PE Attributes changeable after loading?


shadow110
30th March 2004, 16:17
Hello.

I have a little question about PE attributes.
Is it possible to change an attribute of a section after the program is loaded?

I would like to change from: 40000040 to C0000040

If I change the PE header directly (before loading) it works (sure. *G) but I would like to change it, after loading.. Any idea?

EDIT: Ok, if I make my hack with Game Trainer Studio 1.5 I don't need to change the section attributes... I only need to write my code there and that's it. All works fine.

Greetings
Shadow110

bf194lover
30th March 2004, 22:42
Greets,

I don't see the point in modifying PE section permissions in memory (except to dump them - but even that can be changed offline by using PE editor).

If you need to write code/data to certain "readonly/code only" memory, simply use WriteProcessMemory API which implicitly bypasses the page protection attrs.
If that doesn't work use VirtualProtect(Ex) to change page permissions explicitly.

Anyway ... writing code to section begin (or simply use PE header as code cave) is not a good idea at all.
FYI pb reads initial bytes of each module section (0x8000 or fewer if section is smaller) while doing global and local memory scan.

>dump bfv_process_scan_map

Address | Length | possible Module
--------------------------------------------------
...
omitted for brevity
...
00400000 | 1000 | BfVietnam.exe
00401000 | 8000 | BfVietnam.exe
00AEF000 | 8000 | BfVietnam.exe
00C40000 | 3000 | BfVietnam.exe
00C43000 | 3000 | BfVietnam.exe
00C46000 | 4000 | BfVietnam.exe
00C4A000 | 2000 | BfVietnam.exe
00C4C000 | 1000 | BfVietnam.exe
00C4D000 | 8000 | BfVietnam.exe
00C55000 | 3000 | BfVietnam.exe
00C58000 | 1000 | BfVietnam.exe
00C59000 | 3000 | BfVietnam.exe
00C5C000 | 8000 | BfVietnam.exe
00C64000 | 1000 | BfVietnam.exe
00C65000 | 3000 | BfVietnam.exe
00C68000 | 8000 | BfVietnam.exe
00C70000 | 4000 | BfVietnam.exe
00C74000 | 1000 | BfVietnam.exe
00C75000 | 1000 | BfVietnam.exe
00C76000 | 1000 | BfVietnam.exe
00C77000 | 1000 | BfVietnam.exe
00C78000 | 7000 | BfVietnam.exe
00C7F000 | 1000 | BfVietnam.exe
00C80000 | 1000 | BfVietnam.exe
00C81000 | 1000 | BfVietnam.exe
00C82000 | 1000 | BfVietnam.exe
00C83000 | 4000 | BfVietnam.exe
00C87000 | 3000 | BfVietnam.exe
00C8A000 | 5000 | BfVietnam.exe
00C8F000 | 1000 | BfVietnam.exe
00C90000 | 6000 | BfVietnam.exe
00C96000 | 2000 | BfVietnam.exe
00C98000 | 4000 | BfVietnam.exe
00C9C000 | 8000 | BfVietnam.exe
00CA7000 | 2000 | BfVietnam.exe
00CA9000 | 2000 | BfVietnam.exe
00CAB000 | 1000 | BfVietnam.exe
00CAC000 | 7000 | BfVietnam.exe
00CB3000 | 1000 | BfVietnam.exe
00CB4000 | 1000 | BfVietnam.exe
00CB5000 | 5000 | BfVietnam.exe
00CBA000 | 8000 | BfVietnam.exe
00CC2000 | 3000 | BfVietnam.exe
00CC5000 | 1000 | BfVietnam.exe
00CC6000 | 3000 | BfVietnam.exe
00CC9000 | 8000 | BfVietnam.exe
00CD6000 | 8000 | BfVietnam.exe
00DB2000 | 1000 | BfVietnam.exe
00DB3000 | 1000 | BfVietnam.exe
...
omitted for brevity
...

You could use spare memory in section ends (if large enough) or private pages using VirtualAlloc(Ex).

Regards
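
As an added example (not part of the thread and not any poster's code): the two values in the question, 40000040 and C0000040, differ only in the IMAGE_SCN_MEM_WRITE bit, and the reply above notes that page permissions can be changed at run time independently of the header. The Python sketch below decodes the Characteristics field and, from the monitoring side, flags sections whose live page protection grants write or execute access that the on-disk header never declared. The section names and Protect values are constructed sample data.

```python
# Added example. Flag values are from the PE/COFF specification (winnt.h).
SCN_FLAGS = {
    0x00000020: "CNT_CODE",
    0x00000040: "CNT_INITIALIZED_DATA",
    0x00000080: "CNT_UNINITIALIZED_DATA",
    0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ",
    0x80000000: "MEM_WRITE",
}
# Win32 page protection constants (low byte of Protect) -> effective access.
PAGE_ACCESS = {
    0x01: "", 0x02: "R", 0x04: "RW", 0x08: "RW",      # NOACCESS, READONLY, READWRITE, WRITECOPY
    0x10: "X", 0x20: "RX", 0x40: "RWX", 0x80: "RWX",  # EXECUTE, EXECUTE_READ, EXECUTE_READWRITE, EXECUTE_WRITECOPY
}

def decode(characteristics):
    """Names of the known flags set in a section's Characteristics field."""
    return [name for bit, name in SCN_FLAGS.items() if characteristics & bit]

def declared_access(characteristics):
    """Access the section header asks the loader to grant, as a subset of 'RWX'."""
    return "".join(letter for bit, letter in
                   ((0x40000000, "R"), (0x80000000, "W"), (0x20000000, "X"))
                   if characteristics & bit)

def protection_drift(sections, observed):
    """Report sections whose live page protection grants W or X not declared on disk.

    sections: {name: Characteristics from the on-disk section header}
    observed: {name: Protect value as reported by VirtualQuery for that section}
    """
    findings = []
    for name, characteristics in sections.items():
        declared = declared_access(characteristics)
        live = PAGE_ACCESS.get(observed[name] & 0xFF, "?")
        gained = "".join(c for c in live if c in "WX" and c not in declared)
        if gained:
            findings.append((name, declared, live, gained))
    return findings

# Constructed sample data: section names and Protect values are made up.
ON_DISK = {".text": 0x60000020, ".rdata": 0x40000040, ".data": 0xC0000040}
LIVE = {".text": 0x20, ".rdata": 0x04, ".data": 0x04}

if __name__ == "__main__":
    print(decode(0x40000040), "->", decode(0xC0000040))
    for finding in protection_drift(ON_DISK, LIVE):
        print("drift: %s declared=%s live=%s gained=%s" % finding)
```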

shadow110
31st March 2004, 00:35
Hello.

Thanks for the info.. I only used the wrong function to write my code into memory... Now it works.

How do you scan for the scanned memory areas from pb?

Greetings
Shadow110

bf194lover
31st March 2004, 01:21
>How do you scan for the scanned memory areas from pb?

1) by hooking up the right APIs
2) by using virtual memory page guards (requires implementing a mini-debugger (loop) = one shot memory breakpoints)

Regards

shadow110
31st March 2004, 02:11
...

I think that is too complicated for me at the moment. *G I have to learn....many things..

Greetings
Shadow110

caliber1942
31st March 2004, 08:35
bf194lover scares me....... heh

MarlonB
31st March 2004, 11:44
It's even easier ... disable the pb scanners ;)

shadow110
31st March 2004, 12:07
What do you mean by disable PB Scanners?