waliedassar

32_Bit --> 64_bit PE Header

Oct 24th, 2012
185
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3. #include "stdafx.h"
  4. #include "windows.h"
  5. #include "stdio.h"
  6. #include "resource.h"
  7.  
  8. typedef void(__stdcall *FUNC)(char*);
  9.  
  10.  
  11. extern "C"
  12. {
  13.       IMAGE_NT_HEADERS* __stdcall RtlImageNtHeader(unsigned long ImageBase);
  14. void __stdcall walied(char* string)
  15. {
  16.     printf("Hey %s\r\n",string);
  17. }
  18.  
  19. }
  20.  
  21. void ConvertHeader(IMAGE_NT_HEADERS* pNT)
  22. {
  23.     pNT->FileHeader.Machine=0x8664; //Change Machine
  24.     unsigned long numSections=pNT->FileHeader.NumberOfSections;
  25.     unsigned long szOptional=pNT->FileHeader.SizeOfOptionalHeader;
  26.  
  27.     IMAGE_OPTIONAL_HEADER* pOpt32=&(pNT->OptionalHeader);
  28.     IMAGE_SECTION_HEADER*  pSec=(IMAGE_SECTION_HEADER*)(((unsigned char*)(pOpt32))+szOptional);
  29.     IMAGE_DATA_DIRECTORY*  pDD =(IMAGE_DATA_DIRECTORY*)((unsigned char*)pOpt32+0x60);
  30.     //---------Backup Data Directories------------
  31.     unsigned long szDD=((char*)pSec)-((char*)pDD);
  32.     IMAGE_DATA_DIRECTORY* pBDD=(IMAGE_DATA_DIRECTORY*)LocalAlloc(LMEM_ZEROINIT,szDD);
  33.     memcpy(pBDD,pDD,szDD);
  34.     //---------Backup section table---------------
  35.     unsigned szSections=numSections*sizeof(IMAGE_SECTION_HEADER);
  36.     IMAGE_SECTION_HEADER* pBSections=(IMAGE_SECTION_HEADER*)LocalAlloc(LMEM_ZEROINIT,szSections);
  37.     memcpy(pBSections,pSec,szSections);
  38.     //---------------------------------------------
  39.     pOpt32->Magic=0x020B;
  40.     pOpt32->BaseOfData=pOpt32->ImageBase;
  41.     pOpt32->ImageBase=0;
  42.     unsigned long StkRsv=(pOpt32->SizeOfStackReserve);
  43.     unsigned long StkCmt=(pOpt32->SizeOfStackCommit);
  44.     unsigned long HpRsv=(pOpt32->SizeOfHeapReserve);
  45.     unsigned long HpCmt=(pOpt32->SizeOfHeapCommit);
  46.     unsigned long LoaderFlags=pOpt32->LoaderFlags;
  47.     unsigned long NumberRVAs=pOpt32->NumberOfRvaAndSizes;
  48.     IMAGE_OPTIONAL_HEADER64* pOpt64=(IMAGE_OPTIONAL_HEADER64*)pOpt32;
  49.     *(unsigned long*)(&(pOpt64->SizeOfStackReserve))=StkRsv;
  50.     *(unsigned long*)(&(pOpt64->SizeOfStackCommit)) =StkCmt;
  51.     *(unsigned long*)(&(pOpt64->SizeOfHeapReserve)) =HpRsv;
  52.     *(unsigned long*)(&(pOpt64->SizeOfHeapCommit))  =HpCmt;
  53.     *(((unsigned long*)(&(pOpt64->SizeOfStackReserve)))+1)=0;
  54.     *(((unsigned long*)(&(pOpt64->SizeOfStackCommit)))+1)=0;
  55.     *(((unsigned long*)(&(pOpt64->SizeOfHeapReserve)))+1)=0;
  56.     *(((unsigned long*)(&(pOpt64->SizeOfHeapCommit)))+1)=0;
  57.     pOpt64->LoaderFlags=LoaderFlags;
  58.     pOpt64->NumberOfRvaAndSizes=NumberRVAs;
  59.     //---------------------------------------------
  60.     memcpy(((char*)pDD)+0x10,pBDD,szDD);
  61.     memcpy(((char*)pSec)+0x10,pBSections,szSections);
  62.     //---------------------------------------------
  63.     LocalFree(pBSections);
  64.     LocalFree(pBDD);
  65. }
  66.  
  67. int main(int argc, char* argv[])
  68. {
  69.     unsigned long IB=(unsigned long)GetModuleHandle(0);
  70.     unsigned long old;
  71.     VirtualProtect((void*)IB,0x1000,PAGE_READWRITE,&old);
  72.     //memset((void*)IB,0x0,0x1000);
  73.     ConvertHeader(RtlImageNtHeader(IB));
  74.     VirtualProtect((void*)IB,0x1000,old,&old);
  75.     //----------------------To make sure PE header is usable-------------
  76.     FUNC walied_=(FUNC)GetProcAddress((HMODULE)IB,"walied");
  77.     char String1[0x100]={0};
  78.     LoadString((HINSTANCE)IB,IDS_STRING1,String1,0x101);
  79.     walied_(String1);
  80.     memset(String1,0,0x100);
  81.     LoadString((HINSTANCE)IB,IDS_STRING2,String1,0x101);
  82.     walied_(String1);
  83.     //-------------------------------------------------------------------
  84.     int i=0;
  85.     while(9)
  86.     {
  87.         printf("walied %x\r\n",i++);
  88.         Sleep(1000);
  89.     }
  90.     return 0;
  91. }
RAW Paste Data

Adblocker detected! Please consider disabling it...

We've detected AdBlock Plus or some other adblocking software preventing Pastebin.com from fully loading.

We don't have any obnoxious sound, or popup ads, we actively block these annoying types of ads!

Please add Pastebin.com to your ad blocker whitelist or disable your adblocking software.

×