另类DLL加载方法 —— PEAnalyais

最新推荐文章于 2022-06-20 19:57:46 发布
最新推荐文章于 2022-06-20 19:57:46 发布
阅读量3.9k 收藏 4
点赞数
分类专栏: ASM/WTL/MFC/QT
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/wangningyu/article/details/8716586
版权

本文详细介绍了PE文件解析方法,C++源码示例介绍如何解析PE文件从而打造自己的GetProcAddress,从资源文件中调用dll函数(无需释放文件)

转载请注明出处:http://blog.csdn.net/wangningyu/article/details/8716586

先看图:

代码如下:

1、测试DLL

BOOL __stdcall MsgBox(char *pszText,char *pszTitle)
{
	return ::MessageBoxA(NULL,pszText,pszTitle,MB_OK | MB_ICONINFORMATION);
}

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
					 )
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return TRUE;
}

2、测试工程

      XPEAnalyais.h

//
// XPEAnalyais.h
// dll loader by Koma
// 感谢C++侦探、201724
// http://blog.csdn.net/wangningyu

#ifndef PEANALYSIS_H
#define PEANALYSIS_H

PIMAGE_NT_HEADERS AnalyaisImage(HMODULE hModule);
FARPROC __stdcall MyGetProcAddress(HMODULE hModule,LPCSTR name);
HMODULE LoadLibraryByFile(const char * pszDllPath);
HMODULE LoadLibraryByResource(WORD wResID,char *pszFileType);
DWORD GetPECodeEnd(HMODULE hModule);
DWORD GetPEImageEnd(HMODULE hModule);
DWORD GetPEImageSize(HMODULE hModule);
DWORD GetCodeSize(HMODULE hModule);

#endif
      XPEAnalyais.cpp 
//
// XPEAnalyais.cpp
// dll loader by Koma
// 感谢C++侦探、201724
// http://blog.csdn.net/wangningyu

#include "stdafx.h"
#include "XPEAnalyais.h"
#include <stdio.h>
#include <assert.h>

typedef BOOL (__stdcall * fnDllMain)(HINSTANCE hModule,DWORD dwReason,LPVOID lpvReserved);

PIMAGE_NT_HEADERS AnalyaisImage(HMODULE hModule)
{
	PBYTE pImage = (PBYTE)hModule;
	PIMAGE_DOS_HEADER pImageDosHeader;
	PIMAGE_NT_HEADERS pImageNtHeader;
	pImageDosHeader = (PIMAGE_DOS_HEADER)pImage;
	if(pImageDosHeader->e_magic==IMAGE_DOS_SIGNATURE)
	{
		pImageNtHeader = (PIMAGE_NT_HEADERS)&pImage[pImageDosHeader->e_lfanew];
		if(pImageNtHeader->Signature==IMAGE_NT_SIGNATURE)
		{
			return pImageNtHeader;
		}
	}
	return NULL;
}

FARPROC __stdcall MyGetProcAddress(HMODULE hModule,LPCSTR name)
{
	if(!hModule)
	{
		hModule = GetModuleHandle(0);
	}
	PBYTE pDest = (PBYTE)hModule;
	PIMAGE_DOS_HEADER pImageDosDest;
	PIMAGE_NT_HEADERS pImageNtDest;
	PIMAGE_DATA_DIRECTORY pDirectory;
	PIMAGE_EXPORT_DIRECTORY pExport;
	DWORD i, *nameRef;
	WORD *ordinal;
	int idx=-1;
	pImageDosDest = (PIMAGE_DOS_HEADER)pDest;
	pImageNtDest = (PIMAGE_NT_HEADERS)&pDest[pImageDosDest->e_lfanew];
	pDirectory = &pImageNtDest->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
	
	if(pDirectory->Size==0)
		return NULL;
	pExport = (PIMAGE_EXPORT_DIRECTORY)((DWORD)pDest + pDirectory->VirtualAddress);
	
