  1. POImagebase error in Delphi EXE
<p>I am writing an EXE wrapper (sort of packer) to protect my EXE and in turn it will get executed directly into memory. The below sample shows executing Calculator into memory.</p>
<pre><code>{$R *.dfm}

procedure TForm1.Button1Click(Sender: TObject);
var
  i: Integer;
begin
  FS := TFileStream.Create('calc.exe', fmOpenRead or fmShareDenyNone);
  SetLength(eu, FS.Size);
  FS.Read(eu[0], FS.Size);
  FS.Free;
  SInfo.cb := Sizeof(TStartupInfo);
  CreateProcess(nil, Pchar(paramstr(0)), nil, nil, FALSE, CREATE_SUSPENDED, nil, nil, SInfo, PInfo);
  IDH := @eu[0];
  INH := @eu[IDH^._lfanew];
  imgbase := DWORD(VirtualAllocEx(PInfo.hProcess, Ptr(INH^.OptionalHeader.ImageBase), INH^.OptionalHeader.SizeOfImage, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE));
  ShowMessage(IntToHex(imgbase, 8));
  WriteProcessMemory(PInfo.hProcess, Ptr(imgbase), @eu[0], INH^.OptionalHeader.SizeOfHeaders, SIZE_T(btsIO));
  for i := 0 to INH^.FileHeader.NumberOfSections - 1 do
  begin
    ISH := @eu[IDH^._lfanew + Sizeof(TImageNtHeaders) + i * Sizeof(TImageSectionHeader)];
    WriteProcessMemory(PInfo.hProcess, Ptr(imgbase + ISH^.VirtualAddress), @eu[ISH^.PointerToRawData], ISH^.SizeOfRawData, SIZE_T(btsIO));
  end;
  CONT.ContextFlags := CONTEXT_FULL;
  GetThreadContext(PInfo.hThread, CONT);
  CONT.Eax := imgbase + INH^.OptionalHeader.AddressOfEntryPoint;
  WriteProcessMemory(PInfo.hProcess, Ptr(CONT.Ebx + 8), @imgbase, 4, SIZE_T(btsIO));
  ShowMessage('Press ok on ENTER');
  SetThreadContext(PInfo.hThread, CONT);
  ResumeThread(PInfo.hThread);
  CloseHandle(PInfo.hThread);
  CloseHandle(PInfo.hProcess);
end;
</code></pre>
<p>I changed the code to include an extra resource. At this point, to my surprise, the Imagebase becomes zero!</p>
<pre><code>{$R *.dfm}
{$R test.res} // extra resource added

procedure TForm1.Button1Click(Sender: TObject);
var
  i: Integer;
begin
  FS := TFileStream.Create('calc.exe', fmOpenRead or fmShareDenyNone);
  SetLength(eu, FS.Size);
  FS.Read(eu[0], FS.Size);
  FS.Free;
  SInfo.cb := Sizeof(TStartupInfo);
  CreateProcess(nil, Pchar(paramstr(0)), nil, nil, FALSE, CREATE_SUSPENDED, nil, nil, SInfo, PInfo);
  IDH := @eu[0];
  INH := @eu[IDH^._lfanew];
  imgbase := DWORD(VirtualAllocEx(PInfo.hProcess, Ptr(INH^.OptionalHeader.ImageBase), INH^.OptionalHeader.SizeOfImage, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE));
  ShowMessage(IntToHex(imgbase, 8));
  .....
  .....
</code></pre>
<ul>
<li>In the first example, I got Imagebase = 01000000 (code works perfectly)</li>
<li>In the second example (where I added an extra resource to my project) I am getting Imagebase = 00000000 (code fails)</li>
</ul>
<p>Can anyone please explain to me why this is so?</p>
 
