Computer, Electron and Technology

Search Box

Buzz

Categories

• c/c++/c#
• comic
• design
• doc
• java
• life
• linux
• mobile
• mtk
• other
• php
• protocol
• python
• ria
• software & hardware
• video & audio
• web

Meta

• Register
• Log in
• Main Entries Rss
• Comments Rss
• Wordpress Themes
• Seobilgi

Blogroll

• 33367.com 电子书网站
• Andi Gutmans
• AV No.1 Blog
• AVMate
• Boost 中文站
• BT影视天堂
• CakePHP
• co哥的BLOG - 产品人员的思考
• Def Leppard
• depthCORE
• Deviantart
• dodoLook IM.tv网站
• dodoLook官方网站
• EmuZone
• Engadget
• Feed Shark
• FleaPHP
• G66
• Gnome Look
• Groove Coverage
• Harrie’s Blog
• InterfaceLIFT
• JavaEye
• JOJO热情领域
• JunJun
• KKBLUE
• Kync.com
• Lighty ROR
• Limodou
• LUPA开源社区
• Max’s HOME
• MemCached
• NetFox SEO
• Nikon Discover
• Pear 中文站
• Podchains
• Prototype 学习手册
• Python.org
• Requirements for WCAG 2.0
• Rico
• ROR
• Ruby
• Ruby Central
• Ruby CN
• RubyForge
• Russell Watson
• Scriptaculous
• Shania Twain
• Sipo Blog
• STL 中文站
• SVN BOOK
• Symfony
• Taobao.com UI Team
• W3POP
• Web内容可访问性指南 1.0
• Ying wang’s Blog
• Zamzar
• ^.^我要ωo倖福~~~
• 【卯】
• 丁贝莉BLOG
• 丁贝莉官方网站
• 伊伊的BLOG
• 信迷网
• 在线看情书、X-Man
• 夕照街
• 大米动漫-海贼王论坛
• 她在美国
• 安布勇气
• 宣言的博客
• 小斌哥
• 悠视网
• 情书、X-Man 全部音乐
• 戈叶的BLOG
• 搜索引擎优化排名
• 搞笑的BLOG，可爱的画风
• 摄影网站精选
• 新浪韩娱
• 无忧团购网
• 日文、韩文翻译
• 杨生音响实验室
• 林肯公园
• 林肯公园中文网站
• 比特影视帝国
• 油茶研究会
• 洛·可可花园
• 漫漫看
• 牛奶@咖啡
• 物志
• 皓仔 | Haozi - 李皓
• 秃头大狮子
• 穿青族女子。笑楚
• 童话里的精灵
• 美丽、善良的 Wing
• 美女黄小楼
• 艾瑞市场咨询
• 蓝色理想
• 视觉复杂度
• 酷酷房 - DIY的geek网站，很不错。
• 韩娱圈
• 韩娱家园
• 韩娱帝国
• 韩娱快线
• 韩娱杂志
• 飞扬新锐

RSS Feed

subscribe to the rss feed

Popular Tags

优化 动态加载 女人 女生 嵌入式 平台 开发 手机 技术 流媒体 测试 漫画 生活 男人 男生 类 缓存 芯片 arm audio blog cache class debug flash google html j2me java javascript Joke linux lua mobile mtk php python ror ruby server shell stream unix web windows

一对普通夫妻的欲望人生！

Posted by dengwei

两人欲望的一生开始了~



出娘胎

我是BABY我怕谁？

奇怪的声音

男人是个坏小孩

我爱幼儿园

父母总是唧唧歪歪

我心跳的像鼓

漂亮的胸衣

放学路上的初吻

单车上的爱情

原来你也是个流氓

我的阳光在别处

冬夜冰凉的梦

礼物

象牙塔里的渴望
被窝里的秘密


他的手伸进我上衣里

人见人爱的大贼船



爱上我的老师

初夜

我怀念和你的初吻，以及那第一夜的秋凉。

终于要毕业了，大家每天都沉浸在饭局和泪水之中。借着酒力，我和每一个曾经有过好感的男生拥抱，仿佛他们今生不会再出现在我的生活。马上要离开这个给了我欢喜和忧愁的校园，未知的世界在等着我，未知的男人也在等着我。

我在北方，你在南方，你说我们的日子还很长，我们读着彼此想念的信，却在别处上着别人的床。人在江湖，蛋不由己，我学会了千奇百怪的姿势，一到晚上就鸡巴瞎忙，谁知道明天会遇到什么姑娘。

我们从这时开始建立起一种以快乐为宗旨的关系。我们像所有的情人一样，相互交换和分享着快乐、痛苦、失望和期望。谁也没有想过将来要怎么样。我的身体很
好，可是我很喜欢笑着谈论“死”的话题。有一天我说，如果我死了，我只要你一滴眼泪。他笑着捏我的鼻子，说，和我在一起，你怎么会死呢？然后吻我，不让我
说下去。这段关系以我的意外怀孕而告终。当我躺在手术台上结束孩子的生命时，对自己说：“别怕，他会站在手术室外拥抱我的。”但是，他没有出现。我删掉了
他的电话号码，他没必要再出现。

我参加了众多朋友的婚礼，有男有女，每个人脸上都画着希望，据说大学6班的那个荡妇嫁给了一个荣誉军人，而我上铺的兄弟逢人便说娶了一个黄花姑娘。还有几个不断离婚不断再婚的酒友，一边比着谁的年轻老婆更为败家，一边打着没有输赢的上楼麻将。




有一天，我喝了不少酒，打开家门口时已经头疼欲裂，突然有个人在身后出现，一把搂住了我，然后是令我喘不过
气来的强吻。……醉酒之后的**恍如梦中进行的一般，你知道对方在干什么，但是感受是那么的不真实，他进入的时候，我只有被动地接受，一下，两下，三
下……他的动作干脆利落，使我有种被猎获的耻辱感，但是我没法动弹，我不能再给他一个耳光……最后，当克制不住的快感使我颤抖之时，当我忍无可忍终于叫出
声的时候，他狠狠地咬了我一口，然后我听到他说了句：“我爱你。”

我只想说：偷来的性高潮，尤其快乐。但是快乐过后的空虚，让我忽然很想念和男人过去的时光。我抽了好几只烟，才放任自己给男人打了一个电话——我说：“我要回到你身旁……”。他竟然答应了，电话那边的声音有点模糊，是他哭了么？

于是，我们走入婚姻的殿堂，父母的笑容，丈母娘的眼泪，同学的唏嘘，前女友的漠然，一切都进行的顺理成章。婚礼上的你我衣冠楚楚，婚纱照上的你我一脸迷茫。那个晚上我们做了很久，我问你是哪里来的人鱼，于是那个夜晚就像童话一样漫长。
　　我们结婚了，所有的婚姻的开始都简单而俗气，嗯，就是这样。只有那个夜晚让我铭记。

黎明时传来噩耗，我们结婚时，上铺的兄弟死于布达拉宫边上的澡堂，他死在拉萨的一个姑娘身上，全身赤裸，五指伸长，据说他的灵魂可以得到宽恕，因为他在高潮中离去的时候，双眼正仰望着那湛蓝的天堂。
　　男人的好哥们儿伴着快感死去，或许他是幸福的，我望着身边的这个男人，会不会有一天他也这样离去？

好景不长，一个叫儿子的东西钻出了女人的身体，六斤七两，蛋黑把长，你说这是我们爱的结晶，我想这或许又是噩梦一场，我的父母把弄着孙子的命根，抹着眼泪说咱家从今以后子孙满堂。

我美丽苗条的女人成了宽宽胖胖的孩儿他娘，每天防着儿子在房里叮当乱撞，工作和家庭让我筋疲力尽，每天只想赖在舒服的床。这孩子聪明得像是妖精，刚学会说话就看着电视上一张大脸喊出了张朝阳。





俗话说，女人三十如狼四十如虎，我的女人却像只猛犸象，她不再保持身材，却有着更辣更久的欲望，每当孩子入睡，她就把俺拽向炕角，夜幕下，那是一张略带恐怖的脸庞，只是兄弟我日渐萎靡，不惑之年，胯下已经不再是一杆神枪。





但随着孩子慢慢长大，我发现欲望就像蛇又回到我的身体，也许是因为孩子在身边，那件事显得有种隐蔽的刺激。我在无限的缠绵中体会婚姻最初的热情，却发现男人的热情好像在渐渐的溜走。是孩子改变了我的身体，或者，是岁月改变了一切？





上帝保佑，一度皱眉的女人开始再度温柔，因为她的儿子才上小学，那玩意就长得比iphone还长。家长会上，老师说你们的儿子越来越喜欢进女厕所，我亲爱的女人便怒斥他是个文盲。她把我晾在一边，越来越关心儿子在屋里的样子，因此隔三差五才能想起来让我交出公粮。





残阳如血的某个时刻，我冷冷地笑着，手里有一支抽了一半的香烟。墙上有一个巨大的吊钟，沉默地走着。我觉得有点冷，把男人的毛衣披到了身上。那曾经让我呛的快死过去的烟现在乖乖地呆在我的指尖。





收拾残躯，重整旗鼓，我所谓的事业突飞猛进，上班大奔，周末公羊，我剥削着500多个城市的白领民工，我买
的中石油终于勃起得硬硬邦邦。我的女人说老公不错，而后把我的钱全存进了她的私人银行。办公室招来了新的小蜜，名叫Janny，前凸后撅，很像我老婆当年
的长相，只是这狐狸精太过放肆，开着董事会都是一副怀春模样。我说着企业战略公司管理，可脑子里禁不住想着她的裙下春光，我像小学生那样坐立不安，我的心
像和女人的第一次那样莺飞草长。




电话铃声突然响了起来，一声声如同催命的丧钟。
　　 “对不起，我今天很忙。”他在电话里说，然后是沉默。
　　 “那你忙吧……”挂了电话。我失声痛哭，瘫倒在地毯上。

那天傍晚外边打雷，我在办公室看着云外的夕阳，对天发誓这绝不是预谋，因为今晚还要和老婆去逛商场。Janny不知何时走了进来，说要向我汇报情况，我问
为什么你还不回家，她说回了家也是一个人独守空房。古人云啥也别说了，我们在宽大的办公桌上开辟了战场，奔五张的我竟然梅花三弄金枪不倒，这20岁的姑都
说超爽超爽。

我开始爱上了洗衣服，我想洗去男人衬衫上的陌生香水味，使劲地洗，可总是洗不干净。我把它们放在夏天很刺眼的阳光下晒，可是最后还是会有香水的味道。你的
毛衣，我亲手织的毛衣啊，它们也沾上了永远洗不干净的口红印。这是什么牌子的口红？我想去买一管，因为它是如此的持久。而我的口红却总是在热吻之后消失。

镜子里我的头发仍然乌黑，可那地方的毛却变得花白，女人说显然小头比大头还要操劳，你在外边肯定是男盗女娼。过了60你就一只脚进了棺材，看哪天一条狐狸
把你拉进坟场。对毛主席发誓，我只有那一次意外的疯狂，那狐狸精早已被我赶到深圳，去当了一个做假证老板的新娘。我的前列腺开始出现毛病，看见美女再不会
心荆荡漾。那曾经困惑的欲望终于莫名衰退，估计一年也弄不出精液半两。

除了丈夫和儿子，我有了第3个男人，一个有艺术气质的男人。我们每周约会，然后在潮湿的拥抱中小睡，然后回家。

我的儿子在重复着我的故事，只是他比我当年要厉害百倍，才干工作两年就换了七八个姑娘。他娘说小流氓随了老流氓，我说和谐社会年轻人都在成长。儿子不愿听我们老掉牙的故事，他说这年头女人只认钱，其他的都是逢场作戏嘿咻一场。

我56岁，丈夫开始变乖，除了应酬之外，不再有风花雪月的风流韵事。与此同时，19儿子也有了女朋友和性的秘密。

那天夜里，我的前列腺疼得要死，我无助地望着透入窗帘的月光，我的眼泪洒在我满是皱纹的手，我的女人却打着呼噜睡在梦乡。我的事业已经让我感到乏味，工商
税务天天把我折腾的神经紧张，我怀念和上铺的兄弟在街边啃煎饼的岁月，我怀念在女生宿舍前哭泣的时光。那一晚我带着眼泪入睡，黑白色的梦里，一树梨花正盛
开在无边的海棠上。

我经常在下午心跳加速，脸上燥热。我知道，自己即将告别卵子这个老朋友。这事儿悄悄来临，就像当年的月经初潮。我无法抗拒，不由得感到一些伤感。丈夫给我买了一些药。随着衰老的到来，他对我的体贴增加。遗憾的是，我们再也无法回到当年的激情。

我老了，不可思议地老了，很多人管我叫大爷，我再也不认为是在骂人。女护士在我身上绑了一个起搏器，我说能否给我下半身也装一个电香肠，小护士说老大爷你
色性难改，我那在轮椅上的老婆说他也就是说说装相。每一个夜晚我都怀疑明天能否醒来，每一个早晨女人都要伏在我的胸膛，他说你可不能走在我的前面，否则夜
里这张床上就会太过冰凉。

他会在我睡着的午后，静静地看着我，然后在阳光下读一本书。而我则经常在他睡着之后，用手抚摸他的额头。

我的朋友们接二连三地死去，我的儿子仍然在隔三差五地换着姑娘。那一天我看见女人银色的发，在昏黄的灯下
发着晶莹的光，我突然发现我是如此爱着这个女人，我突然后悔没有把所有的激情都留给她的欲望。如今我只能每天抚摸着她干枯的手和银色的发，问她是否喜欢那
风雨后宁静的阳光。

19岁的儿子去大学住校前，我最后一次给儿子洗内裤。阳光下，上面的存留物质闪闪发亮。那东西有着特殊的气味，在每个人的鼻子下，是不一样的。这是我的告别礼。

儿子终于有了他的合法配偶，她长得像卖人肉包子的孙二，女人整天在偷偷哭泣，说她心疼咱们的儿子，怎么他就取回来这么个蛮横糟糠。我倒不觉得儿子是吃错了药，那女人一定在床上特别擅长，他们的生活犹如黄钟大吕，整天把席梦思整的兵兵邦邦。

