Patching XP Notepad's PE so it runs only one instance

Source: Internet
Author: qiweixue

I want my XP Notepad to open only one instance; a screen full of Notepad windows gets tiring. A few API functions do the work: FindWindowA checks whether a Notepad window already exists, and IsDebuggerPresent checks for a debugger. In the same way, FindWindowA can check whether OllyDbg is running, and ShellExecuteA can open an http URL (www.pediy.com, so you can visit Kanxue), start the local Outlook to send mail, or open a text file for editing (I have not done those; if you are interested, do them yourself). It is very simple and there is not much code.
I will not write out the declarations of the API functions used here; the declarations of FindWindowA, LoadLibraryA, GetProcAddress, ShellExecuteA and MessageBoxA can be found by searching www.baidu.com.

Tools: LordPE, OllyDbg (OD), Hex Workshop
Note: this is only a debugging exercise; it sharpens your debugging skills and does no harm.
Step 1: use LordPE to add the functions we want to import.
Step 2: use OllyDbg to write the code.

As shown below, there is not much code to write.

Step 1:
Use LordPE to add the imports we need. (You could also build the import table by hand in the hex editor; I will not go into that here.)
First, zero out Notepad's BoundImport directory: with a bound import table the loader trusts the pre-resolved addresses and would not resolve our new entries. Then open notepad.exe in LordPE, select the Import Table, add a USER32.DLL entry, and add FindWindowA and MessageBoxA to it.
Select "view always FirstThunk"; the result looks like this:

ThunkRVA   ThunkOffset  ThunkValue  Hint  APIName
00013027   00010227     0001300B    0000  FindWindowA
0001302B   0001022B     00013019    0000  MessageBoxA

Add a KERNEL32.DLL entry with ExitProcess, LoadLibraryA and GetProcAddress:

ThunkRVA   ThunkOffset  ThunkValue  Hint  APIName
0001304E   0001024E     00013040    0000  ExitProcess
00013083   0001024E     0001024E    0000  LoadLibraryA
00013087   0001024E     0001024E    0000  GetProcAddress

Save. The ThunkRVA column (the RVA of the IAT slot that the loader fills with each imported function's address) is what we need later: ImageBase + ThunkRVA is the operand of the call dword ptr [...] instructions in the patch.
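As an added example (not the page's own code and not a LordPE feature), the following Python script builds an import directory in the layout an import-table editor writes, then walks it the way LordPE's "view always FirstThunk" view does, listing ThunkRVA, ThunkValue, Hint and APIName, and finally encodes the call dword ptr [...] instruction from a ThunkRVA. The RVA base 0x13000 and the slot RVAs it produces are constructed here and differ from the page's values; only the FindWindowA slot 0x13027 used by iat_call in the last check is taken from the page.

```python
import struct

# 32-bit PE import structures (PE/COFF spec, little-endian).
# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
DESC = struct.Struct("<IIIII")
THUNK = struct.Struct("<I")            # IMAGE_THUNK_DATA32
IMAGE_ORDINAL_FLAG32 = 0x80000000


def build_import_directory(base_rva, dlls):
    """Lay out an import directory at base_rva the way an import-table editor does.

    dlls is a list of (dll_name, [api_name, ...]).  Returns (blob, slots): blob is the
    raw bytes starting at base_rva, and slots[api] is the RVA of that API's IAT slot,
    the column LordPE labels ThunkRVA.  OriginalFirstThunk is left 0, so the loader
    reads the names from the FirstThunk array and overwrites it in place.
    """
    n_desc = len(dlls) + 1                     # array ends with an all-zero descriptor
    tail_rva = base_rva + n_desc * DESC.size   # strings and thunks follow the descriptors
    tail = bytearray()
    records = []                               # (Name RVA, FirstThunk RVA) per DLL
    slots = {}
    for dll_name, apis in dlls:
        name_rva = tail_rva + len(tail)
        tail += dll_name.encode("ascii") + b"\0"
        hint_rvas = []
        for api in apis:
            if len(tail) % 2:                  # IMAGE_IMPORT_BY_NAME is word aligned
                tail += b"\0"
            hint_rvas.append(tail_rva + len(tail))
            tail += struct.pack("<H", 0) + api.encode("ascii") + b"\0"  # Hint 0, as LordPE writes
        while len(tail) % 4:                   # thunk array is dword aligned
            tail += b"\0"
        first_thunk = tail_rva + len(tail)
        for api, hint_rva in zip(apis, hint_rvas):
            slots[api] = tail_rva + len(tail)  # this dword is the IAT slot for `api`
            tail += THUNK.pack(hint_rva)
        tail += THUNK.pack(0)                  # thunk array terminator
        records.append((name_rva, first_thunk))
    descs = b"".join(DESC.pack(0, 0, 0, n, ft) for n, ft in records) + DESC.pack(0, 0, 0, 0, 0)
    return descs + bytes(tail), slots


def parse_import_directory(blob, base_rva):
    """Walk an import directory like LordPE's 'view always FirstThunk'.

    blob holds the bytes starting at base_rva (descriptors plus everything they point
    to).  Returns [(dll_name, [(thunk_rva, thunk_value, hint, api_name), ...]), ...].
    """
    def cstr(rva):
        off = rva - base_rva
        return blob[off:blob.index(b"\0", off)].decode("ascii")

    result, pos = [], 0
    while True:
        oft, _ts, _fwd, name_rva, ft = DESC.unpack_from(blob, pos)
        pos += DESC.size
        if name_rva == 0 and ft == 0:          # terminating descriptor
            break
        names_rva = oft or ft                  # OFT == 0: the names live in the IAT itself
        entries = []
        for i in range(0x10000):               # bounded walk, in case a terminator is missing
            (val,) = THUNK.unpack_from(blob, names_rva + 4 * i - base_rva)
            if val == 0:
                break
            if val & IMAGE_ORDINAL_FLAG32:     # import by ordinal: no hint/name entry
                hint, api = val & 0xFFFF, "#%d" % (val & 0xFFFF)
            else:
                (hint,) = struct.unpack_from("<H", blob, val - base_rva)
                api = cstr(val + 2)
            entries.append((ft + 4 * i, val, hint, api))   # ft + 4*i is the IAT slot (ThunkRVA)
        result.append((cstr(name_rva), entries))
    return result


def iat_call(image_base, thunk_rva):
    """Encode `call dword ptr ds:[image_base + thunk_rva]` (FF 15 imm32), the form the
    patched code uses to call an API through its IAT slot."""
    return b"\xff\x15" + struct.pack("<I", image_base + thunk_rva)


def demo():
    # Constructed input mirroring the page's LordPE session (base RVA chosen here).
    dlls = [("USER32.DLL", ["FindWindowA", "MessageBoxA"]),
            ("KERNEL32.DLL", ["ExitProcess", "LoadLibraryA", "GetProcAddress"])]
    blob, slots = build_import_directory(0x13000, dlls)
    table = parse_import_directory(blob, 0x13000)
    for dll, entries in table:
        print(dll)
        for thunk_rva, val, hint, api in entries:
            print("  ThunkRVA %08X  ThunkValue %08X  Hint %04X  %s" % (thunk_rva, val, hint, api))
    return table, slots


if __name__ == "__main__":
    demo()
```

LordPE's ThunkOffset column is the file offset of the same slot, obtained by mapping the RVA through the section table; that mapping is not modelled here. The ordinal branch is included because a real import table may carry ordinal-only entries even though the page's additions are all by name.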

Step 2:
Open notepad.exe in OllyDbg, patch the entry point so it jumps to our code, and find a code cave. Below is the original OEP; these instructions must be preserved and re-executed after the patch:

01006AE0  6A 70            PUSH 70
01006AE2  68 88180001      PUSH NOTEPAD.01001888
01006AE7  E8 BC010000      CALL NOTEPAD.01006CA8
01006AEC  33DB             XOR EBX,EBX
01006AEE  53               PUSH EBX                                            ; /pModule => NULL
01006AEF  8B3D 4C110001    MOV EDI,DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>] ; |
01006AF5  FFD7             CALL EDI                                            ; \GetModuleHandleA

That is the unmodified OEP; we need these original instructions after the change.

Next, find a code cave. Caves are easy to find: most of the bytes at the end of the section are 00 (though not all of them are usable):
01007D71 00 db 00
01007D72 00 db 00
01007D73 00 db 00
01007D74 00 db 00
01007D75 00 db 00
01007D76 00 db 00
01007D77 00 db 00
01007D78 00 db 00
01007D79 00 db 00
01007D7A 00 db 00
01007D7B 00 db 00
01007D7C 00 db 00
01007D7D 00 db 00
01007D7E 00 db 00


Here is the entry after I patched it:

01006AE0  60               PUSHAD
01006AE1  9C               PUSHFD
01006AE2  E9 8A120000      JMP NOTEPAD.01007D71                                ; jump to the cave
01006AE7  E8 BC010000      CALL NOTEPAD.01006CA8
01006AEC  33DB             XOR EBX,EBX
01006AEE  53               PUSH EBX
01006AEF  8B3D 4C110001    MOV EDI,DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>]
01006AF5  FFD7             CALL EDI

PUSHAD, PUSHFD and the 5-byte JMP are exactly 7 bytes, the same size as the two instructions they overwrite (PUSH 70 and PUSH 01001888), so execution can resume on an instruction boundary at 01006AE7; those two pushes have to be replayed at the end of the cave code before jumping back.


The cave turned out to be too small. The first time I ran out of space, which was painful, so I increased the section's raw size by 1000h. That is more than enough; most of it is wasted. Below is the code I wrote in the cave:
01007D71  6A 00            PUSH 0                                      ; /Title = NULL
01007D73  68 E0810001      PUSH NOTEPAD.010081E0                       ; |Class = "Notepad"
01007D78  FF15 27300101    CALL DWORD PTR DS:[<&USER32.FindWindowA>]   ; \FindWindowA
01007D7E  83F8 00          CMP EAX,0
01007D81  74 1D            JE SHORT NOTEPAD.01007DA0                   ; no window found: run normally
01007D83  90               NOP
01007D84  6A 00            PUSH 0                                      ; /Style = MB_OK|MB_APPLMODAL
01007D86  68 F0810001      PUSH NOTEPAD.010081F0                       ; |Title = "Only Run One ;"
01007D8B  68 00820001      PUSH NOTEPAD.01008200
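As an added example (not the page's code), the following Python script encodes the same patch: the 7-byte trampoline written over the OEP and the cave code, with the JE displacement and the JMP back computed from the addresses rather than by hand. The addresses, IAT slots and string pointers are the page's; the cave layout up to the JE target 01007DA0 reproduces the page's listing, while the resume path after it (POPFD/POPAD, replay of the two displaced pushes, JMP to 01006AE7) is my assumption, since the page's listing is cut off there.

```python
import struct

# Addresses from the page's OllyDbg session (notepad.exe, ImageBase 01000000).
IMAGE_BASE = 0x01000000
OEP = 0x01006AE0             # original entry point
RESUME = 0x01006AE7          # first original instruction the trampoline leaves intact
CAVE = 0x01007D71            # start of the code cave
# IAT slots: ImageBase + the ThunkRVA LordPE reported for each added import.
IAT_FINDWINDOWA = IMAGE_BASE + 0x13027
IAT_MESSAGEBOXA = IMAGE_BASE + 0x1302B
IAT_EXITPROCESS = IMAGE_BASE + 0x1304E
# String addresses used by the page's cave code ("Notepad", caption, text).
STR_CLASS, STR_TITLE, STR_TEXT = 0x010081E0, 0x010081F0, 0x01008200
# The two instructions the trampoline overwrites: PUSH 70 ; PUSH 01001888 (7 bytes).
DISPLACED = bytes.fromhex("6A70" "6888180001")


def rel32(insn_addr, target, insn_len=5):
    """Displacement for E9/E8 rel32, relative to the end of the instruction."""
    return struct.pack("<i", target - (insn_addr + insn_len))


def rel8(insn_addr, target):
    """Displacement for a short Jcc (2-byte instruction); must fit in a signed byte."""
    disp = target - (insn_addr + 2)
    if not -128 <= disp <= 127:
        raise ValueError("short jump out of range: %d" % disp)
    return struct.pack("<b", disp)


def push_imm32(value):
    return b"\x68" + struct.pack("<I", value)         # PUSH imm32


def call_iat(slot):
    return b"\xff\x15" + struct.pack("<I", slot)      # CALL DWORD PTR DS:[slot]


def build_trampoline(oep, cave):
    """PUSHAD ; PUSHFD ; JMP cave (60 9C E9 rel32), written over the OEP."""
    code = b"\x60\x9c" + b"\xe9" + rel32(oep + 2, cave)
    # It must cover whole instructions so the cave can return to an instruction boundary.
    assert len(code) == len(DISPLACED)
    return code


def build_cave(cave):
    """Assemble the single-instance check into the cave at `cave`.
    Returns (code_bytes, address of the 'not running' label the JE targets)."""
    code = bytearray()

    def here():
        return cave + len(code)

    code += b"\x6a\x00"                          # PUSH 0             ; lpWindowName = NULL
    code += push_imm32(STR_CLASS)                # PUSH "Notepad"     ; lpClassName
    code += call_iat(IAT_FINDWINDOWA)            # CALL [FindWindowA]
    code += b"\x83\xf8\x00"                      # CMP EAX,0
    je_idx = len(code)
    code += b"\x74\x00"                          # JE not_running     ; displacement patched below
    code += b"\x90"                              # NOP (present in the page's listing)
    code += b"\x6a\x00"                          # PUSH 0             ; uType = MB_OK
    code += push_imm32(STR_TITLE)                # PUSH caption       ; lpCaption
    code += push_imm32(STR_TEXT)                 # PUSH text          ; lpText
    code += b"\x6a\x00"                          # PUSH 0             ; hWnd = NULL
    code += call_iat(IAT_MESSAGEBOXA)            # CALL [MessageBoxA]
    code += b"\x6a\x00"                          # PUSH 0             ; uExitCode
    code += call_iat(IAT_EXITPROCESS)            # CALL [ExitProcess] ; never returns
    not_running = here()
    code[je_idx + 1] = rel8(cave + je_idx, not_running)[0]   # fix up the JE now the target is known
    # Assumed resume path (not shown on the page): undo the trampoline's pushes,
    # replay the displaced instructions, then continue at the first untouched one.
    code += b"\x9d\x61"                          # POPFD ; POPAD
    code += DISPLACED                            # PUSH 70 ; PUSH 01001888
    code += b"\xe9" + rel32(here(), RESUME)      # JMP 01006AE7
    return bytes(code), not_running


if __name__ == "__main__":
    print("OEP patch:", build_trampoline(OEP, CAVE).hex())
    cave_code, target = build_cave(CAVE)
    print("cave (%d bytes), JE target %08X:" % (len(cave_code), target), cave_code.hex())
```

The trampoline bytes come out as 60 9C E9 8A 12 00 00 and the JE as 74 1D, matching the page's listing, which is a useful check that the displacements were computed from the right instruction ends. Note that keying on the window class "Notepad" is a heuristic: any other window registered with that class name also blocks the launch, and two instances started at nearly the same moment can both pass the check; a named mutex is the usual robust way to enforce a single instance.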
