#1

sgwwt2425245f

  • 0

#2

Metaverse

https://github.com/n.../RemoveSignCode

 

Dunno if this will work.. But. :)


  • 0

Retired User - Checks in from time to time


#3

sgwwt2425245f

https://github.com/n.../RemoveSignCode

 

Dunno if this will work.. But. :)

will take a look at it thanks :D


  • 0

#4

sgwwt2425245f

https://github.com/n.../RemoveSignCode

 

Dunno if this will work.. But. :)

Doesn't work :(


  • 0

#5

FuseFire

Doesn't work :(

Do you mean in dnSpy? 

It basically means it's packed. If that's what you mean with PE Headers


  • 0


#6

jamoofromafrica

Do you mean in dnSpy? 

It basically means it's packed. If that's what you mean with PE Headers

he is asking how to remove pe headers, not what they are


  • 0

#7

FuseFire

he is asking how to remove pe headers, not what they are

If he knows what it is he can just unpack it with a tool from GitHub you retard


  • -1


#8

jamoofromafrica

If he knows what it is he can just unpack it with a tool from GitHub you retard

not sure why you are getting mad.


  • 0

#9

EliteEmper0r

As FuseFire said, PE Headers means the program is packed. If you would like to unpack, you can most likely unpack it with MegaDump.


  • 0

#10

Navix

The amount of bullshit people post here is ridiculous.

 

Either remove PE headers at runtime using RtlZeroMemory like this

[DllImport("Kernel32.dll", EntryPoint="RtlZeroMemory", SetLastError=false)]
public static extern void ZeroMemory(IntPtr dest, IntPtr size);

[DllImport("kernel32.dll", CharSet=CharSet.Auto)]
public static extern IntPtr GetModuleHandle(string lpModuleName);

[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_DOS_HEADER
{
    [MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
    public char[] e_magic;       // Magic number
    public UInt16 e_cblp;    // Bytes on last page of file
    public UInt16 e_cp;      // Pages in file
    public UInt16 e_crlc;    // Relocations
    public UInt16 e_cparhdr;     // Size of header in paragraphs
    public UInt16 e_minalloc;    // Minimum extra paragraphs needed
    public UInt16 e_maxalloc;    // Maximum extra paragraphs needed
    public UInt16 e_ss;      // Initial (relative) SS value
    public UInt16 e_sp;      // Initial SP value
    public UInt16 e_csum;    // Checksum
    public UInt16 e_ip;      // Initial IP value
    public UInt16 e_cs;      // Initial (relative) CS value
    public UInt16 e_lfarlc;      // File address of relocation table
    public UInt16 e_ovno;    // Overlay number
    [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
    public UInt16[] e_res1;    // Reserved words
    public UInt16 e_oemid;       // OEM identifier (for e_oeminfo)
    public UInt16 e_oeminfo;     // OEM information; e_oemid specific
    [MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
    public UInt16[] e_res2;    // Reserved words
    public Int32 e_lfanew;      // File address of new exe header

    private string _e_magic
    {
        get { return new string(e_magic); }
    }

    public bool isValid
    {
        get { return _e_magic == "MZ"; }
    }
}

[StructLayout(LayoutKind.Explicit)]
public struct IMAGE_NT_HEADERS32
{
    [FieldOffset(0)]
    [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
    public char[] Signature;
    [FieldOffset(4)]
    public IMAGE_FILE_HEADER FileHeader;
    [FieldOffset(24)]
    public IMAGE_OPTIONAL_HEADER32 OptionalHeader;

    private string _Signature
    {
        get { return new string(Signature); }
    }

    public bool isValid
    {
        get { return _Signature == "PE\0\0" && (OptionalHeader.Magic == PE.MagicType.IMAGE_NT_OPTIONAL_HDR32_MAGIC || OptionalHeader.Magic == PE.MagicType.IMAGE_NT_OPTIONAL_HDR64_MAGIC); }
    }
}

[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_FILE_HEADER
{
    public UInt16 Machine;
    public UInt16 NumberOfSections;
    public UInt32 TimeDateStamp;
    public UInt32 PointerToSymbolTable;
    public UInt32 NumberOfSymbols;
    public UInt16 SizeOfOptionalHeader;
    public UInt16 Characteristics;
}

static void RemoveHeaders() {
    var moduleBase = (IntPtr)GetModuleHandle(IntPtr.Zero);

    var dosHeader = new IMAGE_DOS_HEADER();
    Marshal.PtrToStructure(moduleBase, dosHeader);

    var ntHeadersPtr = (IntPtr)(moduleBase + dosHeader.e_lfanew);

    var ntHeaders = new IMAGE_NT_HEADERS32();
    Marshal.PtrToStructure(ntHeadersPtr, ntHeaders);

    UInt32 sizeHeaders = ntHeaders.FileHeader.SizeOfOptionalHeader;
    ZeroMemory(moduleBase, sizeHeaders);
}

Or use a file handle and do the same thing.


  • 0
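
Added example, not part of the thread or written by any of its posters: a defender-side check for the runtime header erasure described in post #10. It classifies the first page of a memory region that the OS reports as an image mapping. The function names, the one-page read size and the sample header are assumptions constructed for this illustration.

```python
import struct

PAGE = 0x1000           # assumed: one header page read from each image base
DOS_HEADER_SIZE = 0x40  # sizeof(IMAGE_DOS_HEADER)
E_LFANEW_OFF = 0x3C     # offset of e_lfanew inside IMAGE_DOS_HEADER


def build_sample_header() -> bytes:
    """Constructed PE32 header page for the demo (not a loadable image)."""
    page = bytearray(PAGE)
    page[0:2] = b"MZ"
    struct.pack_into("<I", page, E_LFANEW_OFF, 0x80)
    page[0x80:0x84] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, three zeroed fields,
    # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", page, 0x84, 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    struct.pack_into("<H", page, 0x98, 0x010B)   # optional header magic (PE32)
    page[0x178:0x17D] = b".text"                 # first section table entry
    return bytes(page)


def classify_header_page(page: bytes) -> str:
    """Classify the first page of a region reported as an image mapping."""
    if len(page) < DOS_HEADER_SIZE:
        raise ValueError("need at least the DOS header")
    if page[:2] == b"MZ":
        (e_lfanew,) = struct.unpack_from("<I", page, E_LFANEW_OFF)
        if e_lfanew + 4 <= len(page) and page[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "intact"
        return "corrupt"            # MZ present, no NT signature at e_lfanew
    if not any(page):
        return "erased"             # whole header page zeroed
    leading_zeros = len(page) - len(page.lstrip(b"\0"))
    if leading_zeros >= DOS_HEADER_SIZE:
        return "partially-erased"   # DOS header gone, later header bytes survive
    return "not-pe"


def flag_modules(pages: dict) -> list:
    """Return names of image mappings whose headers are not intact, sorted."""
    return sorted(n for n, p in pages.items() if classify_header_page(p) != "intact")


if __name__ == "__main__":
    good = build_sample_header()
    pages = {"clean.exe": good, "wiped.exe": bytes(PAGE),
             "partial.exe": bytes(0x100) + good[0x100:]}
    for name in flag_modules(pages):
        print(name, classify_header_page(pages[name]))
```

An image-backed region whose header page classifies as anything other than "intact" is worth triaging, since the loader always maps valid headers at the module base.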

