comrade's bureau


PE Tools


On this page, you will find a collection of various tools I made over years to deal with portable executables and Windows processes.

Download

petools.rar (22 KB)
The tools are released under the BSD license.
Source code is included. To recompile the files, you will need FASM (at least v1.67.26) and the additional include files from this page.

Inject Tool

Inject is a tool that injects a DLL into a running process. Its command-line usage is as follows:

  1. Inject C:\hook.dll into pid 1234: inject.exe 1234 C:\hook.dll
  2. Inject C:\hook.dll into process notepad.exe (if multiple notepads are running, then whichever one is picked is undefined): inject.exe -p *notepad.exe C:\hook.dll
  3. Inject C:\hook.dll into running process C:\myprogram.exe: inject.exe -p C:\myprogram.exe C:\hook.dll
  4. Inject C:\hook.dll into process with a window named "Untitled - Notepad": inject.exe -w "Untitled - Notepad" C:\hook.dll
  5. Inject C:\hook.dll into process with a window class Notepad: inject.exe -c Notepad C:\hook.dll
Note that in all uses, you should specify the full path to the injected DLL.

Loader Tool

Loader is a tool that injects a DLL before launching a process. Its command-line usage is as follows:

  1. Load notepad.exe and inject C:\hook.dll into it: loader.exe notepad.exe C:\hook.dll
Note that you should specify the full path to the injected DLL.

Patch Tool

Patch is a tool that adds a new section to the executable. The new section becomes the new entrypoint, and contains code to load a particular DLL, and then jump back to the original entrypoint. This can be used to create static patches that behave similarly to the Loader tool.
The tool's command-line usage is as follows:

  1. Patch original.exe to load C:\hook.dll before execution; save the patched executable to patched.exe: patch.exe original.exe patched.exe C:\hook.dll

Reimport Tool

Reimport is a tool that redirects selected entries of an executable's import table to another DLL. For example, running reimport.exe game.exe newgame.exe nocd.dll kernel32.dll::GetDriveTypeA kernel32.dll::CreateFileA kernel32.dll::GetVolumeInformation writes a copy of game.exe to newgame.exe in which those three API functions are rerouted to nocd.dll: newgame.exe imports GetDriveTypeA, CreateFileA, and GetVolumeInformation from nocd.dll instead of kernel32.dll.
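After running either the Patch tool or the Reimport tool, the natural check is to open the output executable and confirm what changed: which section now holds the entrypoint (Patch appends a section and points the entrypoint at it) and which DLL each import now resolves from (Reimport moves named entries to another DLL). The script below is an added example, not part of the page or of the tools' FASM sources. It builds constructed PE32 sample files in three states (original, reimported, patched) with its own small header and import-directory builder, then parses them back with a minimal PE reader. All names here (build_idata, build_pe, parse_pe, list_imports, entry_section, foreign_imports, sample) are this example's own; the appended section is called ".patch" only as an assumption, since the page does not say what name the tool uses; nocd.dll and the three kernel32 functions are taken from the page's reimport example.

```python
import struct

FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
SYSTEM_APIS = dict.fromkeys(["GetDriveTypeA", "CreateFileA", "GetVolumeInformation"], "kernel32.dll")

def build_idata(base_rva, imports):
    """Serialise a PE32 import directory placed at base_rva; imports = [(dll, [func, ...]), ...]."""
    thunk_off = 20 * (len(imports) + 1)                                # descriptors + null one
    str_base = thunk_off + sum(8 * (len(f) + 1) for _, f in imports)  # after all INT/IAT tables
    descs, thunks, strings = bytearray(), bytearray(), bytearray()
    for dll, funcs in imports:
        name_rva = base_rva + str_base + len(strings)
        strings += dll.encode() + b"\0"
        entries = []
        for func in funcs:
            strings += b"\0" * (len(strings) % 2)          # IMAGE_IMPORT_BY_NAME is WORD-aligned
            entries.append(base_rva + str_base + len(strings))
            strings += struct.pack("<H", 0) + func.encode() + b"\0"   # hint, then name
        table = b"".join(struct.pack("<I", e) for e in entries) + b"\0\0\0\0"
        thunks += table + table                            # INT and IAT are identical on disk
        descs += struct.pack("<IIIII", base_rva + thunk_off, 0, 0, name_rva,
                             base_rva + thunk_off + len(table))
        thunk_off += 2 * len(table)
    return bytes(descs + b"\0" * 20 + thunks + strings)

def build_pe(entry_rva, sections, import_dir):
    """Minimal PE32 file; sections = [(name, data < FILE_ALIGN)], section i at RVA 0x1000*(i+1)."""
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40))        # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    hdr += struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0x1000, 0x2000)
    hdr += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, SECT_ALIGN, FILE_ALIGN, 4, 0, 0, 0,
                       4, 0, 0, SECT_ALIGN * (len(sections) + 1), FILE_ALIGN, 0, 3, 0,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    hdr += b"\0" * 8 + struct.pack("<II", *import_dir) + b"\0" * 8 * 14   # DataDirectory[1]
    body = bytearray()
    for i, (name, data) in enumerate(sections):
        hdr += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), SECT_ALIGN * (i + 1),
                           FILE_ALIGN, FILE_ALIGN * (i + 1), 0, 0, 0, 0, 0x60000020)
        body += data.ljust(FILE_ALIGN, b"\0")
    return bytes(hdr.ljust(FILE_ALIGN, b"\0") + body)

def parse_pe(data):
    """Return (entry_rva, import_dir_rva, [section dicts]) of a PE32 file image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    import_rva = struct.unpack_from("<I", data, opt + 104)[0]       # DataDirectory[1].VirtualAddress
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "end": va + max(vsize, rsize), "raw": raw})
    return entry, import_rva, sections

def rva_to_off(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["end"]:
            return rva - s["va"] + s["raw"]
    raise ValueError(f"RVA {rva:#x} lies outside every section")

def cstr(data, off):
    return data[off:data.index(b"\0", off)].decode()

def list_imports(data):
    """Walk the import directory: [(dll, [name or 'ordinal#N', ...]), ...]."""
    _, import_rva, sections = parse_pe(data)
    result, off = [], rva_to_off(sections, import_rva)
    while (desc := struct.unpack_from("<IIIII", data, off))[3]:      # Name == 0 ends the table
        oft, name_rva, ft = desc[0], desc[3], desc[4]
        funcs, toff = [], rva_to_off(sections, oft or ft)          # INT, or IAT if no INT
        while (thunk := struct.unpack_from("<I", data, toff)[0]) != 0:
            funcs.append(f"ordinal#{thunk & 0xFFFF}" if thunk & 0x80000000
                         else cstr(data, rva_to_off(sections, thunk) + 2))   # +2 skips the hint
            toff += 4
        result.append((cstr(data, rva_to_off(sections, name_rva)), funcs))
        off += 20
    return result

def entry_section(data):
    """(name of the section holding the entrypoint, whether it is the last section)."""
    entry, _, sections = parse_pe(data)
    holder = next(s for s in sections if s["va"] <= entry < s["end"])
    return holder["name"], holder is sections[-1]

def foreign_imports(data, expected=SYSTEM_APIS):
    """Expected-system functions that actually resolve from some other DLL."""
    return [(f, dll) for dll, funcs in list_imports(data) for f in funcs
            if f in expected and dll.lower() != expected[f]]

def sample(patched=False, reimported=False):
    """Constructed game.exe-like binary, optionally as reimport/patch would leave it."""
    imports = [("kernel32.dll", ["ExitProcess"] + ([] if reimported else list(SYSTEM_APIS)))]
    imports += [("nocd.dll", list(SYSTEM_APIS))] if reimported else []
    sections = [(".text", b"\xC3"), (".idata", build_idata(0x2000, imports))]
    sections += [(".patch", b"\xC3")] if patched else []             # stand-in for the loader stub
    return build_pe(0x3000 if patched else 0x1000, sections, (0x2000, len(sections[1][1])))
```

Reading the samples back, entry_section reports (".text", False) for the untouched binary and (".patch", True) once the entrypoint has been moved into an appended last section, which is exactly the header-level trace a Patch-style modification leaves. foreign_imports is empty for the original and lists the three functions as coming from nocd.dll after the reimport, so the same reader serves both as a post-edit sanity check and as a way to spot a binary whose kernel32 APIs have been rerouted to a non-system DLL. To inspect a real file, replace sample() with open(path, "rb").read(); only PE32 is handled here, since PE32+ uses 8-byte thunks and a larger optional header.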

Comments

reply (2008-08-03 00:17:17) E7R wrote:
first
reply (2008-08-22 14:42:34) E8R wrote:
2nd :D
reply (2008-08-29 11:25:07) E9R wrote:
3rd oO
reply (2008-09-02 16:49:07) EAR wrote:
4th -.-
reply (2008-09-12 10:10:32) EBR wrote:
5th :O
reply (2008-09-14 12:25:40) ECR wrote:
6th =)
reply (2008-09-17 16:30:39) EDR wrote:
Faggots stfu.
reply (2008-09-21 05:11:02) Burp wrote:
I farted.
reply (2008-11-25 04:01:54) penang wrote:
thanks! ... and I haven't farted yet. :)
reply (2008-11-30 13:39:27) idiots wrote:
Perfect tool, helped me a lot :)
reply (2008-12-15 10:36:43) TeNsIOn wrote:
Amazing thanx
reply (2009-01-04 12:12:05) (anonymous) wrote:
thanks a lot
reply (2009-06-17 08:26:46) anonymous wrote:
Instead of the Patch tool's "inject code to load a dll", why not just add another entry into the import table?
reply (2009-08-18 06:20:30) comrade replied:
1) That is not as reliable - when the DLL is loaded by the import table, the process may not be fully initialized and other DLLs may not have been loaded yet. When loading a DLL via a new section, all the executable's DLLs have already been loaded and their DllMain routines run.
2) Typically resizing and adding a new descriptor into the import table is not as easy as adding a new section. Look at the sources for the reimport tool - see how much extra work needs to be done to work with the import table.
reply (2009-09-09 13:36:10) (anonymous) wrote:
Using the reimport tool and putting the ordinal name of the DLL function to be replaced, it'll work fine?
reply (2009-09-16 04:35:13) comrade replied:
Ordinal names are not supported. If that's important to you, I can add it... it would probably take me a year to get to it though.
reply (2009-09-20 17:22:20) (anonymous) replied:
Thanks, but that's not important to me, I just wanted to know.. Thanks anyway :D
reply (2009-12-28 22:21:33) Vegard wrote:
Thank you very much for a great tool! I've used the reimport thingie to retool several games now, and it's an impressive little piece of technology :)
reply (2010-01-03 00:41:34) (anonymous) wrote:
Hm, still detectable for almost all antivirus... but nice work!
