[旧帖]
[求助]关于PE文件的问题
[旧帖] [求助]关于PE文件的问题
菜鸟的一个小发现,这样居然也能运行?
#include <Windows.h>
#include <DbgHelp.h>
#pragma comment(lib, "DbgHelp.lib")
#include <stdio.h>
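// Copies the running EXE's mapped image into a freshly allocated executable
// buffer, applies the image's base relocations so the copy is valid at its new
// address, and then patches this function's own saved return address so that
// the caller resumes inside the copy. Everything after the call site therefore
// runs out of the relocated copy rather than out of the original module.
//
// Limits, all inherent in the technique as written:
//  * x86-32 only: the inline asm and the 32-bit pointer arithmetic.
//  * The return-address patch reads/writes [ebp+4], so this function must have
//    a conventional EBP frame (the original comment notes it works in a debug
//    build; with frame-pointer omission the write would corrupt the stack).
//  * The copy must live in executable memory. The original used `new TCHAR[]`,
//    i.e. the process heap, which is non-executable whenever DEP/NX is enforced
//    for the process; VirtualAlloc(PAGE_EXECUTE_READWRITE) is used instead.
//    RWX is needed because the copy holds both the code that executes and the
//    data (.data, IAT, headers) that this code reads and writes in place.
//  * The copy is deliberately never released: code keeps executing from it.
//  * Only the return address is redirected; nothing else on the stack is.
void JmpNewModuleExecute()
{
    HMODULE hOldMod = ::GetModuleHandle(NULL);
    PIMAGE_NT_HEADERS pNtH = ::ImageNtHeader(hOldMod);
    if (pNtH == NULL)
        return;                                   // no usable PE header; nothing to do

    const DWORD dwImageSz = pNtH->OptionalHeader.SizeOfImage;
    LPBYTE pNewImage = (LPBYTE)::VirtualAlloc(NULL, dwImageSz,
                                              MEM_RESERVE | MEM_COMMIT,
                                              PAGE_EXECUTE_READWRITE);
    if (pNewImage == NULL)
        return;                                   // leave execution in the original image
    HMODULE hNewMod = (HMODULE)pNewImage;

    // Fresh VirtualAlloc pages are zero-filled, so no separate RtlZeroMemory is needed.
    RtlCopyMemory(pNewImage, hOldMod, dwImageSz);

    pNtH = ::ImageNtHeader(hNewMod);
    const IMAGE_DATA_DIRECTORY& relocDir =
        pNtH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];

    // Defensive: only walk a relocation directory that lies entirely inside the image.
    if (relocDir.Size > 0 && relocDir.VirtualAddress != 0 &&
        relocDir.VirtualAddress <= dwImageSz &&
        relocDir.Size <= dwImageSz - relocDir.VirtualAddress)
    {
        // The bytes just copied were already fixed up by the loader for hOldMod,
        // so every absolute pointer in the copy is hOldMod-relative. The delta is
        // therefore new base minus the *actual* old base. The original subtracted
        // the header's preferred ImageBase instead, which only matches when the
        // EXE was loaded at its preferred address (i.e. was not itself relocated).
        const LONG_PTR lDelta = (LONG_PTR)hNewMod - (LONG_PTR)hOldMod;

        LPBYTE pBlock  = pNewImage + relocDir.VirtualAddress;
        LPBYTE pDirEnd = pBlock + relocDir.Size;

        while (pBlock + sizeof(IMAGE_BASE_RELOCATION) <= pDirEnd)
        {
            PIMAGE_BASE_RELOCATION pIBR = (PIMAGE_BASE_RELOCATION)pBlock;

            // A zero VirtualAddress terminates the list. A block shorter than its
            // own header, or one running past the directory, is malformed: stop
            // (the original would underflow dwCount and keep reading).
            if (pIBR->VirtualAddress == 0 ||
                pIBR->SizeOfBlock < sizeof(IMAGE_BASE_RELOCATION) ||
                (DWORD)(pDirEnd - pBlock) < pIBR->SizeOfBlock)
                break;

            const DWORD dwCount = (pIBR->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
            const PWORD pItems  = (PWORD)(pBlock + sizeof(IMAGE_BASE_RELOCATION));

            for (DWORD i = 0; i < dwCount; ++i)
            {
                const WORD  wType    = pItems[i] >> 12;
                const DWORD dwTarget = pIBR->VirtualAddress + (pItems[i] & 0x0FFF);

                // 32-bit images carry HIGHLOW entries; ABSOLUTE (0) entries are
                // alignment padding and are skipped. The 4-byte target must lie
                // fully inside the copy before it is patched.
                if (wType == IMAGE_REL_BASED_HIGHLOW && dwTarget <= dwImageSz - sizeof(DWORD))
                    *(LPDWORD)(pNewImage + dwTarget) += (DWORD)lDelta;
            }
            pBlock += pIBR->SizeOfBlock;
        }
    }

    // Read this function's own return address from the EBP frame
    // (saved EBP at [ebp], return address at [ebp+4]).
    DWORD dwRetAddr;
    __asm
    {
        mov eax, ds:[ebp + 4]
        mov dwRetAddr, eax
    }

    // Redirect only if the return address really lies inside the original image;
    // otherwise the translation below would send the caller to an arbitrary address.
    if (dwRetAddr < (DWORD)hOldMod || dwRetAddr - (DWORD)hOldMod >= dwImageSz)
        return;

    dwRetAddr = dwRetAddr - (DWORD)hOldMod + (DWORD)hNewMod;   // same RVA, new base

    // Overwrite the saved return address so the caller resumes in the copy.
    __asm
    {
        mov eax, dwRetAddr
        mov ds:[ebp + 4], eax
    }
}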
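// Demonstration entry point. After JmpNewModuleExecute() returns, its patched
// return address lands in the relocated copy, so the MessageBox call below is
// executed from the allocated buffer rather than from the original image.
// The original declared `void main()` and kept an unused GetModuleHandle()
// result; both are dropped here.
int main()
{
    JmpNewModuleExecute();   // from here on, this code runs out of the copy
    MessageBox(0, 0, 0, 0);
    return 0;
}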