
These are the binaries associated with a previous paper I did,
available here:

http://sandsprite.com/CodeStuff/add_function.html

Their sources are in the download package of 
the article mentioned above. 

For this demo we are going to use LordPE to add the DLL to the import
table, and CaveWriter to implant the new code.

Read the article above for background; this quick bit is just about
the implementation details.

Step 1: add our DLL to the import table using LordPE.

Open the exe in the LordPE PE editor, go to the Directories dialog
and click on the ... button next to Import Table.

Now right click on the top entry and select "add import" from the menu.
Enter our DLL name and the function name GUIConfirmPID. Click + to add
the import and close out of LordPE. Open the exe again and list the import
table; you should see the new DLL and API there.

Now we can get to the modifications. From the article above we have
already enumerated the changes we need to make.

First we are modifying:

.text:004010C5  mov     eax, [ebp+varC] ;place it in eax register
.text:004010C8  push    eax             ;push onto stack as arg
.text:004010C9  call    normal          ;call function normal()
.text:004010CE  xor     eax, eax


to be:

      mov     eax, [ebp+varC] ;place it in eax register
      push    eax             ;push onto stack as arg
      jmp     our_patch       ;this was the call normal()
back:
      xor     eax, eax
      ..blah blah..


our_patch:
	call GUIConfirmPID
	push eax
	call normal
	jmp back


So, in the article, we found a suitable cave for the patch here:

00005E50   C0 74 06 0F B6 45 0B C9  C3 83 C8 FF C9 C3 00 00   t..E.Ã..
00005E60   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00005E70   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00005E80   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................

This one sits in the padding between the last real bytes of the code section and
the start of the next section, so let's embed our new code at file offset 5e70.

Technically, our .text section ends at 5E5E: it starts at file offset 1000 and has a
virtual size of 4E5E, and 1000 + 4E5E = 5E5E, which is exactly where the zero bytes
begin in the dump above. Everything from there to the end of the section's raw data
is padding that exists on disk but is outside the section's declared virtual size.

To keep everything in line, set virtual size = raw size for this section in LordPE,
so the cave is inside the range the loader guarantees to map.

As it turns out it will work without this mod, because in practice the loader maps
the section in whole pages and the padding comes along with them, but that is not
something to rely on across different platforms.

Also, the RVA to file offset calculations in CaveWriter check the virtual size and
will give you an error if the offset falls outside the mapped virtual address
range.
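The section arithmetic and the CaveWriter-style range check described above, worked through in Python as an added example (this is not code from the original article or from LordPE/CaveWriter). It uses the .text values given on the page (RVA 1000, raw offset 1000, virtual size 4E5E); SizeOfRawData is not stated on the page, so 0x5000 is an assumption, and the sample bytes are a constructed stand-in for the end of the section, not the real exe.

```python
from dataclasses import dataclass, replace

IMAGE_BASE = 0x400000   # matches the VAs in the page's disassembly (4010C9 etc.)


@dataclass(frozen=True)
class Section:
    """The section-header fields that matter for RVA <-> file offset math."""
    name: str
    virtual_address: int   # RVA where the section is mapped
    virtual_size: int      # bytes the loader guarantees to map
    raw_offset: int        # PointerToRawData
    raw_size: int          # SizeOfRawData


# .text as described on the page: RVA 1000, raw offset 1000, VirtualSize 4E5E.
# SizeOfRawData is NOT given on the page; 0x5000 is an assumption (the dump shows
# padding out to at least file offset 5E80, so it must be >= 0x4E80).
TEXT = Section(".text", 0x1000, 0x4E5E, 0x1000, 0x5000)


def file_offset_to_va(off, sections, strict=True):
    """Map a file offset to a VA.  With strict=True this behaves like the
    CaveWriter check described on the page: an offset that lands in a
    section's raw padding, past its VirtualSize, is rejected."""
    for s in sections:
        if s.raw_offset <= off < s.raw_offset + s.raw_size:
            rva = s.virtual_address + (off - s.raw_offset)
            if strict and rva >= s.virtual_address + s.virtual_size:
                raise ValueError(
                    f"file offset {off:#x} -> RVA {rva:#x} is past the VirtualSize "
                    f"of {s.name} (ends at RVA {s.virtual_address + s.virtual_size:#x})")
            return IMAGE_BASE + rva
    raise ValueError(f"file offset {off:#x} is not inside any section's raw data")


def offset_is_mapped(off, sections):
    """True if the strict (CaveWriter-style) check accepts this file offset."""
    try:
        file_offset_to_va(off, sections, strict=True)
        return True
    except ValueError:
        return False


def va_to_file_offset(va, sections):
    """Map a VA back to the file offset that backs it."""
    rva = va - IMAGE_BASE
    for s in sections:
        span = max(s.virtual_size, s.raw_size)
        if s.virtual_address <= rva < s.virtual_address + span:
            delta = rva - s.virtual_address
            if delta >= s.raw_size:
                raise ValueError(f"VA {va:#x} is in {s.name} but has no bytes in the file")
            return s.raw_offset + delta
    raise ValueError(f"VA {va:#x} is not inside any section")


def grow_virtual_size(s):
    """The LordPE edit from the page: VirtualSize = SizeOfRawData, so the
    padding (and our cave) is inside the range the loader guarantees to map."""
    return replace(s, virtual_size=max(s.virtual_size, s.raw_size))


def find_zero_runs(data, start, end, min_len):
    """Return (file_offset, length) for every run of >= min_len zero bytes in
    data[start:end]; these are the candidate code caves."""
    runs, i = [], start
    while i < end:
        if data[i] == 0:
            j = i
            while j < end and data[j] == 0:
                j += 1
            if j - i >= min_len:
                runs.append((i, j - i))
            i = j
        else:
            i += 1
    return runs


# Constructed stand-in for the tail of .text (not the real binary): int3 filler,
# then the 14 non-zero bytes from the page's dump at file offset 5E50, then zero
# padding up to an assumed next-section offset of 0x6000.
SAMPLE = bytearray(b"\xCC" * 0x5E50) \
    + bytes.fromhex("C074060FB6450BC9C383C8FFC9C3") \
    + bytes(0x6000 - 0x5E5E)
```

With the section as shipped, 5e70 maps to 405e70 only in non-strict mode; after grow_virtual_size() the strict check passes too, which is exactly why the page suggests the LordPE edit before running CaveWriter.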

Before we use CaveWriter we have to make a note of a couple of things for the case
of this patch. We have to know:

    the virtual address to place our new code at: file offset 5e70 maps to VA 405e70
    (.text starts at file offset 1000 and VA 401000, so add 400000 to the file offset)
    the virtual address of the back: label, in this case 4010CE (from the disasm)
    the virtual address of function normal(), in this case 40108A (from the disasm)

What CaveWriter will do:
    work out how to call GUIConfirmPID from the API name
    assemble the correct opcodes for the given VA
    embed those opcodes into the binary at the address you specify

What you will have to do after:
    don't forget to change the original call normal to jmp our_patch
    (this can be done in CaveWriter too)

So, on to the mods.

Fire up CaveWriter and drag and drop our modded exe into the top textbox.
It will load all of the APIs from the import table into the treeview on the left.

A label at the bottom shows the asm it will use when you enter a call to an
API name.

First, fill in the address we want to embed our code at, here 405e70, and hit
tab. The assemble button should enable.

Now we enter our asm. Because the labels back: and normal don't exist in the raw
binary, we have to use the addresses we found above from the disassembly (either a
disasm tool or a debugger). With that, our asm code looks like this:


call GUIConfirmPID
push eax
call 40108A
jmp  4010CE

Click the assemble button and you should see a stream of hex bytes (the opcodes)
appear in the bottom textbox, and the embed button should become active.
Click embed to write the new code block into the file.

Now the modified code is implanted but not yet active. There is one step left,
namely changing the original call normal into jmp our_patch.

We can actually do that with CaveWriter too, or with whatever hex editing tool
you prefer.

Both the call we are replacing (E8 rel32) and the jmp we are replacing it with
(E9 rel32) are 5-byte instructions, so we can overwrite one with the other in place
without corrupting the instructions that follow it. Before embedding, it is also
worth confirming the bytes at the cave really are all 00, so nothing the program
uses gets overwritten.

To apply this patch in CaveWriter, change the embed-at address to that of the
original call normal, 004010C9, then for the new asm enter

jmp 405e70

Click assemble, then click embed. The new code will now be executed when the exe
is run.

Give the exe a double click and try it out.
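The two CaveWriter steps above (assembling the cave at 405e70 and turning the call at 4010C9 into a jmp) worked through by hand in Python, as an added example rather than CaveWriter's own code. The addresses are the ones on the page. It assumes the imported GUIConfirmPID is reached with an indirect call through its IAT slot (FF 15 imm32), the normal encoding for an import; the slot address 0x406004 is a placeholder, since the real one comes from the import table LordPE wrote and is not given on the page. The byte buffer is a constructed stand-in for the exe, populated only where the patch touches it.

```python
import struct

IMAGE_BASE = 0x400000

# Addresses taken from the page's disassembly.
CALL_SITE_VA = 0x4010C9   # the original "call normal" that becomes "jmp our_patch"
NORMAL_VA    = 0x40108A   # function normal()
BACK_VA      = 0x4010CE   # the back: label (xor eax, eax after the call)
CAVE_VA      = 0x405E70   # where the page embeds the new code (file offset 5E70)

# ASSUMPTION: GUIConfirmPID is called through its IAT slot (call dword ptr [slot]).
# The slot address is a placeholder; the real one is whatever LordPE wrote.
IAT_SLOT_VA = 0x406004


def va_to_off(va):
    """On this binary .text's RVA (1000) equals its raw offset (1000), so a
    file offset is simply VA minus image base."""
    return va - IMAGE_BASE


def rel32(insn_va, target_va, insn_len=5):
    """Displacement for E8/E9: target minus the address of the NEXT instruction."""
    return struct.pack("<i", target_va - (insn_va + insn_len))


def asm_call(va, target):
    return b"\xE8" + rel32(va, target)


def asm_jmp(va, target):
    return b"\xE9" + rel32(va, target)


def asm_call_iat(slot_va):
    return b"\xFF\x15" + struct.pack("<I", slot_va)   # call dword ptr [slot]


def assemble_cave(cave_va, iat_slot_va, normal_va, back_va):
    """Position-dependent encoding of the page's our_patch block; each rel32
    is computed from the VA the instruction will actually sit at."""
    code = asm_call_iat(iat_slot_va)                    # call GUIConfirmPID
    code += b"\x50"                                     # push eax
    code += asm_call(cave_va + len(code), normal_va)    # call normal
    code += asm_jmp(cave_va + len(code), back_va)       # jmp back
    return code


def decode_branch(data, off, va):
    """Decode the 5-byte E8/E9 at file offset off (mapped at va) -> (mnemonic, target)."""
    op = data[off]
    if op not in (0xE8, 0xE9):
        raise ValueError(f"no rel32 call/jmp at {off:#x} (opcode {op:#x})")
    rel = struct.unpack("<i", bytes(data[off + 1:off + 5]))[0]
    return ("call" if op == 0xE8 else "jmp"), (va + 5 + rel) & 0xFFFFFFFF


def write_cave(data, cave_va, code):
    """Embed code at the cave, refusing to overwrite anything that is not padding."""
    off = va_to_off(cave_va)
    if any(data[off:off + len(code)]):
        raise ValueError(f"cave at {cave_va:#x} is not empty")
    data[off:off + len(code)] = code


def redirect_call(data, site_va, expected_target, new_target):
    """Replace the 5-byte call at site_va with a 5-byte jmp to new_target, after
    checking the call really goes where we think it does."""
    off = va_to_off(site_va)
    mnem, tgt = decode_branch(data, off, site_va)
    if (mnem, tgt) != ("call", expected_target):
        raise ValueError(f"expected call {expected_target:#x} at {site_va:#x}, found {mnem} {tgt:#x}")
    data[off:off + 5] = asm_jmp(site_va, new_target)   # same length: nothing else moves


def build_patched_image():
    """Constructed stand-in for the exe (not the real file): only the bytes the
    patch touches are populated.  Returns the patched buffer."""
    img = bytearray(0x6000)
    site = va_to_off(CALL_SITE_VA)
    img[site:site + 5] = asm_call(CALL_SITE_VA, NORMAL_VA)         # original call normal
    img[va_to_off(BACK_VA):va_to_off(BACK_VA) + 2] = b"\x33\xC0"    # xor eax, eax
    write_cave(img, CAVE_VA, assemble_cave(CAVE_VA, IAT_SLOT_VA, NORMAL_VA, BACK_VA))
    redirect_call(img, CALL_SITE_VA, NORMAL_VA, CAVE_VA)
    return img


if __name__ == "__main__":
    img = build_patched_image()
    print("jmp at 4010C9 :", img[0x10C9:0x10CE].hex())
    print("cave at 405E70:", img[0x5E70:0x5E70 + 17].hex())
```

The decode step is the part worth keeping in any patching script: re-reading the call at 4010C9 and confirming it targets 40108A before overwriting it catches the case where the offset math or the disassembly was wrong, and the cave-is-empty check does the same for the embed.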




