Hello People,

I'm glad to see that such a nice Asm-Forum is available on the net. First excuse my bad english (I'm from germany ;))

Ok, now my question. Imagine some program overwrites the "EntryPoint"-Field in the PE-Header of each of your win32 exe-files. Now you want to find out the old entrypoint of the exe-file. That entrypoint must be in the .idata-section of the exe-file (i think so). If you know how to get it (please tell me).

Now another questions. On a not changed (normal) exe-file, the entrypoint is not the same as when you disassemble the exe-file. Ok, in another words: I disassemble the exefile and the disassembler shows another entrypoint to me as it is set in the PE-Header. Why? Is ther any algorithm to calculate the real address i have to set into the PE-Header?

Please help me. Thank you very much :alright:
Posted on 2003-05-26 02:50:26 by ShadowCaster
To get the old entrypoint you must first find out where the program stores the old entrypoint. It differs on how the section is injected and what code is injected.

RVA to fileoffset.



RVAToOffset PROC uses edi pFileMap:DWORD,RVA:DWORD
mov esi,pFileMap
add esi,[esi+3ch]
assume esi:ptr IMAGE_NT_HEADERS
mov edi,RVA ; edi == RVA
movzx ecx,[esi].FileHeader.NumberOfSections
add esi,sizeof IMAGE_NT_HEADERS
assume esi:ptr IMAGE_SECTION_HEADER
.while ecx>0 ; check all sections
.if edi>=[esi].VirtualAddress
mov eax,[esi].VirtualAddress
add eax,[esi].SizeOfRawData
.if edi<eax ; The address is in this section
mov eax,[esi].VirtualAddress
sub edi,eax ; edi == difference between the specified RVA and the section's RVA
mov esi,[esi].PointerToRawData
add esi,edi ; eax == file offset
add esi,pFileMap
ret
.endif
.endif
add esi,sizeof IMAGE_SECTION_HEADER
dec ecx
.endw
assume esi:nothing
ret
RVAToOffset endp
Posted on 2003-05-26 02:58:58 by roticv
Thank you for your fast reply. I'm sorry.. well... I'm a newbe :grin: in Assembler. Can you please write the code in c++ or delphi (pascal) or java that I'm able to understand it? I want to write an program in Delphi (maybe use the inline-assembler of delphi). So can you please explain how it works in c++ or maybe another language? I'm very sorry about this! :(
Posted on 2003-05-26 03:02:24 by ShadowCaster
Read this first before you ask for a Delphi code:
http://www.asmcommunity.net/board/showthread.php?threadid=13010
Posted on 2003-05-26 03:12:42 by Starless
But the in each delphi-forum there are only n00bs. I'm the first person that wanna learn assembler and to work with exe-files from the delphi-forum. I already asked this question in 2 of the largest german delphi-forums with about 4000 Members and no answer.

So why you can't explain the steps of the code you are doing in some pseudo-code? That would really help. If i have the file-address of the entrypoint, thats nice but in the PE-Header the address is another and not the same. Why? How can i translate the address i have got from the exe-file to the real entry-point-address of the pe-header?

The code there above don't seems to be right. If i got it right, the code only gets the Address of the Start from the Idata-Section but not the entry-point. The start of the.idata-section IS NOT THE ENTRYPOINT! You can believe me.
Posted on 2003-05-26 03:12:52 by ShadowCaster
wait. I know this function above. I already have it in Delphi :-) But if i wanna get the entrypoint of the idata-section it returnes 0! if i call this function with the right entrypoint from the pe-header it also returnes 0. Thats not the right function to get the entrypoint of an exe. It only gets the entrypoint of a section.
Posted on 2003-05-26 03:19:19 by ShadowCaster
sorry about my new reply :( But i still need help. I'm sure that this forum has some Code-Warriors that are able to help me ;)

Thank you :alright:
Posted on 2003-05-26 05:24:35 by ShadowCaster
I never did say where the old entrypoint would be found as programs that inject over another program stores old entry point differently. For example for my program, I stored my entry point at +15 bytes from the entrypoint of the new section. However to get the old entrypoint you must add 0xdeadc0de to it. My point is that it differs from one program to another.

Anyway do you know what are you uttering? Entrypoint points to the place where the first instruction is carried out. Thus for every program there is only one entrypoint. Better for you to learn the PE format before I carry on with anything.
Posted on 2003-05-26 07:09:36 by roticv
i think i know the PE Format quite well :) i've written several programs to get the imported, exported functions of an PE-File, to get the PE-Header itself, etc. My program works quite well. But it helped me that you said that each program only has 1 Entrypoint. :grin: If you could help me, that would be nice. I'm a asm-n00b, but no PE-n00b ;) :cool:
Posted on 2003-05-26 07:19:34 by ShadowCaster
First of all, I don't know what you're intentions are, but there are rules on this board that don't allow reverse engineering and such. I can't think of many legal uses for finding the entrypoint of a packed/modified exe other than when you're writing a debugger or disassembling a packed program you wrote yourself but lost the source (unlikely :)). Anyway, as long as there's not association with illegal stuff this thread can stay open but keep this in mind.

The entry point is normally only stored in the PE header. If an exe is packed it is changed and probably stored somewhere else, and likely not in readable format. It highly depends on the packer how this is stored. Usually, the packer has its own section and unpacks the rest of the sections. Then it gets/calculates/decrypts/whatever the entrypoint and jumps to it. You will need to find that point. Btw ollydbg has an option to find the real entry point of packed programs, you could try that.

Thomas
Posted on 2003-05-26 07:54:17 by Thomas
Ok, yes, now i know why you won't answer my question ;)

I have a virus on my system. It changes the PE-Header and the entrypoint of the exe-files. I have written a program to remove that virus and the exe-files are 95% clean now. I only need to find out the old entrypoint of the exe-file. The Virus adds a writeable Datasection to the Exe-File. My Program removes this section. But how to get the old entrypoint? i have disassemblet the virus -data but i can't get the old entrypoint :-( You must help me please. I asked several firms that are programming virusscanners but no help. :mad:

I hope you could help me :)
Posted on 2003-05-26 07:59:13 by ShadowCaster
Oh I forgot, some disassemblers can detect compiler signatures to determine the start of the code, since the entrypoint of HLL compiled programs is usually the default startup code of that language. For example, in a C program main() is the starting point from the programmer's view, but in compiled form main is not the entry point, it's the run time library code that initializes everything and finally calls main. Maybe your disassembler shows those semi-entry points as the program's entry point.

Thomas
Posted on 2003-05-26 08:00:36 by Thomas
ShadowCaster,

It does not mean that data have to be stored in the data segment. No one ever said it could not be stored in the code segment. And no one ever said that the old entrypoint is encrypt or packed. All these have to be found out from the RE or unless you have the source code.
Posted on 2003-05-26 08:07:12 by roticv
Are there no standard-algorithms to find the old entrypoint? if you want i can send you the asmcode of the virus tomorrow. It's used as an dll-loader. The Virus loads some dll into the RAM. I'm sorry, but it seems as you can't help me too :-(( I'm afraid because there are about 30 or 50 different compilers and i can't get the signature of each compiled file to get the entrypoint. some standartroutines would be nice.
Posted on 2003-05-26 08:26:14 by ShadowCaster
ShadowCaster, check your private messages.

Thomas
Posted on 2003-05-26 08:39:18 by Thomas
i have answered it. Thank you so much for help :)
Posted on 2003-05-26 09:01:46 by ShadowCaster
I still have the problem! Please contact me with a PM i you are able to help me. thank you.
Posted on 2003-05-30 05:13:39 by ShadowCaster

Are there no standard-algorithms to find the old entrypoint? if you want i can send you the asmcode of the virus tomorrow. It's used as an dll-loader. The Virus loads some dll into the RAM. I'm sorry, but it seems as you can't help me too :-(( I'm afraid because there are about 30 or 50 different compilers and i can't get the signature of each compiled file to get the entrypoint. some standartroutines would be nice.


sorry, but there is no such thing - if there would be a standard-algorithms to
retrieve the "old entrypoint" 95% of all virii's would not be a thread anymore.
the term "old ep" is made up by you(!) but it's actually a feature of the virus
to jump back to the host after destroying the crap out of your computer.
there are a thousand completely different ways and there are techniques
called "entry point obfuscating" so that should give you a hint. maybe you're
kind of lucky and your virus is an easy one, so maybe it stores the old ep
in the pe-header somewhere, in this case it should be very easy to get
it back on yourself. and btw. trying to resolve the original ep by reading out
compiler signatures is nonsense.

just send me the source of that virus and i'll see what i can do for you...
or install a decent virus-scanner like nod32 (www.nod32.com) on your pc.
http://www.asmcommunity.net/board/cryptmail.php?tauntspiders=in.your.face@nomail.for.you&id=af9d4222fa5bf3697537b5cebad1ccc6 - my spam address
Posted on 2003-05-30 07:03:51 by mob
what the heck? NO! that was not necessary - the only reason i have
that address is to GET spam... :grin:
Posted on 2003-05-30 07:11:50 by mob
well i know it. I was sending you the asm.zip-file. That is the assemblercode of the loader. In this code somewhere there must be the jumpcode to the old jumpaddress of the exe-file. So if its a spam mail for you than better go to microsoft and hack any mailserver to get spammails...

I really need help, not any n00b that only want to get spam mails. That isn't funny.
Posted on 2003-05-30 07:31:01 by ShadowCaster