urbanyoung, Posted January 27, 2009

Hey, I'm trying to dump a DLL in memory using C++. The actual dumping is fine, but I'm looking for help in fixing the virtual addresses. At the moment I am dumping the virtual addresses but need to change them to the offset (I think that's right). I know I'm not being very clear, so I'll post some code.

01E5102A  A1 1444E901  MOV EAX,DWORD PTR DS:[1E94414]

Of course, because I'm not changing the virtual address code, the dump will crash when run (because it will try to mov 1E94414 into EAX, which is an invalid address). I'd really appreciate some help; I looked around the forum but couldn't find anything that helped.
Killboy, Posted January 27, 2009

Well, you still need to fix relocations. The general approach would be to load the DLL twice (different names!) so you have it at two different bases. You can compare the difference between the two dumps and build a relocation table based on it. Either assemble it on your own or use some tool like Relox. But since you're trying to code your own dump thingy, you probably want to code it yourself. Read up on how reloc tables work and how to build one; coding it up shouldn't be too hard then.

The second way would be to go the packer-specific way: find a place where it stores the info on what to relocate (it has to fix up relocations for the DLL to work) and try to grab a working reloc table, or go the way above, given the needed offsets to relocate.
urbanyoung (Author), Posted January 27, 2009 (edited)

> Well, you still need to fix relocations. The general approach would be to load the DLL twice (different names!) so you have it at two different bases. You can compare the difference between the two dumps and build a relocation table based on it. Either assemble it on your own or use some tool like Relox. But since you're trying to code your own dump thingy, you probably want to code it yourself. Read up on how reloc tables work and how to build one; coding it up shouldn't be too hard then.
> The second way would be to go the packer-specific way: find a place where it stores the info on what to relocate (it has to fix up relocations for the DLL to work) and try to grab a working reloc table, or go the way above, given the needed offsets to relocate.

To get the file code (code that should be there once dumped), once I find the modifications, do I just subtract the base from the virtual address?

Using a hex editor I can find this:

8B0D 24 46 04 10

which, when loaded with a data base of 2912000, will equal:

028D1040  8B0D 24469102  MOV ECX,DWORD PTR DS:[2914624]

If I read the data in the file, it would be 10042624, then add it to the base (2919000) and it doesn't equal 2914624, it equals 12954624.

Edited January 27, 2009 by urbanyoung
Killboy, Posted January 27, 2009

Not sure what you're trying to accomplish with the calculation above :? Basically you compare the two dumps and just build a reloc table based on the offsets that differ. If you take a look at the reloc table implementation you'll see you don't need to subtract anything. The dump stays the way it is; you just build the reloc table so Windows knows where to patch the DLL for it to work on a base other than the one it was dumped at.
urbanyoung (Author), Posted January 27, 2009

> Not sure what you're trying to accomplish with the calculation above :? Basically you compare the two dumps and just build a reloc table based on the offsets that differ. If you take a look at the reloc table implementation you'll see you don't need to subtract anything. The dump stays the way it is; you just build the reloc table so Windows knows where to patch the DLL for it to work on a base other than the one it was dumped at.

What I was trying to do in my previous post was to convert

8B0D 24 46 91 02  MOV ECX,DWORD PTR DS:[2914624]

into

8B0D 24 46 04 10

which is what that command is in the file. I thought that subtracting the base from the virtual address would work, however I was mistaken.
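Killboy's two-dump approach, written out as an added example (this is not code from the thread or from any tool it names): two dumps of the same module taken at different bases are compared dword by dword, every value that moved by exactly the base delta and points back into the image is recorded as a HIGHLOW entry, and the entries are grouped per 4 KiB page the way IMAGE_BASE_RELOCATION blocks hold them. The constructed sample images, the bases 0x10000000 and 0x02910000, and the "points inside the image" filter are my assumptions, not something the posters specified.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IMAGE_REL_BASED_HIGHLOW 3   /* 32-bit absolute address: loader adds the base delta */
#define IMG_SIZE 0x2000             /* constructed demo image: two 4 KiB pages */

/* One IMAGE_BASE_RELOCATION block: page RVA plus 16-bit entries (type << 12 | offset in page). */
typedef struct { uint32_t page_rva; uint16_t entries[1024]; size_t count; } reloc_block_t;

/* Compare two dumps of the same module taken at base_a and base_b. A dword that moves by exactly
   (base_b - base_a) and points inside the image is treated as an absolute address (assumption). */
size_t build_relocs(const uint8_t *a, const uint8_t *b, size_t size, uint32_t base_a, uint32_t base_b,
                    reloc_block_t *blocks, size_t max_blocks, size_t *nblocks)
{
    uint32_t delta = base_b - base_a, va, vb; size_t total = 0;
    *nblocks = 0; if (delta == 0) return 0;      /* same base: nothing to compare */
    for (size_t rva = 0; rva + 4 <= size; rva++) {
        memcpy(&va, a + rva, 4); memcpy(&vb, b + rva, 4);
        if (vb - va != delta) continue;          /* unchanged, or not shifted by the base delta */
        if (va - base_a >= size) continue;       /* shifted, but not a pointer into this image */
        uint32_t page = (uint32_t)rva & ~0xFFFu; reloc_block_t *blk;
        if (*nblocks && blocks[*nblocks - 1].page_rva == page) blk = &blocks[*nblocks - 1];
        else if (*nblocks < max_blocks) { blk = &blocks[(*nblocks)++]; blk->page_rva = page; blk->count = 0; }
        else break;
        blk->entries[blk->count++] = (uint16_t)((IMAGE_REL_BASED_HIGHLOW << 12) | (rva & 0xFFF));
        total++; rva += 3;                       /* step over the rest of this dword */
    }
    return total;
}

/* Constructed stand-in for a dump at `base`: two absolute references like the thread's MOVs, an
   ordinary immediate, and a value that moves with the base but points outside the image. */
static void make_image(uint8_t *img, uint32_t base)
{
    uint32_t refs[4][2] = { {0x12, base + 0x1040}, {0x30, 0x12345678}, {0x40, base + 0x50000}, {0x1021, base + 0x14} };
    memset(img, 0, IMG_SIZE);
    img[0x10] = 0x8B; img[0x11] = 0x0D;          /* MOV ECX,DWORD PTR DS:[imm32] at RVA 0x10 */
    img[0x1020] = 0xA1;                          /* MOV EAX,DWORD PTR DS:[imm32] at RVA 0x1020 */
    for (int i = 0; i < 4; i++) memcpy(img + refs[i][0], &refs[i][1], 4);
}

static reloc_block_t g_blocks[8]; static size_t g_nblocks;   /* results, inspectable after run_demo() */

/* Dump "a" as if mapped at the file's preferred base 0x10000000, dump "b" at 0x02910000. */
size_t run_demo(void)
{
    static uint8_t a[IMG_SIZE], b[IMG_SIZE];
    make_image(a, 0x10000000u); make_image(b, 0x02910000u);
    return build_relocs(a, b, IMG_SIZE, 0x10000000u, 0x02910000u, g_blocks, 8, &g_nblocks);
}
```

The value at RVA 0x40 shifts with the base but is rejected by the in-image check, which is the kind of false positive a plain "every dword that differs" comparison would turn into a bogus relocation.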