entry point injection

Entry point: Every program has an entry point address, such as the main function.After our ntdll module is loaded, it will call this entry point address, and then start executing our code

Ask a question:

1. What needs to be done by codeRemoteArea

   task1:Load our injection module LoadLibraryW addressThere are two problems: A.CALL xxxx This address is invalid, why?resetB.push xxxx string address is wrongUsing the dynamic link library loading principle of window: Process A loads the xxx module * (runtime), and process B also needs to load the module xxx. In order to save memory, the OS will directlyUse the module address loaded by the A process.task2: Fix the code of 5 bytes whose entry point address is brokentask3: JMP entry point address

2. What data does the codeRemoteArea function need to execute?

1.Function pointer(LoadLibraryW ) module path (dllName)2.EntryPoint, store ** where the broken instruction ** (oldCode)

3. Who will populate this data?

task1: GetModuleHandleA+ offset address, assign toEntryPointtask2: save the corrupted instruction entry point address→oldCodetask3: destroys the entry point address JMP is going to address T

4. Who will build this data frame?

task1:alloc memory on the GameMemory