Is that what you mean ? Or does the c program has to have static fields - how do i figure out the offsets of both the uint and mydata - can i just keep writing my encrypted_data from the beginning offset of mydata even if the file has no more bytes anyway ?

    Thanks
    Last edited by Harakiri; April 4th, 2006 at 05:41.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #6
    I've never used java and I'm having trouble understanding what you want to do...

    In your java code it looks like you're opening the win32 executable from disk (to all intents and purposes it's just a big data file to the java app), seeking through to position P and reading N bytes, then using N to find the offset to your data in the win32exe and reading that?

    The problem with this is how you've coded the C app. The new and malloc statements allocate space on the heap at runtime, but your java code is expecting the space to be allocated inside the win32exe at build time, I think?

    But in your first post you state:

    Therefor i made the variable static and said lets allocate 1000000000 bytes - well now my exe is always that big (tons of zeroes) so this aint an option too.
    So I'm a bit confused about how you're trying to do this. You have some data of an unknown length which needs to be stored in the win32exe, but without preallocating any space in the win32exe for it? If you want to store it, it's going to take up room...

    The only way I can see this working is if you add another PE section as goggles99 suggests. Append a PE section to your exe and put the static allocation in it - byte mydata[1], for example. Then when you need more than 1 byte stored in the win32exe simply write the extra bytes to the section (ie: emulate byte mydata[N]) and modify the PE header as appropriate.
    Still here...

  7. #7
    hi,

    i am just thinking, what you probably need to do is to parse the pe header and "act accordingly". like extend the section for your data, and possibly manipulate the symbol table if you want to relocate the data.
    I am not really into PE but do this on ELF which share a common base.

    A possible better idea is - if you r/o this mem, to setup a pointer in your C prog to point to the data which is an appended section. If you need to have the size of it available, put it into your code - ie: size = 0xbeef;

    Then in the process of adding the section, overwrite locate 0xbeef and change it to the size.

    regards, 0xf001

  8. #8
    Harakiri
    Guest
    Thanks for the responses guys..

    Quote Originally Posted by Silver
    In your java code it looks like you're opening the win32 executable from disk (to all intents and purposes it's just a big data file to the java app), seeking through to position P and reading N bytes, then using N to find the offset to your data in the win32exe and reading that?
    correct that was my initial idea together with using a static c variable

    Quote Originally Posted by Silver
    The problem with this is how you've coded the C app. The new and malloc statements allocate space on the heap at runtime, but your java code is expecting the space to be allocated inside the win32exe at build time, I think?

    So I'm a bit confused about how you're trying to do this. You have some data of an unknown length which needs to be stored in the win32exe, but without preallocating any space in the win32exe for it? If you want to store it, it's going to take up room...
    Yes i know it will take room - but my problem is that i do not know how i can modify that "room" for the data in the win32exe

    Quote Originally Posted by Silver
    The only way I can see this working is if you add another PE section as goggles99 suggests. Append a PE section to your exe and put the static allocation in it - byte mydata[1], for example. Then when you need more than 1 byte stored in the win32exe simply write the extra bytes to the section (ie: emulate byte mydata[N]) and modify the PE header as appropriate.
    Ok, this is why i posted my pseudo code - i need a little bit more elaboration on this point.

    How can i append a PE section to my exe in c ? Is this a linker option or already done at compile time ? I posted something like this :

    byte mydata[numSize] - now you said initially numSize would be 1 - how should i declare this in a c program ?

    just :

    Code:
    static byte mydata[1]
    ? And given that - i could just manipulate the data like i posted in my java program or is there another approach ?


    Quote Originally Posted by 0xf001
    A possible better idea is - if you r/o this mem, to setup a pointer in your C prog to point to the data which is an appended section. If you need to have the size of it available, put it into your code - ie: size = 0xbeef;
    This is a nice idea, however my c knowledge is limited - do you mean i should just statically create a pointer which should always look inside the exe starting from offset 0xbeef ? right ?
    And then again, in my java program i just append everything after 0xbeef with my data ?

    Will this have any impact on the exe itself ? I mean i know the headers for an exe is important but isnt there some crc or can i just append random data to the end of the binary as long as i would like ?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  9. #9
    hi,

    no i meant that is the size of your data. easy to find and so you know the offset where to patch your file where it references the size.

    i am confused now what you want to achieve - it has not really to do with C - you told you have a C program. now does that use the size of your data? if yes - set that to 0xbeef or anything was what i meant - to help you figuring the offset of the access of the size initially, so your UX prog knows where to fill in the new size (could be multiple times, too i dont know your win C prog)

    its like a help you do for you when compiling the C program on windows. only an idea.

    well now to all else: look at exactly 1 thread before yours, it contains all you need (PE header docs)

    cheers, 0xf001

  10. #10
    Harakiri
    Guest
    Quote Originally Posted by 0xf001
    hi,

    no i meant that is the size of your data. easy to find and so you know the offset where to patch your file where it references the size.

    i am confused now what you want to achieve - it has not really to do with C - you told you have a C program. now does that use the size of your data? if yes - set that to 0xbeef or anything was what i meant - to help you figuring the offset of the access of the size initially, so your UX prog knows where to fill in the new size (could be multiple times, too i dont know your win C prog)
    I will look at the PE documentation - however im still unsure how the concept will work.

    The question for me still is :

    The win32 program will load the data from itself - is the data internally declared as static - or do i even need to free memory - what has this to do with a PE declaration ?

    If it is static, and using your initial size of 0xbeef for the data field - i would be able to manipulate the size after it has been compiled - correct ? then, i would be able to replace the data of my data field - however im still unsure where or how i can replace the data (given that i know that i can just manipulate the size of the data array).

    Sorry if i explained it unclear.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  11. #11
    hehe,

    you confuse me, too. i thought you yourself will create the C program under win.
    Once compiled, you want to change the size of this data, right (w/o recompiling)?
    And you want to do that on an UX system, right?

    If yes - then prepare the C program so either it puts the data in an own and last section of the PE, that would make it easiest but without C and compiler knowledge a bit hard.

    Once the PE (.exe) is compiled you cant simply add or remove or resize sthg, it needs to be reflected in the tables of the PE headers which are used to load your prog by the loader which is part of the OS.

    That is why i suggested to study the PE header - the manipulation is probably not too difficult but must follow some rules.

    All is highly dependent on how you access the data from within your C prog, and how you layout that file. are there requirements? what C program is that?

    cheers, 0xf001

  12. #12
    ok,

    i read your 1st post again. So this C program is your test, the other one you will not have the src to recompile I understand. In that case ... its maybe the best you lean back, and study
    how a process under win gets executed, how the OS loads your program, what are sections and all that. You will need a proper understanding of how a PE file is structured,
    good to know would be also how a C compiler works, esp with datestructures.

    You will then better see why this section stuff etc is involved.

    I am a bit curious why you use unix then when you code java - it could run on win, too.

    so long,

    0xf001

  13. #13
    Harakiri
    Guest
    Quote Originally Posted by 0xf001
    ok,

    i read your 1st post again. So this C program is your test, the other one you will not have the src to recompile I understand. In that case ... its maybe the best you lean back, and study
    how a process under win gets executed, how the OS loads your program, what are sections and all that. You will need a proper understanding of how a PE file is structured,
    good to know would be also how a C compiler works, esp with datestructures.

