// ArmReb.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
typedef struct IatPtr {
DWORD AsciiPtr;
} IatPtr, *PIatPtr;
typedef struct ImpAsciiHdr {
WORD AsciiLen;
unsigned char Ascii;
} ImpAsciiHdr, *PImpAsciiHdr;
typedef struct ImpHdr {
DWORD ApiRVA;
DWORD ApiCnt;
} ImpHdr, *PImpHdr;
typedef struct RETBUFFER {
BYTE * FileOffset;
DWORD FileSize;
DWORD ErrCode;
DWORD Bread;
} RETBUFFER, *PRETBUFFER;
// ************************************************************************
// RVA2RAW (DWORD RVA) finds & translates
//
// Return Codes: != 0 -> RAW POSITION
//
// 0 failed to find
//
// ************************************************************************
DWORD RVA2RAW (DWORD offset,BYTE * base)
{
PIMAGE_DOS_HEADER doshdr = (PIMAGE_DOS_HEADER) (BYTE *)base;
PIMAGE_NT_HEADERS nthdr = (PIMAGE_NT_HEADERS) (BYTE *)(base+doshdr->e_lfanew);
PIMAGE_SECTION_HEADER temp_section_header = (PIMAGE_SECTION_HEADER)(BYTE *)(base+doshdr->e_lfanew+sizeof (IMAGE_NT_HEADERS));
for (int seccounter=0;seccounter < nthdr->FileHeader.NumberOfSections;seccounter++)
{
if ((offset >= temp_section_header->VirtualAddress) && (offset <= (temp_section_header->VirtualAddress+temp_section_header->Misc.VirtualSize))) return ((offset-temp_section_header->VirtualAddress)+temp_section_header->PointerToRawData);
temp_section_header++;
}
return 0;
}
DWORD ReadFileMem (char * FileName,RETBUFFER * tescht)
{
PRETBUFFER StrPtr = (PRETBUFFER) (tescht);
HANDLE File;
File = CreateFile (FileName,GENERIC_READ,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
if (File == INVALID_HANDLE_VALUE) return -1;
StrPtr->FileSize = GetFileSize (File,0);
if (StrPtr->FileSize == 0) return -1;
StrPtr->FileOffset = (unsigned char *)GlobalAlloc (GMEM_ZEROINIT,StrPtr->FileSize);
if (StrPtr->FileOffset == 0) return -1;
if (ReadFile (File,StrPtr->FileOffset,StrPtr->FileSize,&StrPtr->Bread,0) == 0) return -1;
StrPtr->ErrCode = 1;
CloseHandle (File);
return 0;
}
DWORD WriteFileMem (char * FileName,RETBUFFER * tescht)
{
PRETBUFFER StrPtr = (PRETBUFFER) (tescht);
HANDLE File;
File = CreateFile (FileName,GENERIC_READ | GENERIC_WRITE,0,0,OPEN_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
if (File == INVALID_HANDLE_VALUE) return -1;
if (StrPtr->FileSize == 0) return -1;
if (StrPtr->FileOffset == 0) return -1;
if (WriteFile (File,StrPtr->FileOffset,StrPtr->FileSize,&StrPtr->Bread,0) == 0) return -1;
StrPtr->ErrCode = 1;
CloseHandle (File);
return 0;
}
int main(int argc, char* argv[])
{
printf ("ArmRebuild v0.1 * for private -internal- use only * ^DAEMON^ 2oo5\n\n");
if (argc == 3)
{
RETBUFFER ImportsInfo;
RETBUFFER DumpFileInfo;
memset (&ImportsInfo,0,sizeof(RETBUFFER));
memset (&DumpFileInfo,0,sizeof(RETBUFFER));
// LOAD DATA INTO MEMORY
if (ReadFileMem (argv[1],&ImportsInfo) != 0)
{
printf ("[x] Failed to Load '%s'\n",argv[1]);
return 0;
}
printf ("[i] Loaded '%s' Size: %d\n",argv[1],ImportsInfo.FileSize);
if (ReadFileMem (argv[2],&DumpFileInfo) != 0)
{
printf ("[x] Failed to Load '%s'\n",argv[2]);
return 0;
}
printf ("[i] Loaded '%s' Size: %d\n",argv[2],DumpFileInfo.FileSize);
do
{
// DUMP IMPORT INFORMATION ON SCREEN
printf ("[i] DLL ASCII: '%s'\n",ImportsInfo.FileOffset);
PImpHdr ImpHdrPtr = (PImpHdr) (ImportsInfo.FileOffset+strlen ((const char *)ImportsInfo.FileOffset)+1);
printf ("[i] API's to fix: %d DestOfs: %8.8X\n",ImpHdrPtr->ApiCnt,ImpHdrPtr->ApiRVA);
// TRANSLATE RVA TO RAW
PIatPtr RawOfs = (PIatPtr) (RVA2RAW (ImpHdrPtr->ApiRVA,DumpFileInfo.FileOffset)+DumpFileInfo.FileOffset);
// DUMP APIS TO SCREEN
BYTE * TmpApiPtr = (ImportsInfo.FileOffset+strlen ((const char *)ImportsInfo.FileOffset)+9);
for (unsigned int i=1;i<=ImpHdrPtr->ApiCnt;i++)
{
PImpAsciiHdr TmpAscii = (PImpAsciiHdr) TmpApiPtr;
if (TmpAscii->Ascii == 0xFF)
{
// NO NEED TO FIX ORDINALS, DIDN'T GET MESSED!
//printf ("[i] Api[%d] IT Entry: %8.8X Ordinal: %8.8X\n",i,RawOfs->AsciiPtr,*(DWORD*)(&TmpAscii->Ascii+1));
}
else
{
//printf ("[i] Api[%d] IT Entry: %8.8X Ascii: '%s'\n",i,RawOfs->AsciiPtr,&TmpAscii->Ascii);
// FIX IT
memcpy (2+RVA2RAW(RawOfs->AsciiPtr,DumpFileInfo.FileOffset)+DumpFileInfo.FileOffset,&TmpAscii->Ascii,strlen ((const char *)(&TmpAscii->Ascii)));
}
TmpApiPtr += sizeof (TmpAscii->AsciiLen)+TmpAscii->AsciiLen;
RawOfs++;
}
ImportsInfo.FileOffset = TmpApiPtr+2;
} while (strlen ((const char *)ImportsInfo.FileOffset) != 0);
// DUMP BUFFER TO DISK
unsigned char OutFn[256];
strcpy ((char *)OutFn,argv[2]);
strcat ((char *)OutFn,".fix");
if (WriteFileMem ((char *)OutFn,&DumpFileInfo) != 0)
{
printf ("[x] Failed to Write '%s'\n",OutFn);
return 0;
}
printf ("[i] Written Mem to '%s'\n",OutFn);
return 1;
}
printf ("Syntax: ArmRebuild.exe [imports.ext] [dumptofix.ext]\n");
return 0;
}
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
