
"overlay"

Started by hfheatherfox07, May 28, 2011, 09:44:55 PM


hfheatherfox07

Hi, I downloaded the latest version of UPX and inside I found this definition for overlay:

Info: An "overlay" means auxiliary data attached after the logical end of an
executable, and it often contains application specific data (this is a common
practice to avoid an extra data file, though it would be better to use resource
sections).


Does anybody know how to add an overlay using MASM? So when you scan the file with PEiD, for example, you will see "MASM/TASM[OverLay]"

PEiD Download:

http://www.peid.info/getfile.php?id=1

or

http://www.megaupload.com/?d=XVYP6WM9


dedndave

much the same as a DLL, as i remember
an overlay is a special form of EXE
i am not sure it applies to 32-bit code, though
i have only ever seen them in 16-bit world

hfheatherfox07

I have seen a MASM example with an overlay (no source)....

I don't imagine I will ever need this for anything I just thought it would be cool to know....

Maybe hutch can fill us in on this....?

hfheatherfox07

Quote from: dedndave on May 28, 2011, 11:28:07 PM
much the same as a DLL, as i remember
an overlay is a special form of EXE
i am not sure it applies to 32-bit code, though
i have only ever seen them in 16-bit world

I know you can add an overlay to 32-bit code... I have done it with exeinfo -> under "Tools menu" (those 2 arrows ">>") -> using the "Overlay menu:" ....

You can actually save overlays from files with overlays and add them to other files  :U

exeinfo-Tool Download:

http://www.exeinfo.xwp.pl/

The person that makes this tool actually e-mails me beta versions to test; how cool is that....

qWord

using an extra tool is IMO unnecessary: simply append the data to your EXE using CreateFile/WriteFile or use a hexeditor of your choice :bg
(to be on the safe side, this requires recalculating the PE's checksum)
FPU in a trice: SmplMath
It's that simple!

hfheatherfox07

Quote from: qWord on May 29, 2011, 01:05:51 AM
using an extra tool is IMO unnecessary: simply append the data to your EXE using CreateFile/WriteFile

Is that the way to add an overlay in an assembly with MASM, is there a way.... ?

qWord

What data are you adding to your exe? Wouldn't it be simpler to add them as resources?

hfheatherfox07

Nothing in particular just wanted to make an exe using MASM that had an overlay

qWord

masm can't do this - maybe there are some linkers that allow this, but I've never heard of this.

clive

What you've described is data OUTSIDE the scope of MASM and LINK. It is outside the PE sections and directories also, basically a binary blob.

You'd achieve it with an external binding tool, or COPY /B  FOO.EXE+MORECRAP.BIN  BAR.EXE
It could be a random act of randomness. Those happen a lot as well.

dedndave

back in the days of DOS, i do recall some larger programs that used overlays
one that comes to mind is AutoCAD
i always thought they could contain code and/or data
but - that was when the addressable physical address limit was 1 mb - normally 640 kb usable RAM
it made sense to move code/data in and out of memory in large chunks, to suit the task at hand

the overlays were essentially loaded as EXE files
the "calling program" could then access the contents as far segments

in most applications, this mechanism does not make much sense in the 32-bit flat world
you have 4 gb addressable space (2 gb usable) - and most modern machines have a minimum of 1 gb RAM

that doesn't mean it cannot be done, but CreateProcess or ShellExecute are likely used to load them

hutch--

You can use an overlay if you want to do this, but it comes at the risk of AV programs flagging it as unsafe, as some of the older viruses appended junk to the end of an EXE file. If it's data you want to append, you are much safer writing the data to the data section and linking the module into your exe file. This way the EXE header information for the file length is correct and AV scanners have nothing to whine about.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

clive

The overlay system in 16-bit DOS was a linker-supported methodology of grouping multiple functions/objects together within the executable segments of the code, and caching/swapping in the groups of mutually exclusive functions on demand. In general it was not used for data, but that depends on the linker. Microsoft generally handled data issues using a temp/spill file on disc.

I'm not convinced that the structural integrity of a PE executable is sufficient to prevent AV scanners from flagging them, the flagging seems more to do with the perceived size of the file, code sequences, or packing methods.

I think michealw published a tool for converting binary data into PE objects, which a linker could combine into their own section. Others have talked of resources, which is also potentially viable. In C I've inlined several megabytes of static binary data.

The overlays of binary data are more likely to look like self-extracting ZIP or CAB files, or installers. I can see plenty of reasons why a single EXE with data bound to it would be desirable. I've used it to pack an application EXE with VXD and SYS drivers to support both Win9x and WinNT class systems with kernel drivers.

drizz

A digital signature is an example of a legitimate overlay, and the virtual address in the PE security directory is in fact a file offset.
The truth cannot be learned ... it can only be recognized.
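
An added example, not code from any poster in this thread: a Python sketch of how a scanner can locate an overlay by finding where the last section's raw data ends, then subtract the range named by the security directory, read as a file offset as drizz notes. The function names and the constructed sample PE are assumptions for illustration, and the "certificate" bytes are placeholder filler, not a real signature.

```python
import struct

def overlay_info(data: bytes) -> dict:
    """Locate bytes stored after the last section of a PE32/PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                       # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)        # data directory array
    table = opt + opt_size                              # section table
    end = table + 40 * nsect
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)          # logical end of the image
    # Directory entry 4 (security): its "VirtualAddress" is a file offset.
    cert_off = cert_size = 0
    if struct.unpack_from("<I", data, dirs - 4)[0] > 4:  # NumberOfRvaAndSizes
        cert_off, cert_size = struct.unpack_from("<II", data, dirs + 4 * 8)
    covered = max(0, min(cert_off + cert_size, len(data)) - max(cert_off, end))
    size = max(0, len(data) - end)
    return {"offset": end, "size": size,
            "cert": (cert_off, cert_size) if cert_size else None,
            "unexplained": size - covered}              # overlay outside the cert table

def build_sample(cert: bytes = b"", extra: bytes = b"") -> bytes:
    """Constructed minimal PE32 layout: headers plus one 0x200-byte section."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)             # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH12xH", hdr, 0x84, 0x14C, 1, 224)  # i386, 1 section
    struct.pack_into("<H", hdr, 0x98, 0x10B)            # PE32 magic
    struct.pack_into("<I", hdr, 0xF4, 16)               # NumberOfRvaAndSizes
    if cert:
        struct.pack_into("<II", hdr, 0x118, 0x400, len(cert))  # security directory
    hdr[0x178:0x180] = b".text\0\0\0"
    struct.pack_into("<II", hdr, 0x188, 0x200, 0x200)   # raw size, raw pointer
    return bytes(hdr) + b"\x90" * 0x200 + cert + extra

if __name__ == "__main__":
    print(overlay_info(build_sample(extra=b"appended blob")))
```

A non-zero `unexplained` count is only a prompt to look at what the appended bytes are; installers and self-extracting archives produce it as well.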