[ C ] Entry Point Hook

This was an idea that I used in the Rootkit idea below, when I was thinking of ways of executing a hidden application at start-up and this is what I came up with:

[ .rar ] Project files
[ C – Source ] PEInfect

This works by finding null space within the program that is of sufficient size for our payload code.
It then copies the payload into this space, locates the PE structure, saves the entry point address and changes this address
to the base address of our code. A “jmp” instruction in our payload code is then placed at the end to return to the normal program entry point. Our payload simply contains crude (0x00) shellcode which calls WinExec() for us.
Any version specific API address’s, and WinExec() arguments are also inserted in the ModifyPayload() function.
As the victim file is mapped with write flags, changes made to victim files are permanent.

Unmodified program shown in PE Explorer.

Unmodified programs entry point shown in ollydbg

Our payload:

Modified program shown in PE Explorer:

Modified programs entry point shown in ollydbg:


~ by Rhys Mossom on January 30, 2009.

2 Responses to “[ C ] Entry Point Hook”

  1. This isn’t bad and well structured code but this is not a real PE INFECTOR. It just insert winexec “whateverexe” to the program flow. It would be nice if you could modify this to be a pe appender code which able to append itself to the end of the executables and do something similar.
    Of course then it’s not enough to insert a single instruction like WinExec in this case.
    Also there will be problems with selfextractors, checksum, timedate, reinfection, verinfo record, icon etc.

    Your code is picked up by 2 antiviruses as well.

  2. The code was more intended as an idea rather than a fully functional application. What you’re suggesting could be fairly easily by using the same idea. Anyone who this code is going to mean anything to, like yourself, will be able to intelligently expand upon it to suit your own needs. This website and collection of source-code was never intended for anything else.

    This source code is fairly dated now (1.2+ years?). At the time Im pretty sure that it was not detected. The code I wrote this for (the rootkit) was not detected at the stage I left it at (yet again, ideas, rather than completed code).

    As I have been out of programming since roughly this post, to mainly pursue my flying career, I have no idea how any of the OS’s differ from what I was, and still am using, Win XP sp3.

    Thanks for your post though, nice to know that at least it gets some reasonable attention from someone who knows something. Constructive criticism goes along way.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: