[Old post] [Original] Breaking the limit on the number of sections
Posted: 2010-5-15 23:31
I have been lurking on Pediy for a long time and am still not a full member, so I am posting this article in the hope of becoming one.
Anyone who has failed at adding sections in all sorts of ways, please read this article.
Let me state up front that I have just published this article on my Baidu blog, at the following address:
http://hi.baidu.com/8ohack/blog/category/%B3%CC%D0%F2%B7%D6%CE%F6%D3%EB%B5%F7%CA%D4
【Title】: Breaking the limit on the number of sections
【Author】: ALL
【Author homepage】: hi.baidu.com/8oahck
【Platform】: WindowsXP
【Author's note】: This is purely out of interest, with no other purpose. Corrections for any mistakes are welcome!
--------------------------------------------------------------------------------
【Detailed procedure】
Adding a section by hand
Append 0x200 bytes after the section table, then adjust PointerToRawData and BoundImport.
From the section table dump below you can already see that no further section can be added; if you do not believe it, try adding one with zeroAdd1.0.
I tried and it did not succeed, so I am sharing the small trick I worked out.
--------------------------------------------------------
Alternatively, you can change the size of an existing section and write the data into it;
see the article on my blog, which should be worth reading:
hi.baidu.com/8ohack >> Program analysis and debugging >> Adjusting section size
In the situation shown below,
we have to enlarge the section table space by hand before a section can be added successfully.
------------------------------------------------------------------------------
Offset   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
000001C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001D0 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 .........text...
000001E0 48 77 00 00 00 10 00 00 00 78 00 00 00 04 00 00 Hw.......x......
000001F0 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 ............ ..`
00000200 2E 64 61 74 61 00 00 00 A8 1B 00 00 00 90 00 00 .data...........
00000210 00 08 00 00 00 7C 00 00 00 00 00 00 00 00 00 00 .....|..........
00000220 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 ....@....rsrc...
00000230 20 7F 00 00 00 B0 00 00 00 80 00 00 00 84 00 00  ...............
00000240 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 ............@..@
00000250 A2 BD 02 48 58 00 00 00 B6 BD 02 48 65 00 00 00 ...HX......He...
00000260 CA BD 02 48 71 00 00 00 6C BD 02 48 7E 00 00 00 ...Hq...l..H~...
--------------------------------------------------------------------------------
Idea: enlarge the section table space [add 0x200 bytes; those bytes are then available to you for .... in fact a single section header is only 0x28 (40) bytes].
Before adding the blank space, you should first become familiar with the structure below.
typedef struct _IMAGE_SECTION_HEADER {
    BYTE  Name[IMAGE_SIZEOF_SHORT_NAME];   // 8 bytes: section name
    union {
        DWORD PhysicalAddress;
        DWORD VirtualSize;                 // 4 bytes: size of the section in memory
    } Misc;
    DWORD VirtualAddress;                  // RVA of the section once loaded
    DWORD SizeOfRawData;                   // size of the section's data in the file
    DWORD PointerToRawData;                // file offset of the section's data
    DWORD PointerToRelocations;
    DWORD PointerToLinenumbers;
    WORD  NumberOfRelocations;             // 2 bytes
    WORD  NumberOfLinenumbers;
    DWORD Characteristics;                 // section flags; total: 40 bytes
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
After inserting the 0x200 blank bytes, be sure to work out where the following data now sits with respect to file alignment, and then set each PointerToRawData correctly.
--------------------------------------------------------------------------------
Offset   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
000001D0 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 .........text...
000001E0 48 77 00 00 00 10 00 00 00 78 00 00 00 04 00 00 Hw.......x......
000001F0 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 ............ ..`
00000200 2E 64 61 74 61 00 00 00 A8 1B 00 00 00 90 00 00 .data...........
00000210 00 08 00 00 00 7C 00 00 00 00 00 00 00 00 00 00 .....|..........
00000220 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 ....@....rsrc...
00000230 20 7F 00 00 00 B0 00 00 00 80 00 00 00 84 00 00  ...............
00000240 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 ............@..@
00000250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000310 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000350 A2 BD 02 48 58 00 00 00 B6 BD 02 48 65 00 00 00 ...HX......He...
00000360 CA BD 02 48 71 00 00 00 6C BD 02 48 7E 00 00 00 ...Hq...l..H~...
00000370 6C                                              l
The 00 bytes above are the space I added. After inserting 0x100 bytes, pay attention to how each section header's PointerToRawData changes.
Offset   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
000001D0                         2E 74 65 78 74 00 00 00         .text...
000001E0 48 77 00 00 00 10 00 00 00 78 00 00 00 04 00 00 Hw.......x......
000001F0 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 ............ ..`
00000200 2E 64 61 74 61 00 00 00 A8 1B 00 00 00 90 00 00 .data...........
00000210 00 08 00 00 00 7C 00 00 00 00 00 00 00 00 00 00 .....|..........
00000220 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 ....@....rsrc...
00000230 20 7F 00 00 00 B0 00 00 00 80 00 00 00 84 00 00  ...............
00000240 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 ............@..@
If every pointer points to the correct place, the program runs without error but shows no window; in that case we also have to zero the BoundImport data completely.
----------------------------------------------------------------------------------
->Bound Import Directory
1. BoundImportDescriptor:
TimeDateStamp: 0x4802BDC6 (GMT: Mon Apr 14 02:13:26 2008)
OffsetModuleName: 0x0028 ("KERNEL32.dll")
NumberOfModuleForwarderRefs: 0x0001
1. ModuleForwarderReference:
TimeDateStamp: 0x4802BDC5 (GMT: Mon Apr 14 02:13:25 2008)
OffsetModuleName: 0x0035 ("NTDLL.DLL")
Reserved: 0x0000
2. BoundImportDescriptor:
TimeDateStamp: 0x4802BD6C (GMT: Mon Apr 14 02:11:56 2008)
OffsetModuleName: 0x003F ("msvcrt.dll")
NumberOfModuleForwarderRefs: 0x0000
3. BoundImportDescriptor:
TimeDateStamp: 0x4802BDBD (GMT: Mon Apr 14 02:13:17 2008)
OffsetModuleName: 0x004A ("USER32.dll")
NumberOfModuleForwarderRefs: 0x0000
The non-blank data at the tail of the section table is the BoundImport data; zeroing it is all that is needed.
cmd: 00000248 | 00000058 (bound import directory RVA | size)
Notepad: 00000250 | 000000D0
Remember that each section's PointerToRawData still has to be modified,
and at the same time BoundImport must be set entirely to zero.
--------------------------------------------------------------------------------
【Lessons learned】
<1> Add the blank area and set PointerToRawData correctly
<2> Zero BoundImport
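As an added illustration (not code from the original post, nor from the zeroAdd tool it mentions), the following Python script carries out the same edit on a PE image in memory: it opens the blank space behind the section table, shifts every PointerToRawData by the inserted amount, zeros the bound import directory entry, and additionally raises SizeOfHeaders so the loader maps the enlarged header area, a step the post leaves implicit. build_sample_pe() constructs a minimal single-section stand-in image laid out like the post's dump; all field offsets are the documented PE32/PE32+ ones.

```python
import struct

BOUND_IMPORT_DIR = 11   # IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (PE format constant)

def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]

def widen_section_table(pe: bytes, extra: int) -> bytes:
    """Insert `extra` zero bytes behind the last IMAGE_SECTION_HEADER (room for
    extra // 40 new headers) and repair what the shift breaks. Assumes an
    unsigned image: the security directory stores a file offset, not an RVA."""
    buf = bytearray(pe)
    pe_off = u32(buf, 0x3C)
    if buf[pe_off:pe_off + 4] != b"PE\0\0": raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", buf, pe_off + 6)
    opt = pe_off + 24
    magic = struct.unpack_from("<H", buf, opt)[0]
    if extra % u32(buf, opt + 0x24): raise ValueError("extra must be a FileAlignment multiple")
    dirs = opt + (0x60 if magic == 0x10B else 0x70)   # data directories: PE32 vs PE32+
    table = opt + opt_size
    # 1. Open the blank header space; everything behind it slides down by `extra`.
    table_end = table + 40 * nsec
    buf[table_end:table_end] = bytes(extra)
    # 2. Section data slid too, so every non-zero PointerToRawData grows by `extra`.
    for i in range(nsec):
        ptr_off = table + 40 * i + 20
        if u32(buf, ptr_off):
            struct.pack_into("<I", buf, ptr_off, u32(buf, ptr_off) + extra)
    # 3. The loader maps only SizeOfHeaders bytes; it must cover the new space.
    struct.pack_into("<I", buf, opt + 0x3C, u32(buf, opt + 0x3C) + extra)
    # 4. The bound import descriptors sat right behind the section table and no
    #    longer match the directory RVA: zero the entry so the loader binds normally.
    struct.pack_into("<II", buf, dirs + 8 * BOUND_IMPORT_DIR, 0, 0)
    return bytes(buf)

def build_sample_pe() -> bytes:
    """Constructed single-section PE32 stub laid out like the post's dump: section
    table at 0x1D8, bound import descriptor at 0x250, SizeOfHeaders 0x400, .text at 0x400."""
    buf, opt = bytearray(0x600), 0xF8
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0xE0)                                      # e_lfanew
    struct.pack_into("<4sHH12xHH", buf, 0xE0, b"PE\0\0", 0x14C, 1, 0xE0, 0x102)  # 1 section
    struct.pack_into("<H", buf, opt, 0x10B)                                      # PE32 magic
    struct.pack_into("<II20xI", buf, opt + 0x20, 0x1000, 0x200, 0x400)           # alignments, SizeOfHeaders
    struct.pack_into("<I", buf, opt + 0x5C, 16)                                  # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, opt + 0x60 + 8 * BOUND_IMPORT_DIR, 0x250, 0xD0)
    struct.pack_into("<8s4I12xI", buf, 0x1D8, b".text", 0x7748, 0x1000, 0x200, 0x400, 0x60000020)
    struct.pack_into("<IHH", buf, 0x250, 0x4802BDA2, 0x58, 0)                    # bound import descriptor
    buf[0x400:0x600] = b"\xC3" * 0x200                                           # stand-in section bytes
    return bytes(buf)
```

With the stub, widen_section_table(build_sample_pe(), 0x200) moves the .text data from 0x400 to 0x600 and leaves 0x200 zero bytes at 0x200, enough for eight more section headers once NumberOfSections is raised.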
--------------------------------------------------------------------------------
【Copyright notice】: Copyright belongs solely to the original author; for any copyright matter, please contact the author!
2010年05月15日 16:30:06