View Full Version : Read Write Execute..!


jackall
November 8th, 2010, 12:11
Two executables built from (abc.c) and (abp.cpp).
The initialized data is normally to be found in the (.data) section, as seen in the dumpbin output of abc.exe.

SECTION HEADER #3
.data name
C0000040 flags
Read Write
Code:
0040C000: 65 6E 74 65 72 20 70 61 73 73 77 6F 72 64 2E 2E enter password..
0040C010: 0A 2E 2E 61 73 20 6B 72 69 73 0A 00 6B 72 69 73 ...as kris..kris
0040C020: 0A 00 00 00 77 72 6F 6E 67 2E 2E 20 70 61 73 73 ....wrong.. pass
0040C030: 77 6F 72 64 2E 2E 0A 00 70 61 73 73 77 6F 72 64 word....password


However, the same initialized data in (abp.cpp) is not found in (.data) section, but was in (.rdata) section.

SECTION HEADER #2
.rdata name
40000040 flags
Read Only
Code:
004131A0: 0A 65 6E 74 65 72 20 70 61 73 73 77 6F 72 64 2E .enter password.
004131B0: 2E 0A 2E 2E 61 73 20 6B 72 69 73 0A 00 00 00 00 ....as kris.....
004131C0: 6B 72 69 73 00 00 00 00 0A 77 72 6F 6E 67 20 70 kris.....wrong p
004131D0: 61 73 73 77 6F 72 64 2E 2E 00 00 00 70 61 73 73 assword.....pass
004131E0: 77 6F 72 64 20 4F 4B 0A 0A 00 00 00 69 6F 73 5F word OK.....ios_


1-why the initialized data, is shifted from read write section as in (C), to read only section in (C++)...?

2-is there a console utility to filter (to show the string in an executable)...! A small utility like dumpbin..!

3-how to make the code section (write)able in addition to its default (execute read) attributes..?

4- how to create another custom data section and move any desired data to it..?

thank you..!

Darkelf
November 8th, 2010, 14:12
Hi,

I'll try to answer your question as good as I can, but don't be angry if something is wrong.

1. I guess the C++ compiler is a bit smarter, as the data we are talking about IS read-only. So putting it in a read-only section makes sense.
But the main reason may be the string pooling switch is enabled by default (Enable String Pooling: Yes (/GF))

2. http://technet.microsoft.com/en-us/sysinternals/bb897439.aspx

3. Under Windows have a look at VirtualProtect: http://msdn.microsoft.com/en-us/library/aa366898%28VS.85%29.aspx

4. edit:formerly here was one of the most stupid sentences I've ever written. (FYI: I suggested creating a new section with LordPE and using placement_new afterwards) The only excuse I have is way too much alcohol

Hope that helps.

Regards
darkelf

Elenil
November 8th, 2010, 18:50
hi, question 1 is a bit nonsense to me, but that's kind of the protection system. to learn more, read about the PROTECTED MODE (and why it has been created); it should make more clear why this is done.
some more information: where you have the state read/write you also can execute

to 2 : console utility ? try programs called hex-editors; other things that can do this are debuggers

to 3 : call the win api function VirtualProtect with "PAGE_EXECUTEREADWRITE"
other option would be to edit the PE header (in win98 you can write to the code/text section without any functions)

to 4 : i don't know if visual c++ 2010 can do that ?
but you can add sections manually in the PE header after you compiled the exe, if that helps

dELTA
November 8th, 2010, 21:38
Quote:
[Originally Posted by jackall;88152]1-why the initialized data, is shifted from read write section as in (C), to read only section in (C++)...?
Because your particular linker feels like it. Remember that such things absolutely don't have to be "language specific", but rather "linker specific". Such things might be for a reason inherent in the language though, e.g. smarter string handling in C++ than in C.


Quote:
[Originally Posted by jackall;88152]2-is there a console utility to filter (to show the string in an executable)...! A small utility like dumpbin..!
Your question is a bit unclear, but if my mind reading skills are working well, you might like the "strings" utility shipped with most Linux versions, and cloned also for Windows.

More here: http://lmgtfy.com/?q=strings+executable&l=1


Quote:
[Originally Posted by jackall;88152]3-how to make the code section (write)able in addition to its default (execute read) attributes..?


The other suggestions above only make it writable by execution of other code, here is how you make it writable from the start, directly in the executable:

http://lmgtfy.com/?q=make+pe+code+section+writable&l=1
(it even gives you the answer to the question below too, as a bonus!)


Quote:
[Originally Posted by jackall;88152]4- how to create another custom data section and move any desired data to it..?


http://lmgtfy.com/?q=adding+sections+to+executable&l=1
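
An added example, not part of the original thread: the section flags dumpbin printed above (C0000040 for .data, 40000040 for .rdata) decoded straight from the PE section table, with a check that reports any section that is both writable and executable. The sample image and its `.patched` section are constructed for illustration, and the function names are this example's own.

```python
import struct

# Section characteristic bits from the PE/COFF specification.
FLAGS = {
    0x00000020: "Code",
    0x00000040: "Initialized Data",
    0x20000000: "Execute",
    0x40000000: "Read",
    0x80000000: "Write",
}

def sections(pe: bytes):
    """Yield (name, characteristics) for each section header in a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (nsect,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    for i in range(nsect):
        hdr = pe[table + 40 * i: table + 40 * (i + 1)]
        if len(hdr) < 40:
            raise ValueError("truncated section table")
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        yield name, struct.unpack_from("<I", hdr, 36)[0]

def describe(ch):
    """Decode a characteristics value into the labels dumpbin summarises."""
    return [label for bit, label in FLAGS.items() if ch & bit]

def audit(pe):
    """Return names of sections that are both writable and executable."""
    return [n for n, ch in sections(pe) if ch & 0x80000000 and ch & 0x20000000]

def sample_pe():
    """Constructed, headers-only image; the .data/.rdata flag values are from the thread."""
    secs = [(b".text", 0x60000020), (b".rdata", 0x40000040),
            (b".data", 0xC0000040), (b".patched", 0xE0000020)]
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)   # e_lfanew at offset 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\0") + bytes(28) + struct.pack("<I", c) for n, c in secs)
    return dos + coff + table

if __name__ == "__main__":
    for name, ch in sections(sample_pe()):
        print(f"{name:<9} {ch:08X} {' '.join(describe(ch))}")
    print("writable and executable:", audit(sample_pe()))
```

A section that is both writable and executable is not something a default compiler/linker build produces, so a non-empty `audit` result is a useful triage signal that a header was edited or a non-default section attribute was requested.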

jackall
November 9th, 2010, 01:19
Quote:
[Originally Posted by Darkelf;88153]Hi,
I'll try to answer your question as good as I can, but don't be angry if something is wrong.
4. Make a new section with -for instance- LordPE and use placement_new to place your data in it.
Hope that helps.
Regards
darkelf


Darkelf..hi..!

the enthusiasm to share your knowledge with others , is what i consider more important, than the actual trueness of the information itself...so the issue of ‘get angry’ does not arise at all...i value your eagerness, the information provided is right or not, is up to those who really need it, to learn and then validate it..!

thank you for sharing...!
regards..!

jackall
November 9th, 2010, 04:45
Quote:
[Originally Posted by dELTA;88157]Because your particular linker feels like it. Remember that such things absolutely don't have to be "language specific", but rather "linker specific". Such things might be for a reason inherent in the language though, e.g. smarter string handling in C++ than in C.


seems to me, to be a very precise answer..
thank you...

Quote:
your question is a bit unclear, but if my mind reading skills are working well, you might like the "strings" utility shipped with most linux versions, and cloned also for windows.

ha...haha....’your reading skill is working well’...
its my deficiency in communication proficiency, conditioned by the lack of clarity in the area,
that is probably to be blamed...sorry for the previous rather poor unclear account...

now, it's more like this:

i want to make the executable file making its code section writable, while compiling itself.
And by doing so, i hope to save the data (say for example, the address of the function,
the ExitProcess () in the code section), and calling it later on, to terminate the program..

simply put, calling a function by its address..!
thank you for the links provided...i am sure i would find the answers, in the links...

regards..!
.

Darkelf
November 9th, 2010, 10:10
Hi jackall,

first of all, I'm really sorry for writing such crap as "add a section with LordPE..." above. I guess I was out of my senses. Let me at least answer question 4 now.
You can define your own custom section with:

#pragma section("sectionname", attributes)

and put your data in it with:

__declspec(allocate("sectionname")) theData;

See the slightly rewritten source you provided:

Code:


#include <iostream>
#include <string.h>
using namespace std;

// MSVC-specific: declare a custom read-write section and place the array in it
#pragma section("rwdata", read, write)
__declspec(allocate("rwdata")) char password[] = "kris";
#define length 100

int main()
{
    char buff[length];

    cout << "\nenter password..\n..as kris\n";
    cin.width(length);   // limit input to the buffer size, including the terminating NUL
    cin >> buff;

    if (strcmp(&buff[0], password))
        cout << "\nwrong password..";
    else
        cout << "password OK\n\n";
    return 0;
}


The password is now in your own, read-write section.

I really hope this is what you are looking for.
If not, I will crawl back under my stone

Regards
darkelf

jackall
November 9th, 2010, 12:38
Quote:
[Originally Posted by Darkelf;88166]
The password is now in your own, read-write section.
I really hope this is what you are looking for.
Regards darkelf


darkelf..!

creating a new section, say for example in (1.exe) was, one question mark...!
altering the section attributes, say in (2.exe) was, another doubt altogether.

i was not meaning to combine both the tasks in one and the same file... but i seem
to have succeeded in messing up, by mentioning simultaneously both, in the same post.

my apologies..!
you sure have expended, a lot of effort to come up with that code..!

(1.asm):
this is the code i stole from Kaspersky, with the sole purpose of creating a new segment...
i had tried it earlier, but failed to create a new section with it...
Code:
#include <stdio.h>
#include <string.h>
#define SIZE 100
#define PASSWORD "abc\n"

int main ()
{
    int count=0;

#pragma data_seg (."newSection")
    char passwd[ ]=PASSWORD;
#pragma data_seg ()

    char buff [SIZE]=" ";
    for (;;)
    {
        printf ("enter password:");
        fgets (&buff [0], SIZE,stdin);

        if (strcmp(&buff[0] , &passwd[0]))
            printf ("wrong password\n");
        else break;
        if (++count>2) return -1;
    }
    printf ("password ok\n");
}

i am sure i err somewhere; i would be very grateful if someone could point out the point where i am erring..!

thank you..!
.

Darkelf
November 9th, 2010, 15:36
Hi again,

Quote:
[Originally Posted by jackall;88167]
#pragma data_seg (."newSection")
char passwd[ ]=PASSWORD;
#pragma data_seg ()
.


The dot needs to be part of the string (or you drop the dot completely).

#pragma data_seg (".newSection")

It will compile pretty fine then.

jackall
November 10th, 2010, 04:09
Quote:
[Originally Posted by Darkelf;88170]Hi again,
The dot needs to be part of the string (or you drop the dot completely).


darkelf..!

you are simply excellent..!
being able to connect the dots, and to conclude
that, the dot has to be a part of the string..!

dump of file dot.exe
file type: executable image

1000 .darkelf
3000 .data
3000 .rdata
1000 .reloc
8000 .text

yes..! it does make a new section..

and it looks, as usual, so ridiculously simple.!
as it always used to look, once it is resolved..!

many more thanks..!
regards..
.