EXE's are they extractable?? 

If you know the CS DS ES SS of an already loaded EXE, as well as the IP
address, is it possible to extract the entire program from memory and
rebuild it in its original form??

Ian



Wed, 26 May 1999 03:00:00 GMT  

Quote:

> If you know the CS DS ES SS of an already loaded EXE, as well as the IP
> address, is it possible to extract the entire program from memory and
> rebuild it in its original form??

Not really. An EXE file supports relocatable segment references that
are resolved (located) at load time. The segment relocation table
at the beginning of the EXE file is discarded after the file has
been loaded into memory. So if you have a loaded EXE file image
in memory and know the current values of the segment registers
then that location is the only place the file will execute
correctly. The EXE file format also supports embedded overlays.
This means that not all of the executable code needs to be in
memory at the initial load time.

Charles.



Wed, 26 May 1999 03:00:00 GMT  


#If you know the CS DS ES SS of an already loaded EXE, as well as the IP
#address, is it possible to extract the entire program from memory and
#rebuild it in its original form??

Not in the general case, but perhaps close enough for your purposes.
The loader has allocated memory and fixed up relocatable addresses based
upon the information in the EXE header. You need to recreate this information
by subtracting the load address from all relocatable addresses. In some cases,
it is obvious where this needs to be done, but in other cases it can be quite
difficult.

Consider the instruction MOV AX,1C50.

Is this a relocatable value or a constant?
If the next instruction is MOV ES,AX then most likely it is a segment address.
However, if the next instruction is MOV [234],AX it could be anything.

-- Chuck



Fri, 28 May 1999 03:00:00 GMT  
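
Added example, not written by any of the posters above: a Python sketch of the point both replies make. It wraps a constructed 11-byte load image in a minimal MZ header, applies the loader's segment fixups, and shows that undoing them is exact with the relocation table but wrong with a blind guess, because the relocated segment and the constant both read `MOV AX,1C50` in memory. The load segment 1C40h, the code bytes and all function names are assumptions made for illustration.

```python
import struct

HDR = "<2s13H"  # "MZ" signature + 13 header words = 28 bytes

def build_mz(image, relocs):
    """Wrap a load image in a minimal MZ header plus relocation table."""
    table = b"".join(struct.pack("<HH", off, seg) for off, seg in relocs)
    hdr_len = -(-(28 + len(table)) // 16) * 16      # header is whole paragraphs
    total = hdr_len + len(image)
    hdr = struct.pack(HDR, b"MZ", total % 512, -(-total // 512), len(relocs),
                      hdr_len // 16, 0, 0xFFFF, 0, 0x100, 0, 0, 0, 28, 0)
    return (hdr + table).ljust(hdr_len, b"\0") + image

def parse_mz(exe):
    """Return (relocation entries, load image) from an MZ file."""
    f = struct.unpack_from(HDR, exe)
    if f[0] != b"MZ":
        raise ValueError("not an MZ executable")
    nreloc, hdr_paras, reloc_off = f[3], f[4], f[12]
    relocs = [struct.unpack_from("<HH", exe, reloc_off + 4 * i) for i in range(nreloc)]
    return relocs, exe[hdr_paras * 16:]

def fixup(image, relocs, start_seg, sign=1):
    """Add (sign=1, as the loader does) or subtract (sign=-1) start_seg at each entry."""
    mem = bytearray(image)
    for off, seg in relocs:
        pos = seg * 16 + off                        # entry is segment:offset into the image
        (word,) = struct.unpack_from("<H", mem, pos)
        struct.pack_into("<H", mem, pos, (word + sign * start_seg) & 0xFFFF)
    return bytes(mem)

def blind_unrelocate(mem, start_seg):
    """Deliberately naive guess, no table: every MOV AX,imm16 >= start_seg is a segment."""
    guesses = [(i + 1, 0) for i in range(len(mem) - 2)
               if mem[i] == 0xB8 and struct.unpack_from("<H", mem, i + 1)[0] >= start_seg]
    return fixup(mem, guesses, start_seg, -1)

# Constructed sample: MOV AX,0010 (segment ref) / MOV ES,AX /
#                     MOV AX,1C50 (plain constant) / MOV [0234],AX
IMAGE = bytes.fromhex("b81000" "8ec0" "b8501c" "a33402")
EXE = build_mz(IMAGE, [(1, 0)])     # one fixup: the word at 0000:0001
START_SEG = 0x1C40                  # assumed load segment

if __name__ == "__main__":
    relocs, image = parse_mz(EXE)
    loaded = fixup(image, relocs, START_SEG)
    print("in memory       :", loaded.hex(" "))
    print("with the table  :", fixup(loaded, relocs, START_SEG, -1) == IMAGE)
    print("blind heuristic :", blind_unrelocate(loaded, START_SEG) == IMAGE)
```
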
 