/Section help


Swimmer
June 1st, 2007, 18:31
I used the search here but couldn't find anything.

I am looking for an example (preferably assembly)
of using /SECTION argument for link.exe for some sort
of minor code protection.

What about VirtualAlloc with readwrite permissions for the code and using VirtualProtect to turn on readonly + execute?

Thanks.

squidge
June 2nd, 2007, 05:12
Well, changing some code to "ro+x" would be fine until someone loaded the exe into something like Ollydbg, and clicked "Set Access" -> "Full Access".

Swimmer
June 2nd, 2007, 07:17
Thanks for the feedback. I now know a feature of Olly that I wasn't familiar with. :-)

Take care.

Swimmer
June 2nd, 2007, 08:56
I can't find Set Access in Ollydbg. I have version 1.10.

Thanks.

squidge
June 2nd, 2007, 11:40
...

disavowed
June 2nd, 2007, 12:21
Swimmer, keep in mind that someone could do this without a debugger as well -- they could call VirtualProtectEx(...).
Don't rely on "ro-x" for anti-reversing purposes. (However, if the purpose is to deter buffer overflow exploitation, etc., then that's fine.)

Swimmer
June 2nd, 2007, 12:38
Thanks to both.

Someone suggested the ro-x because they thought I wanted it for anti-malware purposes.

I realize the best method is to not have all the features in a program to begin with. Can't create what isn't there.

I have some 16 bit code that confuses IDA Pro, at least on
its initial disassembly.

There are other things I am looking at like inserting a fake
signature for a file compressor and then using brand
G on it.

Also found a handy program that makes a com file
out of small .exes. That may have some potential as well.

LLXX
June 5th, 2007, 03:31
Quote:
[Originally Posted by Swimmer;66117]I used the search here but couldn't find anything.

I am looking for an example (preferably assembly)
of using /SECTION argument for link.exe for some sort
of minor code protection.

What about VirtualAlloc with readwrite permissions for the code and using VirtualProtect to turn on readonly + execute?

Thanks.

That won't do anything in the way of protection.

As for an example, I use
Code:
/section:.text,EWR
for all access after I've merged all the sections together.
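
An added example, not part of the original thread: the /SECTION letters end up as Characteristics bits in each PE section header, so a build can be audited for sections that are both writable and executable, as the EWR setting above produces. The header-only sample images are constructed for the demonstration, and `section_access`, `wx_sections` and `build_sample` are names made up here.

```python
import struct

# Section Characteristics bits from the PE/COFF specification,
# keyed by the letters link.exe /SECTION uses for them.
FLAGS = {"E": 0x20000000, "R": 0x40000000, "W": 0x80000000}

def section_access(image: bytes):
    """Return [(section name, access letters)] read from a PE image's headers."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)       # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (n_sections,) = struct.unpack_from("<H", image, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    table = pe_off + 24 + opt_size                          # first section header
    out = []
    for i in range(n_sections):
        hdr = table + 40 * i                                # 40 bytes per header
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        (chars,) = struct.unpack_from("<I", image, hdr + 36)
        out.append((name, "".join(k for k, bit in FLAGS.items() if chars & bit)))
    return out

def wx_sections(image: bytes):
    """Names of sections mapped both writable and executable."""
    return [n for n, acc in section_access(image) if "W" in acc and "E" in acc]

def build_sample(sections):
    """Constructed header-only image (no optional header, no data) for the demo."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        name.encode().ljust(8, b"\0") + b"\0" * 28
        + struct.pack("<I", sum(FLAGS[c] for c in letters))
        for name, letters in sections)
    return dos + b"PE\0\0" + coff + table

if __name__ == "__main__":
    separate = build_sample([(".text", "ER"), (".data", "RW")])
    merged = build_sample([(".text", "EWR")])               # as in the post above
    for label, img in (("separate", separate), ("merged", merged)):
        print(label, section_access(img), "W+X:", wx_sections(img))
```

To audit a real binary, pass `open(path, "rb").read()` to `wx_sections`; only the headers are read.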