
Hi,
I am trying to write code that changes the AddressOfEntryPoint and then overwrites the code section. The code is as follows:
#include "stdio.h"
#include <windows.h>
// Entry point of a small Win32 tool. It opens the executable at a hard-coded
// path, maps the whole file read/write/execute, walks the DOS and NT headers,
// prints a few PE fields, and then attempts to edit the entry point and the
// section characteristics. Note: in-place edits to a PE's headers invalidate
// any Authenticode signature on the file and are exactly the kind of write
// that file-integrity monitoring and AV file-modification heuristics flag.
// argc/argv are unused. The function returns 0 on every path, including the
// error paths, so the exit code does not tell a caller whether it succeeded.
int _tmain(int argc, _TCHAR* argv[])
{
// Hard-coded target path (the argv path is never consulted).
TCHAR szPath[MAX_PATH]=TEXT("C:\\cmd.exe");
PIMAGE_DOS_HEADER ptrDosHeader;
PIMAGE_NT_HEADERS ptrNTHeader;
// By-value struct on this function's stack (see the assignment below).
IMAGE_OPTIONAL_HEADER opHeader;
// Local array on the stack, never initialised from the file. It holds at most
// 10 entries; a file reporting more sections overruns it in the loop below.
IMAGE_SECTION_HEADER iSH[10];
HANDLE hMapObject,hFile;
LPVOID lpBase;
// Declared but never used.
unsigned char* fake;
//Open existing file
// Opened for read+write+execute with only FILE_SHARE_READ, so the open fails
// if the target is already opened for writing elsewhere.
hFile = CreateFile(szPath,GENERIC_READ|GENERIC_WRITE|GENERIC_EXECUTE,FILE_SHARE_READ,NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
// CreateFile reports failure as INVALID_HANDLE_VALUE; the !hFile test is redundant.
if ( !hFile || hFile == INVALID_HANDLE_VALUE )
{
printf("\nERROR : Could not open the file specified\n");
return 0;
}
//Create the file mapping
// Size 0/0 maps the entire file. hFile is not closed on the failure path below
// (the process exits right after, so nothing is left running with it open).
hMapObject = CreateFileMapping(hFile,NULL,PAGE_EXECUTE_READWRITE | SEC_COMMIT,0,0,NULL);
if (hMapObject == NULL)
{
printf("\nERROR : Could not create file mapping\n");
return 0;
}
//Map view of file
// Writable view of the whole file. The view size is never recorded, so none
// of the header offsets read below are bounds-checked against it.
lpBase = MapViewOfFile(hMapObject,FILE_MAP_ALL_ACCESS,0,0,0);
if (lpBase == NULL)
{
printf("\nERROR : Could not map a view of file mapping\n");
return 0;
}
ptrDosHeader = (PIMAGE_DOS_HEADER)lpBase;
//Verify that PE file is valid
// Only prints on a match; a file without the "MZ" signature is still
// processed as if it were a PE.
if(ptrDosHeader->e_magic == IMAGE_DOS_SIGNATURE)
{
printf("\n\nValid Dos Exe File\n------------------\n");
}
//Now move to PE header/IMAGE_NT_HEADERS
//Here we are typecasting the pointer to dword, because we need to add value to pointer(location)
// The DWORD cast truncates the pointer to 32 bits, so this is only correct in
// a 32-bit build. e_lfanew is taken from the file unchecked, so a malformed
// header can send ptrNTHeader outside the mapped view.
ptrNTHeader = (PIMAGE_NT_HEADERS)((DWORD)(ptrDosHeader) + (ptrDosHeader->e_lfanew));
//Get number of sections
// Read from the file before the NT signature is checked; this value also
// drives the iSH[] loop below, which has room for only 10 entries.
WORD numSections = ptrNTHeader->FileHeader.NumberOfSections;
printf("numbr of sections %d", numSections);
//Change the number of sections
//ptrNTHeader->FileHeader.NumberOfSections = 4;
// As with the DOS check, a mismatch is not an error: only the match is reported.
if(ptrNTHeader->Signature == IMAGE_NT_SIGNATURE)
{
printf("PE signature is valid");
}
//Move to optional header
// Struct assignment: this copies the optional header out of the mapped view
// into the stack variable opHeader. Everything below reads and writes that
// stack copy, not the bytes inside the view returned by MapViewOfFile.
opHeader = (IMAGE_OPTIONAL_HEADER)ptrNTHeader->OptionalHeader;
//Entry point
DWORD EP = opHeader.AddressOfEntryPoint;
// %x expects unsigned int; on Win32 DWORD is unsigned long (same size here,
// but %lx is the matching specifier). Same for the printf calls below.
printf("\nEntry point 0x%x", EP);
// Modifies the stack copy only (see the assignment above).
opHeader.AddressOfEntryPoint = opHeader.AddressOfEntryPoint + 1;
// FlushViewOfFile is being passed the address of a stack variable; the API is
// defined for address ranges inside a mapped view, so this call does not flush
// any part of the file mapping. The 200-byte length is an arbitrary constant.
FlushViewOfFile((LPCVOID)&opHeader,200);
printf("\nNew Entry point 0x%x", opHeader.AddressOfEntryPoint);
//Preferred load address or Image base
DWORD imgBase = opHeader.ImageBase;
printf("\nPrferred load address of PE file 0x%x", imgBase);
//Size of headers, which is equivalent to offset of the first section
DWORD sizeHeaders = opHeader.SizeOfHeaders;
printf("\nSize of headers 0x%x", sizeHeaders);
//Change the characteristics and make all sections writable
//Now, we will add the shellcode at the Image base + Entry Point= VA
// Computed but never used.
DWORD infectionStartAddress = imgBase + EP;
// Writes into the local iSH[] array, which was never loaded from the file.
// numSections comes straight from the file, so values above 10 overrun iSH[].
for(WORD i=0; i<numSections; i++)
{
// 0x200000000 needs 34 bits; the OR'd value does not fit the 32-bit DWORD
// Characteristics field and is truncated on assignment.
iSH[i].Characteristics = 0x200000000 | 0x40000000 | 0x80000000;
// Same issue as the earlier FlushViewOfFile call: &iSH[i] is a stack address,
// not an address within the mapped view.
FlushViewOfFile((LPCVOID)&iSH[i],200);
}
// Cleanup; return values of UnmapViewOfFile/CloseHandle are not checked.
UnmapViewOfFile(lpBase);
CloseHandle(hMapObject);
CloseHandle(hFile);
// Narrow string literals cast to LPCWSTR: in a Unicode build MessageBox will
// interpret "Done" as UTF-16 and display garbage. TEXT("Done") would match
// the TCHAR convention used for szPath.
MessageBox(NULL,(LPCWSTR)"Done",(LPCWSTR)"Done",0);
return 0;
}
Problem: In the line
opHeader.AddressOfEntryPoint = opHeader.AddressOfEntryPoint + 1;
I am trying to modify the EP; the change happens in memory, but it is not written to disk. However, if I modify the "MZ" part (the start of the PE file), it works fine. I cannot understand the issue. Please help