
Is there a specific null char or a sequence of bytes which would not corrupt the executable if added in FRONT of the file? I tried adding NUL (00 hex) but it corrupts the executable every time. Is there some bytecode for NOP (no operation) or something similar?

Long story short, I want to mess up a "hack" that modifies a value in memory at &process+fixed offset. Pushing the memory stack up would (or so I think) prevent it from working.

cen
  • Actually that won't have any effect since the section directory will still have the original offsets. What you want is much more complicated than just shifting bytes since you are going to mess up all memory references in the binary. Why not just recompile the binary after making an innocuous change? – Raymond Chen Aug 30 '12 at 02:51

2 Answers


No, the PE file format that Windows executables use has a very specific header. See http://en.wikipedia.org/wiki/Portable_Executable for more details.

You can try using ASLR to make your code more resistant to in-memory patching.

Jonathan Potter
  • And if it isn't your own code, look into Microsoft's Enhanced Mitigation Experience Toolkit (EMET). – Harry Johnston Aug 30 '12 at 01:30
  • Thank you for the link. Surfing down to the references I found this: http://www.phreedom.org/research/tinype/. Looks like quite a lot of stuff can be taken out of the PE header without breaking it, so I will try removing instead of adding. – cen Aug 30 '12 at 01:35
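To make the "fixed offsets" point concrete, here is an added example (my own, not code from the answer or from any PE tool): a minimal parser that follows the file-relative offset chain a Windows loader uses (`MZ` at 0, `e_lfanew` at 0x3C, `PE\0\0`, then the section table) over a constructed PE-shaped fixture. Prepending a single NUL breaks the `MZ` check, and even after patching `e_lfanew` the section table's `PointerToRawData` still names the old file offset, so the section body comes back shifted.

```python
import struct

SECT_FMT = "<8sIIII"   # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData

def build_sample_pe() -> bytes:
    """Constructed fixture (not a loadable executable): DOS header, PE signature,
    IMAGE_FILE_HEADER declaring one section and no optional header, then the
    section's raw bytes at file offset 0x80."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew: PE header lives at 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x0022)
    section = struct.pack(SECT_FMT, b".text", 0x10, 0x1000, 0x10, 0x80) + bytes(16)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + section  # exactly 0x80 bytes
    return headers + b"\xC3" * 0x10                        # constructed section data

def parse_pe(data: bytes) -> dict:
    """Follow the offset chain a loader follows. Every offset is measured from
    byte 0 of the file, which is why prepending anything breaks the image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature at offset 0")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError(f"no PE signature at e_lfanew=0x{e_lfanew:x}")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                      # section table follows the headers
    sections = []
    for i in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(SECT_FMT, data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), raw_ptr, data[raw_ptr:raw_ptr + raw_size]))
    return {"e_lfanew": e_lfanew, "sections": sections}

def try_parse(data: bytes) -> str:
    """Return 'ok' or the first header check that fails."""
    try:
        parse_pe(data)
        return "ok"
    except ValueError as exc:
        return str(exc)

def prepend_and_fix_dos_header(data: bytes, n: int) -> bytes:
    """Prepend n NUL bytes and patch MZ/e_lfanew so the PE signature is found
    again. The section table is untouched, so PointerToRawData still names the
    old file offset and now reads the wrong bytes."""
    shifted = bytearray(bytes(n) + data)
    shifted[0:2] = b"MZ"
    old_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    struct.pack_into("<I", shifted, 0x3C, old_lfanew + n)
    return bytes(shifted)
```

Running the fixture through `try_parse` with one NUL prepended fails at the `MZ` check; with the DOS header patched, the header chain parses but the `.text` bytes read from 0x80 are off by one, which is exactly what Raymond Chen's comment describes.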

You'd have to parse it completely into its different sections and segments, modify the one you are looking for, but you won't be able to INSERT code before any code segment: you'd better have a segment that will be executed first, then will jump to the old start segment.

At the end you will have to recreate a new complete executable file.

Parallelis