Archive for the ‘PE’ Category

Delete version Info

Simple module to delete version info from a PE file.

'---------------------------------------------------------------------------------------
' Module      : mDelRes
' DateTime    : 16/05/2009 18:53
' Author      : Cobein
' Mail        : cobein27@hotmail.com
' WebPage     : http://www.advancevb.com.ar
' Purpose     : Delete Version Info from a PE file
' Usage       : At your own risk
' Requirements: None
' Distribution: You can freely use this code in your own
'               applications, but you may not reproduce
'               or publish this code on any web site,
'               online service, or distribute as source
'               on any media without express permission.
'
' History     : 16/05/2009 First Cut....................................................
'               16/05/2009  Replace PADDING string Added...........................
'---------------------------------------------------------------------------------------
Option Explicit

Private Const RT_VERSION    As Long = 16
Private Const FINDTHIS      As String = "PADDINGXXPADDING"

Private Declare Function BeginUpdateResource Lib "kernel32" Alias "BeginUpdateResourceA" (ByVal pFileName As String, ByVal bDeleteExistingResources As Long) As Long
Private Declare Function EndUpdateResource Lib "kernel32" Alias "EndUpdateResourceA" (ByVal lUpdate As Long, ByVal fDiscard As Long) As Long
Private Declare Function UpdateResource Lib "kernel32" Alias "UpdateResourceA" (ByVal lUpdate As Long, ByVal lpType As Long, ByVal lpName As Long, ByVal wLanguage As Long, lpData As Any, ByVal cbData As Long) As Long
Private Declare Function GetFileVersionInfo Lib "Version.dll" Alias "GetFileVersionInfoA" (ByVal lptstrFilename As String, ByVal dwhandle As Long, ByVal dwlen As Long, lpData As Any) As Long
Private Declare Function GetFileVersionInfoSize Lib "Version.dll" Alias "GetFileVersionInfoSizeA" (ByVal lptstrFilename As String, lpdwHandle As Long) As Long
Private Declare Function VerQueryValue Lib "Version.dll" Alias "VerQueryValueA" (pBlock As Any, ByVal lpSubBlock As String, lplpBuffer As Any, puLen As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (dest As Any, Source As Any, ByVal Length As Long)

Public Function DelVerInfoResource(ByVal sFile As String, Optional bReplacePadd As Boolean = True) As Boolean
    Dim lUpdate     As Long
    Dim lLangId     As Long

    ' The version resource is stored per language, and UpdateResource needs
    ' the exact (type, name, language) triple, so read the language ID first.
    ' Name 1 (VS_VERSION_INFO) is what every standard linker emits.
    lLangId = GetLangID(sFile)
    If lLangId <> 0 Then
        lUpdate = BeginUpdateResource(sFile, False)
        If lUpdate <> 0 Then
            ' lpData = NULL with cbData = 0 tells UpdateResource to delete the
            ' resource. NULL must go ByVal: a ByRef 0 would pass the address
            ' of a temporary and add an empty resource instead of deleting.
            If UpdateResource(lUpdate, RT_VERSION, 1, lLangId, ByVal 0&, 0) <> 0 Then
                If EndUpdateResource(lUpdate, False) <> 0 Then

                    If bReplacePadd Then
                        ' The rewritten .rsrc section is filled with the string
                        ' "PADDINGXXPADDING", a well-known tell that resources
                        ' were modified. Overwrite it with NULs in place.
                        Dim iFile       As Integer
                        Dim sBuff       As String
                        Dim sReplace    As String

                        sReplace = String$(Len(FINDTHIS), vbNullChar)
                        iFile = FreeFile
                        Open sFile For Binary Access Read Write As iFile
                        sBuff = Space$(LOF(iFile))
                        Get iFile, , sBuff
                        sBuff = Replace$(sBuff, FINDTHIS, sReplace)
                        Put iFile, 1, sBuff
                        Close iFile
                    End If

                    DelVerInfoResource = True
                    Exit Function
                End If
            End If
            ' Something failed: discard the pending update.
            Call EndUpdateResource(lUpdate, True)
        End If
    End If
End Function

Private Function GetLangID(ByVal sFile As String) As Long
    Dim lLen        As Long
    Dim lHandle     As Long
    Dim bvBuffer()  As Byte
    Dim lVerPointer As Long
    Dim iVal        As Integer

    ' Size of the VS_VERSIONINFO block; 0 means there is no version resource.
    lLen = GetFileVersionInfoSize(sFile, lHandle)

    If lLen <> 0 Then
        ReDim bvBuffer(lLen)
        If GetFileVersionInfo(sFile, 0&, lLen, bvBuffer(0)) <> 0 Then

            ' \VarFileInfo\Translation is an array of DWORDs: low WORD is the
            ' language ID, high WORD the code page. Only the first is used, so
            ' a file with several translations keeps its other version blocks.
            If VerQueryValue(bvBuffer(0), _
               "\VarFileInfo\Translation", _
               lVerPointer, _
               lLen) <> 0 Then

                CopyMemory iVal, ByVal lVerPointer, 2
                ' Mask to avoid sign extension for IDs above &H7FFF.
                ' Caveat: LANG_NEUTRAL (0) is indistinguishable from failure.
                GetLangID = iVal And &HFFFF&

            End If
        End If
    End If

End Function
Categories: Code, PE

PE machine type

A pretty simple source to determine what machine type the PE was compiled for. It's useful, for instance, if you are coding a crypter and you want to make sure the PE is not a 64-bit app: check both the Machine field of the file header and the Magic of the optional header (0x10B for PE32, 0x20B for PE32+), since a file whose two values disagree is malformed or tampered.

Categories: PE

Lazy way to rebase a PE

A small snippet showing how to rebase a PE file the lazy way: let imagehlp's ReBaseImage do the work. The PE must have a relocation table (a .reloc section) in order to be rebased; an image linked with relocations stripped cannot be moved this way.

'---------------------------------------------------------------------------------------
' Module      : mReBaseImage
' DateTime    : 20/03/2009 21:32
' Author      : Cobein
' Mail        : cobein27@hotmail.com
' WebPage     : http://www.advancevb.com.ar
' Purpose     : Change PE Base Address
' Usage       : At your own risk
' Requirements: None
' Distribution: You can freely use this code in your own
'               applications, but you may not reproduce
'               or publish this code on any web site,
'               online service, or distribute as source
'               on any media without express permission.
'
' Reference   : http://msdn.microsoft.com/en-us/library/aa363364(VS.85).aspx
'
' History     : 20/03/2009 First Cut....................................................
'---------------------------------------------------------------------------------------
Option Explicit

Private Declare Function ReBaseImage Lib "imagehlp.dll" (ByVal CurrentImageName As String, ByVal SymbolPath As String, ByVal fReBase As Long, ByVal fRebaseSysfileOk As Long, ByVal fGoingDown As Long, ByVal CheckImageSize As Long, ByVal OldImageSize As Long, ByVal OldImageBase As Long, ByVal NewImageSize As Long, ByVal NewImageBase As Long, ByVal TimeStamp As Long) As Long

'---------------------------------------------------------------------------------------
' Procedure : ReBase
' Purpose   : Change base address
' Parameters:
'               [in] sFile: File Path
'               [in] lNewBase: new base address (between &H1000000 and &H80000000, in steps of &H10000, according to vbAccelerator)
'               [out] ReBase: True on success
'---------------------------------------------------------------------------------------
Public Function ReBase(ByVal sFile As String, ByVal lNewBase As Long) As Boolean
    Dim lNewSize As Long
    Dim lOldBase As Long
    Dim lOldSize As Long

    ' fReBase = 1 applies the relocations, fRebaseSysfileOk = 1 allows system
    ' images, fGoingDown = 0 rebases upward from the requested base. The size
    ' and base arguments are ULONG* in the real prototype, so VarPtr() is
    ' passed through the ByVal Long slots; lNewBase is updated in place to
    ' the 64KB boundary actually used. The API returns a BOOL, so use it.
    ReBase = ReBaseImage(sFile, vbNullString, 1, 1, 0, 0, _
       VarPtr(lOldSize), VarPtr(lOldBase), _
       VarPtr(lNewSize), VarPtr(lNewBase), 0) <> 0

    Debug.Print "OldBase: 0x" & Hex(lOldBase), "OldSize: 0x" & Hex(lOldSize)
    Debug.Print "NewBase: 0x" & Hex(lNewBase), "NewSize: 0x" & Hex(lNewSize)

End Function
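The lazy way hands everything to ReBaseImage, which hides what a rebase actually is: every absolute address recorded in the .reloc section gets the delta between the old and the new image base added to it (and the ImageBase field and checksum are updated). The following is an added example, not code from this post, that applies IMAGE_BASE_RELOCATION blocks by hand to a constructed flat image (RVA == offset, as for a module mapped in memory); the image, its pointers and its relocation block are made up for the demonstration.

```python
"""Applying PE base relocations by hand (added example, not from the post).
The image below is constructed: three absolute pointers on page 0x1000 and
one relocation block on page 0x2000 describing them."""
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skipped
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address (PE32)
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address (PE32+)


def apply_relocations(image, old_base, new_base, reloc_rva, reloc_size):
    """Walk the IMAGE_BASE_RELOCATION blocks and add (new_base - old_base)
    to every address they point at. Returns the number of fixups applied."""
    delta = new_base - old_base
    pos, end, fixed = reloc_rva, reloc_rva + reloc_size, 0
    while pos + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", image, pos)
        if block_size < 8 or pos + block_size > end:
            raise ValueError("corrupt relocation block at 0x%x" % pos)
        # Each entry is a WORD: high 4 bits = type, low 12 bits = page offset
        for off in range(pos + 8, pos + block_size, 2):
            entry, = struct.unpack_from("<H", image, off)
            rel_type, target = entry >> 12, page_rva + (entry & 0xFFF)
            if rel_type == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if rel_type == IMAGE_REL_BASED_HIGHLOW:
                val, = struct.unpack_from("<I", image, target)
                struct.pack_into("<I", image, target, (val + delta) & 0xFFFFFFFF)
            elif rel_type == IMAGE_REL_BASED_DIR64:
                val, = struct.unpack_from("<Q", image, target)
                struct.pack_into("<Q", image, target, (val + delta) & 0xFFFFFFFFFFFFFFFF)
            else:
                raise ValueError("unsupported relocation type %d" % rel_type)
            fixed += 1
        pos += block_size
    return fixed


def build_sample_image(base):
    """Constructed 3-page image; returns (image, reloc_rva, reloc_size)."""
    image = bytearray(0x3000)
    struct.pack_into("<I", image, 0x1000, base + 0x1234)   # pointer into code
    struct.pack_into("<I", image, 0x1010, base + 0x2000)   # pointer into data
    struct.pack_into("<I", image, 0x1020, base + 0x1000)   # pointer to itself
    entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | 0x000,
               (IMAGE_REL_BASED_HIGHLOW << 12) | 0x010,
               (IMAGE_REL_BASED_HIGHLOW << 12) | 0x020,
               IMAGE_REL_BASED_ABSOLUTE]                    # pad to DWORD size
    block = struct.pack("<II", 0x1000, 8 + 2 * len(entries)) + struct.pack("<4H", *entries)
    image[0x2000:0x2000 + len(block)] = block
    return image, 0x2000, len(block)


def rebase_sample(old_base=0x400000, new_base=0x10000000):
    """Rebase the constructed image and return (fixups, patched pointers)."""
    image, rva, size = build_sample_image(old_base)
    fixed = apply_relocations(image, old_base, new_base, rva, size)
    ptrs = [struct.unpack_from("<I", image, o)[0] for o in (0x1000, 0x1010, 0x1020)]
    return fixed, ptrs


if __name__ == "__main__":
    n, ptrs = rebase_sample()
    print(n, [hex(p) for p in ptrs])
```

This is exactly why a file with IMAGE_FILE_RELOCS_STRIPPED cannot be rebased: without the block list there is no way to know which DWORDs in the image are addresses and which are data.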
Categories: Code, PE

Read Exe Details

I was needing this code for a program I was doing, not a hax0r thing. I googled for it without much luck, so I coded it and I'll share it for anyone who needs it. This is a module to read PE details (Company Name, Version Info, Description, etc.).

mExeDetails

Categories: PE

Cloaking libraries in a remote process

Recycling some source, I created a small module to cloak libraries in a remote process, similar to what some game cheats do.

Brief explanation:

Basically, we first use NtQueryInformationProcess to obtain the PEB address of the remote process. This structure contains a lot of useful information, but we only use LoaderData (a pointer to a PEB_LDR_DATA structure). PEB_LDR_DATA holds the heads of three doubly linked lists of loaded modules (load order, memory order and initialization order), each entry being a LDR_DATA_TABLE_ENTRY. We scan the lists for our DLL and remove its entry by rewriting the Flink of the previous entry and the Blink of the next one. Note that this only hides the module from anything that enumerates the loader lists (Module32First/Next, EnumProcessModules, the PEB walk in a debugger); the DLL stays mapped, so a VAD walk or a memory scan still finds it.
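The pointer surgery described above, as an added example that is not part of the original module: the "remote process" is a bytearray standing in for ReadProcessMemory/WriteProcessMemory, and the layout uses the real 32-bit offsets of the three LIST_ENTRY fields in PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY plus DllBase, with every other field omitted (the module addresses and bases are constructed).

```python
"""Unlinking a module from the three loader lists (added example, not from
the post). Memory is a bytearray; offsets below are the x86 ones for the
LIST_ENTRY fields and DllBase, all other fields are left out (constructed)."""
import struct

LDR_HEADS = {"load": 0x0C, "memory": 0x14, "init": 0x1C}     # PEB_LDR_DATA
ENTRY_LINKS = {"load": 0x00, "memory": 0x08, "init": 0x10}   # LDR_DATA_TABLE_ENTRY
ENTRY_DLLBASE = 0x18


def rd(mem, addr):
    return struct.unpack_from("<I", mem, addr)[0]


def wr(mem, addr, value):
    struct.pack_into("<I", mem, addr, value)


def link(mem, prev_le, next_le):
    """prev_le.Flink = next_le; next_le.Blink = prev_le (LIST_ENTRY = 2 DWORDs)."""
    wr(mem, prev_le, next_le)
    wr(mem, next_le + 4, prev_le)


def build_process(ldr, modules):
    """modules: [(entry_addr, dll_base)]. Builds the three circular lists in
    that order, as ntdll leaves them after loading (simplified: the real
    init-order list does not contain the EXE itself)."""
    mem = bytearray(0x1000)
    for addr, base in modules:
        wr(mem, addr + ENTRY_DLLBASE, base)
    for name, head_off in LDR_HEADS.items():
        chain = [ldr + head_off] + [a + ENTRY_LINKS[name] for a, _ in modules]
        for i in range(len(chain)):
            link(mem, chain[i], chain[(i + 1) % len(chain)])
    return mem


def walk(mem, ldr, name):
    """Return the DllBase of every module reachable from one list head."""
    head = ldr + LDR_HEADS[name]
    bases, cur = [], rd(mem, head)
    while cur != head:
        entry = cur - ENTRY_LINKS[name]          # CONTAINING_RECORD
        bases.append(rd(mem, entry + ENTRY_DLLBASE))
        cur = rd(mem, cur)
    return bases


def unlink_module(mem, ldr, dll_base):
    """Drop the entry for dll_base from all three lists by rewriting its
    neighbours; the entry itself is left as is. Returns lists touched."""
    removed = 0
    for name in LDR_HEADS:
        head = ldr + LDR_HEADS[name]
        cur = rd(mem, head)
        while cur != head:
            entry = cur - ENTRY_LINKS[name]
            if rd(mem, entry + ENTRY_DLLBASE) == dll_base:
                flink, blink = rd(mem, cur), rd(mem, cur + 4)
                wr(mem, blink, flink)            # prev.Flink = next
                wr(mem, flink + 4, blink)        # next.Blink = prev
                removed += 1
                break
            cur = rd(mem, cur)
    return removed


def demo():
    ldr = 0x100
    modules = [(0x200, 0x400000), (0x300, 0x7C900000), (0x400, 0x10000000)]
    mem = build_process(ldr, modules)
    before = walk(mem, ldr, "load")
    removed = unlink_module(mem, ldr, 0x10000000)
    after = {name: walk(mem, ldr, name) for name in LDR_HEADS}
    # The hidden entry still points at its old neighbours: an LDR entry that
    # no list references is one artefact a forensic memory scan can look for.
    orphan_blink = rd(mem, 0x400 + ENTRY_LINKS["load"] + 4)
    return before, removed, after, orphan_blink


if __name__ == "__main__":
    print(demo())
```

In the real thing the three reads and two writes per list become ReadProcessMemory/WriteProcessMemory calls against the remote PEB, and the DllBase compare is usually replaced by a case-insensitive match on BaseDllName.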

Cloaking DLLS

Categories: PE

RunPe and CallAPIByName

A class module for exe injection and API execution, using only CopyMemory. The project must be compiled in P-Code to run due to a problem in the kernel base code; tested on XP and Vista.

RunPE

Categories: PE

Get/Set ModuleFileName

Just a small example showing how to get or set the ModuleFileName (AKA App.Path); thanks to Karcrack for the original example.

Get-Set ModName

Categories: PE

PE Realign

A small module to realign PE sections.

PE_Realign

Categories: PE

Walking the EAT (updated 6/16)

This is a simple function to emulate GetProcAddress: it reads the EAT (Export Address Table) of a loaded module and returns the memory address of the desired API. It uses only RtlMoveMemory.

Added support for forwarded exports (entries whose "address" is really a "DLL.Function" string inside the export directory).

Walk Export Fix
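The same walk, as an added example that is not the module linked above: it resolves by name (binary search over the sorted name table, as the loader does) or by biased ordinal, and treats an address that falls inside the export directory as a forwarder. The module image is constructed (RVA == offset, only the export directory and the strings it references are populated); the export names and the forwarder target are made up.

```python
"""Emulating GetProcAddress over the export directory, with forwarders
(added example, not from the post). The image is constructed test data."""
import struct

EXPORT_DIR_FMT = "<IIHHIIIIIII"   # IMAGE_EXPORT_DIRECTORY, 40 bytes


def read_cstr(image, rva):
    return image[rva:image.index(b"\x00", rva)].decode("ascii")


def get_proc_address(image, export_rva, export_size, proc):
    """`proc` is an export name or an ordinal (int).
    Returns ("rva", rva), ("forward", "DLL.Name") or None."""
    (_, _, _, _, _, base, n_funcs, n_names,
     funcs_rva, names_rva, ords_rva) = struct.unpack_from(EXPORT_DIR_FMT, image, export_rva)

    if isinstance(proc, int):
        index = proc - base                      # ordinals are biased by Base
    else:
        lo, hi, index = 0, n_names - 1, None      # name table is sorted
        while lo <= hi:
            mid = (lo + hi) // 2
            name = read_cstr(image, struct.unpack_from("<I", image, names_rva + 4 * mid)[0])
            if name == proc:
                index = struct.unpack_from("<H", image, ords_rva + 2 * mid)[0]
                break
            if name < proc:
                lo = mid + 1
            else:
                hi = mid - 1
        if index is None:
            return None

    if not 0 <= index < n_funcs:
        return None
    func_rva = struct.unpack_from("<I", image, funcs_rva + 4 * index)[0]
    if func_rva == 0:
        return None                              # unused slot in a sparse table
    if export_rva <= func_rva < export_rva + export_size:
        return ("forward", read_cstr(image, func_rva))   # forwarder string
    return ("rva", func_rva)


def build_sample_image():
    """Constructed module with three named exports, one forwarded."""
    image = bytearray(0x3000)
    export_rva, export_size = 0x1000, 0x200
    funcs_rva, names_rva, ords_rva = 0x1030, 0x1040, 0x1050
    strings = {"kernel32.dll": 0x1080, "CreateFileW": 0x1090, "HeapAlloc": 0x10A0,
               "OpenProcess": 0x10B0, "NTDLL.RtlAllocateHeap": 0x10C0}
    for s, rva in strings.items():
        image[rva:rva + len(s)] = s.encode("ascii")
    # Function table (index = ordinal - Base): two code RVAs, one forwarder
    # string RVA (inside the export directory), one unused slot.
    struct.pack_into("<4I", image, funcs_rva, 0x2000, 0x2100, 0x10C0, 0)
    # Sorted name table and the function index each name maps to
    struct.pack_into("<3I", image, names_rva, 0x1090, 0x10A0, 0x10B0)
    struct.pack_into("<3H", image, ords_rva, 0, 2, 1)
    struct.pack_into(EXPORT_DIR_FMT, image, export_rva,
                     0, 0, 0, 0, 0x1080, 1, 4, 3, funcs_rva, names_rva, ords_rva)
    return image, export_rva, export_size


if __name__ == "__main__":
    img, rva, size = build_sample_image()
    for p in ("CreateFileW", "HeapAlloc", 2, 4):
        print(p, get_proc_address(img, rva, size, p))
```

A real implementation reads export_rva and export_size from DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT] of the module's optional header, adds the module base to the returned RVA, and on a forwarder loads the named DLL and recurses.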

Categories: PE

Update PE Checksum

The checksum is a DWORD in the optional header (IMAGE_OPTIONAL_HEADER.CheckSum) that the linker fills in when the file is created (with MSVC only when /RELEASE is set; otherwise it is left at zero). It is a ones' complement sum of the file's 16-bit words, with the field itself excluded, plus the file size, so any change to the file invalidates it and it must be recomputed after every edit; imagehlp exposes the algorithm as CheckSumMappedFile / MapFileAndCheckSum. Note that the loader only enforces it for drivers and a few system DLLs: a user-mode executable with a wrong checksum still runs, but the mismatch is one of the first things an analyst or a scanner flags as evidence of tampering.
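The following added example (mine, not code from this or the "PE machine type" post above) covers both posts on one constructed header: it reads Machine and the optional header Magic and cross-checks them, then implements the CheckSumMappedFile algorithm with the field excluded and the odd trailing byte handled, and rewrites the field. The two headers-only "files" it builds are test data and would not run.

```python
"""Machine type check and PE checksum maintenance (added example, not from
the posts). build_minimal_pe() produces constructed headers-only test data."""
import struct

IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64 = 0x014C, 0x8664
IMAGE_FILE_MACHINE_ARMNT, IMAGE_FILE_MACHINE_ARM64 = 0x01C4, 0xAA64
MACHINE_NAMES = {0x014C: "I386", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def nt_headers_offset(data):
    """Validate the MZ and PE signatures and return the offset of 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + 20 + 2 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew or missing PE signature")
    return e_lfanew


def parse_machine(data):
    """Machine from IMAGE_FILE_HEADER and Magic from the optional header.
    'consistent' is False when the two disagree (64-bit machine in a PE32
    header or vice versa), which a crypter should reject outright."""
    nt = nt_headers_offset(data)
    machine = struct.unpack_from("<H", data, nt + 4)[0]
    magic = struct.unpack_from("<H", data, nt + 4 + 20)[0]
    pe32plus = magic == PE32PLUS_MAGIC
    is_64 = machine in (IMAGE_FILE_MACHINE_AMD64, IMAGE_FILE_MACHINE_ARM64)
    return {"machine": machine, "name": MACHINE_NAMES.get(machine, "unknown"),
            "pe32plus": pe32plus,
            "consistent": magic in (PE32_MAGIC, PE32PLUS_MAGIC) and pe32plus == is_64}


def checksum_field_offset(data):
    return nt_headers_offset(data) + 4 + 20 + 64   # same offset in PE32 and PE32+


def pe_checksum(data):
    """Ones' complement sum of all 16-bit words, CheckSum field treated as
    zero, carries folded back in, plus the file length."""
    skip, total = checksum_field_offset(data), 0
    for off in range(0, len(data), 2):
        if skip <= off < skip + 4:
            continue
        word = data[off] | (data[off + 1] << 8) if off + 1 < len(data) else data[off]
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(data)


def verify_checksum(data):
    stored = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    return stored != 0 and stored == pe_checksum(data)


def update_checksum(data):
    """Rewrite the CheckSum field; call this after every edit to the file."""
    struct.pack_into("<I", data, checksum_field_offset(data), pe_checksum(data))
    return data


def build_minimal_pe(machine, pe32plus):
    """Constructed 513-byte headers-only file: DOS stub, file header with
    the given Machine, optional header with the matching Magic, odd tail."""
    data = bytearray(0x201)
    data[:2] = b"MZ"
    struct.pack_into("<I", data, 0x3C, 0x80)                  # e_lfanew
    data[0x80:0x84] = b"PE\0\0"
    opt_size = 0xF0 if pe32plus else 0xE0
    chars = 0x0022 if pe32plus else 0x0102   # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE or 32BIT_MACHINE
    struct.pack_into("<HHIIIHH", data, 0x84, machine, 1, 0, 0, 0, opt_size, chars)
    struct.pack_into("<H", data, 0x98, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    data[-1] = 0xAB                                           # odd trailing byte
    return data


if __name__ == "__main__":
    pe = update_checksum(build_minimal_pe(IMAGE_FILE_MACHINE_I386, False))
    print(parse_machine(pe), hex(pe_checksum(pe)), verify_checksum(pe))
```

On a real file, pass the whole file contents (not the mapped image) to pe_checksum; the result must match what imagehlp's MapFileAndCheckSum reports for the same file.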

Categories: PE