Re: some questions



randyhyde@xxxxxxxxxxxxx wrote:
> ¬a\/b wrote:
>> Do you know how one program can see if it
>> is running on a debug program?

> With some debuggers, yes. But with a good virtual machine
> implementation, no.

Unless you resort to some really extreme code, which might end up breaking
for whatever reasons. On the somewhat less extreme front, you can do VMWare
detection pretty easily (dunno about qemu, virtualpc, bochs) - but again,
that can probably be patched too, without too much bother.

>> What assembly instruction can I use to see if
>> my program is loaded from a debug program
>> (or loaded from the OS)?

> Under Windows, there is a call you can make, IIRC. But that's easy
> enough to circumvent.

There's a call and there's a location at FS:xx, but both are unreliable
since they're (very) easily handled by user-mode code - in fact, there are
plugins for OllyDbg to hide this detection vector.

>> Can I build a PE that appears like this
>> *snip*

> I think you believe that the program loader loads the PE header into
> memory. It doesn't have to do this (and usually doesn't). Therefore,
> that space you're calling the "PE HEADER" doesn't exist when your
> program executes. Assuming, of course, that I understand your
> question.

Now, I didn't care to read all the way through the following randy<->betov
exchange, so I don't know if the question has been properly answered. But
Windows does in fact usually load the PE header into memory. Or, rather, the
way the PE loader handles stuff is to set up a file mapping (NT section
object) and let the page-fault-driven demand loader handle more or less the
rest.

You can use GetModuleHandle(0) to get your image load address (it isn't
documented that it works this way, though, so that might break in the
future) - right at your base address you'll find the PE header. At least
that's the way it works with all imagebase:0x400000 executables I've seen.

>> With a PE program that has no static data,
>> could it run if I "jmp first instruction"?
>> Have a good summer.

> Again, the program loader doesn't simply load all the bytes of a PE
> file into memory. It reads the meta data into local storage (inside
> the loader) and then moves the important code and data to an
> appropriate location in the new memory space it creates for the user.

Wrong :)
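The header walk the reply describes, as an added example that is not part of this thread (neither randyhyde's nor the replier's code): on Windows `base` would be whatever GetModuleHandle(0) returns, since the PE header sits right at the image base; here it is a constructed 512-byte buffer holding only a DOS header, the "PE\0\0" signature and the front of a PE32 optional header, so it compiles and runs off Windows. The struct subset, the function names (`pe_inspect`, `build_sample_image`, `inspect_sample`, `sample_entry_offset`) and the sample field values (ImageBase 0x400000, entry RVA 0x1000, two sections) are my own choices for illustration, not anything taken from the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Subset of the PE headers, byte-for-byte as winnt.h lays them out. */
#pragma pack(push, 1)
typedef struct {
    uint16_t e_magic;             /* "MZ" */
    uint8_t  e_rest[58];          /* e_cblp .. e_res2: the loader ignores these */
    uint32_t e_lfanew;            /* offset of "PE\0\0" from the image base */
} DosHeader;                      /* 64 bytes */
typedef struct {
    uint32_t Signature;           /* "PE\0\0" */
    uint16_t Machine;             /* 0x014c = i386 */
    uint16_t NumberOfSections;
    uint8_t  rest[12];            /* TimeDateStamp, PointerToSymbolTable, NumberOfSymbols */
    uint16_t SizeOfOptionalHeader;
    uint16_t Characteristics;
} NtHeaderCommon;                 /* 24 bytes */
typedef struct {
    uint16_t Magic;               /* 0x010b = PE32 */
    uint8_t  rest[14];            /* linker version and the three size fields */
    uint32_t AddressOfEntryPoint; /* RVA: offset from wherever the image landed */
    uint32_t BaseOfCode, BaseOfData;
    uint32_t ImageBase;           /* preferred base, 0x400000 for a typical EXE */
} OptionalHeader32Head;           /* first 32 bytes of the PE32 optional header */
#pragma pack(pop)

#define DOS_MAGIC    0x5A4Du
#define PE_SIGNATURE 0x00004550u
#define PE32_MAGIC   0x010Bu

typedef struct {
    int       valid;              /* 1 only if every check in pe_inspect passed */
    uint16_t  sections;
    uint32_t  image_base, entry_rva;
    uintptr_t entry_address;      /* real base + entry RVA, i.e. where a "jmp first
                                     instruction" lands; ImageBase is only the request */
} PeInfo;

/* Walk the headers the loader leaves mapped at the image base. On Windows
 * `base` would be GetModuleHandle(0); here it is a buffer so it runs anywhere.
 * Every read is bounded by `size`, because e_lfanew comes from the file. */
static PeInfo pe_inspect(const uint8_t *base, size_t size)
{
    PeInfo info; DosHeader dos; NtHeaderCommon nt; OptionalHeader32Head opt;
    memset(&info, 0, sizeof info);
    if (size < sizeof dos) return info;
    memcpy(&dos, base, sizeof dos);
    if (dos.e_magic != DOS_MAGIC) return info;
    if (dos.e_lfanew > size - sizeof nt - sizeof opt) return info; /* size >= 64 here */
    memcpy(&nt, base + dos.e_lfanew, sizeof nt);
    if (nt.Signature != PE_SIGNATURE || nt.SizeOfOptionalHeader < sizeof opt) return info;
    memcpy(&opt, base + dos.e_lfanew + sizeof nt, sizeof opt);
    if (opt.Magic != PE32_MAGIC) return info;
    info.valid = 1;
    info.sections = nt.NumberOfSections;
    info.image_base = opt.ImageBase;
    info.entry_rva = opt.AddressOfEntryPoint;
    info.entry_address = (uintptr_t)base + opt.AddressOfEntryPoint;
    return info;
}

/* Constructed 512-byte stand-in for a mapped PE32 image (not a real binary). */
#define SAMPLE_SIZE 0x200
static void build_sample_image(uint8_t *buf)
{
    DosHeader dos = {0}; NtHeaderCommon nt = {0}; OptionalHeader32Head opt = {0};
    dos.e_magic = DOS_MAGIC;        dos.e_lfanew = 0x80;
    nt.Signature = PE_SIGNATURE;    nt.Machine = 0x014C;
    nt.NumberOfSections = 2;        nt.SizeOfOptionalHeader = 0xE0; /* full PE32 size */
    opt.Magic = PE32_MAGIC;         opt.AddressOfEntryPoint = 0x1000;
    opt.BaseOfCode = 0x1000;        opt.ImageBase = 0x400000;
    memset(buf, 0, SAMPLE_SIZE);    memcpy(buf, &dos, sizeof dos);
    memcpy(buf + 0x80, &nt, sizeof nt);
    memcpy(buf + 0x80 + sizeof nt, &opt, sizeof opt);
}

/* Inspect the sample; with corrupt_lfanew set, e_lfanew points far past the
 * buffer and pe_inspect must refuse rather than read out of bounds. */
static PeInfo inspect_sample(int corrupt_lfanew)
{
    uint8_t img[SAMPLE_SIZE]; uint32_t bad = 0xFFFFFF00u;
    build_sample_image(img);
    if (corrupt_lfanew) memcpy(img + offsetof(DosHeader, e_lfanew), &bad, sizeof bad);
    return pe_inspect(img, sizeof img);
}

/* Entry address minus the buffer's own address: 0x1000 for the sample. */
static uintptr_t sample_entry_offset(void)
{
    uint8_t img[SAMPLE_SIZE];
    build_sample_image(img);
    return pe_inspect(img, sizeof img).entry_address - (uintptr_t)img;
}
```

Two details carry the point of the exchange: the bounds check on `e_lfanew` is there because that field comes straight from the file, so anything that walks headers in memory (an unpacker, a loader, an anti-debug trick that wants its own entry point) must treat it as untrusted; and the entry address is formed from the base the image actually got, not from ImageBase, which is exactly why "jmp first instruction" works from whatever GetModuleHandle(0) hands back.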
