Old 10-02-2006, 12:28
How to execute a snippet of code before the main execution!

I just want to know if there is a way to execute a snippet of code before the Windows loader tries to load the image of the code section into memory and use the address of EIP to execute the main program.
If so, let me know how you would do this, whether by sharing source code or giving some explanation.

Also, if it's not possible, share some points about how to run a thread before running the main thread which is strictly attached to the main process.

Also let me know which option with the assembly linker should be used to add a checksum in the PE file header.

Old 10-02-2006, 16:04
Hi Android, can you explain what exactly you need? I mean, I am a little bit confused.
You cannot do something before it's loaded into memory, but I think that you can use a loader
that loads the thread in suspended mode, patches some bytes, dwords, etc., and afterwards just resumes the thread.
But you can also, I think, copy the executed code into a buffer and then emulate or execute the part that you want.

You can also use wait for inputhandle etc...

I uploaded a part from the win32hlp file:

Try to create in Suspended_Mode and then just ResumeThread.
I hope that this is the right answer for your question.

best regards
Old 10-02-2006, 17:52
Before trying to hack your OS by modifying some kernel parts to jump somewhere else, you should try the second idea you thought of. (I assume you only used the wrong words and you don't want to execute something before Windows loads the executable into memory)

Just create the process with CREATE_SUSPENDED, which will prevent it from running. Then do whatever you want to do with it, either from your loader process or with CreateRemoteThread. Then you can resume the process.
Old 10-02-2006, 20:23
Archer
Take a look at the TLS callback, used in Execryptor and some crackmes, maybe this trick can help.
Old 10-02-2006, 22:46
Shub-Nigurrath
The TLS is meant for this.

Try the attached example code (C++).

Anyway, consider that the TLS is not the only option; the same result is obtained by putting your code into the DllMain of a DLL added to the import table. The DLL is loaded by the system loader and the import table resolved. The DllMain of each DLL is called at this stage.

This latter approach requires an external DLL anyway, but a solution to this is to add an export to your own program and add it to the export table, making a circular reference to itself.
Attached Files
File Type: zip tlscallback.zip (25.1 KB, 45 views)
Ŝħůb-Ňìĝùŕřaŧħ ₪)
There are only 10 types of people in the world: Those who understand binary, and those who don't
Old 10-02-2006, 23:37
Vrane
If you need it, here's a TLS callback in asm.
Attached Files
File Type: rar TLS-CallBack in asm.rar (1.9 KB, 45 views)
Old 10-03-2006, 06:08
ricnar456
If the program has DLLs of its own, the OEP of each DLL is executed before the program reaches the entry point, so you can inject some routine in the DLL some lines next to the OEP of the DLL.

Old 10-03-2006, 22:23
Thanks all for your help and responses.
I don't know C++ so I can't understand it.
About the asm code it seems that I need SO special info about PE files.
Can anybody share this specific info with me?
Thanks in advance.
Old 10-04-2006, 01:22
You don't need any special info about PE files. You just need to read the source code, since it clearly says what you need to do in order to use TLS callbacks. (it even lists the tools you can use)
Reply With Quote
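For anyone analysing a binary that may use the TLS callbacks mentioned in this thread, the following added example (not part of any post or of the attachments) reads the PE headers and lists the callback addresses that run before the entry point. The function names and the sample image are constructed for illustration; the parser handles both PE32 and PE32+.

```python
import struct

TLS_INDEX = 9  # IMAGE_DIRECTORY_ENTRY_TLS slot in the data directory array

def tls_callbacks(pe: bytes) -> list:
    """Return the TLS callback VAs recorded in a PE image ([] if none)."""
    u16 = lambda o: struct.unpack_from("<H", pe, o)[0]
    u32 = lambda o: struct.unpack_from("<I", pe, o)[0]
    nt = u32(0x3C)                                   # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = nt + 24                                    # optional header start
    pe64 = u16(opt) == 0x20B                         # PE32+ magic
    width, fmt = (8, "<Q") if pe64 else (4, "<I")
    ptr = lambda o: struct.unpack_from(fmt, pe, o)[0]
    image_base = ptr(opt + (24 if pe64 else 28))
    dirs = opt + (112 if pe64 else 96)               # data directory array
    if u32(dirs - 4) <= TLS_INDEX or u32(dirs + 8 * TLS_INDEX) == 0:
        return []                                    # no TLS directory
    first = opt + u16(nt + 20)                       # first section header
    secs = [struct.unpack_from("<4I", pe, first + 40 * i + 8)
            for i in range(u16(nt + 6))]
    def offset(rva):                                 # RVA -> file offset
        for vsize, va, rsize, raw in secs:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError("RVA %#x is outside every section" % rva)
    # AddressOfCallBacks: 4th pointer-sized field of the directory, a VA
    array_va = ptr(offset(u32(dirs + 8 * TLS_INDEX)) + 3 * width)
    found = []
    pos = offset(array_va - image_base) if array_va else None
    while pos is not None and ptr(pos):              # null-terminated array
        found.append(ptr(pos))
        pos += width
    return found

def sample_pe() -> bytes:
    """Constructed minimal PE32 header set: one section, two TLS callbacks."""
    img = bytearray(0x400)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    for fmt, off, vals in [
        ("<I", 0x3C, (0x40,)), ("<HH", 0x44, (0x14C, 1)), ("<H", 0x54, (0xE0,)),
        ("<H", 0x58, (0x10B,)), ("<I", 0x74, (0x400000,)), ("<I", 0xB4, (16,)),
        ("<II", 0x100, (0x1000, 24)),                   # TLS data directory
        ("<4I", 0x140, (0x200, 0x1000, 0x200, 0x200)),  # section header fields
        ("<I", 0x20C, (0x401020,)),                     # AddressOfCallBacks
        ("<3I", 0x220, (0x401100, 0x401180, 0)),        # callback array
    ]:
        struct.pack_into(fmt, img, off, *vals)
    return bytes(img)
```

A non-empty result means a debugger breakpoint at the entry point alone will miss code that has already run.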