Packing DLL In Executable

[Broderick]

Lies, especially about code relocation. There are so many undocumented code relocation types and even more data structures. I had to go around to tons of windows REing communities to figure out how some of these structures worked.

At least relative to how MSDN documents their other APIs, the documentation of the PE format is poor.

What are you talking about relocations? From the v8 pecoff manual:



Doesn't get much more clear than that. And what else was I lying about?

[radnomguywfq3]

What are you talking about relocations? From the v8 pecoff manual:



Doesn't get much more clear than that. And what else was I lying about?

/dayum, that would've saved me tons of time. A lot of that isn't on the MSDN website. Thanks for pointing me to the manual though.

[Broderick]

/dayum, that would've saved me tons of time. A lot of that isn't on the MSDN website. Thanks for pointing me to the manual though.

Yeah MSDN itself doesn't deal overly much with the nitty-gritty of the PE/COFF specification, but to their credit, Microsoft did provide one hell of a document detailing pretty much everything about the PE/COFF specification. Of course, you're likely to need other sources to clarify a few issues and also to dumb-down some of the overwhelming amount of knowledge present in that document (Matt Pietrek is a life saver, basically strips out all the important parts of the PE that you need to know about).

[Jabberwock]

Right now, it just loads the library in to the local process. Making it do otherwise, is a simple manner of replacing memcpy with writeprocessmemory, virtualalloc with VirtualAllocEx, and the call with CreateRemoteThread, etc...

First, I did like to thank you, I'm really thankful you are helping me.

From my point it isn't simple as you say, although I'm too nooby to say that.

The things I understand now are:

1. With your code I don't need to write the file to the hard disk, that's because I can take the resource and write it to the current process memory, from that point PE Loader will do his work.
I do that with these functions: FindResource, LoadResource, CreateFile, CreateFileMapping, MapViewOfFile. With these to just close: UnmapViewOfFile, CloseHandle.
2. I need to change things in your code to make it write to a remote process cause now it just load the dll to the current process.

------------

I think I got it wrong in 1. Which functions do I actually need to use?

[radnomguywfq3]

First, I did like to thank you, I'm really thankful you are helping me.

From my point it isn't simple as you say, although I'm too nooby to say that.

The things I understand now are:

1. With your code I don't need to write the file to the hard disk, that's because I can take the resource and write it to the current process memory, from that point PE Loader will do his work.
I do that with these functions: FindResource, LoadResource, CreateFile, CreateFileMapping, MapViewOfFile. With these to just close: UnmapViewOfFile, CloseHandle.
2. I need to change things in your code to make it write to a remote process cause now it just load the dll to the current process.

------------

I think I got it wrong in 1. Which functions do I actually need to use?

I just woke up, I haven't released the final revision :X But its coming along.

[Jabberwock]

Lol, at time you wake up I'm going to sleep... That's sad.

You already writed most of the code, and I only have to change a part of it, but it saddens me that I'm unable to do even that.

The problem is that when I use google to find information it seem irrelevant, and MSDN isn't really user friendly.
What are your main websites you use to search for info?

[radnomguywfq3]

Lol, at time you wake up I'm going to sleep... That's sad.

You already writed most of the code, and I only have to change a part of it, but it saddens me that I'm unable to do even that.

The problem is that when I use google to find information it seem irrelevant, and MSDN isn't really user friendly.
What are your main websites you use to search for info?

No worries, here is the download to the later version (should work with remote injection from memory, what you need):
https://www.mpgh.net/forum/31-c-c-pro...ule-final.html

Most of my soures are from Peering Inside the PE: A Tour of the Win32 Portable Executable File Format and other articles I found around MSDN. As Jason suggested, you can also refer to the manual.

[Jabberwock]

Works perfectly fine and really well made!

Thanks a bunch. That's really awesome bro.