五.解决-打造
[THIS IS JMP S2]
现在我们再回头整理一下整个过程...结合这张表:
这张PE文件数据图就是一个很大的"填空",除去重要的数据部分,我们可以随便写入数据的地方有2个(也就是两个大挂号挂起来的中间).
第一个是从地址00000002开始的,到地址0000003B结束的56字节.
第二个是从地址00000160开始的,到PE文件结尾的160字节.(也可以从000000158开始,这样就有168字节)
因为我们的程序很短,所以第二个168字节基本上可以满足要求全部,就不需要第一个56字节的数据了.把数据和在一起也方便呢,不是么?^_^.
那这些地方具体填写些什么东西呢?大致来说分为三个部分:
1.导入表,包括"URLDownloadToFile"这个函数的字符串和"URLMON.DLL"这个DLL的字符串.
2.文件的可执行机器码.
3.函数需要的数据.
首先是导入表,根据上一节说的那些,我们可以很容易的判断出这个"URLDownloadToFile"该填在"58 11 00 00"的位置.当然你可以改这个值,这个值只是我写的.总之你想吧这个导入表放在什么位置,这个"58 11 00 00"就要指向这个位置.于是我们在PE文件的00000158位置写入"31 00 URLDownloadToFile"字符串,前面两个16进制是序号是给转载器提供信息作为在DLL中导出地址的依据. <
[THIS IS JMP S2]
现在我们再回头整理一下整个过程...结合这张表:
| 代码 |
| Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 00000000 4D 5A 5B 00 00 00 00 00 00 00 00 00 00 00 00 00 MZ[............. 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 5D 40 00 00 00 ...........]@... 00000040 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 PE..L........... 00000050 00 00 00 00 70 00 0F 01 0B 01 00 00 00 02 00 00 ....p........... 00000060 00 00 00 00 00 00 00 00 79 01 00 00 00 00 00 00 ........y....... 00000070 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 ......@......... 00000080 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ................ 00000090 00 30 00 00 00 02 00 00 00 00 00 00 02 00 00 00 .0.............. 000000A0 00 01 00 00 00 00 00 00 00 01 00 00 00 10 00 00 ................ 000000B0 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................ 000000C0 28 11 00 00 28 00 00 00 00 00 00 00 00 00 00 00 (...(........... 000000D0 00 02 00 00 00 10 00 00 00 02 00 00 00 01 00 00 ................ 000000E0 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 60 ............`..` 000000F0 00 00 00 00 00 00 00 00 02 00 00 00 00 20 00 00 ............. .. 00000100 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000110 00 00 00 00 60 00 00 60 00 00 00 00 00 00 00 00 ....`..`........ 00000120 58 11 00 00 00 00 00 00 50 11 00 00 00 00 00 00 X.......P....... 00000130 00 00 00 00 6E 11 00 00 20 11 00 00 00 00 00 00 ....n... ....... 00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000150 58 11 00 00 00 00 00 00 5B 00 00 00 00 00 00 00 ........[....... 00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000001B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000001C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000001D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5D ...............] |
这张PE文件数据图就是一个很大的"填空",除去重要的数据部分,我们可以随便写入数据的地方有2个(也就是两个大挂号挂起来的中间).
第一个是从地址00000002开始的,到地址0000003B结束的56字节.
第二个是从地址00000160开始的,到PE文件结尾的160字节.(也可以从000000158开始,这样就有168字节)
因为我们的程序很短,所以第二个168字节基本上可以满足要求全部,就不需要第一个56字节的数据了.把数据和在一起也方便呢,不是么?^_^.
那这些地方具体填写些什么东西呢?大致来说分为三个部分:
1.导入表,包括"URLDownloadToFile"这个函数的字符串和"URLMON.DLL"这个DLL的字符串.
2.文件的可执行机器码.
3.函数需要的数据.
首先是导入表,根据上一节说的那些,我们可以很容易的判断出这个"URLDownloadToFile"该填在"58 11 00 00"的位置.当然你可以改这个值,这个值只是我写的.总之你想吧这个导入表放在什么位置,这个"58 11 00 00"就要指向这个位置.于是我们在PE文件的00000158位置写入"31 00 URLDownloadToFile"字符串,前面两个16进制是序号是给转载器提供信息作为在DLL中导出地址的依据. <
最低0.47元/天 解锁文章
5824
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
