I am quite new to win32asm programming and would like to know where I can find more information (examples would be nice) on self-modifying code. Like, creating a program that will run one way, but if something is detected or something is checked, the program will 'self-modify'. I hope you understand what I am talking about. Just some examples or links to tutorials/documents on that (perhaps masm-specific? :) )


Posted on 2002-05-29 00:06:28 by frihz
have you tried google already? i bet you'll find thousands
of links and examples. in masm all you have to do is set
a few more linker options (Link.exe ... /SECTION:.text,RW ...)
that's because under normal circumstances you can't write
to your code section. after setting this up you can modify
what you want. however, google keywords would be
reverse-engineering, anti debugging and v*rus of course.
Posted on 2002-05-29 03:49:11 by mob
Maybe you could try a tool named "pewrite" or something like that (I don't remember exactly), it helps you to make the code section of your exes writable.
Posted on 2002-05-29 06:37:28 by Axial
Here I found a tool! But I must warn you it's also a tool used for making viruses, so....

PS: I hope I won't get banned for this :)

EDIT by Readiosys : Attachment removed : please read the rules...
Posted on 2002-05-29 06:42:05 by Axial
did you post pwrsec.exe (the name was something like this)?
if yes then this tool is definitely NOT used to produce v*ruses.
it's used to set new section flags nothing more nothing less.
Posted on 2002-05-29 07:12:37 by mob
If you're using hutch--'s Masm32 package, you'll find a directory \Masm32\Example2\smc\ which deals with self-modifying code... the important part of this is in build.bat.

Take good care of self-modifying code, smc is potentially dangerous, but if you are careful it can be VERY much faster.

Typically self-modifying code is used when you have several versions of a routine (e.g. optimized for various processors), you can determine which routine you need at init-time and then link in the proper version, then throw away the unneeded versions.
Posted on 2002-05-29 07:21:41 by AmkG
I would suggest you to use VirtualProtect to temporarily make the
code section writable, instead of setting the PE flags. PE flags is
easy etc, but will leave your code permanently writable, which can
give some rather annoying to find bugs in case of pointer errors etc.
Of course if you do a lot of code modification all time, the linker way
of doing it is better - but doing lots of code modifications all the time
is very bad performance-wise.
Posted on 2002-05-29 07:25:45 by f0dder
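
An added example, not part of any post in this thread: a small Python check that reads a PE section table and reports code sections whose write bit is set, the permanently writable state the post above warns about. The header-only sample image and the `build_sample` helper are constructed for the demo; the flag constants are the standard `IMAGE_SCN_*` values from the PE format.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
DEFAULT_TEXT = 0x60000020  # code | execute | read: the usual .text flags
PATCHED_TEXT = DEFAULT_TEXT | IMAGE_SCN_MEM_WRITE  # constructed: write bit added


def writable_code_sections(image):
    """Return names of sections that are code/executable and also writable."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    if coff + 20 > len(image):
        raise ValueError("COFF header is truncated")
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    (n_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size
    if table + 40 * n_sections > len(image):
        raise ValueError("section table is truncated")
    hits = []
    for i in range(n_sections):
        entry = table + 40 * i  # each section header is 40 bytes
        name = image[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        (flags,) = struct.unpack_from("<I", image, entry + 36)  # Characteristics
        is_code = flags & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
        if is_code and flags & IMAGE_SCN_MEM_WRITE:
            hits.append(name)
    return hits


def build_sample(text_flags):
    """Constructed header-only PE image: .text with the given flags, plus .data."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 0, 0x0102)

    def sec(name, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, 0, 0, 0, 0, 0, 0, 0, flags)

    return dos + b"PE\0\0" + coff + sec(b".text", text_flags) + sec(b".data", 0xC0000040)


if __name__ == "__main__":
    print(writable_code_sections(build_sample(DEFAULT_TEXT)))
    print(writable_code_sections(build_sample(PATCHED_TEXT)))
```

To audit a real binary, pass the file's bytes to `writable_code_sections`; an ordinary read/write `.data` section is not reported because it is neither code nor executable.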
I agree with f0dder, code modification should as much as possible be confined at init-time, at most at the init of a routine that needs speed. Also, more than likely an optimization guru can get you the needed speed without doing self-modifying code...

A thing peculiar to modern uproc's is that there is a code cache separate from the data cache, so that doing a lot of self-modifying code tends to flush the code cache too often. So confine your code mods at init-time.
Posted on 2002-05-29 07:42:35 by AmkG
okay, thanks for the info. I did try google before, but i found more complex samples and in other languages, and I really couldn't do much with it.

I am using hutch's masm, and i hadn't noticed that example, thanks :) Although it is quite small heh. But, yes, this is sort of what i was looking for.

Axial: your attached file was removed before I could check it out, though it sounds somewhat interesting - could you pm me the name of the file?

thanks :)

Posted on 2002-05-29 17:45:14 by frihz
i didn't need such a tool for now but i was bored so
i wrote one, it renders the code section flags as readable/
writable. under normal circumstances i don't like to use
VirtualProtect and i don't see why my prog is now harder
to debug without this func.
Posted on 2002-05-30 03:31:47 by mob
i had a couple of upload problems...
Posted on 2002-05-30 03:49:53 by mob