-
-
[原创]手工添加外部DLL输入表并调用添加函数
-
发表于: 2018-12-2 16:06
-
许多时候需要在其他程序里面调用自己写的DLL,这就需要在其他程序里面添加自己DLL的输入表,要添加输入表我们就要先了解一下输入表的结构:
我们先看一下我们需要修改的程序的相关信息
我们先看一下我们需要修改的程序的相关信息
-----------------------------------FileHead Machine: 014C NumberOfSections: 0002 TimeDateStamp: 00000000 PointerToSymbolTable: 00000000 NumberOfSymbols: 00000000 SizeOfOptionalHeader: 00E0 Characteristics: 030F -----------------------------------OptionalHeader Magic: 010B MajorLinkerVersion: 06 MinorLinkerVersion: 00 SizeOfCode: 00000000 SizeOfInitializedData: 00000000 SizeOfUninitializedData: 00000000 AddressOfEntryPoint: 00001040 BaseOfCode: 00001000 BaseOfData: 00002000 //NT additional fields... ImageBase: 00400000 SectionAlignment: 00001000 FileAlignment: 00000200 MajorOperatingSystemVersion: 0004 MinorOperatingSystemVersion: 0000 MajorImageVersion: 0000 MinorImageVersion: 0000 MajorSubsystemVersion: 0004 MinorSubsystemVersion: 0000 Win32VersionValue: 00000000 SizeOfImage: 00003000 SizeOfHeaders: 00000200 CheckSum: 00008217 Subsystem: 0002 DllCharacteristics: 0000 SizeOfStackReserve: 00100000 SizeOfStackCommit: 00001000 SizeOfHeapReserve: 00100000 SizeOfHeapCommit: 00001000 LoaderFlags: 00000000 NumberOfRvaAndSizes: 00000010 ------------------------------------DataDirectory No. VirtualAddress Size 0 00000000 00000000 EXPORT 1 00002040 00000050 IMPORT 2 00000000 00000000 RESOURCE 3 00000000 00000000 EXCEPTION 4 00000000 00000000 SECURITY 5 00000000 00000000 BASERELOC 6 00000000 00000000 DEBUG 7 00000000 00000000 ARCHITECTURE 8 00000000 00000000 GLOBALPTR 9 00000000 00000000 TLS 10 00000000 00000000 LOAD_CONFIG 11 00000000 00000000 BOUND_IMPORT 12 00002090 00000038 IAT 13 00000000 00000000 DELAY_IMPORT 14 00000000 00000000 COM_DESCRIPTOR 15 00000000 00000000 ... --------------------------------Section Name VirtualAddress VirtualSize PointerToRawData SizeOfRawData Characteristics .text 00001000 00000368 00000200 00000400 60000020 .data 00002000 000001C0 00000600 00000200 C0000040 --------------------------------Import ImpAddr: 00000640 OriginalFirstThunk: 000020C8 TimeDateStamp : 00000000 ForwarderChain : 00000000 FirstThunk : 00002090 ●--user32.dll pNameAddr: 00000690 0000 00000690 MessageBoxA OriginalFirstThunk: 000020D0 TimeDateStamp : 00000000 ForwarderChain : 00000000 FirstThunk : 00002098 ●--msvcrt.dll pNameAddr: 00000698 0000 00000698 __set_app_type 0000 0000069C _controlfp 0000 000006A0 exit 0000 000006A4 strstr 0000 000006A8 _XcptFilter 0000 000006AC _exit 0000 000006B0 _except_handler3 OriginalFirstThunk: 000020F0 TimeDateStamp : 00000000 ForwarderChain : 00000000 FirstThunk : 000020B8 ●--kernel32.dll pNameAddr: 000006B8 0000 000006B8 GetCommandLineA 0000 000006BC GetStartupInfoA 0000 000006C0 GetModuleHandleA
从上面的数据可以看出,输入表的地址是:2040,不过这是虚拟地址,要转换成文件的地址,从节的信息可以看出,输入表在.data节,所以这样计算一下:2040-2000+600=640(其中2000是.data节的起始虚拟地址,600是.data节在文件中的起始地址),这就是输入表在文件中的地址了,我们看一下这个地址下的数据:
