How to change it to Winxp

Question

How to change it to Winxp

Opened this issue 7 years ago · 12 comments

Excuse me,I have read your code,But if I want to change it to WInxp,What should I do?

Answer 1 · 2018-01-08T13:12:34.000Z

No idea 😸

Basically, look at the PE specification for Windows XP, then use a debugger to run the code and debug it line by line.

I used OllyDBG, which is great and simple, as well as Hex Editor Neo, useful for reading the PE header sections as a human.

Also, 64 bit executables are different and slightly more complex than 32 bit executables that this code deals with, so you will need to adapt it for that as well if that is your case.

Generally, consider this project as a guide for your own project, as I have thoroughly commented the code line by line to keep track of what is doing what for what purpose.

I would be really glad to see the results if you mind sharing your code 😺

Answer 2 · 2018-01-09T07:41:58.000Z

Thank you ,I will try it.

Answer 3 · 2018-01-09T13:50:31.000Z

I have finsh the demo ,Thank you at all. IN xp ,the address static ，we can set getProcAddress and loadlibrary address. and we should change readfile and write file parameter。

Answer 4 · 2018-01-09T18:33:01.000Z

Do you mean that in Windows XP, getProcAddress and loadLibrary are not part of a shared library but statically mapped at a fixed address in memory, and thus their addresses can be hard-coded instead of being retrieved inside Kernel32.dll ?

Answer 5 · 2018-01-09T18:36:44.000Z

If you have finished your code I'd be curious to take a look at it 😸

Just to satisfy my curiosity (and you never know, having something that works on XP is always interesting )

Is it on GitHub, or do you prefer sharing it by another mean, or maybe later ?

Answer 6 · 2018-01-10T01:07:18.000Z

IT is a demo , the kernel32.dll's address in different xp version is different ,but is stastic, you can give me a email,i will share my demo with you,when i finished it i will pull it on github.

Answer 7 · 2018-01-10T01:36:12.000Z

In your code you have write sub ecx,4 is magic,in xp you have use it before on getprocess,It will work...magic offset

Answer 8 · 2018-01-10T08:53:15.000Z

I remember that offset that is there for no apparent reason. According to the PE specs there is supposed to be a one to one correspondance between symbol position and address position in the symbols and addresses arrays, the correspondance was indeed one to one for GetProcAddress but there was this weird one position jump seemingly out of nowhere for LoadLibrary.

Never understood why there was that mismatch, it took us a lot of headaches and random trials to finally figure out that it was not this address but the one next to it that was the right function.

But then again, Windowses are weird beasts, logic and consistency are not their forte in so many ways.

If you happen to find an explanation, I'm all ears 👂

Answer 9 · 2018-01-11T00:59:16.000Z

I don't have a good idea. first I think it is some problem about
'''
mov edi, [edx + ecx] ; edi -> symbol string name (RVA)
add edi, imageBase ; edi -> symbol string name (VA)
add ecx, sizeof dword
''''
when after compare,ecx is point to next,so i change it to
'''
xor ecx, ecx ; ecx = counter. Will contain the symbol's offset in the array.
sub ecx,4
browse_export_names:
add ecx, sizeof dword
mov edi, [edx + ecx] ; edi -> symbol string name (RVA)
add edi, imageBase ; edi -> symbol string name (VA)
'''
but i change it,it is wrong in wn7...

Answer 10 · 2018-01-13T02:44:55.000Z

I have pull my code on my girthub. url is https://github.com/letitbezh/PE-Injector.git

Answer 11 · 2018-01-14T10:25:56.000Z

Thanks !

Will take a look at it, but the fact that you commited the code changes in the same commit as the comments removal make it very hard to track what you actually have modified.

Btw, why remove the comments ?

Answer 12 · 2018-01-16T12:45:04.000Z

emmm.....It is my homework,I want to make trouble for my teacher。