[求助] 用挂起进程运行另一个进程的问题
发表于: 2018-1-24 15:17 2683
运行后报错“程序无法正常启动 (0xc0000005)”，代码如下：
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
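/*
 * Read a whole file into a freshly allocated buffer.
 *
 * lpszFile     path of the file to read (opened in binary mode).
 * pFileBuffer  receives the malloc'd buffer on success and is left untouched
 *              on failure.  Ownership passes to the caller, who must free() it.
 *
 * Returns the file size in bytes, or 0 on any failure: unopenable file,
 * empty file, seek/tell error, allocation failure or short read.
 *
 * Fixes relative to the original: fclose(NULL) was called when fopen failed
 * (undefined behaviour); the empty-file path returned without closing the
 * stream (handle leak); ftell's -1 error result was treated as a size.
 */
DWORD ReadPEFile(IN LPSTR lpszFile,OUT LPVOID *pFileBuffer)
{
    DWORD result = 0;
    LPVOID pTempFileBuffer = NULL;
    long fileSize = 0;

    if (!lpszFile || !pFileBuffer)
    {
        return 0;
    }
    FILE *pFile = fopen(lpszFile, "rb");
    if (!pFile)
    {
        /* Nothing was opened, so there is nothing to close. */
        return 0;
    }
    if (fseek(pFile, 0, SEEK_END) != 0)
    {
        goto out_close;
    }
    fileSize = ftell(pFile);
    /* ftell reports errors as -1; an empty file is also useless here. */
    if (fileSize <= 0)
    {
        goto out_close;
    }
    if (fseek(pFile, 0, SEEK_SET) != 0)
    {
        goto out_close;
    }
    pTempFileBuffer = malloc((size_t)fileSize);
    if (!pTempFileBuffer)
    {
        goto out_close;
    }
    /* Request one object of fileSize bytes: fread returns 1 only if the
     * whole file was read, so a short read is reported as failure. */
    if (fread(pTempFileBuffer, (size_t)fileSize, 1, pFile) != 1)
    {
        free(pTempFileBuffer);
        goto out_close;
    }
    *pFileBuffer = pTempFileBuffer;
    result = (DWORD)fileSize;

out_close:
    /* Single exit: every path that opened the stream closes it. */
    fclose(pFile);
    return result;
}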
/*
 * Unmap the view mapped at BaseAddr in the process ProcHnd by calling the
 * ntdll export ZwUnmapViewOfSection, resolved at run time with
 * LoadLibrary/GetProcAddress rather than linked against an import library.
 *
 * ProcHnd   handle of the target process.
 * BaseAddr  base address of the mapped view to unmap.
 *
 * Returns TRUE only if ntdll.dll could be loaded, the export was found and
 * the call returned 0 (STATUS_SUCCESS); FALSE otherwise.
 *
 * Currently unused: the only call site in main() is commented out.
 * Defender note: resolving Zw*/Nt* exports through GetProcAddress at run time
 * is one of the indicators sandbox and EDR import analysis keys on.
 */
BOOL UnloadShell(HANDLE ProcHnd, unsigned long BaseAddr)
{
    /* The real signature takes a HANDLE and a PVOID; declaring both as
     * unsigned long (and casting ProcHnd below) only works for 32-bit builds. */
    typedef unsigned long (__stdcall *pfZwUnmapViewOfSection)(unsigned long, unsigned long);
    pfZwUnmapViewOfSection ZwUnmapViewOfSection = NULL;
    BOOL res = FALSE;
    HMODULE m = LoadLibrary("ntdll.dll");
    if(m)
    {
        ZwUnmapViewOfSection = (pfZwUnmapViewOfSection)GetProcAddress(m, "ZwUnmapViewOfSection");
        if(ZwUnmapViewOfSection) {
            //printf("%x\n",ZwUnmapViewOfSection((unsigned long)ProcHnd, BaseAddr));
            /* NTSTATUS 0 means success; any other value is reported as FALSE. */
            res = (ZwUnmapViewOfSection((unsigned long)ProcHnd, BaseAddr) == 0);
        }
        /* Balances the LoadLibrary above; ntdll itself stays mapped regardless. */
        FreeLibrary(m);
    }
    return res;
}
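/*
 * Expand a PE file (file layout) into a buffer laid out the way the loader
 * would map it: SizeOfImage bytes, the headers at offset 0 and each section
 * at its VirtualAddress.
 *
 * pFileBuffer   raw file contents, e.g. as returned by ReadPEFile().
 * pImageBuffer  receives a malloc'd, zero-filled buffer of SizeOfImage bytes
 *               on success; untouched on failure.  Ownership passes to the
 *               caller, who must free() it.
 *
 * Returns SizeOfImage on success, 0 on failure.
 *
 * Only PE32 images are handled: the code reads an IMAGE_OPTIONAL_HEADER32,
 * so a PE32+ (64-bit) file is rejected by the Magic check.
 *
 * The header fields come from the file and are treated as untrusted input:
 * every destination offset is checked against SizeOfImage so a malformed
 * header cannot write outside the allocated image.  The caller does not pass
 * the file size, so source offsets (e_lfanew, PointerToRawData) cannot be
 * bounds-checked here and a truncated file can still be over-read.
 */
DWORD CopyFileBufferToImageBuffer(IN LPVOID pFileBuffer,OUT LPVOID *pImageBuffer)
{
    if (!pFileBuffer || !pImageBuffer)
    {
        return 0;
    }
    const unsigned char *file = (const unsigned char *)pFileBuffer;

    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
    {
        printf("不是exe");
        return 0;
    }
    /* e_lfanew is a signed LONG; a negative value would point before the buffer. */
    if (pDosHeader->e_lfanew < 0)
    {
        return 0;
    }
    PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)(file + pDosHeader->e_lfanew);
    if (pNTHeader->Signature != IMAGE_NT_SIGNATURE)
    {
        return 0;
    }
    /* FileHeader follows the 4-byte signature; the optional header follows it. */
    PIMAGE_FILE_HEADER pPEHeader = &pNTHeader->FileHeader;
    PIMAGE_OPTIONAL_HEADER32 pOptionHeader =
        (PIMAGE_OPTIONAL_HEADER32)((const unsigned char *)pPEHeader + IMAGE_SIZEOF_FILE_HEADER);
    /* This routine only understands the 32-bit optional header layout. */
    if (pOptionHeader->Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    {
        return 0;
    }
    /* The section table starts right after the optional header, whose length
     * is given by the file header rather than by sizeof. */
    PIMAGE_SECTION_HEADER pSectionHeader =
        (PIMAGE_SECTION_HEADER)((const unsigned char *)pOptionHeader + pPEHeader->SizeOfOptionalHeader);

    DWORD sizeOfImage = pOptionHeader->SizeOfImage;
    if (sizeOfImage == 0 || pOptionHeader->SizeOfHeaders > sizeOfImage)
    {
        return 0;
    }

    /* calloc zero-fills the gaps between sections (replaces malloc + memset).
     * Cast kept because this file is built as C++ (stdafx.h). */
    unsigned char *image = (unsigned char *)calloc(sizeOfImage, 1);
    if (!image)
    {
        printf("申请空间失败");
        return 0;
    }
    memcpy(image, file, pOptionHeader->SizeOfHeaders);

    for (unsigned i = 0; i < pPEHeader->NumberOfSections; i++, pSectionHeader++)
    {
        DWORD va = pSectionHeader->VirtualAddress;
        DWORD raw = pSectionHeader->SizeOfRawData;
        if (raw == 0)
        {
            continue; /* e.g. .bss: nothing in the file to copy */
        }
        /* Written as a subtraction so va + raw cannot wrap around. */
        if (va > sizeOfImage || raw > sizeOfImage - va)
        {
            free(image);
            return 0;
        }
        memcpy(image + va, file + pSectionHeader->PointerToRawData, raw);
    }

    *pImageBuffer = image;
    return sizeOfImage;
}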
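/*
 * Write `size` bytes from pFileBuffer to the file at lpszFile (created or
 * truncated, binary mode).
 *
 * pFileBuffer  data to write.  The buffer is NOT freed by this function: the
 *              caller keeps ownership.  (The original freed it on a failed
 *              write, which double-frees with any caller-side cleanup.)
 * size         number of bytes to write.
 * lpszFile     destination path; an input, despite the original OUT tag.
 *
 * Returns TRUE on success, FALSE if the file cannot be opened, the write is
 * short, or the final fclose (which flushes) fails.
 *
 * Fixes relative to the original: the fopen result was not checked, so an
 * unwritable path dereferenced a NULL FILE*; the stray ';' after the
 * closing brace is gone.
 */
BOOL MemeryTOFile(IN LPVOID pFileBuffer,IN DWORD size,IN LPSTR lpszFile)
{
    FILE *pFile = fopen(lpszFile, "wb");
    if (!pFile)
    {
        printf("存盘失败\n");
        return FALSE;
    }
    /* One object of `size` bytes: fwrite returns 1 only for a complete write. */
    BOOL ok = (fwrite(pFileBuffer, size, 1, pFile) == 1);
    if (!ok)
    {
        printf("存盘失败\n");
    }
    /* fclose flushes buffered data; a failure here means the file on disk is
     * incomplete even though fwrite reported success. */
    if (fclose(pFile) != 0)
    {
        ok = FALSE;
    }
    return ok;
}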
/*
 * Entry point.  Starts one program suspended, reads a second PE file from
 * disk, builds and relocates a private image-layout copy of it inside THIS
 * process, then overwrites the suspended process's PEB.ImageBaseAddress and
 * thread context and resumes it.
 *
 * The API chain CreateProcess(CREATE_SUSPENDED) -> GetThreadContext ->
 * ReadProcessMemory/WriteProcessMemory on the PEB -> SetThreadContext ->
 * ResumeThread is the sequence detection engineering labels "process
 * hollowing"; EDR and sandbox rules key on exactly this chain.
 *
 * Review notes (no behaviour changed in this edit):
 *  - No return value from CreateProcess, GetThreadContext, ReadPEFile,
 *    ReadProcessMemory, CopyFileBufferToImageBuffer, WriteProcessMemory or
 *    SetThreadContext is checked, so any failure surfaces later as a crash.
 *  - All pointer arithmetic goes through DWORD casts: 32-bit builds only.
 *  - Both branches end in exit(0), so the process/thread handles and the
 *    malloc'd buffers are never released; argc/argv are unused and the
 *    two paths are hard-coded to the author's machine.
 */
int main(int argc, char* argv[])
{
    STARTUPINFO ie_si = {0};
    PROCESS_INFORMATION ie_pi; /* not initialised: garbage if CreateProcess fails */
    ie_si.cb = sizeof(ie_si);
    // Create the process suspended: its initial thread has not run yet.
    TCHAR szBuffer[256] = "C:/Program Files (x86)/KuGou/KGMusic/KuGou.exe";
    CreateProcess(
        NULL, // name of executable module
        szBuffer, // command line string
        NULL, // SD
        NULL, // SD
        FALSE, // handle inheritance option
        CREATE_SUSPENDED, // creation flags
        NULL, // new environment block
        NULL, // current directory name
        &ie_si, // startup information
        &ie_pi // process information
    );
    CONTEXT contx;
    contx.ContextFlags = CONTEXT_FULL; /* integer registers are needed (Eax/Ebx) */
    GetThreadContext(ie_pi.hThread, &contx);
    printf("%x\n",contx.Eax) ;
    // Entry point: per the original author, Eax of the never-run initial thread
    // holds the image entry point.  Stored here but not used afterwards.
    DWORD dwEntryPoint = contx.Eax;
    // ImageBase: Ebx points at the PEB; offset 8 is PEB.ImageBaseAddress in the
    // 32-bit PEB layout (the original comment only says "get ImageBase").
    char* baseAddress = (CHAR *) contx.Ebx+8;
    /* szBuffer is reused as a 4-byte scratch area for the remote read/write. */
    memset(szBuffer,0,256);
    ReadProcessMemory(ie_pi.hProcess,baseAddress,szBuffer,4,NULL);
    //int ret=UnloadShell(ie_pi.hProcess,*(DWORD*)szBuffer);
    printf("szBuffer==%x\n",*(DWORD*)szBuffer);
    /* Second PE: read into a local buffer and walk its headers (file layout).
     * A 0 return leaves pFileBuffer NULL and the header walk below crashes. */
    LPVOID pFileBuffer = NULL;
    ReadPEFile("C:/Users/Shigx/AppData/Local/Kingsoft/Power Word 2016/2016.3.3.0318/PowerWord.exe",&pFileBuffer);
    PIMAGE_DOS_HEADER pDosHeader = NULL;
    PIMAGE_NT_HEADERS pNTHeader = NULL;
    PIMAGE_FILE_HEADER pPEHeader = NULL;
    PIMAGE_OPTIONAL_HEADER32 pOptionHeader = NULL;
    PIMAGE_SECTION_HEADER pSectionHeader = NULL;
    PIMAGE_DATA_DIRECTORY pDataDirectory = NULL;
    pDosHeader=(PIMAGE_DOS_HEADER)pFileBuffer;
    pNTHeader=(PIMAGE_NT_HEADERS)((DWORD)pDosHeader+pDosHeader->e_lfanew);
    pPEHeader=(PIMAGE_FILE_HEADER)((DWORD)pNTHeader+4); /* skip the 4-byte PE signature */
    pOptionHeader=(PIMAGE_OPTIONAL_HEADER32)((DWORD)pPEHeader+IMAGE_SIZEOF_FILE_HEADER);
    pSectionHeader=(PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader+pPEHeader->SizeOfOptionalHeader);
    pDataDirectory=pOptionHeader->DataDirectory;
    /* Index 5 is the base-relocation directory (IMAGE_DIRECTORY_ENTRY_BASERELOC). */
    if(pDataDirectory[5].VirtualAddress)
    {
        LPVOID pImageBuffer = NULL;
        PIMAGE_BASE_RELOCATION pBaseRelocation = NULL;
        /* Expand file layout -> image layout in a local buffer (return unchecked). */
        CopyFileBufferToImageBuffer(pFileBuffer,&pImageBuffer);
        //MemeryTOFile(pImageBuffer,pOptionHeader->SizeOfImage,"C:/搜狗浏览器下载/逆向工程/check.exe");
        /* Re-walk the headers, this time inside the image-layout copy. */
        pDosHeader=(PIMAGE_DOS_HEADER)pImageBuffer;
        pNTHeader=(PIMAGE_NT_HEADERS)((DWORD)pDosHeader+pDosHeader->e_lfanew);
        pPEHeader=(PIMAGE_FILE_HEADER)((DWORD)pNTHeader+4);
        pOptionHeader=(PIMAGE_OPTIONAL_HEADER32)((DWORD)pPEHeader+IMAGE_SIZEOF_FILE_HEADER);
        pSectionHeader=(PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader+pPEHeader->SizeOfOptionalHeader);
        pDataDirectory=pOptionHeader->DataDirectory;
        pBaseRelocation=(PIMAGE_BASE_RELOCATION)((DWORD)pImageBuffer+pDataDirectory[5].VirtualAddress);
        /* Walk relocation blocks until an all-zero block.  Nothing bounds this
         * walk against SizeOfImage, and a block with SizeOfBlock==0 but a
         * non-zero VirtualAddress never advances (SizeOfBlock-8 wraps). */
        while(!(pBaseRelocation->VirtualAddress==0&&pBaseRelocation->SizeOfBlock==0))
        {
            /* Each block: 8-byte header followed by 2-byte entries. */
            for(DWORD i=0;i<(pBaseRelocation->SizeOfBlock-8)/2;i++)
            {
                DWORD baseAddr=*((PWORD)((DWORD)pBaseRelocation+8+i*2));
                /* Entry layout: top 4 bits = type, low 12 bits = page offset. */
                DWORD ifChange=baseAddr/0x1000;
                if(ifChange==3) /* type 3 = IMAGE_REL_BASED_HIGHLOW (32-bit absolute) */
                {
                    DWORD *offset=NULL;
                    offset=(DWORD*)((DWORD)pImageBuffer+pBaseRelocation->VirtualAddress+baseAddr-ifChange*0x1000);
                    /* Delta = address of the local copy minus the preferred ImageBase. */
                    *offset=*offset+(DWORD)pImageBuffer-pOptionHeader->ImageBase;
                }
            }
            pBaseRelocation=(PIMAGE_BASE_RELOCATION)((DWORD)pBaseRelocation+pBaseRelocation->SizeOfBlock);
        }
        /* New start address for the suspended thread and new PEB.ImageBaseAddress,
         * both expressed with the local copy's address. */
        contx.Eax=(DWORD)pImageBuffer+pOptionHeader->AddressOfEntryPoint;
        memset(szBuffer,0,256);
        *(DWORD*)szBuffer=(DWORD)pImageBuffer;
        WriteProcessMemory(ie_pi.hProcess,baseAddress,szBuffer,4,NULL);
        SetThreadContext(ie_pi.hThread, &contx);
        ResumeThread(ie_pi.hThread);
        exit(0); /* skips handle closing and frees */
    }
    else
    {
        printf("没有重定位表\n");
        exit(0);
    }
    return 0; /* unreachable: both branches exit() above */
}