A new crazy idea

[HellOfMice]

Salut,

I should like to know if the following is a good idea:

1-A program loads in memory an *.exe file.
2-It copies the Import Directory table
3-For each entries of this new table it calls GetProcAddress and replace the VirtualAddress with the new real one
4-It replaces the address into the IAT with address into the code (Loader)
5-It calls the entry-point of the program

When the loaded program calls a dll function the loaded program calls the loader which stores the input registers and calls the original DLL function
When the DLL returns the loader stores the registers values and returns

The ideal should be to modify the IAT when the program already is memory but I don't know how to do.

Have you any idea?

PhR

[HellOfMice]

No HOOK
The antivirus could block the program
I don't know if the antivirus could block a program modifying  the IAT or the bound import directory
The program there could have is that the two programs have not the same HINSTANCE parameter
The idea behind all that is to know if datas are going out my computer or if a connection has been established on my pc using internet other than windows update.

[Vortex]

Hi Philippe,

Loading and running EXEs and DLLs from memory :

https://masmforum.com/board/index.php/topic,3150.0.html

[HellOfMice]

Very interesting.
That's an idea, I don't ,know if I will do it. Actually I am working on my program. I have the disassembler to do, the reading of import and export data directories.


I was wondering if an exe could have an export table? Why not but the exported function will only be available when the exe is running.
In the import table windows does not store the full path what would arrived if two dlls export two functions with the same names?

[Vortex]

Hi Philippe,

The second page of the same Masm Forum thread mentions about an EXE exporting functions.

[HellOfMice]

UI have read. I don't know why but I have in my head a call to VirtualProtect.

[TimoVJL]

Just another crazy idea ?
OS loader do it safe way ?

[HellOfMice]

No, I am reading how to get the import functions, some ideas, as crazy than I, came to my head.
I have read too much things, and I don't know where I am between import/export/IAT/Bound it a great melting pot

[TimoVJL]

program loader for virus scanner or sandbox purposes are interesting.
for other purpose finding functions can be interesting too.
for disassembler have to find function names to make output easier to understand.
Pelle's pope.exe is a good program for checking binaries.

[HellOfMice]

Hi Timo

I use Pope all the days, many times a day.

I am rewriting the data directories and sections parts because I want to be sure to disassemble the good section. Resources disassembly is not a good idea!

I have problems with Bound Import and IAT I think I don't need to disassemble them but they have not the same size.
Actually I have loaded sqlite3.dll I join my results.