Post date: Jun 8, 2010 9:07:33 PM
This little snippet, written by steve10120 of hackhound.org, shows how to set a PE file's entry point to 00000000.
Tested and working on VB, ASM, Delphi compiled applications.
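With the entry point set to 0, execution starts at the very first bytes of the image, i.e. the "MZ" signature itself, which decodes as dec ebp / pop edx. The code therefore writes a push edx and an inc ebp right after the signature to undo those two instructions, followed by a jmp that sends execution to the real entry point. A possible use of such code would be an anti-reversing trick. For an analyst, the same property is a useful static indicator: an executable whose AddressOfEntryPoint is 0 and whose DOS header holds a jump is anomalous and worth flagging.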
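{ Rewrites the PE file at szFilePath so that its AddressOfEntryPoint is 0 and
  a 7-byte stub placed at file offsets 2..8 (directly after the "MZ"
  signature) jumps to the original entry point.

  Layout written at offset 2:
    52            push edx   - undoes "pop edx" (the 'Z' byte, $5A)
    45            inc  ebp   - undoes "dec ebp" (the 'M' byte, $4D)
    E9 <rel32>    jmp  original entry point
  The jmp ends at offset 9, so rel32 = AddressOfEntryPoint - 9.

  The stub overwrites e_cblp, e_cp, e_crlc and the low byte of e_cparhdr in
  the DOS header. The file is modified in place; no backup is made.

  Returns TRUE only when every read and write completed in full. Returns
  FALSE when the file cannot be opened, is not a PE32 image, has an entry
  point below offset 9 (it would lie inside the bytes being overwritten),
  or when any I/O call fails or is short.

  NOTE(review): the stub uses 32-bit x86 opcodes, so only PE32 images
  (optional header magic $010B) are accepted.
  NOTE(review): presumably relies on the header page being executable when
  the image is loaded; enforced DEP/NX would be expected to stop it - confirm.
  NOTE(review): a zero AddressOfEntryPoint in an EXE is a static anomaly
  that PE-inspection tooling can flag. }
function ZeroEntryPoint(szFilePath:string):Boolean;
const
  bPushEdxOp: Byte = $52;
  bIncEbpOp: Byte = $45;
  bJmpOp: Byte = $E9;
  PE32_OPTIONAL_MAGIC = $010B; // IMAGE_OPTIONAL_HEADER32 magic
  STUB_OFFSET = 2;             // first byte after the "MZ" signature
  STUB_END = 9;                // file offset / RVA just past the jmp
type
  TEntryStub = packed record
    PushEdx: Byte;
    IncEbp: Byte;
    Jmp: Byte;
    Rel32: DWORD;
  end;
var
  hFile: THandle;
  dwNull: DWORD;
  IDH: TImageDosHeader;
  INH: TImageNtHeaders;
  Stub: TEntryStub;

  // Positions the file pointer at an absolute, non-negative offset.
  function SeekTo(lOffset: Longint): Boolean;
  begin
    Result := (lOffset >= 0) and
      (SetFilePointer(hFile, lOffset, nil, FILE_BEGIN) = DWORD(lOffset));
  end;

  // Reads exactly dwLen bytes at lOffset; a short read counts as failure.
  function ReadAt(lOffset: Longint; var Buf; dwLen: DWORD): Boolean;
  begin
    Result := SeekTo(lOffset) and
      ReadFile(hFile, Buf, dwLen, dwNull, nil) and (dwNull = dwLen);
  end;

  // Writes exactly dwLen bytes at lOffset; a short write counts as failure.
  function WriteAt(lOffset: Longint; const Buf; dwLen: DWORD): Boolean;
  begin
    Result := SeekTo(lOffset) and
      WriteFile(hFile, Buf, dwLen, dwNull, nil) and (dwNull = dwLen);
  end;

begin
  Result := FALSE;
  hFile := CreateFile(PChar(szFilePath), GENERIC_READ or GENERIC_WRITE,
    FILE_SHARE_READ or FILE_SHARE_WRITE, nil, OPEN_EXISTING, 0, 0);
  if hFile = INVALID_HANDLE_VALUE then
    Exit;
  try
    // Validate both headers completely before touching the file.
    if not ReadAt(0, IDH, SizeOf(IDH)) then
      Exit;
    if IDH.e_magic <> IMAGE_DOS_SIGNATURE then
      Exit;
    if not ReadAt(IDH._lfanew, INH, SizeOf(INH)) then
      Exit;
    if INH.Signature <> IMAGE_NT_SIGNATURE then
      Exit;
    if INH.OptionalHeader.Magic <> PE32_OPTIONAL_MAGIC then
      Exit;
    // An entry point below STUB_END would sit inside the overwritten bytes
    // and would also underflow the rel32 computation.
    if INH.OptionalHeader.AddressOfEntryPoint < STUB_END then
      Exit;

    Stub.PushEdx := bPushEdxOp;
    Stub.IncEbp := bIncEbpOp;
    Stub.Jmp := bJmpOp;
    Stub.Rel32 := INH.OptionalHeader.AddressOfEntryPoint - STUB_END;

    // One write for the whole stub so it is never left half-written.
    if not WriteAt(STUB_OFFSET, Stub, SizeOf(Stub)) then
      Exit;

    INH.OptionalHeader.AddressOfEntryPoint := 0;
    Result := WriteAt(IDH._lfanew, INH, SizeOf(INH));
  finally
    CloseHandle(hFile);
  end;
end;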