Creating an export table

Well, what do u think the Export Table Values in the PE-Header are for?
You can patch in an Export table,but i guess you wont be able to get hold of any Exports that easy then..

Why dont u put your stuff in some DLL and inject some code to load that DLL instead?
This would enable you to code all stuff you need in your dll without any relying on the original code, just create the proc and inject some pseudo dll-loader code in the apps context..

cheers

[Nacho_dj]

Thank you NtSC:

Maybe that is the only one thing I could do to perform what the code is doing in the process.

I have to test it. I am trying now to code all that the original program does in that routine of my interest, but it is a little bit hard.

Cheers

Nacho_dj

i happened to remeber some thing i read vaguely but now i neither can find a link or google for it
but have you tried to use those NtCreateSection ZwMapViewOfSection
and load of other undocumented API
the article i speak of was a pdf and it happened to do some thing like
loading a file from memory (included some linux mmap routines too not from disc)
using the above apis

[Nacho_dj]

Hello JuneMouse:

It seems that all those functions are related to files. But when talking about processes in memory...

I have found these links:
http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Section/NtCreateSection.html

http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Section/NtMapViewOfSection.html

http://www.sysinternals.com/Information/NativeApi.html

The last URL shows api's that could perform tasks of loading sections of file, but I cannot find any speaking about loading "pieces of code" in memory from another process in the loader process.

Anyway, many thanks for your suggestion

Cheers

Nacho_dj

i just found the pdf its called remote library injection
authours are skape and jt

you should find it in nologin.org papers section
i am not providing a direct link because i would also like you to
take a look on other papers there as well
some just run above head but neverthless a good read

hope you get together some ideas from there

Maybe you could create an additional Section. Then change the EP to this section. You can create a structured Exception Handler there. After you have done this you can set int3's into the unpacking code and then jump back to the EP. You gain control of the code whenever a int3 ist reached. Of course you could also place other illegal Instructions like XOR EAX, EAX - MOV [EAX], EAX, but int3s are much smaller and you don't need to write so much code back. If the programm creates structured Exception Handlers itself it is much more difficult to find the right places to patch.

EDIT: It is also possible to change the values of the registers or on the stack.

[Nacho_dj]

Hello:

Junemouse, I just have downloaded the pdf, I will take a slow reading of it.

Messer, it seems interesting, and a new good point of view, but I have never read anything about "structured Exception Handler". Do you know a good document to work on it?

Thanks for your help

Nacho_dj