pe_ep_intercept

Writes a new entry point for a target executable using Keystone as the assembler.

Why does this exist

I found it difficult to find a portable executable patcher that handles a randomised base address (ASLR) and does not rely on inline assembly for the copied instructions. It was also difficult to find a patcher that does not store pre-compiled x86 or x86-64 machine code in its source.

Details

Creates a new section marked as executable. The program's entry point is changed to the new section's virtual address. A new entry point stub that refers to the original entry point (OEP) is assembled at run time with Keystone. Because the image base can be randomised by address space layout randomisation (ASLR), the stub has to resolve the base address instead of assuming a fixed one.

Two approaches for ASLR base address:

  1. Read the PEB (fs:[30h] on x86, gs:[60h] on x86-64) -> loader data structure -> image base address, then add the OEP. Based on this post.
  2. Add new entries to the relocation table so the loader fixes up the absolute address in the stub.

The code in the newly added section then jumps to the OEP, so the program continues to execute normally.
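The patch described above leaves a recognisable trace in the PE headers: the entry point moves out of the original code section into an appended executable section, and whether the image opts into ASLR (DllCharacteristics DYNAMIC_BASE) decides whether one of the two base-address approaches is needed at all. The following added example, which is not code from the pe_ep_intercept project, parses those headers and reports such traits; the sample PE images are constructed in-line (headers only, no real code), and the section-name check is a weak heuristic since a patcher may name the section anything. The relocation-table approach (option 2) is not inspected here.

```python
import struct

# Section characteristic flags and the DllCharacteristics bit from the PE/COFF spec.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opts into ASLR

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
CODE_SECTION = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ


def build_sample_pe(entry_rva, extra_sections=()):
    """Constructed sample: PE32+ headers only (no real code) with a .text section plus
    any extra (name, virtual_address, size, raw_offset, characteristics) entries."""
    sections = [(b".text", 0x1000, 0x200, 0x400, CODE_SECTION), *extra_sections]
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                     # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)                    # Magic: PE32+
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)             # ImageBase (preferred)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)          # Section/File alignment
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    headers = b"".join(
        SECTION_HEADER.pack(name.ljust(8, b"\0"), size, va, size, raw, 0, 0, 0, 0, chars)
        for name, va, size, raw, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers


def parse_headers(data):
    """Return (entry_rva, dll_characteristics, [section dicts]) from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):                          # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # AddressOfEntryPoint and DllCharacteristics sit at the same offsets in both formats.
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    dll_chars = struct.unpack_from("<H", data, opt_off + 70)[0]
    sections = []
    for i in range(num_sections):
        fields = SECTION_HEADER.unpack_from(data, opt_off + opt_size + 40 * i)
        sections.append({
            "name": fields[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": fields[1], "va": fields[2],
            "raw_size": fields[3], "characteristics": fields[9],
        })
    return entry_rva, dll_chars, sections


def analyze_entry_point(data):
    """Locate the entry point's section and report traits typical of an appended stub."""
    entry_rva, dll_chars, sections = parse_headers(data)
    report = {"entry_rva": entry_rva, "section": None,
              "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
              "findings": []}
    home = None
    for idx, sec in enumerate(sections):
        span = max(sec["virtual_size"], sec["raw_size"])
        if sec["va"] <= entry_rva < sec["va"] + span:
            home = idx
            break
    if home is None:
        report["findings"].append("entry point outside every section")
        return report
    sec = sections[home]
    report["section"] = sec["name"]
    if not sec["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
        report["findings"].append("entry section is not executable")
    if sec["characteristics"] & IMAGE_SCN_MEM_WRITE:
        report["findings"].append("entry section is writable")
    if len(sections) > 1 and home == len(sections) - 1:
        report["findings"].append("entry point in last section")
    if sec["name"] not in (".text", "CODE"):      # weak heuristic: names are free-form
        report["findings"].append("entry section has an unusual name")
    return report


if __name__ == "__main__":
    appended = [(b".patch", 0x2000, 0x100, 0x600, CODE_SECTION)]
    print(analyze_entry_point(build_sample_pe(0x1100)))
    print(analyze_entry_point(build_sample_pe(0x2000, appended)))
```

On a real file, read it in binary mode and pass the bytes to `analyze_entry_point`; an empty `findings` list with the entry in `.text` is the normal case, while an entry point in a trailing executable section with an unusual name is the pattern the patcher described above produces and is worth a closer look (legitimate packers and some compilers produce it too, so treat it as a triage signal rather than a verdict).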

How to compile

  1. Ensure that you have CMake installed.
  2. Execute run_build.sh.
  3. A directory called "build" will be created that contains the compiled program.

About

Experimental binary patching of executables with the Keystone library.
