Edit PE Optional header


mint77
December 15th, 2012, 20:51
I am looking for a program that will let you change some of the values in the PE Optional Header.

Is there a program available?

Thanks

blabberer
December 16th, 2012, 00:08
Quote:
Is there a program available


are you sure you mean what you ask?

google says it has About 2,240,000 results for editing pe header

though there is no program that explicitly states "i can edit only optional header",
every pe header editing program claims to have the ability to edit optional header as well

didn't lordpe, studpe, cffexplorer, ollydbg, hxd, hiew, xxd, 010 ..........
all that is shown in the first google page help you?

do they refuse to edit optional header?

shall we sue them all in a class / mass / whatever action suit?

bilbo
December 16th, 2012, 01:23
...and besides Google, Woodmann's Collaborative RCE Tool Library comes into help!
http://www.woodmann.com/collaborative/tools/Category:PE_Executable_Editors

Aimless
December 16th, 2012, 07:17
Har, Har!!!

Have Phun

mint77
December 16th, 2012, 08:34
I used CFF Explorer to do the editing.

This no longer works in Olly or IDA.

BoNus: Another small trick to block debuggers and Dasms

Load the bug.exe in Olly. What? Cannot be loaded. Try to see its contents in WinDasm. What?
Cannot see the API calls. Now check the header using a hex editor, and see those two values:

LoaderFlags: EDABDDCA
NumberOfRvaAndSizes: BBDCBDFA

Well, because of those two values that are false, the tools are being confused. Change them
to LoaderFlags=0 and NumberOfRvaAndSizes=10h (common values for almost all exe's) and the exe
loads just fine in Olly and Dasm now shows the API calls. The file was not packed or any other
kind of protected as you may have assumed at first. This works by changing BOTH of them.
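The header check mint77 describes, as an added example that is not from any poster in the thread: it locates the optional header at the standard PE32/PE32+ offsets, flags LoaderFlags / NumberOfRvaAndSizes when they deviate from the common 0 / 10h shape, and writes those common values back. The sample PE image is constructed inline (headers only, no sections) and carries the two values quoted in the post.

```python
import struct

# Offsets of LoaderFlags / NumberOfRvaAndSizes inside IMAGE_OPTIONAL_HEADER.
# PE32+ (magic 0x20B) places them 16 bytes later: ImageBase and the four
# stack/heap size fields are 64-bit there.
OPT_MAGIC_PE32, OPT_MAGIC_PE32PLUS = 0x10B, 0x20B
FIELD_OFFSETS = {OPT_MAGIC_PE32: (0x58, 0x5C), OPT_MAGIC_PE32PLUS: (0x68, 0x6C)}
SANE_LOADER_FLAGS, SANE_NUM_RVA = 0, 0x10       # what almost every linker emits

def loader_field_offsets(image: bytes) -> tuple:
    """Validate MZ/PE signatures and return file offsets of LoaderFlags and NumberOfRvaAndSizes."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip PE signature and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    lf_off, nrva_off = FIELD_OFFSETS[magic]      # KeyError for an unknown magic is acceptable
    return opt + lf_off, opt + nrva_off

def check_loader_fields(image: bytes) -> dict:
    """Report the two fields; a count above 16 makes naive tools walk past the real data directories."""
    lf_at, nrva_at = loader_field_offsets(image)
    loader_flags = struct.unpack_from("<I", image, lf_at)[0]
    num_rva = struct.unpack_from("<I", image, nrva_at)[0]
    return {"LoaderFlags": loader_flags, "NumberOfRvaAndSizes": num_rva,
            "suspicious": loader_flags != SANE_LOADER_FLAGS or num_rva > SANE_NUM_RVA}

def normalize_loader_fields(image: bytes) -> bytes:
    """Return a copy with LoaderFlags=0 and NumberOfRvaAndSizes=0x10, the fix the post applies by hand."""
    lf_at, nrva_at = loader_field_offsets(image)
    patched = bytearray(image)
    struct.pack_into("<I", patched, lf_at, SANE_LOADER_FLAGS)
    struct.pack_into("<I", patched, nrva_at, SANE_NUM_RVA)
    return bytes(patched)

def build_sample_pe32(loader_flags: int, num_rva: int) -> bytes:
    """Constructed minimal PE32 header image (no sections), used only to exercise the checks."""
    e_lfanew, opt = 0x40, 0x40 + 24
    img = bytearray(opt + 0x60)                  # through the fixed optional header fields
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", img, opt, OPT_MAGIC_PE32)
    struct.pack_into("<I", img, opt + 0x58, loader_flags)
    struct.pack_into("<I", img, opt + 0x5C, num_rva)
    return bytes(img)
```

Running `check_loader_fields` over a directory of executables and reporting any `suspicious` hit is a cheap triage step; `normalize_loader_fields` then produces a copy the older tools mentioned in the thread will load.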

disavowed
December 17th, 2012, 19:12
Quote:
[Originally Posted by mint77;93861]Try to see it's contents in WinDasm.What? Cannot see the API calls.


WHAT?! Do you mean to tell us that a 15-year-old tool doesn't work correctly when handling a binary injected with junk data?? I don't believe it!!

Zaderostam
December 18th, 2012, 03:06
Try PPEE (puppy); it's robust against malformed PE files.

http://www.woodmann.com/collaborative/tools/PPEE_(puppy)

mint77
December 18th, 2012, 08:54
You are misunderstanding my post.

Do some more research. :-)

I found something that confuses the newest Olly.

Kayaker
December 18th, 2012, 12:03
Er, that trick (LoaderFlags/NumberOfRvaAndSizes) first surfaced here in SOTM 33 back in 2004, at least.

Do some more research. :-)

http://old.honeynet.org/scans/scan33/

mint77
December 18th, 2012, 14:00
You are right, it was a bit old.