#include "openfile.h"
#include <stdio.h>
#include <malloc.h>
#include <memory.h>
#include <Windows.h>
#define MASSAGEBOXAADDR 0x757A7E60
#define IMAGE_SIZEOF_DOS_HEADER 0x40
BYTE shellCode[] = {
0x6A,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,
0xE8,0x00,0x00,0x00,0x00,
0xE9,0x00,0x00,0x00,0x00
};
BYTE SectionName[] = { 0x2e,0x74,0x74,0x74,0,0,0,0 };
BYTE NewExportFileName[] = "NewTestDll.dll";
BYTE DllName[] = "injectDll.dll";
BYTE APIName[] = "_Run@0";
//新建INT表
typedef struct _NEW_INT_TABLE {
DWORD VirtualAddress;
DWORD OverAddress;
}NEW_INT_TABLE,*PNEW_INT_TABLE;
//新建IAT表
typedef struct _NEW_IAT_TABLE {
DWORD VirtualAddress;
DWORD OverAddress;
}NEW_IAT_TABLE, *PNEW_IAT_TABLE;
//读取文件返回fileBuffer
LPVOID ReadPEFile(LPSTR lpszFole)
{
FILE* pFile = NULL;
DWORD fileSize = 0;
LPVOID pFileBuffer = NULL;
//读取文件
pFile = fopen(lpszFole, "rb");
if (!pFile)
{
printf("打开EXE文件失败\n");
return NULL;
}
//把下标移动到文件最后
fseek(pFile, 0, SEEK_END);
//获取文件大小
fileSize = ftell(pFile);
//恢复文件下标到最开始
fseek(pFile, 0, SEEK_SET);
//分配缓冲区
pFileBuffer = malloc(fileSize);
if (!pFileBuffer)
{
printf("分配空间失败\n");
free(pFileBuffer);
return NULL;
}
size_t n = fread(pFileBuffer, 1, fileSize, pFile);
if (!n)
{
printf("文件读取失败\n");
free(pFileBuffer);
fclose(pFile);
return NULL;
}
//关闭文件
fclose(pFile);
return pFileBuffer;
}
//拉伸fileBuffer返回ImageBuffer
LPVOID CopyFileBufferToImageBuffer(LPSTR lpszFole)
{
LPVOID pFileBuffer = NULL;
LPVOID pImageBuffer = NULL;
PIMAGE_DOS_HEADER pe_dos_header = NULL;
PIMAGE_FILE_HEADER pe_file_header = NULL;
PIMAGE_OPTIONAL_HEADER32 pe_option_header_32 = NULL;
PIMAGE_NT_HEADERS pe_nt_header = NULL;
PIMAGE_SECTION_HEADER pe_section_header = NULL;
pFileBuffer = ReadPEFile(lpszFole);
if (!pFileBuffer)
{
printf("打开文件失败\n");
return NULL;
}
if (*((PWORD)pFileBuffer)!=IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标记\n");
free(pFileBuffer);
return NULL;
}
pe_dos_header = (PIMAGE_DOS_HEADER)pFileBuffer;
//printf("********************打印DOS头****************************\n");
//printf("MZ标志 %x\n", pe_dos_header->e_magic);
//printf("PE偏移 %x\n", pe_dos_header->e_lfanew);
if (*((PDWORD)((DWORD)pFileBuffer+pe_dos_header->e_lfanew))!=IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志\n");
free(pFileBuffer);
return NULL;
}
pe_nt_header = (PIMAGE_NT_HEADERS)((DWORD)pFileBuffer + pe_dos_header->e_lfanew);
//printf("PE标志 %x\n", pe_nt_header->Signature);
pe_file_header = (PIMAGE_FILE_HEADER)((DWORD)pe_nt_header + 4);
//printf("********************标准PE头****************************\n");
//printf("运行平台: %x\n", pe_file_header->Machine);
//printf("节的数量: %x\n", pe_file_header->NumberOfSections);
//printf("编译器生成的时间戳: %x\n", pe_file_header->TimeDateStamp);
//printf("可选PE头大小: %x\n",pe_file_header->SizeOfOptionalHeader);
//printf("PE特征: %x\n", pe_file_header->Characteristics);
pe_option_header_32 = (PIMAGE_OPTIONAL_HEADER32)((DWORD)pe_file_header + IMAGE_SIZEOF_FILE_HEADER);
//printf("********************可选PE头****************************\n");
//printf("文件类型: %x\n", pe_option_header_32->Magic);
//printf("代码节的和: %x\n", pe_option_header_32->SizeOfCode);
//printf("已初始化数据大小的和: %x\n", pe_option_header_32->SizeOfInitializedData);
//printf("未初始化数据大小的和: %x\n", pe_option_header_32->SizeOfUninitializedData);
//printf("程序入口: %x\n", pe_option_header_32->AddressOfEntryPoint);
//printf("代码开始的基址: %x\n", pe_option_header_32->BaseOfCode);
//printf("数据开始的基址: %x\n", pe_option_header_32->BaseOfData);
//printf("内存镜像基址: %x\n", pe_option_header_32->ImageBase);
//printf("内存对齐: %x\n", pe_option_header_32->SectionAlignment);
//printf("文件对齐: %x\n", pe_option_header_32->FileAlignment);
//printf("内存中整个PE文件映像的尺寸: %x\n", pe_option_header_32->SizeOfImage);
//printf("所有头+节表按照文件对齐后的大小: %x\n", pe_option_header_32->SizeOfHeaders);
//printf("效验和: %x\n", pe_option_header_32->CheckSum);
//printf("初始化保留的栈的大小: %x\n", pe_option_header_32->SizeOfStackReserve);
//printf("初始化时实际提交的栈的大小: %x\n", pe_option_header_32->SizeOfStackCommit);
//printf("初始化时保留的堆的大小: %x\n", pe_option_header_32->SizeOfHeapReserve);
//printf("初始化时实际提交的堆的大小: %x\n", pe_option_header_32->SizeOfHeapCommit);
//printf("目录项数目: %x\n", pe_option_header_32->NumberOfRvaAndSizes);
pImageBuffer = malloc(pe_option_header_32->SizeOfImage);
if (!pImageBuffer)
{
printf("分配空间失败\n");
free(pFileBuffer);
return NULL;
}
memset(pImageBuffer, 0, pe_option_header_32->SizeOfImage);
memcpy(pImageBuffer, pFileBuffer, pe_option_header_32->SizeOfHeaders);
//printf("%p\n", pImageBuffer);
pe_section_header = (PIMAGE_SECTION_HEADER)((DWORD)pe_option_header_32 + pe_file_header->SizeOfOptionalHeader);
//printf("********************节表****************************\n");
for (size_t i = 0; i < pe_file_header->NumberOfSections; i++)
{
//printf("NAME: %s\n", pe_section_header->Name);
//printf("MISC: %x\n", pe_section_header->Misc);
//printf("节区在内存中的偏移地址: %x\n", pe_section_header->VirtualAddress);
//printf("节在文件中对齐后的尺寸: %x\n", pe_section_header->SizeOfRawData);
//printf("节区在文件中的偏移: %x\n", pe_section_header->PointerToRawData);
//printf("节的属性: %x\n", pe_section_header->Characteristics);
memcpy(((CHAR*)(DWORD)pImageBuffer) + pe_section_header->VirtualAddress,
((CHAR*)(DWORD)pFileBuffer) + pe_section_header->PointerToRawData,
pe_section_header->SizeOfRawData);
pe_section_header = (PIMAGE_SECTION_HEADER)((DWORD)pe_section_header + IMAGE_SIZEOF_SECTION_HEADER);
}
free(pFileBuffer);
return pImageBuffer;
}
//给节表添加E8E9硬编码,返回ImageBuffer
LPVOID AddImageBufferShellCode(LPSTR lpszFole)
{
LPVOID pImageBuffer = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTHeader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader32 = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
DWORD NumberOfSection = 4;
DWORD SizeOfSection = 0;
pImageBuffer = CopyFileBufferToImageBuffer(lpszFole);
if (!pImageBuffer)
{
printf("分配空间失败\n");
free(pImageBuffer);
return NULL;
}
if (*(PWORD((DWORD)pImageBuffer))!=IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标记\n");
free(pImageBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)((DWORD)pImageBuffer);
if (*(PDWORD)((DWORD)pImageBuffer + ImageDosHeader->e_lfanew) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标记\n");
free(pImageBuffer);
return NULL;
}
ImageNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pImageBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTHeader + 4);
ImageOptionalHeader32 = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
PIMAGE_SECTION_HEADER ImageSectionHeader_text = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader32 + ImageFileHeader->SizeOfOptionalHeader);
//保存可执行的Characteristics
DWORD executableCharacteristics = ImageSectionHeader_text->Characteristics;
if (NumberOfSection > ImageFileHeader->NumberOfSections)
{
printf("超出节的数量\n");
free(pImageBuffer);
return NULL;
}
if (NumberOfSection > 1)
{
SizeOfSection = IMAGE_SIZEOF_SECTION_HEADER * (NumberOfSection - 1);
}
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader_text + SizeOfSection);
if ((DWORD)(ImageSectionHeader->SizeOfRawData- ImageSectionHeader->Misc.VirtualSize) < sizeof(shellCode))
{
printf("剩余的节区空间不足\n");
free(pImageBuffer);
return NULL;
}
if (ImageSectionHeader->Misc.VirtualSize > ImageSectionHeader->SizeOfRawData)
{
printf("VirtualSize超出SizeOfRawData最大范围不能写入\n");
free(pImageBuffer);
return NULL;
}
//PDWORD code = (PDWORD)shellCode;
*((PDWORD)(shellCode + 0x9)) = (DWORD)MASSAGEBOXAADDR - (DWORD)(ImageOptionalHeader32->ImageBase + (ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize + 0xD));
*((PDWORD)(shellCode + 0xe)) = (DWORD)(ImageOptionalHeader32->ImageBase + ImageOptionalHeader32->AddressOfEntryPoint) - (DWORD)(ImageOptionalHeader32->ImageBase + (ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize + 0x12));
ImageSectionHeader->Characteristics = (ImageSectionHeader->Characteristics | executableCharacteristics);
DWORD addTheAddressOfTheCode = (DWORD)pImageBuffer + ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize;
memcpy((CHAR*)addTheAddressOfTheCode, &shellCode, sizeof(shellCode));
//DWORD E8Code = (DWORD)MASSAGEBOXAADDR - (DWORD)(ImageOptionalHeader32->ImageBase + (ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize + 0xD));
//memcpy(((CHAR*)addTheAddressOfTheCode + 0x9), &E8Code, sizeof(E8Code));
//DWORD E9Code = (DWORD)(ImageOptionalHeader32->ImageBase + ImageOptionalHeader32->AddressOfEntryPoint) - (DWORD)(ImageOptionalHeader32->ImageBase + (ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize + 0x12));
//memcpy(((CHAR*)addTheAddressOfTheCode + 0xe), &E9Code, sizeof(E9Code));
ImageOptionalHeader32->AddressOfEntryPoint = ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize;
return pImageBuffer;
}
DWORD GetdwRVA(LPSTR lpszFole,DWORD offset)
{
LPVOID pFileBuffer = NULL;
LPVOID pImageBuffer = NULL;
DWORD TrueLocation = NULL;
DWORD dwRVA = NULL;
PIMAGE_DOS_HEADER pe_dos_header = NULL;
PIMAGE_FILE_HEADER pe_file_header = NULL;
PIMAGE_OPTIONAL_HEADER32 pe_option_header_32 = NULL;
PIMAGE_NT_HEADERS pe_nt_header = NULL;
PIMAGE_SECTION_HEADER pe_section_header = NULL;
pFileBuffer = ReadPEFile(lpszFole);
if (!pFileBuffer)
{
printf("打开文件失败\n");
return NULL;
}
if (*((PWORD)pFileBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标记\n");
free(pFileBuffer);
return NULL;
}
pe_dos_header = (PIMAGE_DOS_HEADER)pFileBuffer;
if (*((PDWORD)((DWORD)pFileBuffer + pe_dos_header->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志\n");
free(pFileBuffer);
return NULL;
}
pe_nt_header = (PIMAGE_NT_HEADERS)((DWORD)pFileBuffer + pe_dos_header->e_lfanew);
pe_file_header = (PIMAGE_FILE_HEADER)((DWORD)pe_nt_header + 4);
pe_option_header_32 = (PIMAGE_OPTIONAL_HEADER32)((DWORD)pe_file_header + IMAGE_SIZEOF_FILE_HEADER);
pImageBuffer = malloc(pe_option_header_32->SizeOfImage);
if (!pImageBuffer)
{
printf("分配空间失败\n");
free(pFileBuffer);
return NULL;
}
memset(pImageBuffer, 0, pe_option_header_32->SizeOfImage);
memcpy(pImageBuffer, pFileBuffer, pe_option_header_32->SizeOfHeaders);
pe_section_header = (PIMAGE_SECTION_HEADER)((DWORD)pe_option_header_32 + pe_file_header->SizeOfOptionalHeader);
TrueLocation = offset - (DWORD)pImageBuffer;
for (size_t i = 0; i < pe_file_header->NumberOfSections; i++)
{
memcpy(((CHAR*)(DWORD)pImageBuffer) + pe_section_header->VirtualAddress,
((CHAR*)(DWORD)pFileBuffer) + pe_section_header->PointerToRawData,
pe_section_header->SizeOfRawData);
if (TrueLocation > pe_section_header->VirtualAddress && TrueLocation < (pe_section_header->VirtualAddress + pe_section_header->Misc.VirtualSize))
{
dwRVA = TrueLocation - pe_section_header->VirtualAddress;
}
pe_section_header = (PIMAGE_SECTION_HEADER)((DWORD)pe_section_header + IMAGE_SIZEOF_SECTION_HEADER);
}
free(pFileBuffer);
free(pImageBuffer);
return dwRVA;
}
//创建新的ImageBuffer
LPVOID CopyImageBufferToNewImageBuffer(LPSTR srcFile)
{
LPVOID ImageBuffer = NULL;
LPVOID NewImageBuffer = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
ImageBuffer = CopyFileBufferToImageBuffer(srcFile);
if (!ImageBuffer)
{
printf("分配空间失败\n");
return NULL;
}
if (*((PWORD)(DWORD)ImageBuffer)!=IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志\n");
free(ImageBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)ImageBuffer;
if (*((PDWORD)((DWORD)ImageBuffer + ImageDosHeader->e_lfanew))!=IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(ImageBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)ImageBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
NewImageBuffer = malloc(ImageOptionalHeader->SizeOfImage + 0x1000);
if (!NewImageBuffer)
{
printf("NewImageBuffer分配空间失败\n");
free(ImageBuffer);
return NULL;
}
memset(NewImageBuffer, 0, ImageOptionalHeader->SizeOfImage + 0x1000);
memcpy(NewImageBuffer, ImageBuffer, ImageOptionalHeader->SizeOfImage);
return NewImageBuffer;
}
//获取内存对齐或文件对齐
DWORD GetSectionAlignmentOrFileAlignment(DWORD currentNumber, DWORD Alignment)
{
if (currentNumber % Alignment != 0)
{
currentNumber = currentNumber + 0x1;
return GetSectionAlignmentOrFileAlignment(currentNumber, Alignment);
}
return currentNumber;
}
//合并节
LPVOID MergeSection(LPSTR srcFile)
{
LPVOID NewImageBuffer = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER NextImageSectionHeader = NULL;
NewImageBuffer = CopyImageBufferToNewImageBuffer(srcFile);
if (!NewImageBuffer)
{
printf("分配空间失败\n");
return NULL;
}
if (*((PWORD)(DWORD)NewImageBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志\n");
free(NewImageBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)NewImageBuffer;
if (*((PDWORD)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(NewImageBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((DWORD)(ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER));
DWORD MAX = LastImageSectionHeader->SizeOfRawData > LastImageSectionHeader->Misc.VirtualSize ? LastImageSectionHeader->SizeOfRawData : LastImageSectionHeader->Misc.VirtualSize;
ImageSectionHeader->Misc.VirtualSize = ImageSectionHeader->SizeOfRawData = (MAX + LastImageSectionHeader->VirtualAddress) - GetSectionAlignmentOrFileAlignment(ImageOptionalHeader->SizeOfHeaders,ImageOptionalHeader->SectionAlignment);
for (INT i = 0; i < (ImageFileHeader->NumberOfSections - 1); i++)
{
NextImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + IMAGE_SIZEOF_SECTION_HEADER);
ImageSectionHeader->Characteristics = ImageSectionHeader->Characteristics | NextImageSectionHeader->Characteristics;
}
ImageFileHeader->NumberOfSections = 1;
return NewImageBuffer;
}
//提升FILE头OPTIONAL头节表信息
LPVOID LiftHeaderInfo(LPSTR srcFile)
{
LPVOID NewImageBuffer = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER NewImageSectionHeader = NULL;
NewImageBuffer = CopyImageBufferToNewImageBuffer(srcFile);
if (!NewImageBuffer)
{
printf("分配空间失败\n");
return NULL;
}
if (*((PWORD)(DWORD)NewImageBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志\n");
free(NewImageBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)NewImageBuffer;
if (*((PDWORD)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(NewImageBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((DWORD)(ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER));
//提升头
memcpy((PNZCH)((DWORD)NewImageBuffer + IMAGE_SIZEOF_DOS_HEADER), (PNZCH)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew), (4 + IMAGE_SIZEOF_FILE_HEADER + ImageFileHeader->SizeOfOptionalHeader + (ImageFileHeader->NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER)));
ImageDosHeader->e_lfanew = IMAGE_SIZEOF_DOS_HEADER;
return NewImageBuffer;
}
//增加一个新的节
LPVOID AddNewSection(LPSTR srcFile)
{
LPVOID NewImageBuffer = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER LastSectionHeader = NULL;
PIMAGE_SECTION_HEADER NewSectionHeader = NULL;
DWORD EntryPoint = 0;
DWORD PointerToRawData = 0;
NewImageBuffer = MergeSection(srcFile);
if (!NewImageBuffer)
{
printf("分配空间失败\n");
return NULL;
}
if (*((PWORD)(DWORD)NewImageBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志\n");
free(NewImageBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)NewImageBuffer;
if (*((PDWORD)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(NewImageBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
DWORD SizeOfImageDosHeaderToImageSectionHeader = ((DWORD)IMAGE_SIZEOF_DOS_HEADER + (ImageDosHeader->e_lfanew - ((DWORD)IMAGE_SIZEOF_DOS_HEADER) + 4 + IMAGE_SIZEOF_FILE_HEADER
+ ImageFileHeader->SizeOfOptionalHeader + (ImageFileHeader->NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER)));
if ((ImageOptionalHeader->SizeOfHeaders - SizeOfImageDosHeaderToImageSectionHeader) < 0x50)
{
printf("剩余的节表空白区小于80个字节\n");
free(NewImageBuffer);
return NULL;
}
LastSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER));
//判断程序入口点
if (LastSectionHeader->Misc.VirtualSize > LastSectionHeader->SizeOfRawData)
{
EntryPoint = GetSectionAlignmentOrFileAlignment(LastSectionHeader->VirtualAddress + LastSectionHeader->Misc.VirtualSize, ImageOptionalHeader->SectionAlignment);
PointerToRawData = GetSectionAlignmentOrFileAlignment(LastSectionHeader->PointerToRawData + LastSectionHeader->Misc.VirtualSize, ImageOptionalHeader->FileAlignment);
}
else
{
EntryPoint = GetSectionAlignmentOrFileAlignment(LastSectionHeader->VirtualAddress + LastSectionHeader->SizeOfRawData, ImageOptionalHeader->SectionAlignment);
PointerToRawData = GetSectionAlignmentOrFileAlignment(LastSectionHeader->PointerToRawData + LastSectionHeader->SizeOfRawData, ImageOptionalHeader->FileAlignment);
}
//修改新增节表的数据
NewSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)LastSectionHeader + IMAGE_SIZEOF_SECTION_HEADER);
memcpy((PNZCH)(NewSectionHeader->Name), &SectionName, sizeof(SectionName));
NewSectionHeader->Misc.VirtualSize = 0x1000;
NewSectionHeader->VirtualAddress = EntryPoint;
NewSectionHeader->SizeOfRawData = 0x1000;
NewSectionHeader->PointerToRawData = PointerToRawData;
NewSectionHeader->PointerToRelocations = ImageSectionHeader->PointerToRelocations;
NewSectionHeader->PointerToLinenumbers = ImageSectionHeader->PointerToLinenumbers;
NewSectionHeader->NumberOfRelocations = ImageSectionHeader->NumberOfRelocations;
NewSectionHeader->NumberOfLinenumbers = ImageSectionHeader->NumberOfLinenumbers;
NewSectionHeader->Characteristics = 0x60000020;
//新增节表后补零
memset((PIMAGE_SECTION_HEADER)((DWORD)NewSectionHeader + IMAGE_SIZEOF_SECTION_HEADER), 0, IMAGE_SIZEOF_SECTION_HEADER);
*(PDWORD)(shellCode + 0x9) = (DWORD)MASSAGEBOXAADDR - (DWORD)(ImageOptionalHeader->ImageBase + (NewSectionHeader->VirtualAddress + 0xd));
*(PDWORD)(shellCode + 0xe) = ((DWORD)(ImageOptionalHeader->ImageBase + ImageOptionalHeader->AddressOfEntryPoint) - (DWORD)(ImageOptionalHeader->ImageBase + (NewSectionHeader->VirtualAddress + 0x12)));
memcpy(((CHAR*)NewImageBuffer + NewSectionHeader->VirtualAddress), &shellCode, sizeof(shellCode));
//修改节数量
ImageFileHeader->NumberOfSections = ImageFileHeader->NumberOfSections + 1;
//修改程序入口点
ImageOptionalHeader->AddressOfEntryPoint = EntryPoint;
//修改SizeOfImage大小
ImageOptionalHeader->SizeOfImage = ImageOptionalHeader->SizeOfImage + 0x1000;
return NewImageBuffer;
}
//扩大节
LPVOID AmplifySection(LPSTR srcFile)
{
LPVOID NewImageBuffer = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL;
NewImageBuffer = CopyImageBufferToNewImageBuffer(srcFile);
if (!NewImageBuffer)
{
printf("分配空间失败\n");
return NULL;
}
if (*((PWORD)(DWORD)NewImageBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志\n");
free(NewImageBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)NewImageBuffer;
if (*((PDWORD)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(NewImageBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER));
if (LastImageSectionHeader->Misc.VirtualSize > LastImageSectionHeader->SizeOfRawData)
{
DWORD VirtualSize = GetSectionAlignmentOrFileAlignment(LastImageSectionHeader->Misc.VirtualSize, ImageOptionalHeader->SectionAlignment);
*(PDWORD)(shellCode + 0x9) = (MASSAGEBOXAADDR - ((DWORD)ImageOptionalHeader->ImageBase + LastImageSectionHeader->VirtualAddress + VirtualSize + 0xd));
*(PDWORD)(shellCode + 0xe) = (((DWORD)ImageOptionalHeader->ImageBase + ImageOptionalHeader->AddressOfEntryPoint) - ((DWORD)ImageOptionalHeader->ImageBase + LastImageSectionHeader->VirtualAddress + VirtualSize + 0x12));
memcpy((PNZCH)((DWORD)NewImageBuffer + LastImageSectionHeader->VirtualAddress + VirtualSize), &shellCode, sizeof(shellCode));
ImageOptionalHeader->AddressOfEntryPoint = (DWORD)(LastImageSectionHeader->VirtualAddress + VirtualSize);
}
else
{
DWORD SizeOfRawData = GetSectionAlignmentOrFileAlignment(LastImageSectionHeader->SizeOfRawData, ImageOptionalHeader->SectionAlignment);
*(PDWORD)(shellCode + 0x9) = (MASSAGEBOXAADDR - ((DWORD)ImageOptionalHeader->ImageBase + LastImageSectionHeader->VirtualAddress + SizeOfRawData + 0xd));
*(PDWORD)(shellCode + 0xe) = (((DWORD)ImageOptionalHeader->ImageBase + ImageOptionalHeader->AddressOfEntryPoint) - ((DWORD)ImageOptionalHeader->ImageBase + LastImageSectionHeader->VirtualAddress + SizeOfRawData + 0x12));
memcpy((PNZCH)((DWORD)NewImageBuffer + LastImageSectionHeader->VirtualAddress + SizeOfRawData), &shellCode, sizeof(shellCode));
ImageOptionalHeader->AddressOfEntryPoint = (DWORD)(LastImageSectionHeader->VirtualAddress + SizeOfRawData);
}
LastImageSectionHeader->Misc.VirtualSize = LastImageSectionHeader->Misc.VirtualSize + 0x1000;
LastImageSectionHeader->SizeOfRawData = LastImageSectionHeader->SizeOfRawData + 0x1000;
ImageOptionalHeader->SizeOfImage = ImageOptionalHeader->SizeOfImage + 0x1000;
LastImageSectionHeader->Characteristics = (LastImageSectionHeader->Characteristics | ImageSectionHeader->Characteristics);
return NewImageBuffer;
}
//复制ImageBuffer到新的FileBuffer,返回新的FileBuffer
LPVOID CopyImageBufferToNewBuffer(LPSTR lpszFole)
{
LPVOID pNewBuffer = NULL;
LPVOID pImageBuffer = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader32 = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL;
pImageBuffer = AddNewSection(lpszFole);
if (!pImageBuffer)
{
printf("空间分配失败\n");
free(pImageBuffer);
return NULL;
}
if (*((PWORD)pImageBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标记\n");
free(pImageBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)pImageBuffer;
if (*((PDWORD)((DWORD)pImageBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志\n");
free(pImageBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)pImageBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader32 = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader32 + ImageFileHeader->SizeOfOptionalHeader);
LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER));
pNewBuffer = malloc(LastImageSectionHeader->VirtualAddress + LastImageSectionHeader->SizeOfRawData);
if (!pNewBuffer)
{
printf("分配空间失败\n");
free(pImageBuffer);
return NULL;
}
memcpy(pNewBuffer, pImageBuffer, ImageOptionalHeader32->SizeOfHeaders);
printf("%x\n",LastImageSectionHeader->VirtualAddress);
printf("%x\n", LastImageSectionHeader->SizeOfRawData);
for (size_t i = 0; i < ImageFileHeader->NumberOfSections; i++)
{
memset((PNZCH)((DWORD)pNewBuffer + ImageSectionHeader->PointerToRawData), 0, ImageSectionHeader->SizeOfRawData);
memcpy((PNZCH)((DWORD)pNewBuffer + ImageSectionHeader->PointerToRawData), (PNZCH)((DWORD)pImageBuffer + ImageSectionHeader->VirtualAddress), ImageSectionHeader->SizeOfRawData);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + IMAGE_SIZEOF_SECTION_HEADER);
}
free(pImageBuffer);
return pNewBuffer;
}
//新建文件保存新增的节到新的文件中
VOID CopyNewImageBufferToNewFile(LPSTR destFile, LPSTR srcFile)
{
FILE* NewFile = NULL;
LPVOID NewFileBuffer = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER LastSectionHeader = NULL;
NewFile = fopen(destFile, "wb");
if (!NewFile)
{
printf("打开文件失败\n");
return;
}
NewFileBuffer = CopyImageBufferToNewBuffer(srcFile);
if (!NewFileBuffer)
{
printf("分配空间失败\n");
return;
}
if (*((PWORD)(DWORD)NewFileBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志\n");
free(NewFileBuffer);
return;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)NewFileBuffer;
if (*((PDWORD)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(NewFileBuffer);
return;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
LastSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER));
DWORD result = fwrite(NewFileBuffer, sizeof(char), (LastSectionHeader->PointerToRawData + LastSectionHeader->SizeOfRawData), NewFile);
if (result < (DWORD)(LastSectionHeader->PointerToRawData + LastSectionHeader->SizeOfRawData))
{
printf("文件写入失败\n");
free(NewFileBuffer);
fclose(NewFile);
return;
}
free(NewFileBuffer);
printf("文件写入完成\n");
}
//输出数据目录
LPVOID DataDirectory(LPSTR srcFile)
{
LPVOID FileBuffer = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
FileBuffer = ReadPEFile(srcFile);
if (!FileBuffer)
{
printf("空间分配失败\n");
return NULL;
}
if (*((PWORD)(DWORD)FileBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志\n");
free(FileBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)FileBuffer;
if (*((PDWORD)((DWORD)FileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(FileBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)FileBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
/*
//导出表
printf("导出表%p\n", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
//导入表
printf("导出表%p\n", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]);
//资源表
printf("资源表%p\n", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE]);
//异常信息表
printf("异常信息表%p\n", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION]);
//安全证书表
printf("安全证书表%p\n", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY]);
//重定位表
printf("重定位表%p\n", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC]);
//调试信息表
printf("调试信息表%p\n", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG]);
//版权所有表
printf("版权所有表%p\n", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_ARCHITECTURE]);
//全局指针表
printf("全局指针表%p\n", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_GLOBALPTR]);
//TLS表
printf("TLS表%p\n", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS]);
//加载配置表
printf("加载配置表%p\n", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]);
//绑定导入表
printf("绑定导入表%p\n", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT]);
//IAT表
printf("IAT表%p\n", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT]);
//延迟导入表
printf("延迟导入表%p\n", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT]);
//COM信息表
printf("COM信息表%p\n", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]);
*/
return FileBuffer;
}
//RVA转FOA
DWORD RVAToFOA(LPVOID FileBuffer, DWORD VirtualAddress)
{
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
DWORD FOA = NULL;
if (*((PWORD)(DWORD)FileBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志\n");
free(FileBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)FileBuffer;
if (*((PDWORD)((DWORD)FileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(FileBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)FileBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
if (VirtualAddress <= ImageOptionalHeader->SizeOfHeaders)
{
return VirtualAddress;
}
for (size_t i = 0; i < ImageFileHeader->NumberOfSections; i++)
{
if (VirtualAddress >= ImageSectionHeader->VirtualAddress && VirtualAddress < (ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize))
{
FOA = ((DWORD)ImageSectionHeader->PointerToRawData + (VirtualAddress - ImageSectionHeader->VirtualAddress));
}
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + IMAGE_SIZEOF_SECTION_HEADER);
}
return FOA;
}
//FOA转RVA
DWORD FOAToRVA(LPVOID FileBuffer, DWORD VirtualAddress)
{
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
DWORD RVA = NULL;
if (*((PWORD)(DWORD)FileBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志\n");
free(FileBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)FileBuffer;
if (*((PDWORD)((DWORD)FileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(FileBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)FileBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
if (VirtualAddress <= ImageOptionalHeader->SizeOfHeaders)
{
return VirtualAddress;
}
for (size_t i = 0; i < ImageFileHeader->NumberOfSections; i++)
{
if (VirtualAddress >= ImageSectionHeader->PointerToRawData && VirtualAddress < (ImageSectionHeader->PointerToRawData + ImageSectionHeader->SizeOfRawData))
{
RVA = ((DWORD)ImageSectionHeader->VirtualAddress + (VirtualAddress - ImageSectionHeader->PointerToRawData));
}
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + IMAGE_SIZEOF_SECTION_HEADER);
}
return RVA;
}
//通过函数名获取函数地址
LPVOID GetFunctionAddrByName(LPVOID FileBuffer, LPSTR FunctionName)
{
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
IMAGE_DATA_DIRECTORY ExportTableVirtualAddress;
PIMAGE_EXPORT_DIRECTORY ImageExportDirectory = NULL;
PDWORD ResultAddressOfName = NULL;
LPVOID ResultAddressOfFunction = NULL;
WORD ResultAddressOfNameOrdinals = NULL;
DWORD IndexFunctionAddress = NULL;
if (*((PWORD)(DWORD)FileBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志\n");
free(FileBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)FileBuffer;
if (*((PDWORD)((DWORD)FileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(FileBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)FileBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
//导出表
ExportTableVirtualAddress = ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
DWORD ExportTableFOA = RVAToFOA(FileBuffer, ExportTableVirtualAddress.VirtualAddress);
ImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((DWORD)FileBuffer + ExportTableFOA);
//获取函数名称偏移
PDWORD FuntionNameAddress = (PDWORD)((DWORD)FileBuffer + RVAToFOA(FileBuffer, ImageExportDirectory->AddressOfNames));
//获取函数序号偏移
PWORD AddressOfNameOrdinals = (PWORD)((DWORD)FileBuffer + RVAToFOA(FileBuffer, ImageExportDirectory->AddressOfNameOrdinals));
//获取函数偏移
PDWORD AddressOfFunctions = (PDWORD)((DWORD)FileBuffer + RVAToFOA(FileBuffer, ImageExportDirectory->AddressOfFunctions));
//获取函数名称下标
for (size_t i = 0; i < ImageExportDirectory->NumberOfNames; i++)
{
if (*((LPSTR)((DWORD)FileBuffer + RVAToFOA(FileBuffer, FuntionNameAddress[i]))) == *FunctionName)
{
ResultAddressOfNameOrdinals = AddressOfNameOrdinals[i];
IndexFunctionAddress = (DWORD)AddressOfFunctions[ResultAddressOfNameOrdinals];
ResultAddressOfFunction = (LPVOID)((DWORD)FileBuffer + RVAToFOA(FileBuffer, IndexFunctionAddress));
}
}
return ResultAddressOfFunction;
}
//通过序号获取函数地址
LPVOID GetFunctionAddrByOrdinals(LPVOID FileBuffer, DWORD Ordinals)
{
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
IMAGE_DATA_DIRECTORY ExportTableVirtualAddress;
PIMAGE_EXPORT_DIRECTORY ImageExportDirectory = NULL;
PDWORD ResultAddressOfName = NULL;
LPVOID ResultAddressOfFunction = NULL;
DWORD OrdinalsIndex = NULL;
DWORD FunctionAddressIndex = NULL;
if (*((PWORD)(DWORD)FileBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志\n");
free(FileBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)FileBuffer;
if (*((PDWORD)((DWORD)FileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(FileBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)FileBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
//导出表
ExportTableVirtualAddress = ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
DWORD ExportTableFOA = RVAToFOA(FileBuffer, ExportTableVirtualAddress.VirtualAddress);
ImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((DWORD)FileBuffer + ExportTableFOA);
//获取函数名称偏移
PDWORD FuntionNameAddress = (PDWORD)((DWORD)FileBuffer + RVAToFOA(FileBuffer, ImageExportDirectory->AddressOfNames));
//获取函数序号偏移
PWORD AddressOfNameOrdinals = (PWORD)((DWORD)FileBuffer + RVAToFOA(FileBuffer, ImageExportDirectory->AddressOfNameOrdinals));
//获取函数偏移
PDWORD AddressOfFunctions = (PDWORD)((DWORD)FileBuffer + RVAToFOA(FileBuffer, ImageExportDirectory->AddressOfFunctions));
//获取函数下标
OrdinalsIndex = Ordinals - ImageExportDirectory->Base;
//通过下标获取指向的函数在内存中的地址
FunctionAddressIndex = AddressOfFunctions[OrdinalsIndex];
//通过FileBuffer获取函数编译
ResultAddressOfFunction = (LPVOID)((DWORD)FileBuffer + RVAToFOA(FileBuffer, FunctionAddressIndex));
return ResultAddressOfFunction;
}
//输出导出表
DWORD ExportTable(LPSTR srcFile)
{
LPVOID FileBuffer = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
IMAGE_DATA_DIRECTORY ExportTableVirtualAddress;
PIMAGE_EXPORT_DIRECTORY ImageExportDirectory = NULL;
FileBuffer = ReadPEFile(srcFile);
if (!FileBuffer)
{
printf("空间分配失败\n");
return NULL;
}
if (*((PWORD)(DWORD)FileBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志\n");
free(FileBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)FileBuffer;
if (*((PDWORD)((DWORD)FileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(FileBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)FileBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
//导出表
ExportTableVirtualAddress = ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
DWORD ExportTableFOA = RVAToFOA(FileBuffer,ExportTableVirtualAddress.VirtualAddress);
ImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((DWORD)FileBuffer + ExportTableFOA);
printf("Characteristics->%x\n",ImageExportDirectory->Characteristics);
printf("TimeDateStamp->%x\n",ImageExportDirectory->TimeDateStamp);
printf("MajorVersion->%x\n",ImageExportDirectory->MajorVersion);
printf("MinorVersion->%x\n",ImageExportDirectory->MinorVersion);
printf("Name地址->%x\n",ImageExportDirectory->Name);
printf("Name名字->%s\n",((CHAR*)FileBuffer + RVAToFOA(FileBuffer, ImageExportDirectory->Name)));
printf("Base->%x\n",ImageExportDirectory->Base);
printf("NumberOfFunctions->%x\n",ImageExportDirectory->NumberOfFunctions);
printf("NumberOfNames->%x\n",ImageExportDirectory->NumberOfNames);
printf("AddressOfFunctions->%x\n",ImageExportDirectory->AddressOfFunctions);
printf("AddressOfNames->%x\n",ImageExportDirectory->AddressOfNames);
printf("AddressOfNameOrdinals->%x\n",ImageExportDirectory->AddressOfNameOrdinals);
return 0;
}
//输出重定位表
LPVOID RelocationTable(LPSTR srcFile)
{
LPVOID FileBuffer = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
IMAGE_DATA_DIRECTORY ImageDataDirctory;
PIMAGE_BASE_RELOCATION ImageBaseRelocation = NULL;
DWORD ImageDataDirctoryVirtualAddress = NULL;
PWORD RepairAddress = NULL;
int count = 1;
FileBuffer = ReadPEFile(srcFile);
if (!FileBuffer)
{
printf("空间分配失败\n");
return NULL;
}
if (*((PWORD)(DWORD)FileBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志\n");
free(FileBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)FileBuffer;
if (*((PDWORD)((DWORD)FileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(FileBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)FileBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageDataDirctory = ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
ImageDataDirctoryVirtualAddress = RVAToFOA(FileBuffer, ImageDataDirctory.VirtualAddress);
ImageBaseRelocation = (PIMAGE_BASE_RELOCATION)((DWORD)FileBuffer + ImageDataDirctoryVirtualAddress);
RepairAddress = (PWORD)((DWORD)ImageBaseRelocation + 8);
while (ImageBaseRelocation->VirtualAddress!=0 && ImageBaseRelocation->SizeOfBlock!=0)
{
printf("第%d项\n",count);
for (size_t i = 0; i < ((ImageBaseRelocation->SizeOfBlock - 8) / 2); i++)
{
printf("RVA->%x-----属性->%x---FOA偏移->%p\n", (ImageBaseRelocation->VirtualAddress + (*RepairAddress & 0x0FFF)), ((*RepairAddress & 0xF000) >> 12), RepairAddress);
RepairAddress++;
}
ImageBaseRelocation = (PIMAGE_BASE_RELOCATION)((DWORD)ImageBaseRelocation + ImageBaseRelocation->SizeOfBlock);
RepairAddress = (PWORD)((DWORD)ImageBaseRelocation + 8);
count++;
}
return 0;
}
//创建FileBuffer增加0x1000长度
LPVOID CopyFileBufferToNewFileBuffer(LPSTR srcFile)
{
LPVOID FileBuffer = NULL;
LPVOID NewFileBuffer = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL;
DWORD SizeOfFileBuffer = NULL;
FileBuffer = ReadPEFile(srcFile);
if (!FileBuffer)
{
printf("空间分配失败\n");
return NULL;
}
if (*((PWORD)(DWORD)FileBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志\n");
free(FileBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)FileBuffer;
if (*((PDWORD)((DWORD)FileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(FileBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)FileBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER));
SizeOfFileBuffer = ((DWORD)LastImageSectionHeader->PointerToRawData + LastImageSectionHeader->SizeOfRawData);
NewFileBuffer = malloc(SizeOfFileBuffer + 0x1000);
if (!NewFileBuffer)
{
printf("分配空间失败\n");
free(FileBuffer);
return NULL;
}
memset(NewFileBuffer, 0, SizeOfFileBuffer + 0x1000);
memcpy(NewFileBuffer, FileBuffer, SizeOfFileBuffer);
free(FileBuffer);
return NewFileBuffer;
}
//NewFileBuffer新增节
LPVOID AddSectionToNewFileBuffer(LPVOID NewFileBuffer)
{
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER NewImageSectionHeader = NULL;
DWORD SizeOfFileBuffer = NULL;
if (!NewFileBuffer)
{
printf("空间分配失败\n");
return NULL;
}
if (*((PWORD)(DWORD)NewFileBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志\n");
free(NewFileBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)NewFileBuffer;
if (*((PDWORD)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(NewFileBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER));
SizeOfFileBuffer = ((DWORD)LastImageSectionHeader->PointerToRawData + LastImageSectionHeader->SizeOfRawData);
if ((ImageOptionalHeader->SizeOfHeaders - (IMAGE_SIZEOF_DOS_HEADER + (ImageDosHeader->e_lfanew - IMAGE_SIZEOF_DOS_HEADER) + 4 + IMAGE_SIZEOF_FILE_HEADER + ImageFileHeader->SizeOfOptionalHeader + (ImageFileHeader->NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER))) < 0X50)
{
printf("剩余的空间大小不能添加新的节表");
free(NewFileBuffer);
return NULL;
}
NewImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)LastImageSectionHeader + IMAGE_SIZEOF_SECTION_HEADER);
memcpy(((PNZCH)NewImageSectionHeader->Name), &SectionName, sizeof(SectionName));
NewImageSectionHeader->Misc.VirtualSize = 0x1000;
NewImageSectionHeader->SizeOfRawData = 0x1000;
if (LastImageSectionHeader->Misc.VirtualSize > LastImageSectionHeader->SizeOfRawData)
{
NewImageSectionHeader->VirtualAddress = ((DWORD)LastImageSectionHeader->VirtualAddress +
GetSectionAlignmentOrFileAlignment(LastImageSectionHeader->Misc.VirtualSize,ImageOptionalHeader->SectionAlignment));
}
else
{
NewImageSectionHeader->VirtualAddress = ((DWORD)LastImageSectionHeader->VirtualAddress +
GetSectionAlignmentOrFileAlignment(LastImageSectionHeader->Misc.VirtualSize, ImageOptionalHeader->SectionAlignment));
}
NewImageSectionHeader->Characteristics = 0xE0000060;
NewImageSectionHeader->PointerToRawData = ((DWORD)LastImageSectionHeader->PointerToRawData + LastImageSectionHeader->SizeOfRawData);
NewImageSectionHeader->PointerToRelocations = ImageSectionHeader->PointerToRelocations;
NewImageSectionHeader->PointerToLinenumbers = ImageSectionHeader->PointerToLinenumbers;
NewImageSectionHeader->NumberOfRelocations = ImageSectionHeader->NumberOfRelocations;
NewImageSectionHeader->NumberOfLinenumbers = ImageSectionHeader->NumberOfLinenumbers;
memset((NewImageSectionHeader + IMAGE_SIZEOF_SECTION_HEADER), 0, 40);
ImageFileHeader->NumberOfSections = ImageFileHeader->NumberOfSections + 1;
ImageOptionalHeader->SizeOfImage = ImageOptionalHeader->SizeOfImage + 0x1000;
return NewFileBuffer;
}
//移动导出表
LPVOID MoveExportTable(LPVOID NewFileBuffer)
{
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER NewImageSectionHeader = NULL;
PIMAGE_DATA_DIRECTORY ImageDataDirectory = NULL;
PIMAGE_EXPORT_DIRECTORY ImageExportDirectory = NULL;
PIMAGE_EXPORT_DIRECTORY NewImageExportDirectory = NULL;
if (!NewFileBuffer)
{
printf("空间分配失败\n");
return NULL;
}
if (*((PWORD)(DWORD)NewFileBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志\n");
free(NewFileBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)NewFileBuffer;
if (*((PDWORD)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(NewFileBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER));
ImageDataDirectory = (PIMAGE_DATA_DIRECTORY)&ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
ImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((DWORD)NewFileBuffer + RVAToFOA(NewFileBuffer, ImageDataDirectory->VirtualAddress));
//复制AddressOfFunctions
memcpy((PNZCH)((DWORD)NewFileBuffer + LastImageSectionHeader->PointerToRawData), (PNZCH)((DWORD)NewFileBuffer + RVAToFOA(NewFileBuffer, ImageExportDirectory->AddressOfFunctions)),
(ImageExportDirectory->NumberOfFunctions * 4));
//复制AddressOfNameOrdinals
memcpy((PNZCH)((DWORD)NewFileBuffer + (LastImageSectionHeader->PointerToRawData + (ImageExportDirectory->NumberOfFunctions * 4))), (PNZCH)((DWORD)NewFileBuffer + RVAToFOA(NewFileBuffer, ImageExportDirectory->AddressOfNameOrdinals)),
(ImageExportDirectory->NumberOfNames * 2));
//复制AddressOfNames
memcpy((PNZCH)((DWORD)NewFileBuffer + (LastImageSectionHeader->PointerToRawData + ((ImageExportDirectory->NumberOfFunctions * 4) + (ImageExportDirectory->NumberOfNames * 2)))),
(PNZCH)((DWORD)NewFileBuffer + RVAToFOA(NewFileBuffer, ImageExportDirectory->AddressOfNames)),
(ImageExportDirectory->NumberOfNames * 4));
//复制函数名在新加节中的起始位置
DWORD FunctionNameStartAddress = ((DWORD)LastImageSectionHeader->PointerToRawData + ((ImageExportDirectory->NumberOfFunctions * 4) + (ImageExportDirectory->NumberOfNames * 2)
+ (ImageExportDirectory->NumberOfNames * 4)));
//FileBuffer中的原函数名的起始位置
PDWORD FunctionNameAddress = (PDWORD)((DWORD)NewFileBuffer + RVAToFOA(NewFileBuffer, ImageExportDirectory->AddressOfNames));
PDWORD NewFunctionNameAddress = (PDWORD)((DWORD)NewFileBuffer + (LastImageSectionHeader->PointerToRawData + (ImageExportDirectory->NumberOfFunctions*4) + (ImageExportDirectory->NumberOfNames*2)));
//计算FunctionNameAddress偏移
DWORD Offset = FunctionNameStartAddress - LastImageSectionHeader->PointerToRawData;
for (size_t i = 0; i < ImageExportDirectory->NumberOfNames; i++)
{
//取出原函数名的起始位置
PNZCH FunctionName = (PNZCH)(((DWORD)NewFileBuffer + RVAToFOA(NewFileBuffer, *FunctionNameAddress)));
memcpy((PNZCH)((DWORD)NewFileBuffer + FunctionNameStartAddress), FunctionName,strlen(FunctionName));
memset((PNZCH)((DWORD)NewFileBuffer + (FunctionNameStartAddress + strlen(FunctionName))), 0, 1);
*NewFunctionNameAddress = (DWORD)LastImageSectionHeader->VirtualAddress + Offset;
Offset = Offset + strlen(FunctionName) + 1;
FunctionNameStartAddress = FunctionNameStartAddress + strlen(FunctionName) + 1;
FunctionNameAddress = FunctionNameAddress++;
NewFunctionNameAddress = NewFunctionNameAddress++;
}
//修复新的导出表数据
NewImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((DWORD)NewFileBuffer + (LastImageSectionHeader->PointerToRawData + Offset));
memcpy(NewImageExportDirectory, ImageExportDirectory, sizeof(IMAGE_EXPORT_DIRECTORY));
memcpy((PNZCH)((DWORD)NewFileBuffer + (LastImageSectionHeader->PointerToRawData + Offset) + sizeof(IMAGE_EXPORT_DIRECTORY)), NewExportFileName, sizeof(NewExportFileName));
NewImageExportDirectory->Name = (LastImageSectionHeader->VirtualAddress + (Offset + sizeof(IMAGE_EXPORT_DIRECTORY)));
NewImageExportDirectory->AddressOfFunctions = LastImageSectionHeader->VirtualAddress;
NewImageExportDirectory->AddressOfNameOrdinals = (LastImageSectionHeader->VirtualAddress + (NewImageExportDirectory->NumberOfFunctions * 4));
NewImageExportDirectory->AddressOfNames = (LastImageSectionHeader->VirtualAddress + (NewImageExportDirectory->NumberOfFunctions * 4) + (NewImageExportDirectory->NumberOfNames * 2));
ImageDataDirectory->VirtualAddress = ((DWORD)LastImageSectionHeader->VirtualAddress + Offset);
return NewFileBuffer;
}
//移动重定位表
LPVOID MoveRelocateTable(LPVOID NewFileBuffer)
{
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER NewImageSectionHeader = NULL;
PIMAGE_DATA_DIRECTORY ImageDataDirectory = NULL;
PIMAGE_BASE_RELOCATION ImageBaseRelocation = NULL;
PIMAGE_BASE_RELOCATION NewImageBaseRelocationStartAddress = NULL;
if (!NewFileBuffer)
{
printf("空间分配失败\n");
return NULL;
}
if (*((PWORD)(DWORD)NewFileBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志\n");
free(NewFileBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)NewFileBuffer;
if (*((PDWORD)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(NewFileBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER));
ImageDataDirectory = (PIMAGE_DATA_DIRECTORY)(&ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC]);
ImageBaseRelocation = (PIMAGE_BASE_RELOCATION)((DWORD)NewFileBuffer + RVAToFOA(NewFileBuffer, ImageDataDirectory->VirtualAddress));
//新的重定位表起始地址
NewImageBaseRelocationStartAddress = (PIMAGE_BASE_RELOCATION)((DWORD)NewFileBuffer + LastImageSectionHeader->PointerToRawData);
while (ImageBaseRelocation->VirtualAddress!=0 && ImageBaseRelocation->SizeOfBlock !=0)
{
memcpy((PNZCH)NewImageBaseRelocationStartAddress, (PNZCH)ImageBaseRelocation, ImageBaseRelocation->SizeOfBlock);
NewImageBaseRelocationStartAddress = (PIMAGE_BASE_RELOCATION)((DWORD)NewImageBaseRelocationStartAddress + ImageBaseRelocation->SizeOfBlock);
ImageBaseRelocation = (PIMAGE_BASE_RELOCATION)((DWORD)ImageBaseRelocation + ImageBaseRelocation->SizeOfBlock);
}
ImageDataDirectory->VirtualAddress = LastImageSectionHeader->VirtualAddress;
return NewFileBuffer;
}
//移动重定位表并修改ImageBase
LPVOID MoveRelocateTableAndAlterImageBase(LPVOID NewFileBuffer)
{
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER NewImageSectionHeader = NULL;
PIMAGE_DATA_DIRECTORY ImageDataDirectory = NULL;
PIMAGE_BASE_RELOCATION ImageBaseRelocation = NULL;
if (!NewFileBuffer)
{
printf("空间分配失败\n");
return NULL;
}
if (*((PWORD)(DWORD)NewFileBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志\n");
free(NewFileBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)NewFileBuffer;
if (*((PDWORD)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(NewFileBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER));
ImageDataDirectory = (PIMAGE_DATA_DIRECTORY)(&ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC]);
ImageOptionalHeader->ImageBase = 0x20000000;
ImageBaseRelocation = (PIMAGE_BASE_RELOCATION)((DWORD)NewFileBuffer + RVAToFOA(NewFileBuffer, ImageDataDirectory->VirtualAddress));
while (ImageBaseRelocation->VirtualAddress!=0&&ImageBaseRelocation->SizeOfBlock!=0)
{
PWORD StartDataAddress = PWORD((DWORD)ImageBaseRelocation + 8);
for (size_t i = 0; i < ((ImageBaseRelocation->SizeOfBlock-8)/2); i++)
{
WORD FourHigh = ((*StartDataAddress & 0xF000)>>12);
WORD LowBit = (*StartDataAddress & 0x0FFF);
if (FourHigh == 3)
{
*((PDWORD)((DWORD)NewFileBuffer + RVAToFOA(NewFileBuffer, ((DWORD)ImageBaseRelocation->VirtualAddress + LowBit)))) = *((PDWORD)((DWORD)NewFileBuffer + RVAToFOA(NewFileBuffer, ((DWORD)ImageBaseRelocation->VirtualAddress + LowBit)))) + 0x10000000;
}
StartDataAddress++;
}
ImageBaseRelocation = (PIMAGE_BASE_RELOCATION)((DWORD)ImageBaseRelocation + ImageBaseRelocation->SizeOfBlock);
}
return NewFileBuffer;
}
//打印导入表
VOID PrintImportTable(LPVOID FileBuffer)
{
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader32 = NULL;
PIMAGE_DATA_DIRECTORY ImageDataDirectory = NULL;
PIMAGE_IMPORT_DESCRIPTOR ImageImportDescriptor = NULL;
if (*((PWORD)FileBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标记\n");
free(FileBuffer);
return ;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)FileBuffer;
if (*((PDWORD)((DWORD)FileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志\n");
free(FileBuffer);
return ;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)FileBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader32 = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageDataDirectory = (PIMAGE_DATA_DIRECTORY)&ImageOptionalHeader32->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
ImageImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)FileBuffer + RVAToFOA(FileBuffer, ImageDataDirectory->VirtualAddress));
while (ImageImportDescriptor->Characteristics != 0)
{
PNZCH DllName = (PNZCH)((DWORD)FileBuffer + RVAToFOA(FileBuffer, ImageImportDescriptor->Name));
printf("Dll名称->%s\n", DllName);
printf("-------------------------------------------\n");
printf("TimeDateStamp->%d\n", ImageImportDescriptor->TimeDateStamp);
printf("OriginalFirstThunk函数名或序号为\n");
PDWORD OriginalFirstThunk = (PDWORD)((DWORD)FileBuffer + RVAToFOA(FileBuffer, ImageImportDescriptor->OriginalFirstThunk));
PDWORD FirstThunk = (PDWORD)((DWORD)FileBuffer + RVAToFOA(FileBuffer, ImageImportDescriptor->FirstThunk));
while (*OriginalFirstThunk != 0)
{
DWORD OriginalFirstThunkBestHighBit = (*OriginalFirstThunk & 0x80000000) >> 31;
if (OriginalFirstThunkBestHighBit == 1)
{
DWORD OriginalFirstThunkSerialNumber = (*OriginalFirstThunk & 0x6FFFFFFF);
printf("序号为->%x\n", OriginalFirstThunkSerialNumber);
}
else
{
PIMAGE_IMPORT_BY_NAME OriginalFirstThunkFunctionName = (PIMAGE_IMPORT_BY_NAME)((DWORD)FileBuffer + RVAToFOA(FileBuffer, *OriginalFirstThunk));
printf("HIT为->%x\n", OriginalFirstThunkFunctionName->Hint);
printf("函数名为->%s\n", OriginalFirstThunkFunctionName->Name);
}
OriginalFirstThunk++;
}
printf("FirstThunk函数名或序号为\n");
while (*FirstThunk != 0)
{
DWORD FirstThunkBestHighBit = (*FirstThunk & 0x80000000) >> 31;
if (FirstThunkBestHighBit == 1)
{
DWORD FirstThunkSerialNumber = (*FirstThunk & 0x6FFFFFFF);
printf("序号为->%x\n", FirstThunkSerialNumber);
}
else
{
PIMAGE_IMPORT_BY_NAME FirstThunkFunctionName = (PIMAGE_IMPORT_BY_NAME)((DWORD)FileBuffer + RVAToFOA(FileBuffer, *FirstThunk));
printf("HIT为->%x\n", FirstThunkFunctionName->Hint);
printf("函数名为->%s\n", FirstThunkFunctionName->Name);
}
FirstThunk++;
}
ImageImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)ImageImportDescriptor + sizeof(IMAGE_IMPORT_DESCRIPTOR));
}
free(FileBuffer);
}
//打印绑定导入表
VOID PrintBoundImportTable(LPVOID FileBuffer)
{
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader32 = NULL;
PIMAGE_DATA_DIRECTORY ImageDataDirectoryToImportDescriptor = NULL;
PIMAGE_DATA_DIRECTORY ImageDataDirectoryToBoundImportDescriptor = NULL;
PIMAGE_IMPORT_DESCRIPTOR ImageImportDescriptor = NULL;
PIMAGE_BOUND_IMPORT_DESCRIPTOR ImageBoundImportDescriptor = NULL;
PIMAGE_BOUND_FORWARDER_REF ImageBoundForwarderRef = NULL;
DWORD FirstBoundImportDescriptorAddress = NULL;
if (*((PWORD)FileBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标记\n");
free(FileBuffer);
return;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)FileBuffer;
if (*((PDWORD)((DWORD)FileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志\n");
free(FileBuffer);
return;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)FileBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader32 = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageDataDirectoryToImportDescriptor = (PIMAGE_DATA_DIRECTORY)&ImageOptionalHeader32->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
ImageImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)FileBuffer + RVAToFOA(FileBuffer, ImageDataDirectoryToImportDescriptor->VirtualAddress));
ImageDataDirectoryToBoundImportDescriptor = (PIMAGE_DATA_DIRECTORY)&ImageOptionalHeader32->DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT];
ImageBoundImportDescriptor = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)((DWORD)FileBuffer + ImageDataDirectoryToBoundImportDescriptor->VirtualAddress);
FirstBoundImportDescriptorAddress = ((DWORD)FileBuffer + ImageDataDirectoryToBoundImportDescriptor->VirtualAddress);
while (ImageImportDescriptor->OriginalFirstThunk !=0 && ImageImportDescriptor->FirstThunk !=0)
{
if (ImageImportDescriptor->TimeDateStamp == -1)
{
printf("-------------------------------------------------------------------------\n");
printf("NAME->%s\n", (PNZCH)(FirstBoundImportDescriptorAddress + ImageBoundImportDescriptor->OffsetModuleName));
printf("-------------------------------------------------------------------------\n");
printf("OffsetModuleName->%x\n", ImageBoundImportDescriptor->OffsetModuleName);
printf("TimeDateStamp->%x\n", ImageBoundImportDescriptor->TimeDateStamp);
printf("NumberOfModuleForwarderRefs->%x\n", ImageBoundImportDescriptor->NumberOfModuleForwarderRefs);
if (ImageBoundImportDescriptor->NumberOfModuleForwarderRefs > 0)
{
size_t i = 1;
ImageBoundForwarderRef = (PIMAGE_BOUND_FORWARDER_REF)((DWORD)ImageBoundImportDescriptor + sizeof(IMAGE_BOUND_IMPORT_DESCRIPTOR));
for (i; i <= ImageBoundImportDescriptor->NumberOfModuleForwarderRefs; i++)
{
printf("引入的NAME->%s\n", (PNZCH)(FirstBoundImportDescriptorAddress + ImageBoundForwarderRef->OffsetModuleName));
printf("-------------------------------------------------------------------------\n");
printf("OffsetModuleName->%x\n", ImageBoundForwarderRef->OffsetModuleName);
printf("TimeDateStamp->%x\n", ImageBoundForwarderRef->TimeDateStamp);
ImageBoundForwarderRef++;
}
ImageBoundImportDescriptor = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)((DWORD)ImageBoundImportDescriptor + (i * sizeof(IMAGE_BOUND_FORWARDER_REF)));
}
else
{
ImageBoundImportDescriptor++;
}
}
ImageImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)ImageImportDescriptor + sizeof(IMAGE_IMPORT_DESCRIPTOR));
}
}
//导入表注入
LPVOID InjectImportTable(LPVOID NewFileBuffer)
{
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER NewImageSectionHeader = NULL;
PIMAGE_DATA_DIRECTORY ImageDataDirectory = NULL;
PIMAGE_IMPORT_DESCRIPTOR ImageImportDescriptor = NULL;
PIMAGE_IMPORT_DESCRIPTOR NewImageImportDescriptor = NULL;
PIMAGE_IMPORT_DESCRIPTOR LastImageImportDescriptor = NULL;
PIMAGE_IMPORT_BY_NAME NewImageImportByName = NULL;
PNEW_INT_TABLE NewINTTable = NULL;
PNEW_IAT_TABLE NewIATTable = NULL;
PDWORD NewAddSectionStartAddress = NULL;
int ImportTableCount = 0;
if (!NewFileBuffer)
{
printf("空间分配失败\n");
return NULL;
}
if (*((PWORD)(DWORD)NewFileBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志\n");
free(NewFileBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)NewFileBuffer;
if (*((PDWORD)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(NewFileBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER));
ImageDataDirectory = (PIMAGE_DATA_DIRECTORY)(&ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]);
ImageImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)NewFileBuffer + RVAToFOA(NewFileBuffer, ImageDataDirectory->VirtualAddress));
NewAddSectionStartAddress = (PDWORD)((DWORD)NewFileBuffer + LastImageSectionHeader->PointerToRawData);
//复制DLL名称
memcpy((PNZCH)NewAddSectionStartAddress, (PNZCH)&DllName, strlen((PNZCH)&DllName));
//复制函数名称
memcpy((PNZCH)((DWORD)NewAddSectionStartAddress + strlen((PNZCH)& DllName) + 3), (PNZCH)&APIName, strlen((PNZCH)& APIName));
while (ImageImportDescriptor->OriginalFirstThunk!=0&&ImageImportDescriptor->FirstThunk!=0)
{
memcpy((PNZCH)((DWORD)NewAddSectionStartAddress + (strlen((PNZCH)& DllName) + 3) + (strlen((PNZCH)& APIName) + 1) + (ImportTableCount* sizeof(IMAGE_IMPORT_DESCRIPTOR))), ImageImportDescriptor, sizeof(IMAGE_IMPORT_DESCRIPTOR));
ImportTableCount++;
ImageImportDescriptor++;
}
NewImageImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)NewAddSectionStartAddress + (strlen((PNZCH)& DllName) + 3) + (strlen((PNZCH)& APIName) + 1)
+ (ImportTableCount * sizeof(IMAGE_IMPORT_DESCRIPTOR)));
//最后一个导入表信息,并全部置0
LastImageImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)NewImageImportDescriptor + sizeof(IMAGE_IMPORT_DESCRIPTOR));
memset((PNZCH)LastImageImportDescriptor, 0, sizeof(IMAGE_IMPORT_DESCRIPTOR));
//添加INT表
NewINTTable = (PNEW_INT_TABLE)((DWORD)LastImageImportDescriptor + sizeof(IMAGE_IMPORT_DESCRIPTOR));
//添加IAT表
NewIATTable = (PNEW_IAT_TABLE)((DWORD)NewINTTable + sizeof(NEW_INT_TABLE));
//添加ImportByName表
NewImageImportByName = (PIMAGE_IMPORT_BY_NAME)((DWORD)NewAddSectionStartAddress + (strlen((PNZCH)& DllName) + 1));
//修复INT表
NewINTTable->VirtualAddress = (DWORD)LastImageSectionHeader->VirtualAddress + ((strlen((PNZCH)& DllName) + 1));
NewINTTable->OverAddress = 0;
//修复IAT表
NewIATTable->VirtualAddress = (DWORD)LastImageSectionHeader->VirtualAddress + ((strlen((PNZCH)& DllName) + 1));
NewIATTable->OverAddress = 0;
//修复新增导入表
NewImageImportDescriptor->FirstThunk = (DWORD)LastImageSectionHeader->VirtualAddress + ((DWORD)NewIATTable - ((DWORD)NewFileBuffer + LastImageSectionHeader->PointerToRawData));
NewImageImportDescriptor->OriginalFirstThunk = (DWORD)LastImageSectionHeader->VirtualAddress + ((DWORD)NewINTTable - ((DWORD)NewFileBuffer + LastImageSectionHeader->PointerToRawData));
NewImageImportDescriptor->TimeDateStamp = 0;
NewImageImportDescriptor->ForwarderChain = 0;
NewImageImportDescriptor->Name = (DWORD)LastImageSectionHeader->VirtualAddress;
//修复数据目录
ImageDataDirectory->VirtualAddress = (LastImageSectionHeader->VirtualAddress + (strlen((PNZCH)& DllName) + 3) + (strlen((PNZCH)& APIName) + 1));
ImageDataDirectory->Size = ((DWORD)ImageDataDirectory->Size + sizeof(IMAGE_IMPORT_DESCRIPTOR));
return NewFileBuffer;
}
//复制NewFileBuffer到新的文件中
VOID CopyNewFileBufferToNewFile(LPVOID NewFileBuffer, LPSTR DestFile)
{
FILE* NewFile = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER LastSectionHeader = NULL;
NewFile = fopen(DestFile, "wb");
if (!NewFile)
{
printf("打开文件失败\n");
return;
}
if (*((PWORD)(DWORD)NewFileBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志\n");
free(NewFileBuffer);
return;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)NewFileBuffer;
if (*((PDWORD)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(NewFileBuffer);
return;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
LastSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER));
DWORD result = fwrite(NewFileBuffer, sizeof(char), (LastSectionHeader->PointerToRawData + LastSectionHeader->SizeOfRawData), NewFile);
if (result < (DWORD)(LastSectionHeader->PointerToRawData + LastSectionHeader->SizeOfRawData))
{
printf("文件写入失败\n");
free(NewFileBuffer);
fclose(NewFile);
return;
}
free(NewFileBuffer);
printf("文件写入完成\n");
}
