首页
社区
课程
招聘
往节表空白区添加代码
发表于: 2022-3-14 17:52 8198

往节表空白区添加代码

2022-3-14 17:52
8198

大佬们,想问一下不拉伸exe怎么往节的空白去添加代码阿,思路不是:msgbox地址-文件中代码开始的地址-文件对齐+内存对齐+imagebase吗,但是没有办法运行啊,求求各位大佬扔个代码,或者思路把。

#include <stdio.h>
#include <Windows.h>
#define directory "C:\\Users\\allen\\Desktop\\notepad-XP.exe"
void write(char* ptr, int size)
{
    FILE* fp = fopen("Dll1.exe", "wb");
    fwrite(ptr, size, 1, fp);
    fclose(fp);
}
DWORD rtf(char* buffer, DWORD rva)
{
    PIMAGE_DOS_HEADER doshd = (PIMAGE_DOS_HEADER)buffer;
    PIMAGE_NT_HEADERS nthd = (PIMAGE_NT_HEADERS)(buffer + doshd->e_lfanew);
    PIMAGE_FILE_HEADER filehd = (PIMAGE_FILE_HEADER)(buffer + doshd->e_lfanew + 4);
    PIMAGE_OPTIONAL_HEADER32 optionhd = (PIMAGE_OPTIONAL_HEADER32)(buffer + doshd->e_lfanew + 24);
    PIMAGE_SECTION_HEADER sectionhd = IMAGE_FIRST_SECTION(nthd);
    for (int i = 0; i < filehd->NumberOfSections; i++)
    {
        if (rva >= sectionhd[i].VirtualAddress && rva <= sectionhd[i].VirtualAddress + sectionhd[i].SizeOfRawData)
        {
            return rva - sectionhd[i].VirtualAddress + sectionhd[i].PointerToRawData;
        }
    }
}
 
void main()
{
 
 
    DWORD msgbox = 0x75DF0F40;
    printf("%x\n", msgbox);
    char code[] = {
        0x6A,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0xE8,0x00,0x00,0x00,0x00,0xE9,0x00,0x00,0x00,0x00
    };
    FILE* fp = fopen(directory, "rb");
    fseek(fp, 0, SEEK_END);
    int size = ftell(fp);
    rewind(fp);
    char* ptr = (char*)malloc(size);
    memset(ptr, 0, size);
    fread(ptr, size, 1, fp);
    PIMAGE_DOS_HEADER doshd2 = (PIMAGE_DOS_HEADER)ptr;
    PIMAGE_NT_HEADERS nthd2 = (PIMAGE_NT_HEADERS)(ptr + doshd2->e_lfanew);
    PIMAGE_FILE_HEADER filehd2 = (PIMAGE_FILE_HEADER)(ptr + doshd2->e_lfanew + 4);
    PIMAGE_OPTIONAL_HEADER32 optionhd2 = (PIMAGE_OPTIONAL_HEADER32)(ptr + doshd2->e_lfanew + 24);
    PIMAGE_SECTION_HEADER sectionhd2 = IMAGE_FIRST_SECTION(nthd2);
 
    char* ptr1 = ptr + (sectionhd2->PointerToRawData + sectionhd2->Misc.VirtualSize);
    memcpy(ptr1, code, sizeof(code));
    DWORD ptr2 = msgbox - (DWORD)(ptr1 + 0xd - optionhd2->FileAlignment + optionhd2->SectionAlignment + optionhd2->ImageBase);
    *(ptr1 + 9) = ptr2;
    DWORD ptr3 = (optionhd2->ImageBase+optionhd2->AddressOfEntryPoint) - (DWORD)(ptr1 + 0xd+0x5 - optionhd2->FileAlignment + optionhd2->SectionAlignment + optionhd2->ImageBase);
    *(ptr1 + 0xe) = ptr3;
    optionhd2->AddressOfEntryPoint = ptr1 - ptr;
    write(ptr, size);
    getchar();
}
#include <stdio.h>
#include <Windows.h>
#define directory "C:\\Users\\allen\\Desktop\\notepad-XP.exe"
void write(char* ptr, int size)
{
    FILE* fp = fopen("Dll1.exe", "wb");
    fwrite(ptr, size, 1, fp);
    fclose(fp);
}
DWORD rtf(char* buffer, DWORD rva)
{
    PIMAGE_DOS_HEADER doshd = (PIMAGE_DOS_HEADER)buffer;
    PIMAGE_NT_HEADERS nthd = (PIMAGE_NT_HEADERS)(buffer + doshd->e_lfanew);
    PIMAGE_FILE_HEADER filehd = (PIMAGE_FILE_HEADER)(buffer + doshd->e_lfanew + 4);
    PIMAGE_OPTIONAL_HEADER32 optionhd = (PIMAGE_OPTIONAL_HEADER32)(buffer + doshd->e_lfanew + 24);
    PIMAGE_SECTION_HEADER sectionhd = IMAGE_FIRST_SECTION(nthd);
    for (int i = 0; i < filehd->NumberOfSections; i++)
    {
        if (rva >= sectionhd[i].VirtualAddress && rva <= sectionhd[i].VirtualAddress + sectionhd[i].SizeOfRawData)
        {
            return rva - sectionhd[i].VirtualAddress + sectionhd[i].PointerToRawData;
        }
    }
}
 
