[Code-Crunchers] TinyPE Yet Again
Gil Dabah
arkon at ragestorm.net
Thu Jan 24 00:39:45 CST 2008
Well, I don't care much for 9x, but it would be cool if the code ran there.
About Vista, it seems it recognizes the PE as a DOS file and opens NTVDM.
To be accurate, I think some validation of the PE header itself doesn't
pass and they run the PE as an MZ... I still need to see why. Any hint is
welcome, of course.
Oh, and by the way, I still need the ".dll" extension in my filename; now
this is a nasty trick. Since I use export forwarding, which loads an
export by "f.dll", it will parse it as a filename "f" and a function
name "dll". Then it will LoadLibrary "f" + ".dll" and look for the
function named "dll" and fail (which I don't care about, because the code
is running by now). Yet if it were only a LoadLibraryA on "f." that would
have worked (no extension is needed), but in my case it concatenates the
extension for me... bummer. I can't see how to get rid of it. The "f.dll"
string is used for downloading the file as the local name of the file,
is used, as mentioned above, as the name of the export forward, and
is used as part of a longer string of the whole URL.
About the "xchg eax, ecx" thingy and "mov cl, xx": these can be changed
to a simple "push xx" and "pop ecx".
The more irritating part is that I get the entry point address from the
stack and then I have to change bl to point to some string, which
overall can be replaced by a "mov ebx, full_addr"...
Peter Ferrie wrote:
> Before I forget - eax is non-zero again in Vista (and not eip like in 9x).
> That's probably why your code won't run there.
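The export-forwarder splitting described in the post is easy to get wrong when choosing a filename, so here is a small model of it as an added example. This is not Gil's code nor Windows loader code: it is a constructed parser that applies the rule the post describes (text before the '.' is the module, ".dll" is appended, text after it is the export name or "#ordinal"). The struct name `forwarder_t`, the function `parse_forwarder`, and the assumption that the split happens at the first '.' are mine; for the "f.dll" case discussed above, first and last '.' give the same result.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Parsed form of an export-forwarder string such as "NTDLL.RtlAllocateHeap"
 * or "KERNEL32.#42". Hypothetical struct for this example, not a Windows API. */
typedef struct {
    char module[64];    /* name the loader will hand to LoadLibrary, e.g. "NTDLL.dll" */
    char function[64];  /* export name looked up in that module ("" if by ordinal) */
    int  ordinal;       /* export ordinal when the target is "#N", else -1 */
    int  ok;            /* 0 if the string is not a usable forwarder */
} forwarder_t;

/* Model of how a forwarder string is split, as the post describes it:
 * module = text before the '.', with ".dll" appended by the loader itself;
 * export = text after the '.', either a name or "#ordinal".
 * Assumption (mine): the split is at the first '.'; the post's "f.dll" case
 * has only one dot, so it does not depend on this choice. */
forwarder_t parse_forwarder(const char *fwd)
{
    forwarder_t r;
    memset(&r, 0, sizeof r);
    r.ordinal = -1;

    const char *dot = strchr(fwd, '.');
    if (dot == NULL || dot == fwd || dot[1] == '\0')
        return r;                           /* no module part or no export part */

    size_t mlen = (size_t)(dot - fwd);
    if (mlen + 4 >= sizeof r.module || strlen(dot + 1) >= sizeof r.function)
        return r;                           /* would not fit our fixed buffers */

    memcpy(r.module, fwd, mlen);
    strcpy(r.module + mlen, ".dll");        /* extension is appended for us */

    if (dot[1] == '#') {                    /* "#N": forward by ordinal */
        char *end;
        long n = strtol(dot + 2, &end, 10);
        if (end == dot + 2 || *end != '\0' || n < 0)
            return r;
        r.ordinal = (int)n;
    } else {                                /* forward by export name */
        strcpy(r.function, dot + 1);
    }
    r.ok = 1;
    return r;
}

int main(void)
{
    /* Constructed inputs: the post's "f.dll" plus two ordinary forwarders. */
    const char *samples[] = { "f.dll", "NTDLL.RtlAllocateHeap", "KERNEL32.#42" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        forwarder_t f = parse_forwarder(samples[i]);
        if (!f.ok) {
            printf("%-24s -> invalid forwarder\n", samples[i]);
        } else if (f.ordinal >= 0) {
            printf("%-24s -> LoadLibrary(\"%s\"), ordinal %d\n",
                   samples[i], f.module, f.ordinal);
        } else {
            printf("%-24s -> LoadLibrary(\"%s\"), GetProcAddress(\"%s\")\n",
                   samples[i], f.module, f.function);
        }
    }
    return 0;
}
```

Running it shows the trap from the post: the forwarder "f.dll" becomes LoadLibrary("f.dll") followed by a lookup of an export named "dll", so the file on disk must really be called "f.dll" for the load (and therefore the code) to run, even though the export lookup afterwards fails.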