Hijacking EntryPoint for fun and…

Today a smart colleague of mine raised an interesting question. In order to hijack execution at the beginning of a PE32 executable… why don’t we just change the EntryPoint?

I assumed there would be problems, since this is quite an important PE header field and there might be dependencies (it could be used later on in the program, it could be referenced somewhere else, etc.).

Anyway, he had a point and I decided to check it out. After consulting the amazing Corkami PE documentation it was clear that the specification leaves some room to do *crazy shit* with this parameter.

So I rolled up my sleeves and tinkered a bit with putty.exe, changing the EntryPoint in the PE32 header and redirecting execution to a shellcode that pops a MessageBox with the text “pwnd :)”.

I know. Not thrilling at all but hey, it’s a proof of concept :P

In the screenshot below you can see how, after being loaded in Immunity Debugger, it stops execution at the EntryPoint, which now points to our little shellcode. After this gets executed, the flow is redirected to the “original” EntryPoint and everything looks fine :)

This has the advantage that there aren’t any funny JMP instructions at the original entry point, and therefore it could fool some heuristic-based antivirus products that only look at the first instructions of the code.
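The flip side of that observation is that the header itself gives a detection signal: a moved EntryPoint usually no longer lands where a compiler would put it. The following Python is an added example (not the blog author's code, and the PE layouts in it are constructed in memory rather than taken from the modified putty.exe) that parses a PE32 header with nothing but `struct` and triages AddressOfEntryPoint against the section table: is the entry RVA inside a section at all, is that section executable, writable, flagged as code, the first executable section, and does the RVA fall in the alignment slack past VirtualSize, which is where a code cave typically lives. The `build_pe()` helper only fabricates minimal headers so the check can run offline; replace it with `open(path, "rb").read()` on a real file.

```python
"""Heuristic triage of a PE32 AddressOfEntryPoint against the section table.

Constructed example: build_pe() fabricates minimal headers so the check runs
offline; it produces no real binary and is not the blog author's code.
"""
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(entry_rva, sections):
    """Fabricate a minimal PE32 header (constructed test data only).

    sections: list of (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics)
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0  # SizeOfOptionalHeader for PE32
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    # Optional header up to AddressOfEntryPoint (offset 16), zero-padded after it.
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva)
    opt += b"\0" * (size_opt - len(opt))
    table = b"".join(
        struct.pack(SECTION_HDR, name.ljust(8, b"\0"), vsize, va, rsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, rsize, chars in sections)
    return dos + b"PE\0\0" + coff + opt + table


def parse_pe(data):
    """Return (entry_rva, sections) from an in-memory PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsect, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections, pos = [], opt + size_opt
    for _ in range(nsect):
        name, vsize, va, rsize, *_rest, chars = struct.unpack_from(SECTION_HDR, data, pos)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rsize": rsize, "chars": chars})
        pos += struct.calcsize(SECTION_HDR)
    return entry_rva, sections


def check_entry_point(data):
    """Return a list of findings; an empty list means the entry point looks ordinary."""
    entry_rva, sections = parse_pe(data)
    home = None
    for s in sections:
        # A section occupies max(VirtualSize, SizeOfRawData) bytes of address space.
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rsize"]):
            home = s
            break
    if home is None:
        return ["entry point 0x%x lies outside every section" % entry_rva]
    name, chars = home["name"], home["chars"]
    findings = []
    if not chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %s is not executable" % name)
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %s is writable and executable" % name)
    if not chars & IMAGE_SCN_CNT_CODE:
        findings.append("entry section %s is not flagged as code" % name)
    first_exec = next((s for s in sections if s["chars"] & IMAGE_SCN_MEM_EXECUTE), None)
    if first_exec is not None and first_exec is not home:
        findings.append("entry point is in %s, not in the first executable section %s"
                        % (name, first_exec["name"]))
    if entry_rva - home["va"] >= home["vsize"]:
        findings.append("entry point sits in the alignment slack past VirtualSize of %s" % name)
    return findings


# Constructed samples: a normal layout, and one whose entry point was moved into
# the slack of a data section that was made executable, a typical cave layout.
TEXT = (b".text", 0x1000, 0x2F00, 0x3000,
        IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
DATA_RW = (b".data", 0x4000, 0x800, 0x1000,
           IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
DATA_RWX = DATA_RW[:4] + (DATA_RW[4] | IMAGE_SCN_MEM_EXECUTE,)

CLEAN_IMAGE = build_pe(0x1200, [TEXT, DATA_RW])
HIJACKED_IMAGE = build_pe(0x4F80, [TEXT, DATA_RWX])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("hijacked", HIJACKED_IMAGE)):
        print(label, check_entry_point(image) or ["no findings"])
```

Treat the findings as triage signals rather than verdicts: packers such as UPX legitimately set the entry point into their own stub section, and some toolchains emit writable code sections, so a hit means "look closer", not "malicious". Conversely a hijack that places the shellcode inside the existing .text slack and keeps the section flags untouched only trips the VirtualSize check, which is why this header view is best combined with comparing the entry point against the original file or its Authenticode signature.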

The modified putty.exe is here (Windows XP SP3 only, since I have hardcoded some addresses :-/)

Neat, isn’t it?
