Problem changing the entry point of PE file

Topic created on: March 15, 2013 05:34 CDT by bombard .

Hi,
I am trying to write code which can change the AddressOfEntryPoint and, further, overwrite the code section. Following is the code:

    #include "stdio.h"
    #include <windows.h>
    #include <tchar.h>   // needed for _tmain / _TCHAR


    int _tmain(int argc, _TCHAR* argv[])
    {
        TCHAR szPath[MAX_PATH] = TEXT("C:\\cmd.exe");
        PIMAGE_DOS_HEADER ptrDosHeader;
        PIMAGE_NT_HEADERS ptrNTHeader;
        IMAGE_OPTIONAL_HEADER opHeader;    // local (stack) copy of the optional header
        IMAGE_SECTION_HEADER iSH[10];      // local array of section headers, never filled from the file
        HANDLE hMapObject, hFile;
        LPVOID lpBase;
        unsigned char* fake;

        //Open existing file
        hFile = CreateFile(szPath, GENERIC_READ|GENERIC_WRITE|GENERIC_EXECUTE, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if ( !hFile || hFile == INVALID_HANDLE_VALUE )
        {
            printf("\nERROR : Could not open the file specified\n");
            return 0;
        }

        //Create the file mapping
        hMapObject = CreateFileMapping(hFile, NULL, PAGE_EXECUTE_READWRITE | SEC_COMMIT, 0, 0, NULL);
        if (hMapObject == NULL)
        {
            printf("\nERROR : Could not create file mapping\n");
            return 0;
        }

        //Map view of file
        lpBase = MapViewOfFile(hMapObject, FILE_MAP_ALL_ACCESS, 0, 0, 0);
        if (lpBase == NULL)
        {
            printf("\nERROR : Could not map a view of file mapping\n");
            return 0;
        }

        ptrDosHeader = (PIMAGE_DOS_HEADER)lpBase;

        //Verify that PE file is valid
        if (ptrDosHeader->e_magic == IMAGE_DOS_SIGNATURE)
        {
            printf("\n\nValid Dos Exe File\n------------------\n");
        }

        //Now move to PE header/IMAGE_NT_HEADERS
        //Here we are typecasting the pointer to dword, because we need to add value to pointer(location)
        ptrNTHeader = (PIMAGE_NT_HEADERS)((DWORD)(ptrDosHeader) + (ptrDosHeader->e_lfanew));

        //Get number of sections
        WORD numSections = ptrNTHeader->FileHeader.NumberOfSections;
        printf("number of sections %d", numSections);
        //Change the number of sections
        //ptrNTHeader->FileHeader.NumberOfSections = 4;

        if (ptrNTHeader->Signature == IMAGE_NT_SIGNATURE)
        {
            printf("PE signature is valid");
        }

        //Move to optional header (this copies the header by value into opHeader)
        opHeader = (IMAGE_OPTIONAL_HEADER)ptrNTHeader->OptionalHeader;
        //Entry point
        DWORD EP = opHeader.AddressOfEntryPoint;
        printf("\nEntry point 0x%x", EP);
        opHeader.AddressOfEntryPoint = opHeader.AddressOfEntryPoint + 1;   // modifies the local copy
        FlushViewOfFile((LPCVOID)&opHeader, 200);                          // flushes a stack address, not the view
        printf("\nNew Entry point 0x%x", opHeader.AddressOfEntryPoint);
        //Preferred load address or Image base
        DWORD imgBase = opHeader.ImageBase;
        printf("\nPreferred load address of PE file 0x%x", imgBase);
        //Size of headers, which is equivalent to offset of the first section
        DWORD sizeHeaders = opHeader.SizeOfHeaders;
        printf("\nSize of headers 0x%x", sizeHeaders);

        //Change the characteristics and make all sections writable
        //Now, we will add the shellcode at the Image base + Entry Point = VA
        DWORD infectionStartAddress = imgBase + EP;

        for (WORD i = 0; i < numSections; i++)
        {
            // IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
            // (the original had 0x200000000, a 33-bit value that does not fit in a DWORD)
            iSH[i].Characteristics = 0x20000000 | 0x40000000 | 0x80000000;
            FlushViewOfFile((LPCVOID)&iSH[i], 200);
        }

        UnmapViewOfFile(lpBase);
        CloseHandle(hMapObject);
        CloseHandle(hFile);
        MessageBox(NULL, TEXT("Done"), TEXT("Done"), 0);   // TEXT() so the string matches the build's character set
        return 0;
    }

Problem: In the line
    opHeader.AddressOfEntryPoint = opHeader.AddressOfEntryPoint + 1;
I am trying to modify the EP. It is happening in memory; however, the changes are not taking place on disk. However, if I try to modify the "MZ" part (the start of the PE file), it works fine. Unable to understand the issue. Please help.

  codeinject     March 18, 2013 03:22.58 CDT
If you create a pastebin for your code dump. I'll give it a look :)

  bombard   March 18, 2013 12:34.47 CDT
Hi codeinject,
Thanks for the response :). Here is the pastebin link:
http://pastebin.com/RHC3jHuP

  codeinject     March 19, 2013 03:26.07 CDT
Quickly analysed your code.
A few things: debug in assembler and you'll know what is going on. Second, use indenting.

The clue on how to fix should be in here:
http://pastebin.com/QSkJNz8U

Give it a go, if you can't figure it out let me know and I'll show you the way to enlightenment. :)

  bombard   March 19, 2013 07:40.27 CDT
Hi Codeinject,
I think I am near. It's related to the memory of opHeader. Trying it out ;)

  bombard   March 19, 2013 09:17.29 CDT
I think I got the answer. I am trying to operate on the variable "opHeader". When I assign the value to opHeader, a memory allocation takes place, and I am trying to modify that memory (LOLS :D). I think there are two solutions: 1. Directly work with pointers. Avoid using variables. 2. Work with only one pointer, i.e. lpBase. This is the one which points to the file. Correct me if wrong :)

  codeinject     March 19, 2013 10:08.36 CDT
Well, I'd work with one pointer like so:
&ptr[offset] or iterate over it like so ((*itr)++)

Something you might like for your studies:
#define DEBUGGER()          do{ExitProcess(0);}while(0)
#define ISDEBUGGERPRESENT() do{if(IsDebuggerPresent()){DEBUGGER();}}while(0)
#define ISDEBUGGED()        do{if(((char*)get_peb())[2]){DEBUGGER();}}while(0)
#define NTGLOBALFLAGS()     do{if((((char*)get_peb())[0x68]) & 0x70){DEBUGGER();}}while(0)
#define SSTRACERTRAP()      do{__asm{push ss}__asm{pop ss}__asm{nop}}while(0)
#define NOP                 do{__asm{nop};}while(0)
#define JUNK_BYTE           do{__asm{_emit  0xeb}__asm{_emit  0x01}__asm{_emit  0x2d}__asm{_emit  0x90}}while(0)
inline void *get_peb()      {__asm{mov eax, fs:[0x30]}}
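The point bombard arrives at above, and codeinject's "one pointer" advice, is that every edit has to go through the pointer into the mapped file; a struct copied onto the stack is a different object and flushing it does nothing to the file. The block below is an added example written for this thread, not code from either poster or from OpenRCE. It uses plain C with fixed PE/COFF offsets instead of windows.h, so it runs anywhere: it builds a constructed minimal PE32 header image (not a real program), locates the optional header and section table from the one base pointer, reads and rewrites AddressOfEntryPoint in place, reproduces the copy mistake for comparison, and adds the triage check a defender would run on a file that may have been patched this way: does the entry point land inside an executable section, and is any section mapped both writable and executable. All function names (`pe_locate`, `pe_get_entry`, `pe_set_entry`, `pe_section_of_rva`, `pe_suspicious`, the `scenario_*` helpers) and the sample image are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fixed offsets and flags from the PE/COFF format; no windows.h required. */
#define E_LFANEW_OFF          0x3Cu
#define SEC_HDR_SIZE          40u
#define IMAGE_SCN_MEM_EXECUTE 0x20000000u
#define IMAGE_SCN_MEM_WRITE   0x80000000u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

typedef struct { size_t opt_off; size_t sec_off; uint16_t nsec; } pe_layout;

/* Validate the MZ/PE signatures and locate the optional header and section table
   relative to the single base pointer; every offset is bounds-checked. 0 on success. */
int pe_locate(const uint8_t *buf, size_t len, pe_layout *out) {
    if (len < E_LFANEW_OFF + 4 || rd16(buf) != 0x5A4D) return -1;              /* "MZ" */
    uint32_t nt = rd32(buf + E_LFANEW_OFF);
    if (nt > len || len - nt < 24 || rd32(buf + nt) != 0x00004550) return -1;  /* "PE\0\0" */
    uint16_t nsec  = rd16(buf + nt + 6);                                       /* FileHeader.NumberOfSections */
    uint16_t optsz = rd16(buf + nt + 20);                                      /* FileHeader.SizeOfOptionalHeader */
    size_t opt = nt + 24, sec = opt + optsz;
    if (optsz < 20 || sec > len || (len - sec) / SEC_HDR_SIZE < nsec) return -1;
    out->opt_off = opt; out->sec_off = sec; out->nsec = nsec;
    return 0;
}

/* AddressOfEntryPoint sits 16 bytes into the optional header for both PE32 and PE32+.
   The setter writes through the buffer pointer, which is the fix the thread arrives at. */
uint32_t pe_get_entry(const uint8_t *buf, const pe_layout *L) { return rd32(buf + L->opt_off + 16); }
void     pe_set_entry(uint8_t *buf, const pe_layout *L, uint32_t rva) { wr32(buf + L->opt_off + 16, rva); }

/* Index of the section whose virtual range contains rva, or -1 if none does. */
int pe_section_of_rva(const uint8_t *buf, const pe_layout *L, uint32_t rva) {
    for (uint16_t i = 0; i < L->nsec; i++) {
        const uint8_t *sh = buf + L->sec_off + (size_t)i * SEC_HDR_SIZE;
        uint32_t vsize = rd32(sh + 8), va = rd32(sh + 12);                     /* VirtualSize, VirtualAddress */
        if (rva >= va && rva - va < vsize) return i;
    }
    return -1;
}

/* Triage heuristic: 1 if the entry point is outside every section or inside a section
   without IMAGE_SCN_MEM_EXECUTE, or if any section is both writable and executable. */
int pe_suspicious(const uint8_t *buf, const pe_layout *L) {
    int s = pe_section_of_rva(buf, L, pe_get_entry(buf, L));
    if (s < 0) return 1;
    for (uint16_t i = 0; i < L->nsec; i++) {
        uint32_t ch = rd32(buf + L->sec_off + (size_t)i * SEC_HDR_SIZE + 36);  /* Characteristics */
        if (i == s && !(ch & IMAGE_SCN_MEM_EXECUTE)) return 1;
        if ((ch & IMAGE_SCN_MEM_EXECUTE) && (ch & IMAGE_SCN_MEM_WRITE)) return 1;
    }
    return 0;
}

/* Constructed sample: a bare PE32 header with .text (RX, holds the entry point) and .data (RW). */
static size_t build_sample(uint8_t *buf, size_t cap) {
    const size_t nt = 0x40, opt = nt + 24, sec = opt + 0xE0, total = sec + 2 * SEC_HDR_SIZE;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z'; wr32(buf + E_LFANEW_OFF, (uint32_t)nt);
    memcpy(buf + nt, "PE\0\0", 4);
    buf[nt + 4] = 0x4C; buf[nt + 5] = 0x01;                /* Machine = i386 */
    buf[nt + 6] = 2;                                       /* NumberOfSections */
    buf[nt + 20] = 0xE0;                                   /* SizeOfOptionalHeader = 224 */
    buf[opt] = 0x0B; buf[opt + 1] = 0x01;                  /* Magic = PE32 */
    wr32(buf + opt + 16, 0x1000);                          /* AddressOfEntryPoint inside .text */
    uint8_t *t = buf + sec, *d = t + SEC_HDR_SIZE;
    memcpy(t, ".text", 5); wr32(t + 8, 0x1000); wr32(t + 12, 0x1000); wr32(t + 36, 0x60000020);
    memcpy(d, ".data", 5); wr32(d + 8, 0x1000); wr32(d + 12, 0x2000); wr32(d + 36, 0xC0000040);
    return total;
}

/* Build and parse the sample; optionally move the entry point into .data through the base pointer. */
static int prepare(uint8_t *img, size_t cap, pe_layout *L, int move_entry_to_data) {
    size_t n = build_sample(img, cap);
    if (n == 0 || pe_locate(img, n, L) != 0) return -1;
    if (move_entry_to_data) pe_set_entry(img, L, 0x2000);
    return 0;
}
int scenario_suspicious(int move) { uint8_t img[512]; pe_layout L; return prepare(img, sizeof img, &L, move) ? -1 : pe_suspicious(img, &L); }
uint32_t scenario_entry(int move) { uint8_t img[512]; pe_layout L; return prepare(img, sizeof img, &L, move) ? 0 : pe_get_entry(img, &L); }

/* The mistake from the thread: edit a stack copy of the optional header, then re-read the image. */
uint32_t scenario_entry_via_copy(void) {
    uint8_t img[512], copy[0xE0]; pe_layout L;
    if (prepare(img, sizeof img, &L, 0)) return 0;
    memcpy(copy, img + L.opt_off, sizeof copy);
    wr32(copy + 16, rd32(copy + 16) + 1);                  /* changes the copy only */
    return pe_get_entry(img, &L);                          /* the image still reads 0x1000 */
}

int main(void) {
    printf("clean image:          suspicious=%d entry=0x%x\n", scenario_suspicious(0), (unsigned)scenario_entry(0));
    printf("entry moved to .data: suspicious=%d entry=0x%x\n", scenario_suspicious(1), (unsigned)scenario_entry(1));
    printf("edited a stack copy:  entry=0x%x\n", (unsigned)scenario_entry_via_copy());
    return 0;
}
```

On a real file the same functions take the mapped view as `buf` and the file size as `len`; the bounds checks in `pe_locate` are what keep a malformed `e_lfanew` or `NumberOfSections` from walking off the end of the mapping, which the thread's original code does not guard against.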

  bombard   March 20, 2013 07:31.53 CDT
Thanks codeinject for the help :) and also for the further studies links

  codeinject     March 21, 2013 02:36.28 CDT
Anytime, just remember.
Learn how to write malware to combat it, with great power comes great responsibility. etc etc.

Just don't be a bother to other internet users. :)
