I am currently working on a personal project: a 32-bit PE loader.
I did a lot of research and followed some very interesting tutorials such as:
https://bidouillesecurity.com/tutorial-writing-a-pe-packer-part-1/
https://0xrick.github.io/win-internals/pe8/#initparse
Very quickly, the main goal of my project is to load a 32-bit PE into memory and execute it.
To do so, I have done the following steps:
- allocate an amount of memory equivalent to the size of the image (SizeOfImage) of my 32-bit PE (calc.exe in my case)
- load in memory the headers of my PE
- load in memory the sections of my PE
- load the DLL functions used by my PE
- perform the relocation
- put the right permissions on each section
- execute the entry point of my PE
I followed the two links above, but I get an error and it's impossible for me to run calc.exe ("C:\Windows\SysWOW64\calc.exe").
After several hours of investigation, I realized that I could not get the address of several functions exported from msvcrt.dll. Indeed, the GetProcAddress function returns error code 127 for three of them. Here they are:
- __p__fmode
- __p__commode
- _except_handler4_common
Thanks to the Microsoft documentation, I realized that these functions are Internal CRT functions and function macros. I have to admit that I didn't fully understand what they were used for and if there was a real link with my problem.
Source: https://learn.microsoft.com/en-us/cpp/c-runtime-library/internal-crt-globals-and-functions?view=msvc-170
PS: I am on Windows 11, I code in Visual Studio 2022 and I did not change the default compilation options.
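
Error 127 is ERROR_PROC_NOT_FOUND, and a process can only load DLLs of its own bitness for execution, so one check worth making before resolving imports is that the target image's Machine field matches the loader build. The following is an added example, not part of the original post; the helper names (`pe_machine`, `pe_matches_loader`, `make_sample`) are hypothetical and the sample header is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MACHINE_I386  0x014c  /* IMAGE_FILE_MACHINE_I386 */
#define MACHINE_AMD64 0x8664  /* IMAGE_FILE_MACHINE_AMD64 */

/* Little-endian reads that do not depend on host alignment or endianness. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Returns FileHeader.Machine, or 0 if the buffer is not a well-formed PE. */
uint16_t pe_machine(const uint8_t *img, size_t len)
{
    if (len < 0x40 || rd16(img) != 0x5A4D) return 0;   /* "MZ" */
    uint32_t off = rd32(img + 0x3C);                   /* e_lfanew */
    if (off > len || len - off < 6) return 0;          /* signature + Machine */
    if (rd32(img + off) != 0x00004550) return 0;       /* "PE\0\0" */
    return rd16(img + off + 4);
}

/* 1 if an image of this machine type can run inside a loader process
   whose pointers are loader_ptr_size bytes wide, else 0. */
int pe_matches_loader(uint16_t machine, size_t loader_ptr_size)
{
    if (machine == MACHINE_I386)  return loader_ptr_size == 4;
    if (machine == MACHINE_AMD64) return loader_ptr_size == 8;
    return 0;
}

/* Constructed sample: minimal DOS header, PE signature and Machine field. */
size_t make_sample(uint8_t *buf, size_t cap, uint16_t machine)
{
    if (cap < 0x48) return 0;
    memset(buf, 0, 0x48);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                                  /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x44] = (uint8_t)(machine & 0xFF);
    buf[0x45] = (uint8_t)(machine >> 8);
    return 0x48;
}

int main(void)
{
    uint8_t buf[0x48];
    size_t n = make_sample(buf, sizeof buf, MACHINE_I386);
    int ok = pe_matches_loader(pe_machine(buf, n), sizeof(void *));
    printf("image and loader bitness %s\n", ok ? "match" : "differ");
    return 0;
}
```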