Developing PE file packer step-by-step. Step 3. Unpacking

Previous step is here.

Let’s continue! It’s time to write an unpacker, this is what we are going to do during this step. We will not process import table for now, because we have some other things to do at this lesson.

We will begin from the following thing. To operate, the unpacker definitely needs two WinAPI functions: LoadLibraryA and GetProcAddress. In my old packer (that I’ve written once) I developed unpacker stub in MASM32 without creating import table at all. I looked for these function addresses in kernel, which is rather complicated and hardcore, besides that, this may cause serious antivirus suspicions. This time, let’s create import table and make loader to tell us these function addresses. Of course, set of these two functions in import table is as suspicious as their total absence, but nothing prevents us from adding more random imports from different .dll files in future. Where will the loader store these two function addresses? It’s time to expand our packed_file_info structure!

Continue reading “Developing PE file packer step-by-step. Step 3. Unpacking”

Scripts for task automation in Windows. Cool WSH features


Probably many people know, that Windows 98 and later includes Windows script host (WSH) by default, which allows to run VBScript and JScript code, but few ones used it at least once. In this article I am going to show you useful WSH snippets and script examples and convince you that this feature is really worthwhile. I will also tell you about very useful and cool WSH features, which are almost unknown, and therefore it is not easy to find information about them on the Internet.

Continue reading “Scripts for task automation in Windows. Cool WSH features”