I recently posted a patch to inject an arbitrary Metasploit payload into a win32 exe while attempting to not affect the behavior of the host exe. I’m not the best Ruby ninja, but I do at least know a little about the PE format.
The payload is run in a separate thread (so if you want to test it, use ExitThread, not ExitProcess, for your EXITFUNC).
It should be very useful in a social engineering or man-in-the-middle scenario. Having executable templates is awesome when trying to pass off a Metasploit payload as a different program; it looks like the original in size and icon, etc. But that all goes away once it is run: the user obviously knows the original program didn’t do what it was supposed to. This should provide an “easy” way to implement an automatic attack scenario such as injecting a payload into all exes downloaded through a WPAD attack, or in a wireless scenario. The user may not even notice the original exe is modified.
It should work with most win32 exes, but will fail with UPX’d executables or some other executables that mess with the PE format. Programs that do some kind of self-verification will catch that something is wrong, but not before the payload is run.
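As an added example, not part of the original post or the patch it describes: the "self-verification" mentioned above can be as simple as comparing a file digest against a value recorded at build time, and anyone inspecting a downloaded binary before running it can also look for the header inconsistencies that appended code commonly leaves behind (a section that is both writable and executable, an entry point that is not in the first executable section, raw data claimed past the end of the file). The Python script below is mine and uses only the standard library; the PE it inspects is a minimal fixture constructed in memory, and the section name `.extra`, the 0x200 file alignment and the filler bytes are assumptions for that fixture, not values from any real program.

```python
import hashlib
import hmac
import struct
from collections import namedtuple

# Section characteristic flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

Section = namedtuple("Section", "name vaddr vsize rawptr rawsize chars")


def parse_pe(data):
    """Parse e_lfanew, the COFF header, AddressOfEntryPoint and the section
    table of a PE image held in memory. Returns (entry_rva, [Section, ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # AddressOfEntryPoint is at offset 16 of the optional header for PE32 and PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    table = opt + opt_size
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        # f[1]=VirtualSize f[2]=VirtualAddress f[3]=SizeOfRawData f[4]=PointerToRawData f[9]=Characteristics
        sections.append(Section(name, f[2], f[1], f[4], f[3], f[9]))
    return entry_rva, sections


def audit_pe(data):
    """Return human-readable findings for header shapes that appended code
    commonly produces. An empty list means nothing suspicious was seen."""
    entry, sections = parse_pe(data)
    findings = []
    for s in sections:
        if s.rawptr + s.rawsize > len(data):
            findings.append(f"section {s.name} claims raw data beyond end of file")
        if s.chars & IMAGE_SCN_MEM_EXECUTE and s.chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {s.name} is both writable and executable")
    executable = [s for s in sections if s.chars & IMAGE_SCN_MEM_EXECUTE]
    home = next((s for s in sections
                 if s.vaddr <= entry < s.vaddr + max(s.vsize, s.rawsize)), None)
    if home is None:
        findings.append(f"entry point 0x{entry:x} lies outside every section")
    elif not home.chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point section {home.name} is not executable")
    elif executable and home != executable[0]:
        findings.append(f"entry point is in {home.name} but the first executable "
                        f"section is {executable[0].name}")
    return findings


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_digest(data, expected_hex):
    """Simplest self-verification: compare the file digest with a known-good value
    (in practice stored outside the hashed region or in a signed manifest)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def build_sample_pe(injected=False):
    """Constructed fixture (assumption, not a real binary): a minimal PE32 with
    .text and .data. With injected=True an RWX section is appended and the entry
    point is moved into it. Section bodies are filler (RET opcodes or zeros)."""
    sections = [
        (b".text", 0x1000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", 0x2000, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    entry = 0x1000
    if injected:
        sections.append((b".extra", 0x3000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
                         | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE))
        entry = 0x3000
    e_lfanew, opt_size = 0x40, 0xE0            # 0xE0 is the PE32 optional header size
    headers_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = (headers_end + 0x1FF) & ~0x1FF  # assumed file alignment of 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, entry)      # AddressOfEntryPoint
    table, body, raw_ptr = b"", b"", raw_base
    for name, vaddr, size, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, raw_ptr, 0, 0, 0, 0, chars)
        body += (b"\xC3" if chars & IMAGE_SCN_CNT_CODE else b"\0") * size
        raw_ptr += size
    image = dos + b"PE\0\0" + coff + bytes(opt) + table
    return image.ljust(raw_base, b"\0") + body


if __name__ == "__main__":
    clean = build_sample_pe()
    known_good = sha256_hex(clean)
    for label, pe in (("clean", clean), ("modified", build_sample_pe(injected=True))):
        print(label, "digest ok:", verify_digest(pe, known_good), "findings:", audit_pe(pe))
```

The digest check is what a program can do about itself, and it flags any byte change at all; the header heuristics are for a reader who has no known-good digest and need to be read as indicators, since packers and some linkers legitimately emit writable-executable sections or unusual entry points.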