62岁，儿子结婚了，而我开始信仰宗教。《圣经》是一本有趣的书。因为它不仅仅是关于神的，其实，也是关于性的。性让亚当和夏娃繁衍了人类；淫亵的性让上
帝毁灭了人类；luanlun的性让罗得的女儿们延续了人类……只要有人的地方，有男女的地方，必然有性。我虽然已经逐渐告别性生活，但我却发现了有趣的
性理论。尤其当我从《圣经》感受到宗教对于性的神秘诠释之后，觉得无比欢喜。我要赞美主，赞美神，赞美生活，赞美……性。也许这就是人生，当你告别一件东
西，才越发觉出它的美好。

好在这媳妇还算踏实，很快就生出一个孩子，女人上前翻了半天，脸色阴沉，跟我说她的心拔凉拔凉。这孩子再不会蛋黑把长，因为她根本就没长出那么个鸟样。

68岁的我，当了祖母。那个时候我正在家里煮着鸡汤，丈夫在客厅接了电话，儿子告诉他，我们刚刚有了第三
代。我迫不及待地赶去医院，满心欢喜地要看看他的把儿有多长，可事实却让我那么的失望，虽然她也长得像天使一样可爱。然而，这孩子却不再蛋黒把长，真的，
别怪我重男轻女，那是不一样的滋味。

经常路过我家门口的那只老猫再没出现，想必是不知老死在哪个垃圾场。我连下床都变得艰难，可我亲爱的女人竟然又能下地，她说她梦见了少年时的我，拉着她跑过一片片红色的高粱。

我们都老了，我明显地觉得腿脚不如从前，爬楼的时候是那么的吃力，而我的男人连下床都很困难。我爱上了回忆，无论是白天还是梦里，我想着男人，也想着记忆中曾经说过爱我的那些男人，偶尔竟然会有想要的欲望。

那天她帮我洗澡，在温暖的浴缸里，她的手温柔地抚过我的身体，我惊讶地发现那个东西竟然翘起，我浑身都有要飞的轻畅。女人说你个老鬼还不正经，当心摧毁你
那脆弱的心脏。我笑着答看来杨振宁也不过如此，没准我是比他还要好使的一把老枪。女人爱抚地摸着那个东西，眼角竟有了淡淡的泪光，她说如果你愿意，我们就
玩儿命再干上最后一场。

男人已经一周没有洗澡，我搀扶他坐进浴缸，摸着他依然厚实的肩膀，内心里多了些许的感伤，这是我守了大半辈子的男人，可总有一天我们要各自奔天堂。男人不顾死活地要重拾起他那把老枪，而这一次也成就了我们一生的最难忘。

那最后一次的激情险些要了我的老命，可我们的行为却遭到了儿女的强烈表扬，儿子说老爸你真了不起，都站不起来了竟还能跃马拧枪。媳妇说你们真是夫妻楷模，
应该上CCTV说一下事后感想。这疯狂的代价是在医院半年的休养，等出院时，我已经离不开手上那根难看的拐杖。女人问我后不后悔，我说这是我一辈子最高兴
的时光，如果那一天我真的去了，我也会笑着走进满是美女的天堂。

男人住院了，毕竟已是70几岁的人，哪经得住那样的疯狂。儿孙每日奔波于医院和家，而我也会为他煲上一锅汤。我依然终日沉浸在回忆之中，不久于世的伤感让
我渴望听到那些曾经跟我耳鬓厮磨过的声音。颤抖地拿起电话，一通、两通、三通…那些给过我高潮的男人们却都已经离开了这个美丽的人间。

我终于彻底死心，全心全意地迎接我出院归来的男人。我们又仿佛回到少年时的模样，每天拉着手慢慢地走在路上，说着只有我俩才懂的情伤。

从此我们再无遗憾，我们每天拉着手，满意地坐在门口的摇椅上，门口来了新的小猫，它喜欢抱着我们的腿，舔着我们的手，扑着天空里飞舞的豆娘。

不知不觉我们的孙女又生了一个大胖小子，我们家竟然已经四世同堂。已经要瞎眼的女人大声说赶紧看看那玩意儿究竟什么成色，孙女婿说是白花花的一串，有点像
老头花生的怪样。女人嘟囔着说这小子不是男人，将来很可能窝窝囊囊。我说你干吗操这一百年后的心，眼都瞎了还惦记着那玩意多黑多长。

92岁，我有了重孙子，我们家竟然已经四世同堂。但是我已经看不清那孩子什么模样。孩子刚学会走路不久，男人在一次踏青中脑溢血住进了重症病房。

那天我们依然在一起晒着太阳，刚会走路的重孙子向我伸出小手，我猜是他想让我帮他撒尿，就挣扎起来要把他抱上。我的眼前突然发黑，然后跟着掠起一片白光。醒来时我已经躺倒在地，孩子的温暖的尿正呲在我的脸上，我想喊我的女人，可却不忍打搅她的梦乡。

我知道这颗心脏就要停止跳动，可我宁愿如此，默默地去寻找传说中的天堂。那孩子哭着叫着，我只微笑着看着他颤巍巍的小鸡鸡，轻声说孩子别怕，老爷爷就此去了，你的路还有很长，很长……

男人终于弃我而去。作为一个女人，我的一生如此丰富。有激情，有痛苦，有欢乐，有眼泪。作为一个女人，我也许不是规矩和忠诚的。但我忠于自己的身体，和自
己的欲望；我对得起自己，也不想伤害别人。如果我做的不够好，请原谅。我，只是个最普通不过的女人而已。说不定，如我这样的女人，应该也可以上天堂。

这是一个美好的春天，但我想我该走了——病房里洁白安静，空气里有消毒水的芬芳。我翻阅着记忆的相册，想起，想起我的男人，想起经济系男生、艺术史老师、想起我的那个他不曾知道，而且永远也不会知道了的情人……

Posted in: life Comments(0) October 2008

GTA:SA 全部秘籍收藏

Posted by dengwei

LXGIWYL = 暴徒武器
KJKSZPJ = 专业武器
UZUMYMW = 疯狂武器
HESOYAM = 生命、护甲满，加25万美圆
OSRBLHH = 增加两星通缉度
ASNAEB = 清除通缉程度
AFZLLQLL = 万里无云
ICIKPYH = 阳光明媚
ALNSFMZO = 阴云密布
AUIFRVQS = 阴雨绵绵
CFVFGMJ = 大雾弥漫
YSOHNUL = 时钟加快
PPGWJHT = 操控加快
LIYOAAY = 操控减慢
AJLOJYQY = 行人互相攻击，得到高尔夫球杆
BAGOWPG = 得到一大笔奖励
FOOOXFT = 行人全副武装
AIWPRTON = 刷新一辆坦克
CQZIJMB = 刷新一辆Bloodring Banger
JQNTDMH = 刷新一辆Rancher
PDNEJOH = 刷新一辆Racecar
VPJTQWV = 刷新一辆Racecar
AQTBCODX = 刷新一辆Romero
KRIJEBR = 刷新一辆Stretch
UBHYZHQ = 刷新一辆Trashmaster
RZHSUEW = 刷新一辆Caddy
CPKTNWT = Cars所有车辆爆炸
XICWMD = 隐行车辆
PGGOMOY = 完美操控
SZCMAWO = 自杀
ZEIIVG = 交通信号灯变绿
YLTEICZ = 司机有攻击性
LLQPFBN = 所有车辆变粉色
IOWDLAC = 所有车辆变黑色
AFSNMSMW = 船只飞行
BTCDBCB = 主角变胖
JYSDSOD = 主角肌肉值最大
KVGYZQK = 主角变得皮包骨
ASBHGRB = 行人变成猫王
BGLUAWML = 行人用武器攻击你，得到火箭发射器
CIKGCGX = 海滩聚会
MROEMZH = 到处都是黑帮
BIFBUZZ = 黑帮控制街道
AFPHULTL = 忍者模式
BEKKNQV = 吸引女
BGKGTJH = 通工具慢速
GUSNHDE = 交通工具快速
RIPAZHA = 汽车飞行
JHJOECW = 超级兔子跳
JUMPJET = 刷新一辆Hydra
KGGGDKP = 刷新一辆Vortex Hovercraft
JCNRUAD = 汽车一击必炸
COXEFGU = 所有车辆得到一氧化二氮加速剂
BSXSGGC = 车辆被撞击时会漂浮
XJVSNAJ = 永远是午夜
OFVIAC = 永远是晚上9点
MGHXYRM = 雷暴天气
CWJXUOC = 沙尘暴天气
LFGMHAL = 超级跳跃
BAGUVIX = 无限生命
CVWKXAM = 无限氧气
AIYPWZQP = 得到降落伞
BAGUVIX = 无限生命
AEZAKMI = 永远不会被通缉
WANRLTW = 无限弹药，不用换弹夹
IAVENJQ = 超级攻击
JCNRUAD = 汽车一击必炸

Posted in: life Comments(0) May 2007

[超长篇] Inject Your Code to a Portable Executable File

Posted by dengwei

转至: http://www.codeguru.com/cpp/w-p/system/misc/article.php/c11393

Downloads

Windows NT 3.51 (I mean, Win3.1, Win95, Win98 were not perfect OSs). The MS-DOS data causes that your executable file to have the performance inside MS-DOS and the MS-DOS Stub program lets it display: "This program can not be run in MS-DOS mode" or "This program can be run only in Windows mode", or some things like these comments when you try to run a Windows EXE file inside MS-DOS 6.0, where there is no footstep of Windows. Thus, this data is reserved for the code to indicate these comments in the MS-DOS operating system. The most interesting part of the MS-DOS data is "MZ"! Can you believe, it refers to the name of "Mark Zbikowski", one of the first Microsoft programmers?

0 Preface

You might demand to comprehend the ways a virus program injects its procedure into the interior of a portable executable file and corrupts it, or you are interested in implementing a packer or a protector to encrypt the data of your portable executable (PE) file. This article is committed to represent a brief discussion to realize the performance that is accomplished by EXE tools or some kinds of mal-ware.

You can employ this article’s source code to create your custom EXE builder. It could be used to make an EXE protector in the right way, or with the wrong intention, to spread a virus. However, my purpose of writing this article has been the first application, so I will not be responsible for the immoral usage of these methods.

1 Prerequisites

There are no specific mandatory prerequisites to follow the topics in this article. If you are familiar with a debugger and also the portable file format, I suggest you to drop to Sections 2 and 3; the whole of these sections has been made for people who don’t have any knowledge regarding the EXE file format or debuggers.

2 Portable Executable File Format

The Portable Executable file format was defined to provide the best way for the Windows Operating System to execute code and also to store the essential data that is needed to run a program—for example constant data, variable data, import library links, and resource data. It consists of MS-DOS file information, Windows NT file information, Section Headers, and Section images, as shown in Table 1.

2.1 The MS-DOS data

These data let you remember the first days of developing the Windows Operating System. You were at the beginning of a way to achieve a complete Operating System such as

To me, only the offset of the PE signature in the MS-DOS data is important, so I can use it to find the position of the Windows NT data. I just recommend that you take a look at Table 1, and then observe the structure of IMAGE_DOS_HEADER in the <winnt.h> header in the <Microsoft Visual Studio .net path>\VC7\PlatformSDK\include\ folder or the <Microsoft Visual Studio 6.0 path>\VC98\include\ folder. I do not know why the Microsoft team has forgotten to provide some comment about this structure in the MSDN library!

typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header "MZ"    WORD   e_magic;                // Magic number    WORD   e_cblp;                 // Bytes on last page of file    WORD   e_cp;                   // Pages in file    WORD   e_crlc;                 // Relocations    WORD   e_cparhdr;              // Size of header in                                   // paragraphs    WORD   e_minalloc;             // Minimum extra paragraphs                                   // needed    WORD   e_maxalloc;             // Maximum extra paragraphs                                   // needed    WORD   e_ss;                   // Initial (relative) SS                                   // value    WORD   e_sp;                   // Initial SP value    WORD   e_csum;                 // Checksum    WORD   e_ip;                   // Initial IP value    WORD   e_cs;                   // Initial (relative) CS                                   // value    WORD   e_lfarlc;               // File address of relocation                                   // table    WORD   e_ovno;                 // Overlay number    WORD   e_res[4];               // Reserved words    WORD   e_oemid;                // OEM identifier                                   // (for e_oeminfo)    WORD   e_oeminfo;              // OEM information;                                   // e_oemid specific    WORD   e_res2[10];             // Reserved words    LONG   e_lfanew;               // File address of the new                                   // exe header  } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

e_lfanew is the offset that refers to the position of the Windows NT data. I have provided a program to obtain the header information from an EXE file and to display it to you. To use the program, just try:

PE Viewer

(Full Size Image)

(Full Size Image)

This sample is useful for the whole of this article.

Table 1: Portable Executable file format structure

00000000  ASCII "MZ"00000002  DW 009000000004  DW 000300000006  DW 000000000008  DW 00040000000A  DW 00000000000C  DW FFFF0000000E  DW 000000000010  DW 00B800000012  DW 000000000014  DW 000000000016  DW 000000000018  DW 00400000001A  DW 00000000001C  DB 00b&b&0000003B  DB 000000003C  DD 000000F0

00000040  ..B:..B4.C!B8\LC!This program canno00000060  t be run in DOS mode....$.......

000000F0  ASCII "PE"

000000F4  DW 014C000000F6  DW 0003000000F8  DD 3B7D8410000000FC  DD 0000000000000100  DD 0000000000000104  DW 00E000000106  DW 010F

00000108  DW 010B0000010A  DB 070000010B  DB 000000010C  DD 0001280000000110  DD 00009C0000000114  DD 0000000000000118  DD 000124750000011C  DD 0000100000000120  DD 0001400000000124  DD 0100000000000128  DD 000010000000012C  DD 0000020000000130  DW 000500000132  DW 000100000134  DW 000500000136  DW 000100000138  DW 00040000013A  DW 00000000013C  DD 0000000000000140  DD 0001F00000000144  DD 0000040000000148  DD 0001D7FC0000014C  DW 00020000014E  DW 800000000150  DD 0004000000000154  DD 0000100000000158  DD 001000000000015C  DD 0000100000000160  DD 0000000000000164  DD 00000010

000001E8  ASCII".text"000001F0  DD 000126B0000001F4  DD 00001000000001F8  DD 00012800000001FC  DD 0000040000000200  DD 0000000000000204  DD 0000000000000208  DW 00000000020A  DW 00000000020C  DD 60000020    CODE|EXECUTE|READ

