Thread: Can I move Entry Point to the middle of the codz ?
View Single Post
  #1  
Old 11-22-2005, 03:12
tbone
 
Posts: n/a
If you're just trying to insert some of your own code into the program to run before the program does, there's several ways of getting there. Since you're just starting out, you probably don't want to try to write a loader just yet, but there's still plenty of ways to do it.

The simplest method goes like this:
  1. Replace the instructions at the entry point with:

    PUSHAD
    JMP xxxxxxxx

    where xxxxxxxx is some free space in the module where you've stuck your own code (more on that later).

    At xxxxx:
  2. execute whatever code you want to run
  3. POPAD
  4. Execute any instructions that you wiped out in step 1.
  5. Jump back to the original program's instructions at whichever one would have followed the last instruction at step 4.

Or in short, save the processor's "state", jump away, do stuff, restore the processor's state, execute anything that you blew away, and jump back.

The free space where you stick your "code cave" can come from several sources. It could be unused space in the original executable file, or you could overwrite some code that *know* will never be executed. You can also expand the size of the last section with a PE editor, per diablo2002's suggestion. Or you could add a whole new section with a PE editor and have all the empty space that you want.

Of course, many programs have ways of checking if they've been modified like this, so you can't just run around modifying some programs without also removing the protection checks. But non-protected programs and simple-minded protection schemes will never know the difference.

Loaders work a lot like debuggers. They load the target application as a debugged process or as a child process, and then modify the file at runtime before and/or during the execution of the target. They're more flexible and powerful than static binary modification, but they're also a more advanced topic. Loaders not only have to avoid the anti-modification checks in the target, but also have to avoid being detected. ARTeam and others have written some good tutorials on how to write loaders when you get to that point.
Reply With Quote