2

I want to analyze a file in OllyDbg; however, the "address of entry point" in this file is 0x0000. So it will run the MZ signature as the beginning of the ASM code.

Most debuggers are also unable to debug it directly.
How could I find the original entry point to modify the header?

zx485
Likak

2 Answers

5

If AddressOfEntryPoint in the EXE is set to 0, the EXE has no such entry point. In this case, for the EXE not to crash, it must have TLS callbacks: look for IMAGE_TLS_DIRECTORY (IMAGE_DIRECTORY_ENTRY_TLS); AddressOfCallBacks must not be 0. So this is the real entry point(s) of this EXE; there is no other option, otherwise the EXE will crash.

Most debuggers are also unable to debug it directly.

This happens if the debugger sets a breakpoint on the entry point. In this case the "entry point" will be on MZ, and when the debugger sets a breakpoint (0xCC opcode) there, it damages the MZ signature. As a result there is an exception during process initialization (user32.UserClientDllInitialize -> ntdll.CsrClientConnectToServer -> RtlImageNtHeaderEx (error because MZ was damaged by the breakpoint)).

But if the debugger has not set a breakpoint on the entry point, there is no problem in debugging.

So the solution is to look for IMAGE_DIRECTORY_ENTRY_TLS.AddressOfCallBacks or to set a breakpoint on LdrpCallTlsInitializers.

Really, this was a CLR (.NET) image. In this image type the entry point is formal and not used after XP; the system ignores it and calls _CorExeMain in mscoree.dll as the entry point.

But if you try to debug this with a debugger which automatically sets a breakpoint on the entry point (as the debugger thinks of it), the MZ (IMAGE_DOS_HEADER) is damaged. As a result RtlImageNtHeader[Ex] returns 0 (error) for the EXE and the application crashes (under this debugger).

Ajay
RbMm
  • I searched for the TLS Directory. 'TLS directory RVA' and 'TLS directory size' are both set to zero. In this case, is the TLS structure in MZ again? – Likak Jan 17 '17 at 19:01
  • @bahare - in this case there is no TLS in the exe. Is this exe executed at all? – RbMm Jan 17 '17 at 19:03
  • Very surprisingly, yes! It runs properly. It sounds like it runs the MZ as instruction code, because when I open it in IDA, after two push and pop, inc and dec, there is a jump (located at 0x00400004) to 0x004139EF. So I believe 0x139EF is the RVA of the original entry point. – Likak Jan 17 '17 at 19:33
  • Perhaps a load-time dependency DLL is modifying the process in memory (in its DllMain) so that by the time the loader is ready to jump to the entry point, a nonzero value is present? Try stepping through the loader code by using "System breakpoint" in OllyDbg. – byteptr Jan 17 '17 at 20:11
  • Can you list the first 16 or 32 bytes of the MZ header? – byteptr Jan 17 '17 at 20:15
  • @bahare - hard to say exactly what happens without viewing this `exe`; if you can share it, it will be very easy to see what exactly happens. This is not a `CLR` exe and it does not have its own private DLLs? – RbMm Jan 17 '17 at 20:59
  • `Sounds it runs the MZ as instruction code` - the PE header is read-only and not executable memory, so it must crash on systems with DEP – RbMm Jan 17 '17 at 21:01
  • @byteptr `00400000 dec ebp 00400001 pop edx 00400002 push edx 00400003 inc ebp 00400004 jmp loc_4139EF 00400004 __ImageBase endp 00400009 align 4 0040000C db 0FFh 0040000D db 0FFh 0040000E db 0 0040000F db 0 00400010 db 0B8h ;` – Likak Jan 17 '17 at 21:19
  • @bahare - these "instructions" are only an interpretation of `MZ`; really they are never executed and give no info. If you can share the exe, I can easily debug it and say exactly what happens. This is not a CLR exe? It has no private DLLs? – RbMm Jan 17 '17 at 21:23
  • @RbMm you are right, it is hard to say without having the actual file to look at. I'm afraid I can not share the sample we are working on. By looking at the import table, I don't see any private DLL. – Likak Jan 17 '17 at 21:25
  • @bahare is it not CLR? – RbMm Jan 17 '17 at 21:27
  • @RbMm the packer of the sample was in .NET; however, I am not sure about the sample. PEID doesn't show anything concerning the language and IDA applies the vcseh signature. How could I check if it is CLR? – Likak Jan 17 '17 at 21:32
  • 1
    @bahare - `.NET` == `CLR`, now I understand. Really, the entry point in `.NET` executables is not used at all, so all is clear here. – RbMm Jan 17 '17 at 21:35
  • 1
    @bahare - the real EP in .NET (CLR) is `_CorExeMain` in mscoree.dll – RbMm Jan 17 '17 at 21:38
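The answer and its comments boil down to a header check: when AddressOfEntryPoint is 0, look for a COM descriptor directory (a CLR image, started through _CorExeMain) or a TLS directory with a non-zero AddressOfCallBacks. The following added example, which is not code from the thread or any of its participants, does that check on a PE file without executing it, so nothing needs to be loaded into a debugger that might plant a 0xCC over the MZ signature. The two images it parses are constructed in memory with struct.pack and are not real files; the section name, ImageBase and RVAs in them are made up for the demonstration. The directory indices (9 for TLS, 14 for the COM descriptor), the optional-header offsets and the IMAGE_TLS_DIRECTORY layouts are the documented winnt.h values.

```python
import struct

# Data directory indices from winnt.h
IMAGE_DIRECTORY_ENTRY_TLS = 9
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14


def build_sample(kind):
    """Construct a minimal PE32 header blob in memory (sample data, not a real executable).

    kind="clr": AddressOfEntryPoint == 0 plus a CLR (COM descriptor) directory.
    kind="tls": AddressOfEntryPoint == 0 plus a TLS directory whose AddressOfCallBacks != 0.
    All addresses below are invented for the demonstration.
    """
    image_base = 0x00400000
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header follows the DOS header
    nsec = 1 if kind == "tls" else 0
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 224, 0x0102)  # i386, SizeOfOptionalHeader=224
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, 0)               # AddressOfEntryPoint = 0, the case in the question
    struct.pack_into("<I", opt, 28, image_base)      # ImageBase
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    sections, body = b"", b""
    if kind == "clr":
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2000, 72)
    else:
        # One section at RVA 0x1000 backed by file offset 0x200 that holds an IMAGE_TLS_DIRECTORY32.
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, 0x1000, 24)
        sections = struct.pack("<8sIIIIIIHHI", b".rdata", 0x100, 0x1000, 0x200, 0x200,
                               0, 0, 0, 0, 0x40000040)
        # StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex, AddressOfCallBacks (a VA), SizeOfZeroFill, Characteristics
        body = struct.pack("<IIIIII", 0, 0, 0, image_base + 0x1100, 0, 0).ljust(0x200, b"\0")
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections
    return headers.ljust(0x200, b"\0") + body


def rva_to_offset(rva, sections):
    """Translate an RVA to a file offset through the section table; None if unmapped."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    return None


def parse_pe(data):
    """Read the fields of the headers that matter for finding where execution really starts."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint
    if magic == 0x10B:                                           # PE32
        nrva_off, dir_off = 92, 96
    elif magic == 0x20B:                                         # PE32+
        nrva_off, dir_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    dirs = [struct.unpack_from("<II", data, opt + dir_off + 8 * i) for i in range(nrva)]
    sections = []
    for i in range(nsec):
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, vsize, raw_ptr, raw_size))
    return {"entry": entry, "dirs": dirs, "sections": sections, "pe32plus": magic == 0x20B}


def dir_entry(info, index):
    return info["dirs"][index] if index < len(info["dirs"]) else (0, 0)


def classify(data):
    """Return (kind, address): where the loader will actually start running this image."""
    info = parse_pe(data)
    if info["entry"] != 0:
        return ("entrypoint", info["entry"])
    com_rva, _ = dir_entry(info, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    if com_rva:
        # CLR image: the header EP is ignored and mscoree!_CorExeMain takes over
        return ("clr", com_rva)
    tls_rva, _ = dir_entry(info, IMAGE_DIRECTORY_ENTRY_TLS)
    if tls_rva:
        off = rva_to_offset(tls_rva, info["sections"])
        if off is not None:
            fmt = "<QQQQ" if info["pe32plus"] else "<IIII"
            callbacks_va = struct.unpack_from(fmt, data, off)[3]  # AddressOfCallBacks
            if callbacks_va:
                return ("tls_callbacks", callbacks_va)
    return ("no_entry", 0)   # nothing in the headers gives control to code: expect a crash


if __name__ == "__main__":
    for kind in ("clr", "tls"):
        what, addr = classify(build_sample(kind))
        print("%s sample -> %s at 0x%08x" % (kind, what, addr))
```

To apply it to a real file, pass `open(path, "rb").read()` to `classify`. For the "tls_callbacks" result the returned value is a virtual address (ImageBase plus RVA) of the callback array, not the callbacks themselves; the array is NULL-terminated and each entry is where a breakpoint belongs instead of the header entry point.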
0

0x00000000 is a valid value for the Address of entry point in a PE file; malware uses this trick to make its debugging hard.

Visual Studio can debug a binary that has EP == 0.

bobbyrne01
MGhule