[求助]PE添加新节写入ShellCode-软件逆向-看雪论坛-安全社区|非营利性质技术交流社区

[求助]PE添加新节写入ShellCode

发表于: 2023-1-10 17:25 7967

[求助]PE添加新节写入ShellCode

wx_非0即1

2023-1-10 17:25

7967

//add_section.cpp

#include "windows.h"

#include "stdio.h"
//判断文件是否为合法PE文件
BOOL CheckPe(FILE* pFile)
{
fseek(pFile, 0, SEEK_SET);
BOOL bFlags = FALSE;
WORD IsMZ;
DWORD IsPE, pNT;
fread(&IsMZ, sizeof(WORD), 1, pFile);
if (IsMZ == 0x5A4D)
{
fseek(pFile, 0x3c, SEEK_SET);
fread(&pNT, sizeof(DWORD), 1, pFile);
fseek(pFile, pNT, SEEK_SET);
fread(&IsPE, sizeof(DWORD), 1, pFile);
if (IsPE == 0X00004550)
bFlags = TRUE;
else
bFlags = FALSE;
}
else
bFlags = FALSE;
fseek(pFile, 0, SEEK_SET);
return bFlags;
}

//用来计算对齐数据后的大小
int alig(int size, unsigned int align)
{
if (size%align != 0)
return (size / align + 1)*align;
else
return size;
}

int main(int argc, char argv[])
{
//if (argc != 2)
//{
// printf("\t\tusage:add_section filename\n");
// exit(-1);
//}
FILE rwFile;
if ((rwFile = fopen("D:\test\ConsoleApplication13.exe", "rb")) == NULL)//打开文件失败则退出
{
printf("\t\tOpen file faild\n");
exit(-1);
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

if (!CheckPe(rwFile))
{
    printf("\t\tinvalid pe......!\n");
    exit(-1);
}
//备份原文件
char szNewFile[35] = "D:\\test\\ConsoleApplication13_1.exe";
if (!CopyFile("D:\\test\\ConsoleApplication13.exe", szNewFile, 0)) //若备份文件出错则退出
{
    printf("\t\tbak faild\n");
    exit(-1);
}
IMAGE_NT_HEADERS NThea;
fseek(rwFile, 0x3c, 0);
DWORD pNT; //pNT中存放IMAGE_NT_HEADERS结构的地址
fread(&pNT, sizeof(DWORD), 1, rwFile);
fseek(rwFile, pNT, 0);
fread(&NThea, sizeof(IMAGE_NT_HEADERS), 1, rwFile); //读取原文件的IMAGE_NT_HEADERS结构
//保存原文件区块数量与OEP
int nOldSectionNo = NThea.FileHeader.NumberOfSections;
int OEP = NThea.OptionalHeader.AddressOfEntryPoint;
 
 
//保存文件对齐值与区块对齐值
int SECTION_ALIG = NThea.OptionalHeader.SectionAlignment;
int FILE_ALIG = NThea.OptionalHeader.FileAlignment;
 
//定义要添加的区块
IMAGE_SECTION_HEADER        NewSection;
//将该结构全部清零
memset(&NewSection, 0, sizeof(IMAGE_SECTION_HEADER));
//再定义一个区块，来存放原文件最后一个区块的信息
IMAGE_SECTION_HEADER SEChea;
//读原文件最后一个区块的信息
fseek(rwFile, pNT + 248, 0);
for (int i = 0; i < nOldSectionNo; i++)
    fread(&SEChea, sizeof(IMAGE_SECTION_HEADER), 1, rwFile);
 
FILE *newfile = fopen(szNewFile, "rb+");
if (newfile == NULL)
{
    printf("\t\tOpen bak file faild\n");
    exit(-1);
}
fseek(newfile, SEChea.PointerToRawData + SEChea.SizeOfRawData, SEEK_SET);
 
