Hi,

I have a PE file which runs on Win9x without problems but gives the error "Zugriff verweigert" (I guess that's the same as "access denied") on XP.
I must admit that I have modified this exe: I changed the stub with a self-written tool. But this worked well with other executables and I am unable to see what's special about this one file.

Here's an excerpt from dumpbin:



OPTIONAL HEADER VALUES
10B magic #
2.23 linker version
42200 size of code
10400 size of initialized data
1D000 size of uninitialized data
42F00 RVA of entry point
7000 base of code
4A000 base of data
400000 image base
1000 section alignment
200 file alignment
1.00 operating system version
0.00 image version
3.10 subsystem version
0 Win32 version
7A000 size of image
600 size of headers
608C5 checksum
3 subsystem (Windows CUI)
0 DLL characteristics
8000 size of stack reserve
8000 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 loader flags
10 number of directories
0 [ 0] RVA [size] of Export Directory
72000 [ 51A] RVA [size] of Import Directory
0 [ 0] RVA [size] of Resource Directory
0 [ 0] RVA [size] of Exception Directory
0 [ 0] RVA [size] of Certificates Directory
73000 [ 6414] RVA [size] of Base Relocation Directory
0 [ 0] RVA [size] of Debug Directory
0 [ 0] RVA [size] of Architecture Directory
0 [ 0] RVA [size] of Special Directory
0 [ 0] RVA [size] of Thread Storage Directory
0 [ 0] RVA [size] of Load Configuration Directory
0 [ 0] RVA [size] of Bound Import Directory
0 [ 0] RVA [size] of Import Address Table Directory
0 [ 0] RVA [size] of Delay Import Directory
0 [ 0] RVA [size] of Reserved Directory
0 [ 0] RVA [size] of Reserved Directory


Japheth
Posted on 2003-12-15 01:51:55 by japheth
Can you attach a small executable that demonstrates this problem?
I can't see anything immediately wrong just from the headers, though the low OS/Subsystem version numbers do smell a bit fishy.
Posted on 2003-12-15 08:52:43 by f0dder
Hi f0dder,

Regrettably not, since it's currently the only file which doesn't work. In fact, it's the old 16-bit linker from MS, LINK.EXE version 5.60, which I have modified. It comes with the Phar Lap TNT DOS extender in its stub. But this doesn't seem to be the problem, since the modified 16-bit LIB.EXE runs on XP and it had this Phar Lap extender stub as well.

I've attached the zipped file (160 kB)


I was wrong. Neither LINK nor LIB runs on XP. So now I attached LIB.EXE (40 kB)
Posted on 2003-12-15 10:22:59 by japheth
LINK 16-bit does work on XP.
Posted on 2003-12-15 10:42:21 by evil__donkey
Here are the files I have.
Posted on 2003-12-15 10:56:01 by evil__donkey
evil__donkey,

thanks for your reply, but please read my post carefully. I haven't claimed the standard 16-bit link.exe doesn't work.

Japheth
Posted on 2003-12-15 14:29:09 by japheth
I finally found out what the problem was.

My tool to change the stub modified not only the "raw data" pointers in the object table, but the SizeOfHeaders field in the NT header struct as well.

In the case described above with LINK.EXE I replaced a large stub of size 6680h with one of size 200h. While this is no problem for Win9x, WinXP fails; I guess it doesn't like the "hole" in the virtual address space, because the first section's RVA is 7000h (and wasn't changed by the tool, of course).

By leaving the SizeOfHeaders field unchanged (it obviously is somewhat superfluous) the modified exe runs with 9x and XP. Possibly new errors arise if - in a case not tested yet - the SizeOfHeaders field is larger than the file size of the PE as a whole.
Posted on 2003-12-22 10:13:03 by japheth
Interesting! I thought SizeOfHeaders was ignored :)
Guess it shows that you have to be pretty careful when modifying PE files. SizeOfImage was one of my first puzzling experiences, but at least that one makes sense...
Posted on 2003-12-22 10:22:11 by f0dder
You can determine PE header format conformity by running dumppe or peview on a PE executable with a modified PE header. In fact there is even a tool for this purpose available on the protools site, but I don't think it has been updated lately.
Posted on 2003-12-22 22:13:02 by Poimander
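The two posts above describe the same job from two sides: a stub-replacement tool that has to keep e_lfanew, the section raw-data pointers and SizeOfHeaders consistent with each other, and a validator that catches it when they are not. The script below is an added example written for this thread; it is neither Japheth's tool nor pevalidator, and its checks are ordinary sanity rules for a PE32 file, not a reconstruction of the rule the XP loader actually applies (the thread never pins that down). The sample executable it works on is constructed in-memory with the alignment values and the 7000h first-section RVA from the dumpbin excerpt, so it runs offline; the function names and the 200h-byte replacement stub are my own choices.

```python
"""Added example (not the thread's tool, not pevalidator): swap the DOS stub of a
PE32 file and re-check the header fields that depend on the stub's length
(e_lfanew, PointerToRawData, SizeOfHeaders).  The checks are this script's own
sanity rules, not a copy of what the Windows loader enforces."""
import struct
from collections import namedtuple

FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000   # values from the dumpbin excerpt
OPT_SIZE, SECT_ENTRY = 224, 40           # PE32 optional header, one section entry

Hdr = namedtuple("Hdr", "e_lfanew file_align sect_align size_of_headers table_end sections")
Sect = namedtuple("Sect", "off va vsize rawptr rawsize")   # off = entry's offset in the file


def align_up(v, a):
    return (v + a - 1) // a * a


def parse(pe):
    """Pull out the fields the stub swap and the checks need."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                     # optional header follows the file header
    sect_align, file_align = struct.unpack_from("<II", pe, opt + 32)
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    table = opt + opt_size
    sections = []
    for off in range(table, table + nsect * SECT_ENTRY, SECT_ENTRY):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append(Sect(off, va, vsize, rawptr, rawsize))
    return Hdr(e_lfanew, file_align, sect_align, size_of_headers, table + nsect * SECT_ENTRY, sections)


def check_pe(pe):
    """Return a list of header inconsistencies (empty list = nothing found)."""
    h, size, bad = parse(pe), len(pe), []
    if h.size_of_headers < h.table_end:
        bad.append("SizeOfHeaders %#x ends before the section table (%#x)" % (h.size_of_headers, h.table_end))
    if h.size_of_headers % h.file_align:
        bad.append("SizeOfHeaders %#x is not FileAlignment-aligned" % h.size_of_headers)
    if h.size_of_headers > size:
        bad.append("SizeOfHeaders %#x exceeds file size %#x" % (h.size_of_headers, size))
    header_pages = align_up(h.size_of_headers, h.sect_align)
    for s in h.sections:
        if s.rawsize and s.rawptr % h.file_align:
            bad.append("PointerToRawData %#x is not FileAlignment-aligned" % s.rawptr)
        if s.rawptr + s.rawsize > size:
            bad.append("raw data %#x+%#x runs past end of file" % (s.rawptr, s.rawsize))
        if s.va < header_pages:
            bad.append("section RVA %#x overlaps the header pages (up to %#x)" % (s.va, header_pages))
    return bad


def set_size_of_headers(pe, value):
    """Overwrite SizeOfHeaders alone, the way a tool that adjusts it in isolation would."""
    out = bytearray(pe)
    struct.pack_into("<I", out, parse(pe).e_lfanew + 24 + 60, value)
    return bytes(out)


def replace_stub(pe, new_stub):
    """Rebuild `pe` around `new_stub` (a complete DOS header plus stub program).
    e_lfanew, SizeOfHeaders and every PointerToRawData are recomputed together."""
    h = parse(pe)
    if len(new_stub) < 0x40:
        raise ValueError("stub must hold a full DOS header")
    out = bytearray(new_stub)
    struct.pack_into("<I", out, 0x3C, len(out))             # e_lfanew -> end of the new stub
    out += pe[h.e_lfanew:h.table_end]                       # PE sig, file/optional header, section table
    size_of_headers = align_up(len(out), h.file_align)
    struct.pack_into("<I", out, len(new_stub) + 24 + 60, size_of_headers)
    out += b"\0" * (size_of_headers - len(out))
    delta = len(new_stub) - h.e_lfanew                      # how far each table entry moved
    for s in sorted(h.sections, key=lambda s: s.rawptr):     # keep the on-disk order
        if s.rawsize == 0:
            continue
        out += b"\0" * (align_up(len(out), h.file_align) - len(out))
        struct.pack_into("<I", out, s.off + delta + 20, len(out))   # new PointerToRawData
        out += pe[s.rawptr:s.rawptr + s.rawsize]
    return bytes(out)


def build_sample_pe(stub_len, code=b"\xC3" * 0x80):
    """Constructed sample: PE32 with a stub_len-byte DOS stub and one .text section at RVA 7000h."""
    size_of_headers = align_up(stub_len + 24 + OPT_SIZE + SECT_ENTRY, FILE_ALIGN)
    raw = align_up(len(code), FILE_ALIGN)
    opt = bytearray(OPT_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                          # magic: PE32
    struct.pack_into("<III", opt, 28, 0x400000, SECT_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", opt, 56, 0x8000, size_of_headers)      # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 3)                             # subsystem: Windows CUI
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    pe = bytearray(b"MZ" + b"\0" * (stub_len - 2))
    struct.pack_into("<I", pe, 0x3C, stub_len)
    pe += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, OPT_SIZE, 0x10F) + opt
    pe += struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x7000, raw, size_of_headers, 0, 0, 0, 0, 0x60000020)
    pe += b"\0" * (size_of_headers - len(pe)) + code + b"\0" * (raw - len(code))
    return bytes(pe)


if __name__ == "__main__":
    big = build_sample_pe(0x6680)                        # stub as large as the one in the thread
    small = replace_stub(big, b"MZ" + b"\0" * 0x1FE)     # 200h-byte replacement stub
    print("rebuilt file:", check_pe(small) or "ok")
    print("SizeOfHeaders forced to 100h:", check_pe(set_size_of_headers(small, 0x100)))
```

The point of `replace_stub` is that SizeOfHeaders is not shifted by the stub size difference but recomputed from where the section table now ends, rounded up to FileAlignment, and the raw-data pointers are re-laid out from there; shifting all three by the same delta is what goes wrong when the delta is not a multiple of FileAlignment. `check_pe` also flags the case Japheth left untested, a SizeOfHeaders larger than the file itself.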
Hi Poimander,

I think I used dumppe with my faulting exe, but it reported no errors IIRC.

Japheth
Posted on 2003-12-23 08:23:04 by japheth
Hi Japheth,

Some PE dumpers are less sensitive to certain irregularities than others. You could have tried using pedump or some other tool which may have reported an error. The perfect PE dumper has yet to be written!
Posted on 2003-12-23 16:57:47 by Poimander
The tool I referred to above, available on the protools site, is called pevalidator.
Posted on 2003-12-23 21:32:45 by Poimander