You may want to understand how a virus program injects its code into the interior of a portable executable file and corrupts it, or you may be interested in implementing a packer or a protector that encrypts the data of your own portable executable (PE) file.
This article gives a brief intuition of how EXE tools and some kinds of malware accomplish this. You can use the source code of this article to create your own custom EXE builder. It could be used to make an EXE protector in the right way, or, with the wrong intention, to spread a virus. However, my purpose in writing this article has been to focus on the first application, so I will not be responsible for immoral use of these methods.
There are no specific mandatory prerequisites for following the topics in this article. The Portable Executable file format was defined to give the Windows operating system the best way to execute code and also to store the essential data needed to run a program: for example constant data, variable data, import library links, and resource data.
These data take you back to the first days of developing the Windows operating system. Can you believe that the "MZ" signature at the start of the MS-DOS header refers to the name of Mark Zbikowski, one of the first Microsoft programmers?
I do not know why the Microsoft team has forgotten to provide some comment about this structure in the MSDN library! I have provided a program, PE Viewer, to obtain the header information from an EXE file and display it to you; its source files are available for download. Hence, if you assume that the pMem pointer points to the start of the memory space for a selected portable executable file, you can retrieve the MS-DOS header and also the Windows NT headers with the following lines, which you can also see in the PE viewer sample pelib:
Retrieving the header information is very simple. The main purpose of these values, and their role when Windows allocates the virtual memory space for an EXE file, are clear from their explanations in the MSDN library, so I am not going to repeat the MSDN annotations here. When you look at the Optional Header inside the Windows NT headers, you will find 16 data directories at the end of the Optional Header, each consisting of a Relative Virtual Address and a Size.
The last one (index 15) is reserved for future use; I have not yet seen any purpose for it, even in PE. For instance, if you want to get the relative virtual address (RVA) and the size of the resource data, it is enough to retrieve them by:
To learn more about the meaning of the data directories, I refer you to section 3. We will discuss the use of sections later. While developing an EXE packer, you should be careful enough when you play with them; otherwise you will corrupt your target EXE file and it will never run. Moreover, you should pay attention to the section names; you can recognize the purpose of each section by its name.
I will just refer you to section 6; I believe its Table 2 lists all the sections by their names. To understand the section headers and the sections themselves, you can run the sample PE viewer. In this part, you will become familiar with the essential tools needed to develop your own PE tools. The first prerequisite for becoming a PE tools developer is enough experience with debuggers. Furthermore, you should know most of the assembly instructions.
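Before moving on to the tools, here is an added example (not the article's PE Viewer or its pelib code) that walks the same headers the article has just described: the MS-DOS header via e_lfanew, the Windows NT headers, the 16 data directories (index 2 is the resource directory), and the section headers. It also adds a small defender-side check for the layout an appended-section packer leaves behind: an entry point in the last or in a non-executable section, or a section that is both writable and executable. The sample image is constructed inline (headers only, no code), and build_sample_image, parse_pe, section_for_rva and packer_indicators are this example's own names, not names from the article's library.

```python
"""Added example: walk PE32 headers (MS-DOS header -> NT headers -> data directories
-> section headers) and flag the layout an appended-section packer leaves behind."""
import struct

# Constants as defined in winnt.h
IMAGE_DOS_SIGNATURE = 0x5A4D          # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550       # 'PE\0\0'
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16
IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_DIRECTORY_ENTRY_RESOURCE = 1, 2
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000020, 0x00000040
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000

FILE_HEADER_FMT = "<HHIIIHH"                         # IMAGE_FILE_HEADER, 20 bytes
OPTIONAL32_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"   # IMAGE_OPTIONAL_HEADER32 without directories, 96 bytes
SECTION_FMT = "<8sIIIIIIHHI"                         # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(data: bytes) -> dict:
    """Same walk as the article's pMem example (MS-DOS header -> e_lfanew -> NT headers),
    with every offset bounds-checked because a hostile file can point e_lfanew anywhere."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("bad e_lfanew or missing PE signature")
    machine, nsec, _, _, _, opt_size, fchars = struct.unpack_from(FILE_HEADER_FMT, data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 96 or opt_off + opt_size > len(data):
        raise ValueError("optional header truncated")
    o = struct.unpack_from(OPTIONAL32_FMT, data, opt_off)
    if o[0] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("only PE32 is handled in this example")
    opt = {"AddressOfEntryPoint": o[6], "ImageBase": o[9], "SectionAlignment": o[10],
           "FileAlignment": o[11], "SizeOfImage": o[19], "SizeOfHeaders": o[20], "NumberOfRvaAndSizes": o[29]}
    # The 16 (RVA, Size) directory entries follow the fixed part; cap the count, never trust it blindly.
    ndirs = min(o[29], IMAGE_NUMBEROF_DIRECTORY_ENTRIES, (opt_size - 96) // 8)
    dirs = [struct.unpack_from("<II", data, opt_off + 96 + 8 * i) for i in range(ndirs)]
    dirs += [(0, 0)] * (IMAGE_NUMBEROF_DIRECTORY_ENTRIES - ndirs)   # absent entries read as empty
    sec_off = opt_off + opt_size
    if sec_off + 40 * nsec > len(data):
        raise ValueError("section table truncated")
    sections = []
    for i in range(nsec):
        s = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        sections.append({"Name": s[0].rstrip(b"\0").decode("ascii", "replace"), "VirtualSize": s[1],
                         "VirtualAddress": s[2], "SizeOfRawData": s[3], "PointerToRawData": s[4],
                         "Characteristics": s[9]})
    return {"file_header": {"Machine": machine, "NumberOfSections": nsec, "Characteristics": fchars},
            "optional_header": opt, "data_directories": dirs, "sections": sections}

def section_for_rva(pe: dict, rva: int):
    """Return the section header whose virtual range covers rva, or None (e.g. an RVA inside the headers)."""
    for s in pe["sections"]:
        span = max(s["VirtualSize"], s["SizeOfRawData"])   # VirtualSize may legitimately be 0
        if s["VirtualAddress"] <= rva < s["VirtualAddress"] + span:
            return s
    return None

def packer_indicators(pe: dict) -> list:
    """Heuristics (this example's own) for the layout a section-appending packer leaves: the entry point
    moved into a new last section or into non-executable data, or a section that is writable and executable."""
    hits = []
    ep = pe["optional_header"]["AddressOfEntryPoint"]
    sec = section_for_rva(pe, ep)
    if sec is None:
        hits.append(f"entry point 0x{ep:x} lies outside every section")
    else:
        if not sec["Characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            hits.append(f"entry point in non-executable section {sec['Name']}")
        if len(pe["sections"]) > 1 and sec is pe["sections"][-1]:
            hits.append(f"entry point in last section {sec['Name']} (appended-loader pattern)")
    for s in pe["sections"]:
        if s["Characteristics"] & IMAGE_SCN_MEM_WRITE and s["Characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            hits.append(f"section {s['Name']} is both writable and executable")
    return hits

def build_sample_image(entry_point=0x1000, text_chars=IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ):
    """CONSTRUCTED sample: a 512-byte PE32 header image with three sections and no real code."""
    data_chars = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
    sections = [(b".text", 0x100, 0x1000, 0x200, 0x400, text_chars),
                (b".rdata", 0x80, 0x2000, 0x200, 0x600, data_chars),
                (b".rsrc", 0x200, 0x3000, 0x200, 0x800, data_chars)]
    dos = (struct.pack("<H", IMAGE_DOS_SIGNATURE) + b"\0" * 0x3A + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack(OPTIONAL32_FMT, 0x10B, 14, 0, 0x200, 0x400, 0, entry_point, 0x1000, 0x2000, 0x400000,
                      0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x4000, 0x200, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
    dirs = [(0, 0)] * IMAGE_NUMBEROF_DIRECTORY_ENTRIES
    dirs[IMAGE_DIRECTORY_ENTRY_IMPORT], dirs[IMAGE_DIRECTORY_ENTRY_RESOURCE] = (0x2000, 0x80), (0x3000, 0x200)
    body = b"".join(struct.pack("<II", *d) for d in dirs)
    body += b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, ch) for n, vs, va, rs, rp, ch in sections)
    return (dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + opt + body).ljust(0x200, b"\0")

if __name__ == "__main__":
    image = parse_pe(build_sample_image())
    print("resource directory (RVA, size):", image["data_directories"][IMAGE_DIRECTORY_ENTRY_RESOURCE])
    for s in image["sections"]:
        print(f'{s["Name"]:<8} VA=0x{s["VirtualAddress"]:05x} Characteristics=0x{s["Characteristics"]:08x}')
    print("indicators:", packer_indicators(image) or "none")
```

The parser deliberately caps NumberOfRvaAndSizes and checks every offset against the buffer length, which is the part a quick C walk over pMem usually omits; run it over a real 32-bit EXE by reading the file into `data`, and compare the section table it prints with what the PE viewer sample shows.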
To me, the Intel documents are the best references. The first debugger I will introduce implements process tracing with a kernel-mode debugging method, without using the Windows debugging application programming interface (API) functions. In addition, I am going to introduce one excellent user-mode debugger. The debugging API functions are provided by Microsoft, inside the Windows Kernel32 library, to trace a specific process using Microsoft tools, or perhaps to make your own debugger!
Some of those API functions include: Frank Grossman and Jim Moskun decided to establish a company called NuMega Technologies in Nashua, NH, in order to develop tools to trace and test the reliability of Microsoft Windows software. Now it is part of Compuware Corporation, and its products have helped to improve the reliability of Windows software, and additionally of Windows driver development.
Currently, everyone knows the Compuware DriverStudio, which provides an environment for developing a kernel driver or a system file with the help of the Windows Driver Development Kit (DDK). It spares a Windows system software developer from dealing with the DDK directly when building a kernel-level portable executable file.
For us, only one instrument in DriverStudio is important: SoftICE. This debugger can be used to trace every portable executable file, whether a user-mode PE file or a kernel-mode PE file.
It was about 4 years ago that I first saw this debugger by chance. I found that this debugger supported all kinds of Windows versions. Therefore, I started to learn it very fast, and now it is my favorite debugger for the Windows OS.
It is a debugger that can be used to trace all kinds of portable executable files, except the Common Language Infrastructure (CLI) file format, in user mode, by using the Windows debugging API. Oleh Yuschuk, the author, is one of the worthiest software developers I have seen in my life.
He is a Ukrainian who now lives in Germany. I should mention here that his debugger is the best choice for hacker and cracker parties around the world! It is freeware! You can get it from the OllyDbg homepage. I have introduced two debuggers without talking about how you can use them, or which parts you should pay more attention to.
Regarding the use of debuggers, I refer you to their help documents. However, I want to explain briefly the important parts of a debugger; of course, I am talking about low-level debuggers, or in other words, machine-language debuggers for the x86 CPU family.
When you want to trace a PE file, you should mostly consider these five subdivisions. Furthermore, every debugger comprises some other useful parts; you should discover them by yourself. We can consider OllyDbg and SoftICE excellent disassemblers, but I also want to introduce another disassembler tool that is well known in the reverse engineering world. Proview (PVDasm) is an admirable disassembler by the Reverse-Engineering-Community; it is still under development and bug fixing.
You can find its disassembler source engine and use it to create your own disassembler. W32DASM can disassemble both 16-bit and 32-bit executable file formats. In addition to its disassembling ability, you can use it to analyze the import, export and resource data directories. It displays the assembly source of a portable executable file with colored graphics and tables, and is very useful for any newbie in this area.
Furthermore, it can trace an executable file in user mode in the same way as OllyDbg. A good PE tools developer knows the tools that save time, so I recommend selecting some appropriate instruments to investigate the basic information of a portable executable file. LordPE by y0da is still the first choice for retrieving PE file information, with the possibility of modifying it. PE iDentifier is valuable for identifying the compiler, packer, and cryptor used on a PE file.
As of now, it can detect many different signature types of PE files. Resource Hacker can be used to modify resource directory information: icons, menus, version info, string tables, and so on. WinHex: it is clear what you can do with this tool. NET file, a resource modifier, and many more facilities that cannot be found in other tools; just try it and discover every unimaginable option by hand.
We are ready to take the first step of our project. So I have provided a library to add a new section and rebuild the portable executable file. You will then see a scene similar to Figure 3. DynLoader, in loader. Unfortunately, this source can only be applied to the sample test file.
I have accomplished it in Step 2 (Section 5). Furthermore, AddNewSection is used to create the new section, the important step. However, the data of the new section is created by DynLoader in loader. We use the CPECryptor class to write this data into the new section, and also some other things. You can see the difference between an incremental link and a non-incremental link in the following picture: DynLoader in the incremental link, but with a non-incremental link, the real virtual address is obtained by the following code:
This setting is more critical with the incremental link when you try to find the beginning and the end of the loader, DynLoader, by CPECryptor:: The new function, CPECryptor::CopyData1, copies the Image Base value and the Offset of Entry Point value into 8 bytes of free space in the loader.
It is important to restore the original Context of the thread. We have not yet done it in the DynLoader Step 2 source code. We can modify the source of DynLoader to recover the first Context. Nevertheless, in the following code, I have completed the loader code with a simple trick to reach the OEP, in addition to restoring the stack.
An exception is generated when a program runs into faulting code and an error happens; in such a condition, the program immediately jumps to a function called the exception handler, taken from the exception handler list of the Thread Information Block. Besides the assembly code of this program, it illustrates the structured exception handler installation, the raising of an exception, and the exception handler function. This program runs the exception expression, printf "3: You can use other kinds of exception too.
We want to construct a structured exception handler in order to reach the OEP. Now, I think you have recognized the SEH installation, the exception raise, and the exception expression filter from the preceding assembly code. To establish our exception handler approach, we need to include the following code: To understand it, refer to the try-except statement description in the MSDN library.
32-bit Microsoft Windows uses the FS segment register as a pointer to the data block of the main thread. In this part, we carry out our approach by reaching the OEP. We change the Context of the thread, ignore the simple exception handling, and let the thread continue execution, but at the original OEP! When an exception happens, the context of the processor at the time of the exception is saved on the stack. With the following code, we have accomplished the main purpose of reaching the OEP through the structured exception handler: