
View Full Version : PE Rebuilding Topic


Bengaly
February 22nd, 2003, 12:30
heya,
some of you might find it as useful as I do,
for now I am trying to code a simple PE rebuilder [NOT an aligner]..
sadly no one has really posted some useful code, and rebuilding is more of a personal knowledge thing..
with rebuilding I mean: fix a dumped file [exe, dll..] and make it work like it did in the first place,
also don't take it wrong that it is another ReVirgin/ImpRec thingy,
all I mean is to take a normal running process [not encrypted], i.e. notepad, and just dump and fix it [kinda stupid thing to do, but it's just for more coding experience]

so far, by comparing through some PE rebuilders like procdump/LordPE, I've come to a bit of something:

tested on Win2k:
-------------------
FileAlignment = 4096 (1000h)
SizeOfHeaders = 4096 (1000h) (seems too big)
SizeOfRawData = VirtualSize
PointerToRawData = VirtualAddress

the problem with SizeOfHeaders is that it is calculated from the sum of all headers until the raw offset of the first section, I think.. so when dumping from memory
the dump will probably contain padded zeros (000000....), so you get a different SizeOfHeaders than it should be.
this trick is used by LordPE as far as I've noticed [probably missed some more small stuff]; it doesn't reduce the dump's size, but it does work from time to time.
however procdump does reduce the image size by eliminating padded zeros; I didn't check more of what it does.. but not all dumps work =).
if some of you have a more detailed way, tricks, or good rebuild tuts, please post them here... I really want to have something that is actually public to all.

squidge
February 22nd, 2003, 15:11
You may find this helpful; it's a little process dumper thingy I started ages ago and never got around to continuing. It's quite basic still, but may give you something to use. Written in Borland C++ Builder 5.

(12kb download)

Bengaly
February 22nd, 2003, 16:56
hey,
thanks for the attachment!.. though I don't code in Borland C++ (so I can't compile your src).
but I already have a dumper that I have done.
the only thing is to collect nice tricks/examples to fix a bad dump.

squidge
February 22nd, 2003, 19:30
With your own dumper, did you list the processes in the same way as I have done? Just as there seems to be more than one way of doing so, and programs like LordPE seem to be able to get access to more processes than my own can. (My own prog gets Access Denied to a lot of the system processes, and I was just wondering how they get around this).

Thinking about dumper fixing however, if a PE file had a code section that contains nothing but several hundred Kb's worth of zero's, shouldn't it be possible to zero-ise out the RSize, but leave Roffset, Voffset and Vsize alone to have the end result of exactly the same thing in memory (Voff/Vsize not touched) but taking up no space on disk?

Bengaly
February 23rd, 2003, 01:32
Quote:
With your own dumper, did you list the processes in the same way as I have done?

well, I checked your src quickly, and I haven't done it the same way.
I have done it like this:
Code:

...
...
hProcess=OpenProcess(PROCESS_VM_READ, 1, PID);
....
// allocating enough bytes to put the memory into
MemoryData=(char *)malloc(sizeof(char)*hFileSize);
...
...
...
ReadProcessMemory(hProcess,(LPVOID)ProcessAddress,(LPVOID)MemoryData,hFileSize,NULL);
...
...
WriteFile(hFile,MemoryData,hFileSize,&MemWritten,NULL);
....


that's +- how I do it, which seems to be working fine,
maybe you can't dump all processes because you check VirtualQueryEx() and it prevents you from accessing them. (can't say really because I can't compile/debug)

anyway, as I have seen from procdump, it does kill padded zeros from the dumped image and corrects the header.
though not all zeros are cut down, so it probably calculates how many to kill; however this is not how LordPE does it, because it doesn't care about the padded zeros and only fixes the header.
which in both cases sometimes works/doesn't work.

squidge
February 23rd, 2003, 09:08
Thanks for that, will have to experiment more (not that I want to dump system processes - just wondered why it was different to the way LordPE etc does it)

So, basically, all you want to do is write a program that will dump, say, notepad paused at EP, and then trim the image, and end up with a fully working file with the size closest as possible to the original (as the original will not be packed) ?

Bengaly
February 23rd, 2003, 14:38
yeah well, a more detailed explanation would come in handy.
I know +- the LordPE/procdump dump fix method, though maybe there are some other ways, or maybe more stuff to know in order to make the dump better.
trying to delete the padded zeros is one way, but you can ignore it (at least I think) as long as you fix the header's size, vsize.. etc.
you can delete the padded zeros to match the original exe as it is on the hdd (at least I think it would work)

sv
February 24th, 2003, 05:04
Hi Bengaly

I have coded a little dump2exe rebuilder.
To reduce exe size, I take Virtual offset + VirtualSize and I check for the first non-zero byte (i=i-1).
When found you have to round to 200h and fix the header (raw offset & size).
If you find only zero bytes, it's a BSS section.
It works fine.

Regards
SV

Bengaly
February 24th, 2003, 07:00
you mean checking each section,
by setting a pointer at the raw offset and walking until you find a non-zero byte, and meanwhile calculating how many zeros to trim and the offset where the section starts in the dump (the non-zero byte) +-
if not, maybe you can show a little demonstration?

Bengaly
February 24th, 2003, 08:44
you can try my tool (see attachment).
it's still WIP, but if you use Win2k (didn't test XP yet) you will be able to dump the process and fix it in the PE editor (+- LordPE's way)
Win9x is not yet supported for dumping because I don't have it installed here (yet)

btw,
if it nags about DLLs (VS errrr), they're here:

-> http://www.geocities.com/shanytc/msvcp60.zip
-> http://www.geocities.com/shanytc/mfc4261.zip
-> http://www.geocities.com/shanytc/msvcrtd.zip

squidge
February 24th, 2003, 09:12
Seems like it's becoming a useful LordPE rip-off

Bengaly
February 24th, 2003, 10:32
hehe, I didn't want to make an ugly-looking PE editor, so I just made it user friendly, which looks like LordPE - not entirely though :P

sv
February 25th, 2003, 03:44
Hi Bengaly

Sorry if my post wasn't clear

Yes, for each section, point to the virtual end, search for a non-zero byte in ascending mode, when found round the address (200h), fix the section info (raw size and next section raw offset).

Regards

squidge
February 25th, 2003, 05:05
Shouldn't you get the FileAlignment value from the PE header and round on that rather than assuming 200h? Unless of course you update the header to your newly rounded value.

sv
February 25th, 2003, 08:49
Hi squidge

I think the best value is the smallest value.
I have always seen a file alignment of 512 bytes.
Hmm ... for compatibility (W95) I don't think it can be less.

Regards

[NtSC]
February 25th, 2003, 12:22
I saw a few that didn't use 200h..
Before you run into trouble sometime and don't know why.. better grab the alignment info from the PE header and calculate the correct value.. saves more time than possible upcoming bug hunting :P
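The two rebuild methods discussed in this thread side by side, as an added example that is not code from any poster, from LordPE or from procdump: Bengaly's LordPE-style header fix (PointerToRawData = VirtualAddress, SizeOfRawData = VirtualSize, FileAlignment = SectionAlignment, SizeOfHeaders = RVA of the first section) and sv's size reduction (per section, keep everything up to the last non-zero byte, round that up to the file alignment, repack). The alignment is read from the PE header as squidge and [NtSC] suggest, with an optional override that is written back into the header. An all-zero section ends up with SizeOfRawData = 0 and no bytes on disk, which is what squidge asked about: it still gets its full VirtualSize in memory. The dump is a constructed three-section PE32 image built in memory (a hypothetical sample, not a real binary) whose headers still carry the on-disk raw values, exactly the state a memory dump is in; only the PE32 header fields the rebuild touches are parsed. `map_image()` re-maps a rebuilt file the way a loader lays sections out, so you can check that the trimmed file still reproduces the dump's memory image.

```python
# Added example, not code from the thread or from LordPE/ProcDump: a minimal PE32
# dump rebuilder applying the two fixes discussed above to a constructed sample dump.
import struct

SECTION_HDR = 40  # sizeof(IMAGE_SECTION_HEADER)


def align_up(value, alignment):
    """Round value up to a multiple of alignment (assumed to be a power of two)."""
    return (value + alignment - 1) & ~(alignment - 1)


def locate_headers(buf):
    """Return (optional header offset, first section header offset, section count)."""
    e_lfanew, = struct.unpack_from("<I", buf, 0x3C)
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections, = struct.unpack_from("<H", buf, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", buf, e_lfanew + 20)
    opt = e_lfanew + 24                    # signature (4) + IMAGE_FILE_HEADER (20)
    return opt, opt + opt_size, nsections


def section_fields(buf, sec, i):
    """(VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) of section i."""
    return struct.unpack_from("<IIII", buf, sec + i * SECTION_HDR + 8)


def opt_fields(buf):
    """(FileAlignment, SizeOfHeaders) from the optional header."""
    opt = locate_headers(buf)[0]
    return struct.unpack_from("<I", buf, opt + 36)[0], struct.unpack_from("<I", buf, opt + 60)[0]


def realign_dump(dump):
    """LordPE-style fix: file layout := memory layout, file size unchanged.
    Raw offset/size of each section become its RVA/VirtualSize, FileAlignment
    becomes SectionAlignment and SizeOfHeaders the RVA of the first section."""
    buf = bytearray(dump)
    opt, sec, nsections = locate_headers(buf)
    section_align, = struct.unpack_from("<I", buf, opt + 32)
    struct.pack_into("<I", buf, opt + 36, section_align)            # FileAlignment
    for i in range(nsections):
        vsize, va, _, _ = section_fields(buf, sec, i)
        struct.pack_into("<II", buf, sec + i * SECTION_HDR + 16, vsize, va)
    struct.pack_into("<I", buf, opt + 60, section_fields(buf, sec, 0)[1])  # SizeOfHeaders
    return bytes(buf)


def trim_dump(dump, file_align=None):
    """sv's trick: per section keep the bytes up to the last non-zero one, round that
    up to FileAlignment (from the header unless overridden, in which case the header
    is updated) and repack; an all-zero section gets SizeOfRawData 0 (BSS)."""
    opt, sec, nsections = locate_headers(dump)
    if file_align is None:
        file_align, = struct.unpack_from("<I", dump, opt + 36)
    headers_len = align_up(sec + nsections * SECTION_HDR, file_align)
    out = bytearray(dump[:headers_len])
    struct.pack_into("<I", out, opt + 36, file_align)
    struct.pack_into("<I", out, opt + 60, headers_len)
    for i in range(nsections):
        vsize, va, _, _ = section_fields(dump, sec, i)
        data = dump[va:va + vsize]                  # the dump is laid out by RVA
        used = len(data.rstrip(b"\0"))              # one past the last non-zero byte
        raw_size = align_up(used, file_align)
        raw_ptr = len(out) if raw_size else 0
        struct.pack_into("<II", out, sec + i * SECTION_HDR + 16, raw_size, raw_ptr)
        out += data[:raw_size].ljust(raw_size, b"\0")
    return bytes(out)


def map_image(pe_file):
    """Lay a PE file out as the loader would, to check a rebuilt file."""
    opt, sec, nsections = locate_headers(pe_file)
    size_of_image, size_of_headers = struct.unpack_from("<II", pe_file, opt + 56)
    image = bytearray(size_of_image)
    image[:size_of_headers] = pe_file[:size_of_headers]
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = section_fields(pe_file, sec, i)
        chunk = pe_file[raw_ptr:raw_ptr + min(raw_size, vsize)]
        image[va:va + len(chunk)] = chunk
    return bytes(image)


def build_sample_dump():
    """Constructed sample (hypothetical, not a real binary): a three-section PE32
    image as it sits in memory; its headers still carry the on-disk raw values."""
    sections = [  # name, RVA, VirtualSize, on-disk SizeOfRawData/PointerToRawData, content
        (b".text", 0x1000, 0x300, 0x400, 0x400, bytes([0x55, 0x8B, 0xEC]) * 0x61),
        (b".data", 0x2000, 0x1000, 0x200, 0x800, b"dumped!\0"),
        (b".bss", 0x3000, 0x1000, 0, 0, b""),
    ]
    img = bytearray(0x4000)                                         # SizeOfImage
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                         # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                         # PE32 magic
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)           # Section/FileAlignment
    struct.pack_into("<II", img, opt + 56, 0x4000, 0x200)           # SizeOfImage/Headers
    for i, (name, va, vsize, rsize, rptr, content) in enumerate(sections):
        h = opt + 224 + i * SECTION_HDR
        img[h:h + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, h + 8, vsize, va, rsize, rptr)
        img[va:va + len(content)] = content
    return bytes(img)


if __name__ == "__main__":
    dump = build_sample_dump()
    print(hex(len(realign_dump(dump))), hex(len(trim_dump(dump))))   # 0x4000 0x600
```

On the sample, `realign_dump()` keeps the full 0x4000-byte image, while `trim_dump()` on the raw dump gives 0x600 bytes (0x200 of headers, one 0x200 chunk of .text, one of .data, nothing for .bss). Note the order matters for the alignment argument: run `trim_dump()` on a dump that already had the LordPE fix applied and the header now says FileAlignment = 1000h, so without an explicit override the trimmed file is 0x3000 bytes, not 0x600.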