-
Notifications
You must be signed in to change notification settings - Fork 181
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Process hiving - stripped relocs. #43
Comments
Hi @illnyang ! sorry for the late response, I am very busy nowadays. Is it that you have the full PE (the payload) mapped inside a section
You said that your problem is related with the relocations of the payload. What exactly is the thing that libpeconv doesn't do correctly? Or maybe you mean that libpeconv's API does not allow you to load a PE into the memory area that you specified, but instead, it does the allocation by itself, and therefore you cannot make it load to a predefined section? For example, this is how the loading function is implemented at the moment: /**
Loads full PE from the raw buffer in a way in which it can be directly executed: remaps to virual format, applies relocations, loads imports.
Allows for supplying custom function resolver.
*/
BYTE* load_pe_executable(BYTE* payload_raw, size_t r_size, OUT size_t &v_size, t_function_resolver* import_resolver=NULL); more details and alternative versions of this API here And in order to load it into a predefined section, the API should look like this: size_t load_pe_executable(BYTE* payload_raw, size_t r_size, BYTE* out_buffer, size_t out_size, t_function_resolver* import_resolver=NULL); Please let me know, and I will make the appropriate changes soon. Regarding the Linux support, it is another, long topic, and I will consider it as a direction of future development. |
I found a rather peculiar edge case, which is not currently handled by libpeconv (and if it is, I am too dumb to figure it out). Consider following scenario:
Payload is an executable PE with stripped relocs, its imagebase is 0x400000. My loader accounts for this with an explicit section layout, like so:
The loader maps EXE payload into the
.payload
section, patches what's needed and jumps to its OEP. This technique is calledProcess Hiving
, I believe. I'm using it as an alternative toDLL load order hijacking
method (aka proxy DLLs) in my game modding framework.If payload is not reloc-stripped, the loader will relocate it into the
.payload
section anyway.I do not call VirtualAlloc at all, VirtualProtect is used to set appropriate section flags before jumping to the OEP.
My long-term goal is to have per-game targeted Linux compat patches as well - stuff like replacing XInput/WndProc with SDL2, replacing d3d9 with dxvk, etc. It would be nice for libpeconv to support Linux as well. taviso/loadlibrary is Linux-only and it feels redundant to have two separate dependencies of identical nature.
Similar approach is used in the following projects
The text was updated successfully, but these errors were encountered: