Today a smart colleague of mine raised an interesting question. In order to hijack execution at the beginning of a PE32 executable… why don’t we just change the EntryPoint?
I assumed there would be problems, since this is quite an important PE header and there might be dependencies (it could be used later on in the program or it could be referenced somewhere else, etc.).
Anyway, he had a point and I decided to check it out. After consulting the amazing Corkami PE documentation it was clear that the specification leaves some room to do *crazy shit* with this parameter.
So I rolled up my sleeves and tinkered a bit with putty.exe, changing the EntryPoint in the PE32 header and redirecting execution to a shellcode that pops a MessageBox with the text “pwnd :)”.
I know. Not thrilling at all but hey, it’s a proof of concept :P
In the screenshot below you can see how after being loaded in Immunity Debugger, it stops execution at the EntryPoint, which now points to our little shellcode. After this gets executed, the flow is redirected to the “original” EntryPoint and everything looks fine :)
This has the advantage that there aren’t any funny JMP instructions at the beginning of the code and therefore it could fool some heuristic-based antivirus products.
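A check a defender can run for exactly this kind of tampering, as an added example that is not part of the original post: it parses the PE32 header with the standard library only, locates the section that contains AddressOfEntryPoint, and flags an entry point that lies in a non-executable or non-code section, outside every section, or in a code section other than the first one. The `build_pe` helper and `LAYOUT` are constructed synthetic headers for the demonstration, not bytes from putty.exe.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000

def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, va, vsize, characteristics), ...]) for a PE32 image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", data, e_lfanew + 6)[0], struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                   # optional header follows the 20-byte COFF header
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (RVA)
    sections, off = [], opt + opt_size                    # section table follows the optional header
    for _ in range(nsec):
        name, vsize, va = struct.unpack_from("<8sII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode(), va, vsize, chars))
        off += 40
    return entry, sections

def check_entry_point(data):
    """Return a list of findings; an empty list means the entry point looks conventional."""
    entry, sections = parse_pe(data)
    home = next(((n, c) for n, va, vs, c in sections if va <= entry < va + vs), None)
    if home is None:
        return ["entry point RVA 0x%x lies outside every section" % entry]
    name, chars = home
    findings = []
    if not chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry point in non-executable section %r" % name)
    if not chars & IMAGE_SCN_CNT_CODE:
        findings.append("entry point in section %r not marked as code" % name)
    first_code = next((n for n, _, _, c in sections if c & IMAGE_SCN_CNT_CODE), None)
    if first_code is not None and first_code != name:
        findings.append("entry point in %r, not in first code section %r" % (name, first_code))
    return findings

def build_pe(entry_rva, sections):
    """Constructed minimal PE32 header: DOS header, COFF header, 224-byte optional header, section table."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                                  # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva) + b"\0" * 204
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, vs, 0, 0, 0, 0, 0, c)
                     for n, va, vs, c in sections)
    return dos + coff + opt + table

# Constructed layout resembling a normal executable: code first, then data and resources.
LAYOUT = [(".text", 0x1000, 0x5000, 0x60000020), (".data", 0x6000, 0x1000, 0xC0000040),
          (".rsrc", 0x7000, 0x2000, 0x40000040)]
```

`check_entry_point(build_pe(0x1234, LAYOUT))` returns no findings, while moving the entry RVA into `.data`, past the last section, or into an appended code section each produces a finding.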
The modified putty.exe is here (Windows XP SP3 only, since I have hardcoded some addresses :-/)
Neat, isn’t it?