I try to understand something about executables to use it in a future application and now i'm stuck.
I try (for now) to insert a single NOP command in the executable code (in a compiled .exe file). When it will work, I'll try to inject more code in the exe file. Here's what I do:
I locate the .text section in the executable, I use a debugger to locate the right place for the command, I insert a 90h (NOP code) there, then remove a 00h from the end of the .text section to keep the sections aligned. The result is that the application seems valid (Explorer sees the resources - the icon is correct), but when executing, it doesn't run. The errors depend on the OS and on the program, from offering to send details to Microsoft to "there was an error when executing ..", but no "this is not a valid win32 application". I thought there is a problem with the checksum, I tried to fix it with an other utility, but the error persists.
If you have an idea or you can point me to a solution, please help.
Posted on 2004-08-13 00:55:12 by
If you *insert* rather than *overwrite* a byte, code and data references in the app will break. For example, let's look at these instructions:

[b]address opcode mnemonic[/b]
00000000 E802000000 call 000000007
00000005 8B10 mov edx,[eax]
00000007 8B82E8030000 mov eax,[edx+0000003E8]

Now, you insert a NOP after the call - this changes the addresses of all the following instructions. Let's see what is at address 0000007 now:

[b]address opcode mnemonic[/b]
00000007 108B82E80300 adc [ebx+00003E882],cl
0000000D 00 ???
Posted on 2004-08-13 02:32:56 by f0dder
Yes, you are absolutely right. Now, this raises a lot of new problems. Probably all the jumps and calls must be modified to accomodate the new code, a true re-linker. I wonder if there is a workaround or a HOWTO (:-)) about this, I'll think about it and I'll let you know.
Posted on 2004-08-13 03:00:43 by
Calls, jumps, data references. (forwards call/jump to code before the inserted byte will work, as well as backwards call/jump to stuff after the inserted byte, but that's not good enough :)).

To handle something like this, you'll need a dis+reassembler system... and it's not simple getting this done right (so you'll always get working output). It helps a lot if you have executables with relocation information present, btw.

Google the net for "mistfall" by z0mbie. I'm not going to put a direct link, as z0mbie messes a lot with viral code. The ideas in the mistfall engine are very useful outside the viral world, though (like code polymorphism in protectors).
Posted on 2004-08-13 03:17:55 by f0dder
Thank you very much!
Posted on 2004-08-13 03:26:44 by