Sep 11th, 2005, 11:23 AM   #1
Mad_guy
PEval

Over the past... hour or two, I have been making something in order to test a few concepts on my system, memory mapped files, the PE header, etc. etc. Anyway, I eventually got to my program, PEval. It's a simple program that pokes around an executable for data, gives you info over sections, yada yada. It's exceptionally simple, and I made it out of boredom, but I really really really really REALLY wanted to fuck around with IMAGE_DOS_HEADER and IMAGE_NT_HEADERS and check out the PE file.

I got a lot of code based off this EPO heuristics scanner, as you should be able to see. While this absolutely awesome book by Matt Pietrek, "Windows 95 Systems Programming Secrets", covers a lot about the PE header, I had to take some concepts from Piotr Bania to get it to work. I'm sure there was an MSDN article/journal entry I could have read to get the exact same info though (probably where Piotr got that info himself).

When the application was 'done', for lack of a better word, I hit a snag that really pissed me off. I put:

pSecHdr = (PIMAGE_SECTION_HEADER)(((DWORD)pMapview + pDosHdr->e_lfanew) + sizeof(PIMAGE_SECTION_HEADERS));

Instead of:

pSecHdr = (PIMAGE_SECTION_HEADER)(((DWORD)pMapview + pDosHdr->e_lfanew) + sizeof(IMAGE_NT_HEADERS));

The first one would just go like 4 bytes ahead (since PIMAGE means it's a pointer) while the other one would jump over the PE header since I'm giving it an absolute value of a structure. So it'd give me garbage for names like 'dk' or 'L' instead of '.tls' or '.rsrc'. That really made me mad. But it's fixed now, and I now know to go back and reference RVAs appropriately and never add something to a sizeof with a pointer as a parameter, ick.

I also hit another snag with somehow corrupting PE files, I don't know why either. I attempt to copy a string ("void") into a section's name if it had no name, and it somehow corrupted it, odd. Oh well, that was an easy fix, and I suspected that's where it was happening because it's the only place where I write to the process itself instead of just referencing crap.

Anyway, now it's done. If you would like the source it is here, and if you are too lazy to compile and would like a binary copy, that can be found here.

Also, please do not post in this thread about how it 'crashes when you try it on a .jpg' or something of that sort. I already know about that, and I figured it out when I planned to have it originally scan a tmp file as opposed to your real executable to avoid corruption, but when I tried scanning the PE signature on the tmp file, something went wrong. Yes, I know about it.
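An added example, not code from the post or from PEval: a bounds-checked locator for the section table of a mapped PE image, with the Win32 structures redeclared minimally so it compiles without windows.h, plus a constructed sample image. It goes a little beyond the post's fix by reading the optional header length from the file header (so PE32+ works too) and it copies section names out of the mapping instead of writing "void" into it; names such as DOS_HDR, first_section and build_sample are this example's own.

```c
#include <stdint.h>
#include <string.h>

/* Minimal stand-ins for IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, IMAGE_NT_HEADERS (minus the optional
 * header) and IMAGE_SECTION_HEADER, laid out like the Win32 originals so this builds anywhere. */
typedef struct { uint16_t e_magic; uint8_t reserved[58]; uint32_t e_lfanew; } DOS_HDR;   /* 64 B */
typedef struct { uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp, PointerToSymbolTable,
    NumberOfSymbols; uint16_t SizeOfOptionalHeader, Characteristics; } FILE_HDR;          /* 20 B */
typedef struct { uint32_t Signature; FILE_HDR FileHeader; } NT_HDR;                        /* 24 B */
typedef struct { char Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    PointerToRelocations, PointerToLinenumbers; uint16_t NumberOfRelocations, NumberOfLinenumbers;
    uint32_t Characteristics; } SEC_HDR;                                                   /* 40 B */
/* Section table of a 'len'-byte mapping; NULL if it is not a PE image or its headers exceed the mapping. */
const SEC_HDR *first_section(const uint8_t *img, size_t len) {
    if (len < sizeof(DOS_HDR)) return NULL;
    const DOS_HDR *dos = (const DOS_HDR *)img;
    if (dos->e_magic != 0x5A4D || dos->e_lfanew > len - sizeof(NT_HDR)) return NULL;   /* "MZ" */
    const NT_HDR *nt = (const NT_HDR *)(img + dos->e_lfanew);
    if (nt->Signature != 0x00004550) return NULL;                                        /* "PE\0\0" */
    /* sizeof(NT_HDR) is the 24-byte struct, not the 4 or 8 bytes sizeof(a pointer to it) yields,
     * and the optional header's length is read from the file header rather than assumed. */
    size_t off = dos->e_lfanew + sizeof(NT_HDR) + nt->FileHeader.SizeOfOptionalHeader;
    if (off > len || (len - off) / sizeof(SEC_HDR) < nt->FileHeader.NumberOfSections) return NULL;
    return (const SEC_HDR *)(img + off);
}
/* Copy the name out (Name has no NUL at 8 bytes); writing "void" into the mapping would edit the file. */
const char *display_name(const SEC_HDR *s, char out[9]) {
    memcpy(out, s->Name, 8); out[8] = '\0';
    return out[0] ? out : "void";
}
/* Constructed sample: DOS header, 16-byte stub, zeroed 224-byte PE32 optional header, two sections. */
enum { STUB = 16, OPT = 224, NSEC = 2 };
static uint8_t g_img[sizeof(DOS_HDR) + STUB + sizeof(NT_HDR) + OPT + NSEC * sizeof(SEC_HDR)];
size_t build_sample(void) {
    DOS_HDR dos = {0}; NT_HDR nt = {0}; SEC_HDR sec[NSEC]; memset(sec, 0, sizeof sec);
    dos.e_magic = 0x5A4D; dos.e_lfanew = sizeof(DOS_HDR) + STUB;
    nt.Signature = 0x4550; nt.FileHeader.NumberOfSections = NSEC; nt.FileHeader.SizeOfOptionalHeader = OPT;
    memcpy(sec[0].Name, ".text", 5);                                    /* sec[1] stays unnamed */
    memcpy(g_img, &dos, sizeof dos);
    memcpy(g_img + dos.e_lfanew, &nt, sizeof nt);
    memcpy(g_img + dos.e_lfanew + sizeof nt + OPT, sec, sizeof sec);
    return sizeof g_img;                                                /* 408 bytes */
}
/* Name of sample section 'idx' when validated as a 'len'-byte mapping, or NULL if rejected. */
const char *sample_section_name(size_t len, int idx) {
    static char out[9];
    const SEC_HDR *s = first_section(g_img, len);
    return s ? display_name(s + idx, out) : NULL;
}
```

Passing a length shorter than the real header span (as happens with a truncated or non-PE file) makes first_section return NULL rather than reading past the mapping.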
DaniWeb IT Discussion Community