-----------------------------------FileHead Machine: 014C NumberOfSections: 0002 TimeDateStamp: 00000000 PointerToSymbolTable: 00000000 NumberOfSymbols: 00000000 SizeOfOptionalHeader: 00E0 Characteristics: 030F -----------------------------------OptionalHeader Magic: 010B MajorLinkerVersion: 06 MinorLinkerVersion: 00 SizeOfCode: 00000000 SizeOfInitializedData: 00000000 SizeOfUninitializedData: 00000000 AddressOfEntryPoint: 00001040 BaseOfCode: 00001000 BaseOfData: 00002000 //NT additional fields... ImageBase: 00400000 SectionAlignment: 00001000 FileAlignment: 00000200 MajorOperatingSystemVersion: 0004 MinorOperatingSystemVersion: 0000 MajorImageVersion: 0000 MinorImageVersion: 0000 MajorSubsystemVersion: 0004 MinorSubsystemVersion: 0000 Win32VersionValue: 00000000 SizeOfImage: 00003000 SizeOfHeaders: 00000200 CheckSum: 00008217 Subsystem: 0002 DllCharacteristics: 0000 SizeOfStackReserve: 00100000 SizeOfStackCommit: 00001000 SizeOfHeapReserve: 00100000 SizeOfHeapCommit: 00001000 LoaderFlags: 00000000 NumberOfRvaAndSizes: 00000010 ------------------------------------DataDirectory No. VirtualAddress Size 0 00000000 00000000 EXPORT 1 00002040 00000050 IMPORT 2 00000000 00000000 RESOURCE 3 00000000 00000000 EXCEPTION 4 00000000 00000000 SECURITY 5 00000000 00000000 BASERELOC 6 00000000 00000000 DEBUG 7 00000000 00000000 ARCHITECTURE 8 00000000 00000000 GLOBALPTR 9 00000000 00000000 TLS 10 00000000 00000000 LOAD_CONFIG 11 00000000 00000000 BOUND_IMPORT 12 00002090 00000038 IAT 13 00000000 00000000 DELAY_IMPORT 14 00000000 00000000 COM_DESCRIPTOR 15 00000000 00000000 ... --------------------------------Section Name VirtualAddress VirtualSize PointerToRawData SizeOfRawData Characteristics .text 00001000 00000368 00000200 00000400 60000020 .data 00002000 000001C0 00000600 00000200 C0000040 --------------------------------Import ImpAddr: 00000640 OriginalFirstThunk: 000020C8 TimeDateStamp : 00000000 ForwarderChain : 00000000 FirstThunk : 00002090 ●--user32.dll pNameAddr: 00000690 0000 00000690 MessageBoxA OriginalFirstThunk: 000020D0 TimeDateStamp : 00000000 ForwarderChain : 00000000 FirstThunk : 00002098 ●--msvcrt.dll pNameAddr: 00000698 0000 00000698 __set_app_type 0000 0000069C _controlfp 0000 000006A0 exit 0000 000006A4 strstr 0000 000006A8 _XcptFilter 0000 000006AC _exit 0000 000006B0 _except_handler3 OriginalFirstThunk: 000020F0 TimeDateStamp : 00000000 ForwarderChain : 00000000 FirstThunk : 000020B8 ●--kernel32.dll pNameAddr: 000006B8 0000 000006B8 GetCommandLineA 0000 000006BC GetStartupInfoA 0000 000006C0 GetModuleHandleA
从上面的数据可以看出,输入表的地址是:2040,不过这是虚拟地址,要转换成文件的地址,从节的信息可以看出,输入表在.data节,所以这样计算一下:2040-2000+600=640(其中2000是.data节的起始虚拟地址,600是.data节在文件中的起始地址),这就是输入表在文件中的地址了,我们看一下这个地址下的数据:
输入表的结构大家可以参照我写的另一篇文章:https://bbs.pediy.com/thread-248111.htm
现在的数据来看加一个输入函数是很困难的,因为要将数据整体下移才能挪出空间了,这样要改动的数据就太多了,不过来逆向思维一下,我采取了两个方法来获得空间,首先新增的
IMAGE_IMPORT_DESCRIPTOR结构不往后加,放到现有数据的前面,现在就是
IMAGE_THUNK_DATA32结构还没有空间,我采用的方法是,把
IMAGE_IMPORT_DESCRIPTOR结构中的
OriginalFirstThun清零,这样它指向的数据空间就是放出来了,我们用这部分空间来保存新的输入表,空间都有了,现在就来增加我们需要的输入表。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
最后于 2018-12-3 09:14
被lrtlrt编辑
,原因:
|
|
|---|---|
|
|
|
|
|
|
|
|
多多指教, 
|
|
|
|
