
Start windows 7 notepad.exe fail

wch1618 opened this issue 3 years ago • 1 comment (status: Open)

Here is the code:

    #include <Windows.h>
    #include <peconv.h>   // libPeConv

    int main()
    {
        size_t v_size = 0;
        LPCSTR pe_path = "C:\\windows\\notepad.exe";
        // map the PE into memory and resolve its regular imports
        BYTE* my_pe = peconv::load_pe_executable(pe_path, v_size);
        if (!my_pe) {
            return -1;
        }

        // make the loaded image appear as the main module of the process
        peconv::set_main_module_in_peb((HMODULE)my_pe);

        // run the TLS callbacks before the entry point, as the Windows loader would
        peconv::run_tls_callbacks(my_pe, v_size);

        DWORD ep_rva = peconv::get_entry_point_rva(my_pe);
        if (!ep_rva) {
            return -2;
        }
        ULONG_PTR ep_va = ep_rva + (ULONG_PTR) my_pe;

        // jump to the payload's entry point
        int (*new_main)() = (int(*)())ep_va;
        return new_main();
    }

Thanks

wch1618 avatar Jun 06 '22 06:06 wch1618

Hi @wch1618 ! sorry for the late response, I am nowadays very busy.

So, there are two main problems with notepad.exe. First of all, it uses delay-load imports in addition to the casual imports, but this can be resolved easily with libPeConv: just add this fragment after the PE loading:

    // load delayed imports (if present):
    const ULONGLONG loadBase = (ULONGLONG)g_Payload;
    peconv::load_delayed_imports(g_Payload, loadBase);

But there is a second thing, a bit more problematic: notepad is sensitive to the path it is loaded from. Even if you copy the original notepad.exe to the Desktop, it won't run. You may ask, where does it come from? There is a function LoadAcceleratorsW called in Notepad (for the version that I analyzed, on Windows 10 64-bit, the calls are at RVA 0x13807 and 0x13824), which basically loads some GUI properties (including the menu), but if the application name is different than expected, the proper accelerator table cannot be found, so Notepad exits.

[screenshot: load_acc]

It happens because those accelerators are loaded from the MUI file, not from notepad.exe itself.

[screenshot: mui_file]

[screenshot: accelerators]

And for the MUI file to be loaded, the path must match the expected one.

What are the workarounds for this? The simplest is to hook those functions / patch the checks, and make the notepad load even without the menu. I guess the proper, solid solution would be to load the appropriate MUI, and set it into AlternateResourceModules, so that the function LdrpGetFromMUIMemCache that is called underneath can reference it. Or, maybe hooking LdrFindResource_U. I will experiment with it a bit more when I get some time.

I managed to run notepad with the help of this loader:

  • https://gist.github.com/hasherezade/657975ca7e988b4aa1538324ace87588 (but please keep in mind that this is a crude solution, which just replaces the original LoadAcceleratorsW function and emulates its successful completion)

hasherezade avatar Aug 12 '22 15:08 hasherezade
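The reason the first loader failed on delay-load imports is visible in the PE headers before anything is mapped: a delay-load import table is announced by data directory 13, and a manual loader that ignores it leaves those imports unresolved. The following is an added example, not code from libpeconv or from either participant in this thread. It parses the DOS/NT headers of an in-memory image with no Windows headers or libpeconv calls (so it compiles and runs on any platform), reads the import, relocation, TLS and delay-load directories, and returns the ordered list of loader steps those directories imply. The step labels mirror the names of the libpeconv functions mentioned above (`relocate_module`, `load_imports`, `load_delayed_imports`, `run_tls_callbacks`), but the code does not call them. The sample image is a constructed, headers-only PE32+ built by `make_sample_pe64`; its RVAs and sizes are made up for the demonstration.

```cpp
#include <cstdint>
#include <cstring>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Data-directory indices as numbered in the PE specification (same as winnt.h).
enum : uint32_t { DIR_IMPORT = 1, DIR_BASERELOC = 5, DIR_TLS = 9, DIR_DELAY_IMPORT = 13 };

struct DataDir { uint32_t rva; uint32_t size; };

struct LoaderChecklist {
    bool is_pe64;
    uint32_t entry_rva;
    DataDir import_dir, reloc_dir, tls_dir, delay_import_dir;
};

static uint16_t rd16(const uint8_t* p) { uint16_t v; std::memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t* p) { uint32_t v; std::memcpy(&v, p, 4); return v; }
static void wr16(uint8_t* p, uint16_t v) { std::memcpy(p, &v, 2); }
static void wr32(uint8_t* p, uint32_t v) { std::memcpy(p, &v, 4); }

// Parses only the headers of a raw PE image; throws instead of reading out of bounds.
LoaderChecklist inspect_pe(const std::vector<uint8_t>& img) {
    auto need = [&](size_t off, size_t len) {
        if (off + len < off || off + len > img.size()) throw std::runtime_error("truncated PE header");
    };
    need(0, 0x40);
    if (rd16(&img[0]) != 0x5A4D) throw std::runtime_error("missing MZ signature");
    uint32_t nt = rd32(&img[0x3C]);                 // e_lfanew
    need(nt, 24);                                   // Signature + IMAGE_FILE_HEADER
    if (rd32(&img[nt]) != 0x00004550) throw std::runtime_error("missing PE signature");
    uint16_t opt_size = rd16(&img[nt + 16]);        // SizeOfOptionalHeader
    size_t opt = nt + 24;                           // start of the optional header
    need(opt, opt_size);

    LoaderChecklist c{};
    size_t dirs_off;                                // offset of DataDirectory[] inside the optional header
    uint16_t magic = rd16(&img[opt]);
    if (magic == 0x20B)      { c.is_pe64 = true;  dirs_off = 112; }  // PE32+
    else if (magic == 0x10B) { c.is_pe64 = false; dirs_off = 96;  }  // PE32
    else throw std::runtime_error("unknown optional header magic");
    c.entry_rva = rd32(&img[opt + 16]);             // AddressOfEntryPoint
    uint32_t ndirs = rd32(&img[opt + dirs_off - 4]); // NumberOfRvaAndSizes

    auto dir = [&](uint32_t idx) -> DataDir {
        if (idx >= ndirs) return DataDir{0, 0};     // directory not present in this header
        size_t off = opt + dirs_off + idx * 8;
        need(off, 8);
        return DataDir{rd32(&img[off]), rd32(&img[off + 4])};
    };
    c.import_dir       = dir(DIR_IMPORT);
    c.reloc_dir        = dir(DIR_BASERELOC);
    c.tls_dir          = dir(DIR_TLS);
    c.delay_import_dir = dir(DIR_DELAY_IMPORT);
    return c;
}

// The work a manual loader has to do before jumping to the entry point, in order.
std::vector<std::string> loader_steps(const LoaderChecklist& c) {
    std::vector<std::string> steps;
    if (c.reloc_dir.rva)        steps.push_back("relocate_module");
    if (c.import_dir.rva)       steps.push_back("load_imports");
    if (c.delay_import_dir.rva) steps.push_back("load_delayed_imports"); // the step missing in the first loader
    if (c.tls_dir.rva)          steps.push_back("run_tls_callbacks");
    steps.push_back("call_entry_point");
    return steps;
}

// Constructed headers-only PE32+ image (no sections) so the example runs offline.
std::vector<uint8_t> make_sample_pe64(bool with_delay_imports, bool with_tls) {
    std::vector<uint8_t> img(0x40 + 24 + 240, 0);
    wr16(&img[0], 0x5A4D); wr32(&img[0x3C], 0x40);  // MZ, e_lfanew
    size_t nt = 0x40;
    wr32(&img[nt], 0x00004550);                     // "PE\0\0"
    wr16(&img[nt + 4], 0x8664);                     // Machine: x64
    wr16(&img[nt + 16], 240);                       // SizeOfOptionalHeader for PE32+
    size_t opt = nt + 24;
    wr16(&img[opt], 0x20B);                         // PE32+ magic
    wr32(&img[opt + 16], 0x1500);                   // AddressOfEntryPoint (made-up RVA)
    wr32(&img[opt + 108], 16);                      // NumberOfRvaAndSizes
    auto set_dir = [&](uint32_t idx, uint32_t rva, uint32_t size) {
        wr32(&img[opt + 112 + idx * 8], rva); wr32(&img[opt + 112 + idx * 8 + 4], size);
    };
    set_dir(DIR_IMPORT, 0x3000, 0x80);
    set_dir(DIR_BASERELOC, 0x7000, 0x200);
    if (with_delay_imports) set_dir(DIR_DELAY_IMPORT, 0x3200, 0x40);
    if (with_tls)           set_dir(DIR_TLS, 0x4000, 0x28);
    return img;
}

// True if a truncated buffer is rejected instead of being read past its end.
bool rejects_truncated() {
    try { inspect_pe(std::vector<uint8_t>(10, 0)); } catch (const std::runtime_error&) { return true; }
    return false;
}

int main() {
    for (const std::string& s : loader_steps(inspect_pe(make_sample_pe64(true, true)))) std::cout << s << "\n";
    return 0;
}
```

Run against a real file by reading it into the vector (the header offsets are the same for a file on disk and an image in memory); an image whose checklist contains `load_delayed_imports` needs the `peconv::load_delayed_imports` call from the reply above, or its delay-loaded APIs will be resolved by nothing.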

Thank you very much.

wch1618 avatar Aug 29 '22 03:08 wch1618