OpenRCE

📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Created: Tuesday, December 30 2008 09:48.16 CST

Direct Link, View / Make / Edit Comments

Guidelines to MFC reversing

Author:

Pnluck

# Views: 5808

http://quequero.org/Basic_MFC_Reversing(eng)

Created: Monday, March 3 2008 15:23.29 CST

Modified: Monday, March 3 2008 15:51.29 CST

Direct Link, View / Make / Edit Comments

Armadillo v.5 x64 Unpacking tutorial

Author:

Pnluck

# Views: 15780

I believe, I'm the first one who write a tutorial about x64 unpacking: http://quequero.org/Armadillo5_x64_Unpacking.
With the article there's a demo of my ItRebuilder x64: I'm developping it for myself (at least for the start) an ImpRec-like software for Win x64, so for PE+ files, which I should release soon.

I hope to be useful.

Created: Wednesday, December 5 2007 12:29.53 CST

Direct Link, View / Make / Edit Comments

.NET Class 0.6(beta)

Author:

Pnluck

# Views: 5518

I continue the developping of this C++ class for .NET PE:
I added a support for PE+ (aka PE for x64 executable) and fixed some bugs.

http://pnluck.netsons.org/soft/NET_class.zip

Report bugs or bad codes.

That's all!

Created: Friday, September 14 2007 03:48.42 CDT

Modified: Friday, September 14 2007 03:56.43 CDT

Direct Link, View / Make / Edit Comments

C++ class to read PE.NET

Author:

Pnluck

# Views: 5681

I'm coding a C++ Class in order to read PE.NET executables: by now, it can read some PE.NET, but it work fine. hXXp://quequero.org/uicwiki/images/NET_class.zip
You can use it to extract the .NET resources, or to make a tool to remove the StrongNameSignature.

Please report to me every PE.NET which my class doesn't read.

Created: Sunday, August 5 2007 07:58.36 CDT Modified: Sunday, August 5 2007 08:00.37 CDT

Direct Link, View / Make / Edit Comments

How to hide dll

Author:

Pnluck

# Views: 22821

Time ago I wrote a little function, which called at the DLL_PROCESS_ATTACH in the DllMain, allowed to hide the dll itself.



BOOL APIENTRY DllMain( HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved )

{

if(ul_reason_for_call == DLL_PROCESS_ATTACH)

{

	HideDll((ULONG_PTR)hModule);

}

 return TRUE;

}

The function hooks the LDR_MODULE structure (it is accessible from PEB), as you can see:



bool HideDll(ULONG_PTR DllHandle)

{

	ULONG_PTR ldr_addr;

	PEB_LDR_DATA* ldr_data;

	LDR_MODULE  *modulo, *prec, *next;



 __try

 {

 

	/*

	typedef struct _PEB {

	BOOLEAN InheritedAddressSpace; 

	BOOLEAN ReadImageFileExecOptions; 

	BOOLEAN BeingDebugged; 

	BOOLEAN Spare; 

	HANDLE Mutant; 

	PVOID ImageBaseAddress; 

	PPEB_LDR_DATA LoaderData;

	...

	} PEB

	*/

       

        //The asm code is only for IA-32 architecture

	__asm mov eax, fs:[0x30]  //get il PEB ADDR

	__asm add eax, 0xc        

        __asm mov eax,[eax]      //get LoaderData ADDR

	__asm mov ldr_addr, eax



	ldr_data = (PEB_LDR_DATA*)ldr_addr ;  //init PEB_LDR_DATA struct.



	modulo = (LDR_MODULE*)ldr_data->InLoadOrderModuleList.Flink;



	while(modulo->BaseAddress != 0)

	{

		if( (ULONG_PTR)modulo->BaseAddress == DllHandle)

		{

			if(modulo->InInitializationOrderModuleList.Blink == NULL) return false;

			

			//Get the precedent and the successive struct according to the initialization order

			prec = (LDR_MODULE*)(ULONG_PTR)((ULONG_PTR)modulo->InInitializationOrderModuleList.Blink - 16);

			next = (LDR_MODULE*)(ULONG_PTR)((ULONG_PTR)modulo->InInitializationOrderModuleList.Flink - 16);



			//And change values 

			prec->InInitializationOrderModuleList.Flink = modulo->InInitializationOrderModuleList.Flink;

			next->InInitializationOrderModuleList.Blink = modulo->InInitializationOrderModuleList.Blink;

