1-byte patch to PE exe that makes it run hidden? Steve Hutchesson whered u put it? :)


  • 1-byte patch to PE exe that makes it run hidden? Steve Hutchesson whered u put it? :)

    Sometime (I think earlier this year if not late last year) Steve Hutchesson (who else!) posted a tiny little PB source that opened an exe file, patched 1 byte somewhere in the exe file, and then when you run that exe it runs invisible -- particularly useful for console programs created with PB/CC.
    I wasn't able to locate it with POFFS2 even after checking virtually all of Steve's posts!
    Does anybody know where that forum thread is, or have the source for that patch?
    Thanks!


    ------------------
    -

  • #2
    It was called NoCons:

    http://www.powerbasic.com/support/fo...-7-000147.html

    ------------------
    Lance
    PowerBASIC Support


    • #3
      Ah, Steve didn't post it, Marc van den Dikkenberg did, but "Thanks to Steve Hutchesson for discovering this gem!"
      No wonder I couldn't find it
      Thanks a million Lance!


      ------------------
      -



      • #4
        Wayne,

        It's pretty simple stuff, if you set up the PE header in the appropriate
        structure once you open the file, all you are changing is whether
        the app is a console or GUI app so you just identify the correct
        structure member and change the attribute.

        In the structure "IMAGE_OPTIONAL_HEADER32", look for the "Subsystem"
        member and change it to what you require.

        Regards,


        ------------------
        hutch at movsd dot com
        The MASM Forum

        www.masm32.com



        • #5
          Wayne,

          Below is all I could find in a hurry on PE manipulation, it's a
          research tool to split all of the PE sections into separate files.

          For reasons that escape me at the moment, I rewrote and renamed
          the standard PE structures but I did leave the standard structure
          names documented in the include file.

          It would be easy enough for you to make a utility that opened the
          EXE file and read the NT header, displayed the current "Subsystem"
          attribute and left the user with the choice of changing it.

          Regards,


          filename = peimage.inc

          Code:
            ' ************************************
            ' Structures for PE file manipulation
            ' ************************************
            
            %IMAGE_SIZEOF_SECTION_HEADER      = 40
            
            ' ---------------------------------
            ' original name "IMAGE_DOS_HEADER"
            ' ---------------------------------
            TYPE IMAGE_DOS_HDR
              e_magic                       as WORD
              e_cblp                        as WORD
              e_cp                          as WORD
              e_crlc                        as WORD
              e_cparhdr                     as WORD
              e_minalloc                    as WORD
              e_maxalloc                    as WORD
              e_ss                          as WORD
              e_sp                          as WORD
              e_csum                        as WORD
              e_ip                          as WORD
              e_cs                          as WORD
              e_lfarlc                      as WORD
              e_ovno                        as WORD
              e_res(3)                      as WORD '  4 member WORD array
              e_oemid                       as WORD
              e_oeminfo                     as WORD
              e_res2(9)                     as WORD ' 10 member WORD array
              e_lfanew                      as LONG
            END TYPE
            
            ' ----------------------------------
            ' original name "IMAGE_FILE_HEADER"
            ' ----------------------------------
            TYPE IMAGE_FILE_HDR
              Machine                       as WORD
              NumberOfSections              as WORD
              TimeDateStamp                 as DWORD
              PointerToSymbolTable          as DWORD
              NumberOfSymbols               as DWORD
              SizeOfOptionalHeader          as WORD
              Characteristics               as WORD
            END TYPE
            
            ' --------------------------------------
            ' original name "IMAGE_DATA_DIRECTORY"
            ' --------------------------------------
            TYPE IMAGE_DATA_DIR
              VirtualAddress                as DWORD
              isize                         as DWORD
            END TYPE
            
            ' --------------------------------------
            ' original name "IMAGE_OPTIONAL_HEADER32"
            ' --------------------------------------
            TYPE IMAGE_OPTIONAL_HDR
              Magic                         as WORD 
              MajorLinkerVersion            as BYTE 
              MinorLinkerVersion            as BYTE 
              SizeOfCode                    as DWORD
              SizeOfInitializedData         as DWORD
              SizeOfUninitializedData       as DWORD
              AddressOfEntryPoint           as DWORD
              BaseOfCode                    as DWORD
              BaseOfData                    as DWORD
              ImageBase                     as DWORD
              SectionAlignment              as DWORD
              FileAlignment                 as DWORD
              MajorOperatingSystemVersion   as WORD 
              MinorOperatingSystemVersion   as WORD 
              MajorImageVersion             as WORD 
              MinorImageVersion             as WORD 
              MajorSubsystemVersion         as WORD 
              MinorSubsystemVersion         as WORD 
              Win32VersionValue             as DWORD
              SizeOfImage                   as DWORD
              SizeOfHeaders                 as DWORD
              CheckSum                      as DWORD
              Subsystem                     as WORD 
              DllCharacteristics            as WORD 
              SizeOfStackReserve            as DWORD
              SizeOfStackCommit             as DWORD
              SizeOfHeapReserve             as DWORD
              SizeOfHeapCommit              as DWORD
              LoaderFlags                   as DWORD
              NumberOfRvaAndSizes           as DWORD
              DataDirectory(15)             as IMAGE_DATA_DIR   ' 16 member array of structures
            END TYPE
            
            ' ---------------------------------
            ' original name "IMAGE_NT_HEADERS"
            ' ---------------------------------
            TYPE IMAGE_NT_HDR
              Signature                     as DWORD
              FileHeader                    as IMAGE_FILE_HDR
              OptionalHeader                as IMAGE_OPTIONAL_HDR
            END TYPE
            
            ' ---------------------------------------
            ' original name "IMAGE_EXPORT_DIRECTORY"
            ' ---------------------------------------
            TYPE IMAGE_EXPORT_DIR
              Characteristics               as DWORD
              TimeDateStamp                 as DWORD
              MajorVersion                  as WORD
              MinorVersion                  as WORD
              nName                         as DWORD
              nBase                         as DWORD
              NumberOfFunctions             as DWORD
              NumberOfNames                 as DWORD
              AddressOfFunctions            as DWORD
              AddressOfNames                as DWORD
              AddressOfNameOrdinals         as DWORD
            END TYPE
            
            UNION MISC
              PhysicalAddress               as DWORD
              VirtualSize                   as DWORD
            END UNION
            
            ' ---------------------------------------
            ' original name "IMAGE_SECTION_HEADER"
            ' ---------------------------------------
            TYPE IMAGE_SECTION_HDR
              Name1                         as STRING * 8
              Property                      as MISC
              VirtualAddress                as DWORD
              SizeOfRawData                 as DWORD
              PointerToRawData              as DWORD
              PointerToRelocations          as DWORD
              PointerToLinenumbers          as DWORD
              NumberOfRelocations           as WORD
              NumberOfLinenumbers           as WORD
              Characteristics               as DWORD
            END TYPE
          filename = petoy.bas

          Code:
            ' #########################################################################
            
                %NOPRINTDLG   = 1
            
                #COMPILE EXE
                #INCLUDE "PEIMAGE.INC"
                #INCLUDE "D:\PB6\WINAPI\WIN32API.INC"
                #INCLUDE "d:\pb6\winapi\COMDLG32.INC"
            
                GLOBAL hInstance    as DWORD
            
                GLOBAL sCount       as DWORD        ' section count
                GLOBAL nth          as DWORD        ' NT header
                GLOBAL sct          as DWORD        ' start of section headers
            
                GLOBAL mzl          as DWORD        ' MZ header length
                GLOBAL ntl          as DWORD        ' NT header length
                GLOBAL scl          as DWORD        ' SECTION header length
            
                GLOBAL FileImage$                   ' loaded file image string
                GLOBAL sta          as DWORD        ' loaded memory image start address
            
                GLOBAL dhdr         as IMAGE_DOS_HDR
                GLOBAL nthd         as IMAGE_NT_HDR
                GLOBAL shdr         as IMAGE_SECTION_HDR
                GLOBAL section()    as IMAGE_SECTION_HDR
            
                GLOBAL secdata()    as STRING       ' string buffer for section data
            
                DECLARE FUNCTION MemCopyD(ByVal src as DWORD, _
                                          ByVal dst as DWORD, _
                                          ByVal ln  as DWORD) as DWORD
            
                DECLARE SUB GetPEinfo(fname$)
                DECLARE SUB WriteRawSections(sname$)
                DECLARE FUNCTION GetFileName(hParent as LONG,Caption$,filepatn$) as STRING
            
            ' #########################################################################
            
            FUNCTION PbMain() as LONG
            
                fname$ = lcase$(GetFileName(0,"Select PE file","*.*"))
                If fname$ = "" Then
                  EXIT FUNCTION
                End If
            
                sname$ = left$(fname$,len(fname$)-4)
                
                GetPEinfo fname$
            
                WriteRawSections sname$
            
                MsgBox "Data Written",0,"PE Toy"
            
            END FUNCTION
            
            ' #########################################################################
            
            FUNCTION MemCopyD(ByVal src as DWORD, _
                              ByVal dst as DWORD, _
                              ByVal ln  as DWORD) as DWORD
            
                #REGISTER NONE
            
                  ! cld
            
                  ! mov esi, src
                  ! mov edi, dst
                  ! mov ecx, ln
            
                  ! shr ecx, 2
                  ! rep movsd
            
                  ! mov ecx, ln
                  ! and ecx, 3
                  ! rep movsb
            
                FUNCTION = 0
            
            END FUNCTION
            
            ' #########################################################################
            
            SUB GetPEinfo(fname$)
            
                LOCAL ln        as LONG     ' file length
                LOCAL src       as LONG
                LOCAL dst       as LONG
                LOCAL sln       as LONG     ' hdr len
            
                Open fname$ for binary as #1
                  ln = lof(1)
                  Get$ #1,ln,FileImage$
                Close #1
            
                sta = StrPtr(FileImage$)        ' file image start address
            
              ' --------------
              ' get MZ header
              ' --------------
            
                mzl = sizeof(dhdr)              ' MZ header length
            
                src = sta                       ' start of MZ header
                dst = VarPtr(dhdr)
                sln = mzl
                MemCopyD src, dst, sln
            
              ' --------------
              ' get NT header
              ' --------------
            
                ntl = sizeof(nthd)              ' NT header length
            
                nth = sta + dhdr.e_lfanew       ' start of NT header from DOS hdr
                src = nth
                dst = VarPtr(nthd)
                sln = ntl
                MemCopyD src, dst, sln
            
                sCount = nthd.FileHeader.NumberOfSections
            
              ' ---------------------------------
              ' dimension an array of structures
              ' ---------------------------------
                redim section(sCount - 1) as IMAGE_SECTION_HDR  ' array of structures
                redim secdata(sCount - 1) as STRING             ' string array for data
            
              ' ---------------------------------
              ' get section header start address
              ' ---------------------------------
                sct = sta + dhdr.e_lfanew + sln ' start of section header
            
              ' ---------------------------------------------------
              ' loop through reading each section into a structure
              ' ---------------------------------------------------
            
                scl = 40                        ' section header length
            
                rf& = 0
                While rf& < sCount
                  src = sct                     ' section start address
                  dst = VarPtr(section(rf&))    ' structure start address
                  sln = scl                     ' structure is 40 bytes
                  MemCopyD src, dst, sln        ' copy data into structure
            
                  va& = section(rf&).VirtualAddress   ' loaded memory address
                  sd& = section(rf&).SizeOfRawData    ' section size
                  lp& = section(rf&).PointerToRawData ' disk file address
            
                ' -----------------
                ' display sections
                ' -----------------
                  ! pushad
                  rva$ = "VirtualAddress(mem)"+hex$(va&,8)+chr$(13,10)+_
                         "SizeOfRawData(datasize)"+hex$(sd&,8)+chr$(13,10)+_
                         "PointerToRawData(disk)"+hex$(lp&,8)
            
                  MsgBox rva$,0,rtrim$(section(rf&).name1)
                  ! popad
                ' -----------------
            
                  If sd& <> 0 Then                      ' don't write empty section
                    secdata(rf&) = space$(sd&)          ' allocate the buffer
                    dst          = StrPtr(secdata(rf&)) ' get its start address
            
                    MemCopyD sta + lp&, dst, sd&
            
                  End If
            
                  ! inc rf&         ' increment loop counter
                  ! add sct, 40     ' increment start address by structure length
                Wend
            
            END SUB
            
            ' #########################################################################
            
            SUB WriteRawSections(sname$)
            
                LOCAL PE_len as DWORD
                LOCAL src    as DWORD
                LOCAL dst    as DWORD
                LOCAL ln     as DWORD
            
                PE_len = dhdr.e_lfanew + ntl + (sCount * 40)
                hdr$   = left$(FileImage$,PE_len)                       ' complete PE header
            
              ' --------------------------
              ' write MZ header to string
              ' --------------------------
                mzh$   = space$(mzl)
                src    = VarPtr(dhdr)
                dst    = StrPtr(mzh$)
            
                MemCopyD src, dst, mzl
            
              ' --------------------------
              ' write NT header to string
              ' --------------------------
                nthr$  = space$(ntl)
                src    = VarPtr(nthd)
                dst    = StrPtr(nthr$)
            
                MemCopyD src, dst, ntl
            
                kill sname$+".pe"
                kill sname$+".mz"
                kill sname$+".nt"
            
                Open sname$+".pe" for Binary as #1
                  Put$ #1, hdr$
                Close #1
            
                Open sname$+".mz" for Binary as #1
                  Put$ #1, mzh$
                Close #1
            
                Open sname$+".nt" for Binary as #1
                  Put$ #1, nthr$
                Close #1
            
                rf& = 0
            
                kill sname$+".sh?"
                kill sname$+".sd?"
            
                While rf& < sCount
                  sect$ = space$(scl)
                  src   = VarPtr(section(rf&))
                  dst   = StrPtr(sect$)
            
                  MemCopyD src, dst, scl
            
                ' ---------------------
                ' write section header
                ' ---------------------
                  Open sname$+".sh"+ltrim$(str$(rf&)) for Binary as #1
                    Put$ #1, sect$
                  Close #1
            
                ' -------------------
                ' Write section data
                ' -------------------
                  If secdata(rf&) <> "" Then
                    Open sname$+".sd"+ltrim$(str$(rf&)) for Binary as #1
                      Put$ #1, secdata(rf&)
                    Close #1
                  End If
            
                  ! inc rf&
                Wend
            
            END SUB
            
            '##########################################################################
            
            FUNCTION GetFileName(hParent as LONG,Caption$,filepatn$) as STRING
            
                test$ = filepatn$
            
                rv& = OpenFileDialog(hParent, _             ' parent window
                                     Caption$, _            ' caption
                                     filepatn$, _           ' filename
                                     "", _                  ' start directory
                                     filepatn$, _           ' filename filter
                                     "", _                  ' default extension
                                     %OFN_PATHMUSTEXIST or _
                                     %OFN_LONGNAMES or _
                                     %OFN_FILEMUSTEXIST or _
                                     %OFN_HIDEREADONLY)     ' flags
            
                If filepatn$ = test$ Then
                  FUNCTION = ""
                Else
                  FUNCTION = filepatn$
                End If
            
            END FUNCTION
            
            ' #########################################################################
          ------------------
          hutch at movsd dot com
          The MASM Forum

          www.masm32.com
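
The lookup described in posts #4 and #5, as an added example that is not part of the original thread or anyone's posted code: a bounds-checked Python reader that follows `e_lfanew` to the `Subsystem` WORD and, going one step beyond the posts, tells whether a file differs from a known-good copy only in that field. The function names and the header-only sample bytes are constructed for illustration.

```python
import struct

# Subsystem values relevant to this thread (anything else is reported as OTHER).
SUBSYSTEM_NAMES = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
OPTIONAL_MAGICS = (0x10B, 0x20B)   # PE32, PE32+
SUBSYSTEM_FIELD = 68               # offset inside the optional header (both magics)


def locate_subsystem(image: bytes):
    """Return (file_offset, value, name) of the Subsystem WORD, or raise ValueError."""
    if len(image) < 64 or image[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 60)       # last DOS header member
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)  # SizeOfOptionalHeader
    opt = e_lfanew + 24                                     # signature + file header
    field = opt + SUBSYSTEM_FIELD
    if opt_size < SUBSYSTEM_FIELD + 2 or field + 2 > len(image):
        raise ValueError("optional header too short for Subsystem")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in OPTIONAL_MAGICS:
        raise ValueError("unknown optional header magic")
    (value,) = struct.unpack_from("<H", image, field)
    return field, value, SUBSYSTEM_NAMES.get(value, "OTHER")


def only_subsystem_differs(known_good: bytes, candidate: bytes) -> bool:
    """True when candidate matches known_good everywhere except the Subsystem WORD."""
    if len(known_good) != len(candidate):
        return False
    field, _, _ = locate_subsystem(known_good)
    diffs = [i for i, (a, b) in enumerate(zip(known_good, candidate)) if a != b]
    return bool(diffs) and all(field <= i < field + 2 for i in diffs)


def build_sample(subsystem: int) -> bytes:
    """Constructed header-only image (not a runnable program) used as sample input."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                     # e_lfanew -> offset 64
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                    # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, SUBSYSTEM_FIELD, subsystem)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    console, gui = build_sample(3), build_sample(2)         # constructed samples
    print(locate_subsystem(console))
    print(locate_subsystem(gui))
    print(only_subsystem_differs(console, gui))
```
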



          • #6
            *drool* sensational, cheers Steve this'll keep me busy for hours


            ------------------
            -
