Modifying PE executable files (3): patching PE files

Source: Internet
Author: User
-------- Patch PE files --------
We all know that PE files contain many gaps (the slack between the end of a section's real content and its file-aligned size), so we can patch PE files by inserting our own patch code into such a gap.
In the following example, I will show how to patch the notepad.exe (Notepad) program of win97 so that my pach.exe program runs whenever notepad.exe starts:
1. In the section gap of notepad.exe, insert a call to the API function ShellExecute (0, "open", "pach.exe", 5).
2. After it, add JMP old_begin to jump back to the original program entry point and execute the original code.
3. Modify the program entry point to the new entry point.
After these three steps the patch has been added to notepad.exe, and every time notepad.exe is executed,
the pach.exe program is executed first.
It sounds simple, but doing it is hard. Let's take a look at how it is done.
First, you must use debug.exe to modify the contents of the notepad.exe program.
That part is not hard by itself; what you do need is a way to analyze the structure of the PE file and its disassembled instructions.
dumppe.exe, a free program provided with the masm32 assembler, is powerful enough: it dumps both the PE format information and the disassembled code. It doesn't matter if you don't have this program; if you want it, download it from here:
Http://njhhack.top263.net/dumppe.zip
Of course, we also need a win97 operating system, because
we are going to patch its notepad.exe program.
After the preparations are complete, copy notepad.exe to C:\n.exe, and then to C:\n (debug.exe will not write a file with the .exe extension, so we work on the copy without an extension).
First we analyze the internal structure of n.exe: dumppe -disasm n.exe > n.txt
Now n.txt contains all the information we need. Of course, we are only interested in the following content:
------------------------------------------------
Address of entry point        00001000
------------------------------------------------
01 .text  Virtual address     00001000
          Virtual size        3a9b
------------------------------------------------
00402e20 ff1578734000   call dword ptr [shellexecutea]
------------------------------------------------
What do the above three parts mean?
1. Address of entry point 00001000
This says that the program's entry point is at RVA 1000. This is very important, because after our patch code has run we need to jump back to this entry point.
2. 01 .text Virtual address 00001000, Virtual size 3a9b
This says that the code section starts at RVA 1000 and its size is 3a9b. This is also important, because we know
the section is file-aligned to 200, and the current size 3a9b is less than 3c00 after alignment. Therefore we can
insert our own code here. The gap size is 3c00 - 3a9b = 165 (hex), which is enough.
3. 00402e20 ff1578734000 call dword ptr [shellexecutea]
This is a line of disassembled code. From it we know that the machine code of the call to shellexecutea is ff1578734000.
With these three important pieces of information, we start the hardest work:
======================================================================================================
1. Modify the code section size: change the value of virtual size from 3a9b to 3c00, so that
our code will be loaded into memory. Because the virtual size field is at file offset 180 (DEBUG loads the file at offset 100, so it appears at 280), we can do this:
Debug n
-F280 L2 0, 3C
-W
-Q
In this way, the size of the code section is changed.
2. Modify the program's entry address to 3a9d + 1000 = 4a9d. The method is as follows,
because the entry address field is at file offset A8 (1A8 in DEBUG):
Debug n
-F1a8 L2 9d, 4A
-W
-Q
In this way, we have modified the entry address.
3. The last step is the hardest: designing the assembly code. Cheer up!

-------------------------------------------------------------
Memory address   Machine code         Assembly instruction
-------------------------------------------------------------
00404a9d         6a05                 push 5
00404a9f         6a00                 push 0
00404aa1         6a00                 push 0
00404aa3         68e04b4000           push 404be0h
00404aa8         68f04b4000           push 404bf0h
00404aad         6a00                 push 0
00404aaf         ff1578734000         call dword ptr [shellexecutea]
00404ab5         e941010000           jmp loc_00404bfb

00404be0         6861636b2e657865     DB "pach.exe", 0
00404bf0         6f70656e             DB "open", 0
00404bfb         e900c4ffff           jmp loc_00401000
-------------------------------------------------------------
These are all the assembly instructions we need to write. It's not long, but you need to understand the principle behind it. Okay, let's analyze it.
The six instructions
Push 5
Push 0
Push 0
Push 404be0h
Push 404bf0h
Push 0
push six parameters onto the stack for use by the ShellExecute function. For the parameter layout of this function, see the description in win32.hlp.
Then call dword ptr [shellexecutea] calls the function; the effect is equivalent to the following C call:
ShellExecuteA (0, "open", "pach.exe", 0, 0, 5 );
That is, the parameter pushed first ends up as the rightmost argument of the function. Here "pach.exe" and "open" are passed as the memory addresses 404be0h and 404bf0h respectively,
because string parameters are passed to this function as the address of the string, so
00404be0 6861636b2e657865 DB "pach.exe", 0
00404bf0 6f70656e DB "open", 0
The above two lines define the two strings in memory.
00404ab5 e941010000 JMP loc_00404bfb
The above line jumps to address 00404bfb after the call returns, skipping over the string data.
00404bfb e900c4ffff JMP loc_00401000
This line jumps back to the original entry address 1000 and runs the original program.
-----------------------------------------------------------------
That's the principle. Finally, we need to put these instructions into the code section, and of course we put in the machine code.
Method:
Because the code section starts at file offset 400 and our new entry is at section offset 3a9d, the position at which to start writing is 100 + 400 + 3a9d = 3f9d.
The 100 here is the offset at which DEBUG loads the file in memory. The method is as follows:
Debug n
-F3f9d L1d 6a, 5, 6a, 0, 6a, 0, 68, E0, 4B, 40, 0, 68, F0, 4B, 40, 0, 6a, 0, FF, 15, 78, 73, 40, 0, E9, 41, 1, 0, 0
-F40e0 L9 "pach.exe", 0
-F40f0 L5 "open", 0
-F40fb L5 E9, 0, C4, FF, FF
-W
-Q
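The two header edits above (VirtualSize raised to the file-aligned size, entry point moved into the former gap) leave marks a defender can look for. The following Python is an added example, not part of the original article: it rebuilds a minimal PE32 header with the article's notepad.exe numbers (e_lfanew is assumed to be 80h, which is what puts AddressOfEntryPoint at file offset A8h and .text VirtualSize at 180h) and flags an entry point that lands in the final file-alignment block of its section.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020  # section characteristics flag: contains code

def build_pe(entry, text_vsize, text_rawsize=0x3c00, text_va=0x1000, text_raw=0x400):
    """Constructed minimal PE32 header using the article's notepad.exe numbers.
    e_lfanew=0x80 and SizeOfOptionalHeader=0xE0 put AddressOfEntryPoint at file
    offset 0xA8 and .text VirtualSize at 0x180, the two fields the article patches."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14c, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10b)       # PE32 magic
    struct.pack_into("<I", opt, 16, entry)      # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 32, 0x1000)     # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)      # FileAlignment
    sec = struct.pack("<8sIIIIIIHHI", b".text", text_vsize, text_va, text_rawsize,
                      text_raw, 0, 0, 0, 0, IMAGE_SCN_CNT_CODE | 0x60000000)
    return dos + b"PE\0\0" + coff + bytes(opt) + sec

def field_offsets(data):
    """File offsets of AddressOfEntryPoint and of the first section's VirtualSize."""
    pe = struct.unpack_from("<I", data, 0x3c)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    return pe + 24 + 16, pe + 24 + opt_size + 8

def check_entry_point(data):
    """Return findings about where AddressOfEntryPoint lands (empty list = nothing odd)."""
    pe = struct.unpack_from("<I", data, 0x3c)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        return ["not a PE file"]
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry = struct.unpack_from("<I", data, pe + 40)[0]       # optional header + 16
    file_align = struct.unpack_from("<I", data, pe + 60)[0]  # optional header + 36
    for i in range(nsec):
        off = pe + 24 + opt_size + 40 * i
        name, vsize, va, rawsize = struct.unpack_from("<8sIII", data, off)
        if not va <= entry < va + max(vsize, rawsize):
            continue
        name, findings = name.rstrip(b"\0").decode(), []
        # A cave patch puts the new entry in the section's last file-alignment block.
        if entry >= va + rawsize - file_align:
            findings.append(f"entry point 0x{entry:x} lies in the final 0x{file_align:x} bytes of {name}")
        if vsize == rawsize:  # weak indicator: VirtualSize grown to swallow the slack
            findings.append(f"{name} VirtualSize equals SizeOfRawData, no slack left")
        return findings
    return [f"entry point 0x{entry:x} is outside every section"]
```

Run the check against the original and the patched header values from the article (entry 1000/VirtualSize 3a9b versus entry 4a9d/VirtualSize 3c00) to see the difference; on real files, read the bytes from disk and pass them in unchanged.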
Having completed the hardest part, we can see the result: copy n n.exe, then run n.exe.
We find that when the program starts, the program pach.exe is opened at the same time.
To see the result, download njhhack.top263.net/pach.zip; it is not a Trojan, only a demo program.
---------------------------------------------------
In the same way you can patch any program, as long as it calls ShellExecute, WinExec, CreateProcess, ...
For example, if we patch er.exe, we can automatically run the pach.exe program when the computer starts.
You can patch many such programs, as many as you like.
