Skip to main content
Reverse Engineering

All Questions

Ask Question
Tagged with
10 questions
Newest Active Bountied Unanswered
0 votes
1 answer
113 views

Create exe that jumps directly into main()-function from C

I am using x64dbg to explore image files on Windows. After the computer finishes prowling ntdll.dll it jumps to OptionalHeader.AddressOfEntryPoint. But this is not my main()-function. What is this ...
AirToTec's user avatar
AirToTec
  • 3
0 votes
1 answer
698 views

PE FILE section read in C

I need to read PE file. I need to search word in PE file. Search is required to cover only the sections with the “executable” flag. And I need to specify the section where the word found. How can I do ...
sadMarry's user avatar
sadMarry
  • 9
1 vote
1 answer
269 views

Why is Visual Studio compiling my EXE file with an entry point that is not in the file?

So I am trying to open my test app EXE file in ollydbg to study the assembly, the stack, registers and all that stuff for educational purposes and it gives me this message saying that the entry point ...
EmexNatera's user avatar
EmexNatera
  • 11
-1 votes
1 answer
116 views

Why I get 0xc00000005?

I'm trying to use RunPE technique (For learning). First, I tried it on Windows XP(32-bit) and no error occurs but, the injected code for(HelloWorld) didn't run. Then, I tried to use it on Windows 7 ...
Raafat's user avatar
Raafat
  • 163
2 votes
0 answers
265 views

What is the meaning of call ds:ApiName[registry*constant] in IDA .asm files?

I have a dataset of .ASM files generated by IDA (dont have the corresponding file) ‌And there are a lot of calls like this : .text:00637114 5F pop edi .text:...
OneAndOnly's user avatar
OneAndOnly
  • 518
1 vote
1 answer
761 views

Injecting exe file into process fails on windows 7 but works on windows 10 / Execution library function fails, access denied

I'm trying to inject my executable payload into remote process. I allocated memory in remote process, I converted raw payload using RVA addressing. I applied relocations and imports table. When I'm ...
bielu000's user avatar
bielu000
  • 133
3 votes
3 answers
2k views

Exports that redirects to other library

I'm writing an analog of GetProcAddress function. When looking inside the export table I see the exports like this in advapi32.dll for example: .text:4C362BAA aEventregister db 'EventRegister',0 ;...
CrispyCrunchyStuff's user avatar
CrispyCrunchyStuff
  • 33
2 votes
1 answer
2k views

Retrieving the contents of PE file sections

I am trying to get the contents of the .text section of a file (notepad.exe) using the following code: #define SECHDROFFSET(a) ((LPVOID) ( (LPBYTE) a + \ ((...
Sebi's user avatar
Sebi
  • 153
5 votes
2 answers
7k views

How to hook the entry point of a DLL?

I have written a C API with support for static import hooking via overwriting the corresponding IAT entry of an exported function. It works nicely for older simple applications, but for more modern ...
CaptainObvious's user avatar
CaptainObvious
  • 398
1 vote
2 answers
378 views

Does MSVCXXX.dll means that the PE file is compiled by Microsoft Visual C?

While viewing the PE headers and imported functions of some programs designed with visual C. I found that they all include one of these functions: MSVCRT.DLL MSVCR80.DLL MSVCR90.DLL MSVCR100D.DLL ...
Ahmed's user avatar
Ahmed
  • 135