Encoding/patching variable in other .exe - c++
I'm out of ideas how to do this :
You have one file, let's call it test.exe,
it has const int value = 5; in it, and all it does is cout << value;
I want to create other executable which patches the test.exe so it now outputs 10 instead of 5. I want this to be done before runtime.
I've tried turning off the ASLR, getting the address of that variable and then patching in, but addresses in disk and in memory differ AFAIK.
Sorry, this remark assumes you are working on a Windows System. If not, I'm sure that with other executable image formats you can follow similar method.
Assuming you are trying to ask how you alter data within a target and not how to, in this particular example, change the screens output...
Have you considered looking at the executable image's PE Header? You can translate the address of a particular piece of data once loaded into memory to its offset in the PE file but taking a look at the IMAGE_SECTION_HEADER structure inside of PE Header of the image in question.
First, calculate the RVA of your data in memory. This is the address of the data relative to the section it is located inside of.
Second, index through the IMAGE_SECTION_HEADER structures inside of the executable's PE header by reading the header from file into a buffer. Once you've loaded this header into a memory buffer, you can process it using pointers. Like so,
IMAGE_NT_HEADERS* pImageHeader = &peHeaderBuffer[0];
After finding the correct IMAGE_SECTION_HEADER that contains your data,you can access the PointerToRawData member of the structure which will give you the offset from the start of the PE file at which this section is, if you add the RVA, you will get the offset from the start of the file from which your data is located.
Obviously, my response doesn't explain how to index through the section headers as this is a fairly tedious task that would take a while to explain. I would suggest you take a look at an exectuable's PE header from within a simple debugger, like OllyDbg, and reference MSDN's documentations on the PE Header - which can be found here:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms680336%28v=VS.85%29.aspx
If all you want to do is reverse this information our of a target, it is very easy to do using OllyDbg. Just skim down the PE Header view until you see the section that corresponds to your data, and OllyDbg will list the PointerToRawData member there, which you can add to your RVA.
Find it by signature: get 8-16 bytes around your value 5 and then search for them in .exe binary.
Also note that usually const int values are inlined into the assembler code, so if you have 2 or more statements referencing to it you have to patch all of them.
Related
C++ force variables to a fixed memory location
I have written a C++ code for application, in which there are some variables that must have different values for every user will use it ( lets call it the variable X for simplicity) X have different values for different user. This (X)should be not changed and also embedded in the exe itself ( so I can't read it from a file or any other similar solution) I don't want to distribute the source code then compile. Instead, I want a method that makes me edit the final exe directly without need to compile ( it is just value of variable X which differs !) Is this possible ? My idea to do this is if I can force this (X) at a constant memory location, I can then edit its value easily from Hex-editor as example. ( I mean the same ideas when hackers writes cheat tool for a certain game ) Is the mechanism of fixed memory position possible? Is there any other idea to make what I want? I hope my question is clear enough
In this answer I'll use Visual Studio 2017 Community Edition because I wanted to be sure to a have a development environment fully compatible with Windows. I'll present five methods, from the most maintainable to the less. Of course the focus of this answer in strictly limited to the goal of "sharing" a C++ variable with an external tool. Security of such an operation is a different topic and ultimately a futile attempt anyway. Method 1 - Resources Windows APIs1 and the PE2 support embedding resources in an executable3. Resources are typically images, icons or localized strings but they can be anything - including raw binary data. With Visual Studio is quite easy to add a resource: In the Solution Explorer > Resource files > Add > New item > Resource > Resource file (.rc) This will open the Resource view, right-click on Resource.rc and select Add resource.... It's possible to create the standard resources but we need a Custom... type that we can call RAW. This will create a new binary resource, gives it an ID and makes a few files in the solution. Switching back to the Solution explorer we can see these new files and eventually edit the .bin file with a better hex editor than the VS's integrated one. Of particular interest is the resource.h file that we can include to have the definition for the resource id, in my case it was IDR_RAW1. After the bin file has been crafted we are ready to read it in the application, the