 
 
int i = 0;
// x86 shellcode
//CHAR shellcode[] = { 0x55,  0x8B,  0xEC,  0x83,  0xEC,  0x5C,  0x53,  0x56,  0x57,  0xE8,  0x72,  0x01,  0x00,  0x00,  0x8B,  0xD0,  0x33,  0xDB,  0x8B,  0x42,  0x3C,  0x39,  0x5C,  0x10,  0x7C,  0x0F,  0x84,  0x9F,  0x00,  0x00,  0x00,  0x8B,  0x74,  0x10,  0x78,  0x85,  0xF6,  0x0F,  0x84,  0x93,  0x00,  0x00,  0x00,  0x8B,  0x44,  0x16,  0x24,  0x33,  0xC9,  0x8B,  0x7C,  0x16,  0x20,  0x03,  0xC2,  0x89,  0x45,  0xFC,  0x03,  0xFA,  0x8B,  0x44,  0x16,  0x1C,  0x8B,  0x74,  0x16,  0x18,  0x03,  0xC2,  0x89,  0x45,  0xF8,  0x4E,  0x66,  0x0F,  0x1F,  0x44,  0x00,  0x00,  0x8B,  0x04,  0x8F,  0x03,  0xC2,  0x80,  0x38,  0x47,  0x75,  0x4E,  0x80,  0x78,  0x01,  0x65,  0x75,  0x48,  0x80,  0x78,  0x02,  0x74,  0x75,  0x42,  0x80,  0x78,  0x03,  0x50,  0x75,  0x3C,  0x80,  0x78,  0x04,  0x72,  0x75,  0x36,  0x80,  0x78,  0x05,  0x6F,  0x75,  0x30,  0x80,  0x78,  0x06,  0x63,  0x75,  0x2A,  0x80,  0x78,  0x07,  0x41,  0x75,  0x24,  0x80,  0x78,  0x08,  0x64,  0x75,  0x1E,  0x80,  0x78,  0x09,  0x64,  0x75,  0x18,  0x80,  0x78,  0x0A,  0x72,  0x75,  0x12,  0x80,  0x78,  0x0B,  0x65,  0x75,  0x0C,  0x80,  0x78,  0x0C,  0x73,  0x75,  0x06,  0x80,  0x78,  0x0D,  0x73,  0x74,  0x07,  0x41,  0x3B,  0xCE,  0x76,  0xA3,  0xEB,  0x0F,  0x8B,  0x45,  0xFC,  0x8B,  0x5D,  0xF8,  0x0F,  0xB7,  0x04,  0x48,  0x8B,  0x1C,  0x83,  0x03,  0xDA,  0x8D,  0x45,  0xD0,  0xC7,  0x45,  0xD0,  0x4C,  0x6F,  0x61,  0x64,  0x50,  0xC7,  0x45,  0xD4,  0x4C,  0x69,  0x62,  0x72,  0xC7,  0x45,  0xD8,  0x61,  0x72,  0x79,  0x57,  0xC6,  0x45,  0xDC,  0x00,  0xE8,  0xA0,  0x00,  0x00,  0x00,  0x50,  0xFF,  0xD3,  0x33,  0xC9,  0xC7,  0x45,  0xA4,  0x75,  0x00,  0x73,  0x00,  0x66,  0x89,  0x4D,  0xB8,  0x8D,  0x4D,  0xE0,  0x51,  0x8D,  0x4D,  0xA4,  0xC7,  0x45,  0xA8,  0x65,  0x00,  0x72,  0x00,  0x51,  0xC7,  0x45,  0xAC,  0x33,  0x00,  0x32,  0x00,  0xC7,  0x45,  0xB0,  0x2E,  0x00,  0x64,  0x00,  0xC7,  0x45,  0xB4,  0x6C,  0x00,  0x6C,  0x00,  0xC7,  0x45,  0xE0,  0x4D,  0x65,  0x73,  0x73,  