The MASM Forum

64 bit assembler => 64 bit assembler. Conceptual Issues => Topic started by: phaap on June 05, 2012, 11:44:12 PM

Title: PE64-Header modification -> CreateWindowExA return 0
Post by: phaap on June 05, 2012, 11:44:12 PM
Hello,
after i erased the dos-stub and the 'rich-edit-header' and adapted the rva's, offsets, header- and filesize in all headers and tables/directories, createwindowexa always returns 0 - that seems to be the problem - no error message from windows, and ida-debugger loads the executable without an error, too... also the alignment is the same (0x10) - the unmodified executable works fine (returns a hwnd and shows the window too)
does someone have an idea?!?
greets phaap
Title: Re: PE64-Header modification -> CreateWindowExA return 0
Post by: qWord on June 05, 2012, 11:54:41 PM
Quote from: phaap on June 05, 2012, 11:44:12 PM
have someone an idea?!?
yes, do not modify the executable :idea:
Title: Re: PE64-Header modification -> CreateWindowExA return 0
Post by: dedndave on June 06, 2012, 12:00:49 AM
 :biggrin:

Patient: Doc, it hurts when i do "this".
Doctor: Then, don't do "that".

you could always try GetLastError
Title: Re: PE64-Header modification -> CreateWindowExA return 0
Post by: phaap on June 06, 2012, 12:42:24 AM
thanks for replies!
i know that modifying the pe-header(s) isn't the proper way  :biggrin:
...but this fact doesn't keep me from doing that  ::)
...yes dedndave, calling getlasterror was also my next idea - but i have to compile the sourcecode AND modify the executable by HAND via HexEditor  :icon_eek: - i don't know if it's easier or possible at all to do that with 'cff explorer' from explorer suite (i'm not familiar with the capabilities), i just use it to check the exec after modification.
furthermore i still did the same successfully without this kind of 'error' even with nearly the same sourcecode.
but it seems i have to do the job and add 'getlasterror' - i'll report the result later this day...
regards phaap
Title: Re: PE64-Header modification -> CreateWindowExA return 0
Post by: phaap on June 06, 2012, 12:49:23 AM
[content removed]
Title: Re: PE64-Header modification -> CreateWindowExA return 0
Post by: qWord on June 06, 2012, 12:56:47 AM
So?
What are your intentions?
Title: Re: PE64-Header modification -> CreateWindowExA return 0
Post by: dedndave on June 06, 2012, 01:07:20 AM
i don't think his intentions matter

http://masm32.com/board/index.php?topic=4.msg5#msg5
Title: Re: PE64-Header modification -> CreateWindowExA return 0
Post by: ragdog on June 06, 2012, 02:17:48 AM
Hi

You erased the DOS header and the Microsoft Rich Signature? You don't erase it, you overwrite it with null bytes.
And why erase it?? The filesize is the same ::)

To erase the Microsoft Rich Signature without overwriting it with null bytes, you can patch the linker.

The Microsoft Rich Signature is a double-word key with XOR encryption for storing linker data.
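
The XOR-keyed layout mentioned in the post above, as an added example that is not part of the original thread: a small parser that decodes the Rich header and reports when it is absent or damaged, which is a common triage check for executables that were edited after linking. The layout used here ("DanS" start marker, three padding dwords, comp-id/count pairs, plaintext "Rich" plus key) is the commonly documented reverse-engineered one, not something stated on this page; all function names and the sample image are constructed for illustration.

```python
import struct

def parse_rich_header(image: bytes):
    """Decode the Rich header; return (key, [(product_id, build, count), ...]) or None."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    region = image[:e_lfanew]                  # the header sits before the PE signature
    end = region.find(b"Rich")                 # trailer: plaintext "Rich" + 4-byte key
    if end < 0 or end + 8 > len(region):
        return None
    key = struct.unpack_from("<I", region, end + 4)[0]
    key_bytes = struct.pack("<I", key)
    marker = bytes(a ^ b for a, b in zip(b"DanS", key_bytes))
    start = region.find(marker, 0, end)        # start marker is "DanS" XOR key
    if start < 0 or (end - start) % 8:
        return None
    entries = []
    # Skip "DanS" and three padding dwords, then read (comp_id, count) pairs.
    for off in range(start + 16, end, 8):
        comp_id, count = (v ^ key for v in struct.unpack_from("<II", region, off))
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count))
    return key, entries

def build_sample(key=0x1234ABCD, entries=((0x0001, 0, 5), (0x00AB, 30319, 2))):
    """Constructed test image: DOS header, Rich header, PE signature. Values are made up."""
    dwords = [0x536E6144, 0, 0, 0]             # "DanS" as a little-endian dword + padding
    for product_id, build, count in entries:
        dwords += [(product_id << 16) | build, count]
    rich = b"".join(struct.pack("<I", d ^ key) for d in dwords)
    rich += b"Rich" + struct.pack("<I", key)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40 + len(rich))
    return bytes(dos) + rich + b"PE\0\0"

def strip_check(image: bytes) -> str:
    """Triage label: was a decodable Rich header found?"""
    return "rich-present" if parse_rich_header(image) else "rich-absent-or-damaged"

if __name__ == "__main__":
    sample = build_sample()
    print(parse_rich_header(sample))
    # Same constructed image with the Rich region overwritten by null bytes.
    zeroed = sample[:0x40] + bytes(len(sample) - 0x44) + b"PE\0\0"
    print(strip_check(zeroed))
```
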

Title: Re: PE64-Header modification -> CreateWindowExA return 0
Post by: phaap on June 06, 2012, 04:28:41 AM
thanks for replies!
i solved the problem - no, the filesize is NOT the same - cause i don't overwrite it, i delete the stuff - small dos-stub is now located in the dos-header - not the same, but clear enough for dos-users  :eusa_boohoo:

@ragdog: can you tell me what you mean by 'patch the linker'?!?

@dedndave: why did you link me to the rules of the forum?!?

regards phaap
Title: Re: PE64-Header modification -> CreateWindowExA return 0
Post by: BogdanOntanu on June 06, 2012, 05:20:54 AM
Because The Rules of the forums DO NOT allow for such stuff ...

Quote
...
but there will be no viral or trojan technology allowed including technical data under the guise of AV technology, no cracking and similar activities in the guise of "Reverse Engineering", no hacking techniques or related technology
...

Now... please explain to me what the purpose of changing the PE headers this way is ...eh?   :greensml: