waliedassar

32_Bit --> 64_bit PE Header

Oct 24th, 2012
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  #include "stdafx.h"
  #include "windows.h"
  #include "stdio.h"
  #include <string.h>
  #include "resource.h"
  7.  
  // Pointer to a __stdcall routine that takes one C string and returns nothing.
  // main() casts the address returned by GetProcAddress for "walied" to this
  // type, so the signature here must match walied() below.
  typedef void(__stdcall *FUNC)(char*);
  9.  
  10.  
  extern "C"
  {
      // Hand-written prototype for RtlImageNtHeader: given the base address of
      // a mapped image it returns a pointer to that image's NT headers.
      // The base is declared as a 32-bit integer here, so this prototype only
      // fits a 32-bit build.
      // NOTE(review): presumably resolved against ntdll at link time; the
      // import library is not visible in this listing.
      IMAGE_NT_HEADERS* __stdcall RtlImageNtHeader(unsigned long ImageBase);

      // Greets the given string on stdout. main() finds this routine by name
      // through GetProcAddress, which only works if "walied" is present in the
      // executable's export table.
      // NOTE(review): how it gets exported (.def file or linker option) is not
      // shown in this listing.
      void __stdcall walied(char* string)
      {
          printf("Hey %s\r\n", string);
      }
  }
  20.  
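  // ConvertHeader - rewrite a mapped PE32 (32-bit) NT header in place so that
  // it parses as a PE32+ (64-bit) header.
  //
  // pNT: NT headers of the image to rewrite. The memory must be writable, and
  //      the 0x10 bytes that follow the section table must be free to
  //      overwrite, because the data directories and the section table are
  //      both moved 0x10 bytes towards higher addresses. Nothing here can
  //      verify either condition; the caller is responsible for both.
  //
  // The function returns without touching anything when pNT is NULL, when the
  // optional header is not PE32, or when SizeOfOptionalHeader is too small to
  // reach the data directories. Running it on any other layout would scramble
  // the header instead of converting it.
  //
  // NOTE(review): FileHeader.SizeOfOptionalHeader is left at its 32-bit value
  // although the section table moves; confirm whether that is intended.
  void ConvertHeader(IMAGE_NT_HEADERS* pNT)
  {
      // Offset of DataDirectory inside the 32-bit optional header.
      const unsigned long ddOffset32 = 0x60;
      // The PE32+ optional header is 0x10 bytes longer than the PE32 one
      // (0xF0 vs 0xE0), so everything from DataDirectory onwards moves by 0x10.
      const unsigned long shift = 0x10;

      if (pNT == NULL)
          return;

      IMAGE_OPTIONAL_HEADER* pOpt32 = &(pNT->OptionalHeader);
      const unsigned long numSections = pNT->FileHeader.NumberOfSections;
      const unsigned long szOptional = pNT->FileHeader.SizeOfOptionalHeader;

      // Refuse anything that is not a PE32 header with room for the data
      // directories: szDD below would otherwise wrap around to a huge value.
      if (pOpt32->Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC || szOptional < ddOffset32)
          return;

      unsigned char* const pOptBytes = (unsigned char*)pOpt32;
      unsigned char* const pDD = pOptBytes + ddOffset32;   // data directories
      unsigned char* const pSec = pOptBytes + szOptional;  // section table
      const size_t szDD = (size_t)(pSec - pDD);
      const size_t szSections = numSections * sizeof(IMAGE_SECTION_HEADER);

      // Read every 32-bit field that changes position before anything is
      // overwritten.
      const unsigned long StkRsv = pOpt32->SizeOfStackReserve;
      const unsigned long StkCmt = pOpt32->SizeOfStackCommit;
      const unsigned long HpRsv = pOpt32->SizeOfHeapReserve;
      const unsigned long HpCmt = pOpt32->SizeOfHeapCommit;
      const unsigned long LoaderFlags = pOpt32->LoaderFlags;
      const unsigned long NumberRVAs = pOpt32->NumberOfRvaAndSizes;

      pNT->FileHeader.Machine = IMAGE_FILE_MACHINE_AMD64; // 0x8664

      // Move the tables up by `shift`. memmove copes with the overlapping
      // ranges, so no temporary heap copies (and no allocation that could
      // fail) are needed. The section table goes first: moving the data
      // directories overwrites the first `shift` bytes of its old position.
      memmove(pSec + shift, pSec, szSections);
      memmove(pDD + shift, pDD, szDD);

      pOpt32->Magic = IMAGE_NT_OPTIONAL_HDR64_MAGIC; // 0x020B
      // The 64-bit ImageBase spans the 32-bit BaseOfData and ImageBase fields:
      // the old base becomes the low dword, the high dword becomes zero.
      pOpt32->BaseOfData = pOpt32->ImageBase;
      pOpt32->ImageBase = 0;

      // Same bytes viewed through the 64-bit layout. Assigning a 32-bit value
      // to a 64-bit field zero-extends it, which sets the low dword and clears
      // the high dword in one step.
      IMAGE_OPTIONAL_HEADER64* pOpt64 = (IMAGE_OPTIONAL_HEADER64*)pOpt32;
      pOpt64->SizeOfStackReserve = StkRsv;
      pOpt64->SizeOfStackCommit = StkCmt;
      pOpt64->SizeOfHeapReserve = HpRsv;
      pOpt64->SizeOfHeapCommit = HpCmt;
      pOpt64->LoaderFlags = LoaderFlags;
      pOpt64->NumberOfRvaAndSizes = NumberRVAs;
  }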
  66.  
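  // Demo driver: rewrites the NT header of this process's own mapped
  // executable with ConvertHeader(), then checks that export lookup and
  // string-resource loading still work against the rewritten header.
  //
  // Only the in-memory image is changed; nothing here writes to the file on
  // disk. For anyone inspecting such a process this means the mapped header
  // (FileHeader.Machine, OptionalHeader.Magic) no longer agrees with the
  // on-disk file, and comparing the two exposes the modification.
  //
  // Returns 1 if the header cannot be made writable, cannot be located, or
  // the "walied" export cannot be resolved. Otherwise it loops forever.
  int main(int argc, char* argv[])
  {
      // Size of the region made writable around the image base.
      enum { HEADER_SPAN = 0x1000 };

      // 32-bit build only: the module handle is kept in a 32-bit integer.
      unsigned long IB = (unsigned long)GetModuleHandle(0);
      unsigned long old = 0;
      unsigned long ignored = 0;

      if (!VirtualProtect((void*)IB, HEADER_SPAN, PAGE_READWRITE, &old))
      {
          // Writing to the header without this would fault.
          printf("VirtualProtect failed: %lu\r\n", GetLastError());
          return 1;
      }
      //memset((void*)IB,0x0,0x1000);
      IMAGE_NT_HEADERS* pNT = RtlImageNtHeader(IB);
      if (pNT != NULL)
          ConvertHeader(pNT);
      // Restore the original protection whether or not the header was found.
      if (!VirtualProtect((void*)IB, HEADER_SPAN, old, &ignored))
          printf("VirtualProtect (restore) failed: %lu\r\n", GetLastError());
      if (pNT == NULL)
      {
          printf("RtlImageNtHeader returned NULL\r\n");
          return 1;
      }
      //----------------------To make sure PE header is usable-------------
      FUNC walied_ = (FUNC)GetProcAddress((HMODULE)IB, "walied");
      if (walied_ == NULL)
      {
          // Calling through a NULL pointer would crash; report instead.
          printf("GetProcAddress failed: %lu\r\n", GetLastError());
          return 1;
      }
      char String1[0x100] = {0};
      // The size argument is the buffer capacity in characters. The original
      // passed 0x101 for a 0x100-byte buffer, which lets LoadString write one
      // byte past the end of the array.
      LoadString((HINSTANCE)IB, IDS_STRING1, String1, sizeof(String1));
      walied_(String1);
      memset(String1, 0, sizeof(String1));
      LoadString((HINSTANCE)IB, IDS_STRING2, String1, sizeof(String1));
      walied_(String1);
      //-------------------------------------------------------------------
      // Keep the process alive, printing a counter once per second.
      int i = 0;
      for (;;)
      {
          printf("walied %x\r\n", i++);
          Sleep(1000);
      }
      return 0; // not reached
  }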