EXE Header

ToastEater · Post by **ToastEater** » Tue Aug 08, 2006 10:22 pm

Not sure if i've posted the right place, but please bare over with me if i didnt :roll:
The thing is im trying to make a file appender to a executeable.
The first thing i was searching for was EXE header, but then i got lot of crap about infecting files with vira and not what im up to

second of all i didnt quite get the header, I have program a bit asm so i know very sliencely about it.
i was finding several pages while searching on google. But this one make my interest
http://www.itee.uq.edu.au/~cristina/stu ... 96/bff.htm
The thing i dont get much of this, I know there is a value in the Exe Header where it save the bytes of the whole program, how much to execute when to exit and all that. But cant find it ?
How do i may access this? i see two ways, Pointers(but donno to where :S) and read the file and seek to the place for the bytes.

Sorry for my crappy english

and thanks for the help

traumatic · Post by **traumatic** » Tue Aug 08, 2006 11:27 pm

If it's just about appending data to an executable file there's
no need to delve into the PE file format.

Maybe the following thread already fulfills your needs?
http://www.purebasic.fr/english/viewtopic.php?t=12878

ToastEater · Post by **ToastEater** » Tue Aug 08, 2006 11:37 pm

i know

i've allready dont this long time ago in some called AutoIt(script/executeable files), I dont wanna change the EXE Header i wanna get it, so it wont be nesscy to save the length at the end of the file but instead you can work with it directly

Im Begging for info for "humans/not so geekish persons" about EXE Headers.

Not meant as offence

traumatic · Post by **traumatic** » Wed Aug 09, 2006 8:41 am

Non-geek-infos-on-pe ? Forget it!

Still Matt Pietrek's article is one of the best sources IMHO:
http://msdn.microsoft.com/msdnmag/issues/02/02/PE/

thefool · Post by **thefool** » Wed Aug 09, 2006 11:03 am

I wrote a small program to erase the pe section names wich also shows how to get the info; here we go:

Code: Select all

;Code by thefool


#IMAGE_SIZEOF_SHORT_NAME = 8
Structure IMAGE_SECTION_HEADER
  Name.b[#IMAGE_SIZEOF_SHORT_NAME]
  StructureUnion
    PhysicalAddress.l
    VirtualSize.l
  EndStructureUnion
  VirtualAddress.l
  SizeOfRawData.l
  PointerToRawData.l
  PointerToRelocations.l
  PointerToLinenumbers.l
  NumberOfRelocations.w
  NumberOfLinenumbers.w
  Characteristics.l
EndStructure

OpenFile(1,"prot.exe") ;here you open the file you want to read!
flen=Lof(1)
*mybuf=AllocateMemory(flen) 
ReadData(1,*mybuf,flen)        ;Smack it to the memory.
CloseFile(1)

;**HERE WE DECLARE SOME STUFF**
*dosheader.IMAGE_DOS_HEADER
*dosheader=*mybuf

*ntheader.IMAGE_NT_HEADERS
*ntheader=*dosheader\e_lfanew

*fileheader.IMAGE_FILE_HEADER
*fileheader=*mybuf+*ntheader\FileHeader

*optheader.IMAGE_OPTIONAL_HEADER
*optheader=*mybuf+*ntheader\OptionalHeader

Debug *optheader\BaseOfCode
Debug *optheader\SizeOfCode

;This is basically how you read from the pe header! Look in the iczelions
;pe tutorial and see what sections there are. Here you can get the vals ;)

;YOU CAN CHANGE THEM! and then just save it; go look on the further part..



;**Here i smack in the image sectionheader part.
*PESections.IMAGE_SECTION_HEADER
*pesections=*mybuf+(*dosheader\e_lfanew + SizeOf(image_nt_headers))




;**********CLEAR PE SECTION NAMES**********

For i=1 To *fileheader\NumberOfSections ;<-- here i read the number of sections.

