Skip to content

Experimental binary patching on executables with the keystone library.

Notifications You must be signed in to change notification settings

raffclar/pe_ep_intercept

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

pe_ep_intercept

Build Status

Writes a new entry point for a target executable using Keystone as the assembler.

Table of Contents

Why does this exist

I found it difficult to find a portable executable patcher that handles a random base address and doesn't use inline assembly for the copied instructions. It was also difficult to find a patcher that does not store compiled x86 or x86-64 machine code in the source.

Details

Creates a new section marked as executable. The program's entry point is modified with the new section's virtual address. A new entry point is assembled with the original entry point (oep) using Keystone. Consideration is given with address space layout randomisation (ASLR) for the base address.

Two approaches for ASLR base address:

  1. Using the PEB (fs[30h] or gs[60h]) -> loader data structure -> base address + oep. Based on this post.
  2. Add new entries to relocation table.

The newly added section's code jumps to the original oep allowing normal execution of the program.

How to compile

  1. Ensure that you have Cmake installed.
  2. Execute run_build.sh.
  3. A directory called "build" will be created that contains the compiled program

About

Experimental binary patching on executables with the keystone library.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Languages