[ C ] Entry Point Hook
This is an idea I used in the Rootkit idea below. I was looking for ways of executing a hidden application at start-up, and this is what I came up with:
It works by finding null space within the program that is large enough to hold our payload code.
It then copies the payload into this space, locates the PE header, saves the original entry point address and changes that entry point
to the address of our code. A "jmp" instruction placed at the end of the payload returns to the normal program entry point. The payload itself is crude (0x00) shellcode that calls WinExec() for us.
Any version-specific API addresses and the WinExec() arguments are also inserted by the ModifyPayload() function.
Because the victim file is mapped with write flags, the changes made to it are permanent.
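The modification just described leaves a tell-tale in the PE header: AddressOfEntryPoint now lands in what used to be padding rather than at the start of the linker-emitted code. As an added example, not the author's tool, the following Python scanner parses the PE headers and flags an entry point that falls in a non-executable section, lies past the section's VirtualSize (in the file-alignment slack), or is preceded by a run of null bytes; `build_sample()` is a constructed one-section PE32 fixture, and the 90% null threshold and 64-byte window are assumed heuristics.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000

def parse_pe(data):
    """Return (AddressOfEntryPoint, section list) from a PE32/PE32+ image."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                        # optional header follows the COFF header
    entry, = struct.unpack_from("<I", data, opt + 16)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i          # section headers follow the optional header
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append((name.rstrip(b"\0").decode(), vsize, va, rawsize, rawptr, chars))
    return entry, sections

def check_entry_point(data, window=64):
    """Heuristic flags for an entry point redirected into a null-padded cave."""
    entry, sections = parse_pe(data)
    for name, vsize, va, rawsize, rawptr, chars in sections:
        if not va <= entry < va + max(vsize, rawsize):
            continue
        flags = []
        if not chars & IMAGE_SCN_MEM_EXECUTE:
            flags.append("non-exec-section")     # entry in a section never meant to run
        if entry >= va + vsize:
            flags.append("beyond-virtual-size")  # entry in the file-alignment slack
        file_off = rawptr + (entry - va)
        before = data[max(rawptr, file_off - window):file_off]
        if before and before.count(0) / len(before) > 0.9:
            flags.append("null-neighbourhood")   # real code is rarely preceded by a run of zeros
        return flags
    return ["outside-sections"]

def build_sample(entry_rva):
    """Constructed single-section PE32 fixture: 0x100 bytes of code, then 0x100 null bytes."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)              # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0x100, 0, 0, entry_rva).ljust(224, b"\0")
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    header = (dos + coff + opt + sec).ljust(0x200, b"\0")
    code = bytes(range(1, 256)) + b"\xC3"                          # non-zero stand-in for code
    return header + code + b"\0" * 0x100

if __name__ == "__main__":
    print("clean :", check_entry_point(build_sample(0x1000)))     # []
    print("hooked:", check_entry_point(build_sample(0x1180)))     # ['beyond-virtual-size', 'null-neighbourhood']
```

On a real binary, read the file with `open(path, "rb").read()` and pass it to `check_entry_point()`; a packed or self-modifying executable can also trip these heuristics, so treat a hit as a prompt to inspect the entry code in a debugger, not as proof of infection.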
Unmodified program shown in PE Explorer:
Unmodified program's entry point shown in OllyDbg:
Modified program shown in PE Explorer:
Modified program's entry point shown in OllyDbg: