Guys,

 

Got a question about the following.

I have a .exe I want to debug using my own tool.

My tool runs the process using CreateProcess, than injects a DLL which sets up a Vectored Exception Handler.

Than I can set breakpoints and such and let the DLL trace through the code.

 

Now I am wondering if it is possible to make an exact copy of a .exe and map it into memory.

So I can trace through a buffer instead of creating the process and injecting a DLL.

 

What I tried so far:

 

1. CreateFile

2. CreateFileMapping

3. MapViewOfFile and MapViewOfFileEx.

 

The problem I am facing here is that the rva's inside the .exe are not pointing to the proper memory location when you map a file into memory.

Like the Import Table is not pointing to the real imported API's but instead has an RVA.

 

Anyone got any ideas or code to share on how to map the .exe into memory and fix the RVA's so I am able to trace through an allocated memory buffer

instead of tracing through the real code at runtime?

If you plan to map file it's like combination of virtualalloc and readfile. You get random memory address so you will always have wrong RVA. But you can convert RVA to file offset and this way get what you want.

Now I am wondering if it is possible to make an exact copy of a .exe and map it into memory.

Yes, it's possible. Google "RunPE".

No, it's not a good idea. Not even for debugging purposes.

maybe you can check this out : http://board.b-at-s.info/index.php?showtopic=8780

 

It's a Class to load a native DLL from resources into Memory and mapping it correctly using C#

 

It works fine so far but I still have to add support for DLLs which have imports by Ordinal not by name.