pattern to use is the usual one - I don't feel like going over these API one more time a new answer so I'll link the Official documentation and provides a sample code: #include <Windows.h> #include "resource.h" int WINAPI WinMain(HMODULE hModule, HMODULE hPrevModule, LPSTR lpCmdLine, int showCmd) { //Get an handle to our resource HRSRC hRes = FindResource(hModule, MAKEINTRESOURCE(IDR_RAW1), "RAW"); //Load the resource (Compatibility reasons make this use two APIs) HGLOBAL hResData = LoadResource(hModule, hRes); LPVOID ptrData = LockResource(hResData); /* ptrData is out binary content. Here is assumed it was a ASCIIZ string */ MessageBox(NULL, (LPCSTR)ptrData, "Title", MB_ICONINFORMATION); return 0; } Resources are good because they allow for an easy integration with other automatic build tools: it's easy to add a build step before the resources are compiled to generate them on the fly. It is also very easy to alter them after the exe file as been generated - CFF Explorer III is a simple and effective tools to edit a PE module's resources. It's even possible to replace a resource entirely thereby not limiting ourselves to keeping the new resource the same size as the old one. Just open the module in CFF, select Resource editor, browse to the raw resource and edit/replace it. Then save. Method 2 - PE exports Executable are ordinary PE module just like Dlls, the difference is really a batter of a bit. Just like Dlls can exports functions and variables4 so can exes. With VC++ the way to tag a symbol as exported is __declspec(dllexport): #include <Windows.h> __declspec(dllexport) char var[30] = "Hello, cruel world!"; int WINAPI WinMain(HMODULE hModule, HMODULE hPrevModule, LPSTR lpCmdLine, int showCmd) { MessageBox(NULL, var, "Title 2", MB_ICONINFORMATION); return 0; } The C++ side of the matter is little affected. The editing of the PE module is less user friendly but still very easy for everyone to follow. With CFF open the export directory, all the exports will be listed. C++ compilers have to mangle variables names when they can be shared due to the C++ features they support - so you won't find a nice name like var in the exports but something like ?var##3PADA. The export name doesn't really fulfil any goal in this context but you must be able to identify the correct export. This should be easy since it's very likely to be only one. CFF will show you the function RVA, this is the RVA (relative to the image base) of the variable, you can easily convert it into a file offset or simply use the Address converted integrated in CFF. This will open an hex editor and points you at the right bytes. Method 3 - Map files If you don't want to have a PE exports pointing right at your variable you can tell VS to generate a MAP file. Map files will list all the symbols exported by an object file (note: an object file, not a PE module). So you must make sure a variable, in this case, is exported by your translation unit - this is the default case for "global" variables but make sure to remember to not attach the static linkage modified to it and eventually make it volatile to prevent the compiler from eliminating it during the constants folding step. #include "Windows.h" //extern is redundant, I use it only for documenting the intention //volatile is a hack to prevent constant folding in this simple case extern volatile int var2 = 3; int WINAPI WinMain(HMODULE hModule, HMODULE hPrevModule, LPSTR lpCmdLine, int showCmd) { //A simple use of an int return var2; } A MAP file will be generated in the output dir, along with the exe, inside it's present a row like this one: 0003:00000018 ?var2##3HC 00403018 Source.obj This gives you the VA of the variable (403018) that you can use in CFF Address translator. Method 4 - PE scan You can initialise the variable with an unique value. To be able to do so the variable size must be big enough that the probability that a random sequence of bits of equal size end up with the same value is negligible. For example, if the var is a QWORD the probability of finding, in the PE module, another QWORD with the same value is very low (one in 264) but if the var is a byte then the probability is just one in 256. Eventually, add a marker variable (I'd use a random array of 16 bytes) before the variable to mark it (i.e. act as the unique value). To modify the PE use an hex editor to look for that unique value, this will give you the offset of the var to edit. Method 5 - Reverse engineering After each release, reverse engine the application (this is easy as you can debug it with VS along with the sources) and look where the compiler allocated the variable. Take note of the RVA (nota bene: RVA not VA, the VA is variable) and then use CFF to edit the exe. This requires a reverse engineering analysis each time a new release is built. 1 To be correct, "Win32" APIs. 2 I strongly advice the reader to be at least accustomized with the PE file format as I must assume so to keep this answer in topic and short. Having no understanding of the PE file format will likely result in no understanding of the question as a whole. 3 Actually, in any PE module. 4 Symbols in general.
Correct way to extract array data from binary?
There is a classic way to embed resource files as a C language array into a binary file, so that we can store some external resource files such as .jpeg or .txt files into a binary. For example, in the header file we can define an array: const unsigned char xd_data[] = { 77,90,144,0,3,0,0,0,4,0,0,0,255,255,0,0,184,0,0,0,0,0,0,0,64,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,240,0,0, 0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114, 111,103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110, 32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36,0,0,0,0,0,0, 0,66,163,223,218,6,194,177,137,6,194,177,137,6,194,177,137,105,221,187, 137,13,194,177,137,133,222,191,137,3,194,177,137,105,221,181,137,4,194, 177,137,136,202,238,137,4,194,177,137,6,194,176,137,73,194,177,137,133, 202,236,137,13,194,177,137,48,228,187,137,11,194,177,137,193,196,183, 137,7,194,177,137,82,105,99,104,6,194,177,137,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,80,69,0,0,76,1,4,0,65,162,32,86,0,0,0,0,0,0,0, 0,224,0,47,1,11,1,6,0,0,100,0,0,0,74,0,0,0,0,0,0,228,113,0,0,0,16,0,0, 0,128,0,0,0,0,64,0,0,16,0,0,0,2,0,0,4,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0, 224,0,0,0,4,0,0,0,0,0,0,2,0,0,0,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0, 0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,124,140,0,0,140,0,0,0,0,208,0,0,0,16,0 }; which contains the contents of the resource file, and it will be compile into the final binary. There are lots of tools and tutorials on the web about this old trick, such as: http://www.rowleydownload.co.uk/arm/documentation/index.htm?http://www.rowleydownload.co.uk/arm/documentation/embed.htm, https://www.fourmilab.ch/xd/ and http://gareus.org/wiki/embedding_resources_in_executables#c_include_method. However, looks like most of these pages are talking about how to embed the data into binary file using C style array. My question is, what is the correct way to find the start address of the resource files in the compiled binary in order to extract them? I.e., how can I find the start address of xd_data in the compiled binary?
If you mean finding the byte address in the file where a data block starts just like objdump does but programmatically, then you can use the Binary File Descriptor library (BFD), see here and here.
if you stored data for example an image and you want to load it (for printing or what ever you want) then if you have a function (library) that load it from memory, as example void loadResImage(void * mem); just do loadResImage(xd_data), if not but you have a function that load it from the file, in that case save it to a temp file eg: int fd=open("tmpfile"); int ret=write(fd,xd_data, sizeof(xd_data)); close(fd); loadImageFile("tmpfile"); but if you want to access the data outside the program itself (hex editor for example, or an other program), in that case you have to add a starting mark and optionally an ending mark or sizeof data. eg: const unsigned char xd_data[]={ ... 'M','A','G','I','C'}; in example above the end of the data is known, you just do a search to find it. same way, play around and find a suitable way to store the size of the data. but beware of the compiler optimizations.
Different _fileName values in Visual Studio debug watch
std::string filename; In this code:osg::Image* image = osgDB::readImageFile(filename + ".dicom"); osg::Image type variable: image gets wrong returned values from read file. And by debugging to the line above, the watch window shows as follows: The _fileName (std::string type) value indicated on the first and second lines are both "digest", but in the fourth line the value of _fileName turned out to be "iiiiii\x*6" with capacity equals to 0. According to my understanding, the _fileName of the fourth line in the watch window should indicate the same member variable of osg::Image as the _fileName on the first and second lines. Thus, I think all the _fileName in the debug watch window should have the same value. But, I am not sure why there are such differences.