00000210  ASCII".data"; SECTION00000218  DD 0000101C ; VirtualSize = 0x101C0000021C  DD 00014000 ; VirtualAddress = 0x1400000000220  DD 00000A00 ; SizeOfRawData = 0xA0000000224  DD 00012C00 ; PointerToRawData = 0x12C0000000228  DD 00000000 ; PointerToRelocations = 0x00000022C  DD 00000000 ; PointerToLineNumbers = 0x000000230  DW 0000     ; NumberOfRelocations = 0x000000232  DW 0000     ; NumberOfLineNumbers = 0x000000234  DD C0000040 ; Characteristics =                        INITIALIZED_DATA|READ|WRITE00000238  ASCII".rsrc"; SECTION00000240  DD 00008960 ; VirtualSize = 0x896000000244  DD 00016000 ; VirtualAddress = 0x1600000000248  DD 00008A00 ; SizeOfRawData = 0x8A000000024C  DD 00013600 ; PointerToRawData = 0x1360000000250  DD 00000000 ; PointerToRelocations = 0x000000254  DD 00000000 ; PointerToLineNumbers = 0x000000258  DW 0000     ; NumberOfRelocations = 0x00000025A  DW 0000     ; NumberOfLineNumbers = 0x00000025C  DD 40000040 ; Characteristics =                        INITIALIZED_DATA|READ

00000400  EA 22 DD 77 D7 23 DD 77  C*"C.wC.#C.w00000408  9A 18 DD 77 00 00 00 00  E!.C.w....00000410  2E 1E C7 77 83 1D C7 77  ..C.wF..C.w00000418  FF 1E C7 77 00 00 00 00  C?.C.w....00000420  93 9F E7 77 D8 05 E8 77  b.E8C'wC..C(w00000428  FD A5 E7 77 AD A9 E9 77  C=B%C'w­B)C)w00000430  A3 36 E7 77 03 38 E7 77  B#6C'w.8C'w00000438  41 E3 E6 77 60 8D E7 77  AC#C&w`BC'w00000440  E6 1B E6 77 2B 2A E7 77  C&.C&w+*C'w00000448  7A 17 E6 77 79 C8 E6 77  z.C&wyC.C&w00000450  14 1B E7 77 C1 30 E7 77  ..C'wC.0C'wb&

b&0001BF00  63 00 2E 00 63 00 68 00  c...c.h.0001BF08  6D 00 0A 00 43 00 61 00  m...C.a.0001BF10  6C 00 63 00 75 00 6C 00  l.c.u.l.0001BF18  61 00 74 00 6F 00 72 00  a.t.o.r.0001BF20  11 00 4E 00 6F 00 74 00  ..N.o.t.0001BF28  20 00 45 00 6E 00 6F 00   .E.n.o.0001BF30  75 00 67 00 68 00 20 00  u.g.h. .0001BF38  4D 00 65 00 6D 00 6F 00  M.e.m.o.0001BF40  72 00 79 00 00 00 00 00  r.y.....0001BF48  00 00 00 00 00 00 00 00  ........0001BF50  00 00 00 00 00 00 00 00  ........0001BF58  00 00 00 00 00 00 00 00  ........0001BF60  00 00 00 00 00 00 00 00  ........0001BF68  00 00 00 00 00 00 00 00  ........0001BF70  00 00 00 00 00 00 00 00  ........0001BF78  00 00 00 00 00 00 00 00  ........

2.2 The Windows NT data

As mentioned in the preceding section, e_lfanew storage in the MS-DOS data structure refers to the location of the Windows NT information. Hence, if you assume that the pMem pointer relates the start point of the memory space for a selected portable executable file, you can retrieve the MS-DOS header and also the Windows NT headers by the following lines, which you also can perceive in the PE viewer sample (pelib.cpp, PEStructure::OpenFileName()):

IMAGE_DOS_HEADER        image_dos_header;IMAGE_NT_HEADERS        image_nt_headers;PCHAR pMem;b&memcpy(&image_dos_header, pMem,       sizeof(IMAGE_DOS_HEADER));memcpy(&image_nt_headers,       pMem+image_dos_header.e_lfanew,       sizeof(IMAGE_NT_HEADERS));

IMAGE_NT_HEADERS structure definition. It makes it possible to grasp what the image NT header maintains to execute a code inside the Windows NT OS. Now, you are conversant with the Windows NT structure; it consists of the "PE" Signature, the File Header, and the Optional Header. Do not forget to take a glimpse at their comments in the MSDN Library and in Table 1.

It seems to be very simple, the retrieval of the headers information. I recommend inspecting the MSDN library regarding the

One the whole, I consider merely, in most circumstances, the following cells of the IMAGE_NT_HEADERS structure:

FileHeader->NumberOfSectionsOptionalHeader->AddressOfEntryPointOptionalHeader->ImageBaseOptionalHeader->SectionAlignmentOptionalHeader->FileAlignmentOptionalHeader->SizeOfImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]              ->VirtualAddressOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]              ->Size

You can observe the main purpose of these values clearly, and their role when the internal virtual memory space allocated for an EXE file by the Windows task manager if you pay attention to their explanations in MSDN library, so I am not going to repeat the MSDN annotations here.

I should make a brief comment regarding the PE data directories, or OptionalHeader-> DataDirectory[], because I think there are a few aspects of interest concerning them. When you come to survey the Optional header through the Windows NT information, you will find that there are 16 directories at the end of the Optional Header, where you can find the consecutive directories, including their Relative Virtual Address and Size. I just mention here the notes from <winnt.h> to clarify these information:

// Export Directory#define IMAGE_DIRECTORY_ENTRY_EXPORT          0// Import Directory#define IMAGE_DIRECTORY_ENTRY_IMPORT          1// Resource Directory#define IMAGE_DIRECTORY_ENTRY_RESOURCE        2// Exception Directory#define IMAGE_DIRECTORY_ENTRY_EXCEPTION       3// Security Directory#define IMAGE_DIRECTORY_ENTRY_SECURITY        4// Base Relocation Table#define IMAGE_DIRECTORY_ENTRY_BASERELOC       5// Debug Directory#define IMAGE_DIRECTORY_ENTRY_DEBUG           6// Architecture Specific Data#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE    7// RVA of GP#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR       8// TLS Directory#define IMAGE_DIRECTORY_ENTRY_TLS             9// Load Configuration Directory#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    10// Bound Import Directory in headers#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   11// Import Address Table#define IMAGE_DIRECTORY_ENTRY_IAT            12// Delay Load Import Descriptors#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   13// COM Runtime descriptor#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14

The last one (15) was reserved for use in the future; I have not yet seen any purpose for it, even in PE64.

For instance, if you want to perceive the relative virtual address (RVA) and the size of the resource data, it is enough to retrieve them by:

DWORD dwRVA  = image_nt_headers.OptionalHeader->   DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE]->VirtualAddress;DWORD dwSize = image_nt_headers.OptionalHeader->   DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE]->Size;

To comprehend more regarding the significance of data directories, I forward you to Section 3.4.3 of the Microsoft Portable Executable and the Common Object File Format Specification document by Microsoft, and furthermore Section 6 of this document, where you discern the various types of sections and their applications. You will see the section’s advantage subsequently.

