All the new sections of code implementation

Others 2019-06-27 08:16:04 views: null

#include "openfile.h"
#include <stdio.h>
#include <malloc.h>
#include <memory.h>
#include <Windows.h>

#define MASSAGEBOXAADDR 0x757A7E60
#define IMAGE_SIZEOF_DOS_HEADER 0x40

BYTE shellCode[] = {
0x6A,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,
0xE8,0x00,0x00,0x00,0x00,
0xE9,0x00,0x00,0x00,0x00
};

BYTE SectionName[] = { 0x2e,0x74,0x74,0x74,0,0,0,0 };

// read the file return fileBuffer
LPVOID ReadPEFile (LPSTR lpszFole)
{
the FILE *, pFile = NULL;
DWORD fileSize = 0;
LPVOID pFileBuffer = NULL;

// read the file
, pFile = the fopen (lpszFole, "RB");
IF (, pFile! )
{
the printf ( "open EXE file failed \ n-");
return NULL;
}
// move the cursor to the lower end of the file
fseek (, pFile, 0, SEEK_END);
// get the file size
fileSize = ftell (, pFile);
// file under the cursor to the beginning of the recovery
fseek (pFile, 0, SEEK_SET);
// allocate buffer
pFileBuffer = malloc (fileSize);

(! pFileBuffer) IF
{
printf ( "failed to allocate space \ the n-");
as Free (pFileBuffer);
NULL return;
}
size_t n-= fread (pFileBuffer,. 1, fileSize,, pFile);
IF (! n-)
{
the printf ( "file read failed \ n-");
Free (pFileBuffer);
fclose (, pFile);
return NULL;
}
// close the file
fclose (, pFile);
return pFileBuffer;
}

//拉伸fileBuffer返回ImageBuffer
LPVOID CopyFileBufferToImageBuffer(LPSTR lpszFole)
{
LPVOID pFileBuffer = NULL;
LPVOID pImageBuffer = NULL;
PIMAGE_DOS_HEADER pe_dos_header = NULL;
PIMAGE_FILE_HEADER pe_file_header = NULL;
PIMAGE_OPTIONAL_HEADER32 pe_option_header_32 = NULL;
PIMAGE_NT_HEADERS pe_nt_header = NULL;
PIMAGE_SECTION_HEADER pe_section_header = NULL;
pFileBuffer = ReadPEFile(lpszFole);
if (!pFileBuffer)
{
printf("打开文件失败\n");
return NULL;
}
if (*((PWORD)pFileBuffer)!=IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标记\n");
free(pFileBuffer);
return NULL;
}
= pe_dos_header (PIMAGE_DOS_HEADER) pFileBuffer;
// printf ( "DOS print head *************** ******************** ************* \ n-");
// the printf (" the MZ flag% x \ n ", pe_dos_header-> e_magic);
// the printf (" the PE offset% x \ n " , pe_dos_header-> e_lfanew);

IF (! * ((PDWORD) ((DWORD) pFileBuffer + pe_dos_header-> e_lfanew which)) = named IMAGE_NT_SIGNATURE)
{
the printf ( "PE flag is not valid \ n-");
Free (pFileBuffer);
return NULL;
}
pe_nt_header = (PIMAGE_NT_HEADERS ) ((DWORD) pFileBuffer + pe_dos_header-> e_lfanew which);
// the printf ( "the PE flag X% \ n-", pe_nt_header-> the Signature);
pe_file_header = (PIMAGE_FILE_HEADER) ((DWORD) pe_nt_header +. 4);
// the printf ( "******************** standard PE head ************************** ** \ the n-");
// printf (" running platform: the X-% \ the n-", pe_file_header-> Machine);
// printf (" number section: the X-% \ the n-", pe_file_header-> NumberOfSections);
// printf ( "time stamp generated by the compiler:% x \ n", pe_file_header- > TimeDateStamp the);
// printf ( "PE optional header size:% x \ n", pe_file_header- >SizeOfOptionalHeader);
// printf ( "PE wherein: X% \ n-", pe_file_header-> Characteristics);
pe_option_header_32 = (PIMAGE_OPTIONAL_HEADER32) ((DWORD) pe_file_header IMAGE_SIZEOF_FILE_HEADER +);
// the printf ( "*********** Alternatively ********* PE header **************************** \ n-");
// the printf ( "file type:% X \ n-', pe_option_header_32-> Magic);
// the printf (" a code section and: X% \ n-', pe_option_header_32-> SizeOfCode);
// the printf ( "data size and initialized: X% \ n-", pe_option_header_32-> SizeOfInitializedData);
// the printf (" uninitialized data and size:% x \ n ", pe_option_header_32-> SizeOfUninitializedData);
// the printf (" program entry:% x \ n ", pe_option_header_32-> AddressOfEntryPoint);
// the printf ( "base address of the start code:% x \ n", pe_option_header_32-> BaseOfCode);
// the printf ( "base address of the beginning of the data:% x \ n",pe_option_header_32-> BaseOfData);
// printf ( "mirrored memory base address: X% \ n-", pe_option_header_32-> the ImageBase);
// printf ( "memory alignment:% X \ n-", pe_option_header_32-> the SectionAlignment);
// printf ( "document alignment: X% \ n-", pe_option_header_32-> the FileAlignment);
// the printf (" the size of the entire memory image PE file:% X \ n-", pe_option_header_32-> the SizeOfImage);
// the printf (" all files in accordance with the section table header + the size of the aligned:% X \ n-", pe_option_header_32-> SizeOfHeaders);
// the printf (" checksum:% X \ n-", pe_option_header_32-> checkSum);
// the printf (" stack size initialization retained:% the X-\ the n-", pe_option_header_32-> SizeOfStackReserve);
// printf (" the size of the actual submission of the initialization of the stack: the X-% \ the n-", pe_option_header_32-> SizeOfStackCommit the);
// printf (" reserved when initializing heap size: the X-% \ the n-", pe_option_header_32-> SizeOfHeapReserve);
// printf (" actual size of the heap submitted during initialization:% x \ n ",pe_option_header_32->SizeOfHeapCommit);
//printf("目录项数目: %x\n", pe_option_header_32->NumberOfRvaAndSizes);
pImageBuffer = malloc(pe_option_header_32->SizeOfImage);
if (!pImageBuffer)
{
printf("分配空间失败\n");
free(pFileBuffer);
return NULL;
}
memset(pImageBuffer, 0, pe_option_header_32->SizeOfImage);
memcpy(pImageBuffer, pFileBuffer, pe_option_header_32->SizeOfHeaders);
//printf("%p\n", pImageBuffer);
pe_section_header = (PIMAGE_SECTION_HEADER)((DWORD)pe_option_header_32 + pe_file_header->SizeOfOptionalHeader);
//printf("********************节表****************************\n");
for (size_t i = 0; i < pe_file_header->NumberOfSections; i++)
{
//printf("NAME: %s\n", pe_section_header->Name);
the printf // ( "the MISC:% X \ n-", pe_section_header-> the Misc);
// the printf ( "Section regions offset in memory:% X \ n-", pe_section_header-> the VirtualAddress);
// the printf ( "size after byte alignment in the file:% X \ n-', pe_section_header-> the SizeOfRawData);
// the printf (" offset section area in the file:% X \ n-', pe_section_header-> the PointerToRawData);
// printf ( "section properties:% X \ n-", pe_section_header-> Characteristics);
the memcpy (((* CHAR) (DWORD) pImageBuffer) + pe_section_header-> the VirtualAddress,
((* CHAR) (DWORD) pFileBuffer) + pe_section_header- > the PointerToRawData,
pe_section_header-> the SizeOfRawData);
pe_section_header = (PIMAGE_SECTION_HEADER) ((DWORD) pe_section_header IMAGE_SIZEOF_SECTION_HEADER +);
}

