http://www.openrce.org/rss/feeds/blog OpenRCE: The Open Reverse Code Engineering Community Tue, 30 Dec 2008 09:48:16 -0600 https://www.openrce.org/blog/view/1333/Guidelines_to_MFC_reversing Pnluck <email-suppressed@example.com> http://quequero.org/Basic_MFC_Reversing(eng) Mon, 03 Mar 2008 15:23:29 -0600 https://www.openrce.org/blog/view/1073/Armadillo_v.5_x64_Unpacking_tutorial Pnluck <email-suppressed@example.com> I believe, I'm the first one who write a tutorial about x64 unpacking: <a href="http://quequero.org/Armadillo5_x64_Unpacking">http://quequero.org/Armadillo5_x64_Unpacking</a>.<br /> With the article there's a demo of my ItRebuilder x64: I'm developping it for myself (at least for the start) an ImpRec-like software for Win x64, so for PE+ files, which I should release soon.<br /> <br /> I hope to be useful. Wed, 05 Dec 2007 12:29:53 -0600 https://www.openrce.org/blog/view/985/.NET_Class_0.6(beta) Pnluck <email-suppressed@example.com> I continue the developping of this C++ class for .NET PE:<br /> I added a support for PE+ (aka PE for x64 executable) and fixed some bugs.<br /> <br /> http://pnluck.netsons.org/soft/NET_class.zip<br /> <br /> Report bugs or bad codes.<br /> <br /> That's all! Fri, 14 Sep 2007 03:48:42 -0500 https://www.openrce.org/blog/view/894/C++_class_to_read_PE.NET Pnluck <email-suppressed@example.com> I'm coding a C++ Class in order to read PE.NET executables: by now, it can read some PE.NET, but it work fine. hXXp://quequero.org/uicwiki/images/NET_class.zip<br /> You can use it to extract the .NET resources, or to make a tool to remove the StrongNameSignature.<br /> <br /> Please report to me every PE.NET which my class doesn't read. Sun, 05 Aug 2007 07:58:36 -0500 https://www.openrce.org/blog/view/844/How_to_hide_dll Pnluck <email-suppressed@example.com> Time ago I wrote a little function, which called at the DLL_PROCESS_ATTACH in the DllMain, allowed to hide the dll itself.<br /> <code><br /> BOOL APIENTRY DllMain( HMODULE hModule, DWORD&nbsp;&nbsp;ul_reason_for_call, LPVOID lpReserved )<br /> {<br /> if(ul_reason_for_call == DLL_PROCESS_ATTACH)<br /> {<br /> HideDll((ULONG_PTR)hModule);<br /> }<br /> return TRUE;<br /> }<br /> </code><br /> The function hooks the LDR_MODULE structure (it is accessible from PEB), as you can see:<br /> <code><br /> bool HideDll(ULONG_PTR DllHandle)<br /> {<br /> ULONG_PTR ldr_addr;<br /> PEB_LDR_DATA* ldr_data;<br /> LDR_MODULE&nbsp;&nbsp;*modulo, *prec, *next;<br /> <br /> __try<br /> {<br /> <br /> /*<br /> typedef struct _PEB {<br /> BOOLEAN InheritedAddressSpace; <br /> BOOLEAN ReadImageFileExecOptions; <br /> BOOLEAN BeingDebugged; <br /> BOOLEAN Spare; <br /> HANDLE Mutant; <br /> PVOID ImageBaseAddress; <br /> PPEB_LDR_DATA LoaderData;<br /> ...<br /> } PEB<br /> */<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;//The asm code is only for IA-32 architecture<br /> __asm mov eax, fs:[0x30]&nbsp;&nbsp;//get il PEB ADDR<br /> __asm add eax, 0xc&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;__asm mov eax,[eax]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;//get LoaderData ADDR<br /> __asm mov ldr_addr, eax<br /> <br /> ldr_data = (PEB_LDR_DATA*)ldr_addr ;&nbsp;&nbsp;//init PEB_LDR_DATA struct.