0xC7,  0x45,  0xE4,  0x61,  0x67,  0x65,  0x42,  0xC7,  0x45,  0xE8,  0x6F,  0x78,  0x57,  0x00,  0xFF,  0xD0,  0x50,  0xFF,  0xD3,  0x33,  0xC9,  0xC7,  0x45,  0xBC,  0x53,  0x00,  0x68,  0x00,  0x51,  0x66,  0x89,  0x4D,  0xF4,  0x8D,  0x4D,  0xEC,  0x51,  0x8D,  0x4D,  0xBC,  0xC7,  0x45,  0xC0,  0x65,  0x00,  0x6C,  0x00,  0x51,  0x6A,  0x00,  0xC7,  0x45,  0xC4,  0x6C,  0x00,  0x63,  0x00,  0xC7,  0x45,  0xC8,  0x6F,  0x00,  0x64,  0x00,  0xC7,  0x45,  0xCC,  0x65,  0x00,  0x00,  0x00,  0xC7,  0x45,  0xEC,  0x4C,  0x00,  0x59,  0x00,  0xC7,  0x45,  0xF0,  0x53,  0x00,  0x4D,  0x00,  0xFF,  0xD0,  0x5F,  0x5E,  0x33,  0xC0,  0x5B,  0x8B,  0xE5,  0x5D,  0xC3,  0xCC,  0xCC,  0xCC,  0xCC,  0xCC,  0x64,  0xA1,  0x30,  0x00,  0x00,  0x00,  0x8B,  0x40,  0x0C,  0x8B,  0x40,  0x14,  0x8B,  0x00,  0x8B,  0x00,  0x8B,  0x40,  0x10,  0xC3,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00 };
//char *shellcode =
//    "\x33\xC9\x64\x8B\x41\x30\x8B\x40\x0C\x8B\x70\x14\xAD\x96\xAD\x8B\x58\x10\x8B\x53\x3C\x03\xD3\x8B\x52\x78\x03\xD3\x8B\x72\x20\x03"
//    "\xF3\x33\xC9\x41\xAD\x03\xC3\x81\x38\x47\x65\x74\x50\x75\xF4\x81\x78\x04\x72\x6F\x63\x41\x75\xEB\x81\x78\x08\x64\x64\x72\x65\x75"
//    "\xE2\x8B\x72\x24\x03\xF3\x66\x8B\x0C\x4E\x49\x8B\x72\x1C\x03\xF3\x8B\x14\x8E\x03\xD3\x33\xC9\x53\x52\x51\x68\x61\x72\x79\x41\x68"
//    "\x4C\x69\x62\x72\x68\x4C\x6F\x61\x64\x54\x53\xFF\xD2\x83\xC4\x0C\x59\x50\x51\x66\xB9\x6C\x6C\x51\x68\x33\x32\x2E\x64\x68\x75\x73"
//    "\x65\x72\x54\xFF\xD0\x83\xC4\x10\x8B\x54\x24\x04\x33\xC9\x51\xB9\x74\x6F\x6E\x61\x51\x83\x6C\x24\x03\x61\x68\x65\x42\x75\x74\x68"
//    "\x4D\x6F\x75\x73\x68\x53\x77\x61\x70\x54\x50\xFF\xD2\x83\xC4\x14\x33\xC9"
//    "\x41" // inc ecx - Remove this to restore the functionality
//    "\x51\xFF\xD0\x83\xC4\x04\x5A\x5B\xB9\x65\x73\x73\x61"
//    "\x51\x83\x6C\x24\x03\x61\x68\x50\x72\x6F\x63\x68\x45\x78\x69\x74\x54\x53\xFF\xD2\x33\xC9\x51\xFF\xD0";
/*CHAR shellcode[] = {
0x6A, 0x00,
0x6A, 0x00,
0x6A, 0x00,
0x6A, 0x00,
0xE8, 0x00, 0x00, 0x00, 0x00
};*/
 
 
CHAR shellcode[] = {
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x48, 0xE8, 0x15, 0x01, 0x00, 0x00, 0x50, 0xE8, 0x2F, 0x01, 0x00,
0x00, 0x83, 0xC4, 0x04, 0x89, 0x45, 0xF8, 0xC6, 0x45, 0xC8, 0x4C, 0xC6, 0x45, 0xC9, 0x6F, 0xC6,
0x45, 0xCA, 0x61, 0xC6, 0x45, 0xCB, 0x64, 0xC6, 0x45, 0xCC, 0x4C, 0xC6, 0x45, 0xCD, 0x69, 0xC6,
0x45, 0xCE, 0x62, 0xC6, 0x45, 0xCF, 0x72, 0xC6, 0x45, 0xD0, 0x61, 0xC6, 0x45, 0xD1, 0x72, 0xC6,
0x45, 0xD2, 0x79, 0xC6, 0x45, 0xD3, 0x41, 0xC6, 0x45, 0xD4, 0x00, 0x8D, 0x45, 0xC8, 0x50, 0xE8,
0xCC, 0x00, 0x00, 0x00, 0x50, 0xFF, 0x55, 0xF8, 0x89, 0x45, 0xF4, 0xC6, 0x45, 0xE4, 0x55, 0xC6,
0x45, 0xE5, 0x73, 0xC6, 0x45, 0xE6, 0x65, 0xC6, 0x45, 0xE7, 0x72, 0xC6, 0x45, 0xE8, 0x33, 0xC6,
0x45, 0xE9, 0x32, 0xC6, 0x45, 0xEA, 0x2E, 0xC6, 0x45, 0xEB, 0x64, 0xC6, 0x45, 0xEC, 0x6C, 0xC6,
0x45, 0xED, 0x6C, 0xC6, 0x45, 0xEE, 0x00, 0xC6, 0x45, 0xD8, 0x4D, 0xC6, 0x45, 0xD9, 0x65, 0xC6,
0x45, 0xDA, 0x73, 0xC6, 0x45, 0xDB, 0x73, 0xC6, 0x45, 0xDC, 0x61, 0xC6, 0x45, 0xDD, 0x67, 0xC6,
0x45, 0xDE, 0x65, 0xC6, 0x45, 0xDF, 0x42, 0xC6, 0x45, 0xE0, 0x6F, 0xC6, 0x45, 0xE1, 0x78, 0xC6,
0x45, 0xE2, 0x41, 0xC6, 0x45, 0xE3, 0x00, 0x8D, 0x4D, 0xD8, 0x51, 0x8D, 0x55, 0xE4, 0x52, 0xFF,
0x55, 0xF4, 0x50, 0xFF, 0x55, 0xF8, 0x89, 0x45, 0xF0, 0xC6, 0x45, 0xB8, 0x48, 0xC6, 0x45, 0xB9,
0x65, 0xC6, 0x45, 0xBA, 0x6C, 0xC6, 0x45, 0xBB, 0x6C, 0xC6, 0x45, 0xBC, 0x6F, 0xC6, 0x45, 0xBD,
0x20, 0xC6, 0x45, 0xBE, 0x57, 0xC6, 0x45, 0xBF, 0x6F, 0xC6, 0x45, 0xC0, 0x72, 0xC6, 0x45, 0xC1,
0x6C, 0xC6, 0x45, 0xC2, 0x64, 0xC6, 0x45, 0xC3, 0x21, 0xC6, 0x45, 0xC4, 0x00, 0xC6, 0x45, 0xFC,
0x74, 0xC6, 0x45, 0xFD, 0x69, 0xC6, 0x45, 0xFE, 0x70, 0xC6, 0x45, 0xFF, 0x00, 0x6A, 0x00, 0x8D,
0x45, 0xFC, 0x50, 0x8D, 0x4D, 0xB8, 0x51, 0x6A, 0x00, 0xFF, 0x55, 0xF0, 0x8B, 0xE5, 0x5D, 0xC3,
