Hi there,

found what i'm looking for. _IMAGE_NT_HEADERS is already
defined as IMAGE_NT_HEADERS in win32api.inc

Ralph

------------------

Uumm...

I have a stupid question; What is PE and what does it stand for?

Regards, Jules

Portable Executable

Sorry only answer half your question the first time round.

PE files are the executables for windows and it setup the format and the
structure of the file. where sections begin and end and where and what
kind of data is in the file, that sort of thing.

There are also LE (Forgot what that stands for) and those are mostly
Driver files.

There is also ME (Which is the initials of the person who created that format)
And those are DOS files. they are also embedded into PE and LE files and
prints the message "This program requires windows" or something like
that.

There are also other formats used by UNIX and Be and other systems.
But those are the main one for Windows.

------------------
mailto:[email protected][email protected]</A>


[This message has been edited by KevinVoell (edited July 19, 2000).]

for an example of extracting and using pe information have a look
at http://www.powerbasic.com/support/pb...ad.php?t=22797

cheers

florent

------------------

Ralph,

Portable Executable file format is the native format in 32 bit windows,
LE (linear executable) was the last Microsoft attempt in 16 bit before
it was abandoned and VxD files are in that older format from 16 bit
windows.

The MZ header at the start of a PE file is the DOS stub that prevents the
program from crashing if it is started in DOS. It is not all that commonly
known but the instance handle is the start address of the PE memory image
in memory and with the windows 32 bit format, everything is loaded into
memory including the DOS stub. If you read the first 2 bytes at the address
of the instance handle, it will be MZ.

The memory is normally readable so you can read it and write it to disk to
have a look at how the image load. You will notice that the image is split
into sections and that they are aligned. If you want to get the image of
another EXE file, it is a sequence of CreateProcess() ReadProcessMemory().

PE files normally load at &H400000 so if you are interested, you can get
the loaded image of another process and write it to disk. It tends to be
useful in decompressing PE files or decrypting them as they must do this
to load in memory.

Regards,

[email protected]


------------------

Ralph,

Please could you answer to my private emails, thank you.


------------------
Patrice Terrier
mailto[email protected][email protected]</A>

It's still clear as mud to me.

Thanks any everyone!
Regards, Jules

Somebody knows, if to read (Pb) exe by LoadLibrary, it possible to find in memory whole/part of Exe image on HDD ?
For example, I want to correct some bytes in Exe ("control sum").

General scheme is following.
I start a program (x.bas) from IDE. Program understands that it's not patched, defines offsets for control
(CodePtr(Label1) - hInstance ... CodePtr(Label2) - hInstance) and calls Patch.Exe.
Patch.Exe loads x.exe by LoadLibrary, calculates changes, corrects x.exe on HDD and restarts it.

Patched x.exe (for customers) during execution will test itself to avoid "gifts".



[This message has been edited by Semen Matusovski (edited July 23, 2000).]

The following piece of code shows how to get information from the loaded
image of your own running application. PowerBASIC EXE files are of the
Portable Executable (PE) type which loads the DOS stub as well as the
application code. The trick is that the instance handle for the application
is actually the start address in memory of your application's image.

If I understand what Semen wants to do, just know what the offset from the
start of the disk file is that you wish to check and then read it directly
in memory to test it and do what you need with the test later. If you need
to access specific parts of the PE header, you will need to use the
appropriate structures to get the correct member and this must be referenced
from the beginning of the PE header.

Regards,

[email protected]

------------------