Overload (Master Cheater)
Reputation: 0 | Joined: 08 Feb 2008 | Posts: 293
Posted: Thu Mar 05, 2009 1:02 am | Post subject: Finding the Entry Point of another program
Pretty much what the title says. I am using C.
My main goal is to find the entry point of another program, and change it to a specified point (probably an empty area of code). I am having problems with some of the other parts but I think I can figure them out. But I have no idea how to find the entry point of a program.
_________________
Blog
Quote:
Rhys says: you can be my maid
Rhys says: I'll buy you a french maid outfit
Tyler says: Sounds good
Rhys says: I'll hold you to that
Bizarro (I post too much)
Reputation: 0 | Joined: 01 May 2007 | Posts: 2648
Posted: Thu Mar 05, 2009 1:04 am
PEiD
_________________
w8 baby.com Banner contest, Come join NOW!!
Check us out for Prize details
Overload (Master Cheater)
Posted: Thu Mar 05, 2009 1:06 am
But I don't want to just hard-code the address of the entry point. I need somehow to find it without the use of other programs (i.e. PEiD). Otherwise I would've resorted to that a while ago.
HalfPrime (Grandmaster Cheater)
Reputation: 0 | Joined: 12 Mar 2008 | Posts: 532 | Location: Right there...On your monitor
Posted: Thu Mar 05, 2009 1:10 am
Are you trying to make a program that can open up an exe and change the EP, or are you just trying to change the EP of a program? If you're writing something, look into PE headers; if you need to just change something, PEiD should let you.
Overload (Master Cheater)
Posted: Thu Mar 05, 2009 1:11 am
Basically I want to change the EP of the program to an empty space, execute code that will be there, then jump back.
sponge (I'm a spammer)
Reputation: 1 | Joined: 07 Nov 2006 | Posts: 6009
Posted: Thu Mar 05, 2009 1:36 am
- PE header -> Change EP offset -> CreateProcess
- CreateProcess (SUSPEND) -> SetThreadContext -> ResumeThread
tombana (Master Cheater)
Reputation: 2 | Joined: 14 Jun 2007 | Posts: 456 | Location: The Netherlands
Posted: Thu Mar 05, 2009 9:43 am
This is a part of my function I used to display stuff from the PE header:
Code: |
#include <windows.h>

// hWindow and Caption are declared elsewhere in the program this came from
extern HWND hWindow;
extern LPCTSTR Caption;

LPVOID pMapping;                 // the view stays mapped so the rest of the program can read the headers
IMAGE_NT_HEADERS * pHeader;
DWORD EntryPointRVA;             // AddressOfEntryPoint, relative to ImageBase

BOOL __stdcall DoPEStuff(TCHAR * FileName){
    HANDLE hFile, hMap;
    BOOL ok = FALSE;
    hFile = CreateFile(FileName, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile == INVALID_HANDLE_VALUE )
        MessageBox(hWindow, TEXT("Unable to open file!"), Caption, MB_OK);
    else{
        hMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
        if( !hMap )
            MessageBox(hWindow, TEXT("Unable to create file mapping!"), Caption, MB_OK);
        else{
            pMapping = MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);
            if( !pMapping )
                MessageBox(hWindow, TEXT("Unable to MapViewOfFile()!"), Caption, MB_OK);
            else{
                if( ((IMAGE_DOS_HEADER*)pMapping)->e_magic != IMAGE_DOS_SIGNATURE )
                    MessageBox(hWindow, TEXT("Invalid DOS Signature"), Caption, MB_OK);
                else{
                    // e_lfanew is a byte offset from the start of the file, so add it to a BYTE*
                    // (the original LONG cast truncates 64-bit pointers)
                    pHeader = (IMAGE_NT_HEADERS*)((BYTE*)pMapping + ((IMAGE_DOS_HEADER*)pMapping)->e_lfanew);
                    if( pHeader->Signature != IMAGE_NT_SIGNATURE )
                        MessageBox(hWindow, TEXT("Invalid PE Signature"), Caption, MB_OK);
                    else{
                        //The entry point (an RVA: add OptionalHeader.ImageBase to get the virtual address):
                        EntryPointRVA = pHeader->OptionalHeader.AddressOfEntryPoint;
                        ok = TRUE;
                    }
                }
            }
            CloseHandle(hMap);   // the mapped view remains valid after its handles are closed
        }
        CloseHandle(hFile);
    }
    return ok;
}
|
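Added example, not tombana's code or anything posted in this thread: a portable, bounds-checked C parser that does what DoPEStuff above does (read AddressOfEntryPoint) on a raw file image without windows.h, for both PE32 and PE32+, then maps the RVA to a file offset through the section table and reports whether an executable section covers it; an EP that no section covers is the check a defender runs when a binary's entry point has been redirected the way sponge's first bullet describes. The PE image it parses is constructed inline, and pe_entry_point, build_sample_pe and pe_ep_t are names chosen here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Little-endian field access: no struct packing or host-endianness assumptions. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
typedef struct { uint32_t ep_rva, ep_file_off; int in_exec_section; } pe_ep_t;

/* Reads AddressOfEntryPoint from a PE32/PE32+ file image and maps it through the section table.
 * Returns 0 if the EP lies inside a section, 1 if no section covers it, <0 if the headers are malformed. */
int pe_entry_point(const uint8_t *img, size_t len, pe_ep_t *out) {
    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;                  /* "MZ" */
    uint32_t pe = rd32(img + 0x3C);                                     /* e_lfanew */
    if (pe > len - 24 || rd32(img + pe) != 0x00004550) return -2;       /* "PE\0\0" */
    uint16_t nsec = rd16(img + pe + 6), optsz = rd16(img + pe + 20);    /* NumberOfSections, SizeOfOptionalHeader */
    const uint8_t *opt = img + pe + 24;
    if (optsz < 20 || pe + 24 + (size_t)optsz > len) return -3;
    uint16_t magic = rd16(opt);
    if (magic != 0x10B && magic != 0x20B) return -4;                    /* PE32 or PE32+ */
    out->ep_rva = rd32(opt + 16);        /* AddressOfEntryPoint is at +16 in both optional-header layouts */
    out->ep_file_off = 0; out->in_exec_section = 0;
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *sec = opt + optsz + 40u * i;                     /* IMAGE_SECTION_HEADER is 40 bytes */
        if ((size_t)(sec - img) + 40 > len) return -5;
        uint32_t vsize = rd32(sec + 8), va = rd32(sec + 12), rawsz = rd32(sec + 16);
        uint32_t rawoff = rd32(sec + 20), flags = rd32(sec + 36);
        uint32_t span = vsize > rawsz ? vsize : rawsz;
        if (out->ep_rva >= va && out->ep_rva - va < span) {
            out->ep_file_off = rawoff + (out->ep_rva - va);
            out->in_exec_section = (flags & 0x20000000u) != 0;         /* IMAGE_SCN_MEM_EXECUTE */
            return 0;
        }
    }
    return 1;   /* an EP outside every section is a classic sign of a tampered or packed file */
}

/* Constructed sample: a minimal PE32 image with one executable .text section (RVA 0x1000, raw offset 0x200). */
size_t build_sample_pe(uint8_t *buf, size_t cap, uint32_t ep_rva) {
    if (cap < 0x400) return 0; memset(buf, 0, cap);
    buf[0] = 'M'; buf[1] = 'Z'; wr32(buf + 0x3C, 0x80);
    uint8_t *pe = buf + 0x80, *opt = pe + 24, *sec = opt + 224;
    memcpy(pe, "PE\0\0", 4); wr16(pe + 6, 1); wr16(pe + 20, 224);       /* 1 section, PE32 optional header */
    wr16(opt, 0x10B); wr32(opt + 16, ep_rva);
    memcpy(sec, ".text", 5); wr32(sec + 8, 0x100); wr32(sec + 12, 0x1000);
    wr32(sec + 16, 0x200); wr32(sec + 20, 0x200); wr32(sec + 36, 0x60000020u);
    return 0x400;   /* size of the constructed image */
}
```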
Overload (Master Cheater)
Posted: Thu Mar 05, 2009 10:16 am
Awesome! Thanks tombana
Overload (Master Cheater)
Posted: Thu Mar 05, 2009 7:01 pm
Awesome, thank you so much Irwin. Answered all of my questions.
Would you mind if I add you on MSN?
nwongfeiying (Grandmaster Cheater)
Reputation: 2 | Joined: 25 Jun 2007 | Posts: 695
Posted: Thu Mar 05, 2009 7:53 pm
It's the old-school Batman symbol.
BanMe (Master Cheater)
Reputation: 0 | Joined: 29 Nov 2005 | Posts: 375 | Location: Farmington NH, USA
Posted: Thu Mar 05, 2009 8:05 pm
Yea, to get it at runtime you could get it from the PEB..
very simply, without API.. ;p
sad.. to do it that way when you could do it on all OS's with the proper code
PEB to PEB_LDR_DATA to LDR_MODULE; LDR_MODULE[0] = exe.. you can and should do a string check for ".exe"
Code: |
; 32-bit process, NASM syntax: PEB -> Ldr -> InLoadOrderModuleList, whose first entry is the .exe itself
get_exe_entry_point:
    mov eax, [fs:0x30]      ; TEB+0x30 = PEB (XP / NT)
    mov eax, [eax+0x0C]     ; PEB->Ldr (PEB_LDR_DATA)
    mov eax, [eax+0x0C]     ; Ldr->InLoadOrderModuleList.Flink = first LDR_MODULE (the .exe)
    mov eax, [eax+0x1C]     ; LDR_MODULE->EntryPoint (+0x18 is the image base)
    ret
; PEB FOR VISTA...
; ..coming soon..
|
BanMe (Master Cheater)
Posted: Fri Mar 06, 2009 10:51 am
Aww, cause I didn't build it into a cute wil macro.. ;p
stfu..
Maybe you would like me to build one that uses offsets based on OS version.. maybe you would like me to make it have SEH... bah, fuck that shit.. waste of time and code.. you want it, fine, you do it. Here's how.. ;p
If you want a PEB module enumerator without API for your OS.. simply find LdrEnumerateLoadedModules and dump it.. ok, I've done that, now what, you say..
Well, let's look for the disgusting and stupid code.. that hurts you so badly.. ;p
And zomg i founds its... hmm can u sees IT.. ill highlightz it for you..
It's NtCurrentTeb()->PPEB->LDR_DATA[0].LDR_MODULE
Code: |
********************************************
7C9219C5 . 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
7C9219CB . 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30]
7C9219CE . 8B70 0C MOV ESI,DWORD PTR DS:[EAX+C]
7C9219D1 . 83C6 0C ADD ESI,0C
7C9219D4 . 8B3E MOV EDI,DWORD PTR DS:[ESI]
********************************************
|
OMGZ i foundz almost the same code as mine in ntdll.. hmm, I wonder if I can find more... wow, I guess Microsoft uses the PEB and TEB in almost every function... that's strange... and poor lil me can't use it to avoid nasty lil APIs that you cling to like some barrier... what's the matter, can't code your own...
ooo ooo ooo wait wait wait I'm not done yet..
I suppose you think I don't use LdrLockLoaderLock and that's why it's disgusting and stupid... but then you would be wrong.. and I can just laugh at the stupidity of your comment.. though I highly value your code and your right to make a comment.. but at this juncture I feel that you can take your comment and stick it and your code up your ass..
Regards, BanMe
BanMe (Master Cheater)
Posted: Fri Mar 06, 2009 12:48 pm
Aww, that's so nice of you to bring up such an excellent argument as to why we should shy away from internal structures... that's an excellent idea.. let's just stop using APIs altogether, seeing how they use internal structures they must be bad and "unsupported"... or EVEN WORSE, deprecated in the "HEADER" files to support a falling security system (Vista failz, I'm sorry..)... excellent, I'm on board, how 'bout you?
Maybe you should try using the new "macros" provided.. to do the required task.. and what did you say about x64 support.. I'm sorry, my eyes seem to block out stupid..
http://msdn.microsoft.com/en-us/library/bb332189.aspx
Here's that (coded by pnluck) on www.OpenRCE.org:
Code: |
#include <windows.h>
#include <intrin.h>   // __readgsqword: this is the 64-bit version, build it as x64
#include <tchar.h>

// Minimal layouts of the undocumented loader structures the snippet relies on;
// only the fields used here are named, and the offsets are those of 64-bit Windows.
typedef struct _PEB_LDR_DATA {
    BYTE       Reserved[0x10];                   // Length, Initialized, SsHandle
    LIST_ENTRY InLoadOrderModuleList;            // +0x10
} PEB_LDR_DATA;
typedef struct _LDR_MODULE {
    LIST_ENTRY InLoadOrderModuleList;            // +0x00
    LIST_ENTRY InMemoryOrderModuleList;          // +0x10
    LIST_ENTRY InInitializationOrderModuleList;  // +0x20
    PVOID      BaseAddress;                      // +0x30
    PVOID      EntryPoint;                       // +0x38
    ULONG      SizeOfImage;                      // +0x40
    struct { USHORT Length, MaximumLength; PWSTR Buffer; } FullDllName, BaseDllName;  // UNICODE_STRINGs at +0x48 / +0x58
} LDR_MODULE;

void ListDll()
{
    PEB_LDR_DATA* ldr_data;
    LDR_MODULE *module;
    ULONG_PTR *PEB;
    __try
    {
        // gs:[0x30] = TEB, TEB+0x60 = PEB, PEB+0x18 = Ldr
        PEB = (ULONG_PTR *) (*(ULONG_PTR *) ( (ULONG_PTR) __readgsqword(0x30) + 0x60 ));
        ldr_data = (PEB_LDR_DATA*) (*(ULONG_PTR *)((ULONG_PTR)PEB + 0x18));
        module = (LDR_MODULE*)ldr_data->InLoadOrderModuleList.Flink;
        // now list every DLL present (wrapping back round to the list head reads as BaseAddress == 0)
        while(module->BaseAddress != 0)
        {
            _tprintf(TEXT("%p \t %ls\n"), module->BaseAddress, module->BaseDllName.Buffer);
            module = (LDR_MODULE*)module->InLoadOrderModuleList.Flink;
        }
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        return;
    }
}
|
Oh, and I suppose you don't go to milw0rm.com and read shellcodes
for fun and knowledge, but here's a nice one that support(s) 98 up to XP
http://www.milw0rm.com/shellcode/747
and it was coded in 2005, but that doesn't matter..
What does matter is your conformance nonsense when you are on a forum for a tool that uses these same undocumented methods and structures to perform tasks.. and yet you, in all your "glory", promote the use of documented methods and procedure... let's all just obey and stop digging into OS structures and internals when they provide a better method and are accessible in most systems.. so maybe asm isn't the 'supported' method of coding in VC++ 8.0, I don't care man.. use the new macros... at least you still have a base to work off of..
..in closing, everybody just follow blindly the teachings and words of Microsoft.. let them document and secure their own shit, they won't hide anything important from you.. I swear... do it now or you won't get a cookie later..
Regards, BanMe
Last edited by BanMe on Fri Mar 06, 2009 1:16 pm; edited 1 time in total
DeletedUser14087 (I post too much)
Reputation: 2 | Joined: 21 Jun 2006 | Posts: 3069
Posted: Fri Mar 06, 2009 2:21 pm
God damn, Irwin, instead of fucking "owning" BanMe (he's a nice person) teach him the stuff he didn't know instead of screaming at him like that. Do you know that when he reads it he'll probably feel offended and it will make him want to leave? Is that what you want? Now I bet while you're reading this you're thinking in your head "I'm gonna fucking kill you Rot1" and you're about to move the mouse cursor to the "Quote" button and start tapping on the keyboard like a son of a ****.
Flyte (Peanuts!!!!)
Reputation: 6 | Joined: 19 Apr 2006 | Posts: 1887 | Location: Canada
Posted: Fri Mar 06, 2009 2:43 pm
Rot1 wrote:
God damn, Irwin, instead of fucking "owning" BanMe (he's a nice person) teach him the stuff he didn't know instead of screaming at him like that. Do you know that when he reads it he'll probably feel offended and it will make him want to leave? Is that what you want? Now I bet while you're reading this you're thinking in your head "I'm gonna fucking kill you Rot1" and you're about to move the mouse cursor to the "Quote" button and start tapping on the keyboard like a son of a ****.

Your coding prowess matches that of your text formatting abilities. One would wonder if you actually try hard at being retarded. Though, of course, everyone remembers that you do, indeed, have about as much intelligence as a used condom. Being this forum's bitch is your job. You learned it slow, and now, you know it by heart!
I'm still wondering whether or not you should be thrown away though.