section flag to not writeable in asm

[Yoshi]

how to set a section flag to not writeable in asm coding? i dont want to change it with tools but need to do it manually.

 

i got a pe32 which is writeable but i want to change this flag to not writeable.

 

i wrote already a piece of code which change it to not writeable but for x reason the code has not acces because it crashes when it trys to write the flag to not writeable

assume edx: ptr IMAGE_SECTION_HEADER
mov [edx].Characteristics, 60000040h 

Edited September 30, 2013 by Yoshi

[LCF-AT]

Hi,

so you have to set the PE Header to writeable if you want to change some datas in the PE Header.Use Virtualprotect API and then change what you wanna change in PE.

Also if you want to change any section flag then do not simple write 60000040.Just read the original flag and check whether its already set to writeable or not and if not and you want to change it to writebale etc then just calc and add/sub the need byte counts to set the right half byte to writable.This is a little trickly if you need to handle half bytes instead of normal bytes.So you can work with the registers [and / shr / shl commands] to AL and then check and add and the create a new DWORD also in register and then copy it into PE Header.

If you don't know what I mean then just load any file in LordPE choose a section / edit section header / press flag button and see first block list so this is using the first half byte from 0 [all disabled] till F [all enabled].The Writable attribute has a minimum value of 8 hex if its enabled.So this means if the first half byte is lower than 8 [0 till 7]= not writeable.If its 8 or higher = writeable.If its lower then you just need to add 8 bytes on the first half byte.

Set say you check this in your code then just move this first half byte to AL = 07 for exsample and now check whether is higher than 7 and if not then add 8 bytes to AL = 08.So dont forget that you now have again to use the half AL only later and the full AL value .... "0|>> 8 <<".

Also the same if you want to set the flag to not writeable then just sub 8 bytes from the first half byte.

00 00 00 00 <-- DWORD = 8 HBs00 00       <-- WORD  = 4 HBs00          <-- BYTE    2 HBs0           <-- Half Byte [There are no ASM command which can handle HBytes]

Just try a little.

[Yoshi]

ty for explanation but that is too complicated. virtualprotect does the job indeed but i dont want to use that api either tools.

all i want to do is manually changing the section flag to non writeable.

 

the section i want to set to not writeable called ..rdata and the flag is right now is writeable.

 

the code is posted in the first message is locating the section header of the .rdata section and then change its flag to not writable. this should work but it doesnt

[LCF-AT]

So the question is what you wanna do now.Do you want just to change the flag of any file + saving the file with the new flag or do you just want to change the flag in PE Header in realtime / exe modded PE itself durring run?So you can only change the flag a extern mode before the file gets loaded [same like if you change flag with any PE tool and save it and then run the file],so in realtime if the target was already loaded and you need to set your section to writeable then it makes no sens to change the flag now in PE so this will not have any effect so in this case you can only set the section itself to writeable or not writeable etc via using the API VirtualProtect.

Lets say you have your xy target where you want to change this section to "not" writeable so then you can create a litte patch which you can use as exsample.I wrote it in MultiASM plugin so if you have it then just paste the code into and enter any address at the top where you want to make this patch.

<00930000> ; <--- Enter here the address where you want this patch..@SECTION_TO_PATCH:;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"\x03" ; <--- Enter section 1 First section 2 second section etc... ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;@MARKER_SIGN:"*\0" @VP_STRING:"VirtualProtect\0";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;@TOP:  ; <--- Enter TOP in Olly expression window to reach the startpushadcall @SHORT@SHORT:pop edi@FIND_SIGN:dec edicmp byte [edi], 2Ajne short @FIND_SIGNmov eax,  [edi-1]and eax, 000000FFmov [esp-10], eaxadd edi,2mov DWORD [esp-14], ediMOV EBX,DWORD PTR FS:[30]MOV EBX,DWORD PTR DS:[EBX+C]MOV EBX,DWORD PTR DS:[EBX+14]MOV EBX,DWORD PTR DS:[EBX]MOV EBX,DWORD PTR DS:[EBX]MOV EBX,DWORD PTR DS:[EBX+10]MOV EBP,EBXADD EBX,DWORD PTR DS:[EBX+3C]MOV EBX,DWORD PTR DS:[EBX+78]ADD EBX,EBPMOV EDX,EBXMOV ESI,DWORD PTR DS:[EBX+20]ADD ESI,EBPSUB EBX,EBXCLD@LOOP_1:INC EBXLODS DWORD PTR DS:[ESI]ADD EAX,EBPPUSH ESIMOV ESI,EAXMOV EDI, DWORD [ESP-10],  ; VirtualProtect stringMOV ECX,0E                ; API String LenghtREPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]POP ESIJNZ SHORT @LOOP_1cmp byte [eax+E], 00       ; Test 0 byte after API string in exportsjne short @LOOP_1DEC EBXMOV EAX,EDXMOV EAX,DWORD PTR DS:[EAX+24]ADD EAX,EBPMOVZX EAX,WORD PTR DS:[EAX+EBX*2]MOV EBX,EDXMOV EBX,DWORD PTR DS:[EBX+1C]ADD EBX,EBPMOV EBX,DWORD PTR DS:[EBX+EAX*4]ADD EBX,EBPMOV EBP,DWORD PTR FS:[18]MOV EBP,DWORD PTR DS:[EBP+30]MOV EBP,DWORD PTR DS:[EBP+8]nop              ; ImageBase via PEB of Target in EBP (exe files!)mov ecx, [ebp+3C]add ecx, ebpMOVZX esi, [ecx+6]MOVZX EDX,BYTE PTR DS:[ECX+14]LEA EDX,DWORD PTR DS:[ECX+EDX+18] ; First section topmov eax, [esp-10]or eax, eaxjne short @SECCHECK@SECTION_PROBLEM:ret ; <-------- Problem!You did not enter any custom section 1,2,3,etc!!!nop@SECCHECK:cmp eax, esijb short @SECCHECK2je short @SECCHECK2jmp short @SECTION_PROBLEM@SECCHECK2:lea edx, [edx+28]dec eaxor eax,eaxjne short @SECCHECK2sub edx, 28mov eax, [edx+C]add eax, ebpmov ecx, [ecx+28]add ecx, ebp ; EP in ecx (TLS check extra if you need!)mov [esp-60], ecxmov ecx, [edx+8] ; VirtualSizesub esp, 4push esp  ; <---- For win 7 - 8 use not the stack if stack protecion is used!push 20   ;  PAGE_EXECUTE_READ or 2 = PAGE_READONLY etcpush ecxpush eaxcall ebxadd esp, 4popanopjmp [esp-80] ; Jump to EP if you neednop

