Application entry point



  • The entry point(s) of the main file (*.exe)/module of a third-party application: how do you find it? Is it possible without an injection?




  • http://emanual.ru/download/1298.html

    At the very beginning of the exe file there is an MZ header, in which we can find the offset of the start of the PE header. The PE header has a field 'Entry point RVA'; that is the address of the entry point.

    UPD. More precisely, RVA is a relative virtual address. To get the address of the entry point, we need to add the value of 'Entry point RVA' to the 'Image Base' field.

    UPD. 2 In short, as I understand it, the question about "the entry point" is really about the ImageBase field, which is usually (possibly always) equal to 0x4000. How an exe file can load itself at some "random" address is not clear yet.

    UPD. 3 and last: WinXP was not able to load an exe at an arbitrary base address; Win7 can (most likely Vista and Win8 too), provided that a relocation table is present in the exe file. You have to start the program and somehow find out the base load address. With an injection or without, I can't say, because this area is not familiar to me.
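The header walk described in the answer above, as an added example that is not part of the original post: it reads the MZ header, follows the offset to the PE header, and returns the entry point RVA, ImageBase and whether a relocation table is present. The function names and the sample header (built by `build_sample` with constructed values) are assumptions made for this illustration.

```python
import struct

def parse_entry_point(data: bytes) -> dict:
    """Read entry point RVA, ImageBase and relocation info from PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    opt = coff + 20  # optional header follows the 20-byte COFF header
    (file_chars,) = struct.unpack_from("<H", data, coff + 18)
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    if magic == 0x10B:    # PE32: 32-bit ImageBase
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
        dirs = opt + 96
    elif magic == 0x20B:  # PE32+: 64-bit ImageBase
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic")
    (num_dirs,) = struct.unpack_from("<I", data, dirs - 4)
    # Data directory 5 is the base relocation table: (RVA, size).
    reloc_size = struct.unpack_from("<II", data, dirs + 5 * 8)[1] if num_dirs > 5 else 0
    return {
        "entry_rva": entry_rva,
        "image_base": image_base,
        "preferred_entry_va": image_base + entry_rva,
        # 0x0001 = IMAGE_FILE_RELOCS_STRIPPED; without relocations no rebasing
        "relocatable": reloc_size > 0 and not file_chars & 0x0001,
    }

def entry_va_at(actual_base: int, info: dict) -> int:
    # Entry point address once the real load base of the running image is known.
    return actual_base + info["entry_rva"]

def build_sample(image_base: int, entry_rva: int, reloc_size: int) -> bytes:
    """Constructed minimal PE32 header with only the fields the parser reads."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", buf, opt, 0x10B)
    struct.pack_into("<I", buf, opt + 16, entry_rva)
    struct.pack_into("<I", buf, opt + 28, image_base)
    struct.pack_into("<I", buf, opt + 92, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, opt + 96 + 5 * 8, 0x3000, reloc_size)
    return bytes(buf)
```

The value in `preferred_entry_va` only holds if the image is loaded at its ImageBase; when the image is rebased, the load base has to be obtained from the running process and passed to `entry_va_at`.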

