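// Rebase a 32-bit PE image held in a file buffer: raise ImageBase by 0x1000,
// then walk the base relocation blocks starting at pNewSecbuffer and add the
// same delta to every HIGHLOW fix-up target.
//
// Every field read below comes from the PE file itself, so a malformed file
// controls VirtualAddress, SizeOfBlock and the entry values.
pNTHeader->OptionalHeader.ImageBase += 0x1000;

// Start at the first relocation block.
pRelocationBase = (PIMAGE_BASE_RELOCATION)pNewSecbuffer;
while (1)
{
    // A block can never be smaller than its own 8-byte header. Testing only
    // for the all-zero terminator let a block with SizeOfBlock == 0 and a
    // non-zero VirtualAddress spin forever, and a SizeOfBlock of 1..7 wrapped
    // the entry count below into a huge value. This check covers the
    // terminator and both malformed cases.
    if (pRelocationBase->SizeOfBlock < sizeof(IMAGE_BASE_RELOCATION))
        break;

    // NOTE(review): nothing here bounds the walk by the length of the
    // relocation data; that length is not visible in this fragment. The
    // caller should also stop at the end of the table and confirm that each
    // block lies inside the buffer before trusting SizeOfBlock.

    // Check that the block's page RVA falls inside one of the sections.
    // IMAGE_FIRST_SECTION honours FileHeader.SizeOfOptionalHeader instead of
    // assuming the optional header is exactly sizeof(IMAGE_NT_HEADERS32)
    // minus the leading fields, and avoids a pointer-to-DWORD cast.
    PIMAGE_SECTION_HEADER pSecHeader = IMAGE_FIRST_SECTION(pNTHeader);
    BOOL bFind = FALSE;
    for (WORD x = 0; x < pNTHeader->FileHeader.NumberOfSections; ++x, ++pSecHeader)
    {
        DWORD low = pSecHeader->VirtualAddress;               // in-memory start (RVA)
        DWORD hign = low + pSecHeader->Misc.VirtualSize;      // in-memory end (RVA, exclusive)
        if ((pRelocationBase->VirtualAddress >= low) && (pRelocationBase->VirtualAddress < hign))
        {
            bFind = TRUE;
            break;
        }
    }
    if (!bFind) // no section contains this block: stop processing
        break;

    // Entries are 16-bit words following the block header: the top 4 bits are
    // the relocation type, the low 12 bits the offset inside the page.
    DWORD nItems = (DWORD)((pRelocationBase->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD));
    PWORD pItem = (PWORD)((PBYTE)pRelocationBase + sizeof(IMAGE_BASE_RELOCATION));
    for (DWORD n = 0; n < nItems; ++n, ++pItem)
    {
        WORD item4 = *pItem >> 12;
        WORD item12 = *pItem & 0x0fff;
        if (item4 == IMAGE_REL_BASED_HIGHLOW)
        {
            // The patched DWORD holds an absolute address (global, constant
            // or function), so it moves by the same delta as ImageBase.
            DWORD rva = pRelocationBase->VirtualAddress + item12;
            // NOTE(review): RVAtoFOA's result is used unchecked and its
            // failure value is not visible here; confirm that the offset plus
            // sizeof(DWORD) stays inside newFilebuffer before writing.
            // Byte-pointer arithmetic replaces the (DWORD) pointer cast,
            // which truncates addresses in a 64-bit build.
            PDWORD pAddress = (PDWORD)((PBYTE)newFilebuffer + RVAtoFOA(newFilebuffer, rva));
            *pAddress += 0x1000;
        }
    }

    // Advance to the next block; SizeOfBlock is at least 8 here, so the walk
    // always moves forward.
    pRelocationBase = (PIMAGE_BASE_RELOCATION)((PBYTE)pRelocationBase + pRelocationBase->SizeOfBlock);
}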