How to Inject Code Into Notepad
- 1). Create a folder on your computer called "Test." Save it to a place that's easy to find, such as your desktop. Locate the file "notepad.exe" on your hard drive and copy it to your "Test" folder, so the original stays untouched. Start a debugger that's compatible with your system and open the copied "notepad.exe" file in the debugger.
- 2). Locate a "code cave" in the notepad.exe file, that is, an unused stretch of the executable section, by finding a number of consecutive rows showing "00" and "DB 00" in the second and third columns of the notepad.exe listing within your debugging screen.
- 3). Select about two dozen lines within the second column of the code cave you identified and click on "options" from the top menu followed by "Binary" and "Edit."
- 4). Enter a phrase such as "Injected Notepad Code" into the "ASCII" field of the pop-up window that appears. In the bottom field marked "HEX + 10" type "49 4E 4A 45 43 54 45 44 20 4E 4F 54 45 50 41 44 00 00 00 00 00 00 00 00 00 00" and click "OK."
- 5). Verify that red code has been inserted into the code cave section you isolated earlier. Press "Ctrl" and the letter "A" to reanalyze the code, and observe that the number sequence appears in the second column and the words "ASCII 'Injected Notepad'" appear in the third column of the field where the code cave originally was.
- 6). Create a few lines of assembly (ASM) code to enter into Notepad at the proper jump point to tell the program to run the code you just injected. Look at the far left column and note the eight-digit address where your code begins. Look again at the far left column and find the eight-digit address of the line where the phrase "PUSH 0" appears on the far right.
- 7). Click on "Options" from the top menu followed by "Go to" and "Origin" to locate the first line of the code that will be executed in Notepad. Copy 11 lines of code from what appears on the screen, beginning with the phrase "PUSH 70" on the far right column. Press "Options" then "Copy" and "To clipboard."
- 8). Paste the text into a new Notepad window and toggle your screen back to your debugger. Double-click on the line marked "PUSH 70" and enter "JMP" followed by a space and the eight-digit address that you wrote down for the line with the phrase "PUSH 0"; check the box in the window marked "Fill with NOP's" and click "Assemble."
- 9). Observe a three-line series of red code in your debugger window and note the eight-digit address of the fourth line (the first black line) after your injected jump code, which will show the phrase "CALL NOTEPAD.########". Write down the eight-digit address located in the left column on this line. Compare these four lines of your "new origin" with the beginning of the 11-line original origin sequence you copied and pasted into Notepad. Identify the lines that were overwritten in the new origin sequence; the jump you assembled replaced them, so they must be re-entered inside the cave or the program will not start correctly.
- 10). Copy these overwritten lines and paste them into your debugger at the line beneath the phrase "CALL USER32.MessageBoxA" in the far right column. Save your changes by clicking "Options" then "Copy to executable" and "All modifications." Press "Copy All" on the pop-up window that appears. Wait for a new window with the ASM code to appear, then close that window, leaving your debugger open. Click "Save" and give your session a file name. Click "Options" followed by "Run" and wait for a window to appear with your file name in it. Click "OK" and wait for Notepad to start normally.
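The procedure above leaves two fingerprints in the patched file that an integrity check can pick up: the first instruction at the entry point becomes a JMP into a region that the section headers say is not code (the zero-filled alignment padding past the section's VirtualSize), and that padding is no longer all zeros. The following script is an added example, not part of the original article, that audits a PE file for both signs and also lists the "code caves" (long runs of 00 bytes in executable sections) the article tells you to look for. It parses the PE headers with the standard library only, and it builds two constructed in-memory sample executables (a clean one and one patched the way the article describes) so it runs without a real notepad.exe; the sample bytes are illustrative and are not taken from Notepad.

```python
import re
import struct

FILE_ALIGN = 0x200          # file alignment used by the constructed samples
TEXT_RVA = 0x1000           # RVA of the constructed .text section
TEXT_VSIZE = 0x40           # bytes of "real" code; the rest of the raw section is padding
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_sections(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ image."""
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('not a PE file')
    nsec = struct.unpack_from('<H', data, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from('<H', data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from('<I', data, opt + 16)[0]      # AddressOfEntryPoint
    sections, pos = [], opt + opt_size
    for _ in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from('<8sIIIIIIHHI', data, pos)
        sections.append({'name': name.rstrip(b'\0').decode(), 'vsize': vsize, 'va': va,
                         'rawsize': rawsize, 'rawptr': rawptr,
                         'exec': bool(chars & IMAGE_SCN_MEM_EXECUTE)})
        pos += 40
    return entry_rva, sections


def find_code_caves(data, min_len=32):
    """Runs of at least min_len zero bytes inside executable sections (the article's 'code caves')."""
    _, sections = parse_sections(data)
    caves = []
    for s in sections:
        if not s['exec']:
            continue
        raw = data[s['rawptr']:s['rawptr'] + s['rawsize']]
        for m in re.finditer(rb'\x00{%d,}' % min_len, raw):
            caves.append({'section': s['name'], 'rva': s['va'] + m.start(), 'size': m.end() - m.start()})
    return caves


def padding_with_code(data):
    """Executable sections whose alignment padding (past VirtualSize) is no longer all zeros."""
    _, sections = parse_sections(data)
    hits = []
    for s in sections:
        if not s['exec'] or s['rawsize'] <= s['vsize']:
            continue
        pad = data[s['rawptr'] + s['vsize']:s['rawptr'] + s['rawsize']]
        nonzero = [i for i, b in enumerate(pad) if b]
        if nonzero:
            hits.append({'section': s['name'], 'rva': s['va'] + s['vsize'] + nonzero[0], 'bytes': len(nonzero)})
    return hits


def entry_point_redirected(data):
    """Flag an entry point whose first instruction is JMP rel32 (E9) to somewhere outside the real code."""
    entry_rva, sections = parse_sections(data)
    sec = next((s for s in sections if s['va'] <= entry_rva < s['va'] + s['rawsize']), None)
    if sec is None:
        return None
    off = sec['rawptr'] + (entry_rva - sec['va'])
    if data[off] != 0xE9:
        return None
    rel = struct.unpack_from('<i', data, off + 1)[0]
    target = entry_rva + 5 + rel          # JMP rel32 is relative to the next instruction
    if sec['va'] <= target < sec['va'] + sec['vsize']:
        return None                        # jumps within the section's declared code: not suspicious by itself
    return {'entry_rva': entry_rva, 'target_rva': target, 'section': sec['name']}


def audit(data):
    """Human-readable findings for one PE image."""
    findings = [f"code cave in {c['section']} at RVA {c['rva']:#x} ({c['size']} bytes)" for c in find_code_caves(data)]
    findings += [f"non-zero bytes in {h['section']} padding at RVA {h['rva']:#x}" for h in padding_with_code(data)]
    jmp = entry_point_redirected(data)
    if jmp:
        findings.append(f"entry point {jmp['entry_rva']:#x} is a JMP to {jmp['target_rva']:#x} outside declared code")
    return findings


# Constructed sample bytes (not Notepad's code): a PUSH 70h / PUSH imm32 / CALL rel32 prologue, then NOPs.
CLEAN_CODE = (bytes([0x6A, 0x70, 0x68, 0x00, 0x10, 0x40, 0x00, 0xE8, 0x10, 0x00, 0x00, 0x00])
              + b'\x90' * (TEXT_VSIZE - 12))
# Constructed stand-in for the injected cave contents: the article's string plus a few instruction bytes.
INJECTED = b'INJECTED NOTEPAD\x00' + bytes([0x6A, 0x00, 0xE8, 0x20, 0x00, 0x00, 0x00, 0xE9, 0xF0, 0xFE, 0xFF, 0xFF])


def build_sample(patched):
    """Build a minimal single-section PE32 image in memory; patched=True applies the article's JMP-to-cave edit."""
    raw = bytearray(FILE_ALIGN)
    raw[:len(CLEAN_CODE)] = CLEAN_CODE
    if patched:
        cave_rva = 0x1100                                  # inside the padding past TEXT_VSIZE
        rel = (cave_rva - (TEXT_RVA + 5)) & 0xFFFFFFFF
        raw[0:5] = b'\xE9' + struct.pack('<I', rel)        # overwrite the prologue with JMP cave
        raw[cave_rva - TEXT_RVA:cave_rva - TEXT_RVA + len(INJECTED)] = INJECTED
    dos = bytearray(64)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 64)                  # e_lfanew
    coff = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack('<HBBIIIIII', 0x10B, 0, 0, TEXT_VSIZE, 0, 0, TEXT_RVA, TEXT_RVA, 0x2000).ljust(224, b'\0')
    sec = struct.pack('<8sIIIIIIHHI', b'.text', TEXT_VSIZE, TEXT_RVA, FILE_ALIGN, FILE_ALIGN,
                      0, 0, 0, 0, 0x60000020)              # CODE | EXECUTE | READ
    header = (bytes(dos) + b'PE\0\0' + coff + opt + sec).ljust(FILE_ALIGN, b'\0')
    return bytes(header + raw)


if __name__ == '__main__':
    for label, sample in (('clean', build_sample(False)), ('patched', build_sample(True))):
        print(label)
        for line in audit(sample):
            print('  ' + line)
```

Run on a real file with `audit(open(path, 'rb').read())`. A code cave by itself is normal (every aligned section has one), so the signal to act on is the combination: non-zero bytes in padding plus an entry-point JMP into that padding. Comparing the file's hash against a known-good copy remains the simplest check; this script is for the case where you want to know what changed.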