2.3 The Section Headers and Sections

You currently observe how the portable executable files declare the location and the size of a section on a disk storage file and inside the virtual memory space allocated for the program with IMAGE_NT_HEADERS-> OptionalHeader->SizeOfImage by the Windows task manager, as well the characteristics to demonstrate the type of the section. To better understand the Section header as my previous declaration, I suggest having a brief look at the IMAGE_SECTION_HEADER structure definition in the MSDN library. For an EXE packer developer, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, and Characteristics cells have significant rules. When developing an EXE packer, you should be clever enough to play with them. There are somet hings to note when you modify them; you should take care to align the VirtualSize and VirtualAddress according to OptionalHeader->SectionAlignment, as well as SizeOfRawData and PointerToRawData in line with OptionalHeader->FileAlignment. Otherwise, you will corrupt your target EXE file and it will never run. Regarding Characteristics, I pay attention mostly to establish a section by IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_CNT_INITIALIZED_DATA, I prefer that my new section has the ability to initialize such data during the running process, such as import table; besides, I need it to be able to modify itself by the loader with my settings in the section characteristics to read- and writeable.

Moreover, you should pay attention to the section names; you can know the purpose of each section by its name. I will just forward you to Section 6 of the Microsoft Portable Executable and the Common Object File Format Specification documents. I believe it represents the totality of sections by their names; this is also included in Table 2.

Table 2: Section names

To comprehend the section headers and also the sections, you can run the sample PE viewer. With this PE viewer, you can realize only the application of the section headers in a file image, so to observe the main significance in the Virtual Memory, you should try to load a PE file by a debugger. The next section represents the main idea of using the virtual address and size in the virtual memory by using a debugger. The last note is about IMAGE_NT_HEADERS-> FileHeader->NumberOfSections, that provides a number of sections in a PE file. Do not forget to adjust it whenever you remove or add some sections to a PE file. I am talking about section injection!

3 Debugger, Disassembler and some Useful Tools

In this part, you will become familiar with the necessary and essential equipment to develop your PE tools.

3.1 Debuggers

The first essential prerequisite to become a PE tools developer is to have enough experience with bug tracer tools. Furthermore, you should know most of the assembly instructions. To me, the Intel documents are the best references. You can obtain them from the Intel site for IA-32, and on top of that IA-64; the future belongs to IA-64 CPUs, Windows XP 64-bit, and also PE64!

• IA-32 Intel Architecture Software Developer’s Manuals
• Intel Itanium Architecture Assembly Language Reference Guide
• The Intel Itanium Processor Developer Resource Guide

To trace a PE file, SoftICE by Compuware Corporation, I knew it also as named NuMega when I was at high school, is the best debugger in the world. It implements process tracing by using the kernel mode method debugging without applying Windows debugging application programming interface (API) functions. In addition, I will introduce one perfect debugger in user mode level. It utilizes the Windows debugging API to trace a PE file and also attaches itself to an active process. These API functions have been provided by Microsoft teams, inside the Windows Kernel32 library, to trace a specific process, by using Microsoft tools, or perhaps, to make your own debugger! Some of those API functions inlude:

• CreateThread()
• CreateProcess()
• OpenProcess()
• DebugActiveProcess()
• GetThreadContext()
• SetThreadContext()
• ContinueDebugEvent()
• DebugBreak()
• ReadProcessMemory()
• WriteProcessMemory()
• SuspendThread()
• ResumeThread()

3.1.1 SoftICE

It was in 1987; Frank Grossman and Jim Moskun decided to establish a company called NuMega Technologies in Nashua, NH, to develop some equipment to trace and test the reliability of Microsoft Windows software programs. Now, it is a part of Compuware Corporation and its product has participated to accelerate the reliability in Windows software, and additionally in Windows driver developments. Currently, everyone knows the Compuware DriverStudio that is used to establish an environment for implementing the elaboration of a kernel driver or a system file by aiding the Windows Driver Development Kit (DDK). It bypasses the involvement of DDK to implement a portable executable file of kernel level for a Windows system software developer. For us, only one instrument of DriverStudio is important, SoftICE; this debugger can be used to trace every portable executable file, a PE file for user mode level or a PE file for kernel mode level.

Figure 1: SoftICE Window

3.1.2 OllyDbg

It was about four years ago that I first saw this debugger by chance. For me, it was the best choice; I was not wealthy enough to purchase SoftICE, and at that time, SoftICE only had good functions for DOS, Windows 98, and Windows 2000. I found that this debugger supported all kinds of Windows versions. Therefore, I started to learn it very fast, and now it is my favorite debugger for the Windows OS. It is a debugger that can be used to trace all kinds of portable executable files except a Common Language Infrastructure (CLI) file format in user mode level, by using the Windows debugging API. Oleh Yuschuk, the author, is one of worthiest software developers I have seen in my life. He is a Ukrainian who now lives in Germany. I should mention here that his debugger is the best choice for hacker and cracker parties around the world! It is freeware! You can try it from the OllyDbg Homepage.

Figure 2: OllyDbg CPU Window

Proview or PVDasm is an admirable disassembler by the Reverse-Engineering-Community; it is still under development and bug fixing. You can find its disassmbler source engine and employ it to create your own disassembler.

3.2.2 W32Dasm

W32DASM can disassemble both 16- and 32-bit executable file formats. In addition to its disassembling ability, you can employ it to analyze import, export, and resource data directories data.

3.2.3 IDA Pro

All reverse-engineering experts know that IDA Pro can be used to investigate, not only x86 instructions, but that of various kinds of CPU types like AVR, PIC, and so forth. It can illustrate the assembly source of a portable executable file by using colored graphics and tables, and is very useful for any newbie in this area. Furthermore, it has the capability to trace an executable file inside the user mode level in the same way as OllyDbg.

3.3 Some Useful Tools

A good PE tools developer is conversant with the tools that save his time, so I recommend that you select some appropriate instruments to investigate the base information under a portable executable file.

3.3.1 LordPE

LordPE by y0da is still the first choice to retrieve PE file information with the possibility to modify them.

3.3.2 PEiD

PE iDentifier is valuable to identify the type of compilers, packers, and cryptors of PE files. As of now, it can detect more than 500 different signature types of PE files.

3.3.3 Resource Hacker

Resource Hacker can be employed to modify resource directory information; icon, menu, version info, string table, and so on.

3.3.4 WinHex

WinHex, it is clear what you can do with this tool.

3.3.5 CFF Explorer

Eventually, CFF Explorer by Ntoskrnl is what you want to have as a PE Utility tool in your arsenal; it supports PE32/64, PE rebuild included Common Language Infrastructure (CLI) file. In other words, the .NET file, a resource modifier, and much more facilities which can not be found in others. Just try to discover every unimaginable option by hand.

4 Add a New Section and Change the OEP

You are ready to do the first step of making your project. I have provided a library to add a new section and rebuild the portable executable file. Before starting, I wnat you to get familiar with the headers of a PE file, by using OllyDbg. You should first open a PE file; that pops up a menu, View->Executable file. Again, you get a popup menu: Special->PE header. You will observe a scene similar to Figure 3. Now, come to the Main Menu View->Memory, and try to distinguish the sections inside the Memory map window.