For a=0 To 8
PokeB(*pesections+a,00) ;write 00 to the section names.
Next a

*PEsections = *PEsections + SizeOf(IMAGE_SECTION_HEADER)

Next i

;**********DONE CLEARING**********


CreateFile(2,"out.exe")
WriteData(2,*mybuf,flen) ;here we save the changed pe file!
CloseFile(2)

Now i told you how to read and change; here you can read up on what the things do:

http://win32assembly.online.fr/tutorials.html

And if you want to look and change the section headers without coding, and you want to do other cool stuff i can really recommend Lord PE:

http://scifi.pages.at/yoda9k/LordPE/info.htm
(grap Deluxe + Deluxe B micro update)

This is a small thing about adding sections to PE files; havent tried it yet though. but have a look:
http://www.woodmann.com/fravia/covert1.htm

ToastEater · Post by **ToastEater** » Wed Aug 09, 2006 9:19 pm

@Traumatic
I looks more how to make a assmbler/c++/c# :S

@TheFool
Nice code

i will try c/p it a bit and make my own, Thanks for sharing:D

traumatic · Post by **traumatic** » Wed Aug 09, 2006 9:47 pm

ToastEater wrote:@Traumatic
I looks more how to make a assmbler/c++/c# :S

huh?

ToastEater · Post by **ToastEater** » Thu Aug 10, 2006 12:56 pm

traumatic wrote:
ToastEater wrote:@Traumatic
I looks more how to make a assmbler/c++/c# :S
huh?

more huh

traumatic · Post by **traumatic** » Thu Aug 10, 2006 2:05 pm

ToastEater wrote:more huh

What do you mean? The link I posted is a really good explaination about
PE internals, thought you were looking for something like that.

Sorry if I got you wrong somehow.

ToastEater · Post by **ToastEater** » Thu Aug 10, 2006 9:46 pm

No need for sorry

i've try look it up its some like these i need

But there is no addressses?

like
(D) (H)
00 00 = mz
02 02 = ???

(D) = decimal
(H) = Hex

i wanna do like
*buffer = allocatememory(4)
ReadFile(0,ProgramFilename())
author.w = ReadData(0,*buffer,2) ; Will give MZ: Mark Zbikowski author of the first com executable file
; and etc how much to read? - not working just fast hand written.

Regardz

thefool · Post by **thefool** » Thu Aug 10, 2006 11:50 pm

Why not use the structures? I mean they are built for it.

Okay if you really want those addrs i suggest:

Get the size of the DOS header. In the structure viewer take a look at Image_Dos_Header and there you can see the lenghts of the things (then you can guess, that the addr of e_magic is 00, and its a word. The address of e_cp is then start+word+word)

This would work for all the other stuff. But again; its wise to use the structures; then everything falls in the right place. This would really be smart; and it allows you to CHANGE the propeties of the PE too

Dare · Post by **Dare** » Fri Aug 11, 2006 12:56 pm

More useful links (I found them so, anyway):

http://msdn.microsoft.com/library/defau ... owsdev.asp
(--> Technical articles --> under the hood ..)

http://msdn.microsoft.com/library/defau ... ndling.asp
(--> Technical Articles --> peering ..)

http://www.wotsit.org/search.asp?page=3&s=binary

http://www.delorie.com/djgpp/doc/coff/

Also Google:

Luevelsmeyer (Bernd)
Pietrek (Matt)

Btw, thanks for those links, thefool and traumatic.

ToastEater · Post by **ToastEater** » Sat Aug 12, 2006 7:48 am

Seems too compilcated for me :S im thinking i set this project on Standby for now. Thanks for good links/example but too comblicated,

Rescator · Post by **Rescator** » Sat Aug 12, 2006 1:49 pm

I guess you wanna find out the size of the exe itself and subtract that from the filesize?

If you plan to attach data to a exe and automatically get the filesize I would suggest you do it the way pretty much everyone does it.

At the end of the file (after having attached the data), add a few bytes.
Like a 32bit filesize integer (or quad even)
then a md5 or crc32 checksum of the file up to that point (not including the ckechsum)
and at the very end some form of id.

I.e the file structure would be:

EXE = x bytes
DATA = x bytes
DATASIZE = 4 or 8 bytes
CHECKSUM = 4 bytes if CRC32
ID = x bytes

If the exe extract the data from itself then you wont really need the id at all.

ToastEater · Post by **ToastEater** » Sat Aug 12, 2006 6:09 pm

Yea i know i did last time i did it in AutoIt3

its not so hard but its just not the right way doing it

PureBasic Forums - English

EXE Header

EXE Header

Re: EXE Header