  1. #1
    Jakor
    I will assume we are now talking about using code caves to create permanent changes to an application (no need for a dll/loader makes it easy to use).
    Quote Originally Posted by Jetamay View Post
    While you are correct, there is tons of excess space in the PE Header
    The PE Header contains a few deprecated pieces, but overall is based off arrays with pointers. Finding space in here is not a good idea (unless you are removing the dos stub which isn't always a good idea either). You never know what data will be looked at and needs to still be zero. This is why writing to the .code section (which shouldn't need to be read under normal circumstances) is the "right" way (without adding sections).

    Quote Originally Posted by Jetamay View Post
    and as long as you're careful not to overflow that memory region it's safe.
    It's easier to add a section than do all the checks to make sure you are not overstepping the bounds in a PE header.

    Quote Originally Posted by Jetamay View Post
    Although, generally you can just load your own library into the target's address space containing the code you wish to execute opposed to writing a code-cave.
    That's what I said he should do a tutorial on at some point.

    Quote Originally Posted by Jetamay View Post
    Seeing as this is an assembly tutorial that would be irrelevant though.
    I don't see how it would be irrelevant. I do it all the time and only use "assembly".

    Quote Originally Posted by Jetamay View Post
    Even if you can only push a couple bytes in(chances of this are really low, as there is, like I said, tons of excess space) you can always call APIs to reallocate more memory.
    This defeats the purpose, unless you are using an external exe to allocate the memory. But then why not make it easy on yourself and write a loader (less updating for one thing). A code cave to a VirtualAlloc would still need to copy the code in to execute at some point.

    Code:
    blah
    blah
    jmp codecave
    leftoff:
    blah
    blah
    ..
    codecave:
    overwritten blah
    virtualalloc,NULL,commit/reserve/page read-write-exe
    push eax
    copymem from????????, to-eax,lengthof from?????????
    pop eax
    call eax
    jmp leftoff
    this extra code is useless unless you are adding in a larger amount of code and want to write all the filemapping for a bin(non-pe) module file into an allocated memory area and call that.... however for something that big, again... why not a dll...

  2. #2
    radnomguywfq3
    Quote Originally Posted by Jakor View Post
    I will assume we are now talking about using code caves to create permanent changes to an application (no need for a dll/loader makes it easy to use).

    The PE Header contains a few deprecated pieces, but overall is based off arrays with pointers. Finding space in here is not a good idea (unless you are removing the dos stub which isn't always a good idea either). You never know what data will be looked at and needs to still be zero. This is why writing to the .code section (which shouldn't need to be read under normal circumstances) is the "right" way (without adding sections).


    It's easier to add a section than do all the checks to make sure you are not overstepping the bounds in a PE header.


    That's what I said he should do a tutorial on at some point.


    I don't see how it would be irrelevant. I do it all the time and only use "assembly".


    This defeats the purpose, unless you are using an external exe to allocate the memory. But then why not make it easy on yourself and write a loader (less updating for one thing). A code cave to a VirtualAlloc would still need to copy the code in to execute at some point.

    Code:
    blah
    blah
    jmp codecave
    leftoff:
    blah
    blah
    ..
    codecave:
    overwritten blah
    virtualalloc,NULL,commit/reserve/page read-write-exe
    push eax
    copymem from????????, to-eax,lengthof from?????????
    pop eax
    call eax
    jmp leftoff
    this extra code is useless unless you are adding in a larger amount of code and want to write all the filemapping for a bin(non-pe) module file into an allocated memory area and call that.... however for something that big, again... why not a dll...
    First, let me start by saying the PE Header contains offsets used to load an application; in fact, most applications completely wipe/corrupt the PE Header as a security measure after loading due to this very fact.

    I'd be damned if we managed to overwrite a whole page (and write "out of bounds" of the page) with a code cave. You shouldn't even be writing that much data to the target anyway.

    I'm not saying you shouldn't use a dll, or an executable. I do mean, in this, there is no right or wrong way, using a DLL versus using an executable (in this context, i.e. writing memory to the target).



    There are two types of tragedies in life. One is not getting what you want, the other is getting it.

    If you wake up at a different time in a different place, could you wake up as a different person?
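Both posts argue over where in a PE file there is "excess space" (the header, the padding at the end of the code section, or a freshly added section) and whether writing there is safe. From a defender's side the same question is an audit: how much slack a binary carries, whether that slack is still zero-filled, and whether a section has the writable-plus-executable flags or the appended position a patch would leave behind. The following is an added example written for this thread, not code posted by Jakor or Jetamay. It uses only the Python standard library; the PE image it audits is constructed in-memory with two sections (.text and a hypothetical .cave) and is not a runnable program, and the finding names and thresholds are this example's own.

```python
"""Minimal PE section-table audit: measures header and section slack and
flags the indicators a patched binary tends to leave (constructed demo)."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> dict:
    """Parse the DOS stub pointer, file header and section table of an on-disk PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature
    _machine, nsections, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    # SizeOfHeaders sits at offset 0x3C of the optional header in both PE32 and PE32+
    size_of_headers = struct.unpack_from("<I", data, opt_off + 0x3C)[0]
    sect_off = opt_off + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _r, _l, _nr, _nl, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, sect_off + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rawsize, "raw_ptr": rawptr, "characteristics": chars,
        })
    return {"size_of_headers": size_of_headers,
            "section_table_end": sect_off + nsections * 40,
            "sections": sections}


def audit(data: bytes) -> list:
    """Return (finding, ...) tuples describing slack space and patch indicators."""
    pe = parse_pe(data)
    findings = []
    # Bytes between the end of the section table and the first section's raw data:
    # the "excess space in the PE header" the thread is arguing about.
    first_raw = min((s["raw_ptr"] for s in pe["sections"] if s["raw_size"]),
                    default=pe["size_of_headers"])
    findings.append(("header_slack", first_raw - pe["section_table_end"]))
    for s in pe["sections"]:
        chars = s["characteristics"]
        slack = max(0, s["raw_size"] - s["virtual_size"])  # file-alignment padding
        if chars & IMAGE_SCN_MEM_EXECUTE and slack:
            findings.append(("executable_slack", s["name"], slack))
            # Padding is written as zeros by linkers; anything else is worth a look.
            region = data[s["raw_ptr"] + s["virtual_size"]: s["raw_ptr"] + s["raw_size"]]
            nonzero = sum(1 for b in region if b)
            if nonzero:
                findings.append(("nonzero_bytes_in_slack", s["name"], nonzero))
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(("rwx_section", s["name"]))
    last = pe["sections"][-1]
    if last["characteristics"] & IMAGE_SCN_MEM_EXECUTE and last["name"] not in (".text", "CODE"):
        findings.append(("appended_executable_section", last["name"]))
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 image: a .text section with five non-zero bytes in its
    padding and an appended, writable+executable '.cave' section (hypothetical)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 32, 0x1000)               # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                # FileAlignment
    struct.pack_into("<I", opt, 60, 0x200)                # SizeOfHeaders

    def sect(name, vsize, vaddr, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)

    code = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    table = (sect(b".text", 0x180, 0x1000, 0x200, 0x200, code)
             + sect(b".cave", 0x100, 0x2000, 0x200, 0x400, code | IMAGE_SCN_MEM_WRITE))
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table).ljust(0x200, b"\0")
    text = (b"\x90" * 0x180 + b"\xCC" * 5).ljust(0x200, b"\0")   # constructed patch residue
    cave = (b"\x90" * 0x100).ljust(0x200, b"\0")
    return headers + text + cave


if __name__ == "__main__":
    for finding in audit(build_sample_pe()):
        print(finding)
```

Run against the constructed image, the audit reports 120 bytes of header slack, 128 bytes of padding after .text with 5 non-zero bytes in it, and a last section that is both RWX and not named like a linker-emitted code section. Only the non-zero-padding and RWX/appended-section findings are indicators on their own; plain slack is present in every aligned binary, which is the point Jetamay makes about "tons of excess space".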