Just load your target or others in Olly then paste this code and just fill the section 1,2,3,etc which you want to set to not writeable at the label "@SECTION_TO_PATCH" \x03 = 3. section.So if your section .rdata is section not section 3 and its maybe section 4 then enter \x04 on the label then let assemble it and thats all and you dont need to enter something else to make it easier for you.Now execute from this code and it will patch your section using VirtualProtect API reading from the PEB.

So this code for exsample you could use for any exe files you load in Olly for a realtime check.If you want to use it in your target at OEP or added section etc then you have to adjust the last command jmp [esp-80] to jmp address [no adjusting needed for byte count commands like direct jump and calls] to prevent a jump back to EP again = loops endless.Just try it so maybe this is what you need.

greetz

[EvOlUtIoN]

If you put not writeable in .rdata section the most probably thing you will have is a crash of application. Remember thet the section normally contains the IT pointers and some other data that are not fixed.

[EvOlUtIoN]

If you put not writeable in .rdata section the most probably thing you will have is a crash of application. Remember thet the section normally contains the IT pointers and some other data that are not fixed.

[EvOlUtIoN]

If you put not writeable in .rdata section the most probably thing you will have is a crash of application. Remember thet the section normally contains the IT pointers and some other data that are not fixed.

[ragdog]

No he have added a section and write a stub to this section this is writetable.

 

Now try Yoshi to change the flag from writetable to a other flag but i think that it not works.

 

Why this stub contain  variables and the stub code cannot write to it and crash

 

The other way set the stub variables to writetable @runtime with VirtualProtect

before you fill the variables

 

 

 

Yoshi let it Writetable

 

 

Greets,

Edited October 1, 2013 by ragdog

[Yoshi]

thanks you very much for the script!

 

indeed evolution, when i do not set the .rdata section back the not writeable the file causes a "Floating point error".

 

and ragdog you are right but i dont want to use VirtualProtect because this will causes false positives then my game injector is not fud anymore.

 

 

let me explain the problem

 

i need to inject a pe32 game so i need to set the .rdata section to writeable. this is working succesfully after injecting

but after injecting the file causes "floating point error".

 

so after injecting i putted the flag back to not writeable with a pe-tool and then the game runs fine.

so the problem here is i need to set the flag back at runtime to non writeable. this code is located at the new section stub

 

any ideas?

Edited October 1, 2013 by Yoshi

[kao]

i need to set the flag back at runtime to non writeable.

The only way to do that in runtime, is to use VirtualProtect or related function (VirtualProtectEx/NtProtectVirtualMemory). There is no other way.

[LCF-AT]

Hi again,

so first you should maybe more explain what the goal is.So what exactly you wanna do now?If I understand you right then you have any exe file which includes your PE32 Game and now you exe does inject this game where?So is your PE32 Game no single working exe file like "Game.exe" which you can start normaly via mouseclicks?So you said you change the flag of the game via PE tool and all is working fine so then all is already ok or not?

So if you only need to change the flag [flag check in target itself] or if you need to change the full section to writeable or not writeable then just inject a code into memory which does check and patch it in realtime.

Would be maybe better if you could send a exsample file [if its only has some 1,2 or5 MB only] to check this in real to get this problem so on this way it would be better to check the problem and find a solution for it etc.Just a idea of course.

greetz

[Yoshi]

lcf-at the pe32 is > 10 mb but if it is correct what kao says then i have to use virtualprotect. thank you lcf-at kao and ragdog and evolution