
VERY interesting assignment in C++

Lazy8s

Golden Member
I'm taking a grad level network security course. We are discussing programs that alter the PE header to change the size of the executable file. I have done a lot of research on the PE header file and I have found a LOT of information about its structure but nothing about how to gain access to it.

We just got our first project assigned and we have to alter the PE header for the project using C++ in a Windows (XP if it matters) environment. Does anyone know any resource for me to take a look at? I have found plenty about the values stored and what they are used for but nothing about how to alter them. At http://msdn.microsoft.com/msdnmag/issues/02/02/PE/ it describes how to find the Relative Virtual Address and how to find the real address based on the RVA and the actual load address. I'm assuming the key here is to find the actual load address and then use the offset to alter the correct memory locations but I am a Java programmer and I have almost no experience in C++. If anyone has a good resource or anything ANY help would be great. Thanks in advance.

Feel free to PM or post any questions.
 
Look through the ImageHlp reference at MSDN.

If you have a PE file loaded into memory already, you could also do something like this:

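IMAGE_DOS_HEADER *dosStub = (IMAGE_DOS_HEADER*)(file);
// Cast to BYTE* first so e_lfanew is added as a byte offset, whatever type "file" has.
IMAGE_NT_HEADERS *header = (IMAGE_NT_HEADERS*)((BYTE*)file + dosStub->e_lfanew);
// The section table starts right after the optional header.
IMAGE_SECTION_HEADER *sectionTable = (IMAGE_SECTION_HEADER*)((BYTE*)&header->OptionalHeader + header->FileHeader.SizeOfOptionalHeader);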

where "file" can be a buffer pointing to the loaded file, or the HINSTANCE/HMODULE of the currently-running executable. However, there may be an ImageHlp function that does this for you, so I strongly suggest reading through the documentation.
 
That looks like a great resource; I will read it over as I have time between classes. Basically our assignment is to make a program that changes its size every time it's run. This is extremely basic if the program recompiles itself but that's not the technically correct way to do that. We are supposed to have the program change the zero byte fields in the PE header but that was all the instructions we got so I was pretty lost without any knowledge of C++ (or the PE type).

It seems that there are a lot of online sources that explain the PE header but don't really talk about how to work with it. If anyone else finds anything please feel free to PM/post it. Thanks again Venix.
 
Ok, I have to admit I am a complete noob here. First off, I cannot for the LIFE of me figure out what your code is doing or why it is doing it. I tried:

cout << &IMAGE_FILE_HEADER::SizeOfOptionalHeader;

and all kinds of stuff and it just kept printing out "1" and I have no clue why. I then put in your code:


int _tmain(int argc, _TCHAR* argv[])
{
    HINSTANCE thisprog = GetModuleHandle(NULL);
    IMAGE_DOS_HEADER *dosStub = (IMAGE_DOS_HEADER*)(thisprog);
    IMAGE_NT_HEADERS *header = (IMAGE_NT_HEADERS*)(thisprog + dosStub->e_lfanew);
    IMAGE_SECTION_HEADER *sectionTable = (IMAGE_SECTION_HEADER*)((BYTE*)&header->OptionalHeader + header->FileHeader.SizeOfOptionalHeader);
    cout << & sectionTable << '\n';
    cout << sectionTable << '\n';
    return 0;
}

(EDIT: I know the & goes next to sectionTable with no spaces but for some reason the forum changes that to §ionTable, kinda odd)

and the output I get is:

0012FF1C
00400398
Press any key to continue...



I can say with 100% honesty I have absolutely no idea what any of this output means. It looks like a memory address and possibly what is stored there but like I said....no idea. I am VERY new to C++ (days old) and in Java we never messed with actual memory addresses or what was in them. I tried assigning values (just to see what would happen) by:

*sectionTable=0 or 00400777

but it kept throwing out errors. Can you take the time to explain what is going on here to me? This is supposed to be over my class' head and this is all for extra credit but I want to go that extra mile and understand it. I swear I spent almost 5 hours tonight googling and I do understand a lot more but most of my time was spent trying to figure out what a DWORD and all that was to see if there was an easy way to get/manipulate values.

Sorry to be such a noob but that's where I'm at. If you or anyone else is willing to spend the time explaining this to me that would be great. If not I'll keep looking on my own. Thanks in advance.


EDIT: I just tried


int _tmain(int argc, _TCHAR* argv[])
{
    HINSTANCE thisprog = GetModuleHandle(NULL);
    IMAGE_DOS_HEADER *dosStub = (IMAGE_DOS_HEADER*)(thisprog);
    IMAGE_NT_HEADERS *header = (IMAGE_NT_HEADERS*)(thisprog + dosStub->e_lfanew);
    IMAGE_SECTION_HEADER *sectionTable = (IMAGE_SECTION_HEADER*)((BYTE*)&header->OptionalHeader + header->FileHeader.SizeOfOptionalHeader);
    cout << &sectionTable << '\n';
    cout << sectionTable << '\n';
    cout << header->FileHeader.SizeOfOptionalHeader;
    header->FileHeader.SizeOfOptionalHeader = 1;
    return 0;
}

and it crashes my program. Why is that? I tried 0 and 1. Is it an illegal thing to do or am I screwing up what's in memory? Sorry to ask 800 questions but this stuff is REALLY interesting!!
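
Added example (not code from any poster in this thread): the header walk discussed above, written in portable C++ with explicit byte offsets over a buffer, next to the same walk with `e_lfanew` scaled the way it is when added to a typed handle pointer such as `HINSTANCE` (a `struct HINSTANCE__ *` under STRICT, so the addition scales by 4). The sample image, its `e_lfanew` of 0xE0 and all function names are constructed for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Byte offsets from the PE/COFF layout; the last two are relative to "PE\0\0".
const size_t OFF_E_LFANEW = 0x3C, OFF_SIZEOF_OPT = 0x14, OFF_OPT_HEADER = 0x18;

template <typename T>
bool readAt(const std::vector<uint8_t>& img, size_t off, T& out) {
    if (off > img.size() || img.size() - off < sizeof(T)) return false;  // bounds check
    std::memcpy(&out, img.data() + off, sizeof(T));  // little-endian host assumed
    return true;
}

// Correct walk, offsets added in bytes; returns the section table offset or -1.
long sectionTableOffset(const std::vector<uint8_t>& img) {
    uint16_t mz = 0, optSize = 0; uint32_t lfanew = 0, sig = 0;
    if (!readAt(img, 0, mz) || mz != 0x5A4D) return -1;               // "MZ"
    if (!readAt(img, OFF_E_LFANEW, lfanew)) return -1;
    if (!readAt(img, lfanew, sig) || sig != 0x00004550) return -1;    // "PE\0\0"
    if (!readAt(img, lfanew + OFF_SIZEOF_OPT, optSize)) return -1;
    return (long)(lfanew + OFF_OPT_HEADER + optSize);
}

// Same walk, but e_lfanew is scaled by elemSize, as happens when it is added
// to a typed pointer (elemSize 4 models HINSTANCE under STRICT).
long scaledSectionTableOffset(const std::vector<uint8_t>& img, size_t elemSize) {
    uint32_t lfanew = 0; uint16_t optSize = 0;
    if (!readAt(img, OFF_E_LFANEW, lfanew)) return -1;
    size_t wrongHeader = (size_t)lfanew * elemSize;
    if (!readAt(img, wrongHeader + OFF_SIZEOF_OPT, optSize)) return -1;
    return (long)(wrongHeader + OFF_OPT_HEADER + optSize);
}

// Constructed sample: zero-filled 4 KiB header page with e_lfanew = 0xE0 and
// SizeOfOptionalHeader = 0xE0 (both values are assumptions for illustration).
std::vector<uint8_t> makeSampleImage() {
    std::vector<uint8_t> img(0x1000, 0);
    auto put = [&](size_t off, uint32_t v, size_t n) { std::memcpy(&img[off], &v, n); };
    put(0, 0x5A4D, 2);  put(OFF_E_LFANEW, 0xE0, 4);
    put(0xE0, 0x00004550, 4);  put(0xE0 + OFF_SIZEOF_OPT, 0xE0, 2);
    return img;
}

int main() {
    std::vector<uint8_t> img = makeSampleImage();
    std::printf("bytes: 0x%lx  scaled: 0x%lx\n", (unsigned long)sectionTableOffset(img),
                (unsigned long)scaledSectionTableOffset(img, 4));
}
```

With these constructed values the scaled walk lands at offset 0x398, which lines up with the 00400398 printed in the thread if the image base is the default 00400000, while the byte-wise walk gives 0x1D8. The write in the last snippet faults for a separate reason: the loader maps an image's header page read-only.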
 