0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, 0x8B, 0x40, 0x0C, 0x8B, 0x40, 0x14, 0x8B, 0x00, 0x8B, 0x00,
0x8B, 0x40, 0x10, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x24, 0x8B, 0x45, 0x08, 0x89, 0x45, 0xE8, 0x8B, 0x4D, 0xE8, 0x8B,
0x55, 0x08, 0x03, 0x51, 0x3C, 0x89, 0x55, 0xF0, 0xB8, 0x08, 0x00, 0x00, 0x00, 0x6B, 0xC8, 0x00,
0x8B, 0x55, 0xF0, 0x83, 0x7C, 0x0A, 0x7C, 0x00, 0x75, 0x07, 0x33, 0xC0, 0xE9, 0xE3, 0x01, 0x00,
0x00, 0xB8, 0x08, 0x00, 0x00, 0x00, 0x6B, 0xC8, 0x00, 0x8B, 0x55, 0xF0, 0x83, 0x7C, 0x0A, 0x78,
0x00, 0x75, 0x07, 0x33, 0xC0, 0xE9, 0xCA, 0x01, 0x00, 0x00, 0xB8, 0x08, 0x00, 0x00, 0x00, 0x6B,
0xC8, 0x00, 0x8B, 0x55, 0xF0, 0x8B, 0x45, 0x08, 0x03, 0x44, 0x0A, 0x78, 0x89, 0x45, 0xF4, 0x8B,
0x4D, 0xF4, 0x8B, 0x55, 0x08, 0x03, 0x51, 0x20, 0x89, 0x55, 0xE4, 0x8B, 0x45, 0xF4, 0x8B, 0x4D,
0x08, 0x03, 0x48, 0x24, 0x89, 0x4D, 0xE0, 0x8B, 0x55, 0xF4, 0x8B, 0x45, 0x08, 0x03, 0x42, 0x1C,
0x89, 0x45, 0xDC, 0xC7, 0x45, 0xF8, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xEC, 0x00, 0x00, 0x00,
0x00, 0xEB, 0x09, 0x8B, 0x4D, 0xF8, 0x83, 0xC1, 0x01, 0x89, 0x4D, 0xF8, 0x8B, 0x55, 0xF4, 0x8B,
0x42, 0x18, 0x83, 0xE8, 0x01, 0x39, 0x45, 0xF8, 0x0F, 0x87, 0x63, 0x01, 0x00, 0x00, 0x8B, 0x4D,
0xF8, 0x8B, 0x55, 0xE4, 0x8B, 0x04, 0x8A, 0x03, 0x45, 0x08, 0x89, 0x45, 0xFC, 0xB9, 0x01, 0x00,
0x00, 0x00, 0x6B, 0xD1, 0x00, 0x8B, 0x45, 0xFC, 0x0F, 0xBE, 0x0C, 0x10, 0x83, 0xF9, 0x47, 0x0F,
0x85, 0x37, 0x01, 0x00, 0x00, 0xBA, 0x01, 0x00, 0x00, 0x00, 0xC1, 0xE2, 0x00, 0x8B, 0x45, 0xFC,
0x0F, 0xBE, 0x0C, 0x10, 0x83, 0xF9, 0x65, 0x0F, 0x85, 0x1F, 0x01, 0x00, 0x00, 0xBA, 0x01, 0x00,
0x00, 0x00, 0xD1, 0xE2, 0x8B, 0x45, 0xFC, 0x0F, 0xBE, 0x0C, 0x10, 0x83, 0xF9, 0x74, 0x0F, 0x85,
