How to change image base of exe file?

January 16, 2014

Hi all,

we can change the image base of executable file while linking with /BASE option.

i.e.



Link /BASE:0x600000

but is there any way to change the image base after linking?

we may use PE editor to change the ImageBase value! but the problem raises when building import table!



00601060    FF25 08104000   JMP DWORD PTR DS:[401008]

00601066    FF25 00104000   JMP DWORD PTR DS:[401000]

jump addresses must change to their appropriate values! any idea?

Regards.

January 16, 2014

If your executable has relocations, you can use "editbin.exe" from Microsoft Visual Studio SDK. Something like this:



editbin.exe /rebase -b:0x12340000 target.exe

If your executable doesn't have relocations, there is no real way to know which addresses should be updated and which shouldn't.

January 16, 2014

Alternatively you can also try the Relocation builder by ghandi on this board which is useful if you want to build a relocation data without the source code

January 17, 2014

Hi all,

we can change the image base of executable file while linking with /BASE option.

i.e.
Link /BASE:0x600000

but is there any way to change the image base after linking?

we may use PE editor to change the ImageBase value! but the problem raises when building import table!
00601060 FF25 08104000 JMP DWORD PTR DS:[401008]
00601066 FF25 00104000 JMP DWORD PTR DS:[401000]

jump addresses must change to their appropriate values! any idea?

Regards.

thats the whole point in reversing PE tables and editing.. adding new sections and whatnot..

http://www.sunshine2k.de/reversing.html

is how i really got into PE snooping.. its tricky.. real tricky

January 17, 2014

Hi,

I want do it with coding not tools! I searched the web and no source code was suitable! there is good procedures in UPX source code for making relocation and will use it after getting permission!

Regs.

January 17, 2014

You don't want to use tools but you're about to mod up a packing tool UPX;

Look use tools like PeEditors and "manually" modify your EXE files, until you completely understand it

Then once you get the idea, you can create your own tool to snoop through the EXE and modify/add imports exports etc..

Your imagebase gets your virtual address

I.e: I want to explain how we can plainly change

the Offset of Entry Point (OEP) in our sample file, CALC.EXE of Windows XP. First, by using a PE Tool, and also using our PE

Viewer, we find OEP,0x00012475, and Image Base,0x01000000. This value of OEP is the Relative Virtual Address, so the Image Base

value is used to convert it to the Virtual

Address.

Virtual_Address = Image_Base + Relative_Virtual_Address

www.codeproject.com/Articles/12532/Inject-your-code-to-a-Portable-Executable-file

So if you change that imagebase AFTER you compile, then all your imports and exports need to have their RvA and VA changed too...

Ps: I have a bunch of stuff I'm sporadically working on; but I'll try to create a Hello World EXE , change the imagebase around, and try to help u understand..

Edited January 17, 2014 by JMC31337

January 17, 2014

Kao is right about reloc. relocation table sections: its what keeps your program from loading in another programs space.. but for the most part i created a simple win32 hello messagebox

before changing the image base ollydbg shows this:



CPU Disasm

Address   Hex dump                  Command                                               Comments

00401220  /.  55                    PUSH EBP

00401221  |.  89E5                  MOV EBP,ESP

00401223  |.  83EC 08               SUB ESP,8

00401226  |.  C70424 01000000       MOV DWORD PTR SS:[LOCAL.2],1

0040122D  |.  FF15 E8504000         CALL DWORD PTR DS:[<&msvcrt.__set_app_type>]

CALL the API @ 004050E8

so changing my imagebase to 500000 ollydbg shows this:



CPU Disasm

Address   Hex dump                  Command                                               Comments

00501220   .  55                    PUSH EBP

00501221   .  89E5                  MOV EBP,ESP

00501223   .  83EC 08               SUB ESP,8

00501226   .  C70424 01000000       MOV DWORD PTR SS:[ESP],1

0050122D      FF                    DB FF

0050122E      15                    DB 15

0050122F      E8                    DB E8

00501230      50                    DB 50                                                 ; CHAR 'P'

00501231      40                    DB 40                                                 ; CHAR '@'

yup completely screwed, so even steping into this will throw violations... manually changing the code in ollydbg:

binary edit 0050122D .. uncheck keep size and change it to

FF 15 E8 50 50

we get:



CPU Disasm

Address   Hex dump                  Command                                               Comments

00501220   .  55                    PUSH EBP

00501221   .  89E5                  MOV EBP,ESP

00501223   .  83EC 08               SUB ESP,8

00501226   .  C70424 01000000       MOV DWORD PTR SS:[ESP],1

0050122D      FF15 E8505000         CALL DWORD PTR DS:[<&msvcrt.__set_app_type>]

have fun with that.. look for PE snoopers (good ones allow you to get the API offset info real nice) and you can fig it out in time

Edited January 17, 2014 by JMC31337

Sign In

How to change image base of exe file?

Recommended Posts

Mr.reCoder

kao

Lostin

JMC31337

Mr.reCoder

JMC31337

JMC31337

Create an account or sign in to comment

Create an account

Sign in

Community

Search