    You will then better see why this section stuff etc is involved.
    I figured it is not an easy task, but that it involves so much indeept knowledge of the system is frightening for a (for me as a programmer) theoretical easy task

    Quote Originally Posted by 0xf001
    I am a bit curious why you use unix then when you code java - it could run on win, too.
    so long,
    0xf001
    no, its a server task that will run only on unix servers and its written in java - the users which use the server are actually (mostly) windoze users therefor i wanted to create an executeable under unix which can be openend under windows - i know this my sound strange but it has to be like that... java is just the server language currently for the task - i wouldnt even mind doing some exec calls on the unix but i dont think that would help me in anyway since it all boils down to byte manipulation of the native exec
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  14. #14
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    If you don't want to bother with PE manipulation (which after all is quite unnecessary in this case, despite everything said by all the show-offs in this thread ), simply append the data to the end of the exe-file, and then patch one single 32-bit integer constant inside the excutable to contain the length of this data.

    During runtime, let the win32.exe read the X bytes from the end of its own executable (where X is taken from the patched constant) into a memory buffer (or even better, memory map this section of the file, but since this thread has had enough showing off already, let's not bother that ). And bam, you're done.

    I could of course tell you about the method involving writing a kernel driver that uses the laser on your DVD drive to scan the contents of the screen through reflections in the eyes of the user, while flashing the contents of the data really fast on the screen with a DirectX shader model 3 program if you want, just let me know, but somehow I got the silly idea that you maybe wanted it done the easy way.

  15. #15
    Harakiri
    Guest
    Quote Originally Posted by dELTA
    During runtime, let the win32.exe read the X bytes from the end of its own executable (where X is taken from the patched constant) into a memory buffer (or even better, memory map this section of the file, but since this thread has had enough showing off already, let's not bother that ). And bam, you're done.
    thanks for the suggestion - so actually my reply about implementing :

    Quote Originally Posted by Harakiri
    do you mean i should just statically create a pointer which should always look inside the exe starting from offset 0xbeef ? right ?
    And then again, in my java program i just append everything after 0xbeef with my data ?
    [..] or can i just append random data to the end of the binary as long as i would like ?
    wasnt that far off - right ?

    Quote Originally Posted by dELTA
    and then patch one single 32-bit integer constant inside the excutable to contain the length of this data.
    so furthermore i dont even need to modify the patched constant for the data i figure right ? please check this pseudo code :

    Code:
    // after compile this file will be 1000 bits (guess)
    static int myWin32OriginalFileSize = 1000;
    main {
     // open in read mode - win32proc.exe is THIS program currently
    FILE *fp = fopen ("win32proc.exe", "rb");
    
    // seek to the original exec end
    fseek (fp, myWin32OriginalFileSize, SEEK_SET);
    
    
    int len;
    char buffer[1024];
    // the data i appended at the end of the file will be written to mydata.bin
    FILE *patchedData = fopen("mydata.bin","w");
    
    // read everything from original end of exe till the new end of the exec
    while((len = fread(buffer,1,sizeof(buffer),fp)) > 0)
    {
       // write to temp file mydata.bin for further processing
       fwrite(buffer,1,len,patchedData);
    }
    
    // done i now have my data original data in a file called mydata.bin
    
    }

    Question: I still have the unanswered question - can i just append binary data to a win32 exec (no matter if 1bit or 10MB) and not break it ?


    thanks
    Last edited by Harakiri; April 5th, 2006 at 16:09.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

Similar Threads

  1. Paradox 10 executables
    By HBB in forum The Newbie Forum
    Replies: 1
    Last Post: July 11th, 2010, 09:39
  2. high score table manipulation
    By Naked2 in forum The Newbie Forum
    Replies: 24
    Last Post: November 28th, 2006, 08:44
  3. Specification of NE executables
    By dELTA in forum Advanced Reversing and Programming
    Replies: 0
    Last Post: November 16th, 2004, 16:43
  4. 1 byte puzzle
    By evaluator in forum Mini Project Area
    Replies: 57
    Last Post: March 29th, 2004, 06:45
  5. Portable executables
    By Dreadnought in forum Malware Analysis and Unpacking Forum
    Replies: 1
    Last Post: January 10th, 2001, 03:22

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •