Erasing dll entry point and PE header
nefarearworm opened this issue · 0 comments
Hi! I am not good at programming, just learning how it works and trying to modify your code. I want to find another way to erase the DLL entry point and PE header. I implemented it like this in "WinMain":
```cpp
NtWriteVirtualMemory(ProcessHandle, TargetBase, ZeroBuffer, 4096, nullptr);
NtWriteVirtualMemory(ProcessHandle, (BYTE*)TargetBase + ImageOptionalHeader->AddressOfEntryPoint, ZeroBuffer, 32, nullptr);
```
Is this a correct way?
Also, I discovered that I can erase the PE header like this at the end of the Loader function:
```cpp
MappingData->DllEntryFunction(MappingData->TargetBase, DLL_PROCESS_ATTACH, nullptr);
MappingData->ModuleHandle = reinterpret_cast<HINSTANCE>(MappingData->TargetBase);

int i = 1024;
unsigned char* ptr = (unsigned char*)MappingData->TargetBase;
while (i-- > 0) // working
{
    *ptr++ = 0;
}

while (ImageOptionalHeader->SizeOfHeaders-- > 0) // also working
{
    *ptr++ = 0;
}

unsigned char* ptr = (unsigned char*)MappingData->TargetBase;
int i = ImageOptionalHeader->SizeOfHeaders;
while (i-- > 0) // doesn't work
{
    *ptr++ = 0;
}
```
It's just a memset implementation. By brute force I found "1024", which erases the whole page, and the target works correctly. But sadly I can't understand how it's working. When I pass "4096" my target crashes. It's the same situation with erasing the entry point using the same memset method. Do you see the problem?
Then I made this to erase the address of the entry point:
```cpp
// TargetBase is PVOID
register unsigned char* ptr1 = (unsigned char*)(BYTE*)MappingData->TargetBase + ImageOptionalHeader->AddressOfEntryPoint;
int SizeOfAddressOfEntryPoint = 32;
while (SizeOfAddressOfEntryPoint-- > 0)
{
    *ptr1++ = 0;
}
```
The program doesn't crash, but how can I check that the entry point was erased?
Another question is how to calculate the number of bytes to erase at the address of the DLL entry point. Why is its size "32"? Unfortunately I have not found any information about this.
I will be grateful for any answer! Thank you!