Posted May 26, 2008
Is there a good code (function is better) to know when the exe file executed from text section ... in access or write. No problem if it is ASM or C++ or VB6.0. Many thanks
May 26, 2008
Hello my friend ahmed. What do you mean with "executed from text section"? Do you mean "Entry Point located in text section"?
May 26, 2008 (Author)
> Hello my friend ahmed. What do you mean with "executed from text section"? Do you mean "Entry Point located in text section"?

Many thanks for your reply my friend, yes I need like this "Entry Point located in text section" ... or anything like it ....
Many Thanks
Arabic Team
May 26, 2008
Here's a sample code ... I did nothing, just used APIs

```cpp
#include "stdafx.h"
#include <stdio.h>
#include <tchar.h>
#include <windows.h>
#include <imagehlp.h>
#pragma comment( lib, "imagehlp.lib" )

int _tmain(int argc, _TCHAR* argv[])
{
    // first we map the file ... any file
    // (CreateFileA so the narrow string literal also compiles in Unicode builds)
    HANDLE hFile = CreateFileA( "EP Location.exe", GENERIC_READ, FILE_SHARE_READ, 0,
                                OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0 );
    if ( hFile == INVALID_HANDLE_VALUE )
    {
        printf( "cannot open file (error %lu)\n", GetLastError() );
        return 1;
    }
    HANDLE hMap = CreateFileMapping( hFile, 0, PAGE_READONLY, 0, 0, 0 );
    PVOID pFile = hMap ? MapViewOfFile( hMap, FILE_MAP_READ, 0, 0, 0 ) : NULL;
    if ( pFile )
    {
        // get the NT_HEADER address (NULL if the file is not a valid PE)
        PIMAGE_NT_HEADERS nt = ImageNtHeader( pFile );
        // get the entry point value
        DWORD EntryPoint = nt ? nt->OptionalHeader.AddressOfEntryPoint : 0;
        // get the section that contains this rva (NULL if no section contains it)
        PIMAGE_SECTION_HEADER sec = nt ? ImageRvaToSection( nt, pFile, EntryPoint ) : NULL;
        // print the section name ... remember that it's an 8 byte array, not a
        // null-terminated string, so you must specify its size
        if ( sec )
            printf( "%.8s\n", sec->Name );
        else
            printf( "entry point is not inside any section\n" );
        // unmap the file
        UnmapViewOfFile( pFile );
    }
    if ( hMap ) CloseHandle( hMap );
    CloseHandle( hFile );
    // just to keep alive :p
    getchar();
    return 0;
}
```

Project in attachments: EP_Location.rar
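Added example, not part of any post in this thread: the same entry-point-to-section lookup done by hand on the raw file bytes in portable C, with bounds checks on every header field, plus the section's write flag (an entry point inside a writable section is a common sign of a packed file). The buffer built by `make_sample`, including the ".pack" section name, is constructed for illustration, and matching on VirtualSize with a fallback to SizeOfRawData is this example's assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Index of the section containing AddressOfEntryPoint, or -1 if the headers are
   malformed/truncated or the entry point lies outside every section. */
int ep_section(const uint8_t *f, size_t n, char name[9], uint32_t *flags)
{
    if (n < 0x40 || rd16(f) != 0x5A4D) return -1;          /* "MZ" */
    size_t pe = rd32(f + 0x3C);                            /* e_lfanew */
    if (pe > n - 24 || rd32(f + pe) != 0x4550) return -1;  /* "PE\0\0" */
    size_t nsec = rd16(f + pe + 6), optsz = rd16(f + pe + 20), opt = pe + 24;
    if (optsz < 20 || optsz > n - opt) return -1;
    uint32_t ep = rd32(f + opt + 16);                      /* AddressOfEntryPoint */
    const uint8_t *s = f + opt + optsz;                    /* first section header */
    for (size_t i = 0; i < nsec; i++, s += 40) {
        if ((size_t)(s - f) + 40 > n) return -1;           /* truncated section table */
        uint32_t vsize = rd32(s + 8), va = rd32(s + 12), raw = rd32(s + 16);
        if (ep >= va && ep - va < (vsize ? vsize : raw)) { /* range choice: assumption */
            memcpy(name, s, 8); name[8] = '\0';            /* Name has no terminator */
            *flags = rd32(s + 36);                         /* Characteristics */
            return (int)i;
        }
    }
    return -1;
}

/* Constructed sample: PE32 headers only, ".text" at RVA 0x1000 (read/execute) and
   a made-up writable ".pack" at RVA 0x2000. Fills 512 bytes of b. */
size_t make_sample(uint8_t *b, uint32_t ep)
{
    memset(b, 0, 512);
    b[0] = 'M'; b[1] = 'Z'; b[0x3C] = 0x40; b[0x40] = 'P'; b[0x41] = 'E';
    b[0x46] = 2; b[0x54] = 0xE0; wr32(b + 0x68, ep); /* NumberOfSections, SizeOfOptionalHeader, EP */
    for (int i = 0; i < 2; i++) {
        uint8_t *s = b + 0x138 + 40 * i;                   /* section table entry i */
        memcpy(s, i ? ".pack" : ".text", 5);
        wr32(s + 8, 0x1000); wr32(s + 12, 0x1000u * (i + 1));
        wr32(s + 36, i ? 0xE0000020u : 0x60000020u);       /* bit 31 = IMAGE_SCN_MEM_WRITE */
    }
    return 512;
}

int main(void) {
    uint8_t b[512]; char nm[9] = ""; uint32_t fl = 0;
    int i = ep_section(b, make_sample(b, 0x2010), nm, &fl);
    printf("EP in section %d (%s)%s\n", i, nm, (fl & 0x80000000u) ? ", writable" : "");
}
```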
May 26, 2008
Ahmed... If you by any chance mean that you need a function that serves as an automated possible OEP detector, for unpacking purposes, I would suggest trying Human's, deroko's or UsAr's OEP finders... Trick is to set PAGE_GUARD attribute on the .text section, and check if EIP is within range while debugging your target ...
http://deroko.phearless.org./rce.html
http://usar.pp.ru/download/
http://www.exetools.com/forum/showthread.php?t=8841
Edited May 26, 2008 by HVC
May 26, 2008
http://www.joestewart.org/ollybone/
http://www.woodmann.com/forum/showthread.php?t=9317
May 26, 2008 (Author)
I don't know what I can say. Many thanks to (GamingMasteR, HVC, sdy100), many thanks for your fast reply, I appreciate your help ....... Thanks in advance, I will try it.
Edited May 26, 2008 by ahmadmansoor