	if(pExport->NumberOfNames == 0 || pExport->NumberOfFunctions == 0)
		return NULL;
	ordinal = (WORD *) ((DWORD)pDest + pExport->AddressOfNameOrdinals);
	if((DWORD)(name) < 0x10000)
	{
		if ((DWORD)name >= pExport->NumberOfFunctions+pExport->Base || (DWORD)name < pExport->Base)
			return NULL;
		idx = (DWORD)pDest+((DWORD*)((DWORD)pDest+pExport->AddressOfFunctions))[(DWORD)name-pExport->Base];
	}else
	{
		nameRef = (DWORD *) ((DWORD)pDest + pExport->AddressOfNames);
		for (i=0; i<pExport->NumberOfNames; i++, nameRef++, ordinal++) {
			if (strcmp(name, (const char *) ((DWORD)pDest + (*nameRef))) == 0) {
				idx = *ordinal;
				break;
			}
		}
	}
	if (idx == -1) {
		return NULL;
	}
	if ((DWORD)idx > pExport->NumberOfFunctions) {
		return NULL;
	}
	return (FARPROC) ((DWORD)hModule + (*(DWORD *) ((DWORD)hModule + pExport->AddressOfFunctions + (idx*4))));
}
void CopySection(PBYTE pSrc,PBYTE pDest)
{
	unsigned int i,size;
	PIMAGE_DOS_HEADER pImageDosSrc;
	PIMAGE_NT_HEADERS pImageNtSrc;
	PIMAGE_DOS_HEADER pImageDosDest;
	PIMAGE_NT_HEADERS pImageNtDest;
	PIMAGE_SECTION_HEADER pSection;
	pImageDosSrc = (PIMAGE_DOS_HEADER)pSrc;
	pImageNtSrc = (PIMAGE_NT_HEADERS)&pSrc[pImageDosSrc->e_lfanew];

	pImageDosDest = (PIMAGE_DOS_HEADER)pDest;
	pImageNtDest = (PIMAGE_NT_HEADERS)&pDest[pImageDosDest->e_lfanew];
	pSection = IMAGE_FIRST_SECTION(pImageNtDest);
	for(i=0;i<pImageNtDest->FileHeader.NumberOfSections;i++,pSection++)
	{
		if(pSection->SizeOfRawData == 0)
		{
			size = pImageNtSrc->OptionalHeader.SectionAlignment;
			if(size > 0)
			{
				pSection->Misc.PhysicalAddress = pSection->VirtualAddress + (DWORD)pDest;
				memset((PVOID)pSection->Misc.PhysicalAddress,0,size);
			}
			continue;
		}
		pSection->Misc.PhysicalAddress = pSection->VirtualAddress + (DWORD)pDest;
		memcpy((PVOID)pSection->Misc.PhysicalAddress, (PVOID)((DWORD)pSrc + pSection->PointerToRawData), pSection->SizeOfRawData);
	}
}
void GetImportInfo(DWORD imgbase,DWORD impoff)
{
	PIMAGE_IMPORT_DESCRIPTOR pImport = (PIMAGE_IMPORT_DESCRIPTOR)(imgbase+impoff);
	HMODULE hModuleSys;
	DWORD i,p;
	PIMAGE_THUNK_DATA32 pimpthunk;
	PIMAGE_IMPORT_BY_NAME pimpname;
	FARPROC* pimpwrite;
	FARPROC pFunc;
	for(i=0;pImport[i].Characteristics!=0;i++)
	{	
		hModuleSys = LoadLibraryA((LPCSTR)(pImport[i].Name + imgbase));
		pimpthunk = (PIMAGE_THUNK_DATA32)(pImport[i].OriginalFirstThunk + imgbase);
		pimpwrite = (FARPROC*)(pImport[i].FirstThunk + imgbase);
		for(p=0;pimpthunk[p].u1.AddressOfData!=0;p++)
		{
			pimpname = (PIMAGE_IMPORT_BY_NAME)((DWORD)pimpthunk[p].u1.AddressOfData+imgbase);
			if(IMAGE_SNAP_BY_ORDINAL32(pimpthunk[p].u1.AddressOfData))
			{
				pFunc = GetProcAddress(hModuleSys,(LPCSTR)IMAGE_ORDINAL(pimpthunk[p].u1.AddressOfData));
				pimpwrite[p] = pFunc;
			}else
			{
				pFunc = GetProcAddress(hModuleSys,(LPCSTR)&pimpname->Name);
				pimpwrite[p] = pFunc;
			}
		}
	}
}
void LoadImport(PBYTE pSrc,PBYTE pDest)
{
	PIMAGE_DOS_HEADER pImageDosSrc;
	PIMAGE_NT_HEADERS pImageNtSrc;
	PIMAGE_DOS_HEADER pImageDosDest;
	PIMAGE_NT_HEADERS pImageNtDest; 
	PIMAGE_DATA_DIRECTORY pDirectory;
	pImageDosSrc = (PIMAGE_DOS_HEADER)pSrc;
	pImageNtSrc = (PIMAGE_NT_HEADERS)&pSrc[pImageDosSrc->e_lfanew];
	
	pImageDosDest = (PIMAGE_DOS_HEADER)pDest;
	pImageNtDest = (PIMAGE_NT_HEADERS)&pDest[pImageDosDest->e_lfanew];

	pDirectory = &pImageNtDest->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
	if(!pDirectory->VirtualAddress)
		return;
	GetImportInfo((DWORD)pDest,pDirectory->VirtualAddress);
}

bool check_import(HMODULE hModule)
{
	PBYTE pImage = (PBYTE)hModule;
	PIMAGE_DOS_HEADER pImageDos;
	PIMAGE_NT_HEADERS pImageNT;
	PIMAGE_DATA_DIRECTORY pDataDirectory;
	PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor;
	pImageDos = (PIMAGE_DOS_HEADER)pImage;
	pImageNT = (PIMAGE_NT_HEADERS)&pImage[pImageDos->e_lfanew];

	pDataDirectory = &pImageNT->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
	if(!pDataDirectory->VirtualAddress)
		return false;
	pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)&pImage[pDataDirectory->VirtualAddress];

	for(int i=0;pImportDescriptor[i].Characteristics!=0;i++)
	{
		HMODULE hCurrentModule = LoadLibraryA((LPCSTR)(&pImage[pImportDescriptor[i].Name]));
		PIMAGE_THUNK_DATA32 pCurrentImportThunk = (PIMAGE_THUNK_DATA32)(&pImage[pImportDescriptor[i].OriginalFirstThunk]);
		FARPROC* pCurrentImportList = (FARPROC*)(&pImage[pImportDescriptor[i].FirstThunk]);
		for(int m_imp=0;pCurrentImportThunk[m_imp].u1.AddressOfData!=0;m_imp++)
		{
			if(IMAGE_SNAP_BY_ORDINAL32(pCurrentImportThunk[m_imp].u1.AddressOfData))
			{
				if(pCurrentImportList[m_imp] != GetProcAddress(hCurrentModule,(LPCSTR)IMAGE_ORDINAL(pCurrentImportThunk[m_imp].u1.AddressOfData)))
					return false;
			}else
			{
				if(pCurrentImportList[m_imp] != GetProcAddress(hCurrentModule,(LPCSTR)&((PIMAGE_IMPORT_BY_NAME)&pImage[pCurrentImportThunk[m_imp].u1.AddressOfData])->Name))
					return false;
			}
		}
	}
	return true;
}
void FixupResource(PBYTE pDest)
{
	DWORD imagebase;
	PIMAGE_RESOURCE_DIRECTORY pRes;
	PIMAGE_RESOURCE_DIRECTORY_ENTRY pEntry;
	DWORD nEntries;
	DWORD i;
	PIMAGE_RESOURCE_DIRECTORY pRes2;
	PIMAGE_RESOURCE_DIRECTORY_ENTRY pEntry2;
	DWORD nEntries2;
	PIMAGE_RESOURCE_DIR_STRING_U pDirStr;
	PIMAGE_RESOURCE_DIRECTORY pRes3;
	PIMAGE_RESOURCE_DIRECTORY_ENTRY pEntry3;
	DWORD nEntries3;
	DWORD j;
	DWORD k;
	PIMAGE_RESOURCE_DATA_ENTRY pData;
	PIMAGE_DOS_HEADER pImageDosDest;
	PIMAGE_NT_HEADERS pImageNtDest; 
	
	pImageDosDest = (PIMAGE_DOS_HEADER)pDest;
	pImageNtDest = (PIMAGE_NT_HEADERS)&pDest[pImageDosDest->e_lfanew];
	imagebase = pImageNtDest->OptionalHeader.ImageBase;
	if(!pImageNtDest->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress)
		return;
	pRes = (PIMAGE_RESOURCE_DIRECTORY)(imagebase + pImageNtDest->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress);
	nEntries = pRes->NumberOfIdEntries + pRes->NumberOfNamedEntries;
	pEntry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((DWORD)pRes + sizeof(IMAGE_RESOURCE_DIRECTORY));
	for (i = 0; i < nEntries; ++i, ++pEntry) {
		
		if (IMAGE_RESOURCE_DATA_IS_DIRECTORY & pEntry->OffsetToData) {
			pRes2 = (PIMAGE_RESOURCE_DIRECTORY)((DWORD)pRes
				+ (~IMAGE_RESOURCE_DATA_IS_DIRECTORY & pEntry->OffsetToData));
			nEntries2 = pRes2->NumberOfIdEntries + pRes2->NumberOfNamedEntries;
			pEntry2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((DWORD)pRes2 + sizeof(IMAGE_RESOURCE_DIRECTORY));

			for (j = 0; j < nEntries2; ++j, ++pEntry2) {
				if (IMAGE_RESOURCE_NAME_IS_STRING & pEntry2->Name) {
					
					pDirStr = (PIMAGE_RESOURCE_DIR_STRING_U)((DWORD)pRes
						+ (~IMAGE_RESOURCE_NAME_IS_STRING & pEntry2->Name));
				}
				if (IMAGE_RESOURCE_DATA_IS_DIRECTORY & pEntry2->OffsetToData) {
					pRes3 = (PIMAGE_RESOURCE_DIRECTORY)((DWORD)pRes
						+ (~IMAGE_RESOURCE_DATA_IS_DIRECTORY & pEntry2->OffsetToData));
					nEntries3 = pRes3->NumberOfIdEntries + pRes3->NumberOfNamedEntries;
					pEntry3 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((DWORD)pRes3 + sizeof(IMAGE_RESOURCE_DIRECTORY));

					for (k = 0; k < nEntries3; ++k) {
						assert(~IMAGE_RESOURCE_DATA_IS_DIRECTORY & pEntry3->OffsetToData);
						
						pData = (PIMAGE_RESOURCE_DATA_ENTRY)((DWORD)pRes + pEntry3->OffsetToData);
						pData->OffsetToData += (DWORD)imagebase;
					}
				}
			}
			
		}
	}
}
PVOID ReadData(IN LPCSTR lpFileName,OUT DWORD* ReadSize)
{
	PBYTE pLibrarySrc;
	HANDLE hFile = CreateFileA(lpFileName,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
	if(hFile!=INVALID_HANDLE_VALUE)
	{
		*ReadSize = GetFileSize(hFile,NULL);
		pLibrarySrc = (PBYTE)VirtualAlloc(0,*ReadSize,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
		if(!ReadFile(hFile,pLibrarySrc,*ReadSize,ReadSize,NULL))
		{
			CloseHandle(hFile);
			VirtualFree(pLibrarySrc,*ReadSize,MEM_DECOMMIT);
			return NULL;
		}
		CloseHandle(hFile);
		return (PVOID)pLibrarySrc;
	}
	return NULL;
}
BOOL CheckPEFile(PIMAGE_DOS_HEADER pImageDosDest,PIMAGE_NT_HEADERS* pImageNtDest)
{
	PBYTE pImage = (PBYTE)pImageDosDest;
	if(pImageDosDest->e_magic!=IMAGE_DOS_SIGNATURE)
		return FALSE;
	*pImageNtDest = (PIMAGE_NT_HEADERS)&pImage[pImageDosDest->e_lfanew];
	if((*pImageNtDest)->Signature!=IMAGE_NT_SIGNATURE)
		return FALSE;
	return TRUE;
}
void LoadRelocation(PBYTE pSrc,PBYTE pDest)
{
	PIMAGE_DOS_HEADER pImageDosSrc;
	PIMAGE_NT_HEADERS pImageNtSrc;
	PIMAGE_DOS_HEADER pImageDosDest;
	PIMAGE_NT_HEADERS pImageNtDest;
	PIMAGE_DATA_DIRECTORY pDirectory;
	PIMAGE_BASE_RELOCATION pRelocation;
	DWORD dwOriginAddress;
	DWORD dwBaseDelta;
	PWORD pData;
	int i,size;
	DWORD* dwRelocationPointer;
	int iType;
	pImageDosSrc = (PIMAGE_DOS_HEADER)pSrc;
	pImageNtSrc = (PIMAGE_NT_HEADERS)&pSrc[pImageDosSrc->e_lfanew];
	
	pImageDosDest = (PIMAGE_DOS_HEADER)pDest;
	pImageNtDest = (PIMAGE_NT_HEADERS)&pDest[pImageDosDest->e_lfanew];
	pDirectory = (PIMAGE_DATA_DIRECTORY)&pImageNtDest->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
	if(!pDirectory->VirtualAddress)
		return;
	pRelocation = (PIMAGE_BASE_RELOCATION)(pDirectory->VirtualAddress + (DWORD)pDest);
	dwOriginAddress = pImageNtSrc->OptionalHeader.ImageBase;
	dwBaseDelta = (DWORD)pDest - dwOriginAddress;
	while(pRelocation->VirtualAddress!=0)
	{
		size = (pRelocation->SizeOfBlock-sizeof(IMAGE_DATA_DIRECTORY))/2;
		pData = (PWORD)((DWORD)pRelocation + 8);
		for (i=0;i<size;i++)
		{
			iType = pData[i] >> 12;
			dwRelocationPointer =  (DWORD*)((DWORD)pDest + ((pData[i] & 0x0fff) + pRelocation->VirtualAddress));
			switch(iType)
			{
			case IMAGE_REL_BASED_ABSOLUTE:
				break;
			case IMAGE_REL_BASED_HIGH:
				*(PWORD)dwRelocationPointer = (WORD)(((dwBaseDelta + *(PWORD)dwRelocationPointer) >> 16) & 0xFFFF);
				break;
			case IMAGE_REL_BASED_LOW:
				*(PWORD)dwRelocationPointer = (WORD)((dwBaseDelta + *(PWORD)dwRelocationPointer) & 0xFFFF);
				break;
			case IMAGE_REL_BASED_HIGHLOW:
					*dwRelocationPointer = *dwRelocationPointer + dwBaseDelta;
					break;
			default:
				break;
			}
		}
		pRelocation = (PIMAGE_BASE_RELOCATION)((DWORD)pRelocation + pRelocation->SizeOfBlock);		
	}
}

HMODULE LoadLibraryByResource(WORD wResID,char *pszFileType)
{
	DWORD dwReadSize;
	PBYTE pLibrarySrc;
	PBYTE pLibraryDest;
	PIMAGE_DOS_HEADER pImageDosSrc;
	PIMAGE_NT_HEADERS pImageNtSrc;
	PIMAGE_DOS_HEADER pImageDosDest;
	PIMAGE_NT_HEADERS pImageNtDest;

	HRSRC	hrsc =  FindResourceA(NULL, MAKEINTRESOURCEA(wResID),pszFileType);
	HGLOBAL hG   = LoadResource(NULL, hrsc);

	dwReadSize   = SizeofResource( NULL,  hrsc);
	pLibrarySrc  = (PBYTE)hG;
	if(pLibrarySrc!=NULL)
	{
		pImageDosSrc = (PIMAGE_DOS_HEADER)pLibrarySrc;
		if(!CheckPEFile(pImageDosSrc,&pImageNtSrc))
			return NULL;
		pLibraryDest = (PBYTE)VirtualAlloc(NULL,pImageNtSrc->OptionalHeader.SizeOfImage,MEM_COMMIT,PAGE_EXECUTE_READWRITE);

		//copy header
		memcpy(pLibraryDest, pImageDosSrc, pImageDosSrc->e_lfanew + pImageNtSrc->OptionalHeader.SizeOfHeaders);
		pImageDosDest = (PIMAGE_DOS_HEADER)pLibraryDest;
		pImageNtDest = (PIMAGE_NT_HEADERS)&pLibraryDest[pImageDosDest->e_lfanew];
		pImageNtDest->OptionalHeader.ImageBase = (DWORD)pLibraryDest;

		CopySection(pLibrarySrc,pLibraryDest);
		LoadRelocation(pLibrarySrc,pLibraryDest);
		//FixupResource(pLibraryDest);
		LoadImport(pLibrarySrc,pLibraryDest);
		if(pImageNtDest->OptionalHeader.AddressOfEntryPoint)
			((fnDllMain)(pImageNtDest->OptionalHeader.AddressOfEntryPoint + (DWORD)pLibraryDest))((HINSTANCE)pLibraryDest,DLL_PROCESS_ATTACH,NULL);
		//pImageDosDest->e_magic = 0;
		//pImageNtDest->Signature = 0;
		return (HMODULE)pLibraryDest;
	}
	return NULL;
}

HMODULE LoadLibraryByFile(const char * pszDllPath)
{
	DWORD dwReadSize;
	PBYTE pLibrarySrc;
	PBYTE pLibraryDest;
	PIMAGE_DOS_HEADER pImageDosSrc;
	PIMAGE_NT_HEADERS pImageNtSrc;
	PIMAGE_DOS_HEADER pImageDosDest;
	PIMAGE_NT_HEADERS pImageNtDest;
	pLibrarySrc  = (PBYTE)ReadData(pszDllPath,&dwReadSize);
	if(pLibrarySrc!=NULL)
	{
		pImageDosSrc = (PIMAGE_DOS_HEADER)pLibrarySrc;
		if(!CheckPEFile(pImageDosSrc,&pImageNtSrc))
		{
			VirtualFree(pLibrarySrc,dwReadSize,MEM_COMMIT);
			return NULL;
		}
		pLibraryDest = (PBYTE)VirtualAlloc(NULL,pImageNtSrc->OptionalHeader.SizeOfImage,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
		//copy header
		memcpy(pLibraryDest, pImageDosSrc, pImageDosSrc->e_lfanew + pImageNtSrc->OptionalHeader.SizeOfHeaders);

		pImageDosDest = (PIMAGE_DOS_HEADER)pLibraryDest;
		pImageNtDest = (PIMAGE_NT_HEADERS)&pLibraryDest[pImageDosDest->e_lfanew];
		pImageNtDest->OptionalHeader.ImageBase = (DWORD)pLibraryDest;

		CopySection(pLibrarySrc,pLibraryDest);
		LoadRelocation(pLibrarySrc,pLibraryDest);
		//FixupResource(pLibraryDest);
		LoadImport(pLibrarySrc,pLibraryDest);
		VirtualFree(pLibrarySrc,dwReadSize,MEM_DECOMMIT);
		if(pImageNtDest->OptionalHeader.AddressOfEntryPoint)
			((fnDllMain)(pImageNtDest->OptionalHeader.AddressOfEntryPoint + (DWORD)pLibraryDest))((HINSTANCE)pLibraryDest,DLL_PROCESS_ATTACH,NULL);
		//pImageDosDest->e_magic = 0;
		//pImageNtDest->Signature = 0;
		return (HMODULE)pLibraryDest;
	}
	return NULL;
}


DWORD GetCodeSize(HMODULE hModule)
{
	PBYTE pInfo = (PBYTE)hModule;
	PIMAGE_DOS_HEADER pImgDos = (PIMAGE_DOS_HEADER)pInfo;
	PIMAGE_NT_HEADERS pImgNt;
	if(pImgDos->e_magic==IMAGE_DOS_SIGNATURE)
	{
		pImgNt = (PIMAGE_NT_HEADERS)&pInfo[pImgDos->e_lfanew];
		if(pImgNt)
		{
			if(pImgNt->Signature==IMAGE_NT_SIGNATURE)
			{
				return pImgNt->OptionalHeader.SizeOfCode;
			}
		}
	}
	return NULL;
}
DWORD GetPEImageSize(HMODULE hModule)
{
	PBYTE pInfo = (PBYTE)hModule;
	PIMAGE_DOS_HEADER pImgDos = (PIMAGE_DOS_HEADER)pInfo;
	PIMAGE_NT_HEADERS pImgNt;
	if(pImgDos->e_magic==IMAGE_DOS_SIGNATURE)
	{
		pImgNt = (PIMAGE_NT_HEADERS)&pInfo[pImgDos->e_lfanew];
		if(pImgNt)
		{
			if(pImgNt->Signature==IMAGE_NT_SIGNATURE)
			{
				return pImgNt->OptionalHeader.SizeOfImage;
			}
		}
	}
	return NULL;
}
DWORD GetPEImageEnd(HMODULE hModule)
{
	return ((DWORD)hModule + GetPEImageSize(hModule));
}
DWORD GetPECodeEnd(HMODULE hModule)
{
	return ((DWORD)hModule + GetCodeSize(hModule));
}

      Main.cpp

// 定义函数指针
typedef BOOL (__stdcall *MSGBOX)(char *,char *);

void Test(HMODULE hModule)
{
	if(hModule)
	{
		MSGBOX pMsgBox = (MSGBOX)MyGetProcAddress(hModule,"MsgBox");
		if(pMsgBox)
		{
			pMsgBox("Hello World","Hi");
		}
		FreeLibrary(hModule);
	}
}

// 从文件加载获取函数地址
void CPEAnalyaisDlg::OnBnClickedButton1()
{
	Test(LoadLibraryByFile("MsgBox.dll"));
}

// 从资源文件加载获取函数地址
void CPEAnalyaisDlg::OnBnClickedButton2()
{
	Test(LoadLibraryByResource(IDR_DLL_MSGBOX,"EXE"));
}

完整工程下载:

http://download.csdn.net/detail/wangningyu/5178695


汪宁宇
关注
  • 0
    点赞
  • 4
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 2
    评论
专栏目录
改写PE文件导入表加载DLL
03-18
通过改写PE文件的导入段,实现DLL加载PE文件的导入段记录了系统所要加载DLL名,以及由该DLL所导出的,PE文件中所用到的函数信息。
PE文件本地DLL注入实现
flukeshen的博客
10-25 2196
本工具是通过修改PE文件的OEP位置,让它指向我们插入的代码(调用LoadLibrary函数),从而载入DLL进行程序注入,载入DLL后系统会自动调用DllMain函数,由于修改了OEP,使得我们的代码执行在被注入程序之前,且在同一地址空间里,简直可以为所欲为了。
MyGetProcAddress
qq_33522888的博客
07-16 470
手动实现了GetProcAddress(),在明白了导出表的结构之后似乎也没什么难度。。。 下面的示例为用手写的MyGetProcAddress()得到MessageBoxW的函数地址,并调用#include <Windows.h> #include <stdio.h>DWORD MyGetProcAddress(HMODULE hModule, LPCSTR lpProcName) {
第四课 通过修改PE加载DLL
xuenixiang.com
08-05 2151
下面通过实例来讲解 下面分析myhack3.dll的源码 首先看一下全部源码 #include "stdio.h" #include "windows.h" #include "shlobj.h" #include "Wininet.h" #include "tchar.h" #pragma comment(lib, "Wininet.lib"
手动加载DLLPE文件)
El Psy Congroo
04-30 4873
以前学重载内核时学到了手动加载一个PE文件,想在Ring3层也实现一遍,不过在GitHub上看到有现成的源码了就不自己写了。本篇文章就分析一下这个mmLoader,看看怎么实现手动加载PE文件
C#实现动态加载dll方法
01-21
本文实例讲述了C#实现动态加载dll方法。分享给大家供大家参考。具体实现方法如下: 代码如下: using System; using System.Collections.Generic; using System.Text; using System.Reflection; using System.IO; ...
DLL加载设置相对路径的方法
08-27
DLL加载设置相对路径的方法 DLL(Dynamic Link Library)是一种软件组件,允许多个应用程序共享代码和资源。为了使用DLL,需要正确地加载和设置相对路径。本文将介绍DLL加载设置相对路径的方法,帮助开发者更好地...
c#动态加载卸载DLL方法
12-25
c#中通过反射可以方便的动态加载dll程序集,但是如果你需要对dll进行更新,却发现.net类库没有提供卸载dll程序集的方法。在.net 中,加入了应用程序域的概念,应用程序域是可以卸载的。也就是说,如果需要对动态加载...
PE(dll、exe)文件内存加载(手动映射)小记
qq_31314583的博客
09-28 2220
前言 PE文件即Windos操作系统下的可执行文件的文件结构名称,其中包含但不限于.dll .exe .sys .ocx等等。内存加载PE顾名思义就是通过内存,而非文件。这里的内存指代的是直接加载源。 这个技术其实很早之前就有了,网上也有很多开源可参考的代码,但是仅做一个伸手党那是绝对不行的,首先这些历史悠久的代码存在或多或少的bug,或莫名的崩溃咯,或32和64不兼容咯,各种问题皆是。当然,这些前辈先贤的代码一定是具有非常大的参考和开拓意义的。 技术用途 ...
修改PE文件实现静态DLL注入
笔记本
05-07 5291
PE文件注入DLL一般来说分为两种,一种是动态的,就是在程序运行中注入。还有一种是静态的,也就是修改PE文件达到DLL注入的效果。直接上实验步骤 实验(经过处理的NotePad,输入表下面有大量0000空余,无需进行移位操作): 1.LoadPE查看输入表 可以看到输入表的RVA是00007604,转化成文件偏移是6A04(用LoadPE中的位置计算器计算),c32找到6A04处 2...
易语言gzip解压缩模块
07-18
易语言gzip解压缩模块源码,gzip解压缩模块,PeLoader_LoadLibrary,PeLoader_FreeLibrary,PeLoader_GetProcAddress,PeLoader_GetEntryPoint,Call,初始化,GZIP压缩,GZIP解压
易语言汇编PeLoader源码-易语言
06-13
易语言汇编PeLoader源码
易语言学习-PE加载器(PeLoader)支持库版.zip
07-09
易语言学习-PE加载器(PeLoader)支持库版.zip
易语言loader源码,易语言PE加载例程
07-21
易语言PE加载例程源码,PE加载例程,CallOEP,Call,LoadLibrary
汇编PeLoader_模块+例程
01-04
易语言:汇编PeLoader_模块+例程 内存加载DLL的实现
[源码和文档分享]DLL加载模拟器直接在内存中加载DLL不通过API加载
qq_38474647的博客
01-03 191
背景 在网上搜索了很多病毒木马的分析报告,看了一段时间后,发现还是有很多病毒木马都能够模拟PE加载器,把DLL或者是EXE等PE文件,直接从内存中直接加载到自己的内存中执行,不需要通过API函数去操作,以此躲过一些杀软的检测。 在看到这些技术的描述后,虽然没有详细的实现思路,但是凭借自己的知识积累,我也大概知道是怎么做了。后来,就自己动手写了这...
DLL注入之修改PE静态注入
weixin_30530339的博客
11-16 521
DLL注入之修改PE静态注入 0x00 前言 我们要注入的的力量功能是下载baidu首页数据。代码如下: #include"stdio.h" #include"stdio.h" #include"windows.h" #include"shlobj.h" #include"Wininet.h" #include"tchar.h" #pragmacomment...
通过修改PE文件的方式导入DLL(包含详细操作流程)
fanxiaoyao1的博客
06-20 1328
我们需要修改IDT表,增加一条我们字节DLL文件的IID以达到导入的目的。在NT下IMAGE_DATA_DIRECTORY_ARRAY结构体,找到导入表,导入表第一个参数的值便为IDT的RVA RVA是程序的相对虚拟地址,我们要想在文件中精确定位IDT,必须要把RVA转位RAW,在上图中也叫FOA(文件偏移,文件中某个位置距离文件的偏移),具体的计算公式:84CCh属于.rdata节区,VirtualAddress 和PointerToRawData可从节区中获取。 VirtualAddress 是指
GetProcAddress函数实现和分析
热门推荐
half_face的博客
05-26 1万+
在kernel32.dll里有一个GetProcAddress函数,可以找到模块中的函数地址,函数原型是这样的: WINBASEAPI FARPROC WINAPI GetProcAddress(     IN HMODULE hModule,     IN LPCSTR lpProcName     ); hModule 是模块的句柄,说白了就是内存中dll模块的首地址 loP
DLL高级技术:显式加载与符号链接解析
"DLL高级技术,包括DLL的显式加载、符号链接等操作,适用于DLL的开发和深入研究。" 在Windows编程中,动态链接库(Dynamic Link Library, DLL)是一种可共享的代码库,允许多个应用程序共享同一份代码,从而节省...
评论 2
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

汪宁宇

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值