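;-----------------------------------------------------------------------
; void DumpFileToDisk(void *FileBuffer, char *FilePath,
;                     NEW_IMAGE_NT_HEADER_VALUES *NewHeaderValues, BYTE Native)
; Target: 32-bit x86, MASM32-style proc (calling convention per the file's
;         .model directive, not visible here)
; In:    FileBuffer      = in-memory PE image; its headers are PATCHED in place
;        FilePath        = NUL-terminated output path; CREATE_ALWAYS overwrites
;        NewHeaderValues = OEP / SizeOfImage / import + IAT directory values
;        Native          = TRUE : PointerToRawData/SizeOfRawData are left as
;                                 found; headers are written, then each
;                                 section's bytes read from FileBuffer+RVA
;                          else : raw offset/size are set to RVA/VirtualSize
;                                 and SizeOfImage bytes of FileBuffer are
;                                 written straight out
; Out:   none (pushad/popad restore every register, eax included)
; Clobb: flags; locals written/PE/hFile/sections
; Fix:   the CreateFile result was never tested, so WriteFile and CloseHandle
;        ran on INVALID_HANDLE_VALUE; a failed section write now ends the loop.
; NOTE(review): nothing here is bounds-checked -- e_lfanew, NumberOfSections,
;        VirtualAddress and SizeOfRawData are trusted as read from FileBuffer,
;        so a truncated or malformed image can make WriteFile read past the
;        buffer. The caller must hand in a complete, validated image.
; NOTE(review): in Native mode the original PointerToRawData values are not
;        rewritten; the output only matches them if the sections were laid
;        out contiguously after SizeOfHeaders -- confirm for your input.
;-----------------------------------------------------------------------
DumpFileToDisk proc FileBuffer:DWORD, FilePath:DWORD, NewHeaderValues:DWORD, Native:BYTE
    local written:DWORD                     ; bytes written per WriteFile (not inspected)
    local PE:DWORD                          ; FileBuffer + e_lfanew -> IMAGE_NT_HEADERS
    local hFile:DWORD                       ; output file handle
    local sections:WORD                     ; sections left to write (Native path)

    pushad

    ;--- patch AddressOfEntryPoint / SizeOfImage ------------------------
    mov     ebx, NewHeaderValues
    assume  ebx:ptr NEW_IMAGE_NT_HEADER_VALUES
    mov     ecx, [ebx].OEP
    mov     edx, [ebx].ImageSize
    mov     eax, FileBuffer
    assume  eax:ptr IMAGE_DOS_HEADER
    add     eax, [eax].e_lfanew             ; eax -> IMAGE_NT_HEADERS (e_lfanew is unchecked)
    assume  eax:ptr IMAGE_NT_HEADERS
    mov     [eax].OptionalHeader.AddressOfEntryPoint, ecx
    .if edx != 0                            ; ImageSize == 0 means "leave SizeOfImage alone"
        mov     [eax].OptionalHeader.SizeOfImage, edx
    .endif

    ;--- patch import directory (index 1) and IAT directory (index 12) --
    mov     ecx, [ebx].IT
    mov     [eax].OptionalHeader.DataDirectory.VirtualAddress+sizeof IMAGE_DATA_DIRECTORY*IMAGE_DIRECTORY_ENTRY_IMPORT, ecx
    mov     ecx, [ebx].ITSize
    mov     [eax].OptionalHeader.DataDirectory.isize+sizeof IMAGE_DATA_DIRECTORY*IMAGE_DIRECTORY_ENTRY_IMPORT, ecx
    mov     ecx, [ebx].IAT
    mov     [eax].OptionalHeader.DataDirectory.VirtualAddress+sizeof IMAGE_DATA_DIRECTORY*IMAGE_DIRECTORY_ENTRY_IAT, ecx
    mov     ecx, [ebx].IATSize
    mov     [eax].OptionalHeader.DataDirectory.isize+sizeof IMAGE_DATA_DIRECTORY*IMAGE_DIRECTORY_ENTRY_IAT, ecx
    assume  ebx:nothing                     ; ebx is plain scratch from here on
    mov     PE, eax

    .if Native == TRUE
        ;--- headers, then every section's data in header order ---------
        invoke  CreateFile, FilePath, GENERIC_WRITE, 0, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0
        .if eax != INVALID_HANDLE_VALUE     ; previously unchecked
            mov     hFile, eax
            mov     eax, PE
            mov     ebx, [eax].OptionalHeader.SizeOfHeaders
            invoke  WriteFile, hFile, FileBuffer, ebx, addr written, 0
            mov     eax, PE
            mov     bx, [eax].FileHeader.NumberOfSections
            mov     sections, bx
            add     PE, sizeof IMAGE_NT_HEADERS ; PE -> first IMAGE_SECTION_HEADER
            .while sections > 0
                mov     eax, PE
                assume  eax:ptr IMAGE_SECTION_HEADER
                mov     ebx, [eax].VirtualAddress
                add     ebx, FileBuffer         ; section bytes are taken from FileBuffer + RVA
                mov     ecx, [eax].SizeOfRawData ; original raw size, untouched
                invoke  WriteFile, hFile, ebx, ecx, addr written, 0
                .break .if eax == 0             ; write failed: stop, output is incomplete
                add     PE, sizeof IMAGE_SECTION_HEADER
                dec     sections
            .endw
            invoke  CloseHandle, hFile
        .endif
    .else
        ;--- make raw layout == virtual layout, then write the image as-is
        assume  eax:ptr IMAGE_NT_HEADERS
        mov     bx, [eax].FileHeader.NumberOfSections
        add     eax, sizeof IMAGE_NT_HEADERS    ; eax -> first IMAGE_SECTION_HEADER
        assume  eax:ptr IMAGE_SECTION_HEADER
        .while bx > 0
            mov     ecx, [eax].Misc.VirtualSize
            mov     [eax].SizeOfRawData, ecx    ; SizeOfRawData   := VirtualSize
            mov     ecx, [eax].VirtualAddress
            mov     [eax].PointerToRawData, ecx ; PointerToRawData := VirtualAddress
            add     eax, sizeof IMAGE_SECTION_HEADER
            dec     bx
        .endw
        invoke  CreateFile, FilePath, GENERIC_WRITE, 0, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0
        .if eax != INVALID_HANDLE_VALUE     ; previously unchecked
            mov     hFile, eax
            mov     eax, PE
            assume  eax:ptr IMAGE_NT_HEADERS
            mov     ebx, [eax].OptionalHeader.SizeOfImage
            invoke  WriteFile, hFile, FileBuffer, ebx, addr written, 0
            invoke  CloseHandle, hFile
        .endif
    .endif

    assume  eax:nothing
    popad
    ret
DumpFileToDisk endp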
; Header values DumpFileToDisk patches into the in-memory PE before writing it.
; Field order is the on-stack/in-memory layout the proc reads via [ebx].field;
; do not reorder.
NEW_IMAGE_NT_HEADER_VALUES struct
OEP DWORD ?             ; new OptionalHeader.AddressOfEntryPoint (RVA)
ImageSize DWORD ?       ; optional: new SizeOfImage; 0 = leave the header value untouched
IT DWORD ?              ; import directory RVA   -> DataDirectory[1].VirtualAddress
ITSize DWORD ?          ; import directory size  -> DataDirectory[1].isize
IAT DWORD ?             ; IAT directory RVA      -> DataDirectory[12].VirtualAddress
IATSize DWORD ?         ; IAT directory size     -> DataDirectory[12].isize
NEW_IMAGE_NT_HEADER_VALUES ends
; Prototype for invoke: DumpFileToDisk FileBuffer, FilePath, NewHeaderValues, Native
DumpFileToDisk PROTO : DWORD, : DWORD, : DWORD, : BYTE
DumpFileToDisk proc FileBuffer: DWORD, FilePath: DWORD, NewHeaderValues: DWORD, Native: BYTE
FileBuffer:
Pointer to a valid PE that is going to be dumped to disk.
FilePath:
Pointer to a null-terminated string containing the path the file should be dumped to.
NewHeaderValues:
Pointer to a NEW_IMAGE_NT_HEADER_VALUES structure.
Native:
If set to TRUE, each section's ROffset (PointerToRawData) and RSize (SizeOfRawData) are left unchanged, so the file size stays the same.
Return Value:
NONE
The above proc dumps a PE file to disk and can fix some things in the PE header before dumping. I advise you to read Iczelion's tutorials about the PE file format; after having read them you should be able to imagine how to code your own process dumper/import rebuilder. Here are the tuts: http://win32asm.cjb.net/