	   

		    //Now change  InLoad e InMem normally

			prec = (LDR_MODULE*)modulo->InLoadOrderModuleList.Blink;

			next = (LDR_MODULE*)modulo->InLoadOrderModuleList.Flink;

			

			//Precedent struct

			prec->InLoadOrderModuleList.Flink = modulo->InLoadOrderModuleList.Flink;

			prec->InMemoryOrderModuleList.Flink = modulo->InMemoryOrderModuleList.Flink;

			

			//Successive struct

			next->InLoadOrderModuleList.Blink = modulo->InLoadOrderModuleList.Blink;

			next->InMemoryOrderModuleList.Blink = modulo->InMemoryOrderModuleList.Blink;



                        //Now if you want: memset(modulo,0,sizeof(LDR_MODULE));

            

			return true;

		}

		modulo = (LDR_MODULE*)modulo->InLoadOrderModuleList.Flink;

	}



 }

 __except(EXCEPTION_EXECUTE_HANDLER)

 {

	 return false;

 }

Structures used are:



#ifndef UNICODE_STRING

typedef struct _UNICODE_STRING {

  USHORT  Length;

  USHORT  MaximumLength;

  PWSTR  Buffer;

} UNICODE_STRING, *PUNICODE_STRING;

#endif



#ifndef LDR_MODULE

typedef struct _LDR_MODULE {

	LIST_ENTRY InLoadOrderModuleList;  //<-- InLoad points here

	LIST_ENTRY InMemoryOrderModuleList; //<-- PInMem points here

	LIST_ENTRY InInitializationOrderModuleList;  //<-- InInitia points here

	PVOID BaseAddress; 

	PVOID EntryPoint; 

	ULONG SizeOfImage; 

	UNICODE_STRING FullDllName; 

	UNICODE_STRING BaseDllName; 

	ULONG Flags; 

	SHORT LoadCount; 

	SHORT TlsIndex; 

	LIST_ENTRY HashTableEntry; 

	ULONG TimeDateStamp;

} LDR_MODULE, *PLDR_MODULE;

#endif



#ifndef PEB_LDR_DATA

typedef struct _PEB_LDR_DATA

{

         ULONG Length;

         UCHAR Initialized;

         PVOID SsHandle;

         LIST_ENTRY InLoadOrderModuleList;

         LIST_ENTRY InMemoryOrderModuleList;

         LIST_ENTRY InInitializationOrderModuleList;

         PVOID EntryInProgress;

} PEB_LDR_DATA, *PPEB_LDR_DATA;

#endif

That's all!

Archived Entries for Pnluck

Subject	# Views	Created On
ASPack Offline Unpacker Extension for CFF	3721	Thursday, July 19 2007
Explorer Suite II	1886	Thursday, July 19 2007
Aspack Analyzing: part one	1937	Tuesday, May 29 2007

There are 31,328 total registered users.

Recently Created Topics
[help] Unpacking VMP...	Mar/12
Reverse Engineering ...	Jul/06
let 'IDAPython' impo...	Sep/24
set 'IDAPython' as t...	Sep/24
GuessType return une...	Sep/20
About retrieving the...	Sep/07
How to find specific...	Aug/15
How to get data depe...	Jul/07
Identify RVA data in...	May/06
Question about memor...	Dec/12

Recent Forum Posts
Finding the procedur...	rolEYder
Question about debbu...	rolEYder
Identify RVA data in...	sohlow
let 'IDAPython' impo...	sohlow
How to find specific...	hackgreti
Problem with ollydbg	sh3dow
How can I write olly...	sh3dow
New LoadMAP plugin v...	mefisto...
Intel pin in loaded ...	djnemo
OOP_RE tool available?	Bl4ckm4n

Recent Blog Entries
	halsten	Mar/14
Breaking IonCUBE VM
	oleavr	Oct/24
Anatomy of a code tracer
	hasherezade	Sep/24
IAT Patcher - new tool for ...
	oleavr	Aug/27
CryptoShark: code tracer ba...
	oleavr	Jun/25
Build a debugger in 5 minutes
More ...

Recent Blog Comments
	nieo on:	Mar/22
IAT Patcher - new tool for ...
	djnemo on:	Nov/17
Kernel debugger vs user mod...
	acel on:	Nov/14
Kernel debugger vs user mod...
	pedram on:	Dec/21
frida.github.io: scriptable...
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit