Writes a new entry point for a target executable using Keystone as the assembler.
Why does this exist
I found it difficult to find a portable executable patcher that handles a random base address and doesn't use inline assembly for the copied instructions. It was also difficult to find a patcher that does not store compiled x86 or x86-64 machine code in the source.
Creates a new section marked as executable. The program's entry point is modified to the new section's virtual address. A new entry point is assembled with the original entry point (oep) using Keystone. Consideration is given to address space layout randomisation (ASLR) when resolving the base address.
Two approaches for ASLR base address:
- Using the PEB (gs[60h]) -> loader data structure -> base address + oep. Based on this post.
- Add new entries to the relocation table.
The newly added section's code jumps to the original oep, allowing normal execution of the program.
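The relocation-table approach above, as an added example that is not part of this project's code: for a 64-bit image it hand-encodes the new entry stub (mov rax, imm64 ; jmp rax) with Python's struct module instead of assembling it with Keystone, builds the IMAGE_BASE_RELOCATION block that marks the stub's 64-bit immediate as IMAGE_REL_BASED_DIR64, and simulates the loader's fixup to check that the stub still lands on the oep after the image is rebased. The image base, oep RVA, section RVA and load address are constructed sample values.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skipped by the loader
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address to fix up

def build_stub(image_base: int, oep_rva: int) -> tuple[bytes, int]:
    """New entry point: mov rax, <image_base + oep> ; jmp rax. Returns (bytes, offset of imm64)."""
    stub = b"\x48\xb8" + struct.pack("<Q", image_base + oep_rva) + b"\xff\xe0"
    return stub, 2  # imm64 sits right after the 2-byte opcode 48 B8

def build_reloc_block(page_rva: int, page_offsets: list[int]) -> bytes:
    """IMAGE_BASE_RELOCATION: VirtualAddress, SizeOfBlock, then 16-bit entries
    (type in the top 4 bits, offset within the 4 KiB page in the low 12)."""
    entries = [(IMAGE_REL_BASED_DIR64 << 12) | off for off in page_offsets]
    if len(entries) % 2:  # keep SizeOfBlock a multiple of 4
        entries.append(IMAGE_REL_BASED_ABSOLUTE << 12)
    body = b"".join(struct.pack("<H", e) for e in entries)
    return struct.pack("<II", page_rva, 8 + len(body)) + body

def reloc_for_stub(section_rva: int, imm_offset: int) -> bytes:
    """Relocation block covering the stub's absolute target address."""
    rva = section_rva + imm_offset
    return build_reloc_block(rva & ~0xFFF, [rva & 0xFFF])

def apply_relocs(section: bytearray, section_rva: int, block: bytes, delta: int) -> int:
    """Simulate the loader: add delta (actual base - preferred base) to every
    DIR64 slot the block describes. Returns the number of fixups applied."""
    page_rva, size = struct.unpack_from("<II", block, 0)
    fixups = 0
    for pos in range(8, size, 2):
        (entry,) = struct.unpack_from("<H", block, pos)
        typ, off = entry >> 12, entry & 0xFFF
        if typ == IMAGE_REL_BASED_ABSOLUTE:
            continue
        if typ != IMAGE_REL_BASED_DIR64:
            raise ValueError(f"unsupported relocation type {typ}")
        idx = page_rva + off - section_rva
        (val,) = struct.unpack_from("<Q", section, idx)
        struct.pack_into("<Q", section, idx, (val + delta) & 0xFFFFFFFFFFFFFFFF)
        fixups += 1
    return fixups

def rebased_target(image_base: int, oep_rva: int, section_rva: int, actual_base: int) -> int:
    """Build stub + relocation, pretend the image was loaded at actual_base, return where the stub jumps."""
    stub, imm_off = build_stub(image_base, oep_rva)
    section = bytearray(stub)
    apply_relocs(section, section_rva, reloc_for_stub(section_rva, imm_off), actual_base - image_base)
    return struct.unpack_from("<Q", section, imm_off)[0]
```

The returned relocation block is what gets appended to the image's .reloc data (and counted in the data directory size) so that the Windows loader, not the stub, handles the ASLR delta.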
How to compile
- Ensure that you have CMake installed.
- A directory called "build" will be created that contains the compiled program.