simple parse and rebuild of calc.exe

Open joemikhailgwu opened this issue 6 years ago • 9 comments

Following the tutorial directions, I cannot do a simple parse and rebuild of calc.exe and other binaries.

self.fileParsed = lief.parse(theFile)
builder = lief.PE.Builder(self.fileParsed)
# Configure it to rebuild and patch the imports
builder.build_imports(True).patch_imports(True)
# Build !
builder.build()
# Save the result
builder.write(outputname)

The rebuilt exe generates a Windows error message: Windows Calculator has stopped working.

joemikhailgwu, Nov 14 '19 20:11

Hello @joemikhailgwu Does it still fail if you set builder.build_imports(False).patch_imports(False) ?

romainthomas, Nov 16 '19 12:11

Yes it does fail.

Joe

joemikhailgwu, Nov 16 '19 15:11

any updates?

joemikhailgwu, Dec 14 '19 18:12

@joemikhailgwu which Calculator? The Windows 10 modern application usually found here: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1910.0.0_x64__8wekyb3d8bbwe\Calculator.exe?

0xeb, Jan 23 '20 19:01

Calc.exe in system32

joemikhailgwu, Jan 23 '20 19:01

I have not tried your case exactly but I suspect the problem is that when patch_imports is used, then LIEF hardcodes the addresses to the import stubs w/o adding proper relocation information.

Try deleting the relocations or disabling ASLR and see if that works:

# Disable ASLR
binary.optional_header.dll_characteristics &= ~lief.PE.DLL_CHARACTERISTICS.DYNAMIC_BASE

0xeb, Jan 23 '20 20:01
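
An added example, not part of the original thread and not LIEF code: a stdlib-only check of the two header fields the comment above points at, the DYNAMIC_BASE bit in DllCharacteristics and the base relocation directory, plus the same bit-clear as the suggested workaround. The function names and the sample header bytes are constructed for illustration.

```python
import struct

DYNAMIC_BASE = 0x0040   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
RELOC_DIR_INDEX = 5     # IMAGE_DIRECTORY_ENTRY_BASERELOC

def _optional_header(data):
    """Return (offset, magic) of the optional header after checking signatures."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20          # skip PE signature and COFF file header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    return opt, magic

def aslr_state(data):
    """Report whether the image opts into ASLR and where its relocations live."""
    opt, magic = _optional_header(data)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dirs = opt + (96 if magic == 0x10B else 112)   # start of DataDirectory
    (count,) = struct.unpack_from("<I", data, dirs - 4)
    rva = size = 0
    if count > RELOC_DIR_INDEX:
        rva, size = struct.unpack_from("<II", data, dirs + 8 * RELOC_DIR_INDEX)
    return {"dynamic_base": bool(dll_chars & DYNAMIC_BASE),
            "reloc_rva": rva, "reloc_size": size}

def clear_dynamic_base(data):
    """Return a copy of the image with only the DYNAMIC_BASE bit cleared."""
    opt, _ = _optional_header(data)
    out = bytearray(data)
    (dll_chars,) = struct.unpack_from("<H", out, opt + 70)
    struct.pack_into("<H", out, opt + 70, dll_chars & ~DYNAMIC_BASE)
    return bytes(out)

def sample_pe64_headers():
    """Constructed PE32+ headers (no sections), for demonstration only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 70, 0x8160)   # flag set that includes DYNAMIC_BASE
    struct.pack_into("<I", opt, 108, 16)      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * RELOC_DIR_INDEX, 0x5000, 0x200)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

Running `aslr_state` on the original and the rebuilt file shows whether the rebuilt image can still be rebased (flag set and a non-empty relocation directory), which is the condition under which hardcoded import stub addresses would break.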

I have checked the source code of the imports patcher and I see no sign of relocations being added for the import trampoline pointers. If I have time, I might fix the code, but maybe @romainthomas has it already.

0xeb, Jan 23 '20 20:01

@joemikhailgwu @0xeb I didn't look at this issue yet but if you have a fix I can do a review.

romainthomas, Jan 27 '20 06:01

same problem for me.

waruqi, May 28 '20 14:05