Databases
StackOverflow2013
Postsdbo
POImagebase error in Delphi EXE
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POImagebase error in Delphi EXE
    primarykey
    data
    text
    <p>I am writing an EXE wrapper (sort of packer) to protect my EXE and in turn it will get executed directly into memory. The below sample shows executing Calculator into memory.</p> <pre><code>{$R *.dfm} procedure TForm1.Button1Click(Sender: TObject); var i: Integer; begin FS := TFileStream.Create('calc.exe', fmOpenRead or fmShareDenyNone); SetLength(eu, FS.Size); FS.Read(eu[0], FS.Size); FS.Free; SInfo.cb := Sizeof(TStartupInfo); CreateProcess(nil, Pchar(paramstr(0)), nil, nil, FALSE, CREATE_SUSPENDED, nil, nil, SInfo, PInfo); IDH := @eu[0]; INH := @eu[IDH^._lfanew]; imgbase := DWORD(VirtualAllocEx(PInfo.hProcess, Ptr(INH^.OptionalHeader.ImageBase), INH^.OptionalHeader.SizeOfImage, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE)); ShowMessage(IntToHex(imgbase, 8)); WriteProcessMemory(PInfo.hProcess, Ptr(imgbase), @eu[0], INH^.OptionalHeader.SizeOfHeaders, SIZE_T(btsIO)); for i := 0 to INH^.FileHeader.NumberOfSections - 1 do begin ISH := @eu[IDH^._lfanew + Sizeof(TImageNtHeaders) + i * Sizeof(TImageSectionHeader)]; WriteProcessMemory(PInfo.hProcess, Ptr(imgbase + ISH^.VirtualAddress), @eu[ISH^.PointerToRawData], ISH^.SizeOfRawData, SIZE_T(btsIO)); end; CONT.ContextFlags := CONTEXT_FULL; GetThreadContext(PInfo.hThread, CONT); CONT.Eax := imgbase + INH^.OptionalHeader.AddressOfEntryPoint; WriteProcessMemory(PInfo.hProcess, Ptr(CONT.Ebx + 8), @imgbase, 4, SIZE_T(btsIO)); ShowMessage('Press ok on ENTER'); SetThreadContext(PInfo.hThread, CONT); ResumeThread(PInfo.hThread); CloseHandle(PInfo.hThread); CloseHandle(PInfo.hProcess); end; </code></pre> <p>I changed the code to include an extra resource. At this point, to my surprise, the Imagebase becomes zero! </p> <pre><code> {$R *.dfm} {$R test.res} //extra resourse added procedure TForm1.Button1Click(Sender: TObject); var i: Integer; begin FS := TFileStream.Create('calc.exe', fmOpenRead or fmShareDenyNone); SetLength(eu, FS.Size); FS.Read(eu[0], FS.Size); FS.Free; SInfo.cb := Sizeof(TStartupInfo); CreateProcess(nil, Pchar(paramstr(0)), nil, nil, FALSE, CREATE_SUSPENDED, nil, nil, SInfo, PInfo); IDH := @eu[0]; INH := @eu[IDH^._lfanew]; imgbase := DWORD(VirtualAllocEx(PInfo.hProcess, Ptr(INH^.OptionalHeader.ImageBase), INH^.OptionalHeader.SizeOfImage, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE)); ShowMessage(IntToHex(imgbase, 8)); ..... ..... </code></pre> <ul> <li>In the first example, i got Imagebase = 01000000 (code works perfectly)</li> <li>In the second example (where I added an extra resourse to my project) I am getting Imagebase = 00000000 (Code fails..)</li> </ul> <p>Can Anyone please explain me why it is so..?</p>
    singulars
    1. PO
      singulars
      1. PTAnswer
    1. This table or related slice is empty.
    1. PTQuestion
    1. USjimsweb
    1. USjimsweb
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PO
      singulars
      1. PTAnswer
    1. VO
      singulars
      1. POImagebase error in Delphi EXE
      1. This table or related slice is empty.
      1. VTDownMod
    1. COYou are aware that executing from memory is not supported?
      singulars
      1. POImagebase error in Delphi EXE
      1. USDavid Heffernan
    2. COThanks David for your comment. As far as I know it is legal and allowed. Look at way how UPX is executing compressed exe.. First, the original code is being decompressed into memory and then it gets executed. The same is true for most of the famous exe packers. ASPack also does the same, however, it has much better encryption and protection mechanism against crackers than what we have in UPX. Here we are not trying to execute a malicious code, instead we are trying to create a legal wrapper which works exactly same as UPX or ASPack. Hope this clarifies the scenario in a better way.
      singulars
      1. POImagebase error in Delphi EXE
      1. USjimsweb
    3. COWell, my point is just that MS does not support loading images from memory and code that does so is liable to break in the face of future releases or even OS updates. I understand why you want to do this I just wanted to make sure you knew that it was not supported to do it.
      singulars
      1. POImagebase error in Delphi EXE
      1. USDavid Heffernan
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload