Question

I know about sniffers, and I can write one by using the Win32 debug APIs. But here I want to find the entry point of an executable and inject code right there. Is this possible with the debug APIs? Or is there any other way to do it with code, not with tools like Olly?


Solution

You need to take a look at the Portable Executable file format and understand it. Here are some sources to help you get started:

For your use, the AddressOfEntryPoint pointer can be located in the IMAGE_OPTIONAL_HEADER structure, which is found in the IMAGE_FILE_HEADER structure; it is the RVA (Relative Virtual Address) of the first instruction to be executed. If you want to divert the flow of execution right from the start, you need to change the value in this field to a new RVA, and the instruction at the new RVA will be executed first.

License: CC-BY-SA with attribution
Not affiliated with StackOverflow
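
As an added example (not part of the original answer), this Python code reads AddressOfEntryPoint from a PE header and reports which section contains it, which is the check an analyst uses to spot an entry point that has been redirected. The names `entry_point_info` and `build_sample`, the finding strings, and the sample header bytes are constructed for illustration.

```python
import struct

EXEC, WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE

def entry_point_info(data: bytes) -> dict:
    """Locate AddressOfEntryPoint and report the section that contains it."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)    # offset of IMAGE_NT_HEADERS
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                     # IMAGE_FILE_HEADER, 20 bytes
    (nsec,) = struct.unpack_from("<H", data, fh + 2)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, fh + 16) # SizeOfOptionalHeader
    opt = fh + 20                                         # IMAGE_OPTIONAL_HEADER follows
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (ep,) = struct.unpack_from("<I", data, opt + 16)      # AddressOfEntryPoint (an RVA)
    info = {"rva": ep, "section": None, "file_offset": None, "findings": []}
    for i in range(nsec):                                 # 40-byte IMAGE_SECTION_HEADERs
        base = opt + opt_size + 40 * i
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, base)
        (flags,) = struct.unpack_from("<I", data, base + 36)
        if vaddr <= ep < vaddr + max(vsize, rsize):
            info["section"] = name.rstrip(b"\0").decode("ascii", "replace")
            info["file_offset"] = rptr + (ep - vaddr)     # RVA -> offset in the file
            if not flags & EXEC:
                info["findings"].append("entry point in non-executable section")
            if flags & WRITE:
                info["findings"].append("entry point in writable section")
            if nsec > 1 and i == nsec - 1:
                info["findings"].append("entry point in last section")
            return info
    info["findings"].append("entry point outside every section")
    return info

def build_sample(ep_rva: int) -> bytes:
    """Constructed PE32 headers with .text and .data (not a loadable program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    fh = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, ep_rva).ljust(224, b"\0")
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    data = struct.pack("<8sIIIIIIHHI", b".data", 0x200, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + fh + opt + text + data

if __name__ == "__main__":
    for ep in (0x1010, 0x2010, 0x9000):
        print(hex(ep), entry_point_info(build_sample(ep)))
```
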