0x08, 0x01, 0x00, 0x00, 0xBA, 0x01, 0x00, 0x00, 0x00, 0x6B, 0xC2, 0x03, 0x8B, 0x4D, 0xFC, 0x0F,
0xBE, 0x14, 0x01, 0x83, 0xFA, 0x50, 0x0F, 0x85, 0xF0, 0x00, 0x00, 0x00, 0xB8, 0x01, 0x00, 0x00,
0x00, 0xC1, 0xE0, 0x02, 0x8B, 0x4D, 0xFC, 0x0F, 0xBE, 0x14, 0x01, 0x83, 0xFA, 0x72, 0x0F, 0x85,
0xD8, 0x00, 0x00, 0x00, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x6B, 0xC8, 0x05, 0x8B, 0x55, 0xFC, 0x0F,
0xBE, 0x04, 0x0A, 0x83, 0xF8, 0x6F, 0x0F, 0x85, 0xC0, 0x00, 0x00, 0x00, 0xB9, 0x01, 0x00, 0x00,
0x00, 0x6B, 0xD1, 0x06, 0x8B, 0x45, 0xFC, 0x0F, 0xBE, 0x0C, 0x10, 0x83, 0xF9, 0x63, 0x0F, 0x85,
0xA8, 0x00, 0x00, 0x00, 0xBA, 0x01, 0x00, 0x00, 0x00, 0x6B, 0xC2, 0x07, 0x8B, 0x4D, 0xFC, 0x0F,
0xBE, 0x14, 0x01, 0x83, 0xFA, 0x41, 0x0F, 0x85, 0x90, 0x00, 0x00, 0x00, 0xB8, 0x01, 0x00, 0x00,
0x00, 0xC1, 0xE0, 0x03, 0x8B, 0x4D, 0xFC, 0x0F, 0xBE, 0x14, 0x01, 0x83, 0xFA, 0x64, 0x75, 0x7C,
0xB8, 0x01, 0x00, 0x00, 0x00, 0x6B, 0xC8, 0x09, 0x8B, 0x55, 0xFC, 0x0F, 0xBE, 0x04, 0x0A, 0x83,
0xF8, 0x64, 0x75, 0x68, 0xB9, 0x01, 0x00, 0x00, 0x00, 0x6B, 0xD1, 0x0A, 0x8B, 0x45, 0xFC, 0x0F,
0xBE, 0x0C, 0x10, 0x83, 0xF9, 0x72, 0x75, 0x54, 0xBA, 0x01, 0x00, 0x00, 0x00, 0x6B, 0xC2, 0x0B,
0x8B, 0x4D, 0xFC, 0x0F, 0xBE, 0x14, 0x01, 0x83, 0xFA, 0x65, 0x75, 0x40, 0xB8, 0x01, 0x00, 0x00,
0x00, 0x6B, 0xC8, 0x0C, 0x8B, 0x55, 0xFC, 0x0F, 0xBE, 0x04, 0x0A, 0x83, 0xF8, 0x73, 0x75, 0x2C,
0xB9, 0x01, 0x00, 0x00, 0x00, 0x6B, 0xD1, 0x0D, 0x8B, 0x45, 0xFC, 0x0F, 0xBE, 0x0C, 0x10, 0x83,
0xF9, 0x73, 0x75, 0x18, 0x8B, 0x55, 0xF8, 0x8B, 0x45, 0xE0, 0x0F, 0xB7, 0x0C, 0x50, 0x8B, 0x55,
0xDC, 0x8B, 0x04, 0x8A, 0x03, 0x45, 0x08, 0x89, 0x45, 0xEC, 0xEB, 0x05, 0xE9, 0x82, 0xFE, 0xFF,
0xFF, 0x8B, 0x45, 0xEC, 0x8B, 0xE5, 0x5D, 0xC3,0xE8, 0x00, 0x00, 0x00, 0x00
};

