
load file as PE-loader

Started by Dimarik__, February 26, 2012, 12:46:12 PM


Dimarik__

Quote from: donkey on March 03, 2012, 04:14:40 PM
RVA or Relative Virtual Address is a memory offset from an unknown base. Generally it is added to the load address of the PE resulting in the actual virtual memory address of a particular piece of data. For example the first entry in the DATA section might have an RVA of 0x1000, if the PE is loaded at 0x400000, the actual VA (Virtual Address) is 0x401000. It is a method of allowing each section to be relocated in memory without having too much to fix up by the PE loader. The file offset is simply the number of bytes from the beginning of the file.
Thank you very much.
Sorry for my bad English. Please, speak simply. I'm from Russia.

Vortex

Hi Dimarik,

Here is a project to create a simple PE loader :

Loading and running EXEs and DLLs from memory


dedndave

Erol always has nice stuff   :bg
check out his site for some great tools
http://www.vortex.masmcode.com/

Dimarik__

I found something interesting about linkers and loaders and I'm going to read it. If you want, you can view this article. I uploaded it here http://zalil.ru/32821967

vanjast

looks interesting..  :U

Dimarik__

Quote from: vanjast on March 05, 2012, 10:42:59 AM
looks interesting..  :U
When I was searching for this information, I wanted to find an algorithm which describes how Windows loads a PE file into memory. But... I understood that Vortex's topic and his code are more useful for me than my article. Thank you))) I'll study this information using your code=)

Dimarik__

Quote from: Vortex on March 04, 2012, 09:31:12 AM
Hi Dimarik,

Here is a project to create a simple PE loader :

Loading and running EXEs and DLLs from memory
Thank you for the code. It is the best material I've ever seen on this topic.
But I didn't understand one comment in your code:
mov   [ecx+eax*4], edi                  ;<----- Save API address at IAT
It's in the file import.asm
Please explain, what is the IAT?

dedndave

Import Address Table

typically, when the OS loads an exe, the functions called are referenced in the IAT
the OS fills in the addresses of the actual code

it might look something like this before it is loaded
00401DB4: FF2534234000 jmp dword[00402334 ->00002398 GetStdHandle] ;call kernel32.GetStdHandle
00401DBA: FF2540234000 jmp dword[00402340 ->000023C2 ExitProcess]  ;call kernel32.ExitProcess
00401DC0: FF2544234000 jmp dword[00402344 ->000023D0 ReadFile]     ;call kernel32.ReadFile
00401DC6: FF2548234000 jmp dword[00402348 ->000023DC CloseHandle]  ;call kernel32.CloseHandle
00401DCC: FF2574234000 jmp dword[00402374 ->00002494 WriteFile]    ;call kernel32.WriteFile
when your program calls a function, it actually calls a jmp in the IAT

sometimes, a program may use LoadModule and GetProcAddress to get the address of a function
in such cases, a "fake" entry can be made in the code or data section to emulate the IAT

here is a simple example by Erol (Vortex)
http://www.masm32.com/board/index.php?topic=11772.msg89003#msg89003
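The two steps described in this thread, donkey's RVA-to-address arithmetic and the loader's filling of the IAT that dedndave describes above, as an added example in Python (not code from Vortex's project or from any poster). The section table offset, section layout, import names and API addresses are all constructed for the demo; only RVAs from dedndave's listing (0x2334, 0x2398, 0x23C2, 0x1DB4) are taken from the thread.

```python
import struct
from collections import namedtuple

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
Section = namedtuple("Section", "name virtual_size virtual_address size_of_raw_data pointer_to_raw_data")

def parse_sections(image: bytes, table_offset: int, count: int) -> list:
    """Read `count` IMAGE_SECTION_HEADERs at `table_offset` (constructed here; in a real file
    the table follows the optional header)."""
    out = []
    for i in range(count):
        f = SECTION_HDR.unpack_from(image, table_offset + i * SECTION_HDR.size)
        out.append(Section(f[0].rstrip(b"\0").decode("ascii", "replace"), f[1], f[2], f[3], f[4]))
    return out

def rva_to_file_offset(sections, rva: int):
    """File offset holding the bytes for `rva`, or None if the RVA has no bytes on disk."""
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + max(s.virtual_size, s.size_of_raw_data):
            delta = rva - s.virtual_address
            # beyond SizeOfRawData the loader zero-fills (uninitialised data): nothing to read
            return s.pointer_to_raw_data + delta if delta < s.size_of_raw_data else None
    return None

def bind_iat(image: bytearray, sections, iat_rva: int, exports: dict) -> list:
    """Loader step for one IAT: each 32-bit thunk holds the RVA of a hint/name entry
    (2-byte hint + ASCII name); overwrite it with the API address. Ordinal imports ignored."""
    bound, off = [], rva_to_file_offset(sections, iat_rva)
    while (thunk := struct.unpack_from("<I", image, off)[0]) != 0:
        name_off = rva_to_file_offset(sections, thunk) + 2          # skip the hint
        name = image[name_off:image.index(b"\0", name_off)].decode("ascii")
        struct.pack_into("<I", image, off, exports[name])            # the 'mov [ecx+eax*4], edi' step
        bound.append((name, exports[name]))
        off += 4
    return bound

def build_sample() -> tuple:
    """Constructed image: .text and .data sections, an IAT at RVA 0x2334 naming two APIs."""
    img = bytearray(0x1A00)
    hdrs = [(b".text", 0x1000, 0x1000, 0x1000, 0x400), (b".data", 0x1000, 0x2000, 0x600, 0x1400)]
    for i, (n, vs, va, rs, pr) in enumerate(hdrs):
        SECTION_HDR.pack_into(img, 0x200 + i * SECTION_HDR.size, n, vs, va, rs, pr, 0, 0, 0, 0, 0)
    secs = parse_sections(img, 0x200, 2)
    for rva, name in ((0x2398, b"GetStdHandle"), (0x23C2, b"ExitProcess")):
        off = rva_to_file_offset(secs, rva)
        img[off:off + len(name) + 3] = b"\0\0" + name + b"\0"
    struct.pack_into("<III", img, rva_to_file_offset(secs, 0x2334), 0x2398, 0x23C2, 0)
    return img, secs
```

After `bind_iat` runs, the dwords at RVA 0x2334 no longer hold the name RVAs from the listing but the API addresses, which is why the `jmp dword[00402334]` stubs reach the real functions once the image is loaded.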

Dimarik__

I read this article and saw that the author had recommended reading one article.
Quote: I highly recommend reading Russell Osterlund's article in this issue which describes the steps that the Windows loader takes.
Can you tell me where I can find this article or where I can find a similar article?

dedndave

http://www.smidgeonsoft.prohosting.com/

http://www.smidgeonsoft.prohosting.com/documentation.html

Quote: I highly recommend reading Russell Osterlund's article in this issue which describes the steps that the Windows loader takes.

where did you see that reference ?

here we go - try this...
http://msdn.microsoft.com/en-us/magazine/cc301727.aspx

Dimarik__

Quote from: dedndave on March 06, 2012, 09:54:52 AM
http://www.smidgeonsoft.prohosting.com/

http://www.smidgeonsoft.prohosting.com/documentation.html

Quote: I highly recommend reading Russell Osterlund's article in this issue which describes the steps that the Windows loader takes.

where did you see that reference ?

here we go - try this...
http://msdn.microsoft.com/en-us/magazine/cc301727.aspx
I saw it here http://msdn.microsoft.com/en-us/magazine/cc301808.aspx