Step by step read data from exe file to memory.

**JoBlack** · 06-23-2012

Hello everyone.

I have exe-file which I want manually map to memory.

I open a file with: HANDLE hFile = CreateFileA("Test.exe", GENERIC_READ, 0, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);

Now I want to read data from exe file to memory step by step:

- allocate necessary memory region with VirtualAlloc function

- read from file FILE_HEADER using ReadFile to buffer (will be a variable from VirtualAlloc)

- allocate necessary memory region with VirtualAlloc function

- read from file FILE_SECTIONS using ReadFile to buffer (will be a variable from VirtualAlloc)

As I understand I should somewhere in code made a SectionAlignment, but I don't know how.

Please help me with this simple example of code. Thank you.

**Rodaxoleaux** · 06-23-2012

Starting at the address given by allocating (VirtualAlloc) memory from the Imagebase at EBX + 8, copy the separate sections to the "new" process memory that has been unmapped. I also noticed that when running from the self executable, I had to make a workaround for a failure in copying the .bss section (which didn't exist).

Code:

IMAGE_DOS_HEADER     DH;
    IMAGE_NT_HEADERS     NH;
    IMAGE_SECTION_HEADER SH;

bool bssFail = false; //.bss executable section could not be written
    int copyiterator = 0; //holds the true iterator just in case of a .bss fail


    for (int i = 0; i < NH.FileHeader.NumberOfSections;++i)
    {
        PIMAGE_SECTION_HEADER PSH = &SH;
        CopyMemory(PSH, (PIMAGE_SECTION_HEADER)((DWORD)data + DH.e_lfanew + sizeof(IMAGE_NT_HEADERS) + sizeof(IMAGE_SECTION_HEADER) * copyiterator),sizeof(IMAGE_SECTION_HEADER));
        if(WriteProcessMemory(pinfo.hProcess,(PVOID)((DWORD)StartingAddr + SH.VirtualAddress), (LPCVOID)&data[SH.PointerToRawData], SH.SizeOfRawData) == 0)
        {
            cout << "Error: " << "Writeprocmem-inloop: " << i << " Error: " << GetLastError() << endl;
            if (strcmp((char*)PSH->Name,".bss") == 0) //A fail-safe just in case this section contains no data and no pointer
            {
                cout << "WriteProcessMemory failed at the \".bss\" section. Reverting counter." << endl;
                bssFail = true;


                ++copyiterator;
                CopyMemory(PSH, (PIMAGE_SECTION_HEADER)((DWORD)data + DH.e_lfanew + sizeof(IMAGE_NT_HEADERS) + sizeof(IMAGE_SECTION_HEADER) * copyiterator),sizeof(IMAGE_SECTION_HEADER));
                WriteProcessMemory(pinfo.hProcess,(PVOID)((DWORD)StartingAddr + SH.VirtualAddress), (LPCVOID)&data[SH.PointerToRawData], SH.SizeOfRawData);
            }
        }
        ++copyiterator;


    }

Then set the entry point and context back and resume the thread.

Also, I would highly suggest giving the reason for what you're doing, because hijacking process memory space is a well-known malware technique, and most people here wouldn't care much to help someone trying to hack. I helped you because I've been there and done that, and I haven't caused and never had the intention to cause harm.

Thread: Step by step read data from exe file to memory.

Thread Tools

Search Thread

Display

Step by step read data from exe file to memory.

Similar Threads

Skipping loops in step-by-step debug without skipping rest of function

multiplying step by step

Next step...

why does the memory increase step by step?

How to open, write data to and close a new file for each step of a loop.