views: 63

answers: 3

I have the location/offset of a particular function present inside an executable. Would it be possible to call such a function (while suppressing the CRT's execution of the executable's entry point, hopefully)?

+4  A: 

In effect, you can simulate the Windows loader, assuming you run under Windows, but the basics should be the same on any platform. See e.g. http://msdn.microsoft.com/en-us/magazine/cc301805.aspx.

  1. Load the file into memory.
  2. Replace all relative addresses of functions that are called by the loaded executable with the actual function addresses.
  3. Change the memory page to "executable" (this is the difficult and platform-dependent part).
  4. Initialize the CRT in order to, e.g., initialize static variables.
  5. Call.

However, as the commenters point out correctly, this might only be practical as an exercise using very simple functions. There are many, many things that can go wrong if you don't manage to emulate the complete OS loader.

PS: You could also ask the Google: http://www.cultdeadcow.com/tools/pewrap.html

PPS: You may also find helpful advice in the "security" community: https://www.blackhat.com/presentations/bh-usa-07/Harbour/Whitepaper/bh-usa-07-harbour-WP.pdf

Sebastian
Good description, the only potential issue I can see is that if the CRT isn't initialised, the call may fail in interesting ways.
Timo Geusch
@Abyx I've extended my answer in that respect.
Sebastian
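Added example, written for this page and not taken from the thread or from the tools it links: the platform-independent part of the five steps in the answer above, in C. It builds a small PE32+ image in memory (a constructed sample with image base 0x140000000, three sections and one base relocation; none of these values come from the question), lays its sections out at their virtual addresses the way the loader would (step 1), applies the base-relocation table for wherever the buffer actually landed (the relocation half of step 2), and turns the raw file offset the asker has into an RVA and then into a pointer inside the mapped image. Header field offsets follow the PE32+ layout from winnt.h; the structs themselves are not used so the code builds on any platform. Import resolution, making the page executable, CRT initialisation and the call itself (the other half of step 2, and steps 3 to 5) are Windows-specific and are deliberately left out; the Harbour whitepaper linked above covers the import side.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* n-byte little-endian field access (PE files and x86/x64 hosts are little-endian). */
static uint64_t rd(const uint8_t *p, int n) { uint64_t v = 0; memcpy(&v, p, n); return v; }
static void wr(uint8_t *p, uint64_t v, int n) { memcpy(p, &v, n); }

#define SAMPLE_IMAGE_BASE 0x140000000ULL   /* constructed sample, not a value from the thread */
#define SAMPLE_FILE_SIZE  0x800

/* Constructed sample: a minimal PE32+ whose .data holds one absolute pointer to the "function"
 * at RVA 0x1008, listed in .reloc as IMAGE_REL_BASED_DIR64 so a loader must fix it up. */
uint8_t *build_sample_image(void)
{
    uint8_t *f = calloc(1, SAMPLE_FILE_SIZE);
    if (!f) return NULL;
    uint8_t *nt = f + 0x40, *opt = nt + 24, *sh = opt + 240;  /* NT headers, optional header, section table */
    memcpy(f, "MZ", 2); wr(f + 0x3c, 0x40, 4);                /* e_lfanew */
    wr(nt, 0x00004550u, 4); wr(nt + 6, 3, 2);                 /* "PE\0\0", NumberOfSections */
    wr(nt + 20, 240, 2); wr(opt, 0x20b, 2);                   /* SizeOfOptionalHeader, PE32+ magic */
    wr(opt + 24, SAMPLE_IMAGE_BASE, 8);                       /* ImageBase */
    wr(opt + 56, 0x4000, 4); wr(opt + 60, 0x200, 4);          /* SizeOfImage, SizeOfHeaders */
    wr(opt + 152, 0x3000, 4); wr(opt + 156, 12, 4);           /* DataDirectory[5]: base relocations */
    const char *names[3] = { ".text", ".data", ".reloc" };    /* VA 0x1000*(i+1) <-> file offset 0x200*(i+1) */
    for (int i = 0; i < 3; i++, sh += 40) {
        memcpy(sh, names[i], strlen(names[i]));               /* Name, VirtualAddress, SizeOfRawData, PointerToRawData */
        wr(sh + 12, 0x1000 * (i + 1), 4); wr(sh + 16, 0x200, 4); wr(sh + 20, 0x200 * (i + 1), 4);
    }
    memset(f + 0x200, 0xc3, 0x20);                            /* .text: ret instructions */
    wr(f + 0x400, SAMPLE_IMAGE_BASE + 0x1008, 8);             /* .data: absolute pointer into .text */
    wr(f + 0x600, 0x2000, 4); wr(f + 0x604, 12, 4);           /* .reloc block: page RVA, SizeOfBlock */
    wr(f + 0x608, 10 << 12, 2); wr(f + 0x60a, 0, 2);          /* DIR64 entry at +0, ABSOLUTE padding */
    return f;
}

/* Find the NT headers of a PE32+ file in memory; the input is untrusted, so bounds come first. */
static const uint8_t *nt_headers(const uint8_t *file, size_t len)
{
    if (len < 0x40 || memcmp(file, "MZ", 2) != 0) return NULL;
    uint64_t off = rd(file + 0x3c, 4);                        /* e_lfanew */
    if (off + 264 > len || rd(file + off, 4) != 0x00004550u || rd(file + off + 24, 2) != 0x20b) return NULL;
    return off + 24 + rd(file + off + 20, 2) + 40 * rd(file + off + 6, 2) <= len ? file + off : NULL;
}

/* The asker has a raw file offset; the section table maps it to an RVA (0 if it is in no section). */
uint32_t file_offset_to_rva(const uint8_t *file, size_t len, uint32_t off)
{
    const uint8_t *nt = nt_headers(file, len);
    if (!nt) return 0;
    const uint8_t *sh = nt + 24 + rd(nt + 20, 2);
    for (unsigned i = 0; i < rd(nt + 6, 2); i++, sh += 40) {
        uint64_t raw = rd(sh + 20, 4), size = rd(sh + 16, 4);
        if (off >= raw && off - raw < size) return (uint32_t)(rd(sh + 12, 4) + (off - raw));
    }
    return 0;
}

/* Step 1: lay the file out as the loader would, headers at 0 and each section at its VirtualAddress.
 * calloc() keeps this portable; a real loader reserves SizeOfImage with VirtualAlloc (step 3 needs it). */
uint8_t *map_image(const uint8_t *file, size_t len, size_t *image_size)
{
    const uint8_t *nt = nt_headers(file, len);
    if (!nt) return NULL;
    uint64_t size = rd(nt + 24 + 56, 4), hdrs = rd(nt + 24 + 60, 4); /* SizeOfImage, SizeOfHeaders */
    uint8_t *img = (hdrs <= len && hdrs <= size) ? calloc(1, size) : NULL;
    if (!img) return NULL;
    memcpy(img, file, hdrs);
    const uint8_t *sh = nt + 24 + rd(nt + 20, 2);
    for (unsigned i = 0; i < rd(nt + 6, 2); i++, sh += 40) {
        uint64_t va = rd(sh + 12, 4), raw = rd(sh + 20, 4), rsz = rd(sh + 16, 4);
        if (va + rsz > size || raw + rsz > len) { free(img); return NULL; }
        memcpy(img + va, file + raw, rsz);
    }
    *image_size = size;
    return img;
}

/* Step 2, relocation half: each IMAGE_REL_BASED_DIR64 entry marks an absolute 64-bit address computed
 * for ImageBase; add the delta to the real base. Returns the number of fixups, or -1 on a bad table. */
int apply_relocations(uint8_t *img, size_t image_size)
{
    const uint8_t *opt = img + rd(img + 0x3c, 4) + 24;
    uint64_t delta = (uint64_t)(uintptr_t)img - rd(opt + 24, 8);       /* actual base - ImageBase */
    uint64_t dir = rd(opt + 152, 4), dsz = rd(opt + 156, 4), pos = 0;  /* DataDirectory[5] */
    int applied = 0;
    if (dir + dsz > image_size) return -1;
    while (pos + 8 <= dsz) {                                           /* one IMAGE_BASE_RELOCATION per page */
        uint64_t page = rd(img + dir + pos, 4), block = rd(img + dir + pos + 4, 4);
        if (block < 8 || pos + block > dsz) return -1;
        for (uint64_t e = 8; e + 2 <= block; e += 2) {
            unsigned ent = (unsigned)rd(img + dir + pos + e, 2);       /* type:4 | page offset:12 */
            uint64_t target = page + (ent & 0xfff);
            if ((ent >> 12) != 10 || target + 8 > image_size) continue; /* only DIR64; type 0 is padding */
            wr(img + target, rd(img + target, 8) + delta, 8);
            applied++;
        }
        pos += block;
    }
    return applied;
}
```

To use it, call build_sample_image(), then map_image(file, SAMPLE_FILE_SIZE, &size), then apply_relocations(image, size); file_offset_to_rva(file, SAMPLE_FILE_SIZE, 0x208) gives 0x1008, and image + 0x1008 is the address that would be called once the page were executable. A calloc() buffer is never executable and is not section-aligned, which is the point of step 3: on Windows the image has to live in VirtualAlloc memory so that VirtualProtect can later set PAGE_EXECUTE_READ on the .text range, and steps 4 and 5 (CRT initialisation and the call through a function pointer) only make sense after that.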
A: 

Yes, you can call it, if you initialize all global variables that this function uses, probably including CRT global variables. As an alternative, you can hook and replace all CRT functions that the callee uses. See the disassembly of that function to get the right solution.

Abyx
A: 

1) Take a look at the LoadLibraryEx() API. It has some flags that might be able to do all the dirty work described by Sebastian.

2) Edit the executable. Several modified bytes will do the job. Here is some documentation on the file format: http://docsrv.sco.com:507/en/topics/COFF.html

ruslik