Problem changing the entry point of PE file

Topic created on: March 15, 2013 05:34 CDT by bombard .

Hi,
I am trying to write code that can change the AddressOfEntryPoint and then overwrite the code section. Following is the code:
#include <stdio.h>
#include <tchar.h>
#include <windows.h>

int _tmain(int argc, _TCHAR* argv[])
{
    TCHAR szPath[MAX_PATH] = TEXT("C:\\cmd.exe");
    PIMAGE_DOS_HEADER ptrDosHeader;
    PIMAGE_NT_HEADERS ptrNTHeader;
    IMAGE_OPTIONAL_HEADER opHeader;      // local copy of the optional header
    IMAGE_SECTION_HEADER iSH[10];        // local array of section headers
    HANDLE hMapObject, hFile;
    LPVOID lpBase;
    unsigned char* fake;

    // Open existing file
    hFile = CreateFile(szPath, GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE, FILE_SHARE_READ,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (!hFile || hFile == INVALID_HANDLE_VALUE)
    {
        printf("\nERROR : Could not open the file specified\n");
        return 0;
    }

    // Create the file mapping
    hMapObject = CreateFileMapping(hFile, NULL, PAGE_EXECUTE_READWRITE | SEC_COMMIT, 0, 0, NULL);
    if (hMapObject == NULL)
    {
        printf("\nERROR : Could not create file mapping\n");
        return 0;
    }

    // Map view of file
    lpBase = MapViewOfFile(hMapObject, FILE_MAP_ALL_ACCESS, 0, 0, 0);
    if (lpBase == NULL)
    {
        printf("\nERROR : Could not map a view of file mapping\n");
        return 0;
    }

    ptrDosHeader = (PIMAGE_DOS_HEADER)lpBase;

    // Verify that PE file is valid
    if (ptrDosHeader->e_magic == IMAGE_DOS_SIGNATURE)
    {
        printf("\n\nValid Dos Exe File\n------------------\n");
    }

    // Now move to PE header/IMAGE_NT_HEADERS
    // e_lfanew is a byte offset, so add it to a byte pointer
    ptrNTHeader = (PIMAGE_NT_HEADERS)((PBYTE)ptrDosHeader + ptrDosHeader->e_lfanew);

    // Get number of sections
    WORD numSections = ptrNTHeader->FileHeader.NumberOfSections;
    printf("number of sections %d", numSections);
    // Change the number of sections
    //ptrNTHeader->FileHeader.NumberOfSections = 4;

    if (ptrNTHeader->Signature == IMAGE_NT_SIGNATURE)
    {
        printf("PE signature is valid");
    }

    // Move to optional header
    opHeader = (IMAGE_OPTIONAL_HEADER)ptrNTHeader->OptionalHeader;
    // Entry point
    DWORD EP = opHeader.AddressOfEntryPoint;
    printf("\nEntry point 0x%x", EP);
    opHeader.AddressOfEntryPoint = opHeader.AddressOfEntryPoint + 1;
    FlushViewOfFile((LPCVOID)&opHeader, 200);
    printf("\nNew Entry point 0x%x", opHeader.AddressOfEntryPoint);
    // Preferred load address or Image base
    DWORD imgBase = opHeader.ImageBase;
    printf("\nPreferred load address of PE file 0x%x", imgBase);
    // Size of headers, which is equivalent to offset of the first section
    DWORD sizeHeaders = opHeader.SizeOfHeaders;
    printf("\nSize of headers 0x%x", sizeHeaders);

    // Change the characteristics and make all sections writable
    // Now, we will add the shellcode at the Image base + Entry Point = VA
    DWORD infectionStartAddress = imgBase + EP;

    for (WORD i = 0; i < numSections; i++)
    {
        // execute | read | write (0x20000000 | 0x40000000 | 0x80000000)
        iSH[i].Characteristics = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE;
        FlushViewOfFile((LPCVOID)&iSH[i], 200);
    }

    UnmapViewOfFile(lpBase);
    CloseHandle(hMapObject);
    CloseHandle(hFile);
    MessageBox(NULL, TEXT("Done"), TEXT("Done"), 0);
    return 0;
}

Problem: In the line
opHeader.AddressOfEntryPoint = opHeader.AddressOfEntryPoint + 1;
I am trying to modify the EP. The change happens in memory, but it is not written to disk. However, if I try to modify the "MZ" part (the start of the PE file), it works fine. I am unable to understand the issue. Please help.

  codeinject     March 18, 2013 03:22.58 CDT
If you create a pastebin for your code dump, I'll give it a look :)

  bombard   March 18, 2013 12:34.47 CDT
Hi codeinject,
Thanks for the response :). Here is the pastebin link:
http://pastebin.com/RHC3jHuP

  codeinject     March 19, 2013 03:26.07 CDT
Quickly analysed your code.
A few things: debug in assembler and you'll know what is going on. Second, use indenting.

The clue on how to fix should be in here:
http://pastebin.com/QSkJNz8U

Give it a go, if you can't figure it out let me know and I'll show you the way to enlightenment. :)

  bombard   March 19, 2013 07:40.27 CDT
Hi Codeinject,
I think I am near. It's related to the memory of opHeader. Trying it out ;)

  bombard   March 19, 2013 09:17.29 CDT
I think I got the answer. I am trying to operate on the variable "opHeader". When I assign the value to opHeader, a memory allocation takes place, and I am trying to modify that memory (LOLS :D). I think there are two solutions: 1. Directly work with pointers; avoid using variables. 2. Work with only one pointer, i.e. lpBase, which is the one that points to the file. Correct me if wrong :)

  codeinject     March 19, 2013 10:08.36 CDT
Well, I'd work with one pointer like so:
&ptr[offset] or iterate over it like so ((*itr)++)

Something you might like for your studies:
#define DEBUGGER()          do{ExitProcess(0);}while(0)
#define ISDEBUGGERPRESENT() do{if(IsDebuggerPresent()){DEBUGGER();}}while(0)
#define ISDEBUGGED()        do{if(((char*)get_peb())[2]){DEBUGGER();}}while(0)
#define NTGLOBALFLAGS()     do{if((((char*)get_peb())[0x68]) & 0x70){DEBUGGER();}}while(0)
#define SSTRACERTRAP()      do{__asm{push ss}__asm{pop ss}__asm{nop}}while(0)
#define NOP                 do{__asm{nop};}while(0)
#define JUNK_BYTE           do{__asm{_emit  0xeb}__asm{_emit  0x01}__asm{_emit  0x2d}__asm{_emit  0x90}}while(0)
inline void *get_peb()      {__asm{mov eax, fs:[0x30]}}
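
The pointer-based fix bombard arrives at and codeinject confirms, worked through as an added example (editor's code, not from the thread or either poster). Instead of copying IMAGE_OPTIONAL_HEADER into a stack variable, every function below takes the base of the mapped image and writes through pointers into it, so the write lands in the file view. It goes a little beyond the post: e_lfanew, the optional header size and the section count are bounds-checked before being dereferenced, and the section table is patched in place rather than via a local iSH array. The struct names (dos_header_t, nt_headers_head_t, section_header_t) are hand-written mirrors of IMAGE_DOS_HEADER / IMAGE_NT_HEADERS32 / IMAGE_SECTION_HEADER so the code builds without <windows.h>, and build_sample_image is a constructed 512-byte PE32 skeleton that stands in for the MapViewOfFile view; both are assumptions of this example, and only PE32 (Magic 0x10b) is handled.

```c
#include <stdint.h>
#include <string.h>

/* Hand-defined PE32 header layouts (field order per the PE/COFF spec) so this
 * builds without <windows.h>; names mirror the IMAGE_* structures. */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t reserved[58]; uint32_t e_lfanew; } dos_header_t;
typedef struct {                       /* "PE\0\0" + IMAGE_FILE_HEADER + start of IMAGE_OPTIONAL_HEADER32 */
    uint32_t Signature;
    uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
    uint16_t Magic;  uint8_t MajorLinkerVersion, MinorLinkerVersion;   /* Magic 0x10b = PE32 */
    uint32_t SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData;
    uint32_t AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase;
} nt_headers_head_t;
typedef struct {
    char     Name[8];
    uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
    uint32_t PointerToRelocations, PointerToLinenumbers;
    uint16_t NumberOfRelocations, NumberOfLinenumbers;
    uint32_t Characteristics;
} section_header_t;
#pragma pack(pop)

#define SCN_MEM_EXECUTE 0x20000000u
#define SCN_MEM_READ    0x40000000u
#define SCN_MEM_WRITE   0x80000000u

/* NT headers inside the mapped buffer, bounds-checked; NULL unless it is PE32. */
nt_headers_head_t *pe_nt_headers(uint8_t *base, size_t len)
{
    if (len < sizeof(dos_header_t)) return NULL;
    dos_header_t *dos = (dos_header_t *)base;
    if (dos->e_magic != 0x5A4D) return NULL;                       /* "MZ" */
    if (dos->e_lfanew > len - sizeof(nt_headers_head_t)) return NULL;
    nt_headers_head_t *nt = (nt_headers_head_t *)(base + dos->e_lfanew);
    return (nt->Signature == 0x00004550u && nt->Magic == 0x10b) ? nt : NULL;
}

/* The thread's mistake, reproduced: editing a struct copy leaves the mapping
 * untouched.  Returns the entry point still stored in the buffer afterwards. */
uint32_t entry_point_after_copy_edit(uint8_t *base, size_t len)
{
    nt_headers_head_t *nt = pe_nt_headers(base, len);
    if (!nt) return 0;
    nt_headers_head_t copy = *nt;      /* like opHeader: a copy on the stack */
    copy.AddressOfEntryPoint += 1;     /* edits the copy, not the file view */
    return nt->AddressOfEntryPoint;
}

/* The fix: write through a pointer into the mapping itself. */
int pe_set_entry_point(uint8_t *base, size_t len, uint32_t new_rva)
{
    nt_headers_head_t *nt = pe_nt_headers(base, len);
    if (!nt) return -1;
    nt->AddressOfEntryPoint = new_rva;
    return 0;
}

/* Section table follows the optional header; return a pointer into it. */
section_header_t *pe_sections(uint8_t *base, size_t len, uint16_t *count)
{
    nt_headers_head_t *nt = pe_nt_headers(base, len);
    if (!nt) return NULL;
    size_t off = (size_t)((uint8_t *)nt - base) + 24 + nt->SizeOfOptionalHeader;
    if (off > len || (size_t)nt->NumberOfSections * sizeof(section_header_t) > len - off) return NULL;
    *count = nt->NumberOfSections;
    return (section_header_t *)(base + off);
}

/* The post's loop, but on the real table: returns sections patched or -1. */
int pe_make_sections_rwx(uint8_t *base, size_t len)
{
    uint16_t n;
    section_header_t *sec = pe_sections(base, len, &n);
    if (!sec) return -1;
    for (uint16_t i = 0; i < n; i++)
        sec[i].Characteristics |= SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE;
    return n;
}

/* Constructed sample: a 512-byte PE32 skeleton with one R+X .text section and
 * entry point RVA 0x1000.  Headers only; it is not a loadable executable. */
size_t build_sample_image(uint8_t *buf, size_t len)
{
    if (len < 512) return 0;
    memset(buf, 0, 512);
    dos_header_t *dos = (dos_header_t *)buf;
    dos->e_magic = 0x5A4D;  dos->e_lfanew = 0x40;
    nt_headers_head_t *nt = (nt_headers_head_t *)(buf + 0x40);
    nt->Signature = 0x00004550u;  nt->Machine = 0x14c;  nt->NumberOfSections = 1;
    nt->SizeOfOptionalHeader = 0xE0;  nt->Magic = 0x10b;
    nt->AddressOfEntryPoint = 0x1000;  nt->ImageBase = 0x400000;
    section_header_t *sec = (section_header_t *)(buf + 0x40 + 24 + 0xE0);
    memcpy(sec->Name, ".text", 5);  sec->VirtualAddress = 0x1000;
    sec->Characteristics = 0x20u | SCN_MEM_EXECUTE | SCN_MEM_READ;   /* CNT_CODE|X|R */
    return 512;
}
```

On Windows, hand these functions the lpBase returned by MapViewOfFile and the file size (GetFileSize); since they write through pointers into the view, the change reaches the file when the view is unmapped, and FlushViewOfFile, if used at all, must be called on an address inside the view rather than on a stack variable. The iSH array in the post has the same problem as opHeader, which pe_sections avoids by returning a pointer into the real section table.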

  bombard   March 20, 2013 07:31.53 CDT
Thanks, codeinject, for the help :) and also for the further-study links.

  codeinject     March 21, 2013 02:36.28 CDT
Anytime. Just remember:
learn how to write malware to combat it; with great power comes great responsibility, etc.

Just don't be a bother to other internet users. :)
