Tuts 4 You

when executed text section


ahmadmansoor
Posted

Is there good code (a function is better) to know when the exe file is executed from the text section ... in access or write?

no problem if it is ASM or C++ Or VB6.0

many thanks

GamingMasteR
Posted

Hello my friend ahmed :)

What do you mean with "executed from text section" ??

Do you mean "Entry Point located in text section" ??

ahmadmansoor
Posted
Hello my friend ahmed :)

What do you mean with "executed from text section" ??

Do you mean "Entry Point located in text section" ??

Many thanks for your reply my friend, yes I need something like this "Entry Point located in text section" :thumbsup: ... or anything like it ....

Many Thanks Arabic Team :wub:

GamingMasteR
Posted

Here's some sample code ... I did nothing, just used APIs :D

#include "stdafx.h"
#include <stdio.h>
#include <windows.h>
#include <imagehlp.h>
#pragma comment ( lib, "imagehlp.lib" )

int _tmain(int argc, _TCHAR* argv[])
{
    // first we map the file ... any file
    // (CreateFileA: the path literal is a narrow string, so this builds with or without UNICODE defined)
    HANDLE hFile = CreateFileA( "EP Location.exe", GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0 );
    if ( hFile == INVALID_HANDLE_VALUE ) { printf( "cannot open file" ); getchar(); return 1; }
    HANDLE hMap = CreateFileMapping( hFile, 0, PAGE_READONLY, 0, 0, 0 );
    PVOID pFile = hMap ? MapViewOfFile( hMap, FILE_MAP_READ, 0, 0, 0 ) : NULL;
    if ( pFile )
    {
        // get the NT_HEADER address (NULL if the file is not a valid PE image)
        PIMAGE_NT_HEADERS nt = ImageNtHeader( pFile );
        if ( nt )
        {
            // get the entry point value
            DWORD EntryPoint = nt->OptionalHeader.AddressOfEntryPoint;
            // get the section that contains this rva (NULL if the EP lies outside every section)
            PIMAGE_SECTION_HEADER sec = ImageRvaToSection( nt, pFile, EntryPoint );
            // print the section name ... remember that it's an 8 byte array, not a null-terminated string,
            // so you must specify its size
            if ( sec ) printf( "%.8s", sec->Name );
            else printf( "entry point is not inside any section" );
        }
        // unmap the file
        UnmapViewOfFile( pFile );
    }
    if ( hMap ) CloseHandle( hMap );
    CloseHandle( hFile );
    getchar(); //just to keep alive :p
    return 0;
}

project in attachments

EP_Location.rar
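The same lookup done portably, added here as an example (it is not GamingMasteR's attached project): it parses the PE headers by hand instead of calling imagehlp, bounds-checks every offset so a truncated or malformed file cannot make it read past the buffer, and also reports the section's execute/write characteristics, which covers the "access or write" part of the question. The build_sample_pe image is constructed for the example and carries only headers, no section data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IMAGE_SCN_MEM_EXECUTE 0x20000000u
#define IMAGE_SCN_MEM_WRITE   0x80000000u
typedef struct { char name[9]; uint32_t va, size, chars; } ep_section_t;

/* little-endian field access; no struct punning, so it runs on any host */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Find the section holding AddressOfEntryPoint in a raw PE file image.
   Returns 1 and fills *out, or 0 for malformed/truncated headers or an EP outside every section. */
int find_ep_section(const uint8_t *img, size_t len, ep_section_t *out)
{
    if (len < 0x40 || rd16(img) != 0x5A4D) return 0;                 /* "MZ" */
    size_t pe = rd32(img + 0x3C);                                    /* e_lfanew */
    if (pe > len - 24 || rd32(img + pe) != 0x4550) return 0;         /* "PE\0\0" */
    uint16_t nsec = rd16(img + pe + 6), optsz = rd16(img + pe + 20);
    if (optsz < 20 || optsz > len - pe - 24) return 0;               /* optional header must fit */
    uint32_t ep = rd32(img + pe + 24 + 16);                          /* same offset in PE32 and PE32+ */
    size_t sh = pe + 24 + optsz;                                     /* section table follows it */
    for (uint16_t i = 0; i < nsec; i++, sh += 40) {
        if (sh > len - 40) return 0;                                 /* section header truncated */
        uint32_t vsize = rd32(img + sh + 8), va = rd32(img + sh + 12), raw = rd32(img + sh + 16);
        uint32_t span = vsize > raw ? vsize : raw;                   /* loader maps the larger of the two */
        if (ep >= va && ep - va < span) {
            memcpy(out->name, img + sh, 8); out->name[8] = '\0';     /* Name is 8 bytes, not NUL-terminated */
            out->va = va; out->size = span; out->chars = rd32(img + sh + 36);
            return 1;
        }
    }
    return 0;
}

/* Constructed sample: minimal PE32 headers with a .text and a .data section, EP at RVA 0x1010 */
size_t build_sample_pe(uint8_t *buf, size_t cap)
{
    if (cap < 0x190) return 0;
    memset(buf, 0, 0x190);
    buf[0] = 'M'; buf[1] = 'Z'; wr32(buf + 0x3C, 0x40);              /* e_lfanew -> 0x40 */
    wr32(buf + 0x40, 0x4550); buf[0x46] = 2; buf[0x54] = 0xE0;       /* 2 sections, PE32 optional header size */
    wr32(buf + 0x40 + 24 + 16, 0x1010);                              /* AddressOfEntryPoint */
    uint8_t *s = buf + 0x40 + 24 + 0xE0;
    memcpy(s, ".text", 5); wr32(s + 8, 0x200); wr32(s + 12, 0x1000); wr32(s + 16, 0x200); wr32(s + 36, 0x60000020);
    s += 40; memcpy(s, ".data", 5); wr32(s + 8, 0x100); wr32(s + 12, 0x2000); wr32(s + 16, 0x200); wr32(s + 36, 0xC0000040);
    return 0x190;
}
```

Feed find_ep_section the bytes of any real file instead of the sample; test the returned chars against IMAGE_SCN_MEM_EXECUTE and IMAGE_SCN_MEM_WRITE to see whether the entry point sits in an executable or a writable section.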

HVC
Posted (edited)

Ahmed... If you by any chance mean that you need a function that serves as an automated possible OEP detector, for unpacking purposes, I would suggest trying Human's, deroko's or UsAr's OEP finders...

The trick is to set the PAGE_GUARD attribute on the .text section, and check if EIP is within range while debugging your target ...

http://deroko.phearless.org./rce.html

http://usar.pp.ru/download/

http://www.exetools.com/forum/showthread.php?t=8841

Edited by HVC
ahmadmansoor
Posted (edited)

I don't know what I can say, many thanks to (GamingMasteR, HVC, sdy100), many thanks for your fast reply :flowers:

I appreciate your help ....... Thanks in advance ;)

I will try it

Edited by ahmadmansoor
