Hello! Everyone,

Can anyone tell me where to get started creating my own Portable Executable Loaders (PEL)?

I have already read PE.txt and understood the PE structure, but I don't get how to store and call the imported functions from the target 'exe'. Also, how do I execute the EXE from memory itself?

Thanks!
Posted on 2004-04-21 13:04:30 by telophase
Get this one as well: http://www.microsoft.com/whdc/hwdev/hardware/pecoffdown.mspx

The loading part is sorta easy. Check if image is MZ+PE and has relocations. If not, error. If it does, go on.

VirtualAlloc a buffer with size peheader.SizeOfImage. Loop through the section table, load RawSize bytes to your membuf+section.RVA.

Fix imports, can be a bit tricky because of things like bound imports, and that old borland linkers were pretty bugged.

Fix relocations - has a slightly weird format, but should be easy enough to work out from the pecoff doc.

Then you should be able to jump/call entrypoint, or look through the exports of the module. There's a bunch of gotchas with this approach, though. If the EXE calls ExitProcess, your main program terminates as well. The EXE cannot use resources...
Posted on 2004-04-21 13:20:07 by f0dder
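
The first steps of the outline above (MZ+PE check, relocation check, a SizeOfImage buffer, copying each section's raw bytes to its RVA), as an added example that is not part of the thread. It is static Python: a `bytearray` stands in for the VirtualAlloc buffer, imports and relocations are not fixed up, and nothing is executed. `map_image` and `build_sample` are hypothetical names, and the sample PE is constructed.

```python
import struct

def map_image(pe: bytes) -> bytearray:
    """Lay the file out at its RVAs in a buffer; nothing is fixed up or run."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    coff = struct.unpack_from("<I", pe, 0x3C)[0] + 4      # e_lfanew + "PE\0\0"
    if pe[coff - 4:coff] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, flags = struct.unpack_from("<HH", pe, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", pe, opt)
    size_of_image, size_of_headers = struct.unpack_from("<II", pe, opt + 56)
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]           # PE32 / PE32+, else KeyError
    ndirs, = struct.unpack_from("<I", pe, dirs - 4)
    # Data directory 5 is the base relocation table; bit 0x0001 = RELOCS_STRIPPED.
    reloc_size = struct.unpack_from("<II", pe, dirs + 40)[1] if ndirs > 5 else 0
    if flags & 0x0001 or reloc_size == 0:
        raise ValueError("no relocations: only valid at its preferred base")
    if size_of_headers > min(len(pe), size_of_image):
        raise ValueError("SizeOfHeaders exceeds file or image")
    image = bytearray(size_of_image)          # stands in for the VirtualAlloc buffer
    image[:size_of_headers] = pe[:size_of_headers]
    for i in range(nsec):                     # 40-byte section headers
        rva, raw_size, raw_ptr = struct.unpack_from("<12x3I", pe, opt + opt_size + 40 * i)
        # Header fields are untrusted: refuse copies outside the file or buffer.
        if rva + raw_size > size_of_image or raw_ptr + raw_size > len(pe):
            raise ValueError("section outside image or file")
        image[rva:rva + raw_size] = pe[raw_ptr:raw_ptr + raw_size]
    return image

def build_sample() -> bytes:
    """Constructed one-section PE32 (header fields only, not a real program)."""
    h = bytearray(0x200)
    h[0:2] = b"MZ"
    struct.pack_into("<I", h, 0x3C, 0x40)                 # e_lfanew
    h[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", h, 0x44, 0x14C, 1)            # Machine, NumberOfSections
    struct.pack_into("<HH", h, 0x54, 0xE0, 0x0102)        # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<H", h, 0x58, 0x10B)                # PE32 magic
    struct.pack_into("<II", h, 0x58 + 56, 0x2000, 0x200)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", h, 0x58 + 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", h, 0x58 + 96 + 40, 0x1000, 8) # base relocation directory
    struct.pack_into("<8sIIII", h, 0x138, b".reloc", 8, 0x1000, 0x200, 0x200)
    return bytes(h) + struct.pack("<II", 0x1000, 8).ljust(0x200, b"\0")  # empty reloc block

if __name__ == "__main__":
    print(f"mapped {len(map_image(build_sample())):#x} bytes")
```
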

The EXE cannot use resources...


Maybe you can try using resource templates for your executables.
Posted on 2004-04-21 15:11:33 by Vortex


quote:
--------------------------------------------------------------------------------
Originally posted by f0dder
The EXE cannot use resources...
--------------------------------------------------------------------------------




FindResource and LoadResource are pretty easy to implement yourself.

I did it for my DOS Win32 emulation.
Posted on 2004-04-22 02:04:18 by japheth
I wanted to keep it simple, japheth :). But yes, it *can* be handled, and you can make the loaded PE use them too by fixing its IAT with your routines (and handle ExitProcess that way too).

But I didn't want to confuse telophase too much before he has something up and running :)
Posted on 2004-04-22 17:59:11 by f0dder
You can check z0mbie's code or y0da's INCONTEXT thing (http://y0da.cjb.net) includes both. The executable has to have A) relocations or B) must have position independent code, 'cause you're not going to be able to map it at its desired base like 0x400000 cuz you'll be using VirtualAlloc. Other than that it's simple patching and setting up TLS and stuff, PECOFF spec pretty much hits it on the head. I think y0da hooks ExitProcess by using his HOKO package but you can set reserve on ExitProcess and set it to internal handling routine when it calls it.
Posted on 2004-04-22 19:24:05 by archphase