EXETOOLS FORUM  
  #1  
Old 10-02-2006, 12:28
Android
How to execute a snippet of code before the main execution!

Hi,
I just want to know if there is a way to execute a snippet of code before the Windows loader tries to load the image of the code section into memory and uses the address of EIP to execute the main program.
If so, let me know how you would do this, whether by sharing some source code or giving some explanation.

Also, if it's not possible, share some points about how to run a thread before running the main thread, which is strictly attached to the main process.

Also let me know which option of the assembly linker should be used to add a checksum in the PE file header.


Thanks.
Android.
  #2  
Old 10-02-2006, 16:04
giga
Hi Android, can you explain what exactly you need? I mean, I am a little bit confused.
You cannot do something before it's loaded into memory, but I think that you can write a loader that loads the thread in suspended mode, patches some bytes, dwords etc., and afterwards just resumes the thread.
But you can also, I think, copy the executed code into a buffer and then emulate or execute the part that you want.

You can also use wait for input handle etc.

I uploaded a part from the win32hlp file:
hxxp://rapidshare.de/files/35189691/part.txt.html

Try to create it in Suspended_Mode and then just ResumeThread.
I hope that this is the right answer for your question.

best regards
  #3  
Old 10-02-2006, 17:52
MarkusO
Before trying to hack your OS by modifying some kernel parts to jump somewhere else, you should try the second idea you thought of. (I assume you only used the wrong words and you don't want to execute something before Windows loads the executable into memory)

Just create the process with CREATE_SUSPENDED, which will prevent it from running. Then do whatever you want to do with it, either from your loader process or with CreateRemoteThread. Then you can resume the process.
  #4  
Old 10-02-2006, 20:23
Archer
Take a look at the TLS callback, used in Execryptor and some crackmes, maybe this trick can help.
  #5  
Old 10-02-2006, 22:46
Shub-Nigurrath
The TLS is meant for this.

Try the attached example code (C++).

Anyway, consider that the TLS is not the only option; the same result is obtained by putting your code into the DllMain of a DLL added to the import table. The DLL is loaded by the system loader and the import table resolved. The DllMain of each DLL is called at this stage.

This latter approach requires an external DLL anyway, but a solution to this is to add an export to your own program and add itself to the export table, making a circular reference to itself.
Attached Files
File Type: zip tlscallback.zip (25.1 KB, 45 views)
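The TLS callback mechanism Archer and Shub-Nigurrath point to is also what an analyst looks for when a binary runs code before its entry point (packers such as the one named above use it). The following is an added example, not code from the thread or from the attached zip: a Python parser that walks a PE32 image's TLS data directory, follows `AddressOfCallBacks` through the section table and lists the registered callback VAs. It runs against a constructed minimal image; the `.tls` section, its addresses and the callback values are all invented for the demo.

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9  # index of the TLS entry in the optional header's data directory

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (not a real program): one .tls section, two TLS callbacks."""
    img = bytearray(0x400)
    struct.pack_into("<2s58xI", img, 0, b"MZ", 0x80)                  # DOS header, e_lfanew = 0x80
    struct.pack_into("<4sHHIIIHH", img, 0x80, b"PE\0\0", 0x14C, 1, 0, 0, 0, 224, 0x102)  # COFF hdr
    opt = 0x98
    struct.pack_into("<H26xI60xI", img, opt, 0x10B, 0x400000, 16)     # Magic, ImageBase, NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, 0x1000, 24)  # TLS dir entry
    struct.pack_into("<8sIIII", img, opt + 224, b".tls", 0x200, 0x1000, 0x200, 0x200)  # section header
    # IMAGE_TLS_DIRECTORY32 at RVA 0x1000; AddressOfCallBacks is a VA (ImageBase + RVA 0x1040)
    struct.pack_into("<IIIIII", img, 0x200, 0x401100, 0x401104, 0x401108, 0x401040, 0, 0)
    struct.pack_into("<III", img, 0x240, 0x401100, 0x401200, 0)       # null-terminated callback list
    return bytes(img)

def tls_callbacks(data: bytes) -> list:
    """Return the callback VAs a PE32 image registers in its TLS directory ([] if none)."""
    pe, = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", data, pe + 6)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here (PE32+ lays out ImageBase differently)")
    image_base, = struct.unpack_from("<I", data, opt + 28)
    ndirs, = struct.unpack_from("<I", data, opt + 92)
    if ndirs <= IMAGE_DIRECTORY_ENTRY_TLS:
        return []
    tls_rva, = struct.unpack_from("<I", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    if tls_rva == 0:
        return []
    # Map RVAs to file offsets through the section table, which follows the optional header.
    secs = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def rva_to_off(rva):
        for vsize, va, rawsize, rawptr in secs:
            if va <= rva < va + max(vsize, rawsize):
                return rawptr + (rva - va)
        raise ValueError(f"RVA {rva:#x} is outside every section")
    cb_va, = struct.unpack_from("<I", data, rva_to_off(tls_rva) + 12)  # AddressOfCallBacks field
    if cb_va == 0:
        return []
    off, found = rva_to_off(cb_va - image_base), []
    while (va := struct.unpack_from("<I", data, off)[0]) != 0:
        found.append(va)
        off += 4
    return found
```

A non-empty result means code at those addresses runs before the entry point and before any breakpoint placed there, which is why a debugger session that "never reaches" a suspicious instruction is worth re-checking against this list.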
  #6  
Old 10-02-2006, 23:37
Vrane
If you need it, here's a TLS callback in asm.
Attached Files
File Type: rar TLS-CallBack in asm.rar (1.9 KB, 45 views)
  #7  
Old 10-03-2006, 06:08
ricnar456
If the program has DLLs of its own, the OEP of each DLL is executed before the program reaches the entry point, so you can inject some routine into the DLL a few lines after the OEP of the DLL.

Ricardo
  #8  
Old 10-03-2006, 22:23
Android
Hi,
Thanks all for your help and responses.
I don't know C++, so I can't understand it.
About the asm code, it seems that I need some special info about PE files.
Can anybody share this specific info with me?
Thanks in advance.
Regards,
Android.
  #9  
Old 10-04-2006, 01:22
MarkusO
You don't need any special info about PE files. You just need to read the source code, since it clearly says what you need to do in order to use TLS callbacks (it even lists the tools you can use).