前言
看到 PEID 插件目录自带的例子，试验了一下。等逆向出 PEID 的算法扫描插件后，就可以直接在这个插件工程中编写还原代码了。
PEID 插件的调用约定是 __cdecl。
试验记录
; @filename ReKanalPlugin.def
LIBRARY ReKanalPlugin
DESCRIPTION "Kanal pulgin RE project"
VERSION 0.1
EXPORTS
fnBuildTime @1
LoadDll @2
DoMyJob @3
// @file ReKanalPlugin.h
//
// The following ifdef block is the standard way of creating macros which make exporting
// from a DLL simpler. All files within this DLL are compiled with the REKANALPLUGIN_EXPORTS
// symbol defined on the command line. this symbol should not be defined on any project
// that uses this DLL. This way any other project whose source files include this file see
// REKANALPLUGIN_API functions as being imported from a DLL, wheras this DLL sees symbols
// defined with this macro as being exported.
#ifdef REKANALPLUGIN_EXPORTS
#define REKANALPLUGIN_API __declspec(dllexport)
#else
#define REKANALPLUGIN_API __declspec(dllimport)
#endif
/// Build stamp of the plug-in; exported as ordinal 1 (see ReKanalPlugin.def).
REKANALPLUGIN_API int __cdecl fnBuildTime(void);
/// Display name the host asks the plug-in for; exported as ordinal 2.
REKANALPLUGIN_API char* __cdecl LoadDll();
/// Task entry the host calls with its window handle and the target file name;
/// exported as ordinal 3. All three entries use the __cdecl convention the host expects.
REKANALPLUGIN_API DWORD __cdecl DoMyJob(HWND hMainDlg, char* szFname, DWORD lpReserved, LPVOID lpParam);
// ReKanalPlugin.cpp : Defines the entry point for the DLL application.
//
#include "stdafx.h"
#include "ReKanalPlugin.h"
#define PROG_NAME "Kanal pulgin RE project"
// DLL entry point. The plug-in keeps no process-wide or thread-local state,
// so every attach/detach notification is accepted without doing anything.
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;
    if (ul_reason_for_call == DLL_PROCESS_ATTACH || ul_reason_for_call == DLL_PROCESS_DETACH) {
        // nothing to initialise or release for the process
    } else if (ul_reason_for_call == DLL_THREAD_ATTACH || ul_reason_for_call == DLL_THREAD_DETACH) {
        // nothing to initialise or release per thread
    }
    return TRUE;
}
/// Returns the plug-in's build stamp (presumably a packed 0xYYYYMMDD date; here 2016-10-09).
REKANALPLUGIN_API int __cdecl fnBuildTime(void)
{
    const int kBuildStamp = 0x20161009;
    return kBuildStamp;
}
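/// Returns the plug-in's display name (PROG_NAME), which the host shows in its
/// plug-in menu. The name lives in a static writable buffer: the export must
/// return a non-const char*, and handing out a string literal through a char*
/// is ill-formed in C++11 and later (and would be undefined behaviour if the
/// host ever wrote to it). The host is assumed not to modify the buffer.
REKANALPLUGIN_API char* __cdecl LoadDll()
{
    static char s_name[] = PROG_NAME;
    return s_name;
}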
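/// Task entry called by the PEiD host when the user picks this plug-in.
///
/// hMainDlg:   HWND of the PEiD window, used as owner of the message box.
/// szFname:    full path of the target PE file; may be NULL.
/// lpReserved: PEiD passes the multi-character constant 'PEiD' here.
/// lpParam:    NULL today, reserved for future use.
/// Returns 1; how the host interprets the value is not visible from this file.
///
/// The host acts as the plug-in's driver: it loads the DLL, asks for the
/// plug-in name to build its menu, and on click hands this function the host
/// window handle and the target file name.
REKANALPLUGIN_API DWORD __cdecl DoMyJob(HWND hMainDlg, char* szFname, DWORD lpReserved, LPVOID lpParam)
{
    (void)lpParam;
    // 'PEiD' stored as a DWORD on a little-endian x86 machine is laid out in
    // memory as the bytes "DiEP", so the byte-wise comparison below checks for
    // that reversed spelling. This only recognises the expected host; it is a
    // sanity check on the calling convention, not a trust boundary.
    const char kPeidSignature[] = "DiEP";
    const DWORD dwPeidSignature = lpReserved;
    const bool calledByPeid =
        (0 == memcmp(kPeidSignature, &dwPeidSignature, sizeof(DWORD)));
    if (calledByPeid) {
        // Placeholder for the real analysis: show the file name the host passed.
        ::MessageBox(hMainDlg, (NULL != szFname) ? szFname : "", PROG_NAME, MB_OK);
    }
    return 1;
}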