Thread: Explaining What This Code Does

  1. #1
    Registered User
    Join Date
    Feb 2003
    Posts
    265


    I found an interesting chunk of code while browsing forums this morning, and I'm wondering if somebody who is more versed in what it does could walk me through what it's doing. I'm just confused because it doesn't even use the second variable it asks for, and I'm not sure what it does with the data once it's done doing what it does. It seems like the net effect of this function is zero, everything is the same before and after it runs.

    Thx for your time.


    Code:
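    bool CPoly::DoPoly(const char *szFile, const char *szOutFile)
    {
    	// szOutFile is never used: nothing is written out by this function
    	char *szBuffer;
    	
    	// Read the whole input file into a heap buffer
    	if(!MapFile(szFile, &szBuffer))
    		return false;
    		
    	// The file must start with a DOS header ("MZ")
    	IMAGE_DOS_HEADER *iDosHeader=(IMAGE_DOS_HEADER*)szBuffer;
    
    	if(iDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
    	{
    		UnmapFile(&szBuffer);
    		return false;
    	}
    
    	// e_lfanew is the file offset of the NT headers, which begin with "PE\0\0".
    	// Note: no offset here is checked against the file size.
    	char *pTemp=(char*)iDosHeader+iDosHeader->e_lfanew;
    	DWORD *dwSignature=(DWORD*)pTemp;
    	if(*dwSignature!=IMAGE_NT_SIGNATURE)
    	{
    		UnmapFile(&szBuffer);
    		return false;
    	}
    	pTemp+=sizeof(DWORD);
    	IMAGE_FILE_HEADER *iFileHead=(IMAGE_FILE_HEADER*)pTemp;
    	pTemp+=sizeof(IMAGE_FILE_HEADER);
    	IMAGE_OPTIONAL_HEADER *iOptHead=(IMAGE_OPTIONAL_HEADER*)pTemp;
    	// The section table follows the optional header; its real size is in the file header
    	pTemp+=iFileHead->SizeOfOptionalHeader;
    	IMAGE_SECTION_HEADER *iSectHead=(IMAGE_SECTION_HEADER*)pTemp;
    
    	int iSection;
    	IMAGE_SECTION_HEADER *iSectPtr;
    	for(iSection=0, iSectPtr=iSectHead; iSection<iFileHead->NumberOfSections; iSection++, iSectPtr++)
    	{
    		// Only sections flagged as containing code are touched
    		if(iSectPtr->Characteristics&IMAGE_SCN_CNT_CODE)
    		{
    			// Copy the section's raw bytes into a scratch buffer, then discard it
    			char *szBuf=(char*)malloc(iSectPtr->SizeOfRawData);
    			if(!szBuf)
    			{
    				UnmapFile(&szBuffer);
    				return false;
    			}
    			memcpy(szBuf, (char*)szBuffer+iSectPtr->PointerToRawData, iSectPtr->SizeOfRawData);
    			free(szBuf);
    		}
    	}
    
    	UnmapFile(&szBuffer);
    	return true;
    }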

    The 2 functions it calls, MapFile and UnmapFile, are here.
    Code:
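    bool CPoly::MapFile(const char *szFile, char **szBuffer)
    {
    	// Despite the name, this reads the file into a malloc'd buffer (no memory mapping)
    	FILE *fp=fopen(szFile, "rb");
    	
    	if(!fp)
    		return false;
    
    	// Determine the file size by seeking to the end
    	fseek(fp, 0, SEEK_END);
    	int iFileSize=(int)ftell(fp);
    	fseek(fp, 0, SEEK_SET);
    
    	// ftell returns -1 on error; an empty file has no headers to parse
    	if(iFileSize<=0)
    	{
    		fclose(fp);
    		return false;
    	}
    
    	*szBuffer=(char*)malloc(iFileSize);
    
    	if(!*szBuffer)
    	{
    		fclose(fp);
    		return false;
    	}
    	if(fread(*szBuffer, sizeof(char), iFileSize, fp)<(size_t)iFileSize)
    	{
    		// Short read: release the buffer instead of leaking it
    		free(*szBuffer);
    		*szBuffer=NULL;
    		fclose(fp);
    		return false;
    	}
    	fclose(fp);
    	return true;
    }
    
    void CPoly::UnmapFile(char **szBuffer)
    {
    	// Free the buffer and clear the caller's pointer so it cannot be reused
    	free(*szBuffer);
    	*szBuffer=NULL;
    }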
    Last edited by Geolingo; 03-29-2004 at 09:09 AM. Reason: forgot to add functions its calls, mapfile, unmapfile.

  2. #2
    Guest Sebastiani's Avatar
    Join Date
    Aug 2001
    Location
    Waterloo, Texas
    Posts
    5,708
    Basically it's just trying to copy the code and place it in a file. It just falls short by not actually writing the output to file, but that could be fixed with a simple snippet of file I/O. If you wanted to be a little more efficient about it, you could just use memmove on the first buffer instead of allocating a second one. Then, provided all of the offsets were calculated correctly, you should be able to pull the file into DEBUG to view the assembly. The syntax for that would be something like:

    n outfile.dat
    l 0
    u 0
    Code:
    #include <cmath>
    #include <complex>
    bool euler_flip(bool value)
    {
        return std::pow
        (
            std::complex<float>(std::exp(1.0)), 
            std::complex<float>(0, 1) 
            * std::complex<float>(std::atan(1.0)
            *(1 << (value + 2)))
        ).real() < 0;
    }

  3. #3
    Registered User
    Join Date
    Feb 2003
    Posts
    265
    I added a few lines of file IO for $H1T5 and giggles to see what it spit out, and I don't think it's functioning properly. Is there any reason the file it creates would be of a different size than the one that's the source? I tried running the file it created (after renaming it) to see if it would perpetuate and create another copy of itself and it does execute, however it doesn't appear to do anything. Very odd. Any input?

    Code:
    bool CPoly::DoPoly(const char *szFile, const char *szOutFile)
    {
    	char *szBuffer;
    	
    	// Read the whole input file into a heap buffer
    	if(!MapFile(szFile, &szBuffer))
    		return false;
    		
    	IMAGE_DOS_HEADER *iDosHeader=(IMAGE_DOS_HEADER*)szBuffer;
    
    	if(iDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
    	{
    		UnmapFile(&szBuffer);
    		return false;
    	}
    
    	// e_lfanew is the file offset of the NT headers, which begin with "PE\0\0".
    	// Note: no offset here is checked against the file size.
    	char *pTemp=(char*)iDosHeader+iDosHeader->e_lfanew;
    	DWORD *dwSignature=(DWORD*)pTemp;
    	if(*dwSignature!=IMAGE_NT_SIGNATURE)
    	{
    		UnmapFile(&szBuffer);
    		return false;
    	}
    	pTemp+=sizeof(DWORD);
    	IMAGE_FILE_HEADER *iFileHead=(IMAGE_FILE_HEADER*)pTemp;
    	pTemp+=sizeof(IMAGE_FILE_HEADER);
    	IMAGE_OPTIONAL_HEADER *iOptHead=(IMAGE_OPTIONAL_HEADER*)pTemp;
    	// The section table follows the optional header; its real size is in the file header
    	pTemp+=iFileHead->SizeOfOptionalHeader;
    	IMAGE_SECTION_HEADER *iSectHead=(IMAGE_SECTION_HEADER*)pTemp;
    
    	int iSection;
    	IMAGE_SECTION_HEADER *iSectPtr;
    
    	HANDLE OutFile;
    	DWORD r=0, d=0;
    	OutFile = CreateFile(szOutFile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, 0);
    	if (OutFile == INVALID_HANDLE_VALUE) {
    		// CreateFile signals failure with INVALID_HANDLE_VALUE
    		UnmapFile(&szBuffer);
    		return false;
    	}
    
    	for(iSection=0, iSectPtr=iSectHead; iSection<iFileHead->NumberOfSections; iSection++, iSectPtr++)
    	{
    		// Only the raw bytes of code sections reach the output file;
    		// headers, data sections and import/export tables are left out
    		if(iSectPtr->Characteristics&IMAGE_SCN_CNT_CODE)
    		{
    			char *szBuf=(char*)malloc(iSectPtr->SizeOfRawData);
    			if(!szBuf)
    			{
    				CloseHandle(OutFile);
    				UnmapFile(&szBuffer);
    				return false;
    			}
    			//memmove(szBuf, szBuffer+iSectPtr->PointerToRawData, iSectPtr->SizeOfRawData);
    			memcpy(szBuf, (char*)szBuffer+iSectPtr->PointerToRawData, iSectPtr->SizeOfRawData);
    			
    			// r = bytes to write, d = bytes actually written
    			r = iSectPtr->SizeOfRawData;
    			WriteFile(OutFile, szBuf, r, &d, NULL);
    
    			free(szBuf);
    		}
    	}
    
    	CloseHandle(OutFile);
    	
    	UnmapFile(&szBuffer);
    
    	return true;
    }

  4. #4
    Guest Sebastiani's Avatar
    Join Date
    Aug 2001
    Location
    Waterloo, Texas
    Posts
    5,708
    No, no, no. The output file is *pure* code, i.e. the input file stripped of all the PE headers, import/export tables, etc. You can't 'run' it!
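
Added example, not part of the original thread: a portable C version of the same header walk with the bounds checks the posted code omits, run on a constructed in-memory image to show that the code-section bytes are only a fraction of the input file. The names `code_bytes`, `make_sample`, `rd16` and `rd32` and the sample layout are assumptions made for illustration; the field offsets follow the PE/COFF header layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCN_CNT_CODE 0x00000020u /* numeric value of IMAGE_SCN_CNT_CODE */

/* Little-endian readers; callers bounds-check before calling. */
static uint32_t rd16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | rd16(p + 2) << 16; }

/* Total raw bytes held by code sections, or -1 if a header points outside the file. */
long long code_bytes(const uint8_t *img, size_t len)
{
    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;      /* "MZ" */
    size_t nt = rd32(img + 0x3C);                           /* e_lfanew */
    if (nt > len || len - nt < 24 || rd32(img + nt) != 0x4550) return -1; /* "PE\0\0" */
    size_t nsect = rd16(img + nt + 6);                      /* NumberOfSections */
    size_t tbl = nt + 24 + rd16(img + nt + 20);             /* honours SizeOfOptionalHeader */
    if (tbl > len || (len - tbl) / 40 < nsect) return -1;   /* section table must fit */
    long long total = 0;
    for (size_t i = 0; i < nsect; i++) {
        const uint8_t *s = img + tbl + i * 40;
        uint32_t size = rd32(s + 16), off = rd32(s + 20);   /* SizeOfRawData, PointerToRawData */
        if (!(rd32(s + 36) & SCN_CNT_CODE)) continue;       /* Characteristics */
        if (off > len || size > len - off) return -1;       /* raw data must lie in the file */
        total += size;
    }
    return total;
}

/* Constructed sample: 0x400-byte image with .text (code, 0x100 bytes) and .data (0x80 bytes). */
void make_sample(uint8_t img[0x400])
{
    memset(img, 0, 0x400);
    img[0] = 'M'; img[1] = 'Z'; img[0x3C] = 0x80;           /* e_lfanew = 0x80 */
    memcpy(img + 0x80, "PE\0\0", 4);
    img[0x86] = 2; img[0x94] = 0xE0;                        /* NumberOfSections, SizeOfOptionalHeader */
    uint8_t *t = img + 0x80 + 24 + 0xE0, *d = t + 40;       /* two section headers */
    memcpy(t, ".text", 5); t[17] = 0x01; t[21] = 0x02; t[36] = 0x20; /* 0x100 @ 0x200, code */
    memcpy(d, ".data", 5); d[16] = 0x80; d[21] = 0x03; d[36] = 0x40; /* 0x80 @ 0x300, data */
}

int main(void)
{
    uint8_t img[0x400];
    make_sample(img);
    printf("file: %zu bytes, code sections: %lld bytes\n", sizeof img, code_bytes(img, sizeof img));
    return 0;
}
```

On the sample, 256 of the 1024 bytes belong to a code section, which is why the dumped file is smaller than its source; a truncated file or a section pointing past the end is rejected instead of being read out of bounds.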
