
Thread: Understanding a loader ...

  1. #1 N8di8

    I understand that this loader loads the file and then stops it through int3:

    // open the file to be loaded (first command-line argument) for reading
    HANDLE hFile = CreateFile(argv[1], GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);

    ...

    // one RWX buffer the size of the file; the file contents are read into it
    PBYTE lpFile = (PBYTE)VirtualAlloc(NULL, dwFileSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

    ...

    __asm
    {
    pushad              ; save all general-purpose registers
    mov eax,lpFile      ; eax = start of the buffer holding the file
    int 3               ; breakpoint: execution stops here if a debugger is attached
    call eax            ; transfer control to the buffer
    popad               ; restore registers when (if) the callee returns
    }

    Can someone point me to a good tutorial on loaders (in non-asian language -- I already read http://www.woodmann.net/forum/showthread.php?t=7587&highlight=loader ). TIA.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2 SiGiNT

    Have you used Google, or searched this board fully? There is an announcement about tutorials on creating loaders that was posted not too long ago:

    http://www.woodmann.com/forum/showthread.php?t=7758&highlight=loader

    SiGiNT
    Last edited by SiGiNT; May 6th, 2006 at 10:27.
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  3. #3 N8di8
    Actually, I did use google. For more than an hour. The only thing I found is the loader from the developer of PELock (see above) and a loader from TheTruth (which is for Windows PreBoot environments only). But maybe I did not use the right terms for my search? Also the board search did not help.

    What I am looking for is a basic understanding of a generic PE loader (but not the Windows PE loader).

    For instance, I would like to understand enough about PE loaders so that I can patch the above loader so that it does not trigger an interrupt anymore but simply loads and executes the file. (I admit that this does not make much sense (yet), but at least it will be some kind of goal.)

    Thank you for the link! I will have a close look.

    EDITED: I had a look and I think that this is not what I need. These tuts mainly deal with copyprotection mechanisms. (I do not want to bypass any copyprotection mechanisms (yet;-)). This is still too complicated for me. What I need is a very basic understanding of a simple generic loader.
    Last edited by N8di8; May 6th, 2006 at 11:05.

  4. #4
    Here's what helped me when I was in the same boat as you. Search for Win32 DebugAPI on Google, and read to your heart's content. It'll explain the concepts of create suspended, using INT3, etc. It's REALLY not that hard. Also, I'd recommend running IDA through the "Risc Process Patcher", as it's pretty straightforward code, and might answer some questions for you.

  5. #5 N8di8
    Thanks sigint33 & Frank. I am (slowly) beginning to understand.

    I found this one most helpful: http://www.codebreakers-journal.com/index.php/CodeBreakersMagazine/article/download/4/4

  6. #6 Super Moderator

    Well, during my initial days I found this article by detten to be a pretty good intro to a loader:

    http://www.reversing.be/article.php?story=20050305202101960

  7. #7 N8di8
    Very helpful!! Thanks.

  8. #8 N8di8
    Now that I understand CreateProcess ... are there any alternatives to using CreateProcess API?

  9. #9
    I don't know that you'd NEED an alternative. It has worked fine for me!

    Oh, one just popped into my head, you can attach to an already running thread, but for the purposes of a LOADER, you'd want to be in from the beginning, not jumping in at some random point.

  10. #10
    Quote Originally Posted by N8di8
    Now that I understand CreateProcess ... are there any alternatives to using CreateProcess API?
    Parse the PE header, allocate the memory, load sections and imports, and jump into the entrypoint directly? This would essentially be emulating the functionality of the exec*() system calls available on UNIX, which replace the current process with a new one.

  11. #11 N8di8
    @LLXX Thanks. Do you know whether this has ever been done before (on a Windows machine)?

  12. #12 Kayaker
    Quote Originally Posted by N8di8
    ... are there any alternatives to using CreateProcess API?
    Hi

    I too am curious why you'd need to be looking for an alternative. There are ring 0 methods of intercepting process startup and modifying the memory, but in general the standard loader techniques should suffice. Unless you've got something specific you're trying to accomplish?

    Kayaker

  13. #13
    Quote Originally Posted by N8di8
    Now that I understand CreateProcess ... are there any alternatives to using CreateProcess API?
    I'm not sure how close it is to what you want, but Morphine is a PE encryptor - though rather than modifying the host file, it encrypts it and stores it in the body of the decryptor. This code essentially decrypts and loads the host file as the Windows loader would (allocate memory, load sections, do load time linking, call TLS callbacks, etc).

    If you ignore all the polymorphic junk stuff, the source code can be quite informative, and is found at Holy Father's site:

    http://hxdef.org/download.php

    Other packers/encryptors may take this approach (I have come across a device driver packer that does), but I haven't seen anything designed to do what you want.

    One other thing - as each process has its own address space, most (if not all) executable files are built to load only at their preferred imagebase (normally 400000h). Any loader doing the job 'manually' will have to take this into account, and have its own IB either sufficiently below the host IB, or above the host IB plus the SizeOfImage.
    Last edited by autarky; May 8th, 2006 at 04:35.
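The steps LLXX lists in #10 (parse the header, lay the sections out in memory, find the entrypoint) and the imagebase collision autarky raises in #13, as an added example that is not code from this thread or from Morphine. It is a Python walk-through over a constructed PE32 blob, so it runs anywhere without the Windows API; the sample image, the loader's own address range, the 64 KiB allocation granularity used to pick a new base, and the int3 planted at the entrypoint (the breakpoint a Debug API loader would then catch) are all assumptions. Only PE32 with HIGHLOW relocations is handled; imports and TLS callbacks are left out.

```python
# Added example, not code from this thread or from Morphine. Walks the "manual" loader steps
# from #10 (parse headers, lay out sections, locate the entrypoint) and the imagebase
# collision check from #13 on a constructed PE32 blob, so it runs without the Windows API.
# Assumptions: PE32 only, HIGHLOW relocations only, no imports or TLS, 64 KiB granularity.
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)
OPT_HDR = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6   # PE32 optional header, 96 bytes
DIR_BASERELOC = 5              # data directory slot of the base relocations


def build_sample_pe(image_base=0x400000):
    """Constructed sample (not compiler output): .text holds `mov eax,[image_base+0x2000]; ret`,
    whose absolute operand at RVA 0x1001 is described by one HIGHLOW entry in .reloc."""
    code = b"\xA1" + struct.pack("<I", image_base + 0x2000) + b"\xC3"
    reloc = struct.pack("<II", 0x1000, 12) + struct.pack("<HH", (3 << 12) | 0x001, 0)  # + ABSOLUTE pad
    opt = struct.pack(OPT_HDR,
                      0x10B, 0, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000, image_base, 0x1000,
                      0x200, 4, 0, 0, 0, 4, 0, 0, 0x3000, 0x200, 0, 3, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, DIR_BASERELOC * 8, 0x2000, len(reloc))
    sections = (struct.pack(SECTION_HDR, b".text", len(code), 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
                + struct.pack(SECTION_HDR, b".reloc", len(reloc), 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x42000040))
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt) + len(dirs), 0x0102)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    headers = (dos + b"PE\0\0" + coff + opt + bytes(dirs) + sections).ljust(0x200, b"\0")
    return headers + code.ljust(0x200, b"\0") + reloc.ljust(0x200, b"\0")


def parse_pe(data):
    """Step 1: read the few header fields a loader actually needs."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled in this example")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    ndirs, = struct.unpack_from("<I", data, opt + 92)
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sec0 = opt + opt_size
    sections = [struct.unpack_from(SECTION_HDR, data, sec0 + 40 * i) for i in range(nsect)]
    return {"entry_rva": entry_rva, "image_base": image_base, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "dirs": dirs, "sections": sections}


def map_image(pe, data):
    """Step 2: copy headers and sections from file offsets to their virtual offsets
    (the buffer a real loader would VirtualAlloc with SizeOfImage bytes)."""
    image = bytearray(pe["size_of_image"])
    image[:pe["size_of_headers"]] = data[:pe["size_of_headers"]]
    for _name, vsize, va, rawsize, rawptr, *_ in pe["sections"]:
        n = min(rawsize, vsize) if vsize else rawsize
        image[va:va + n] = data[rawptr:rawptr + n]
    return image


def choose_base(pe, loader_base, loader_size, granularity=0x10000):
    """autarky's point (#13): the host's preferred range must not overlap the loader's own image."""
    pref_lo, pref_hi = pe["image_base"], pe["image_base"] + pe["size_of_image"]
    ldr_lo, ldr_hi = loader_base, loader_base + loader_size
    if pref_hi <= ldr_lo or pref_lo >= ldr_hi:
        return pref_lo                                      # no collision: keep the preferred base
    return (ldr_hi + granularity - 1) & ~(granularity - 1)  # first 64 KiB boundary above the loader


def apply_relocations(pe, image, new_base):
    """Step 3: if the image did not get its preferred base, fix every absolute address."""
    delta = (new_base - pe["image_base"]) & 0xFFFFFFFF
    if delta == 0:
        return 0
    reloc_rva, reloc_size = pe["dirs"][DIR_BASERELOC]
    if reloc_size == 0:
        raise ValueError("image must move but has no .reloc directory")
    fixed, off = 0, reloc_rva
    while off < reloc_rva + reloc_size:
        page_rva, block_size = struct.unpack_from("<II", image, off)
        if block_size < 8:
            raise ValueError("malformed relocation block")
        for i in range((block_size - 8) // 2):
            entry, = struct.unpack_from("<H", image, off + 8 + 2 * i)
            kind, page_off = entry >> 12, entry & 0xFFF
            if kind == 0:                # IMAGE_REL_BASED_ABSOLUTE: alignment padding
                continue
            if kind != 3:                # IMAGE_REL_BASED_HIGHLOW is what PE32 uses
                raise ValueError("unsupported relocation type %d" % kind)
            target = page_rva + page_off
            old, = struct.unpack_from("<I", image, target)
            struct.pack_into("<I", image, target, (old + delta) & 0xFFFFFFFF)
            fixed += 1
        off += block_size
    return fixed


def load(data, loader_base, loader_size):
    """Parse, map, relocate, then plant an int3 at the entrypoint (the stop a Debug API loader
    catches). Returns (base, entry VA, image, original entry byte to restore before resuming)."""
    pe = parse_pe(data)
    image = map_image(pe, data)
    base = choose_base(pe, loader_base, loader_size)
    apply_relocations(pe, image, base)
    original = image[pe["entry_rva"]]
    image[pe["entry_rva"]] = 0xCC
    return base, base + pe["entry_rva"], image, original


if __name__ == "__main__":
    blob = build_sample_pe()
    for ldr in (0x400000, 0x10000000):          # loader sitting on the host's base, then far away
        base, entry, img, orig = load(blob, ldr, 0x5000)
        operand = int.from_bytes(img[0x1001:0x1005], "little")
        print("loader@%08x -> host base %08x entry %08x operand %08x" % (ldr, base, entry, operand))
```

With the loader occupying 400000h..405000h the host cannot take its preferred base, so it is rebased to 410000h and the single absolute operand becomes 412000h; with the loader out of the way the image lands at 400000h and no relocation is applied. The missing pieces (imports, TLS callbacks, and actually mapping with the right page protections) are what Morphine's source shows.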

  14. #14 N8di8

    Thank you. But I have decided that this is still too difficult for me.

    Need to look for another project ...

  15. #15
    OK, that being the case (it's too hard), tell us what it was!