Figure 3

00000000000000020000000400000006000000080000000A0000000C0000000E00000010000000120000001400000016000000180000001A0000001C0000001D0000001E0000001F000000200000002100000022000000230000002400000025000000260000002700000028000000290000002A0000002B0000002C0000002D0000002E0000002F000000300000003100000032000000330000003400000035000000360000003700000038000000390000003A0000003B0000003C

 4D 5A 9000 0300 0000 0400 0000 FFFF 0000 B800 0000 0000 0000 4000 0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F0000000

 ASCII "MZ" DW 0090 DW 0003 DW 0000 DW 0004 DW 0000 DW FFFF DW 0000 DW 00B8 DW 0000 DW 0000 DW 0000 DW 0040 DW 0000 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DD 000000F0

 DOS EXE Signature DOS_PartPag = 90 (144.) DOS_PageCnt = 3 DOS_ReloCnt = 0 DOS_HdrSize = 4 DOS_MinMem = 0 DOS_MaxMem = FFFF (65535.) DOS_ReloSS = 0 DOS_ExeSP = B8 DOS_ChkSum = 0 DOS_ExeIP = 0 DOS_ReloCS = 0 DOS_TablOff = 40 DOS_Overlay = 0 Offset to PE signature

I want to explain how you can plainly change the Offset of Entry Point (OEP) in your sample file, CALC.EXE of Windows XP. First, by using a PE Tool, and also using your PE Viewer, you find OEP, 0×00012475, and Image Base, 0×01000000. This value of OEP is the Relative Virtual Address, so the Image Base value is used to convert it to the Virtual Address.

DWORD OEP_RVA = image_nt_headers->   OptionalHeader.AddressOfEntryPoint ;// OEP_RVA = 0x00012475DWORD OEP_VA = image_nt_headers->   OptionalHeader.ImageBase + OEP_RVA ;// OEP_VA = 0x01000000 + 0x00012475 = 0x01012475

__stdcall void DynLoader(){_asm{//----------------------------------    DWORD_TYPE(DYN_LOADER_START_MAGIC)//----------------------------------    MOV EAX,01012475h // << Original OEP    JMP EAX//----------------------------------    DWORD_TYPE(DYN_LOADER_END_MAGIC)//----------------------------------}}

//----------------------------------------------------------------class CPELibrary{private:    //-----------------------------------------    PCHAR                   pMem;    DWORD                   dwFileSize;    //-----------------------------------------protected:    //-----------------------------------------    PIMAGE_DOS_HEADER       image_dos_header;    PCHAR                   pDosStub;    DWORD                   dwDosStubSize, dwDosStubOffset;    PIMAGE_NT_HEADERS       image_nt_headers;    PIMAGE_SECTION_HEADER   image_section_header[MAX_SECTION_NUM];    PCHAR                   image_section[MAX_SECTION_NUM];    //-----------------------------------------protected:    //-----------------------------------------    DWORD PEAlign(DWORD dwTarNum,DWORD dwAlignTo);    void AlignmentSections();    //-----------------------------------------    DWORD Offset2RVA(DWORD dwRO);    DWORD RVA2Offset(DWORD dwRVA);    //-----------------------------------------    PIMAGE_SECTION_HEADER ImageRVA2Section(DWORD dwRVA);    PIMAGE_SECTION_HEADER ImageOffset2Section(DWORD dwRO);    //-----------------------------------------    DWORD ImageOffset2SectionNum(DWORD dwRVA);    PIMAGE_SECTION_HEADER AddNewSection(char* szName,DWORD dwSize);    //-----------------------------------------public:    //-----------------------------------------    CPELibrary();    ~CPELibrary();    //-----------------------------------------    void OpenFile(char* FileName);    void SaveFile(char* FileName);    //-----------------------------------------};

4.2 Create data for the new section

Full Size Image)

You can comprehend the difference between incremental link and no-incremental link by looking at the following picture:

To acquire the virtual address of DynLoader(), you obtain the virtual address of JMP pemaker.DynLoader in the incremental link, but by no-incremental link, the real virtual address is gained by the following code:

DWORD dwVA= (DWORD) DynLoader;

This setting is more critical in the incremental link when you try to find the beginning and ending of the Loader, DynLoader(), by CPECryptor::ReturnToBytePtr():

void* CPECryptor::ReturnToBytePtr(void* FuncName, DWORD findstr){    void* tmpd;    __asm   {        mov eax, FuncName        jmp dfhjg:    inc eaxdf:     mov ebx, [eax]        cmp ebx, findstr        jnz hjg        mov tmpd, eax    }    return tmpd;}

In pecrypt.cpp, I have represented another class, CPECryptor, to comprise the data of the new section. Nevertheless, the data of the new section is created by DynLoader() in loader.cpp, DynLoader Step 1. You use the CPECryptor class to enter this data in to the new section, and also some other stuff.

CPECryptor Class Step 1

//----------------------------------------------------------------class CPECryptor: public CPELibrary{private:    //----------------------------------------    PCHAR pNewSection;    //----------------------------------------    DWORD GetFunctionVA(void* FuncName);    void* ReturnToBytePtr(void* FuncName, DWORD findstr);    //----------------------------------------protected:    //----------------------------------------public:    //----------------------------------------    void CryptFile(int(__cdecl *callback) (unsigned int,                                           unsigned int));    //----------------------------------------};//----------------------------------------------------------------

4.3 Some notes regarding creating a new PE file

• Align the VirtualAddress and the VirtualSize of each section by SectionAlignment:

  image_section_header[i]->VirtualAddress=    PEAlign(image_section_header[i]->VirtualAddress,    image_nt_headers->OptionalHeader.SectionAlignment);image_section_header[i]->Misc.VirtualSize=    PEAlign(image_section_header[i]->Misc.VirtualSize,    image_nt_headers->OptionalHeader.SectionAlignment);

• Align the PointerToRawData and the SizeOfRawData of each section by FileAlignment:

  image_section_header[i]->PointerToRawData =    PEAlign(image_section_header[i]->PointerToRawData,            image_nt_headers->OptionalHeader.FileAlignment);image_section_header[i]->SizeOfRawData =    PEAlign(image_section_header[i]->SizeOfRawData,            image_nt_headers->OptionalHeader.FileAlignment);

• Correct the SizeofImage by the virtual size and the virtual address of the last section:

  image_nt_headers->OptionalHeader.SizeOfImage =   image_section_header[LastSection]->VirtualAddress +   image_section_header[LastSection]->Misc.VirtualSize;

• Set the Bound Import Directory header to zero because this directory is not very important to execute a PE file:

  image_nt_headers->   OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].  VirtualAddress = 0;image_nt_headers->   OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_                                IMPORT].Size = 0;

4.4 Some notes regarding linking this VC Project

• Set Linker->General->Enable Incremental Linking to No (/INCREMENTAL:NO).

  
  (

5 Store Important Data and Reach the Original OEP

Right now, we save the Original OEP and also the Image Base in order to reach to the virtual address of OEP. I have reserved a free space at the end of DynLoader() to store them, DynLoader Step 2.

PE Maker - Step 2

Download the pemaker2.zip source files from the end of the article.

