Jump to content

Recommended Posts

Posted

thank you for your reply but my need is a bit different, i just want to know that which section contain IMAGE_SCN_CNT_CODE,

anyways i got the code from Code Project

VC:
if( pSectionHeader->VirtualAddress <= dwEntryPoint &&
    dwEntryPoint < pSectionHeader->VirtualAddress +
                     pSectionHeader->Misc.VirtualSize )
{ break; }

AutoIt :
Local $VA = DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress")
Local $VSZ = DllStructGetData($tIMAGE_SECTION_HEADER, "UnionOfData")
Local $AddressOfEntryPoint = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "AddressOfEntryPoint")
If ($VA <= $AddressOfEntryPoint) And $AddressOfEntryPoint < ($VA+$VSZ) Then
   ConsoleWrite("Execution Starts at SEC# "&$i&" :"&$Section&@CRLF)
EndIf
Nice one. I like that.

♡♡♡

.

eMyvnE

  • 2 weeks later...
Posted

I want more! I've been using this as a general pe-explorer for a while now (since I realized it could) and since I know you're an expert with these files I expect more cool functions :)

Broken link? PM me and I'll send you the file!

Posted

I want more! I've been using this as a general pe-explorer for a while now (since I realized it could) and since I know you're an expert with these files I expect more cool functions :)

Me too! Can't wait for modifying / compileing EXE files to come....

0x616e2069646561206973206c696b652061206d616e20776974686f7574206120626f64792c20746f206669676874206f6e6520697320746f206e657665722077696e2e2e2e2e

  • 1 month later...
Posted

I was thinking of some IAT adding/modifying capabilities.

Oh and some x64 support would be nice :D

So that custom dll could be plugged-in for example, or to make a ground point for native exe compressor?

I think it would be hard to keep the validity of the modified app. It shouldn't be difficult to actually add new function, but other sly modifications - that could be tricky.

Clear goal and necessary discussion on the subject is needed.

As for 64 bit support. I have limited access to 64-bit systems. This fact makes me unsuitable for the job. But I guess I could add some more support for 64-bit modules to _PopulateMiscTreeView() function.

♡♡♡

.

eMyvnE

Posted

My thinking is this:

I like to add/correct functionality on apps running on my system. Do to this I usually inject dll's into them during runtime.

However this requires an extra exe running and waiting for the process to exist and then injecting it. I would much rather be able to just modify the IAT on the target exe so my dll get's loaded during target exe's startup.

Broken link? PM me and I'll send you the file!

Posted

My thinking is this:

I like to add/correct functionality on apps running on my system. Do to this I usually inject dll's into them during runtime.

However this requires an extra exe running and waiting for the process to exist and then injecting it. I would much rather be able to just modify the IAT on the target exe so my dll get's loaded during target exe's startup.

So, let's say this happens...

I compile AutoIt script. This new app will import different functions from different dlls.

Two of them will be CopyFileW and MoveFileW.

My compiled script uses this code:

FileCopy("FullPathToSomething", @DesktopDir)

If I run it what would happen? It will copy something to @DesktopDir.

But what would happen if I would manipulate IAT and replace CopyFileW with MoveFileW? One thing is sure, my app would import two MoveFileW functions from kernel32.dll.

Will the code copy or move that "FullPathToSomething" to @DesktopDir afterwards?

I'm gonna speculate and say later would happen.

What if I have MyApp.exe that imports "X", "Y", "Z" functions from user32.dll. What if I make user33.dll and export "X", "Y" and "Z" functions from it. What if "X" and "Y" functions are just redirections to "X" and "Y" from user32.dll and "Z" is my function (the way I like it). What if I simply replace name "user32.dll" from IAT of MyApp.exe with "user33.dll" and place my user33.dll where it should be placed for windows to find it when loading MyApp.exe. Would that work? What do you think?

♡♡♡

.

eMyvnE

Posted

So, let's say this happens...

I compile AutoIt script. This new app will import different functions from different dlls.

Two of them will be CopyFileW and MoveFileW.

My compiled script uses this code:

FileCopy("FullPathToSomething", @DesktopDir)

If I run it what would happen? It will copy something to @DesktopDir.

But what would happen if I would manipulate IAT and replace CopyFileW with MoveFileW? One thing is sure, my app would import two MoveFileW functions from kernel32.dll.

Will the code copy or move that "FullPathToSomething" to @DesktopDir afterwards?

I'm gonna speculate and say later would happen.

Strictly speaking it would crast since MoveFile and CopyFile doesn't have the same amount of paramaters. But in theory I would say that the would be moved (unless MoveFile is using CopyFile and we get an internal unbreakable eternal loop, but that's irrelevant.)

