[原创]调整区段大小-付费问答-看雪-安全社区|安全招聘|kanxue.com

[旧帖] [原创]调整区段大小 0.00雪花

发表于: 2010-5-15 23:36 1746

[旧帖] [原创]调整区段大小 0.00雪花

Gall

2010-5-15 23:36

1746

希望能够转正

【文章标题】: 调整区段大小
【文章作者】: ALL
【作者主页】: hi.baidu.com/8oahck
【使用工具】: WinHex
【操作平台】: WindowsXP
【作者声明】: 只是感兴趣，没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
  有时候用LordPE加区段无法成功，这是一件很让人沮丧的事情，
  所以今天在这里介绍一下我的方法，希望对大家有用，
  如果有什么不足的地方，希望大家提出来，大家一起进步！

  在这里以汇编语言生成的一个小程序为例进行说明。
  主要思路:在区段.text指向的空间中新加0X400个字节

  下面的是这个程序的3 个区段
  ================.text[一般代码存放的位置 | 可读，可执行]=========================

    typedef struct _IMAGE_SECTION_HEADER
  (
   BYTE NAME[IMAGE_SIZEOF_SHORT_NAME];    //  2E74 6578 7400 0000 .text 区段名
   Union
   (
      DWORD PhysicalAddress;
       DWORD VirtualSize;                // C802 0000                      虚拟大小
    )Misc;
       DWORD VirtualAddress;             // 0010 0000                      虚拟地址
      DWORD SizeOfRawData;             // 0004 0000  ---0000 0400                   镜像大小
      DWORD PointerToRawData;          // 0004 0000  ---0000 0400                   镜像指针
      DWORD PointerToRelocations;       // 0000 0000                      重定位指针
      DWORD PointerToLinenumbers;       // 0000 0000
      WORD NumberOfRelocations;       // 0000
      WORD NumberOfLinenumbers;       // 0000
      DWORD Characteristics;             // 2000 0060                      区段属性
   ) IMAGE_SECTION_HEADER,*PIMAGE_SECTION_HEADER;

  -------------------------------------------------------------------------------------------------------------------
   从上面的PointerToRawData可以看出.text指向的是0x400的位置，大小为0x400,
    现在我们再0x800处加入我们的0x400字节(十进制:1024)
    加入0x400字节后，原来的大小[SizeOfRawData]变为0x800,后面节的指针也要做相应的修改，

    本来节.rdata的指针[PointerToRawData]是指向0x800的，由于加上了0x400个字节，所以指针变为0xC00
  ----------------------------------------------------------------------------------------------------------------------

    typedef struct _IMAGE_SECTION_HEADER    // 2E72 6461 7461 0000    .rdata
  (
   BYTE NAME[IMAGE_SIZEOF_SHORT_NAME];
   Union
   (
      DWORD PhysicalAddress;
       DWORD VirtualSize;                // 2003 0000
    )Misc;
       DWORD VirtualAddress;             // 0020 0000
      DWORD SizeOfRawData;                // 0004 0000
      DWORD PointerToRawData;             // 0008 0000             此处的指针将做相应的修改
      DWORD PointerToRelocations;       // 0000 0000
      DWORD PointerToLinenumbers;       // 0000 0000
      WORD NumberOfRelocations;          // 0000
      WORD NumberOfLinenumbers;          // 0000
      DWORD Characteristics;             // 4000 0040
   ) IMAGE_SECTION_HEADER,*PIMAGE_SECTION_HEADER;


  -------------------------------------------------------------------------------------------------------------------
    现在来调整一下.data的大小
    在尾部添加0x800个字节
  -------------------------------------------------------------------------------------------------------------------
    typedef struct _IMAGE_SECTION_HEADER
  (
   BYTE NAME[IMAGE_SIZEOF_SHORT_NAME];       // 2E64 6174 6100 0000 .data
   Union
   (
      DWORD PhysicalAddress;
       DWORD VirtualSize;                   // 0800 0000 --- 0000 0008  改为0000 0800 --- 0008 0000
    )Misc;
       DWORD VirtualAddress;                // 0030 0000 --- 0000 3000
      DWORD SizeOfRawData;                // 0000 0000 --- 0004 0000
      DWORD PointerToRawData;             // 0000 0000 --- 000C 0000
      DWORD PointerToRelocations;          // 0000 0000
      DWORD PointerToLinenumbers;          // 0000 0000
      WORD NumberOfRelocations;          // 0000
      WORD NumberOfLinenumbers;          // 0000
      DWORD Characteristics;             // 400000C0 --- C000 0040
   ) IMAGE_SECTION_HEADER,*PIMAGE_SECTION_HEADER;


  ================================================================================

    修改以前的数据

  Offset    0  1  2  3  4  5  6  7 8  9  A  B  C  D  E  F

  000001B0 00 00 00 00 00 00 00 00  2E 74 65 78 74 00 12 00 .........text...
  000001C0 C8 02 00 00 00 10 00 00  00 04 00 00 00 04 00 00 ?..............
  000001D0 00 00 00 00 00 00 00 00  00 00 00 00 20 00 00 60 ............ ..`
  000001E0 2E 72 64 61 74 61 00 00  20 03 00 00 00 20 00 00 .rdata.. .... ..
  000001F0 00 04 00 00 00 08 00 00  00 00 00 00 00 00 00 00 ................
  00000200 00 00 00 00 40 00 00 40  2E 64 61 74 61 00 12 00 ....@..@.data...
  00000210 08 00 00 00 00 30 00 00  00 00 00 00 00 00 00 00 .....0..........
  00000220 00 00 00 00 00 00 00 00  00 00 00 00 40 00 00 C0 ............@..


   修改后的数据

  Offset    0  1  2  3  4  5  6  7 8  9  A  B  C  D  E  F

  000001B0 00 00 00 00 00 00 00 00  2E 74 65 78 74 00 00 00 .........text...
  000001C0 C8 02 00 00 00 10 00 00  00[08]00 00 00 04 00 00 ?..............
  000001D0 00 00 00 00 00 00 00 00  00 00 00 00 20 00 00 60 ............ ..`
  000001E0 2E 72 64 61 74 61 00 00  20 03 00 00 00 20 00 00 .rdata.. .... ..
  000001F0 00 04 00 00 00[0C]00 00  00 00 00 00 00 00 00 00 ................
  00000200 00 00 00 00 40 00 00 40  2E 64 61 74 61 00 00 00 ....@..@.data...
  00000210 08 00 00 00 00 30 00 00  00 00 00 00 00 00 00 00 .....0..........
  00000220 00 00 00 00 00 00 00 00  00 00 00 00 40 00 00 C0 ............@..


  ================================================================================

--------------------------------------------------------------------------------
【经验总结】


    typedef struct _IMAGE_SECTION_HEADER
  (
   BYTE NAME[IMAGE_SIZEOF_SHORT_NAME];
   Union
   (
      DWORD PhysicalAddress;
       DWORD VirtualSize;
    )Misc;
       DWORD VirtualAddress;
      DWORD SizeOfRawData;
      DWORD PointerToRawData;
      DWORD PointerToRelocations;
      DWORD PointerToLinenumbers;
      WORD NumberOfRelocations;
      WORD NumberOfLinenumbers;
      DWORD Characteristics;
   ) IMAGE_SECTION_HEADER,*PIMAGE_SECTION_HEADER;

--------------------------------------------------------------------------------
【版权声明】: 版权只属于原作者,如果涉及版权，请于作者联系！

                                                   2010年05月15日 13:25:49

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・1

免费・0

支持