<br /> <br /> modulo = (LDR_MODULE*)ldr_data-&gt;InLoadOrderModuleList.Flink;<br /> <br /> while(modulo-&gt;BaseAddress != 0)<br /> {<br /> if( (ULONG_PTR)modulo-&gt;BaseAddress == DllHandle)<br /> {<br /> if(modulo-&gt;InInitializationOrderModuleList.Blink == NULL) return false;<br /> <br /> //Get the precedent and the successive struct according to the initialization order<br /> prec = (LDR_MODULE*)(ULONG_PTR)((ULONG_PTR)modulo-&gt;InInitializationOrderModuleList.Blink - 16);<br /> next = (LDR_MODULE*)(ULONG_PTR)((ULONG_PTR)modulo-&gt;InInitializationOrderModuleList.Flink - 16);<br /> <br /> //And change values <br /> prec-&gt;InInitializationOrderModuleList.Flink = modulo-&gt;InInitializationOrderModuleList.Flink;<br /> next-&gt;InInitializationOrderModuleList.Blink = modulo-&gt;InInitializationOrderModuleList.Blink;<br /> &nbsp;&nbsp; <br /> &nbsp;&nbsp;&nbsp;&nbsp;//Now change&nbsp;&nbsp;InLoad e InMem normally<br /> prec = (LDR_MODULE*)modulo-&gt;InLoadOrderModuleList.Blink;<br /> next = (LDR_MODULE*)modulo-&gt;InLoadOrderModuleList.Flink;<br /> <br /> //Precedent struct<br /> prec-&gt;InLoadOrderModuleList.Flink = modulo-&gt;InLoadOrderModuleList.Flink;<br /> prec-&gt;InMemoryOrderModuleList.Flink = modulo-&gt;InMemoryOrderModuleList.Flink;<br /> <br /> //Successive struct<br /> next-&gt;InLoadOrderModuleList.Blink = modulo-&gt;InLoadOrderModuleList.Blink;<br /> next-&gt;InMemoryOrderModuleList.Blink = modulo-&gt;InMemoryOrderModuleList.Blink;<br /> <br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;//Now if you want: memset(modulo,0,sizeof(LDR_MODULE));<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br /> return true;<br /> }<br /> modulo = (LDR_MODULE*)modulo-&gt;InLoadOrderModuleList.Flink;<br /> }<br /> <br /> }<br /> __except(EXCEPTION_EXECUTE_HANDLER)<br /> {<br /> return false;<br /> }<br /> </code><br /> <br /> Structures used are:<br /> <code><br /> #ifndef UNICODE_STRING<br /> typedef struct _UNICODE_STRING {<br /> &nbsp;&nbsp;USHORT&nbsp;&nbsp;Length;<br /> &nbsp;&nbsp;USHORT&nbsp;&nbsp;MaximumLength;<br /> &nbsp;&nbsp;PWSTR&nbsp;&nbsp;Buffer;<br /> } UNICODE_STRING, *PUNICODE_STRING;<br /> #endif<br /> <br /> #ifndef LDR_MODULE<br /> typedef struct _LDR_MODULE {<br /> LIST_ENTRY InLoadOrderModuleList;&nbsp;&nbsp;//&lt;-- InLoad points here<br /> LIST_ENTRY InMemoryOrderModuleList; //&lt;-- PInMem points here<br /> LIST_ENTRY InInitializationOrderModuleList;&nbsp;&nbsp;//&lt;-- InInitia points here<br /> PVOID BaseAddress; <br /> PVOID EntryPoint; <br /> ULONG SizeOfImage; <br /> UNICODE_STRING FullDllName; <br /> UNICODE_STRING BaseDllName; <br /> ULONG Flags; <br /> SHORT LoadCount; <br /> SHORT TlsIndex; <br /> LIST_ENTRY HashTableEntry; <br /> ULONG TimeDateStamp;<br /> } LDR_MODULE, *PLDR_MODULE;<br /> #endif<br /> <br /> #ifndef PEB_LDR_DATA<br /> typedef struct _PEB_LDR_DATA<br /> {<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG Length;<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UCHAR Initialized;<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PVOID SsHandle;<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LIST_ENTRY InLoadOrderModuleList;<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LIST_ENTRY InMemoryOrderModuleList;<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LIST_ENTRY InInitializationOrderModuleList;<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PVOID EntryInProgress;<br /> } PEB_LDR_DATA, *PPEB_LDR_DATA;<br /> #endif<br /> </code><br /> <br /> That's all!