;
int nShellLen = sizeof(shellcode);
// x64 shellcode
//写入SHELLCODE,
for (i = 0; i < nShellLen; i++)
fputc(shellcode[i], newfile);
//SHELLCODE之后是跳转到原OEP的指令
NewSection.VirtualAddress = SEChea.VirtualAddress + alig(SEChea.Misc.VirtualSize, SECTION_ALIG);

// 跳到原OEP
BYTE jmp = 0xE9;
OEP = OEP - (NewSection.VirtualAddress + nShellLen) - 5;
size_t ret1 = fwrite(&jmp, sizeof(jmp), 1, newfile);
size_t ret2 = fwrite(&OEP, sizeof(OEP), 1, newfile);
 
 
 
//将最后增加的数据用0填充至按文件中对齐的大小
i = 0;
// -5是因为跳入原OEP加入了5字节
for (i = 0; i < alig(nShellLen, FILE_ALIG) - nShellLen; i++)     //for (i = 0; i < alig(nShellLen, FILE_ALIG) - nShellLen; i++) //如果不跳不-5
    fputc('\0', newfile);
//新区块中的数据
strcpy((char*)NewSection.Name, ".llydd");
NewSection.PointerToRawData = SEChea.PointerToRawData + SEChea.SizeOfRawData;
NewSection.Misc.VirtualSize = nShellLen;
NewSection.SizeOfRawData = alig(nShellLen, FILE_ALIG);
NewSection.Characteristics = 0xE0000020;//新区块可读可写可执行
fseek(newfile, pNT + 248 + sizeof(IMAGE_SECTION_HEADER)*nOldSectionNo, 0);
 
//写入新的块表
fwrite(&NewSection, sizeof(IMAGE_SECTION_HEADER), 1, newfile);
 
int nNewImageSize = NThea.OptionalHeader.SizeOfImage + alig(nShellLen, SECTION_ALIG);
int nNewSizeofCode = NThea.OptionalHeader.SizeOfCode + alig(nShellLen, FILE_ALIG);
fseek(newfile, pNT, 0);
NThea.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = 0;
NThea.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = 0;
NThea.OptionalHeader.SizeOfCode = nNewSizeofCode;
NThea.OptionalHeader.SizeOfImage = nNewImageSize;
NThea.FileHeader.NumberOfSections = nOldSectionNo + 1;
NThea.OptionalHeader.AddressOfEntryPoint = NewSection.VirtualAddress;
//写入更新后的PE头结构
fwrite(&NThea, sizeof(IMAGE_NT_HEADERS), 1, newfile);
printf("\t\tok.........!\n");
 
fclose(newfile);
fclose(rwFile);
 
return 1;