DynLoader Step 2

__stdcall void DynLoader(){_asm{//------------------------------------    DWORD_TYPE(DYN_LOADER_START_MAGIC)//------------------------------------Main_0:    PUSHAD    // get base ebp    CALL Main_1Main_1:    POP EBP    SUB EBP,OFFSET Main_1    MOV EAX,DWORD PTR [EBP+_RO_dwImageBase]    ADD EAX,DWORD PTR [EBP+_RO_dwOrgEntryPoint]    PUSH EAX    RETN // >> JMP to Original OEP//----------------------------------    DWORD_TYPE(DYN_LOADER_START_DATA1)//----------------------------------//----------------------------------    DWORD_TYPE(DYN_LOADER_END_MAGIC)//----------------------------------}}_RO_dwImageBase:                DWORD_TYPE(0xCCCCCCCC)_RO_dwOrgEntryPoint:            DWORD_TYPE(0xCCCCCCCC)

The new function, CPECryptor::CopyData1(), will implement the copy of the Image Base value and the Offset of Entry Point value into 8 bytes of free space in the loader.

5.1 Restore the first register’s context

It is important to recover the Original Context of the thread. You have not yet done it in the DynLoader Step 2 source code. You can modify the source of DynLoader() to repossess the first Context.

__stdcall void DynLoader(){_asm{//------------------------------------    DWORD_TYPE(DYN_LOADER_START_MAGIC)//------------------------------------Main_0:    PUSHAD// Save the registers context in stack    CALL Main_1Main_1:    POP EBP// Get Base EBP    SUB EBP,OFFSET Main_1    MOV EAX,DWORD PTR [EBP+_RO_dwImageBase]    ADD EAX,DWORD PTR [EBP+_RO_dwOrgEntryPoint]    MOV DWORD PTR [ESP+1Ch],EAX // pStack.Eax <- EAX    POPAD // Restore the first registers context from stack    PUSH EAX    XOR  EAX, EAX    RETN // >> JMP to Original OEP//----------------------------------    DWORD_TYPE(DYN_LOADER_START_DATA1)//----------------------------------_RO_dwImageBase:                DWORD_TYPE(0xCCCCCCCC)_RO_dwOrgEntryPoint:            DWORD_TYPE(0xCCCCCCCC)//----------------------------------    DWORD_TYPE(DYN_LOADER_END_MAGIC)//----------------------------------}}

5.2 Restore the original stack

You also can recover the original stack by setting the value of the beginning stack + 0×34 to the Original OEP, but it is not very important. Nevertheless, in the following code, I have accomplished the loader code by a simple trick to reach the OEP in addition to redecorating the stack. You can observe the implementation by tracing using OllyDbg or SoftICE.

__stdcall void DynLoader(){_asm{//----------------------------------    DWORD_TYPE(DYN_LOADER_START_MAGIC)//----------------------------------Main_0:    PUSHAD    // Save the registers context in stack    CALL Main_1Main_1:    POP EBP    SUB EBP,OFFSET Main_1    MOV EAX,DWORD PTR [EBP+_RO_dwImageBase]    ADD EAX,DWORD PTR [EBP+_RO_dwOrgEntryPoint]    MOV DWORD PTR [ESP+54h],EAX    // pStack.Eip <- EAX    POPAD    // Restore the first registers context from stack    CALL _OEP_Jump    DWORD_TYPE(0xCCCCCCCC)_OEP_Jump:    PUSH EBP    MOV EBP,ESP    MOV EAX,DWORD PTR [ESP+3Ch]    // EAX <- pStack.Eip    MOV DWORD PTR [ESP+4h],EAX     // _OEP_Jump RETURN pointer <- EAX    XOR EAX,EAX    LEAVE    RETN//----------------------------------    DWORD_TYPE(DYN_LOADER_START_DATA1)//----------------------------------_RO_dwImageBase:                DWORD_TYPE(0xCCCCCCCC)_RO_dwOrgEntryPoint:            DWORD_TYPE(0xCCCCCCCC)//----------------------------------    DWORD_TYPE(DYN_LOADER_END_MAGIC)//----------------------------------}}

5.3 Approach OEP by structured exception handling

try-except statement in C++ clarifies the operation of structured exception handling. Besides the assembly code of this code, it elucidates the structured exception handler installation, the raise of an exception, and the exception handler function.

An exception is generated when a program falls into a fault code execution and an error happens, so in such a special condition, the program immediately jumps to a function called the exception handler from exception handler list of the Thread Information Block.

The next example of a

#include "stdafx.h"#include "windows.h"void RAISE_AN_EXCEPTION(){_asm{    INT 3    INT 3    INT 3    INT 3}}int _tmain(int argc, _TCHAR* argv[]){    __try    {        __try{            printf("1: Raise an Exception\n");            RAISE_AN_EXCEPTION();        }        __finally        {            printf("2: In Finally\n");        }    }    __except( printf("3: In Filter\n"), EXCEPTION_EXECUTE_HANDLER )    {        printf("4: In Exception Handler\n");    }    return 0;}

; main()00401000: PUSH EBP00401001: MOV EBP,ESP00401003: PUSH -100401005: PUSH 00407160; __try {; the structured exception handler (SEH) installation 0040100A: PUSH _except_handler30040100F: MOV EAX,DWORD PTR FS:[0]00401015: PUSH EAX00401016: MOV DWORD PTR FS:[0],ESP0040101D: SUB ESP,800401020: PUSH EBX00401021: PUSH ESI00401022: PUSH EDI00401023: MOV DWORD PTR SS:[EBP-18],ESP;     __try {00401026: XOR ESI,ESI00401028: MOV DWORD PTR SS:[EBP-4],ESI0040102B: MOV DWORD PTR SS:[EBP-4],100401032: PUSH OFFSET "1: Raise an Exception"00401037: CALL printf0040103C: ADD ESP,4; the raise a exception, INT 3 exception; RAISE_AN_EXCEPTION()0040103F: INT300401040: INT300401041: INT300401042: INT3;     } __finally {00401043: MOV DWORD PTR SS:[EBP-4],ESI00401046: CALL 0040104D0040104B: JMP 004010800040104D: PUSH OFFSET "2: In Finally"00401052: CALL printf00401057: ADD ESP,40040105A: RETN;     }; }; __except( 0040105B: JMP 004010800040105D: PUSH OFFSET "3: In Filter"00401062: CALL printf00401067: ADD ESP,40040106A: MOV EAX,1 ; EXCEPTION_EXECUTE_HANDLER = 10040106F: RETN;     , EXCEPTION_EXECUTE_HANDLER ); {; the exception handler funtion00401070: MOV ESP,DWORD PTR SS:[EBP-18]00401073: PUSH OFFSET "4: In Exception Handler"00401078: CALL printf0040107D: ADD ESP,4; }00401080: MOV DWORD PTR SS:[EBP-4],-10040108C: XOR EAX,EAX; restore previous SEH0040108E: MOV ECX,DWORD PTR SS:[EBP-10]00401091: MOV DWORD PTR FS:[0],ECX00401098: POP EDI00401099: POP ESI0040109A: POP EBX0040109B: MOV ESP,EBP0040109D: POP EBP0040109E: RETN

Make a Win32 console project, and link and run the preceding C++ code, to perceive the result:

This program runs the exception expression, printf("3: In Filter\n");, when an exception happens—in this example, the INT 3 exception. You can employ other kinds of exception too. In OllyDbg, Debugging options->Exceptions, you can see a short list of different types of exceptions.

5.3.1 Implement Exception Handler

You want to construct a structured exception handler to reach OEP. Now, I think you have distinguished the SEH installation, the exception raise, and the exception expression filter, by foregoing the assembly co