ahmadmansoor Posted May 26, 2008
Is there good code (a function is better) to know when the exe file is executed from the text section ... in access or write. No problem if it is ASM or C++ or VB6.0. Many thanks.
GamingMasteR Posted May 26, 2008
Hello my friend Ahmed. What do you mean with "executed from text section"? Do you mean "Entry Point located in text section"?
ahmadmansoor (thread author) Posted May 26, 2008
Quoting GamingMasteR: "Hello my friend Ahmed. What do you mean with "executed from text section"? Do you mean "Entry Point located in text section"?"
Many thanks for your reply my friend. Yes, I need something like this, "Entry Point located in text section" ... or anything like it .... Many thanks, Arabic Team
GamingMasteR Posted May 26, 2008
Here's some sample code ... I did nothing, just used APIs:

    #include "stdafx.h"
    #include <stdio.h>
    #include <windows.h>
    #include <imagehlp.h>
    #pragma comment ( lib, "imagehlp.lib" )

    int _tmain(int argc, _TCHAR* argv[])
    {
        // first we map the file ... any file (TEXT() so it builds in both ANSI and Unicode projects)
        HANDLE hFile = CreateFile( TEXT("EP Location.exe"), GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0 );
        if ( hFile == INVALID_HANDLE_VALUE ) { printf( "CreateFile failed: %lu\n", GetLastError() ); return 1; }
        HANDLE hMap = CreateFileMapping( hFile, 0, PAGE_READONLY, 0, 0, 0 );
        if ( !hMap ) { CloseHandle( hFile ); return 1; }
        PVOID pFile = MapViewOfFile( hMap, FILE_MAP_READ, 0, 0, 0 );
        if ( !pFile ) { CloseHandle( hMap ); CloseHandle( hFile ); return 1; }
        // get the NT_HEADER address (NULL if the file is not a valid PE image)
        PIMAGE_NT_HEADERS nt = ImageNtHeader( pFile );
        if ( nt )
        {
            // get the entry point value
            DWORD EntryPoint = nt->OptionalHeader.AddressOfEntryPoint;
            // get the section that contains this rva (NULL if no section holds it)
            PIMAGE_SECTION_HEADER sec = ImageRvaToSection( nt, pFile, EntryPoint );
            // print the section name ... remember that it's an 8 byte array, not a null-terminated string,
            // so you must specify its size
            if ( sec ) printf( "%.8s", sec->Name );
            else printf( "entry point is not inside any section" );
        }
        else printf( "not a valid PE file" );
        // unmap the file
        UnmapViewOfFile( pFile );
        CloseHandle( hMap );
        CloseHandle( hFile );
        // just to keep alive :p
        getchar();
        return 0;
    }

Project in attachments: EP_Location.rar
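A portable version of the same check, added here as an example and not GamingMasteR's code: it parses the raw PE headers itself instead of calling imagehlp, so it compiles on any host, and it goes one step further than printing the name by reporting whether the section holding the entry point is executable, writable, or not named .text (the static heuristic an unpacker or scanner uses to flag a suspicious entry point). Offsets and flag values are from the PE format; make_test_pe and its header-only image are constructed for testing and are not a loadable file.

```c
#include <stdint.h>
#include <string.h>

#define IMAGE_SCN_MEM_EXECUTE 0x20000000u
#define IMAGE_SCN_MEM_WRITE   0x80000000u
/* Little-endian helpers so the parser works on any host, not only Windows. */
static uint32_t rd32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Find the section whose RVA range holds AddressOfEntryPoint. Returns the section index,
   -1 for a malformed/truncated image, -2 if no section holds it; fills name (9 bytes) and chars. */
int ep_section(const uint8_t *img, size_t len, char name[9], uint32_t *chars) {
    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;                     /* "MZ" */
    uint32_t pe = rd32(img + 0x3C);                                        /* e_lfanew */
    if (pe > len || len - pe < 24 || rd32(img + pe) != 0x4550) return -1;  /* "PE\0\0" */
    uint16_t nsec = rd16(img + pe + 6), optsz = rd16(img + pe + 20);
    if (optsz < 20 || len - pe - 24 < optsz + 40u * nsec) return -1;       /* section table in bounds? */
    const uint8_t *opt = img + pe + 24, *sec = opt + optsz;
    uint32_t ep = rd32(opt + 16);                                          /* AddressOfEntryPoint */
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        uint32_t va = rd32(sec + 12), vsz = rd32(sec + 8);
        if (vsz == 0) vsz = rd32(sec + 16);                                /* VirtualSize 0: use SizeOfRawData */
        if (ep >= va && ep - va < vsz) {
            memcpy(name, sec, 8); name[8] = '\0';                          /* Name is 8 bytes, not NUL-terminated */
            *chars = rd32(sec + 36);                                       /* Characteristics */
            return i;
        }
    }
    return -2;
}

/* 1 if the EP is not inside an executable, non-writable section named .text (or not in any section). */
int ep_is_unusual(const uint8_t *img, size_t len) {
    char name[9]; uint32_t ch;
    if (ep_section(img, len, name, &ch) < 0) return 1;
    return !(ch & IMAGE_SCN_MEM_EXECUTE) || (ch & IMAGE_SCN_MEM_WRITE) != 0 || strcmp(name, ".text") != 0;
}

/* Constructed header-only PE32 image with one section, for tests only (buf needs 0x200 bytes). */
size_t make_test_pe(uint8_t *buf, uint32_t ep, const char *secname, uint32_t va, uint32_t vsz, uint32_t chars) {
    memset(buf, 0, 0x200); buf[0] = 'M'; buf[1] = 'Z'; wr32(buf + 0x3C, 0x80);       /* e_lfanew = 0x80 */
    memcpy(buf + 0x80, "PE\0\0", 4); wr16(buf + 0x86, 1); wr16(buf + 0x94, 0xE0);  /* 1 section, PE32 opt hdr */
    wr32(buf + 0x98 + 16, ep);                                                    /* AddressOfEntryPoint */
    uint8_t *sec = buf + 0x98 + 0xE0; strncpy((char *)sec, secname, 8);
    wr32(sec + 8, vsz); wr32(sec + 12, va); wr32(sec + 36, chars);
    return 0x98 + 0xE0 + 40;
}
```

To use it on a real file, read the whole file into a buffer and pass it to ep_section; the RVA comparison works on the raw file because section headers carry virtual addresses.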
HVC Posted May 26, 2008 (edited)
Ahmed... If you by any chance mean that you need a function that serves as an automated possible OEP detector, for unpacking purposes, I would suggest trying Human's, deroko's or UsAr's OEP finders... The trick is to set the PAGE_GUARD attribute on the .text section, and check if EIP is within range while debugging your target ...
http://deroko.phearless.org./rce.html
http://usar.pp.ru/download/
http://www.exetools.com/forum/showthread.php?t=8841
Edited May 26, 2008 by HVC
sdy100 Posted May 26, 2008
http://www.joestewart.org/ollybone/
http://www.woodmann.com/forum/showthread.php?t=9317
ahmadmansoor (thread author) Posted May 26, 2008 (edited)
I don't know what I can say. Many thanks to GamingMasteR, HVC and sdy100, many thanks for your fast reply, I appreciate your help ....... Thanks in advance, I will try it.
Edited May 26, 2008 by ahmadmansoor