PE File Run Fixedbase

Runs PE executables that were linked without relocation information (a fixed image base) by placing them into an executable buffer inside the loader itself.

Runs a fixed-base PE executable by placing it at the beginning of the loader's own image. This works by having the MSVC++ linker put a special “dummy section” in front of all other PE sections of the loader, so the executable's sections land at exactly the virtual addresses they were linked for. Because the executable then lives inside the loader's image, both share one module handle (image base), and no internal Win32 loader structures have to be patched.

Steps

  1. create a “.exebuf” section from code and place a big char buffer into it using __declspec(allocate(".exebuf")); note that #pragma code_seg only places functions, so a section that receives data via __declspec(allocate()) has to be declared with #pragma section
  2. create an empty “.newexe” code_seg section after it (#pragma code_seg(".newexe"))
  3. pass the linker option /MERGE:.text=.newexe, so the loader's own code ends up in .newexe and no separate .text section is emitted in front of the buffer
  4. disable Link Time Code Generation (/GL, /LTCG), which would otherwise recreate a .text section
  5. disable Incremental Linking (/INCREMENTAL:NO), which gets rid of the .textbss section
  6. verify in the main function that the char buffer sits at GetModuleHandle( NULL ) + 0x1000, i.e. directly behind the loader's headers (equivalently, buffer - 0x1000 == GetModuleHandle( NULL )); the loader itself must be linked at the image base the executable expects (/BASE), otherwise the module handles do not coincide
  7. load the custom executable and verify that its image (minus the headers) is small enough to fit into the buffer
  8. copy its sections into the buffer and resolve all of its references (imported functions), writing the addresses into its import address table
  9. call the entry point
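
The procedure above as an added, self-contained C example (not the project's own code): it declares the .exebuf/.newexe sections for MSVC, and implements the size check, section mapping and import resolution of steps 7 and 8 over a constructed minimal PE32 image, so the PE-side logic can be exercised on any platform; the Windows-only steps 6 and 9 sit behind _WIN32. EXEBUF_SIZE, the shortened struct names, pe_load_fixed, run_fixed_base, build_sample_image and demo_resolve are names and values chosen for this example. It goes slightly beyond the list by bounds-checking every RVA against the buffer and by handling imports by ordinal as well as by name.

```c
/* Added example, not the original project's code: the PE-side half of a fixed-base loader in portable C.
 * The .exebuf/.newexe plumbing is MSVC-only (behind _MSC_VER); GetModuleHandle, GetProcAddress and the
 * entry call are behind _WIN32. EXEBUF_SIZE, the sample image and demo_resolve are assumptions. */
#include <stdint.h>
#include <string.h>
#define FIRST_SECTION_RVA 0x1000u           /* the buffer must start right behind the loader's own headers */
#define EXEBUF_SIZE (256u * 1024u)          /* assumed capacity for the target's sections (headers excluded) */
#ifdef _MSC_VER
#pragma section(".exebuf", read, write, execute)  /* __declspec(allocate) needs #pragma section, not code_seg */
__declspec(allocate(".exebuf")) unsigned char exebuf[EXEBUF_SIZE];
#pragma code_seg(".newexe")                       /* code below lands in .newexe; link with /MERGE:.text=.newexe */
#else
unsigned char exebuf[EXEBUF_SIZE];
#endif
#pragma pack(push, 1)                             /* PE/COFF layouts; fields this loader never reads are padding */
typedef struct { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; } DosHdr;
typedef struct { uint16_t Machine, NumberOfSections; uint8_t pad[12]; uint16_t SizeOfOptionalHeader, Characteristics; } FileHdr;
typedef struct { uint32_t VirtualAddress, Size; } DataDir;
typedef struct { uint16_t Magic; uint8_t pad1[14]; uint32_t AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase,
                 SectionAlignment, FileAlignment; uint8_t pad2[16]; uint32_t SizeOfImage, SizeOfHeaders; uint8_t pad3[28];
                 uint32_t NumberOfRvaAndSizes; DataDir DataDirectory[16]; } OptHdr32;               /* 224 bytes */
typedef struct { uint32_t Signature; FileHdr fh; OptHdr32 oh; } NtHdrs32;
typedef struct { char Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData; uint8_t pad[12];
                 uint32_t Characteristics; } SecHdr;
typedef struct { uint32_t OriginalFirstThunk, Stamp, ForwarderChain, Name, FirstThunk; } ImpDesc;
#pragma pack(pop)
typedef uint32_t (*resolver_fn)(const char *dll, const char *name, uint16_t ordinal);
/* Steps 7 and 8: validate a PE32 file against our fixed base, copy its sections into buf (assumed to sit at
 * expected_base + FIRST_SECTION_RVA) and fill its IAT through resolve(). Returns the entry RVA, 0 on failure. */
uint32_t pe_load_fixed(const uint8_t *file, size_t len, uint8_t *buf, size_t bufsz, uint32_t expected_base,
                       resolver_fn resolve)
{
#define RVA(r) (((r) >= FIRST_SECTION_RVA && (r) - FIRST_SECTION_RVA < bufsz) ? buf + ((r) - FIRST_SECTION_RVA) : NULL)
    const DosHdr *dos = (const DosHdr *)file;
    if (len < sizeof *dos || dos->e_magic != 0x5A4D || (size_t)dos->e_lfanew + sizeof(NtHdrs32) > len) return 0;
    const NtHdrs32 *nt = (const NtHdrs32 *)(file + dos->e_lfanew);
    if (nt->Signature != 0x4550 || nt->oh.Magic != 0x10B || nt->oh.ImageBase != expected_base) return 0;
    if (nt->oh.SizeOfImage < FIRST_SECTION_RVA || nt->oh.SizeOfImage - FIRST_SECTION_RVA > bufsz) return 0;
    const SecHdr *sec = (const SecHdr *)((const uint8_t *)nt + 4 + sizeof(FileHdr) + nt->fh.SizeOfOptionalHeader);
    if ((const uint8_t *)(sec + nt->fh.NumberOfSections) > file + len) return 0;
    memset(buf, 0, bufsz);
    for (unsigned i = 0; i < nt->fh.NumberOfSections; i++) {          /* map sections; the headers stay the loader's */
        uint32_t raw = sec[i].SizeOfRawData, fo = sec[i].PointerToRawData; uint8_t *dst = RVA(sec[i].VirtualAddress);
        if (!dst || raw > bufsz - (size_t)(dst - buf) || (size_t)fo + raw > len) return 0;
        memcpy(dst, file + fo, raw);
    }
    const DataDir imp = nt->oh.DataDirectory[1];                       /* import directory, walked inside the buffer */
    for (const ImpDesc *d = imp.Size ? (const ImpDesc *)RVA(imp.VirtualAddress) : NULL;
         d && (const uint8_t *)(d + 1) <= buf + bufsz && d->Name; d++) {
        const char *dll = (const char *)RVA(d->Name); uint32_t *thunk = (uint32_t *)RVA(d->FirstThunk);
        const uint32_t *orig = d->OriginalFirstThunk ? (const uint32_t *)RVA(d->OriginalFirstThunk) : thunk;
        if (!dll || !thunk || !orig) return 0;
        for (; *orig; orig++, thunk++) {                               /* the thunk walk trusts the 0 terminator */
            const char *hint = (*orig & 0x80000000u) ? NULL : (const char *)RVA(*orig);   /* NULL: import by ordinal */
            if (!(*orig & 0x80000000u) && !hint) return 0;
            if (!(*thunk = resolve(dll, hint ? hint + 2 : NULL, (uint16_t)*orig))) return 0;  /* name after 2-byte hint */
        }
    }
    return nt->oh.AddressOfEntryPoint;
#undef RVA
}
#ifdef _WIN32                                                       /* steps 6 and 9: 32-bit MSVC build only */
#include <windows.h>
static uint32_t win_resolve(const char *dll, const char *name, uint16_t ord) {
    HMODULE m = LoadLibraryA(dll);
    return m ? (uint32_t)(uintptr_t)GetProcAddress(m, name ? name : (LPCSTR)(uintptr_t)ord) : 0;
}
int run_fixed_base(const uint8_t *file, size_t len) {
    uintptr_t base = (uintptr_t)GetModuleHandleA(NULL);
    if ((uintptr_t)exebuf != base + FIRST_SECTION_RVA) return -1;     /* buffer must sit right behind our headers */
    uint32_t ep = pe_load_fixed(file, len, exebuf, sizeof exebuf, (uint32_t)base, win_resolve);
    if (ep) ((void (*)(void))(base + ep))();
    return ep ? 0 : -1;
}
#endif
/* Constructed sample (not a real binary): a minimal fixed-base PE32 with one section holding a one-byte
 * entry stub (ret) and an import table naming KERNEL32.dll!ExitProcess. Returns the file size. */
size_t build_sample_image(uint8_t *out, size_t cap, uint32_t image_base)
{
    const uint32_t hdr = 0x200, rva = 0x1000, raw = 0x200, hint_rva = rva + 0x70;
    if (cap < hdr + raw) return 0; memset(out, 0, hdr + raw);
    DosHdr *dos = (DosHdr *)out; dos->e_magic = 0x5A4D; dos->e_lfanew = 0x40;
    NtHdrs32 *nt = (NtHdrs32 *)(out + 0x40); nt->Signature = 0x4550; nt->fh.Machine = 0x14C;
    nt->fh.NumberOfSections = 1; nt->fh.SizeOfOptionalHeader = sizeof(OptHdr32); nt->fh.Characteristics = 0x0103; /* RELOCS_STRIPPED|EXE|32BIT */
    nt->oh.Magic = 0x10B; nt->oh.ImageBase = image_base; nt->oh.SectionAlignment = 0x1000; nt->oh.FileAlignment = 0x200;
    nt->oh.SizeOfImage = 0x2000; nt->oh.SizeOfHeaders = hdr; nt->oh.AddressOfEntryPoint = rva; nt->oh.NumberOfRvaAndSizes = 16;
    nt->oh.DataDirectory[1].VirtualAddress = rva + 0x10; nt->oh.DataDirectory[1].Size = 2 * sizeof(ImpDesc);
    SecHdr *s = (SecHdr *)(nt + 1); memcpy(s->Name, ".text", 5); s->VirtualAddress = rva;
    s->VirtualSize = s->SizeOfRawData = raw; s->PointerToRawData = hdr; s->Characteristics = 0x60000020;
    uint8_t *p = out + hdr; p[0] = 0xC3;                              /* entry point: ret */
    ImpDesc *d = (ImpDesc *)(p + 0x10);                               /* one descriptor; the zero terminator follows */
    d->OriginalFirstThunk = rva + 0x40; d->FirstThunk = rva + 0x50; d->Name = rva + 0x60;
    memcpy(p + 0x40, &hint_rva, 4); memcpy(p + 0x50, &hint_rva, 4);   /* INT and IAT, one entry each */
    memcpy(p + 0x60, "KERNEL32.dll", 13); memcpy(p + 0x72, "ExitProcess", 12);  /* 2-byte hint, then name, at +0x70 */
    return hdr + raw;
}
uint32_t demo_resolve(const char *dll, const char *name, uint16_t ord) {           /* constructed: knows one import */
    (void)ord; return (!strcmp(dll, "KERNEL32.dll") && name && !strcmp(name, "ExitProcess")) ? 0x7C81CAFEu : 0;
}
```

In a real build the bytes handed to run_fixed_base come from reading the target executable, and steps 3 to 5 are linker settings (/MERGE:.text=.newexe, /LTCG off, /INCREMENTAL:NO) that source code cannot express. win_resolve truncates addresses to 32 bits, so the loader has to be a 32-bit build hosting a PE32 target; pe_load_fixed refuses anything whose ImageBase differs from the loader's, which is exactly the case a fixed-base image cannot survive.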

Drawbacks

The generated loader is bigger than the executable it is supposed to run, because the MSVC linker emits the whole char buffer as initialized data in the image: the loader's file size grows with the largest executable it can host, not with the one it actually runs.