Free (pFileBuffer);
return pImageBuffer;
}

//给节表添加E8E9硬编码,返回ImageBuffer
LPVOID AddImageBufferShellCode(LPSTR lpszFole)
{
LPVOID pImageBuffer = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTHeader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader32 = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
DWORD NumberOfSection = 4;
DWORD SizeOfSection = 0;
pImageBuffer = CopyFileBufferToImageBuffer(lpszFole);
if (!pImageBuffer)
{
printf("分配空间失败\n");
free(pImageBuffer);
return NULL;
}
if (*(PWORD((DWORD)pImageBuffer))!=IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标记\n");
free(pImageBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)((DWORD)pImageBuffer);
if (*(PDWORD)((DWORD)pImageBuffer + ImageDosHeader->e_lfanew) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标记\n");
free(pImageBuffer);
return NULL;
}
ImageNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pImageBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTHeader + 4);
ImageOptionalHeader32 = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
PIMAGE_SECTION_HEADER ImageSectionHeader_text = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader32 + ImageFileHeader->SizeOfOptionalHeader);

//保存可执行的Characteristics
DWORD executableCharacteristics = ImageSectionHeader_text->Characteristics;
if (NumberOfSection > ImageFileHeader->NumberOfSections)
{
printf("超出节的数量\n");
free(pImageBuffer);
return NULL;
}
if (NumberOfSection > 1)
{
SizeOfSection = IMAGE_SIZEOF_SECTION_HEADER * (NumberOfSection - 1);
}
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader_text + SizeOfSection);
if ((DWORD)(ImageSectionHeader->SizeOfRawData- ImageSectionHeader->Misc.VirtualSize) < sizeof(shellCode))
{
printf("剩余的节区空间不足\n");
free(pImageBuffer);
return NULL;
}
if (ImageSectionHeader->Misc.VirtualSize > ImageSectionHeader->SizeOfRawData)
{
printf("VirtualSize超出SizeOfRawData最大范围不能写入\n");
free(pImageBuffer);
return NULL;
}
//PDWORD code = (PDWORD)shellCode;

*((PDWORD)(shellCode + 0x9)) = (DWORD)MASSAGEBOXAADDR - (DWORD)(ImageOptionalHeader32->ImageBase + (ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize + 0xD));
*((PDWORD)(shellCode + 0xe)) = (DWORD)(ImageOptionalHeader32->ImageBase + ImageOptionalHeader32->AddressOfEntryPoint) - (DWORD)(ImageOptionalHeader32->ImageBase + (ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize + 0x12));
ImageSectionHeader->Characteristics = (ImageSectionHeader->Characteristics | executableCharacteristics);
DWORD addTheAddressOfTheCode = (DWORD)pImageBuffer + ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize;
memcpy((CHAR*)addTheAddressOfTheCode, &shellCode, sizeof(shellCode));
//DWORD E8Code = (DWORD)MASSAGEBOXAADDR - (DWORD)(ImageOptionalHeader32->ImageBase + (ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize + 0xD));
//memcpy(((CHAR*)addTheAddressOfTheCode + 0x9), &E8Code, sizeof(E8Code));
//DWORD E9Code = (DWORD)(ImageOptionalHeader32->ImageBase + ImageOptionalHeader32->AddressOfEntryPoint) - (DWORD)(ImageOptionalHeader32->ImageBase + (ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize + 0x12));
//memcpy(((CHAR*)addTheAddressOfTheCode + 0xe), &E9Code, sizeof(E9Code));
ImageOptionalHeader32->AddressOfEntryPoint = ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize;
return pImageBuffer;

}


DWORD GetdwRVA(LPSTR lpszFole,DWORD offset)
{
LPVOID pFileBuffer = NULL;
LPVOID pImageBuffer = NULL;
DWORD TrueLocation = NULL;
DWORD dwRVA = NULL;
PIMAGE_DOS_HEADER pe_dos_header = NULL;
PIMAGE_FILE_HEADER pe_file_header = NULL;
PIMAGE_OPTIONAL_HEADER32 pe_option_header_32 = NULL;
PIMAGE_NT_HEADERS pe_nt_header = NULL;
PIMAGE_SECTION_HEADER pe_section_header = NULL;
pFileBuffer = ReadPEFile(lpszFole);
if (!pFileBuffer)
{
printf("打开文件失败\n");
return NULL;
}
if (*((PWORD)pFileBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标记\n");
free(pFileBuffer);
return NULL;
}
Pe_dos_header = (PIMAGE_DOS_HEADER) pFileBuffer;

if (*((PDWORD)((DWORD)pFileBuffer + pe_dos_header->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志\n");
free(pFileBuffer);
return NULL;
}
pe_nt_header = (PIMAGE_NT_HEADERS)((DWORD)pFileBuffer + pe_dos_header->e_lfanew);

pe_file_header = (PIMAGE_FILE_HEADER)((DWORD)pe_nt_header + 4);

pe_option_header_32 = (PIMAGE_OPTIONAL_HEADER32)((DWORD)pe_file_header + IMAGE_SIZEOF_FILE_HEADER);

pImageBuffer = malloc(pe_option_header_32->SizeOfImage);
if (!pImageBuffer)
{
printf("分配空间失败\n");
free(pFileBuffer);
return NULL;
}
memset(pImageBuffer, 0, pe_option_header_32->SizeOfImage);
memcpy(pImageBuffer, pFileBuffer, pe_option_header_32->SizeOfHeaders);
pe_section_header = (PIMAGE_SECTION_HEADER)((DWORD)pe_option_header_32 + pe_file_header->SizeOfOptionalHeader);
TrueLocation = offset - (DWORD)pImageBuffer;
for (size_t i = 0; i < pe_file_header->NumberOfSections; i++)
{

memcpy(((CHAR*)(DWORD)pImageBuffer) + pe_section_header->VirtualAddress,
((CHAR*)(DWORD)pFileBuffer) + pe_section_header->PointerToRawData,
pe_section_header->SizeOfRawData);
if (TrueLocation > pe_section_header->VirtualAddress && TrueLocation < (pe_section_header->VirtualAddress + pe_section_header->Misc.VirtualSize))
{
dwRVA = TrueLocation - pe_section_header->VirtualAddress;
}
pe_section_header = (PIMAGE_SECTION_HEADER)((DWORD)pe_section_header + IMAGE_SIZEOF_SECTION_HEADER);
}

free(pFileBuffer);
free(pImageBuffer);
return dwRVA;
}


DWORD GetdwFoa(LPSTR srcFile, DWORD dwRva)
{
LPVOID pFileBuffer = NULL;
LPVOID pImageBuffer = NULL;
DWORD FOA = NULL;
DWORD TrueLocation = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader32 = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
pImageBuffer = CopyFileBufferToImageBuffer(srcFile);
pFileBuffer = ReadPEFile(srcFile);
if (!pFileBuffer)
{
printf("打开文件失败\n");
return NULL;
}
if (*((PWORD)pFileBuffer)!=IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标记\n");
free(pFileBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer;

if (*((PDWORD)((DWORD)pFileBuffer + ImageDosHeader->e_lfanew))!=IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志\n");
free(pFileBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)pFileBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader32 = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader32 + ImageFileHeader->SizeOfOptionalHeader);
TrueLocation = dwRva - (DWORD)pImageBuffer;
printf("%x\n", TrueLocation);
for (size_t i = 1; i < ImageFileHeader->NumberOfSections; i++)
{
if (TrueLocation > ImageSectionHeader->VirtualAddress && TrueLocation < (ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize))
{
TrueLocation = TrueLocation - ImageSectionHeader->VirtualAddress;
FOA = ImageSectionHeader->PointerToRawData + TrueLocation;
}
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + IMAGE_SIZEOF_SECTION_HEADER);
}
free(pFileBuffer);
free(pImageBuffer);
return FOA;

}

//创建新的ImageBuffer
LPVOID CopyImageBufferToNewImageBuffer(LPSTR srcFile)
{
LPVOID ImageBuffer = NULL;
LPVOID NewImageBuffer = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
ImageBuffer = CopyFileBufferToImageBuffer(srcFile);
if (!ImageBuffer)
{
printf("分配空间失败\n");
return NULL;
}
if (*((PWORD)(DWORD)ImageBuffer)!=IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志\n");
free(ImageBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)ImageBuffer;
if (*((PDWORD)((DWORD)ImageBuffer + ImageDosHeader->e_lfanew))!=IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(ImageBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)ImageBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
NewImageBuffer = malloc(ImageOptionalHeader->SizeOfImage + 0x1000);

if (!NewImageBuffer)
{
printf("NewImageBuffer分配空间失败\n");
free(ImageBuffer);
return NULL;
}
memset(NewImageBuffer, 0, ImageOptionalHeader->SizeOfImage + 0x1000);
memcpy(NewImageBuffer, ImageBuffer, ImageOptionalHeader->SizeOfImage);

return NewImageBuffer;

}

// Get file memory alignment or alignment
DWORD GetSectionAlignmentOrFileAlignment (DWORD currentNumber, the Alignment DWORD)
{
IF (% currentNumber the Alignment = 0!)
{
CurrentNumber + 0x1 = currentNumber;
return GetSectionAlignmentOrFileAlignment (currentNumber, the Alignment);
}
return currentNumber;
}

//合并节
LPVOID MergeSection(LPSTR srcFile)
{
LPVOID NewImageBuffer = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER NextImageSectionHeader = NULL;
NewImageBuffer = CopyImageBufferToNewImageBuffer(srcFile);
if (!NewImageBuffer)
{
printf("分配空间失败\n");
return NULL;
}
if (*((PWORD)(DWORD)NewImageBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志\n");
free(NewImageBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)NewImageBuffer;
if (*((PDWORD)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(NewImageBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((DWORD)(ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER));
DWORD MAX = LastImageSectionHeader->SizeOfRawData > LastImageSectionHeader->Misc.VirtualSize ? LastImageSectionHeader->SizeOfRawData : LastImageSectionHeader->Misc.VirtualSize;
ImageSectionHeader->Misc.VirtualSize = ImageSectionHeader->SizeOfRawData = (MAX + LastImageSectionHeader->VirtualAddress) - GetSectionAlignmentOrFileAlignment(ImageOptionalHeader->SizeOfHeaders,ImageOptionalHeader->SectionAlignment);
for (INT i = 0; i < (ImageFileHeader->NumberOfSections - 1); i++)
{
NextImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + IMAGE_SIZEOF_SECTION_HEADER);
ImageSectionHeader->Characteristics = ImageSectionHeader->Characteristics | NextImageSectionHeader->Characteristics;
}
ImageFileHeader->NumberOfSections = 1;
return NewImageBuffer;
}

//提升FILE头OPTIONAL头节表信息
LPVOID LiftHeaderInfo(LPSTR srcFile)
{
LPVOID NewImageBuffer = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER NewImageSectionHeader = NULL;
NewImageBuffer = CopyImageBufferToNewImageBuffer(srcFile);
if (!NewImageBuffer)
{
printf("分配空间失败\n");
return NULL;
}
if (*((PWORD)(DWORD)NewImageBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志\n");
free(NewImageBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)NewImageBuffer;
if (*((PDWORD)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(NewImageBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((DWORD)(ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER));
//提升头
memcpy((PNZCH)((DWORD)NewImageBuffer + IMAGE_SIZEOF_DOS_HEADER), (PNZCH)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew), (4 + IMAGE_SIZEOF_FILE_HEADER + ImageFileHeader->SizeOfOptionalHeader + (ImageFileHeader->NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER)));
ImageDosHeader->e_lfanew = IMAGE_SIZEOF_DOS_HEADER;
return NewImageBuffer;
}

//增加一个新的节
LPVOID AddNewSection(LPSTR srcFile)
{
LPVOID NewImageBuffer = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER LastSectionHeader = NULL;
PIMAGE_SECTION_HEADER NewSectionHeader = NULL;
DWORD EntryPoint = 0;
DWORD PointerToRawData = 0;

NewImageBuffer = MergeSection(srcFile);
if (!NewImageBuffer)
{
printf("分配空间失败\n");
return NULL;
}
if (*((PWORD)(DWORD)NewImageBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志\n");
free(NewImageBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)NewImageBuffer;
if (*((PDWORD)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(NewImageBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
DWORD SizeOfImageDosHeaderToImageSectionHeader = ((DWORD)IMAGE_SIZEOF_DOS_HEADER + (ImageDosHeader->e_lfanew - ((DWORD)IMAGE_SIZEOF_DOS_HEADER) + 4 + IMAGE_SIZEOF_FILE_HEADER
+ ImageFileHeader->SizeOfOptionalHeader + (ImageFileHeader->NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER)));
if ((ImageOptionalHeader->SizeOfHeaders - SizeOfImageDosHeaderToImageSectionHeader) < 0x50)
{
printf("剩余的节表空白区小于80个字节\n");
free(NewImageBuffer);
return NULL;
}

LastSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER));
//判断程序入口点
if (LastSectionHeader->Misc.VirtualSize > LastSectionHeader->SizeOfRawData)
{
EntryPoint = GetSectionAlignmentOrFileAlignment(LastSectionHeader->VirtualAddress + LastSectionHeader->Misc.VirtualSize, ImageOptionalHeader->SectionAlignment);
PointerToRawData = GetSectionAlignmentOrFileAlignment(LastSectionHeader->PointerToRawData + LastSectionHeader->Misc.VirtualSize, ImageOptionalHeader->FileAlignment);
}
else
{
EntryPoint = GetSectionAlignmentOrFileAlignment(LastSectionHeader->VirtualAddress + LastSectionHeader->SizeOfRawData, ImageOptionalHeader->SectionAlignment);
PointerToRawData = GetSectionAlignmentOrFileAlignment(LastSectionHeader->PointerToRawData + LastSectionHeader->SizeOfRawData, ImageOptionalHeader->FileAlignment);
}

// modify the data of the new section table
NewSectionHeader = (PIMAGE_SECTION_HEADER) ((DWORD ) LastSectionHeader + IMAGE_SIZEOF_SECTION_HEADER);

memcpy((PNZCH)(NewSectionHeader->Name), &SectionName, sizeof(SectionName));

NewSectionHeader->Misc.VirtualSize = 0x1000;
NewSectionHeader->VirtualAddress = EntryPoint;
NewSectionHeader->SizeOfRawData = 0x1000;
NewSectionHeader->PointerToRawData = PointerToRawData;
NewSectionHeader->PointerToRelocations = ImageSectionHeader->PointerToRelocations;
NewSectionHeader->PointerToLinenumbers = ImageSectionHeader->PointerToLinenumbers;
NewSectionHeader->NumberOfRelocations = ImageSectionHeader->NumberOfRelocations;
NewSectionHeader->NumberOfLinenumbers = ImageSectionHeader->NumberOfLinenumbers;
NewSectionHeader->Characteristics = 0x60000020;
//新增节表后补零
memset((PIMAGE_SECTION_HEADER)((DWORD)NewSectionHeader + IMAGE_SIZEOF_SECTION_HEADER), 0, IMAGE_SIZEOF_SECTION_HEADER);
*(PDWORD)(shellCode + 0x9) = (DWORD)MASSAGEBOXAADDR - (DWORD)(ImageOptionalHeader->ImageBase + (NewSectionHeader->VirtualAddress + 0xd));
*(PDWORD)(shellCode + 0xe) = ((DWORD)(ImageOptionalHeader->ImageBase + ImageOptionalHeader->AddressOfEntryPoint) - (DWORD)(ImageOptionalHeader->ImageBase + (NewSectionHeader->VirtualAddress + 0x12)));
memcpy(((CHAR*)NewImageBuffer + NewSectionHeader->VirtualAddress), &shellCode, sizeof(shellCode));
//修改节数量
ImageFileHeader->NumberOfSections = ImageFileHeader->NumberOfSections + 1;
//修改程序入口点
ImageOptionalHeader->AddressOfEntryPoint = EntryPoint;
//修改SizeOfImage大小
ImageOptionalHeader->SizeOfImage = ImageOptionalHeader->SizeOfImage + 0x1000;

return NewImageBuffer;
}

//扩大节
LPVOID AmplifySection(LPSTR srcFile)
{
LPVOID NewImageBuffer = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL;
NewImageBuffer = CopyImageBufferToNewImageBuffer(srcFile);
if (!NewImageBuffer)
{
printf("分配空间失败\n");
return NULL;
}
if (*((PWORD)(DWORD)NewImageBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志\n");
free(NewImageBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)NewImageBuffer;
if (*((PDWORD)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(NewImageBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER));
if (LastImageSectionHeader->Misc.VirtualSize > LastImageSectionHeader->SizeOfRawData)
{
DWORD VirtualSize = GetSectionAlignmentOrFileAlignment(LastImageSectionHeader->Misc.VirtualSize, ImageOptionalHeader->SectionAlignment);
*(PDWORD)(shellCode + 0x9) = (MASSAGEBOXAADDR - ((DWORD)ImageOptionalHeader->ImageBase + LastImageSectionHeader->VirtualAddress + VirtualSize + 0xd));
*(PDWORD)(shellCode + 0xe) = (((DWORD)ImageOptionalHeader->ImageBase + ImageOptionalHeader->AddressOfEntryPoint) - ((DWORD)ImageOptionalHeader->ImageBase + LastImageSectionHeader->VirtualAddress + VirtualSize + 0x12));
memcpy((PNZCH)((DWORD)NewImageBuffer + LastImageSectionHeader->VirtualAddress + VirtualSize), &shellCode, sizeof(shellCode));
ImageOptionalHeader->AddressOfEntryPoint = (DWORD)(LastImageSectionHeader->VirtualAddress + VirtualSize);

}
else
{
DWORD SizeOfRawData = GetSectionAlignmentOrFileAlignment(LastImageSectionHeader->SizeOfRawData, ImageOptionalHeader->SectionAlignment);
*(PDWORD)(shellCode + 0x9) = (MASSAGEBOXAADDR - ((DWORD)ImageOptionalHeader->ImageBase + LastImageSectionHeader->VirtualAddress + SizeOfRawData + 0xd));
*(PDWORD)(shellCode + 0xe) = (((DWORD)ImageOptionalHeader->ImageBase + ImageOptionalHeader->AddressOfEntryPoint) - ((DWORD)ImageOptionalHeader->ImageBase + LastImageSectionHeader->VirtualAddress + SizeOfRawData + 0x12));
memcpy((PNZCH)((DWORD)NewImageBuffer + LastImageSectionHeader->VirtualAddress + SizeOfRawData), &shellCode, sizeof(shellCode));
ImageOptionalHeader->AddressOfEntryPoint = (DWORD)(LastImageSectionHeader->VirtualAddress + SizeOfRawData);
}
LastImageSectionHeader->Misc.VirtualSize = LastImageSectionHeader->Misc.VirtualSize + 0x1000;
LastImageSectionHeader->SizeOfRawData = LastImageSectionHeader->SizeOfRawData + 0x1000;
ImageOptionalHeader->SizeOfImage = ImageOptionalHeader->SizeOfImage + 0x1000;
LastImageSectionHeader->Characteristics = (LastImageSectionHeader->Characteristics | ImageSectionHeader->Characteristics);

return NewImageBuffer;
}


//复制ImageBuffer到新的FileBuffer,返回新的FileBuffer
LPVOID CopyImageBufferToNewBuffer(LPSTR lpszFole)
{
LPVOID pNewBuffer = NULL;
LPVOID pImageBuffer = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader32 = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL;
pImageBuffer = AddNewSection(lpszFole);
if (!pImageBuffer)
{
printf("空间分配失败\n");
free(pImageBuffer);
return NULL;
}
if (*((PWORD)pImageBuffer) != IMAGE_DOS_SIGNATURE)
{
printf ( "flag is not a valid MZ \ n-");
Free (pImageBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER) pImageBuffer;
IF (* ((PDWORD) ((DWORD) pImageBuffer + ImageDosHeader-> e_lfanew which)) =! named IMAGE_NT_SIGNATURE)
{
the printf ( "PE flag is not valid \ n-");
Free (pImageBuffer);
return NULL;
}

ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)pImageBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader32 = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);

ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader32 + ImageFileHeader->SizeOfOptionalHeader);
//(PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER));
LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER));
pNewBuffer = malloc(LastImageSectionHeader->VirtualAddress + LastImageSectionHeader->SizeOfRawData);
if (!pNewBuffer)
{
printf("分配空间失败\n");
free(pImageBuffer);
return NULL;
}
memcpy(pNewBuffer, pImageBuffer, ImageOptionalHeader32->SizeOfHeaders);
printf("%x\n",LastImageSectionHeader->VirtualAddress);
printf("%x\n", LastImageSectionHeader->SizeOfRawData);
for (size_t i = 0; i < ImageFileHeader->NumberOfSections; i++)
{
memset((PNZCH)((DWORD)pNewBuffer + ImageSectionHeader->PointerToRawData), 0, ImageSectionHeader->SizeOfRawData);
memcpy((PNZCH)((DWORD)pNewBuffer + ImageSectionHeader->PointerToRawData), (PNZCH)((DWORD)pImageBuffer + ImageSectionHeader->VirtualAddress), ImageSectionHeader->SizeOfRawData);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + IMAGE_SIZEOF_SECTION_HEADER);
}

free(pImageBuffer);
return pNewBuffer;
}

// Create a new file to save the new section to the new file
VOID CopyNewImageBufferToNewFile (LPSTR the destFile, LPSTR srcFile)
{
FILE * NewFile = NULL;
LPVOID NewFileBuffer = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
= NULL ImageOptionalHeader PIMAGE_OPTIONAL_HEADER32;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER LastSectionHeader = NULL;

NewFile = the fopen (the destFile, "WB");
(! NewFile) IF
{
the printf ( "open file failed \ n-");
return;
}
NewFileBuffer = CopyImageBufferToNewBuffer (srcFile);
IF (! NewFileBuffer)
{
the printf ( "allocate space failed \ n-");
return;
}
! IF (* ((PWORD) (DWORD) NewFileBuffer) = IMAGE_DOS_SIGNATURE)
{
the printf (" is not a valid MZ flag \ n-");
Free (NewFileBuffer);
return;
}
ImageDosHeader = (PIMAGE_DOS_HEADER ) NewFileBuffer;
IF (* ((PDWORD) ((DWORD) NewFileBuffer + ImageDosHeader-> e_lfanew which)) = named IMAGE_NT_SIGNATURE)!
{
the printf ( "PE is not a valid flag");
Free (NewFileBuffer);
return;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
LastSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER));
DWORD result = fwrite(NewFileBuffer, sizeof(char), (LastSectionHeader->PointerToRawData + LastSectionHeader->SizeOfRawData), NewFile);
if (result < (DWORD)(LastSectionHeader->PointerToRawData + LastSectionHeader->SizeOfRawData))
{
printf ( "file write failed \ n-");
Free (NewFileBuffer);
fclose (NewFile);
return;
}
Free (NewFileBuffer);
printf ( "file write completion \ n-");
}

 

Guess you like

Origin www.cnblogs.com/louzi/p/11094734.html
Recommended
Apache Doris version 2.0.10 is officially released!
Open Source Daily | Big models go to war; big model unicorns are revealed to be selling themselves; Zhou Hongyi suggests that Google open source all its products; the largest open source AI community provides $10 million to share GPUs
Ranking
JS inheritance and monitoring
[ProblemSolving][Ubuntu][LyX] The selected document class ... requires external files that are not available...
Java threads sharing static variable
balancap/SSD-Tensorflow使用及训练预测自己的数据集
Detailed core ES6
JS --- reverse traversal achieved Array array, the array is connected string
How to Uninstall (or Reinstall) Windows 10’s Ubuntu Bash Shell
Linux modify the hostname method
Charging Specification BC v1.2
node的性能和java对比分析
Daily
More
2024-05-17(6)
2024-05-16(23)
2024-05-15(5)
2024-05-14(9)
2024-05-13(8)
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)

Code World

© 2018 codetd.com