Custom PE Loader

Started by bozo, July 22, 2008, 10:44:28 PM

bozo

Hey, anyone here ever had to use a custom PE loader?
Got source code or know of a project/website hosting such an idea?
I don't know why Microsoft couldn't add this feature to LoadLibrary() since it would be quite useful for various tasks.

BlackVortex

You mean true PE loading? It isn't possible, I believe!

But by using packer/protector technology I guess you can deflate the wrapped PE the way you want it in memory, manually create the import table, load the DLLs manually, apply relocations/fixups to the code, do anything you want, then jump, call, or ret to the real EP.


EDIT: Check this out, googled a bit, sounds impressive:
http://www.scriptlance.com/projects/1209017682.shtml?ref=indofreelancer
(oops, says the project is cancelled)

bozo

It can be done, but I've not seen any usable library or routines to help with it, which is a pity.
InConEx by Y0da and another example by some guy called Z0MBiE both use in-memory execution.

Even if there was some way to load a DLL but change the base of the image, so that it's loaded multiple times, it'd be useful, to me at least.

Maybe I'll write a library.

BlackVortex

Could you provide links to the 2 projects you referred to?

Both y0da and zombie are really interesting coders!
Googling didn't help.

Although I don't understand why you'd need to load an exe/dll manually, what would be the advantages? There may be better ways to achieve whatever you're thinking about. For example, you can CreateProcess the executable with debugging privileges and start juggling around with it as early as the "system breakpoint" event. Maybe you can redirect the code execution flow to your code and circumvent Windows?

bozo

The advantage for me would be writing multi-core code.

Imagine having a procedure inside a DLL file which you want to run as a thread; there would be a problem if it accessed global data when running multiple threads.

If there was some way to load the DLL multiple times, but with a different base address, each thread could access its own private global memory space.

I know that's what TLS is for, but using the method I describe wouldn't require API calls.

I'll get links for you later.
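BlackVortex's step list above (map the image, apply relocations/fixups, build the import table, then jump to the EP) and bozo's wish to load one DLL at several bases both depend on the image's base relocation table. The following Python is added here and is not code from any of the posters or from Vortex's project: it parses the PE headers and that table so you can check whether a DLL can be rebased at all (one linked with relocations stripped cannot) before attempting any manual load. It assumes the image is already laid out as in memory (RVA equals buffer offset, as it is once sections have been mapped), and the sample image it inspects is constructed inline.

```python
import struct
IMAGE_FILE_RELOCS_STRIPPED = 0x0001        # Characteristics bit: no .reloc data, fixed base only
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5        # data directory slot of the base relocation table
RELOC_TYPES = {0: "ABSOLUTE", 3: "HIGHLOW", 10: "DIR64"}

def rebase_report(image: bytes) -> dict:
    """Inspect a PE image laid out as in memory (RVA == offset); report if it can be rebased."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    characteristics = struct.unpack_from("<H", image, coff + 18)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:    # PE32: ImageBase at +28, data directories at +96
        image_base, dirs = struct.unpack_from("<I", image, opt + 28)[0], opt + 96
    elif magic == 0x20B:  # PE32+: 8-byte ImageBase at +24, data directories at +112
        image_base, dirs = struct.unpack_from("<Q", image, opt + 24)[0], opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    rva, size = struct.unpack_from("<II", image, dirs + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    counts, end = {}, rva + size
    while rva + 8 <= end:  # each block: page RVA, block size, then 16-bit entries (type:4, offset:12)
        _page_rva, block_size = struct.unpack_from("<II", image, rva)
        if block_size < 8 or rva + block_size > end:
            raise ValueError("malformed relocation block at 0x%x" % rva)
        for off in range(rva + 8, rva + block_size, 2):
            kind = struct.unpack_from("<H", image, off)[0] >> 12
            name = RELOC_TYPES.get(kind, "TYPE_%d" % kind)
            counts[name] = counts.get(name, 0) + 1
        rva += block_size
    stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {"image_base": image_base, "relocs_stripped": stripped,
            "rebasable": not stripped and size > 0, "fixups": counts}

def build_sample_pe32(reloc_entries=None) -> bytes:
    """Constructed sample: minimal PE32 DLL headers plus one reloc block at RVA 0x200.
    No code, not loadable; reloc_entries=None models a DLL linked with relocations stripped."""
    stripped = reloc_entries is None
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    chars = 0x2102 | (IMAGE_FILE_RELOCS_STRIPPED if stripped else 0)  # DLL | 32BIT | EXECUTABLE
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, chars)
    opt = struct.pack("<H", 0x10B) + b"\0" * 26 + struct.pack("<I", 0x400000) + b"\0" * 64
    dirs, block = [(0, 0)] * 16, b""
    if not stripped:
        block = struct.pack("<II", 0x1000, 8 + 2 * len(reloc_entries)) + b"".join(struct.pack("<H", e) for e in reloc_entries)
        dirs[IMAGE_DIRECTORY_ENTRY_BASERELOC] = (0x200, len(block))
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    return (dos + coff + opt).ljust(0x200, b"\0") + block
```

For a real DLL you would first map its sections to their virtual addresses (or read it with a PE library that does) and then call rebase_report on that buffer.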

BlackVortex

Maybe you can somehow rebase DLLs before loading them.

Vortex

Here, you can find my attempt to create a Custom PE Loader:

Loading and running EXEs and DLLs from memory

bozo

Nice one :8) Vortex, I'll check this out at home later.
BlackVortex: I would have posted some links to the other guys' material, but it's against the forum rules, so I'll just say 29a  :wink

bozo

I just got a quick look at the sources; where is the page of Chetnik?

If you're interested, InConEx can now only be found in old 29a e-zine #7, and an article by Z0MBiE about in-memory execution is in release #6.

BlackVortex

Thanks, I have all 29A issues, they are on my "to-read" list anyway. Unbelievable stuff in there.

Be aware that you may have the original issue #7, which AFAIR was faulty; there is a fixed, full edition on their site.

bozo

Quote: "...and an article by Z0MBiE about in-memory execution is in release #6."

After reading the source of Z0MBiE's code again, which was written back in 2001, I'm gonna have to say it looks like
Chetnik's code is based off it. But I'm open to correction there.

InConEx by Y0da is based on Z0MBiE's example, but more advanced and easier to use.

BlackVortex: Yes, despite its negative image, there is quite a lot of useful ideas/code in those e-zines for constructive purposes also.
I'm sure not everyone agrees of course, but this "exe/dll in memory execution" is useful.