portable-executable

How to add a (SEH) exception handler dynamically for a 64-bit function?

淺唱寂寞╮ 提交于 2019-12-09 05:11:27
Say, if I have a function that is injected into another 64-bit process (for instance, using CreateRemoteThread ) and I want to implement Structured Exception Handling in that function (otherwise done via __try , __except , __finally blocks), can I add the SEH handler/filter dynamically? PS. The reason I'm asking is because SEH is no longer implemented via a stack frame in 64-bit processes (as it used to be in x86.) All SEH entries are now in the PE header of the target process image file. 来源: https://stackoverflow.com/questions/48675663/how-to-add-a-seh-exception-handler-dynamically-for-a-64

Save data in executable

一曲冷凌霜 提交于 2019-12-09 04:45:04
问题 I have a portable executable that saves data to a file in the same folder as the executable. Is there any way that I can save data into the executable itself when I close the app? This maybe weird, but taking the data with me and only have one file for the exe and data would be great. Would prefer if this was made with C#, but is not a requisite. 回答1: You cannot modify your own EXE to contain stored data in anything approaching an elegant or compact way. First off, the OS obtains a lock on

How to add a (SEH) exception handler dynamically for a 64-bit function?

允我心安 提交于 2019-12-08 05:23:25
问题 Say, if I have a function that is injected into another 64-bit process (for instance, using CreateRemoteThread) and I want to implement Structured Exception Handling in that function (otherwise done via __try , __except , __finally blocks), can I add the SEH handler/filter dynamically? PS. The reason I'm asking is because SEH is no longer implemented via a stack frame in 64-bit processes (as it used to be in x86.) All SEH entries are now in the PE header of the target process image file. 来源:

How to put configuration information inside the executable?

狂风中的少年 提交于 2019-12-07 14:01:16
问题 If we want to store critical information, like passwords and server addresses, inside the executable file generated by the Delphi compiler, how can we do that, without knowing the final executable size and binary structure, like at the end of the file for example? Side note: The text to be stored is already encrypted; and in some computers the windows don't give access to write in the registry, specially when the user is not administrator, and there are hacks to monitor registry changes and

Names of PE directories

北城以北 提交于 2019-12-07 10:58:59
问题 I'm working on a PE dissector and came across something rather unusual. The names and order of directories in the PE format seem to differ depending on where you look: From PEReader (perdr): #define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory #define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory #define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory #define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory #define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security

What is “Alignment” field in binary formats? Why is it needed?

北城以北 提交于 2019-12-07 09:38:52
问题 In ELF file format we have an Alignment field in Segment Header Table aka Program Header Table . In case of Windows PE file format they take it to next level the Sections have two alignment values, one within the disk file and the other in memory. The PE file header specifies both of these values. I didn't understand a thing about this alignment. What do we need it for? How & Where is it used? Again, I don't know what is alignment in binary file format context but why do we need it? 回答1: Well

How do I read the PE header of a module loaded in memory?

两盒软妹~` 提交于 2019-12-07 05:22:16
问题 I'm experimenting with memory access in .NET. At the moment, I have a managed program that starts an unmanaged process and retrieves the BaseAddress of one of its loaded modules (a DLL). What I would like to do is somehow read the PE header of the loaded module so that I can later retrieve the addresses of its exports. Unfortunately, I can't find any good information about this. Any ideas? 回答1: This is a good starting point for the PE file format. You can P/Invoke ReadProcessMemory from the

Calculating the file offset of a entry point in a PE file

倖福魔咒の 提交于 2019-12-07 03:09:26
问题 In http://en.redinskala.com/finding-the-ep/ there is information about how to find the file offset of the entry point in a exe-file. Here I can read that EP (File) = AddressOfEntryPoint – BaseOfCode + .text[PointerToRawData] + FileAlignment However, when I have been calculating this myself (I used a couple of different exe files) I have came to the conclusion that Offset of entry point in EXE file = AddressOfEntryPoint + .text[PointerToRawData] - .text[VirtualAddress] Where

Sandbox Virtual Machine for an Application (concept)

旧街凉风 提交于 2019-12-06 09:43:50
I'd like to write a sandbox virtual machine for executing a compiled program. My goal is to isolate that program from the rest of operating system and control its execution so that it can't do anything harmful to a host computer. I assume that: executed program is compiled to Portable Executable format and it's in machine code, not in any kind of byte code or for CLR, executed program is not allowed to communicate with peripherals like printer, scanner, and doesn't use any GUI, executed program's main task is to process some data stored in a local file (eg. calculations), and put its results

Detect a digital signature without WinVerifyTrust

醉酒当歌 提交于 2019-12-06 09:04:28
问题 I have a large number of EXE files and need to figure out which ones have digital signatures. Does anyone know if there is a way to check without access to WinVerifyTrust (they're all on a Unix server). I can't seem to find any information on where the digital signature actually is inside the EXE. If I could find out where it is I might be able to open the file and fseek to a location to test. I don't need to do "real" verification on the certificate, I just want to see if a digital signature
订阅 portable-executable