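#include<Windows.h>
#include<iostream>
#include<fstream>
#include<cstring>
using namespace std;

// NOTE(review): this program patches a third-party executable ("qq.exe") in
// place: it writes a small x86 stub plus its data into the slack of an
// executable section and redirects AddressOfEntryPoint to the stub.  Every
// header field it reads comes from the file being patched and is untrusted,
// so each pointer derived from a header value is range-checked against the
// mapped size whenever the caller supplies one.  The tool is a 32-bit build:
// it edits the image through the IMAGE_OPTIONAL_HEADER (PE32) layout and the
// stub is 32-bit code, so PE32+ inputs are rejected before anything is written.

// TRUE when ImageBase looks like a PE image: a DOS header carrying 'MZ' whose
// e_lfanew points at a 'PE\0\0' signature.
//   cbImage  size of the buffer at ImageBase; 0 means "unknown", in which case
//            only the non-negative e_lfanew check is applied (the original
//            behaviour).  Pass the real size for a file mapping so a hostile
//            e_lfanew cannot send the NT-header read outside the mapping.
BOOL IsPeFile(LPVOID ImageBase, SIZE_T cbImage = 0)
{
    if (!ImageBase)
        return FALSE;
    if (cbImage != 0 && cbImage < sizeof(IMAGE_DOS_HEADER))
        return FALSE;

    const IMAGE_DOS_HEADER* dos = static_cast<const IMAGE_DOS_HEADER*>(ImageBase);
    if (dos->e_magic != IMAGE_DOS_SIGNATURE)
        return FALSE;

    // e_lfanew is a signed LONG; negative or oversized values would place the
    // NT headers before the buffer or past its end.
    if (dos->e_lfanew < 0)
        return FALSE;
    const SIZE_T ntOffset = static_cast<SIZE_T>(dos->e_lfanew);
    if (cbImage != 0 && (ntOffset > cbImage || cbImage - ntOffset < sizeof(IMAGE_NT_HEADERS)))
        return FALSE;

    const IMAGE_NT_HEADERS* nt = reinterpret_cast<const IMAGE_NT_HEADERS*>(
        reinterpret_cast<const BYTE*>(dos) + ntOffset);
    return nt->Signature == IMAGE_NT_SIGNATURE ? TRUE : FALSE;
}

// Pointer to the IMAGE_NT_HEADERS of a validated image, or NULL when IsPeFile
// rejects it.  cbImage has the same meaning as in IsPeFile.
PIMAGE_NT_HEADERS GetNtHeader(LPVOID ImageBase, SIZE_T cbImage = 0)
{
    if (!IsPeFile(ImageBase, cbImage))
        return NULL;
    PIMAGE_DOS_HEADER dos = static_cast<PIMAGE_DOS_HEADER>(ImageBase);
    // Pointer arithmetic on BYTE* instead of a DWORD cast so the code is not
    // silently wrong when built for 64-bit.
    return reinterpret_cast<PIMAGE_NT_HEADERS>(reinterpret_cast<BYTE*>(dos) + dos->e_lfanew);
}

// The IMAGE_FILE_HEADER of a validated image, or NULL.  The WINAPI calling
// convention is kept from the original declaration for caller compatibility.
PIMAGE_FILE_HEADER WINAPI GetFileHeader(LPVOID Imagebase)
{
    PIMAGE_NT_HEADERS nt = GetNtHeader(Imagebase);
    return nt ? &nt->FileHeader : NULL;
}

// The IMAGE_OPTIONAL_HEADER of a validated image, or NULL.
PIMAGE_OPTIONAL_HEADER GetOptionalHeader(LPVOID ImageBase)
{
    PIMAGE_NT_HEADERS nt = GetNtHeader(ImageBase);
    return nt ? &nt->OptionalHeader : NULL;
}

// Maps an RVA to a file offset by finding the section whose raw data covers it.
// The section table is located with IMAGE_FIRST_SECTION, which honours
// FileHeader.SizeOfOptionalHeader; the original assumed
// sizeof(IMAGE_NT_HEADERS), which is wrong for a non-standard optional header.
// Returns 0 when the module is not a PE or no section covers the RVA (the
// original returned FALSE, i.e. the same 0, so callers keep treating 0 as
// "not found").
DWORD RvaToOffset(LPVOID lpMoudle, DWORD Rva)
{
    PIMAGE_NT_HEADERS nt = GetNtHeader(lpMoudle);
    if (!nt)
        return 0;

    const WORD sectionCount = nt->FileHeader.NumberOfSections;
    PIMAGE_SECTION_HEADER sec = IMAGE_FIRST_SECTION(nt);
    for (WORD i = 0; i < sectionCount; ++i, ++sec) {
        const DWORD start = sec->VirtualAddress;
        const DWORD end = start + sec->SizeOfRawData;
        if (end < start)            // corrupt header: range wrapped around
            continue;
        if (start <= Rva && Rva < end)
            return Rva - start + sec->PointerToRawData;
    }
    return 0;
}

// Address of the RVA's bytes inside the mapped *file* (not a loaded image):
// module base plus the RVA's file offset.  Returns 0 when the RVA is in no
// section.  The original had this check commented out and so handed back the
// bare module base for an unmapped RVA; the original also returned BOOL, which
// truncates a pointer, so DWORD_PTR is used instead.
DWORD_PTR RvaToVirtualAddress(LPVOID lpMoudle, DWORD Rva)
{
    const DWORD offset = RvaToOffset(lpMoudle, Rva);
    if (offset == 0)
        return 0;
    return reinterpret_cast<DWORD_PTR>(lpMoudle) + offset;
}

// Shows GetLastError() as text in a message box with the given title and frees
// the buffer FormatMessage allocated (the original leaked it).  Explicit W
// functions so the code does not depend on UNICODE being defined.
static void ReportLastError(const wchar_t* title)
{
    const DWORD err = GetLastError();
    LPWSTR buffer = NULL;
    const DWORD n = FormatMessageW(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
                                   NULL, err, 0, reinterpret_cast<LPWSTR>(&buffer), 0, NULL);
    MessageBoxW(NULL, n ? buffer : L"(unknown error)", title, MB_OK);
    if (buffer)
        LocalFree(buffer);
}

// WriteFile wrapper that fails unless every byte was written.  For a
// synchronous handle lpNumberOfBytesWritten must not be NULL, which the
// original passed.
static BOOL WriteAll(HANDLE h, const void* data, DWORD len)
{
    DWORD written = 0;
    return WriteFile(h, data, len, &written, NULL) && written == len;
}

// Writes the stub's data block (four 16-byte strings + two DWORD RVAs) followed
// by the stub itself into the slack between Misc.VirtualSize and SizeOfRawData
// of the first executable section with enough room, then points
// AddressOfEntryPoint at the stub.  The stub's last instruction is a rel32 JMP
// back to the previous entry point.
//   file  the HANDLE the image was mapped from; data and stub bytes go through
//         WriteFile on it.
//   base  the mapped read/write view; the section header and optional header
//         are edited in place through it.
// Header edits are committed only after every byte is on disk, so a failed
// write cannot leave the entry point aimed at unwritten bytes (the original
// updated the headers before writing the stub).
VOID HandleSessionTable(LPVOID file, LPVOID base)
{
    char funcname[16] = "MessageBoxA";
    char DLLname[16]  = "user32.dll";
    char Caption[16]  = "Warning";
    char Content[16]  = "This is test";
    // NOTE(review): RVAs of LoadLibraryA / GetProcAddress inside one specific
    // kernel32.dll build; the stub adds them to the module base it locates.
    // They are not portable across Windows versions — TODO confirm target.
    DWORD LoadLibraryAAddr = 0x1f864;
    DWORD GetProcAddress   = 0x24c46;
    // Raw machine code of the injected stub, byte-identical to the original.
    // The trailing E9 00 00 00 00 is the JMP whose displacement is patched below.
    char codes[] = "\x60\xe8\x0\x0\x0\x0\x5f\x83\xef\x6\x8b\x4f\xf8\x8b"
                   "\x5f\xfc\x64\x8b\x15\x30\x0\x0\x0\x8b\x52\xc\x8b\x52\x1c\x8b"
                   "\x12\x8b\x42\x8\x8b\x42\x50\x3\xc8\x50\x8b\xd7\x83\xea\x38\x52"
                   "\xff\xd1\x8b\xc8\x58\x3\xd8\x8b\xd7\x83\xea\x48\x52\x51\xff\xd3"
                   "\x8b\xcf\x83\xe9\x18\x6a\x0\x51\x83\xe9\x10\x51\x6a\x0\xff\xd0\x61"
                   "\xe9\x00\x00\x00\x00";
    const int datalength  = 16 * 4 + 8;        // four strings + two RVAs
    const int codeslength = sizeof(codes) - 1; // drop the literal's terminating NUL

    PIMAGE_NT_HEADERS nthead = GetNtHeader(base);
    if (!nthead)
        return;
    // The stub is 32-bit code and the headers are edited via the PE32 layout.
    if (nthead->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
        cout << "not a PE32 image, nothing written" << endl;
        return;
    }

    PIMAGE_SECTION_HEADER sessionhead = IMAGE_FIRST_SECTION(nthead);
    if (sessionhead->VirtualAddress == 0)
        return;
    const DWORD sessionnum = nthead->FileHeader.NumberOfSections;

    // The original called GetFileSize on the mapped pointer instead of the
    // handle; the size is needed to make sure the section's raw data (and so
    // the cave we write into) lies inside the file.
    HANDLE hFile = static_cast<HANDLE>(file);
    const DWORD sFileSize = GetFileSize(hFile, NULL);
    if (sFileSize == INVALID_FILE_SIZE) {
        ReportLastError(L"ok");
        return;
    }

    PIMAGE_SECTION_HEADER p = sessionhead;
    for (DWORD i = 0; i < sessionnum; ++i, ++p) {
        // Name is 8 bytes and not necessarily NUL-terminated; never print it
        // as a C string.
        size_t nameLen = 0;
        while (nameLen < IMAGE_SIZEOF_SHORT_NAME && p->Name[nameLen] != '\0')
            ++nameLen;
        const int slack = static_cast<int>(p->SizeOfRawData) - static_cast<int>(p->Misc.VirtualSize);
        cout.write(reinterpret_cast<const char*>(p->Name), nameLen);
        cout << " " << slack << endl;

        if (slack <= codeslength + datalength || !(p->Characteristics & IMAGE_SCN_MEM_EXECUTE))
            continue;

        const DWORD rawEnd = p->PointerToRawData + p->SizeOfRawData;
        if (rawEnd < p->PointerToRawData || rawEnd > sFileSize) {
            cout << "  raw data runs past end of file, skipped" << endl;
            continue;
        }

        const DWORD dataFileOffset  = p->PointerToRawData + p->Misc.VirtualSize;
        const DWORD codeVirtualBase = p->VirtualAddress + p->Misc.VirtualSize + datalength;
        const DWORD codeFileOffset  = dataFileOffset + datalength;

        // rel32 displacement = target - address of the instruction after the JMP.
        const DWORD oldentry  = nthead->OptionalHeader.AddressOfEntryPoint;
        const DWORD JMPOffset = oldentry - (codeVirtualBase + codeslength);
        memcpy(codes + codeslength - 4, &JMPOffset, sizeof(DWORD));

        const BOOL dataOk =
            SetFilePointer(hFile, dataFileOffset, NULL, FILE_BEGIN) != INVALID_SET_FILE_POINTER &&
            WriteAll(hFile, funcname, 16) &&
            WriteAll(hFile, DLLname, 16) &&
            WriteAll(hFile, Caption, 16) &&
            WriteAll(hFile, Content, 16) &&
            WriteAll(hFile, &LoadLibraryAAddr, sizeof(DWORD)) &&
            WriteAll(hFile, &GetProcAddress, sizeof(DWORD));
        const BOOL codeOk = dataOk &&
            SetFilePointer(hFile, codeFileOffset, NULL, FILE_BEGIN) != INVALID_SET_FILE_POINTER &&
            WriteAll(hFile, codes, codeslength);
        if (!codeOk) {
            ReportLastError(L"ok");
            return;
        }

        // Commit the header edits through the mapped view.
        p->Misc.VirtualSize += codeslength + datalength;
        nthead->OptionalHeader.AddressOfEntryPoint = codeVirtualBase;
        cout << "success" << endl;
        return;
    }
}

// TRUE when the section table declared by the NT headers lies entirely inside
// the first cbImage bytes at base.  Computed on offsets, not pointers, so a
// huge SizeOfOptionalHeader or NumberOfSections cannot overflow past the view.
static BOOL SectionTableFits(LPVOID base, SIZE_T cbImage)
{
    PIMAGE_NT_HEADERS nt = GetNtHeader(base, cbImage);
    if (!nt)
        return FALSE;
    const SIZE_T ntOffset = static_cast<SIZE_T>(static_cast<PIMAGE_DOS_HEADER>(base)->e_lfanew);
    const SIZE_T tableOffset = ntOffset + FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader)
                             + nt->FileHeader.SizeOfOptionalHeader;
    const SIZE_T tableBytes = static_cast<SIZE_T>(nt->FileHeader.NumberOfSections)
                            * sizeof(IMAGE_SECTION_HEADER);
    return (tableOffset <= cbImage && cbImage - tableOffset >= tableBytes) ? TRUE : FALSE;
}

// Opens qq.exe read/write, maps it read/write, validates the headers against
// the real file size and hands it to HandleSessionTable.  Returns non-zero when
// the file cannot be opened or mapped (the original ignored those failures and
// went on with an invalid handle / NULL view).
int main()
{
    HANDLE hFile = CreateFileW(L"qq.exe",
                               GENERIC_READ | GENERIC_WRITE,
                               0,                      // no sharing while patching
                               NULL,
                               OPEN_EXISTING,
                               FILE_ATTRIBUTE_NORMAL,
                               NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        ReportLastError(L"ok");
        system("pause");
        return 1;
    }

    LARGE_INTEGER size;
    if (!GetFileSizeEx(hFile, &size)) {
        ReportLastError(L"ok");
        CloseHandle(hFile);
        system("pause");
        return 1;
    }
    const SIZE_T cbImage = static_cast<SIZE_T>(size.QuadPart);

    HANDLE hFileMap = CreateFileMappingW(hFile, NULL, PAGE_READWRITE, 0, 0, NULL);
    if (!hFileMap) {
        ReportLastError(L"ok");
        CloseHandle(hFile);
        system("pause");
        return 1;
    }
    LPVOID lpMemory = MapViewOfFile(hFileMap, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, 0);
    if (!lpMemory) {
        ReportLastError(L"ok");
        CloseHandle(hFileMap);
        CloseHandle(hFile);
        system("pause");
        return 1;
    }

    if (IsPeFile(lpMemory, cbImage)) {
        cout << "yes" << endl;
        PIMAGE_OPTIONAL_HEADER image = GetOptionalHeader(lpMemory);
        cout << "DataDirectory num:" << image->NumberOfRvaAndSizes << endl;
        if (SectionTableFits(lpMemory, cbImage))
            HandleSessionTable(hFile, lpMemory);
        else
            cout << "section table runs past end of file" << endl;
    } else {
        cout << "no" << endl;
    }

    // Header edits were made through the view; flush them before tearing down.
    FlushViewOfFile(lpMemory, 0);
    UnmapViewOfFile(lpMemory);
    CloseHandle(hFileMap);
    CloseHandle(hFile);
    system("pause");
    return 0;
}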
以上内容纯属自己用来备份用的