i have injected small code in my exe. here is data

PUSH 144
PUSH 403000
PUSH 40301A
PUSH 0
Call 77D8050B <<<----MSG BOX API

So the problem is this. The code is working fine in my system but it is giving error in another system. I am able to see the msg box but when tested in another systm it got crash. I think all the parameters are correct so where is the probem??

The problem is that not all machines are running on the same kernel32.dll version, so if you use hardcoded calls, the risk of malfunctioning on different machines is enormous, since that function might start on a different address of the kernel.

So, you'd rather use references to functions as the import tables do, by the name of function, and let the system search the address of start of the function by its own when it loads your executable.

It would be very useful if you read something about how import table works. Please have a look a iczelion tutorials, especifically Import Table section, they are very complete...


Another useful use could be invoking LoadLibraryA/GetModuleHandle (depending if your module is loaded or not) and then GetProcAddress, to obtain the handle of the start of the function required and then, perform a call to that address...

Best regards

Nacho_dj

Nacho_dj is the man, when it comes to Import Tables. Not much I can add to his wisdom.

When a program is loaded into memory Windows looks up all the addresses for the imported functions (using the IAT).
This is why you see :



rather than



because all API functions are called through the IAT pointers that windows has fixedup

Alternatively you can use something along the lines of:

Hi Nacho_dj thanks for your idea. I read all the tutorials icelezion and they are good enough just because of that i am trying to play with real executable files by injecting own data.


I agree with D-Jester it needs to be like this call [xxxxxx] like which we normally get in application call to specific pointer which redirect it to api. I tried jester but it was giving error no idea why. Can you take a look over small test.exe on which i am doing this. might be you can guide me in right direction by looking at my code.

If you upload it to rapidshare, I'll take a look.

Thanks for the help jester, i just figured it out myself

Jst want to ask simple question. I want to get the size of codesection in wininet.dll which just load when i press f9... and basically i got info that size of codesection vary in different system. So if i want to get the size of any section of any module which api should be helpful in that case.

no one knows? ok

May i get some info about wininet.dll

PE header address
Code start address
Code end address
and size of code section in your pc.


Not having much frnds in reverse enginerring. So just need this info in another pc.

the only way u can do it is manually, coding your own runtime pe parser to get the information.
this sadly stems into the rootkit / malware area, and chances are relatively high that the thread will be closed

Oh I don't think so, though the answer is correct. That's pretty useful stuff that everyone should know. I'd suggest to Jo_ti to review the Iczelion tutorials again, all the information about getting those PE details are in there, and other examples are not difficult to find with a bit of background research.