代码区添加shellcode（在 PE 文件第一个节的空闲区域注入 shellcode，并改写入口点 / inject shellcode into the slack space of a PE file's first section and redirect the entry point）

// p44.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <windows.h>
#include <malloc.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
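// Shellcode written into the slack space at the end of the first section and
// made the new entry point.  Disassembly:
//   6A 00 x4          push 0 ; push 0 ; push 0 ; push 0   (MessageBox(NULL,NULL,NULL,0) args)
//   E8 xx xx xx xx    call rel32   -> operand at offset 0x9, patched by shellCode()
//   E9 xx xx xx xx    jmp  rel32   -> operand at offset 0xE, patched to reach the original OEP
// Both rel32 fields are left as zero here; shellCode() fills them in.
BYTE ShellCode[]=
{
0x6A,00,0x6A,00,0x6A,00,0x6A,00,
0xE8,00,00,00,00,
0xE9,00,00,00,00
};

// Length of ShellCode in bytes (0x12).  Derived from the array so the constant
// cannot drift from the real size if the byte sequence above is edited.
#define ShellCodeIen ((DWORD)sizeof(ShellCode))

// Hard-coded MessageBox address from the author's (pre-ASLR) machine.  Not
// referenced anywhere in this file: shellCode() uses the address of MessageBox
// as resolved in the running process instead.
#define MessageBoxAdder 0x77D507EA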


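/*
 * Read the whole target file into a freshly malloc'd buffer.
 *
 * ppFileBuffer  out: receives the buffer on success (caller owns it and must
 *                    free() it).  Left untouched on failure.
 * Returns the file size in bytes, or 0 on any error (open, size, alloc, read).
 *
 * Fixes vs. the original: the FILE* was leaked when the size came back as 0,
 * and an ftell() error (-1) was silently turned into a 4 GB allocation.
 *
 * NOTE(review): the path has no ".exe" extension and points into system32; it
 * is kept verbatim from the original -- confirm it names the file you mean.
 */
DWORD ReadPEFile(LPVOID *ppFileBuffer)
{
    FILE* pFile = fopen("C:\\WINDOWS\\system32\\notepad","rb");
    if(!pFile)
    {
        printf("文件打开失败!\n");
        return 0;
    }

    // Size via seek-to-end.  ftell() returns -1 on error and an empty file
    // cannot be a PE, so both cases are rejected.
    fseek(pFile,0,SEEK_END);
    long fileLen = ftell(pFile);
    fseek(pFile,0,SEEK_SET);
    if(fileLen <= 0)
    {
        printf("读取文件大小失败\n");
        fclose(pFile);
        return 0;
    }
    DWORD SizeFileBuffer = (DWORD)fileLen;

    LPVOID pBuf = malloc(SizeFileBuffer);
    if(!pBuf)
    {
        printf("kai pi kong jian shi bai\n");
        fclose(pFile);
        return 0;
    }

    // One item of SizeFileBuffer bytes: fread() returns 1 only if the whole
    // file was read, so a short read is a failure.
    if(fread(pBuf,SizeFileBuffer,1,pFile) != 1)
    {
        printf("fu zhi shu ju shi bai\n");
        free(pBuf);
        fclose(pFile);
        return 0;
    }
    fclose(pFile);

    *ppFileBuffer = pBuf;
    return SizeFileBuffer;
}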

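/*
 * Expand a raw PE file (disk layout) into its in-memory layout: the headers
 * are copied verbatim, then each section's raw bytes are copied to its
 * VirtualAddress inside a zero-filled buffer of SizeOfImage bytes.
 *
 * pFileBuffer    in : the file as read from disk (PE32 only)
 * ppImageBuffer  out: receives a malloc'd buffer of SizeOfImage bytes on
 *                     success (caller frees); untouched on failure
 * Returns SizeOfImage on success, 0 on failure.
 *
 * Fix vs. the original: section bodies were copied from
 * *ppImageBuffer + PointerToRawData -- i.e. from the zero-filled destination
 * itself -- so the produced image carried no section data at all.  The
 * source must be pFileBuffer.
 *
 * NOTE(review): the caller does not pass the file size, so PointerToRawData /
 * SizeOfRawData from the headers cannot be checked against the end of
 * pFileBuffer; only writes into the image buffer are bounds-checked here.
 * Do not point this at untrusted files without adding a size parameter.
 */
DWORD FileBufferToImageBuffer(LPVOID pFileBuffer,LPVOID* ppImageBuffer)
{
    if(!pFileBuffer)
    {
        printf("han shu diao yong shi bai\n");
        return 0;
    }
    printf("pFileBuffer is %p\n",pFileBuffer);   // %p: the original passed a pointer to %x

    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer;
    if(pDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
    {
        printf("not MZ signal");
        return 0;
    }

    PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pFileBuffer+pDosHeader->e_lfanew);
    if(pNTHeader->Signature!=IMAGE_NT_SIGNATURE)
    {
        printf("not PE signal");
        return 0;
    }

    // FILE_HEADER follows the 4-byte signature; OPTIONAL_HEADER follows the
    // 20-byte FILE_HEADER.
    PIMAGE_FILE_HEADER pPEHeader = (PIMAGE_FILE_HEADER)(((DWORD)pNTHeader)+4);
    PIMAGE_OPTIONAL_HEADER32 pOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)(((DWORD)pPEHeader)+20);

    // Everything below reads PE32 fields; refuse PE32+ (64-bit) images.
    if(pOptionalHeader->Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    {
        printf("not a PE32 image\n");
        return 0;
    }

    DWORD sizeOfImage = pOptionalHeader->SizeOfImage;
    DWORD sizeOfHeaders = pOptionalHeader->SizeOfHeaders;
    printf("SizeOfImage is %x\n",sizeOfImage);
    if(sizeOfHeaders > sizeOfImage)
    {
        printf("SizeOfHeaders exceeds SizeOfImage\n");
        return 0;
    }

    LPVOID pImage = malloc(sizeOfImage);
    if(!pImage)
    {
        printf("kai pi nei cun shi bai\n");
        return 0;
    }
    memset(pImage,0,sizeOfImage);

    printf("SizeOfHeader is %x\n",sizeOfHeaders);
    memcpy(pImage,pFileBuffer,sizeOfHeaders);

    PIMAGE_SECTION_HEADER pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionalHeader+pPEHeader->SizeOfOptionalHeader);
    printf("NumberOfSections are %x\n",pPEHeader->NumberOfSections);
    for(WORD i=0;i<pPEHeader->NumberOfSections;i++,pSectionHeader++)
    {
        DWORD rva = pSectionHeader->VirtualAddress;
        DWORD raw = pSectionHeader->SizeOfRawData;
        if(raw == 0)
            continue;   // uninitialised-data section: nothing on disk to copy

        // Destination range must lie inside the image (overflow-safe form).
        if(rva > sizeOfImage || raw > sizeOfImage - rva)
        {
            printf("section %u does not fit in SizeOfImage\n",(unsigned)i);
            free(pImage);
            return 0;
        }
        memcpy((LPVOID)((DWORD)pImage+rva),
               (LPVOID)((DWORD)pFileBuffer+pSectionHeader->PointerToRawData),
               raw);
    }
    printf("finish coping!");

    *ppImageBuffer = pImage;
    return sizeOfImage;
}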

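/*
 * Append ShellCode to the slack space of the first section (the bytes between
 * Misc.VirtualSize and SizeOfRawData), patch its two rel32 operands, and point
 * AddressOfEntryPoint at it so the shellcode runs first and then jumps to the
 * original entry point.
 *
 * pImageBuffer  in/out: image produced by FileBufferToImageBuffer(), patched
 *                       in place.
 * Returns pImageBuffer on success.  When the section has no room it free()s
 * the buffer and returns 0 (behaviour kept from the original -- the caller
 * must not reuse the pointer afterwards).  Other failures return 0 without
 * freeing.
 *
 * Fixes vs. the original:
 *  - SizeOfRawData - VirtualSize was an unsigned subtraction; with
 *    VirtualSize > SizeOfRawData it wrapped to a huge value, the "enough room"
 *    test passed, and the shellcode was written past the section.  The
 *    ordering is now checked first.
 *  - Both arms of the SectionAlignment == FileAlignment branch ran identical
 *    code; collapsed into one path (the message still reports the comparison).
 *  - The target section is now required to be executable, otherwise the
 *    patched binary faults at its new entry point under DEP.
 *  - The memcpy() NULL test and the "rel32 == 0" tests could never fire and
 *    were dropped.
 *
 * NOTE(review): the call target is the address of MessageBox in THIS process
 * (the MessageBox macro resolves to MessageBoxA/W depending on UNICODE), so
 * the patched file only works if user32.dll is mapped at the same base in the
 * target -- true on a system without ASLR, not in general.
 */
LPVOID shellCode(LPVOID pImageBuffer)
{
    // Byte offsets inside ShellCode: rel32 operand of the E8 call, the
    // instruction after it, rel32 operand of the E9 jmp, and the byte after
    // it.  A rel32 is relative to the instruction that follows it.
    const DWORD CALL_REL_OFF  = 0x9;
    const DWORD CALL_NEXT_OFF = 0xD;
    const DWORD JMP_REL_OFF   = 0xE;
    const DWORD JMP_NEXT_OFF  = ShellCodeIen;

    if(!pImageBuffer)
    {
        printf("pImageBuffer han shu diao yong shi bai\n");
        return 0;
    }

    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pImageBuffer;
    PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pImageBuffer+pDosHeader->e_lfanew);
    PIMAGE_FILE_HEADER pPEHeader = (PIMAGE_FILE_HEADER)(((DWORD)pNTHeader)+4);
    PIMAGE_OPTIONAL_HEADER32 pOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)(((DWORD)pPEHeader)+20);
    PIMAGE_SECTION_HEADER pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionalHeader+pPEHeader->SizeOfOptionalHeader);

    if(pPEHeader->NumberOfSections == 0)
    {
        printf("no sections\n");
        return 0;
    }

    DWORD rawSize  = pSectionHeader->SizeOfRawData;
    DWORD usedSize = pSectionHeader->Misc.VirtualSize;
    // Guard the subtraction: the unsigned wrap here was the original bug.
    if(usedSize > rawSize || (rawSize - usedSize) < ShellCodeIen)
    {
        printf("节表空间不足\n");
        free(pImageBuffer);
        return 0;
    }
    printf("SizeOfRaw=%x\n",rawSize);
    printf("VirtualSize=%x\n",usedSize);
    printf("nei cun chong zu");

    if(!(pSectionHeader->Characteristics & IMAGE_SCN_MEM_EXECUTE))
    {
        printf("first section is not executable\n");
        return 0;
    }

    if(pOptionalHeader->SectionAlignment == pOptionalHeader->FileAlignment)
        printf("SectionAlignment == FileAlignment\n");
    else
        printf("SectionAlignment != FileAlignment\n");

    // RVA of the first free byte after the section's used data.
    DWORD shellRva = pSectionHeader->VirtualAddress + usedSize;
    if(shellRva > pOptionalHeader->SizeOfImage || ShellCodeIen > pOptionalHeader->SizeOfImage - shellRva)
    {
        printf("shellcode would fall outside the image\n");
        return 0;
    }
    PBYTE ShellCodeBegin = (PBYTE)pImageBuffer + shellRva;
    memcpy(ShellCodeBegin,ShellCode,ShellCodeIen);
    printf("代码初步加入成功!\n");

    // E8: rel32 = target VA - VA of the instruction after the call.
    DWORD CallAdd = (DWORD)MessageBox - (pOptionalHeader->ImageBase + shellRva + CALL_NEXT_OFF);
    *(PDWORD)(ShellCodeBegin+CALL_REL_OFF) = CallAdd;
    printf("E8 ok\n");

    // E9: rel32 = OEP - RVA of the byte after the jmp; both are RVAs so
    // ImageBase cancels out.
    DWORD JmpAdd = pOptionalHeader->AddressOfEntryPoint - (shellRva + JMP_NEXT_OFF);
    *(PDWORD)(ShellCodeBegin+JMP_REL_OFF) = JmpAdd;
    printf("E9 ok\n");

    pOptionalHeader->AddressOfEntryPoint = shellRva;
    printf("OEP=%x\n",pOptionalHeader->AddressOfEntryPoint);
    printf("OEP ok\n");
    printf("finish");
    return pImageBuffer;
}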

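/*
 * Collapse an in-memory image back into on-disk file layout.
 *
 * pImageBuffer  in : image (headers, then sections at their RVAs)
 * ppBuffer      out: receives a malloc'd buffer in file layout on success
 *                    (caller frees); untouched on failure
 * Returns the file-layout size in bytes, or 0 on failure.
 *
 * Fix vs. the original: the output size was taken from the FIRST section
 * header only (its PointerToRawData + SizeOfRawData), yet the copy loop wrote
 * every section at its own raw offset -- a heap overflow for any image with
 * more than one section.  The size is now the largest raw end over all
 * sections, and never less than SizeOfHeaders.  Source reads are also checked
 * against SizeOfImage.
 */
DWORD ImageBufferToFileBuffer(LPVOID pImageBuffer,LPVOID *ppBuffer)
{
    if(!pImageBuffer)
    {
        printf("error");
        return 0;
    }

    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pImageBuffer;
    PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pImageBuffer+pDosHeader->e_lfanew);
    PIMAGE_FILE_HEADER pPEHeader = (PIMAGE_FILE_HEADER)(((DWORD)pNTHeader)+4);
    PIMAGE_OPTIONAL_HEADER32 pOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)(((DWORD)pPEHeader)+20);
    PIMAGE_SECTION_HEADER sections = (PIMAGE_SECTION_HEADER)((DWORD)pOptionalHeader+pPEHeader->SizeOfOptionalHeader);
    WORD numSections = pPEHeader->NumberOfSections;
    DWORD sizeOfImage = pOptionalHeader->SizeOfImage;

    // File size = furthest raw end of any section, never less than the headers.
    DWORD SizeOfBuffer = pOptionalHeader->SizeOfHeaders;
    for(WORD k=0;k<numSections;k++)
    {
        DWORD rawStart = sections[k].PointerToRawData;
        DWORD rawEnd = rawStart + sections[k].SizeOfRawData;
        if(rawEnd < rawStart)   // header values overflow a DWORD
        {
            printf("bad section raw size\n");
            return 0;
        }
        if(rawEnd > SizeOfBuffer)
            SizeOfBuffer = rawEnd;
    }

    LPVOID pOut = malloc(SizeOfBuffer);
    if(!pOut)
    {
        printf("malloc fail\n");
        return 0;
    }
    printf("SizeOfBuffer=%x",SizeOfBuffer);
    memset(pOut,0,SizeOfBuffer);

    memcpy(pOut,pImageBuffer,pOptionalHeader->SizeOfHeaders);
    for(WORD k=0;k<numSections;k++)
    {
        PIMAGE_SECTION_HEADER s = &sections[k];
        DWORD rva = s->VirtualAddress;
        DWORD raw = s->SizeOfRawData;
        if(raw == 0)
            continue;
        // The bytes are read from the image at the RVA; that range must exist.
        if(rva > sizeOfImage || raw > sizeOfImage - rva)
        {
            printf("section %u lies outside SizeOfImage\n",(unsigned)k);
            free(pOut);
            return 0;
        }
        memcpy((LPVOID)((DWORD)pOut+s->PointerToRawData),
               (LPVOID)((DWORD)pImageBuffer+rva),
               raw);
    }
    printf("cpy success\n");

    *ppBuffer = pOut;
    return SizeOfBuffer;
}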

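/*
 * Write SizeOfBuffer bytes from pBuffer to the output path.
 * Returns true on success, false on open/write error (a zero-length write is
 * reported as failure, as in the original).
 *
 * Fixes vs. the original: a failed fwrite() leaked the FILE*; a short write
 * (fewer than SizeOfBuffer bytes) counted as success; the fclose() result,
 * which is where buffered data is actually flushed, was ignored.
 *
 * NOTE(review): the destination is inside C:\WINDOWS\system32, which needs
 * administrative rights; the path is kept verbatim from the original.
 */
BOOL MemeryToFile(LPVOID pBuffer,DWORD SizeOfBuffer)
{
    FILE* fpw = fopen("C:\\WINDOWS\\system32\\note","wb");
    if(!fpw)
    {
        printf("fpw error");
        return false;
    }

    size_t written = fwrite(pBuffer,1,SizeOfBuffer,fpw);
    if(SizeOfBuffer == 0 || written != SizeOfBuffer)
    {
        printf("fpw fwrite fail");
        fclose(fpw);
        return false;
    }

    // fclose() flushes; a failure here means the file on disk is incomplete.
    if(fclose(fpw) != 0)
    {
        printf("fpw fwrite fail");
        return false;
    }
    printf("success\n");
    return true;
}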

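/*
 * Driver: read the PE, expand it to image layout, inject the shellcode,
 * collapse it back to file layout and write it out.
 *
 * Changes vs. the original: every buffer is freed on exit; the unconditional
 * printf("fail") that followed a *successful* read is gone; the process now
 * exits non-zero on failure instead of returning 0 on every path, so a shell
 * or script can tell the outcome apart.
 */
int main()
{
    LPVOID pFileBuffer = NULL;
    LPVOID pImageBuffer = NULL;
    LPVOID pBuffer = NULL;
    DWORD SizeOfBuffer = 0;
    int rc = 1;

    if(!ReadPEFile(&pFileBuffer))
    {
        printf("FileBuffer函数调用失败 \n");
        return rc;
    }

    if(!FileBufferToImageBuffer(pFileBuffer,&pImageBuffer))
    {
        printf("调用FileBufferToImageBuffer函数失败");
        goto cleanup;
    }

    // shellCode() returns 0 when it cannot patch (and on the "no room" path
    // has already freed the image, hence the reassignment -- the other
    // failure paths leak it, as in the original).  ImageBufferToFileBuffer()
    // rejects a NULL image, so the chain stops there.
    pImageBuffer = shellCode(pImageBuffer);

    SizeOfBuffer = ImageBufferToFileBuffer(pImageBuffer,&pBuffer);
    if(!SizeOfBuffer)
    {
        printf("SizeOfBuffer error");
        goto cleanup;
    }

    if(MemeryToFile(pBuffer,SizeOfBuffer)==false)
    {
        printf("end");
        goto cleanup;
    }
    rc = 0;

cleanup:
    free(pBuffer);
    free(pImageBuffer);
    free(pFileBuffer);
    return rc;
}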

 

 
