hidden PE header information

Started by thomas_remkus, April 21, 2006, 02:43:16 PM

thomas_remkus

When working with Depends.exe (the dependency walker) I noticed that some of the very old VC that we have does not show anything. When talking with co-workers it was discussed that this might be because it was 16-bit or because the PE header did not require such information. Either way, we discussed that with newer applications it actually might be nice to compile without having this information available to others. Possible security issue depending on what or how it's done.

Is there a way to link so the PE header does not have this information? Is there a way to remove this information from an already existing image? And really, what good is that information??

P1

'Search' for LoadLibrary on the board.

Quote: Is there a way to link so the PE header does not have this information?
It's a programming option.  Not using the normal dependencies of programming.

It has always been an option to manually load libraries and all the coding that goes with it.  But then again they don't call it DLL HELL for nothing.  You are responsible for loading the right version of the library for your program.  To me, not worth the trouble as a normal programming technique.  I do use my high level functions in ML code.

Quote: Is there a way to remove this information from an already existing image?
Basically, no.

Quote: And really, what good is that information??
Simply tells the OS what libraries to load with the image.  But the thought was that common runtime functions would reduce the overall memory need (code sharing) of supporting a program.

Regards,  P1  :8)

Tedd

You can remove (most of) the dll imports by using LoadLibrary, and then GetProcAddress to get the address of each required function -- this is exactly what is done for you by the loader when you start your program anyway.
The strings giving the dll and function names are then inside your data section, rather than being imports, so simple dependency walking won't show them (except for LoadLibrary and GetProcAddress which are required). Of course, a little lookup will easily track them down.
However, since the strings are yours, this means you can then hide or encrypt them or whatever to make it a little more difficult, but still it comes down to finding where GetProcAddress is called and spying its parameters -- hence the use of exe packers.
...i.e. it's not worth the hassle :lol
No snowflake in an avalanche feels responsible.
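
Added example (not part of the thread and not any poster's code): a Python reader for the PE import directory, which is the information Depends.exe displays, followed by a scan of the raw file for DLL-name strings that the import table does not list, illustrating Tedd's point that names moved into the data section are still easy to find. The image returned by `build_sample()` is constructed for illustration, and all function names here are this example's own.

```python
import re
import struct

def rva_to_off(data, pe, rva):
    """Map an RVA to a file offset via the section table."""
    nsec, _, _, _, opt_size = struct.unpack_from("<H3IH", data, pe + 6)
    for i in range(nsec):  # 40-byte section headers follow the optional header
        vsize, va, rsize, raw = struct.unpack_from("<4I", data, pe + 32 + opt_size + 40 * i)
        if va <= rva < va + max(vsize, rsize):
            return raw + rva - va
    raise ValueError("RVA outside all sections")

def cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def imports(data):
    """{dll: [names]} from the import directory: what a dependency walker lists."""
    pe, = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    plus = struct.unpack_from("<H", data, pe + 24)[0] == 0x20B  # PE32+ magic
    size, fmt, ordinal = (8, "<Q", 1 << 63) if plus else (4, "<I", 1 << 31)
    imp_rva, = struct.unpack_from("<I", data, pe + 24 + (120 if plus else 104))
    found, desc = {}, rva_to_off(data, pe, imp_rva) if imp_rva else 0
    while imp_rva and any(d := struct.unpack_from("<5I", data, desc)):
        thunk, funcs = rva_to_off(data, pe, d[0] or d[4]), []  # d[3] = DLL name RVA
        while t := struct.unpack_from(fmt, data, thunk)[0]:
            funcs.append(f"#{t & 0xFFFF}" if t & ordinal else cstr(data, rva_to_off(data, pe, t) + 2))
            thunk += size
        found[cstr(data, rva_to_off(data, pe, d[3]))] = funcs
        desc += 20  # an all-zero descriptor ends the table
    return found

def unlisted_dll_strings(data):
    """DLL-name strings present in the file but absent from the import table."""
    seen = {m.decode().lower() for m in re.findall(rb"[\w.-]{1,60}\.dll", data, re.I)}
    return sorted(seen - {d.lower() for d in imports(data)})

def build_sample():
    """Constructed sample: minimal PE32 importing only LoadLibraryA/GetProcAddress."""
    img = bytearray(0x400)
    struct.pack_into("<2s58xI", img, 0, b"MZ", 0x40)  # e_lfanew -> PE header
    struct.pack_into("<4sHH3IHHH", img, 0x40, b"PE\0\0", 0x14C, 1, 0, 0, 0, 0xE0, 0x102, 0x10B)
    struct.pack_into("<2I", img, 0xC0, 0x1000, 40)  # data directory[1]: imports
    struct.pack_into("<8s4I", img, 0x138, b".rdata", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<5I20x3I", img, 0x200, 0x1028, 0, 0, 0x1040, 0x1028, 0x1050, 0x1060, 0)
    for off, s in ((0x240, b"kernel32.dll"), (0x252, b"LoadLibraryA"),
                   (0x262, b"GetProcAddress"), (0x280, b"user32.dll\0MessageBoxA")):
        img[off:off + len(s)] = s
    return bytes(img)
```

To inspect a real file, pass its bytes, e.g. `imports(open(path, "rb").read())`. The string scan only sees plain ASCII names, so names stored in encoded form, as Tedd describes, will not show up in it.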