Understanding a loader ...
N8di8
May 6th, 2006, 08:27
I understand that this loader loads and then stops the file through int3:
#include <windows.h>   // CreateFile, VirtualAlloc, HANDLE, PBYTE

HANDLE hFile = CreateFile(argv[1], GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
...                    // (elided in the original post)
PBYTE lpFile = (PBYTE)VirtualAlloc(NULL, dwFileSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
...                    // (elided in the original post)
__asm
{
    pushad              // save all general-purpose registers
    mov eax, lpFile     // eax = start of the buffer holding the file's raw bytes
    int 3               // software breakpoint: an attached debugger stops here
    call eax            // jump to the first byte of the buffer (for a PE file that is the MZ header, not AddressOfEntryPoint)
    popad               // restore the registers if the called code returns
}
Can someone point me to a good tutorial on loaders (in a non-Asian language -- I already read http://www.woodmann.net/forum/showthread.php?t=7587&highlight=loader )? TIA.
SiGiNT
May 6th, 2006, 10:21
Have you used Google?? Or searched this board fully??? There is an announcement about tutorials on creating loaders that was posted not too long ago -
http://www.woodmann.com/forum/showthread.php?t=7758&highlight=loader
SiGiNT
N8di8
May 6th, 2006, 10:33
Actually, I did use Google. For more than an hour. The only thing I found is the loader from the developer of PELock (see above) and a loader from TheTruth (which is for Windows PreBoot environments only). But maybe I did not use the right terms for my search? Also the board search did not help.
What I am looking for is a basic understanding of a generic PE loader (but not the Windows PE loader).
For instance, I would like to understand enough about PE loaders so that I can patch the above loader so that it does not trigger an interrupt anymore but simply loads and executes the file. (I admit that this does not make much sense (yet) but at least it will be some kind of a goal.)
Thank you for the link! I will have a close look.
EDITED: I had a look and I think that this is not what I need. These tuts mainly deal with copy protection mechanisms. (I do not want to bypass any copy protection mechanisms (yet;-)). This is still too complicated for me. What I need is a very basic understanding of a simple generic loader.
FrankRizzo
May 6th, 2006, 11:00
Here's what helped me when I was in the same boat as you. Search for Win32 DebugAPI on Google, and read to your heart's content. It'll explain the concepts of create suspended, using INT3, etc. It's REALLY not that hard. Also, I'd recommend running IDA through the "Risc Process Patcher", as it's pretty straightforward code, and might answer some questions for you.
N8di8
May 6th, 2006, 11:40
Thanks sigint33 & Frank. I am (slowly) beginning to understand.
I found this one most helpful: http://www.codebreakers-journal.com/CodeBreakersMagazine/article/download/4/4
blabberer
May 6th, 2006, 11:48
Well, during my initial days I found this article by detten to be a pretty good intro to a loader:
http://www.reversing.be/article.php?story=20050305202101960
N8di8
May 6th, 2006, 11:59
Very helpful!! Thanks.
N8di8
May 6th, 2006, 13:06
Now that I understand CreateProcess ... are there any alternatives to using CreateProcess API?
FrankRizzo
May 6th, 2006, 15:35
I don't know that you'd NEED an alternative. It has worked fine for me!
Oh, one just popped into my head, you can attach to an already running thread, but for the purposes of a LOADER, you'd want to be in from the beginning, not jumping in at some random point.
Quote:
[Originally Posted by N8di8] Now that I understand CreateProcess ... are there any alternatives to using CreateProcess API?
Parse the PE header, allocate the memory, load sections and imports, and jump into the entrypoint directly? This would essentially be emulating the functionality of the exec*() system calls available on UNIX, which replace the current process with a new one.
N8di8
May 7th, 2006, 01:01
@LLXX Thanks. Do you know whether this has ever been done before (on a Windows machine)?
Kayaker
May 7th, 2006, 17:00
Quote:
[Originally Posted by N8di8] ... are there any alternatives to using CreateProcess API?
Hi
I too am curious why you'd need to be looking for an alternative. There are ring 0 methods of intercepting process startup and modifying the memory, but in general the standard loader techniques should suffice. Unless you've got something specific you're trying to accomplish?
Kayaker
autarky
May 8th, 2006, 03:12
Quote:
[Originally Posted by N8di8] Now that I understand CreateProcess ... are there any alternatives to using CreateProcess API?
I'm not sure how close it is to what you want, but Morphine is a PE encryptor - though rather than modifying the host file, it encrypts it and stores it in the body of the decryptor. This code essentially decrypts and loads the host file as the Windows loader would (allocate memory, load sections, do load time linking, call TLS callbacks, etc).
If you ignore all the polymorphic junk stuff, the source code can be quite informative, and is found at Holy Father's site:
http://hxdef.org/download.php
Other packers/encryptors may take this approach (I have come across a device driver packer that does), but I haven't seen anything designed to do what you want.
One other thing - as each process has its own address space, most (if not all) executable files are built to load only at their preferred imagebase (normally 400000h). Any loader doing the job 'manually' will have to take this into account, and have its own IB either sufficiently below the host IB, or above the host IB plus the SizeOfImage.
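As an added example (not code from this thread, from Morphine, or from any other project named here), the C below does the header-level part of what LLXX's "parse the PE header ... jump into the entrypoint" reply and autarky's imagebase remark ask of a manual loader: it reads AddressOfEntryPoint, ImageBase and SizeOfImage from a raw PE image, checks whether a base-relocation table exists, and then decides whether a loader occupying a given address range could map the host at its preferred base. It handles PE32+ as well as the PE32 case the thread discusses. The two sample PE headers and the loader's own address range (0x400000, 0x10000 bytes) are constructed for the example; the field offsets are those of the PE/COFF format.

```c
/* Added example, not code from the thread: header checks a manual PE loader
 * needs before mapping an image. Sample images are constructed inline. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    int      is_pe32plus;     /* 0 = PE32 (Magic 0x10b), 1 = PE32+ (0x20b) */
    uint32_t entry_point_rva; /* AddressOfEntryPoint, relative to ImageBase */
    uint64_t image_base;      /* preferred ImageBase */
    uint32_t size_of_image;   /* SizeOfImage: address space needed once mapped */
    int      has_relocs;      /* DataDirectory[5] (base relocations) non-empty */
} pe_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Parse a raw PE file image. Returns 0 on success, -1 if it is not a
 * well-formed PE; every read is bounds-checked against len first. */
int pe_parse(const uint8_t *buf, size_t len, pe_info *out)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(buf + 0x3c);
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 2) return -1;
    const uint8_t *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return -1;
    uint16_t opt_size = rd16(nt + 4 + 16);          /* SizeOfOptionalHeader */
    const uint8_t *opt = nt + 24;
    if (len - e_lfanew - 24 < opt_size) return -1;
    memset(out, 0, sizeof *out);
    size_t dir_off;                                 /* where DataDirectory[] starts */
    uint16_t magic = rd16(opt);
    if (magic == 0x10b && opt_size >= 96) {         /* PE32: 32-bit ImageBase */
        out->image_base = rd32(opt + 28); dir_off = 96;
    } else if (magic == 0x20b && opt_size >= 112) { /* PE32+: 64-bit ImageBase */
        out->image_base = rd64(opt + 24); dir_off = 112; out->is_pe32plus = 1;
    } else return -1;
    out->entry_point_rva = rd32(opt + 16);
    out->size_of_image   = rd32(opt + 56);
    uint32_t ndirs = rd32(opt + dir_off - 4);       /* NumberOfRvaAndSizes */
    if (ndirs > 5 && opt_size >= dir_off + 6 * 8)   /* entry 5 = BASERELOC; check its Size */
        out->has_relocs = rd32(opt + dir_off + 5 * 8 + 4) != 0;
    return 0;
}

/* 1 if [a, a+a_size) and [b, b+b_size) share any address. */
int ranges_overlap(uint64_t a, uint64_t a_size, uint64_t b, uint64_t b_size)
{
    return a < b + b_size && b < a + a_size;
}

/* Loader occupies [loader_base, +loader_size). 0 = host maps at its preferred
 * base; 1 = only after applying relocations; -1 = collision and no .reloc table. */
int manual_load_verdict(const pe_info *h, uint64_t loader_base, uint64_t loader_size)
{
    if (!ranges_overlap(h->image_base, h->size_of_image, loader_base, loader_size)) return 0;
    return h->has_relocs ? 1 : -1;
}

/* Constructed sample: headers-only PE32 (DOS header, "PE\0\0", COFF header with
 * no sections, 224-byte optional header). Returns bytes written, 0 if cap too small. */
size_t build_sample_pe32(uint8_t *buf, size_t cap, uint32_t image_base,
                         uint32_t size_of_image, int with_relocs)
{
    const size_t total = 0x40 + 4 + 20 + 224;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, 0x40);               /* e_lfanew */
    uint8_t *nt = buf + 0x40, *opt = nt + 24;
    memcpy(nt, "PE\0\0", 4);
    wr16(nt + 4, 0x014c);                 /* Machine = i386 */
    wr16(nt + 4 + 16, 224);               /* SizeOfOptionalHeader */
    wr16(opt, 0x10b);                     /* Magic = PE32 */
    wr32(opt + 16, 0x1000);               /* AddressOfEntryPoint */
    wr32(opt + 28, image_base);
    wr32(opt + 56, size_of_image);
    wr32(opt + 92, 16);                   /* NumberOfRvaAndSizes */
    if (with_relocs) {                    /* DataDirectory[5]: VirtualAddress, Size */
        wr32(opt + 96 + 5 * 8, 0x3000);
        wr32(opt + 96 + 5 * 8 + 4, 0x10);
    }
    return total;
}

int main(void)
{
    uint8_t img[512]; pe_info h;
    size_t n = build_sample_pe32(img, sizeof img, 0x400000, 0x5000, 0);
    if (pe_parse(img, n, &h) != 0) return 1;
    printf("entry RVA 0x%x base 0x%llx size 0x%x relocs %d\n", h.entry_point_rva,
           (unsigned long long)h.image_base, h.size_of_image, h.has_relocs);
    /* hypothetical loader linked at the same default base, 0x400000..0x410000 */
    printf("verdict vs loader at 0x400000: %d\n", manual_load_verdict(&h, 0x400000, 0x10000));
    return 0;
}
```

The verdict function is the check autarky describes: a host without a relocation table can only live at its preferred ImageBase, so a loader linked at the same default 400000h (verdict -1) must itself be linked elsewhere, while a host that carries a .reloc directory (verdict 1) can be mapped at a different base if the loader also applies the relocations.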
N8di8
May 8th, 2006, 14:18
Thank you. But I have decided that this is still too difficult for me.
Need to look for another project ...
FrankRizzo
May 8th, 2006, 19:54
OK, that being the case (it's too hard), tell us what it was!
N8di8
May 11th, 2006, 16:10
It was a rather stupid idea: I thought it might be nice to disable the CreateProcess API via an API hook and use a custom loader to start any "trusted" applications on my computer. This would greatly reduce the possibility that any malicious programmes are executed.
I know that this approach does not really make sense. The main purpose of my inquiry was to improve my skills/knowledge.
FrankRizzo
May 11th, 2006, 18:27
That's not stupid! Back in the DOS days, I had a tool that allowed me to take over INTs 25 & 13 so that nothing could write to my HD. I wasn't afraid to run ANYTHING, as it couldn't DO anything. (No e-mail, so viruses only wanted to propagate via modifying .exes.)
N8di8
May 12th, 2006, 00:17
The problem with my idea is that it will probably not protect you from buffer overflows/browser exploits and, more importantly, it's a little bit impractical for the average user ;-)
autarky
May 12th, 2006, 03:12
I've been tempted to do something similar by hooking process creation and injecting a vectored exception handler to try and pick up deliberate exceptions caused by unpackers (unpackers using SEH often being used to pack something a bit naughty). If you're still interested in this project, Anton Bassov has a nice article and source code about hooking process creation using a device driver at Codeproject:
http://www.codeproject.com/system/soviet_protector.asp
Maximus
May 13th, 2006, 07:48
Depends. You might create a very limited user (or more than one, cyclic) and turn application execution to be run from inside that user. You lose the ability to deal with your custom Document folder, but you can eavesdrop it anyway.
Most insecurity comes from executing code at admin level, as most Windows users do. From a limited account, Windows will take care of protecting things.
Regards,
Maximus