1,088 questions
6
votes
0
answers
280
views
Local static variables are not initialized if app is loaded as dll
We have sandbox.exe, app.exe and app.dll. If users want to run the not sandboxed application, they run app.exe. If users want to run the application in the sandbox, they run sandbox.exe that loads app....
- 42.9k
0
votes
1
answer
62
views
How can I pad the bytes in a section defined by a pragma directive?
So I have these two macros
#define ESTART \
_Pragma("optimize(\"\", off)") \
_Pragma("section(\".secure\", execute, read, write)") \
_Pragma("...
- 7
0
votes
0
answers
29
views
nasm, windows PE WriteFile in kernel.dll causes program to stop [duplicate]
When I run this program in cmd, it instantly ends without printing anything and doesn't even reach the loop "wat2: jmp wat2" right after WriteFile. if I place the wat2 loop before WriteFile, ...
- 43
2
votes
2
answers
169
views
Replace-Files Powershell
I'm having some struggles with my PowerShell script. I am trying to make an Automated Script that will Perform the Utilman.exe Hack. The script has menus and options: Load, Unload, List Disk and ...
- 21
2
votes
1
answer
333
views
x64 Reflective DLL Injector (translate C++ to Delphi)
I need an x64 Reflective DLL Injector written in Delphi.
I found a C version that works fine (compiled with DevC++ with 64bit app support). I made a Delphi version that compiles fine and without any ...
- 316
1
vote
0
answers
31
views
Why don't I get the correct function RVA from the PE export table in my loader code?
I'm writing a minimal PE loader that parses the export table to locate functions by name, in my hypervisor. However, when I try to retrieve the RVA of a function, the value seems incorrect. Here's the ...
3
votes
1
answer
80
views
Read variable value from PE file
I got following C code compiled with GCC on Windows
#include <stdio.h>
#include <conio.h>
int main() {
int a = 68639977;
printf("int: %d", a);
getch();
a++;
...
- 43
1
vote
0
answers
139
views
Why the type of `e_lfanew` field in struct IMAGE_DOS_HEADER(winnt.h) is LONG?
struct IMAGE_DOS_HEADER from Win11 SDK:
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
WORD e_magic; // Magic number
WORD e_cblp; // ...
- 35
0
votes
0
answers
32
views
Compile source files to PE object files instead of COFF
From what I read, although PE format is used mostly for executable files it can also be used for object files.
And usually, on Windows systems classic COFF format is used for object files.
Is there a ...
- 344
3
votes
0
answers
141
views
How can I set an icon for a Windows .exe from Linux?
I am trying to export a Godot project in a CI/CD pipeline on GitHub Actions. Godot doesn't offer functionality for adding icons to the exported Windows .exe out of the box and uses rcedit instead. ...
- 285
2
votes
1
answer
213
views
Is it possible to write a valid PE file from memory to disk?
I'm working on a project where I want to create a new executable file by copying the sections of a running PE (Portable Executable) file from memory to disk using C on Windows. However, I'm running ...
- 33
0
votes
1
answer
345
views
How to detect if a Windows PE executable is for native code vs managed code? [duplicate]
I've been analysing Windows PE executables' binary file format.
I know how to differentiate PE32 (32 bit) vs PE32+ (64 bit) and how to differentiate x86 vs x64.
But I know that managed code uses the ...
- 17.3k
0
votes
1
answer
107
views
Listing imported functions from a Windows PE file
I am trying to recover the imported functions from a PE file. The code looks for call instructions in the disassembled .text section and then checks the call destination address against the function ...
0
votes
1
answer
104
views
Wrong slice reference to PE file in manually added section
I'm making a packer in Rust. packer/src/main.rs:
#[link_section = ".pe"]
#[used]
static mut PE: &[u8] = &[];
fn main() {
unsafe {
rspe::reflective_loader(common::...
- 545
0
votes
0
answers
175
views
Adding custom section to PE with gcc (mingw)
I use gcc (mingw) on Windows and I want to add a custom section into the PE file similar to the way this is discussed for ELF in https://stackoverflow.com/a/30617411/1630083
But I did not find a way ...
- 954
0
votes
1
answer
32
views
Cl source compilation stripped of any debug information
I've been looking for a certain cl flag that would generate me an executable without any additional debug information, I need to optimize the space I am using as much as possible for my project ...
0
votes
1
answer
741
views
IDA detects a file as both a Windows and an MS-DOS program
Okay, I have one rather suspicious file that is even taking some control over my PC. However, I need it, so I decided to decompile it and see if it was harming my PC and can I cut it out?
I've used a ...
0
votes
1
answer
312
views
Why is it said that IMAGE_OPTIONAL_HEADER doesn't have a fixed size?
There are many sources including Microsoft documents that say "Optional header doesn't have fixed size and its size is stored at FileHeader.SizeOfOptionalHeader".
But the ...
- 71
1
vote
0
answers
181
views
How can I extract raw bytes of DOS stub using python's pefile library?
I want to extract raw bytes of DOS stub using pefile library. Does pefile have a feature for this?
If it doesn't then I have to do it manually. I guess DOS stub always starts at offset 0x40 but where ...
- 11
0
votes
0
answers
77
views
Trying to convert MASM into C equivalent, but getting different result
I was trying to convert this MASM code
.386
.model flat, stdcall
.stack 4096
assume fs:nothing
.code
main proc
mov eax, [fs:30h] ; Pointer to PEB (https://en.wikipedia.org/...
- 47
0
votes
1
answer
601
views
PE Loader with Relocation
I'm trying to learn PE format and how PE loaders work, I took this repository as an example, https://github.com/TheD1rkMtr/FilelessPELoader.
The FilelessPELoader doesn't support relocation. Right now ...
- 59
0
votes
1
answer
232
views
Getting the forwarded function name
I was tried this code:
HMODULE hModule = LoadLibrary(argv[1]);
PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)hModule;
PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((DWORD_PTR)...
- 331
2
votes
1
answer
2k
views
Extract/parse resources from Portable Executable (PE) file
I want to install Edge in Windows programmatically using the official
MSI Edge installer (151 MB) but avoid the use of administrator permissions, and place the extracted files in a custom folder (not ...
- 4,878
0
votes
0
answers
132
views
What is the Initial Values of IAT (Import Address Table) Stand for?
In PE header, there are import directory which describes where the loader should bind the imported symbols. More precisely:
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
union {
DWORD ...
- 328
0
votes
1
answer
403
views
interpreting the fs register in a 32-bit binary running on a windows 64-bit system
I have found the following code in a 32-bit binary running on a windows 64-bit system :
mov eax,dword ptr fs:[18]
mov ecx,dword ptr [eax+F70]
mov eax,dword ptr [ecx+78]
ret
it seems that it returns ...
- 43