解析程序自己的附加数据,将附加数据写入文件中。
主要是解析PE文件头,定位到overlay的地方,写入文件。常应用的场景是在crackme中,crackme自身有一段加密过的附加数据,在crackme运行的过程中解析自己的附加数据,然后解密这段数据。。。。
代码留存:
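// Parse this module's own PE image and dump its overlay (the bytes after the last
// section's raw data) to a file. Every header field is bounds-checked against the
// file size before it is dereferenced: a truncated or patched image fails cleanly
// instead of reading past the buffer.
TCHAR szModuleFile[MAX_PATH] = {0};
if (::GetModuleFileName(NULL, szModuleFile, MAX_PATH) == 0)
{
    AfxMessageBox("GetModuleFileName error");
    return ;
}
// Named flags replace the magic numbers 0x80000000 / 0x1 / 0x3 / 0x80.
HANDLE hFile = ::CreateFile(szModuleFile, GENERIC_READ, FILE_SHARE_READ, NULL,
                            OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
// CreateFile reports failure with INVALID_HANDLE_VALUE, not NULL.
if (hFile == INVALID_HANDLE_VALUE)
{
    AfxMessageBox("create file error");
    return ;
}
DWORD dwFileSize = ::GetFileSize(hFile, NULL);
if (dwFileSize == 0 || dwFileSize == INVALID_FILE_SIZE)
{
    AfxMessageBox("GetFileSize error");
    ::CloseHandle(hFile);
    return ;
}
// Raw bytes, not TCHARs (a TCHAR buffer is twice too large in a UNICODE build).
// The guard frees the buffer on every return path below; the original paired
// new[] with ::free and leaked it on each early return.
struct ImageBuffer
{
    BYTE *p;
    explicit ImageBuffer(DWORD cb) : p(new BYTE[cb]) {}
    ~ImageBuffer() { delete[] p; }
};
ImageBuffer image(dwFileSize);
const BYTE *pBase = image.p;
DWORD dwReadBytes = 0;
BOOL bSuc = ::ReadFile(hFile, image.p, dwFileSize, &dwReadBytes, NULL);
::CloseHandle(hFile);  // the image is in memory; nothing below needs the handle
if (!bSuc || dwReadBytes != dwFileSize)
{
    AfxMessageBox("read file error");
    return ;
}
// DOS header.
if (dwFileSize < sizeof(IMAGE_DOS_HEADER))
{
    AfxMessageBox("file too small for DOS header");
    return ;
}
const IMAGE_DOS_HEADER *pDosHead = (const IMAGE_DOS_HEADER *)pBase;
if (pDosHead->e_magic != IMAGE_DOS_SIGNATURE || pDosHead->e_lfanew < 0)
{
    AfxMessageBox("invalid DOS header");
    return ;
}
// NT headers, located through e_lfanew.
DWORD dwNtOffset = (DWORD)pDosHead->e_lfanew;
if (dwNtOffset > dwFileSize || dwFileSize - dwNtOffset < sizeof(IMAGE_NT_HEADERS))
{
    AfxMessageBox("invalid e_lfanew");
    return ;
}
const IMAGE_NT_HEADERS *pNtHeader = (const IMAGE_NT_HEADERS *)(pBase + dwNtOffset);
if (pNtHeader->Signature != IMAGE_NT_SIGNATURE)
{
    AfxMessageBox("invalid NT signature");
    return ;
}
WORD wNumOfSection = pNtHeader->FileHeader.NumberOfSections;
WORD wSizeOfOptionalHeader = pNtHeader->FileHeader.SizeOfOptionalHeader;
if (wNumOfSection == 0)
{
    AfxMessageBox("no sections");
    return ;
}
// The section table starts after the optional header, whose real length is
// SizeOfOptionalHeader. The original added sizeof(IMAGE_NT_HEADERS), which
// silently assumes the standard optional-header length. 64-bit arithmetic keeps
// the end-of-table check free of DWORD wrap-around.
DWORD dwSectionTableOffset = dwNtOffset + FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader)
                             + wSizeOfOptionalHeader;
ULONGLONG ullSectionTableEnd = (ULONGLONG)dwSectionTableOffset
                               + (ULONGLONG)wNumOfSection * sizeof(IMAGE_SECTION_HEADER);
if (dwSectionTableOffset < dwNtOffset || ullSectionTableEnd > dwFileSize)
{
    AfxMessageBox("section table out of range");
    return ;
}
// Use the struct fields instead of hand-counted DWORD offsets into the header
// (the original's "PhyAddress"/"PhySize" pointers were actually SizeOfRawData and
// PointerToRawData; only their sum was used, so the result was right by accident).
const IMAGE_SECTION_HEADER *pLastSection =
    (const IMAGE_SECTION_HEADER *)(pBase + dwSectionTableOffset) + (wNumOfSection - 1);
// The overlay begins where the last section's raw data ends.
ULONGLONG ullOverlayStart = (ULONGLONG)pLastSection->PointerToRawData
                            + pLastSection->SizeOfRawData;
if (ullOverlayStart >= dwFileSize)
{
    // Covers both "no overlay" and a header pointing past the end of the file,
    // which in the original produced an underflowed dwOverlaySize.
    AfxMessageBox("no overlay data");
    return ;
}
const BYTE *pOverLay = pBase + (DWORD)ullOverlayStart;
DWORD dwOverlaySize = dwFileSize - (DWORD)ullOverlayStart;
HANDLE hOutFile = ::CreateFile("C:\\Users\\Administrator\\Desktop\\crackme.exe.overlay",
                               GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_NEW,
                               FILE_ATTRIBUTE_NORMAL, NULL);
if (hOutFile == INVALID_HANDLE_VALUE)
{
    AfxMessageBox("create output file error");
    return ;
}
DWORD dwWritten = 0;
BOOL bWritten = ::WriteFile(hOutFile, pOverLay, dwOverlaySize, &dwWritten, NULL);
::CloseHandle(hOutFile);
if (!bWritten || dwWritten != dwOverlaySize)
{
    AfxMessageBox("write file error");
    return ;
}
// The original compared the pointer itself with 0; the intent is the first overlay byte.
if (pOverLay[0] == 0)
{
    AfxMessageBox("附加数据首字节为0");
}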