Post date: Jun 8, 2010 9:07:33 PM
This little snippet, written by steve10120 of hackhound.org, shows you how to set a PE entry point to 00000000.
Tested and working on VB, ASM, Delphi compiled applications.
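With the entry point set to 0, execution starts at the first byte of the image, so the "MZ" signature itself runs as dec ebp / pop edx. The code writes push edx, inc ebp and a jmp directly after it: the first two instructions undo the effect of the signature bytes and the jmp goes to the real entry point. A possible use of such code would be as an anti-reversing trick. For an analyst, an AddressOfEntryPoint of 0 in an executable is a header anomaly worth flagging, and the original entry point can be recovered as the jmp operand stored at file offset 5 plus 9.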
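function ZeroEntryPoint(szFilePath:string):Boolean;
{ Patches the 32-bit PE file at szFilePath in place so that
  AddressOfEntryPoint becomes 0 and a 7-byte stub at file offsets 2..8
  (inside the DOS header, right after the "MZ" signature) jumps to the
  original entry point.

  With an entry point of 0 the first bytes executed are the signature
  itself: 'M' = $4D (dec ebp), 'Z' = $5A (pop edx). The stub undoes both
  (push edx, inc ebp) and then performs a relative jmp.

  Returns TRUE only when every read and write completed in full; the
  original returned TRUE without checking any I/O result, so a short read
  could cause uninitialised header data to be written back to the file.

  Analyst note: a patched file is recognisable by AddressOfEntryPoint = 0
  together with the bytes $52 $45 $E9 at file offset 2; the original entry
  point RVA is the DWORD at file offset 5 plus 9. }
const
  DOS_HEADER_SIZE    = 64;    // size of IMAGE_DOS_HEADER
  NT_HEADERS32_SIZE  = 248;   // size of the 32-bit IMAGE_NT_HEADERS
  PE32_MAGIC         = $010B; // OptionalHeader.Magic value for PE32 images
  STUB_OFFSET        = 2;     // first byte after the "MZ" signature
  SEEK_FAILED        = DWORD($FFFFFFFF);
var
  hFile: THandle;
  dwDone: DWORD;
  IDH: TImageDosHeader;
  INH: TImageNtHeaders;
  Stub: packed record
    PushEdx: Byte;   // $52, reverses the pop edx encoded by 'Z'
    IncEbp: Byte;    // $45, reverses the dec ebp encoded by 'M'
    JmpOp: Byte;     // $E9, jmp rel32
    JmpRel: DWORD;   // displacement to the original entry point
  end;

  // Seeks to Offset and reads exactly Count bytes; FALSE on any shortfall.
  function ReadAt(Offset: Longint; var Buf; Count: DWORD): Boolean;
  begin
    Result := (SetFilePointer(hFile, Offset, nil, FILE_BEGIN) <> SEEK_FAILED)
      and ReadFile(hFile, Buf, Count, dwDone, nil)
      and (dwDone = Count);
  end;

  // Seeks to Offset and writes exactly Count bytes; FALSE on any shortfall.
  function WriteAt(Offset: Longint; const Buf; Count: DWORD): Boolean;
  begin
    Result := (SetFilePointer(hFile, Offset, nil, FILE_BEGIN) <> SEEK_FAILED)
      and WriteFile(hFile, Buf, Count, dwDone, nil)
      and (dwDone = Count);
  end;

begin
  Result := FALSE;
  hFile := CreateFile(PChar(szFilePath), GENERIC_READ or GENERIC_WRITE,
    FILE_SHARE_READ or FILE_SHARE_WRITE, nil, OPEN_EXISTING, 0, 0);
  if hFile = INVALID_HANDLE_VALUE then
    Exit;
  try
    if not ReadAt(0, IDH, DOS_HEADER_SIZE) then
      Exit;
    if IDH.e_magic <> IMAGE_DOS_SIGNATURE then
      Exit;
    // The stub occupies offsets 2..8. If the NT headers started inside that
    // range, the header write below would overwrite the stub.
    if IDH._lfanew < STUB_OFFSET + SizeOf(Stub) then
      Exit;
    if not ReadAt(IDH._lfanew, INH, NT_HEADERS32_SIZE) then
      Exit;
    if INH.Signature <> IMAGE_NT_SIGNATURE then
      Exit;
    // The 248-byte header size and the x86 stub only fit PE32 images;
    // leave anything else (e.g. PE32+) untouched.
    if INH.OptionalHeader.Magic <> PE32_MAGIC then
      Exit;
    if INH.OptionalHeader.AddressOfEntryPoint = 0 then
      Exit;

    Stub.PushEdx := $52;
    Stub.IncEbp := $45;
    Stub.JmpOp := $E9;
    // The jmp opcode sits at offset 4 and the instruction ends at offset 9,
    // so the rel32 displacement is the entry point RVA minus 9.
    Stub.JmpRel := INH.OptionalHeader.AddressOfEntryPoint - 9;

    // Write the stub before changing the entry point, as the original did.
    if not WriteAt(STUB_OFFSET, Stub, SizeOf(Stub)) then
      Exit;

    INH.OptionalHeader.AddressOfEntryPoint := 0;
    Result := WriteAt(IDH._lfanew, INH, NT_HEADERS32_SIZE);
  finally
    CloseHandle(hFile);
  end;
end;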