What if I have MyApp.exe that imports "X", "Y", "Z" functions from user32.dll. What if I make user33.dll and export "X", "Y" and "Z" functions from it. What if "X" and "Y" functions are just redirections to "X" and "Y" from user32.dll and "Z" is my function (the way I like it). What if I simply replace name "user32.dll" from IAT of MyApp.exe with "user33.dll" and place my user33.dll where it should be placed for windows to find it when loading MyApp.exe. Would that work? What do you think?

It would be some kind of API hooking (but your example could provide a lot of difficulties since user32 is a pretty essential part of windows, it could screw up pretty bad). But yes, I think it would work. I mean, the IAT is just a table of addresses and functions. Editing it before execution shouldn't be much different from editing it during runtime (which I know you know I have done before).

Broken link? PM me and I'll send you the file!

Posted (edited)

Strictly speaking it would crast since MoveFile and CopyFile doesn't have the same amount of paramaters. But in theory I would say that the would be moved (unless MoveFile is using CopyFile and we get an internal unbreakable eternal loop, but that's irrelevant.)

No it wouldn't crash because MoveFileW takes two parameters and CopyFileW three. That means that MoveFileW will take what it needs from the stack leaving else. This is ok. Opposite situation could lead to a crash.

Let's take this code:

If $CmdLine[0] = 1 Then
    If StringRight($CmdLine[1], 4) = ".au3" Then
        Run('"' & @AutoItExe & '" /AutoIt3ExecuteScript "' & $CmdLine[1] & '"')
    EndIf
EndIf

After compilation, to run some script with it we need to drop it on that exe.

If I write some new script (on the desktop) that goes like this:

DirCreate(@DesktopDir & "\SomeNewFolder")
FileCopy(@ScriptFullPath, @DesktopDir & "\SomeNewFolder")

If MsgBox(262144 + 32 + 4, "Copy or Move?", "Is " & StringRegExpReplace(@ScriptFullPath, ".*\\", "") & " on your deskop now?") = 7 Then
    MsgBox(262144 + 64, "Great", "All works well.")
Else
    MsgBox(262144 + 64, "Failure", "Described idea sucs! Not working.")
    DirRemove(@DesktopDir & "\SomeNewFolder", 1)
EndIf

... and drop it on previously compiled one there would be "Failure" scenario happening.

But if I make described intervention and update IAT of my app afterward, there should be "All works well." box displayed.

Unfortunately I'm not able to attach that exe (no more available space), but take my word for it - it works.

It would be some kind of API hooking (but your example could provide a lot of difficulties since user32 is a pretty essential part of windows, it could screw up pretty bad). But yes, I think it would work. I mean, the IAT is just a table of addresses and functions. Editing it before execution shouldn't be much different from editing it during runtime (which I know you know I have done before).

I'm not touching user32.dll.

Just changing reliance of MyApp.exe from user32.dll to user33.dll (one byte change).

Edited by trancexx

♡♡♡

.

eMyvnE

Posted

Not sure where you're going here, but yeah, you're pretty much describing the behavior I want. Adding/Changing an exe's dependencies.

Broken link? PM me and I'll send you the file!

Posted

Working very well (as expected)!

My test:

Created an exe that displayed a profanity in a MessageBox.

Created an dll that exported a function that redirected to MessageBoxW but added a check for profanities before redirection.

Used your script to change the IAT of the exe to point to my dll and exported function.

Saved the modified exe as a new file.

Ran it and success :D

Test files included.

http://monoceres.se/Uploads/test_iat_mod.zip

Broken link? PM me and I'll send you the file!

Posted

Ok, I have something.

There are few limitations. Some are by deliberate, some not.

Try to brake it.

... just wait till I delete some attachment so I can upload this one.

edit:

IATManipulate.au3

Nice Work trancexx. its Awesome :D

73 108 111 118 101 65 117 116 111 105 116

Posted

Working very well (as expected)!

My test:

Created an exe that displayed a profanity in a MessageBox.

Created an dll that exported a function that redirected to MessageBoxW but added a check for profanities before redirection.

Used your script to change the IAT of the exe to point to my dll and exported function.

Saved the modified exe as a new file.

Ran it and success :D

Test files included.

http://monoceres.se/Uploads/test_iat_mod.zip

Good.

Profanities are really fucked up now.

♡♡♡

.

eMyvnE

Posted

Will this be added into the next release of this?

0x616e2069646561206973206c696b652061206d616e20776974686f7574206120626f64792c20746f206669676874206f6e6520697320746f206e657665722077696e2e2e2e2e

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...