一、流程
1、File-> FileBuffer
2、FileBuffer->ImageBuffer
3、判断空闲区是否有足够的空间存储ShellCode代码
4、将ShellCode代码复制到空闲区
5、修正E8、E9
6、修正OEP(程序入口点)
7、ImageBuffer->NewBuffer
8、NewBuffer->文件
二、演示
1、看上篇
2、看上篇
3、判断空闲区是否有足够的空间存储ShellCode代码
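/* Stub planted in the section's slack space. Layout (byte offsets):
 *   0x00..0x07  6A 00 x4   push 0 -- four zero arguments for the call below
 *   0x08        E8 rel32   call; its rel32 operand (0x09..0x0C) is patched later
 *   0x0D        E9 rel32   jmp;  its rel32 operand (0x0E..0x11) is patched later
 * Total length 0x12 bytes. */
BYTE ShellCode[] =
{
    0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00,
    0xE8, 0x00, 0x00, 0x00, 0x00,
    0xE9, 0x00, 0x00, 0x00, 0x00
};
/* Derived from the array so the length can never drift from the bytes above
 * (the hand-written 0x12 had to be kept in sync manually). */
#define SHELLCODELENGTH ((DWORD)sizeof(ShellCode))
/* Absolute VA of MessageBox taken from one particular user32.dll build.
 * NOTE(review): this is only valid on that exact OS build with ASLR off; on
 * any other system the E8 lands in the wrong place. A robust injector would
 * resolve the target through the image's import table instead of a constant. */
#define MESSAGEBOXADDR 0x77D5050B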
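pDosHeader = (PIMAGE_DOS_HEADER)pImageBuffer;
/* The file header follows the 4-byte "PE\0\0" signature located at e_lfanew. */
PIMAGE_FILE_HEADER fileHdr = (PIMAGE_FILE_HEADER)((DWORD)pImageBuffer + pDosHeader->e_lfanew + 4);
pOptionHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)fileHdr + IMAGE_SIZEOF_FILE_HEADER);
/* Locate the section table via the size recorded in the file header instead of
 * the fixed PE32 constant: SizeOfOptionalHeader is what the loader honours and
 * it need not equal IMAGE_SIZEOF_NT_OPTIONAL32_HEADER. */
pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader + fileHdr->SizeOfOptionalHeader);
/* Index of the section whose slack receives the stub (hard-coded by the tutorial). */
DWORD i = 2;
/* Reading pSectionHeader[i] for an index past the table walks off the headers. */
if (i >= fileHdr->NumberOfSections)
{
    printf("节索引越界");
    free(pFileBuffer);
    free(pImageBuffer);
    return;
}
/* Slack = SizeOfRawData - VirtualSize. Both fields are unsigned DWORDs: when
 * VirtualSize exceeds SizeOfRawData (legal, e.g. trailing uninitialised data)
 * the subtraction wraps to a huge value and the size check would pass falsely,
 * so that case is rejected explicitly before subtracting. */
if ((pSectionHeader+i)->Misc.VirtualSize > (pSectionHeader+i)->SizeOfRawData
    || (((pSectionHeader+i)->SizeOfRawData) - (pSectionHeader+i)->Misc.VirtualSize) < SHELLCODELENGTH)
{
    printf("代码空间不够");
    free(pFileBuffer);
    free(pImageBuffer);
    return;
}
/* The stub becomes the entry point, so its page must be executable; a
 * non-executable section would fault at the new OEP under DEP/NX. */
if (!((pSectionHeader+i)->Characteristics & IMAGE_SCN_MEM_EXECUTE))
{
    printf("目标节不可执行");
    free(pFileBuffer);
    free(pImageBuffer);
    return;
}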
4、将ShellCode代码复制到空闲区
/* Copy the stub into the section's slack: the first free byte of section i is
 * at RVA VirtualAddress + VirtualSize, i.e. just past the bytes in use. */
DWORD slackRva = (pSectionHeader+i)->VirtualAddress + (pSectionHeader+i)->Misc.VirtualSize;
CodeBegin = (PBYTE)pImageBuffer + slackRva;
memcpy(CodeBegin, ShellCode, SHELLCODELENGTH);
5、修正E8、E9
/* Patch the two rel32 operands. x86 relative branches are measured from the
 * address of the instruction that follows the branch, hence the +0xD and
 * +SHELLCODELENGTH below. */
DWORD stubRva = (DWORD)CodeBegin - (DWORD)pImageBuffer;   /* RVA of ShellCode[0] */
/* E8 at stub+8: operand at stub+9, next instruction at stub+0xD. The target is
 * a fixed absolute VA, so the displacement is only correct if the image really
 * loads at pOptionHeader->ImageBase and user32 sits where MESSAGEBOXADDR says.
 * NOTE(review): under ASLR or a relocated image this call goes astray. */
DWORD CallAddr = MESSAGEBOXADDR - (pOptionHeader->ImageBase + stubRva + 0xD);
*(PDWORD)(CodeBegin + 9) = CallAddr;
/* E9 at stub+0xD: operand at stub+0xE, next instruction at stub+SHELLCODELENGTH.
 * Both ends live in this image, so ImageBase cancels out and the jump back to
 * the original entry point stays valid even if the image is relocated. */
DWORD JmpAddr = pOptionHeader->AddressOfEntryPoint - (stubRva + SHELLCODELENGTH);
*(PDWORD)(CodeBegin + 0xE) = JmpAddr;
6、修正OEP(程序入口点)
/* Point the entry point at the stub (its RVA is the offset of CodeBegin inside
 * the image buffer) and extend the section's VirtualSize so the stub is
 * accounted for as section content. The slack check earlier is what keeps the
 * enlarged VirtualSize within SizeOfRawData. */
DWORD newOep = (DWORD)CodeBegin - (DWORD)pImageBuffer;
pOptionHeader->AddressOfEntryPoint = newOep;
(pSectionHeader+i)->Misc.VirtualSize += SHELLCODELENGTH;
7、看上篇
8、看上篇