Patch my code

[Magnum]

before you spend a lot of time on this, Andy....

i think windows 7 will bark if you alter an executable file
i know that some AV's will flag it as infected

maybe you can make an entry in the registry or alter an INI file that is hidden away someplace   :t

I am not worried about it running on windows 7. I will insert code to check on Windows 7, and then give a message saying condolences for spending money on it.  :t

There is one well known flaw that is present in Vista and Win 7, but not on earlier Windows versions.

[Magnum]

Mein Freund,

My code for my project is 32 bit, unless you are talking your older code being run on XP.

Future project is a nanomite.

Andy

Vergessen Sie nicht die 5 Ps. Die richtige Planung verhindert schlechte Ergebnisse.

[dedndave]

in that case, you want to read the EXE header in and parse it
there is an MZ section, which has a pointer to the PE section
then, in the PE section is a table that has offsets into the file of the different PE sections
once you find the .DATA section (if that's the one you want), you can go from there with a data offset

what you want is the PE/COFF version 8 spec, which Hutch converted into a nice PDF someplace   :P

[Magnum]

Is the data offset one of these ?

Characteristics               0xc0000040
  SCN_CNT_INITIALIZED_DATA    0x40
  SCN_MEM_READ                0x40000000
  SCN_MEM_WRITE               0x80000000
PointerToRawData              2048  (0x800)
VirtualAddress                0x403000
VirtualSize                   100  (0x64)
SizeOfRawData                 512  (0x200)

[dedndave]

in this pic, you can see the DOS MZ header, followed by the DOS "stub"
at the end of the MZ header, is an offset to the PE header (00000080h, in this case)
i think it's always at offset 3Ch
following the "PE" marker are some offsets to the different section descriptors
if you follow this link, it will give you more details, i think...

http://mirror.sweon.net/madchat/vxdevl/papers/winsys/pefile/pefile.htm

[Magnum]

If I understand correctly, I am looking for the offset to the .data section.

Andy

[dedndave]

yes look at the spec - or that link i posted
after the PE marker, there is a location that will give you an offset (PE-relative) to the section table
there is also an entry that tells you how many sections you have
then, you have to parse to find the .data section header
after the text ".data", there is an offset and size

if you wanted to know where it winds up when loaded, you'd have to calculate the RVA
but, i don't think you have to do that to locate it in the PE file

[hutch--]

Andy,

If its a file on disk, the easiest way to locate the section you want to write into is to build the executable with markers in it. Now this can be either data or code sections, for data you make an entry that has a recognisable content, "XXXXXXXXXXXXXXXXXXXXXXXX" etc .... then when you open the file on disk to patch it, you just scan for the marker. If it in the code section that you want to patch then you need to make a jump over a location but the same logic holds, place a marker in a DB block them look for it when patching the EXE.

If its "in memory" patching, we may think you are trying to do something naughty. 

[Magnum]

Thanks Hutch.

From a previous post I made, I thought it was clear enough to understand.

I have never written nor solicited any code that would harm anyone.

There are some, who know me well, know I can be trusted and have helped me thru PMs.

<I just want my program, based on what is in one particular register and in one memory location,  to change a few things in my data section <and replace a few statements in one procedure and then write it back to disk.

Andy

happynews.com

[Gunther]

Andy,

I have never written nor solicited any code that would harm anyone.

I've no doubts about that, because you're a serious coder. I think that Steve made a little joke. 

Gunther

[dedndave]

we're not worried about you Andy
at least, not for that   :P

[qWord]

If I understand correctly, I am looking for the offset to the .data section.

You can find this information is the section header (IMAGE_SECTION_HEADER.PointerToRawData). See the example in the attachment.

[Magnum]

I am having problems with the code.

When I saw inkey, I thought it was a console program.

I have tried assembling it as a console and as a GUI.

I am going to take a break from coding.

Andy

[qWord]

I am having problems with the code.

OK

I have tried assembling it as a console and as a GUI.

It is a console application that also use a dialog for selecting the file.

I am going to take a break from coding.

[hfheatherfox07]

@qWord
I am getting errors as well ......

Code Select Expand

C:\Masm32\Bin\ML.EXE /c /coff /Cp /nologo /I"C:\Masm32\Include" "C:\PE.asm"
Assembling: C:\PE.asm
C:\PE.asm(131) : error A2008: syntax error : &
fn(5): Macro Called From
  C:\PE.asm(131): Main Line Code
C:\PE.asm(144) : error A2008: syntax error : &
rv(5): Macro Called From
  C:\PE.asm(144): Main Line Code
C:\PE.asm(145) : error A2008: syntax error
C:\PE.asm(146) : error A2008: syntax error : cbSize
C:\PE.asm(147) : error A2008: syntax error
C:\PE.asm(158) : fatal error A1011: directive must be in control block

Make error(s) occured.
Total compile time 234 ms

Do you have a modified macro.asm by any chance?