From: Tom H. <to...@co...> - 2006-11-17 18:42:16
In message <116...@ba...>
Stephen Torri <st...@to...> wrote:
> So for now I desire to load the suspect binary into its desired location
> (e.g. 0x4000000 for win32 programs). If I can I would like to recover
> the unpacking code from the suspect binary to analyze it to hopefully
> discover unique properties to unpacking programs. I would be able to use
> this information to create a better compressed binary detector. Also I
> would like to recover the original program instructions. So I would have
> two memory maps as output, unpacker code and original code.
>
> I know I need to create a PE file loader like valgrind has done for ELF
> programs. Right now the fundamental issue is how to locate the program
> and called DLLs at their desired location in memory if possible.
Ah, well Windows isn't really my area of expertise I'm afraid, but
it does have memory allocation APIs along the lines of mmap so there
shouldn't be any problem allocating the memory.
You just need to read the PE header and work out where each section
wants to load, then try and allocate the memory and read it in.
There are complications though, as if memory serves me right PE code
is not generally position independent (even when in a DLL) so if you
can't load it at the right address you may have to relocate it.
The same thing does apply to ELF, at least on x86 where the linker
will allow you to put non PIC code in a shared library, but we are
able to use the existing linux dynamic loader to do most of the work
and I don't know if the same thing would be possible on Windows?
Tom
--
Tom Hughes (to...@co...)
http://www.compton.nu/
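The first step Tom describes, reading the PE header to work out where each section wants to load, as an added example that is not from either poster or from Valgrind: it parses a constructed, headers-only PE32 image (the sample bytes, section names and ImageBase are assumptions for the demo), handles PE32+ as well, computes each section's preferred address range from ImageBase, and reports whether a base-relocation table exists, since without one the image cannot be moved if its preferred range is unavailable.

```python
import struct

IMAGE_DIRECTORY_ENTRY_BASERELOC = 5  # index of the base relocation data directory

def parse_pe_layout(data: bytes) -> dict:
    """Return the preferred ImageBase, each section's wanted address range,
    and whether a base-relocation table is present (needed to move the image)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: 32-bit ImageBase at +28, data directories at +96
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dd_off = opt + 96
    elif magic == 0x20B:  # PE32+: 64-bit ImageBase at +24, data directories at +112
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dd_off = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, dd_off - 4)[0]  # NumberOfRvaAndSizes
    has_relocs = False
    if ndirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        rva, size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
        has_relocs = rva != 0 and size != 0
    sections = []
    for i in range(nsections):  # 40-byte section headers follow the optional header
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "start": image_base + va,
                         "end": image_base + va + vsize, "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {"machine": machine, "image_base": image_base, "has_relocs": has_relocs, "sections": sections}

def build_sample_pe() -> bytes:
    """Constructed headers-only PE32 image for the demo (assumption: not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                            # preferred ImageBase (constructed)
    struct.pack_into("<I", opt, 92, 16)                                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, 0x3000, 0x40)
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".data", 0x2000, 0x2000, 0x400, 0x400, 0, 0, 0, 0, 0xC0000040)
    return dos + coff + bytes(opt) + secs
```

On a real file, `parse_pe_layout(open(path, "rb").read())` gives the ranges to request from the allocator; a section whose range is taken and an image with `has_relocs` false is exactly the case Tom warns cannot simply be loaded elsewhere.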