Hi!

(Well, I'll try it in English this time *g*)

Last week I checked out some of my 'old' programs. These programs normally take some pieces from the .data section (where the vars normally are) and use them like normal instruction code, or jump directly into this piece to execute parts of it. Well, normally. But XP is not normal.
Since I use XP, none of this kind can be executed; well, it can, but an error appears during start: memory read error - memory can't be 'read' at this location.. <-- well, I think it will be the location where I try to enter the 'data' section...

Does anybody know how to handle this in XP? Any known sources?

Thanks a lot
Posted on 2002-10-05 18:14:05 by Genscher
Hmm.. strange!
The .data section is write-enabled, so it should be possible to execute code from it, shouldn't it?!
Are you really sure it's when you try to execute in the .data section that the error occurs? Maybe it's something else...
Just a suggestion. I don't know. I'm sure it's possible on XP to execute in the .data section, it's no problem, I tried it, worked ok.
Posted on 2002-10-07 17:36:41 by david
Coded a test, works excellently for me just now, on Windows XP build 2600

.486
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.data

pMessageBox dd 0
szNameOfLib db "USER32.dll",0
szNameOfApi db "MessageBoxA",0

; hand-assembled MessageBoxA call stored as plain bytes in .data;
; the two strings are pushed as the return addresses of the two CALLs
disassembly db 6ah, 30h                 ; push MB_OK or MB_ICONEXCLAMATION (uType)
            db 0e8h, 07h, 00h, 00h, 00h ; call _1  (pushes address of "hello!" = lpCaption)
            db "hello!",0
            db 0e8h, 1ch, 00h, 00h, 00h ; _1: call _2 (pushes address of the text = lpText)
            db "I'm in the code-section! =)",0
            db 6ah, 00h                 ; _2: push NULL (hWnd)
            db 0ffh, 0d0h               ; call eax (eax = MessageBoxA from GetProcAddress)
            db 0c3h                     ; ret

.code

start:

    invoke LoadLibrary, addr szNameOfLib           ; eax = handle of USER32.dll
    invoke GetProcAddress, eax, addr szNameOfApi   ; eax = address of MessageBoxA
    mov ebx, OFFSET disassembly                    ; address of the bytes in .data
    call ebx                                       ; execute them

    invoke ExitProcess, 0

end start

Hope it helps; it just jumps to the code section and produces a msgbox from there and returns.
:-)
Posted on 2002-10-07 19:55:00 by david
I have a question on the same topic as this, it's this:

I run XP too, and I am exploring the PE file format, doing various testing programs, and I mainly read Luevelsmeyer's doc on PE.
Although it's excellent, I think it may not cover XP-specific things, if any.

I found one thing while struggling with a bug:

SizeOfImage in the Optional Header has to be aligned to 4000h, else the program will just end up as an invalid PE in XP.
I don't know if this is the same case with NT/2k because I don't have the opportunity to try on these versions, but I would be happy for info on this!!!

I have WinME on my other drive, but any SizeOfImage size runs ok there.

Does anybody know of some other XP-specific details of PEs?
Posted on 2002-10-07 20:34:20 by david

SizeOfImage in the Optional Header has to be aligned to 4000h, else the program will just end up as an invalid PE in XP.

That's not true. For example, try to compress one of your executables with UPX; you will most likely get a SizeOfImage value that is not aligned to 4000h.
Posted on 2002-10-08 09:55:23 by Tola
Hi,

A PE with SizeOfImage in the Optional Header not aligned to 4000h still works properly on my computer. My computer is Win2k and I checked it out with my PE program.
Posted on 2002-10-08 10:23:05 by roticv
Hi, thanks for your replies, which help me a lot!


That's not true. For example, try to compress one of your executables with UPX; you will most likely get a SizeOfImage value that is not aligned to 4000h.


Every single application I packed with UPX has SizeOfImage aligned to a multiple of 4000h (!)
Strange, huh! Perhaps you could upload a UPX-compressed file which does not have that in a post, and I would like to test/see it.
This would help me!! =)

BIG EDIT::: I just found some info on MSDN, I was very wrong (not the first time =): SizeOfImage must always be a multiple of SectionAlignment!!!!!! And this is true for my UPX files and all others I tested!!!

Hi roticv, thank you for that valuable info, as I can not test it myself!!! =)

( OFFTOPIC: How can I post a quote so that the author of the quote is included? Now I just write quote in brackets and paste the quote within.. thanks )
Posted on 2002-10-08 20:53:07 by david
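As an added illustration (not code from anyone in this thread), the following Python script parses the PE headers the posts talk about and checks the two things discussed: whether SizeOfImage is a multiple of SectionAlignment (the rule david found on MSDN), and whether the section that a given RVA falls in, such as the .data section the first post jumps into, carries the IMAGE_SCN_MEM_EXECUTE characteristic. It builds a constructed, headers-only PE32 image inline so it runs offline; that sample is not a runnable program and its sizes and addresses are made up. The execute flag is what the loader is told about the section; whether a missing flag is actually enforced depends on the hardware and the Windows version, so the check reports the declared permission, not a guarantee about every system.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000


def build_sample_pe(size_of_image, section_alignment=0x1000, file_alignment=0x200):
    """Constructed PE32 headers (no section bodies) for demonstration only.

    Layout: DOS header, 'PE\\0\\0', IMAGE_FILE_HEADER, PE32 optional header,
    then a .text section marked executable and a .data section that is not.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> NT headers

    # IMAGE_FILE_HEADER: Machine=i386, 2 sections, 224-byte optional header
    file_header = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 0xE0, 0x0102)

    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x010B)         # Magic: PE32
    struct.pack_into("<I", opt, 0x10, 0x1000)         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, 0x00400000)     # ImageBase
    struct.pack_into("<I", opt, 0x20, section_alignment)
    struct.pack_into("<I", opt, 0x24, file_alignment)
    struct.pack_into("<I", opt, 0x38, size_of_image)
    struct.pack_into("<I", opt, 0x3C, 0x200)          # SizeOfHeaders

    def section(name, vsize, vaddr, rawsize, rawptr, flags):
        # IMAGE_SECTION_HEADER is 40 bytes
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)

    text = section(b".text", 0x100, 0x1000, 0x200, 0x200,
                   IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    data = section(b".data", 0x100, 0x2000, 0x200, 0x400,
                   IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(opt) + text + data


def parse_pe(image):
    """Parse just enough of a PE32 file to answer the questions in the thread."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, fh)
    oh = fh + 20
    if struct.unpack_from("<H", image, oh)[0] != 0x010B:
        raise ValueError("only PE32 (not PE32+) is handled here")
    section_alignment, file_alignment = struct.unpack_from("<II", image, oh + 0x20)
    size_of_image, size_of_headers = struct.unpack_from("<II", image, oh + 0x38)
    sections = []
    for i in range(nsections):
        off = oh + opt_size + 40 * i
        name, vsize, vaddr, _, _, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", image, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"),
                         "rva": vaddr, "size": vsize, "flags": flags})
    return {"section_alignment": section_alignment, "file_alignment": file_alignment,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "sections": sections}


def size_of_image_is_aligned(pe):
    """SizeOfImage must be a multiple of SectionAlignment (the MSDN rule)."""
    return pe["size_of_image"] % pe["section_alignment"] == 0


def section_for_rva(pe, rva):
    """Return the section header containing rva, or None if no section covers it."""
    for s in pe["sections"]:
        # In memory a section spans its VirtualSize rounded up to SectionAlignment.
        span = -(-s["size"] // pe["section_alignment"]) * pe["section_alignment"]
        if s["rva"] <= rva < s["rva"] + span:
            return s
    return None


def rva_is_marked_executable(pe, rva):
    """True if the section containing rva carries IMAGE_SCN_MEM_EXECUTE."""
    s = section_for_rva(pe, rva)
    return s is not None and bool(s["flags"] & IMAGE_SCN_MEM_EXECUTE)


def executable_sections(pe):
    return [s["name"] for s in pe["sections"] if s["flags"] & IMAGE_SCN_MEM_EXECUTE]


if __name__ == "__main__":
    for soi in (0x3000, 0x3100):
        pe = parse_pe(build_sample_pe(soi))
        print(f"SizeOfImage={soi:#x} aligned={size_of_image_is_aligned(pe)} "
              f"executable={executable_sections(pe)} "
              f"rva 0x2010 marked executable={rva_is_marked_executable(pe, 0x2010)}")
```

To run it against a real file, replace the constructed image with `open(path, "rb").read()`; the parser only reads the headers, so it never executes anything from the file. A jump like the one in the first post lands in a section without IMAGE_SCN_MEM_EXECUTE, which is exactly the case `rva_is_marked_executable` flags.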