void main()
{
 

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 2
支持
分享
最新回复 (3)
雪    币: 209
活跃值: (261)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
节的对齐后大小 - 实际占用大小就是能用的空间。但节尾部可能有一些空间在实际中其实没被用到,这部分也可以占一下,每个节都能插一部分数据。这些都是不改节表所能占用的空间。
一般这种方法塞不进太多东西,都是一个LOADER用别的方式获取到欲执行的代码再跑。
2022-4-6 09:28
0
雪    币: 209
活跃值: (261)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
看你代码,用的都是Virtual的地址去写,这不太对。写入代码的时候应该用Raw相关的地址/偏移/大小。代码的逻辑才用Virtual相关的东西去写。个人理解,没有实践,也可能不对。
建议写完用PEloader的代码测试下,看看哪里不对。
2022-4-6 09:40
0
雪    币: 7465
活跃值: (4196)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
4

这个效果?

	DWORD msgbox = 0x752BFF46;
	printf("%x\n", msgbox);
	char code[] = {
		0x6A,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0xE8,0x00,0x00,0x00,0x00,0xE9,0x00,0x00,0x00,0x00
	};
	FILE* fp = fopen(directory, "rb");
	fseek(fp, 0, SEEK_END);
	int size = ftell(fp);
	rewind(fp);
	char* ptr = (char*)malloc(size);
	memset(ptr, 0, size);
	fread(ptr, size, 1, fp);
	fclose(fp);
	PIMAGE_DOS_HEADER doshd2 = (PIMAGE_DOS_HEADER)ptr;
	PIMAGE_NT_HEADERS nthd2 = (PIMAGE_NT_HEADERS)(ptr + doshd2->e_lfanew);
	PIMAGE_FILE_HEADER filehd2 = (PIMAGE_FILE_HEADER)(ptr + doshd2->e_lfanew + 4);
	PIMAGE_OPTIONAL_HEADER32 optionhd2 = (PIMAGE_OPTIONAL_HEADER32)(ptr + doshd2->e_lfanew + 24);
	PIMAGE_SECTION_HEADER sectionhd2 = IMAGE_FIRST_SECTION(nthd2);

	char* ptr1 = ptr + (sectionhd2->PointerToRawData + sectionhd2->Misc.VirtualSize);
	memcpy(ptr1, code, sizeof(code));
	DWORD ptr2 = msgbox - (DWORD)( 0xd + sectionhd2->Misc.VirtualSize + sectionhd2->VirtualAddress + optionhd2->ImageBase);
	*(DWORD*)(ptr1 + 9) = ptr2;
	DWORD ptr3 = (optionhd2->ImageBase+optionhd2->AddressOfEntryPoint) - (DWORD)( 0xd+0x5+sectionhd2->Misc.VirtualSize + sectionhd2->VirtualAddress + optionhd2->ImageBase);
	*(DWORD*)(ptr1 + 0xe) = ptr3;
	optionhd2->AddressOfEntryPoint = sectionhd2->Misc.VirtualSize + sectionhd2->VirtualAddress;
	write(ptr, size);
	getchar();
	return 0;


2022-4-6 10:46
0
游客
登录 | 注册 方可回帖
返回
//