Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Start windows 7 notepad.exe fail #44

Closed
wch1618 opened this issue Jun 6, 2022 · 2 comments
Closed

Start windows 7 notepad.exe fail #44

wch1618 opened this issue Jun 6, 2022 · 2 comments

Comments

@wch1618
Copy link

wch1618 commented Jun 6, 2022
edited by hasherezade
Loading

Here is code,

    size_t v_size = 0;
    LPCTSTR pe_path = "C:\\windows\\notepad.exe";
    BYTE* my_pe = peconv::load_pe_executable(pe_path, v_size);

    if (!my_pe) {
        return -1;
    }

    peconv::set_main_module_in_peb((HMODULE)my_pe);
    
    peconv::run_tls_callbacks(my_pe, v_size);
    
    DWORD ep_rva = peconv::get_entry_point_rva(my_pe);
    if (!ep_rva) {
        return -2;
    }
    ULONG_PTR ep_va = ep_rva + (ULONG_PTR) my_pe;

    int (*new_main)() = (int(*)())ep_va;

    return new_main();

Thanks
@hasherezade
Copy link
Owner

hasherezade commented Aug 12, 2022
edited
Loading

Hi @wch1618 ! sorry for the late response, I am nowadays very busy.

So, there are two main problems with notepad.exe:
First of all, it uses Delayload Imports in additional to the casual imports, but this can be resolved easily with libPeConv, just add this fragment after the PE loading:

// load delayed imports (if present):
const ULONGLONG loadBase = (ULONGLONG)g_Payload;
peconv::load_delayed_imports(g_Payload, loadBase);

But there is a second thing, a bit more problematic - notepad it sensitive to the path it is loaded from. Even if you copy the original notepad.exe on the Desktop, it won't run.
You may ask, where does it come from?
There is a function LoadAcceleratorsW called (for the version that I analyzed, on Windows 10 64 bit, they are at RVA0x13807 and 0x13824) in the Notepad, which basically loads some GUI properties (including the menu), but if the application name is different than expected, the proper accelerator table cannot be found, so the Notepad exits.

load_acc

It happens because those acceletators are loaded from the MUI file, not from the notepad.exe itself.

mui_file

accelerators

And for the MUI file to be loaded, the path must match the expected one.

What are the workarounds for this? The simplest is to hook those functions / patch the checks, and make the notepad load even without the menu.
I guess the proper, solid solution would be to load the appropriate MUI, and set it into AlternateResourceModules, so that the function LdrpGetFromMUIMemCache that is called underneath can reference it. Or, maybe hooking LdrFindResource_U.
I will experiment with it a bit more when I get some time.

I managed to run notepad with the help of this loader:

@hasherezade hasherezade mentioned this issue Aug 12, 2022
Open
@wch1618
Copy link
Author

wch1618 commented Aug 29, 2022

Thank you very much.

@wch1618 wch1618 closed this as completed Aug 29, 2022
@kevoreilly kevoreilly mentioned this issue Jan 20, 2023
Closed
5 tasks
@hasherezade hasherezade mentioned this issue Mar 5, 2023
Open
@hasherezade hasherezade mentioned this issue Nov 20, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@hasherezade @wch1618