Changing some data in the data section

[Magnum]

It looks like offset 0 is the beginning of my data with 6Ah being the j character.

I would like to start with writing over parts of the .data section and then learn how to write over
a small part of my code WHILE my program is running or in memory AND write a new executable.

Andy

C:\masm32\SOURCE>PE
Section: .data, raw data:
Offset +0 +1 +2 +3 +4 +5 +6 +7 | ASCII
------------------------------ | --------
000000 6A 70 53 D9 84 8A 2A D9 | jpS┘ è ┘
000008 BC E2 DF 50 AC F3 49 E9 |  Γ▀P ≤IΘ
000010 00 20 00 00 00 00 00 00 |
000018 00 00 00 00 00 00 00 00 |
000020 00 00 00 00 00 00 00 00 |
000028 00 00 00 00 00 00 00 00 |
000030 00 00 00 00 00 00 00 00 |
000038 00 00 00 00 00 00 00 00 |
000040 00 00 00 00 00 00 00 00 |
000048 00 00 00 00 00 00 00 00 |

[x64Core]

to write in the .text section need to use VirtualProtect +  PAGE_EXECUTE_READWRITE to enable writeable into it.

regarding to .data section it's very easy but I guess you need something like this:
Get base address of the executable via FS resgiter ( it's a way very easy )

MOV EAX,FS:[30h]
MOV EAX,[EAX+08h]

then walk on the structures: IMAGE_DOS_HEADER,IMAGE_NT_HEADERS, up to the IMAGE_SECTION_HEADER of the .data section
checking the data section: ".data", get the VirtualAdress member and add your offset

[P1]

There are very few times, I needed to go around OS protection.  Most of those were killing off unwanted malicious software.

I would like to start with writing over parts of the .data section and then learn how to write over
a small part of my code WHILE my program is running or in memory AND write a new executable.

There must be a legitimate reason to go outside normal programming techniques here(Going around OS protection measures.), please share your programming goal ???

Regards,  P1   8)

[Magnum]

Nothing malicious or harmful.

My programming goal is to change MY code at runtime if certain conditions are met while my program is running.

A very simplistic example:

push 0
push 4
push eax
push 1fh
push -1

A very specific condition has been met while my code is running.

Then my program would change push -1 to push 0.

Then my program would write a new copy to disk with the new instruction.

I hope that was clear ?

Andy

[qWord]

You can't modify the executables image while it runs. You can only modify the code that is loaded into memory. The approach is the same as manipulating the image, except that - as RHL points out-  the Virtual* fields in the PE header are used.

[Magnum]

I've seen code that writes out a new program. I will search for more details as it has been awhile since I looked at it.

I have some code that would delete the original program.

Andy

[hutch--]

Andy,

What you are trying to do could be done in the DOS real mode era but later protected mode operating systems have specific protection mechanisms to prevent what you are trying to do. and it is primarily to increase the difficulty level of running malicious software. Now we know that you are OK but the questions you are asking are the types of things that virus and trojan writers want to know.

Now if needing to change an executable is what you want to do after a specific condition, there are other ways to do it, use an external patcher that can only be used when your EXE is not running and if necessary delete the patcher with your executable once it is run again. If you know what you are doing you can even store the patcher IN your executable, write it to disk and run it but you cannot change the disk image of an executable that is running.

[Magnum]

Hutch,

Your idea would help me achieve a goal.

I especially like storing the patcher in the executable.

If a specific condition occurs while my program is running, then and only then would my program create the patcher program.

Andy

[hutch--]

Andy,

To store an exe in another exe, look at the masm32 tool fda32.exe. You can also use the command line version, fda.exe. It creates an object module AND an include file so you know the length of the file. You write the data to disk with normal file IO.

To run the patcher you MUST shut down the exe you want to patch first, your patcher can restart it AFTER it has patched the original.

[Magnum]

I have stored an .exe in the past.

The patcher is what I will need to learn how to make.

[Magnum]

Found some code to give me a start with a patcher.

I have about 30 compilers errors to fix first.  :t

=> Open File with GetOpenFileName

=> Get the size of the file (GetFileSize)

=> Reserve the neccessary memory to load the file into memory (GlobalAlloc)

=> Load file in memory (ReadFile)

=> Search for the given string when button is pressed, and if a string has been inserted.

=> Output message (MessageBox)

=> Close file, free the used memory again, and close program.

[hfheatherfox07]

Found some code to give me a start with a patcher.

I have about 30 compilers errors to fix first.  :t

=> Open File with GetOpenFileName

=> Get the size of the file (GetFileSize)

=> Reserve the neccessary memory to load the file into memory (GlobalAlloc)

=> Load file in memory (ReadFile)

=> Search for the given string when button is pressed, and if a string has been inserted.

=> Output message (MessageBox)

=> Close file, free the used memory again, and close program.

I was waiting to see how long it would take you to Google ...... 2005 long ago this stuff was available
May I suggest looking up on that same site his first tut , that would explain better what you are asking to do !
Now you will see that Step one-- is to do a binary edit with your debugger (so called patch my own code only)
All a patcher does is write your new bytes to your exe .....
Which is why that raises some eye brows ....The only purpose of a patcher is for some one who wants to modify an exe and has the know how, to make that modification available to others who just " press a button " to modify an exe
If you read  "End-User Licence Agreement (EULA)"  you will see that doing so is against the law
we are not saying that you are up to that ....but we can not have people get that source here ....
can you imagine that they use it for other purposes and get caught ....say they leaned that here ?

If all you want to do is to modify your own PE ...there is no need for a patcher! Step one is to modify that code in the debugger yourself ....Step Two is to make a patcher so every body can modify that particular exe

That is how all patchers work!


I am not suggesting that you are up to no good .... but if say some one did find that source here and modified even one byte in an app protected by "End-User Licence Agreement (EULA)"  .... it would make an unpleasant day for us.

Also there are dozens of sites that are glad to participate in such en devours

[Magnum]

I respect your opinion, but I am not coming close to violating ANY laws.

I had already planned that I will NOT be posting the source here.

I may post very small snips in another language to get help as well as dummy code.

Have a beer and relax. 

I sometimes think the worst in situations.

Andy

[hutch--]

 

> The only purpose of a patcher is for some one who wants to modify an exe and has the know how, to make that modification available to others who just " press a button " to modify an exe

Mah, there has been many reasons to make binary patchers over time, for many years Microsoft and other companies used to use patchers to upgrade software, this was done with earlier versions of ML.EXE for example. Then some exe files store their settings directly in their own address space and have an external patcher to change the settings. One of my editors does that. Binary modification does not belong to the bad guys, its been part of programming since computers were first around.

[hfheatherfox07]

I agree Hutch that patchers started out that way....and I apologize to Magnum
I am personally have not made any app yet that I distributed on mass that needs patching
I am just now starting on hopefully making tiny utilities (open source)that might be of some use
To some one (I hope)

Can you please clarify if we are allowed to have patch sources on an open forum?
For example .... I know the source that Magnum is taking about .... I have repaired that source years ago
If Magnum needs help can we post ?


Thank you ,