}
跳不回原OEP

代码啊参考https://bbs.kanxue.com/thread-36497.htm
00fK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6T1L8r3!0Y4i4K6u0W2j5%4y4V1L8W2)9J5k6h3&6W2N6q4)9J5c8Y4q4I4i4K6g2X3y4o6b7$3y4e0M7^5z5e0W2Q4x3V1k6S2M7Y4c8A6j5$3I4W2i4K6u0r3k6r3g2@1j5h3W2D9M7#2)9J5c8U0p5J5y4o6V1&6x3o6j5$3y4#2)9K6c8Y4y4H3L8g2)9K6c8o6p5H3x3o6q4Q4x3X3f1J5x3e0l9I4i4K6u0W2x3K6l9H3x3g2)9J5k6e0j5$3y4e0m8Q4x3X3f1K6i4K6t1$3j5h3#2H3i4K6y4n7N6i4c8E0i4K6g2X3L8h3g2V1K9i4g2E0i4K6y4p5k6r3W2K6N6s2u0A6j5Y4g2@1k6g2)9J5k6i4m8U0i4K6g2X3M7X3g2D9k6i4k6S2L8Y4c8Q4x3X3g2F1L8$3&6W2i4K6u0V1N6r3q4K6K9#2)9J5k6r3u0D9L8$3N6Q4x3X3b7J5i4K6t1#2y4@1g2V1k6h3k6S2N6h3I4@1i4K6t1#2y4@1g2n7L8r3!0Y4b7$3!0E0L8h3g2F1k6p5k6J5L8$3#2n7j5h3W2V1N6g2)9J5y4e0N6q4f1X3q4@1k6g2)9J5k6o6y4Q4x3X3b7I4x3U0b7&6z5e0l9$3y4U0N6Q4x3X3c8T1L8r3!0Y4i4K6u0V1x3e0t1I4y4U0f1J5y4o6j5#2i4K6u0W2M7r3y4Q4y4h3k6J5k6h3I4W2N6X3q4F1N6q4)9#2k6U0y4E0L8%4c8Z5L8W2)9#2k6Y4y4@1M7X3q4@1k6h3N6&6i4K6g2X3j5h3&6V1i4K6g2X3k6r3q4@1j5g2)9#2k6Y4u0W2j5$3!0$3k6i4u0&6i4K6t1$3j5h3#2H3i4K6y4n7k6r3g2H3N6r3S2Q4y4h3j5I4i4K6u0V1N6i4c8E0i4K6g2X3M7$3!0#2M7X3y4W2i4K6y4p5k6r3W2K6N6s2u0A6j5Y4g2@1k6g2)9J5k6i4m8U0i4K6g2X3M7X3g2D9k6i4k6S2L8Y4c8Q4x3X3g2F1L8$3&6W2i4K6u0V1N6r3q4K6K9#2)9J5k6r3u0D9L8$3N6Q4x3X3b7J5i4K6t1#2y4@1g2V1k6h3k6S2N6h3I4@1i4K6t1#2y4@1g2n7L8r3!0Y4b7$3!0E0L8h3g2F1k6p5k6J5L8$3#2n7j5h3W2V1N6g2)9J5y4e0N6q4f1X3q4@1k6g2)9J5k6o6y4Q4x3X3b7I4x3U0b7&6z5e0l9$3y4U0N6Q4x3X3c8T1L8r3!0Y4i4K6u0V1x3e0t1I4y4U0f1J5y4o6j5#2i4K6u0W2M7r3y4Q4y4h3k6J5k6h3I4W2N6X3q4F1N6q4)9#2k6U0y4E0L8%4c8Z5L8W2)9#2k6Y4y4@1M7X3q4@1k6h3N6&6i4K6g2X3j5h3&6V1i4K6g2X3k6r3q4@1j5g2)9#2k6Y4u0W2j5$3!0$3k6i4u0&6i4K6t1$3j5h3#2H3i4K6y4n7N6i4c8E0i4K6g2X3M7X3g2D9k6i4k6S2L8Y4c8Q4y4h3k6A6L8X3c8W2P5q4)9K6c8o6j5`.

[培训]传播安全知识、拓宽行业人脉——看雪讲师团队等你加入！

#调试逆向 #病毒木马 #问题讨论

收藏・2

免费・1

支持

最新回复 (1)
Black貓①呺雪币： 1440 活跃值： (1522) 能力值： ( LV3，RANK：23 ) 在线值：发帖 2 回帖 72 粉丝 2 关注私信	Black貓①呺 2 楼还是调试器动态看看吧最后于 2023-1-11 09:46 被Black貓①呺编辑，原因： 2023-1-11 09:41 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

wx_非0即1

发帖

回帖

RANK

关注

私信

他的文章

[求助]PE添加新节写入ShellCode 7968

关于我们

联系我们

企业服务

看雪公众号

最新回复 (1)
Black貓①呺雪币： 1440 活跃值： (1522) 能力值： ( LV3，RANK：23 ) 在线值：发帖 2 回帖 72 粉丝 2 关注私信	Black貓①呺 2 楼还是调试器动态看看吧最后于 2023-1-11 09:46 被Black貓①呺编辑，原因： 2023-1-11 09:41 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

[求助]PE添加新节 写入ShellCode

[求助]PE添加新节写入ShellCode