
ResHacker project


175 replies to this topic

#121 trancexx

trancexx

    Queen F. Elizabeth MCXI

  • Active Members
  • 6,246 posts

Posted 18 June 2009 - 06:40 PM

> thank you for your reply but my need is a bit different, I just want to know which section contains IMAGE_SCN_CNT_CODE,
> anyways I got the code from Code Project
>
> VC:
>     if( pSectionHeader->VirtualAddress <= dwEntryPoint &&
>         dwEntryPoint < pSectionHeader->VirtualAddress + pSectionHeader->Misc.VirtualSize )
>     {
>         break;
>     }
>
> AutoIt:
>     Local $VA = DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress")
>     Local $VSZ = DllStructGetData($tIMAGE_SECTION_HEADER, "UnionOfData") ; Misc.VirtualSize
>     Local $AddressOfEntryPoint = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "AddressOfEntryPoint")
>     If ($VA <= $AddressOfEntryPoint) And $AddressOfEntryPoint < ($VA + $VSZ) Then
>         ConsoleWrite("Execution Starts at SEC# " & $i & " :" & $Section & @CRLF)
>     EndIf

Nice one. I like that.

          ......       ......
        .:oOOOOo:.   .:oOOOOo:.
      .:oOO:'':Oo:. .:oO:'':OOo:.
     .:oO:      'Oo:oO'      :Oo:.
     :oO:         'o'   
      :Oo:
     :oO:                     :Oo:
     ':oO:     OT9AO0IEDrk   :Oo:'
      ':oO:                 :Oo:'
        ':oO.             .Oo:'
          ':oO
.         .Oo:'
            ':oO.     .Oo:'
              ':oO. .Oo:'
                'oO:Oo'
                  'o' :kiss:



 

.
eMyvnE








#122 monoceres

monoceres

    idiot, slow down

  • MVPs
  • 4,047 posts

Posted 02 July 2009 - 01:04 AM

I want more! I've been using this as a general pe-explorer for a while now (since I realized it could) and since I know you're an expert with these files I expect more cool functions :)

Broken link? PM me and I'll send you the file!


#123 corgano

corgano

    Universalist

  • Active Members
  • 844 posts

Posted 02 July 2009 - 01:14 AM

> I want more! I've been using this as a general pe-explorer for a while now (since I realized it could) and since I know you're an expert with these files I expect more cool functions :)

Me too! Can't wait for modifying / compiling EXE files to come....
0x616e2069646561206973206c696b652061206d616e20776974686f7574206120626f64792c20746f206669676874206f6e6520697320746f206e657665722077696e2e2e2e2e

#124 monoceres

monoceres

    idiot, slow down

  • MVPs
  • 4,047 posts

Posted 31 August 2009 - 08:42 PM

Do you accept feature requests?



#125 trancexx

trancexx

    Queen F. Elizabeth MCXI

  • Active Members
  • 6,246 posts

Posted 01 September 2009 - 05:29 AM

Sure.
What do you have in mind?



#126 monoceres

monoceres

    idiot, slow down

  • MVPs
  • 4,047 posts

Posted 01 September 2009 - 06:01 AM

I was thinking of some IAT adding/modifying capabilities.

Oh and some x64 support would be nice :D



#127 trancexx

trancexx

    Queen F. Elizabeth MCXI

  • Active Members
  • 6,246 posts

Posted 01 September 2009 - 04:57 PM

> I was thinking of some IAT adding/modifying capabilities.
>
> Oh and some x64 support would be nice :D

So that a custom dll could be plugged in, for example, or to make a ground point for a native exe compressor?
I think it would be hard to keep the validity of the modified app. It shouldn't be difficult to actually add a new function, but other sly modifications - that could be tricky.

A clear goal and the necessary discussion on the subject are needed.

As for 64 bit support. I have limited access to 64-bit systems. This fact makes me unsuitable for the job. But I guess I could add some more support for 64-bit modules to _PopulateMiscTreeView() function.



#128 monoceres

monoceres

    idiot, slow down

  • MVPs
  • 4,047 posts

Posted 01 September 2009 - 05:18 PM

My thinking is this:

I like to add/correct functionality on apps running on my system. To do this I usually inject dll's into them during runtime.

However this requires an extra exe running and waiting for the process to exist and then injecting it. I would much rather be able to just modify the IAT on the target exe so my dll gets loaded during the target exe's startup.



#129 trancexx

trancexx

    Queen F. Elizabeth MCXI

  • Active Members
  • 6,246 posts

Posted 02 September 2009 - 04:57 PM

> My thinking is this:
>
> I like to add/correct functionality on apps running on my system. To do this I usually inject dll's into them during runtime.
>
> However this requires an extra exe running and waiting for the process to exist and then injecting it. I would much rather be able to just modify the IAT on the target exe so my dll gets loaded during the target exe's startup.

So, let's say this happens...
I compile an AutoIt script. This new app will import different functions from different dlls.
Two of them will be CopyFileW and MoveFileW.
My compiled script uses this code:
FileCopy("FullPathToSomething", @DesktopDir)

If I run it, what would happen? It will copy something to @DesktopDir.
But what would happen if I manipulated the IAT and replaced CopyFileW with MoveFileW? One thing is sure, my app would import two MoveFileW functions from kernel32.dll.
Will the code copy or move that "FullPathToSomething" to @DesktopDir afterwards?
I'm gonna speculate and say the latter would happen.

What if I have MyApp.exe that imports "X", "Y", "Z" functions from user32.dll. What if I make user33.dll and export "X", "Y" and "Z" functions from it. What if "X" and "Y" functions are just redirections to "X" and "Y" from user32.dll and "Z" is my function (the way I like it). What if I simply replace the name "user32.dll" in the IAT of MyApp.exe with "user33.dll" and place my user33.dll where it should be placed for Windows to find it when loading MyApp.exe. Would that work? What do you think?



#130 monoceres

monoceres

    idiot, slow down

  • MVPs
  • 4,047 posts

Posted 02 September 2009 - 09:58 PM

> So, let's say this happens...
> I compile an AutoIt script. This new app will import different functions from different dlls.
> Two of them will be CopyFileW and MoveFileW.
> My compiled script uses this code:
>
> FileCopy("FullPathToSomething", @DesktopDir)
>
> If I run it, what would happen? It will copy something to @DesktopDir.
> But what would happen if I manipulated the IAT and replaced CopyFileW with MoveFileW? One thing is sure, my app would import two MoveFileW functions from kernel32.dll.
> Will the code copy or move that "FullPathToSomething" to @DesktopDir afterwards?
> I'm gonna speculate and say the latter would happen.

Strictly speaking it would crash since MoveFile and CopyFile don't have the same number of parameters. But in theory I would say that it would be moved (unless MoveFile is using CopyFile and we get an internal unbreakable eternal loop, but that's irrelevant.)

> What if I have MyApp.exe that imports "X", "Y", "Z" functions from user32.dll. What if I make user33.dll and export "X", "Y" and "Z" functions from it. What if "X" and "Y" functions are just redirections to "X" and "Y" from user32.dll and "Z" is my function (the way I like it). What if I simply replace the name "user32.dll" in the IAT of MyApp.exe with "user33.dll" and place my user33.dll where it should be placed for Windows to find it when loading MyApp.exe. Would that work? What do you think?

It would be some kind of API hooking (but your example could provide a lot of difficulties since user32 is a pretty essential part of windows, it could screw up pretty bad). But yes, I think it would work. I mean, the IAT is just a table of addresses and functions. Editing it before execution shouldn't be much different from editing it during runtime (which I know you know I have done before).



#131 trancexx

trancexx

    Queen F. Elizabeth MCXI

  • Active Members
  • 6,246 posts

Posted 02 September 2009 - 11:53 PM

> Strictly speaking it would crash since MoveFile and CopyFile don't have the same number of parameters. But in theory I would say that it would be moved (unless MoveFile is using CopyFile and we get an internal unbreakable eternal loop, but that's irrelevant.)

No, it wouldn't crash, because MoveFileW takes two parameters and CopyFileW three. That means that MoveFileW will take what it needs from the stack, leaving the rest. This is ok. The opposite situation could lead to a crash.
Let's take this code:
If $CmdLine[0] = 1 Then
    If StringRight($CmdLine[1], 4) = ".au3" Then
        Run('"' & @AutoItExe & '" /AutoIt3ExecuteScript "' & $CmdLine[1] & '"')
    EndIf
EndIf

After compilation, to run some script with it we need to drop it on that exe.

If I write some new script (on the desktop) that goes like this:
DirCreate(@DesktopDir & "\SomeNewFolder")
FileCopy(@ScriptFullPath, @DesktopDir & "\SomeNewFolder")
; 7 = "No": the script is gone from the desktop, so it was moved rather than copied
If MsgBox(262144 + 32 + 4, "Copy or Move?", "Is " & StringRegExpReplace(@ScriptFullPath, ".*\\", "") & " on your desktop now?") = 7 Then
    MsgBox(262144 + 64, "Great", "All works well.")
Else
    MsgBox(262144 + 64, "Failure", "Described idea sucks! Not working.")
    DirRemove(@DesktopDir & "\SomeNewFolder", 1)
EndIf

... and drop it on the previously compiled one, the "Failure" scenario would happen.
But if I make described intervention and update IAT of my app afterward, there should be "All works well." box displayed.
Unfortunately I'm not able to attach that exe (no more available space), but take my word for it - it works.

> It would be some kind of API hooking (but your example could provide a lot of difficulties since user32 is a pretty essential part of windows, it could screw up pretty bad). But yes, I think it would work. I mean, the IAT is just a table of addresses and functions. Editing it before execution shouldn't be much different from editing it during runtime (which I know you know I have done before).

I'm not touching user32.dll.
Just changing reliance of MyApp.exe from user32.dll to user33.dll (one byte change).

Edited by trancexx, 04 September 2009 - 05:14 AM.



#132 monoceres

monoceres

    idiot, slow down

  • MVPs
  • 4,047 posts

Posted 04 September 2009 - 04:57 PM

Not sure where you're going here, but yeah, you're pretty much describing the behavior I want. Adding/Changing an exe's dependencies.



#133 trancexx

trancexx

    Queen F. Elizabeth MCXI

  • Active Members
  • 6,246 posts

Posted 04 September 2009 - 07:14 PM

I'll make separate script for testing purposes to do that. Changing first, adding maybe later.
...will see how that works.



#134 trancexx

trancexx

    Queen F. Elizabeth MCXI

  • Active Members
  • 6,246 posts

Posted 06 September 2009 - 06:56 PM

Ok, I have something.
There are few limitations. Some are deliberate, some not.

Try to break it.

... just wait till I delete some attachment so I can upload this one.

edit:
Attached File  IATManipulate.au3   42.07KB   393 downloads

Edited by trancexx, 07 September 2009 - 09:01 AM.



#135 monoceres

monoceres

    idiot, slow down

  • MVPs
  • 4,047 posts

Posted 06 September 2009 - 08:13 PM

Working very well (as expected)!

My test:

Created an exe that displayed a profanity in a MessageBox.
Created an dll that exported a function that redirected to MessageBoxW but added a check for profanities before redirection.
Used your script to change the IAT of the exe to point to my dll and exported function.
Saved the modified exe as a new file.
Ran it and success :D

Test files included.
http://monoceres.se/Uploads/test_iat_mod.zip

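The entry-point check quoted in post #121 and the import-table edits discussed from #129 on (swapping one imported function for another, pointing an import at a different DLL, the one-byte user32.dll to user33.dll rename), as an added Python example that is not part of this thread and not trancexx's IATManipulate script: it parses a PE32 file's section table and import descriptors, reports which section holds the entry point and whether that section is flagged IMAGE_SCN_CNT_CODE, and lists imported DLL names that are not on an allowlist, which is the check that makes a renamed dependency such as user33.dll stand out. KNOWN_DLLS, build_pe and the header-only images it constructs are assumptions for offline testing, not real binaries.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "ntdll.dll"}  # constructed allowlist for the demo
def _u32(d, o): return struct.unpack_from("<I", d, o)[0]

def parse_pe(data):
    """Return (AddressOfEntryPoint, IMAGE_SECTION_HEADER tuples, imported DLL names) of a PE32 file."""
    pe = _u32(data, 0x3C)                                       # e_lfanew -> "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)  # NumberOfSections, SizeOfOptionalHeader
    opt = pe + 24
    sections = [struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i) for i in range(nsec)]
    # file offset of an RVA via the section containing it (s[1]=VirtualSize, s[2]=VirtualAddress, s[4]=PointerToRawData)
    rva_to_off = lambda r: next(r - s[2] + s[4] for s in sections if s[2] <= r < s[2] + s[1])
    dlls, desc = [], rva_to_off(_u32(data, opt + 104))          # DataDirectory[1] = import table (PE32 layout)
    while _u32(data, desc + 12):                                # IMAGE_IMPORT_DESCRIPTOR.Name == 0 terminates
        off = rva_to_off(_u32(data, desc + 12))
        dlls.append(data[off:data.index(b"\0", off)].decode().lower())
        desc += 20
    return _u32(data, opt + 16), sections, dlls

def entry_section(data):
    """(index, name, is_code) of the section holding the entry point: the quoted Code Project check."""
    entry, sections, _ = parse_pe(data)
    for i, s in enumerate(sections):
        if s[2] <= entry < s[2] + s[1]:
            return i, s[0].rstrip(b"\0").decode(), bool(s[9] & IMAGE_SCN_CNT_CODE)
    return None                                                 # outside every section: malformed or tampered

def unknown_imports(data):
    """Imported DLL names off the allowlist, e.g. a 'user33.dll' swapped in for user32.dll."""
    return [d for d in parse_pe(data)[2] if d not in KNOWN_DLLS]

def build_pe(entry, dlls):
    """Constructed PE32 image: a zero-filled .text section plus an .rdata section holding only an import table."""
    base = 0x2000 + 20 * (len(dlls) + 1)                        # name strings follow the descriptor array
    rvas = [base + sum(len(x) + 1 for x in dlls[:i]) for i in range(len(dlls))]
    rdata = b"".join(struct.pack("<IIIII", 0, 0, 0, r, 0) for r in rvas) + bytes(20) + b"".join(d.encode() + b"\0" for d in dlls)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 16, entry); struct.pack_into("<II", opt, 104, 0x2000, len(rdata))
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".rdata", len(rdata), 0x2000, len(rdata), 0x400, 0, 0, 0, 0, 0x40000040)
    hdr = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102) + bytes(opt) + secs
    return hdr.ljust(0x400, b"\0") + rdata                      # .text is the padding at 0x200..0x400

CLEAN = build_pe(0x1010, ["kernel32.dll", "user32.dll"])
TAMPERED = build_pe(0x1010, ["kernel32.dll", "user33.dll"])     # one byte changed in a DLL name, as in the thread
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `entry_section` and `unknown_imports`; an entry point outside every section or in a section without IMAGE_SCN_CNT_CODE is the usual sign of a packed or edited image.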


#136 ptrex

ptrex

    Universalist

  • MVPs
  • 2,420 posts

Posted 06 September 2009 - 08:25 PM

@all

Maybe this is of any interest to you guys.

http://sandsprite.com/CodeStuff/IAT_Hooking.html

Rgds

ptrex

#137 Digisoul

Digisoul

    Universalist

  • Active Members
  • 330 posts

Posted 06 September 2009 - 08:35 PM

> Ok, I have something.
> There are few limitations. Some are deliberate, some not.
>
> Try to break it.
>
> ... just wait till I delete some attachment so I can upload this one.
>
> edit:
> Attached File  IATManipulate.au3   42.07KB   393 downloads

Nice work trancexx. It's awesome :D

#138 MisterD

MisterD

    Seeker

  • New Members
  • 2 posts

Posted 06 September 2009 - 08:38 PM

Looks very good trancexx!! :D


;o :D

#139 trancexx

trancexx

    Queen F. Elizabeth MCXI

  • Active Members
  • 6,246 posts

Posted 06 September 2009 - 09:25 PM

> Working very well (as expected)!
>
> My test:
>
> Created an exe that displayed a profanity in a MessageBox.
> Created an dll that exported a function that redirected to MessageBoxW but added a check for profanities before redirection.
> Used your script to change the IAT of the exe to point to my dll and exported function.
> Saved the modified exe as a new file.
> Ran it and success :D
>
> Test files included.
> http://monoceres.se/Uploads/test_iat_mod.zip

Good.

Profanities are really fucked up now.



#140 corgano

corgano

    Universalist

  • Active Members
  • 844 posts

Posted 07 September 2009 - 02:02 AM

Will this be added into the next release of this?



