If I worked at it hard enough, I think I could do something I need to do by wading back through the PE stuff I did some time ago as what I want is the relocation address of where the instance handle is stored in what is usually the .rdata section.

I wondered if anyone has a reliable quick and dirty method of doing this on a disk image of a loaded PE file.


Posted on 2003-01-15 02:47:00 by hutch--
I don't fully understand what you're after, do you want the loaded image address of a certain file offset? If you could explain a bit more I might be able to help you out.

Posted on 2003-01-15 14:37:40 by Thomas
hrm, "reliable" and "quick and dirty" in the same sentence? :P
Posted on 2003-01-15 16:02:21 by f0dder

let me explain, I already have the toys written to dump PE images and save them to disk which is no big deal. I want to test out storing this dumped image as a file or within another EXE file and loading it into allocated memory to run it from within the EXE that stores it. The address of the allocated memory will of course not be 400000h so the start address needs to be changed to reflect the address of the allocated memory.

If I remember correctly, as long as the EXE file still has the relocation section, this can be changed so that it will reference the correct address. I guess I can set up the various PE structures to get the offset of the relocation area and try and do it that way, but what I asked was if someone had a quick and dirty way that worked OK.


Posted on 2003-01-15 17:18:03 by hutch--
find pe header. find reloc information ofs/size in the pe directory table
(do NOT just search for a section called ".reloc"). the relocation information
is simple enough to parse. you will handle ABSOLUTE and HIGHLOW reloc
items, and ignore the rest. import table is also simple to parse. you may
want to convert the PE image to your own easier-to-load format rather
than having a fully fledged PE loader. all simple stuff, really.
Posted on 2003-01-15 18:01:35 by f0dder
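The steps in the post above (locate the PE header, read the relocation entry from the directory table rather than searching for ".reloc", apply HIGHLOW items and skip ABSOLUTE), as an added example that is not from any poster in this thread or from peloader. The names `rebase_image` and `make_sample` are hypothetical; it assumes a little-endian host and a PE32 image already in memory layout (RVA equals buffer offset), and every offset is bounds-checked because a dumped image is untrusted input.

```c
#include <stdint.h>
#include <string.h>
/* Added example; names are hypothetical. Assumes little-endian host and a PE32
   image in memory layout (RVA == offset), e.g. a dump of a loaded module. */
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Rebase img to new_base. Returns HIGHLOW fixups applied, -1 if malformed. */
int rebase_image(uint8_t *img, size_t len, uint32_t new_base)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3C);               /* e_lfanew */
    if (pe > len || len - pe < 24 + 96 + 8 * 6) return -1;
    uint8_t *opt = img + pe + 24;                 /* optional header */
    if (memcmp(img + pe, "PE\0\0", 4) || rd16(opt) != 0x10B) return -1; /* PE32 */
    if (rd32(opt + 92) < 6) return -1;            /* NumberOfRvaAndSizes */
    uint32_t rva = rd32(opt + 96 + 8 * 5);        /* directory entry 5: base relocs */
    uint32_t size = rd32(opt + 96 + 8 * 5 + 4);
    if (!rva || !size || rva > len || size > len - rva) return -1;
    uint32_t delta = new_base - rd32(opt + 28);   /* ImageBase */
    int applied = 0;
    for (uint32_t off = 0; size - off >= 8; ) {
        uint32_t page = rd32(img + rva + off);
        uint32_t blk = rd32(img + rva + off + 4); /* block size incl. 8-byte header */
        if (blk < 8 || blk > size - off) return -1;
        for (uint32_t i = 8; i + 2 <= blk; i += 2) {
            uint16_t e = rd16(img + rva + off + i);
            if ((e >> 12) != 3) continue;         /* 3 = HIGHLOW; 0 = ABSOLUTE padding */
            uint32_t target = page + (e & 0x0FFF);
            if (target > len || len - target < 4) return -1;
            wr32(img + target, rd32(img + target) + delta);
            applied++;
        }
        off += blk;
    }
    wr32(opt + 28, new_base);
    return applied;
}

/* Constructed sample: ImageBase 0x400000, one block with a HIGHLOW entry for 0x300. */
void make_sample(uint8_t *img)                    /* needs 0x400 bytes */
{
    memset(img, 0, 0x400);
    img[0] = 'M'; img[1] = 'Z'; wr32(img + 0x3C, 0x40); memcpy(img + 0x40, "PE\0\0", 4);
    uint8_t *opt = img + 0x58;
    opt[0] = 0x0B; opt[1] = 0x01; wr32(opt + 28, 0x400000); wr32(opt + 92, 16);
    wr32(opt + 136, 0x200); wr32(opt + 140, 12); wr32(img + 0x204, 12);
    img[0x209] = 0x33; wr32(img + 0x300, 0x401234);
}
```

Fixups are written in place, so a return of -1 can leave the buffer partially patched; discard it and start again from a fresh copy.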
Vasily Pupkin's peloader handles relocs, you can get the source here: http://www.code.game-deception.com/downloads/peloader.zip

Posted on 2003-01-16 05:59:29 by stormix
Didn't Qweerdy do something like that to merge a process inside another? IIRC he had written a proc to relocate an image based on the relocation section.

Posted on 2003-01-16 10:41:00 by Thomas