MSVC++ implementation of std::string uses different storage strategies for short strings and for long ones. Short strings (16 bytes or less) are stored in a buffer embedded directly inside the std::string object (you will see it as _Bx._Buf in Raw View). Long strings are stored in an independently-allocated block of memory located elsewhere (pointed by _Bx._Ptr). If you violate the integrity of std::string object, you might easily end up in a situation as the one you describe. The objects thinks that the data should be stored in the external buffer, but in reality it is stored in the internal one and vice-versa. That might easily confuse the debugger as well. I suggest you open the Raw View of your std::string object and check what it shows in _Bx._Buf and _Bx._Ptr. If the current _Myres value is smaller or equal to the internal buffer size, then the data is [supposed to be] stored in the internal buffer. Otherwise, it is stored in the external memory block. See if this invariant really holds. If it doesn't, then there's your problem. Then you'll just have to find at which point it got broken.
For some reason your filename argument isn't getting .dicom attached to it when it becomes _filename ("digest" should become "digest.dicom"). OSG decides which plugin to use for file loading by extension, so it will have no idea how to load the current one. And so the second reference to _filename doesn't get intialized by any plugin. By the way, I don't think the dicom plugin is part of the standard OSG prebuilt package - you might have to gather the dependencies yourself and build the plugin.
Is it possible to store binary files inside an exe
Is it possible to do this: (for educational purpose). suppose I have a image file "image.jpg" I want to create a program when it executes it should create this image. That means the data of the image is stored in the exe. Is this possible to do? Something like this: link the image file from resource.rc then tell the compiler to get the data and store it (something like this unsigned char data_buffer[]="binary data of the image" then when the program is executed I can write this data to a file) (I'm using C++ with mingw compiler) Any help is highly appreciated.
There are several options: 1) Add it as a byte array in a source file. It is trivial to write an auxiliary program that reads the bytes from the files and writes the C source. E.g.: data_jpg.c: unsigned char data_jpg[] = {1,2,3... }; data_jpg.h: extern char data_jpg[]; const size_t data_jpg_size = 1000; 2) Add it as a binary resource to the executable. You said "exe", did you? So you are likely on Windows. Window EXE files can have binary resources, that can be located using the resource API. See the FindResource, LoadResource and GlobalLock, functions. resource.rc ID_DATA_JPG FILE "data.jpg" 3) Convert the binary file directly into a OBJ file and link it into the executable. In the old good days of turbo-c used to be a BINOBJ tool for that. And GNU tools can do it, AFAIk, but with MS tools, I really cannot tell.
With a PE file, you can add data(include bin data) to the PE file's tail as your resource. You just remember the PE file's size. But I'm not sure of that whether you need change the PE's checksum. And use VC++ Compiler to embed resources would be pretty much easy.
Embedding a file into a program
I want to embed a file in a program. It will be used for default configuration files if none are provided. I have realized I could just use default values, but I want to extract the file and place it on the disk so it can be modified.
By embedding do you mean distributing your program without the file? Then you can convert it to configuration initialization code in your build toolchain. Add a makefile step (or whatever tool you're using) - a script that converts this .cfg file into some C++ code file that initializes a configuration data structure. That way you can just modify the .cfg file, rebuild the project, and have the new values reflected inside. By the way, on Windows, you may have luck embedding your data in a resource file.
One common thing you can do is to represent the file data as an array of static bytes: // In a header file: extern const char file_data[]; extern const size_t file_data_size; // In a source file: const char file_data[] = {0x41, 0x42, ... }; // etc. const size_t file_data_size = sizeof(file_data); Then the file data will just be a global array of bytes compiled into your executable that you can reference anywhere. You'll have to either rewrite your file processing code to be able to handle a raw byte array, or use something like fmemopen(3) to open a pseudo-file handle from the data and pass that on to your file handling code. Of course, to get the data into this form, you'll need to use some sort of preprocessing step to convert the file into a byte array that the compiler can accept. A makefile would be good for this.
Embedded data are often called "resources". C++ provides no native support, but it can be managed in almost all executable file formats. Try searching for resource managers for c++.
If it's any Unix look into mapping the file into process memory with mmap(2). Windows has something similar but I never played with it.