首页
社区
课程
招聘
[求助]PE添加新节 写入ShellCode
发表于: 2023-1-10 17:25 7681

[求助]PE添加新节 写入ShellCode

2023-1-10 17:25
7681

//add_section.cpp

 

#include "windows.h"

 

#include "stdio.h"
//判断文件是否为合法PE文件
BOOL CheckPe(FILE* pFile)
{
fseek(pFile, 0, SEEK_SET);
BOOL bFlags = FALSE;
WORD IsMZ;
DWORD IsPE, pNT;
fread(&IsMZ, sizeof(WORD), 1, pFile);
if (IsMZ == 0x5A4D)
{
fseek(pFile, 0x3c, SEEK_SET);
fread(&pNT, sizeof(DWORD), 1, pFile);
fseek(pFile, pNT, SEEK_SET);
fread(&IsPE, sizeof(DWORD), 1, pFile);
if (IsPE == 0X00004550)
bFlags = TRUE;
else
bFlags = FALSE;
}
else
bFlags = FALSE;
fseek(pFile, 0, SEEK_SET);
return bFlags;
}

 

//用来计算对齐数据后的大小
int alig(int size, unsigned int align)
{
if (size%align != 0)
return (size / align + 1)*align;
else
return size;
}

 

int main(int argc, char argv[])
{
//if (argc != 2)
//{
// printf("\t\tusage:add_section filename\n");
// exit(-1);
//}
FILE
rwFile;
if ((rwFile = fopen("D:\test\ConsoleApplication13.exe", "rb")) == NULL)//打开文件失败则退出
{
printf("\t\tOpen file faild\n");
exit(-1);
}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
if (!CheckPe(rwFile))
{
    printf("\t\tinvalid pe......!\n");
    exit(-1);
}
//备份原文件
char szNewFile[35] = "D:\\test\\ConsoleApplication13_1.exe";
if (!CopyFile("D:\\test\\ConsoleApplication13.exe", szNewFile, 0)) //若备份文件出错则退出
{
    printf("\t\tbak faild\n");
    exit(-1);
}
IMAGE_NT_HEADERS NThea;
fseek(rwFile, 0x3c, 0);
DWORD pNT; //pNT中存放IMAGE_NT_HEADERS结构的地址
fread(&pNT, sizeof(DWORD), 1, rwFile);
fseek(rwFile, pNT, 0);
fread(&NThea, sizeof(IMAGE_NT_HEADERS), 1, rwFile); //读取原文件的IMAGE_NT_HEADERS结构
//保存原文件区块数量与OEP
int nOldSectionNo = NThea.FileHeader.NumberOfSections;
int OEP = NThea.OptionalHeader.AddressOfEntryPoint;
 
 
//保存文件对齐值与区块对齐值
int SECTION_ALIG = NThea.OptionalHeader.SectionAlignment;
int FILE_ALIG = NThea.OptionalHeader.FileAlignment;
 
//定义要添加的区块
IMAGE_SECTION_HEADER        NewSection;
//将该结构全部清零
memset(&NewSection, 0, sizeof(IMAGE_SECTION_HEADER));
//再定义一个区块,来存放原文件最后一个区块的信息
IMAGE_SECTION_HEADER SEChea;
//读原文件最后一个区块的信息
fseek(rwFile, pNT + 248, 0);
for (int i = 0; i < nOldSectionNo; i++)
    fread(&SEChea, sizeof(IMAGE_SECTION_HEADER), 1, rwFile);
 
FILE *newfile = fopen(szNewFile, "rb+");
if (newfile == NULL)
{
    printf("\t\tOpen bak file faild\n");
    exit(-1);
}
fseek(newfile, SEChea.PointerToRawData + SEChea.SizeOfRawData, SEEK_SET);
 
 
 
int i = 0;
// x86 shellcode
//CHAR shellcode[] = { 0x550x8B0xEC0x830xEC0x5C0x530x560x570xE80x720x010x000x000x8B0xD00x330xDB0x8B0x420x3C0x390x5C0x100x7C0x0F0x840x9F0x000x000x000x8B0x740x100x780x850xF60x0F0x840x930x000x000x000x8B0x440x160x240x330xC90x8B0x7C0x160x200x030xC20x890x450xFC0x030xFA0x8B0x440x160x1C0x8B0x740x160x180x030xC20x890x450xF80x4E0x660x0F0x1F0x440x000x000x8B0x040x8F0x030xC20x800x380x470x750x4E0x800x780x010x650x750x480x800x780x020x740x750x420x800x780x030x500x750x3C0x800x780x040x720x750x360x800x780x050x6F0x750x300x800x780x060x630x750x2A0x800x780x070x410x750x240x800x780x080x640x750x1E0x800x780x090x640x750x180x800x780x0A0x720x750x120x800x780x0B0x650x750x0C0x800x780x0C0x730x750x060x800x780x0D0x730x740x070x410x3B0xCE0x760xA30xEB0x0F0x8B0x450xFC0x8B0x5D0xF80x0F0xB70x040x480x8B0x1C0x830x030xDA0x8D0x450xD00xC70x450xD00x4C0x6F0x610x640x500xC70x450xD40x4C0x690x620x720xC70x450xD80x610x720x790x570xC60x450xDC0x000xE80xA00x000x000x000x500xFF0xD30x330xC90xC70x450xA40x750x000x730x000x660x890x4D0xB80x8D0x4D0xE00x510x8D0x4D0xA40xC70x450xA80x650x000x720x000x510xC70x450xAC0x330x000x320x000xC70x450xB00x2E0x000x640x000xC70x450xB40x6C0x000x6C0x000xC70x450xE00x4D0x650x730x730xC70x450xE40x610x670x650x420xC70x450xE80x6F0x780x570x000xFF0xD00x500xFF0xD30x330xC90xC70x450xBC0x530x000x680x000x510x660x890x4D0xF40x8D0x4D0xEC0x510x8D0x4D0xBC0xC70x450xC00x650x000x6C0x000x510x6A0x000xC70x450xC40x6C0x000x630x000xC70x450xC80x6F0x000x640x000xC70x450xCC0x650x000x000x000xC70x450xEC0x4C0x000x590x000xC70x450xF00x530x000x4D0x000xFF0xD00x5F0x5E0x330xC00x5B0x8B0xE50x5D0xC30xCC0xCC0xCC0xCC0xCC0x640xA10x300x000x000x000x8B0x400x0C0x8B0x400x140x8B0x000x8B0x000x8B0x400x100xC30x000x000x000x000x000x000x000x000x000x000x000x00 };
//char *shellcode =
//    "\x33\xC9\x64\x8B\x41\x30\x8B\x40\x0C\x8B\x70\x14\xAD\x96\xAD\x8B\x58\x10\x8B\x53\x3C\x03\xD3\x8B\x52\x78\x03\xD3\x8B\x72\x20\x03"
//    "\xF3\x33\xC9\x41\xAD\x03\xC3\x81\x38\x47\x65\x74\x50\x75\xF4\x81\x78\x04\x72\x6F\x63\x41\x75\xEB\x81\x78\x08\x64\x64\x72\x65\x75"
//    "\xE2\x8B\x72\x24\x03\xF3\x66\x8B\x0C\x4E\x49\x8B\x72\x1C\x03\xF3\x8B\x14\x8E\x03\xD3\x33\xC9\x53\x52\x51\x68\x61\x72\x79\x41\x68"
//    "\x4C\x69\x62\x72\x68\x4C\x6F\x61\x64\x54\x53\xFF\xD2\x83\xC4\x0C\x59\x50\x51\x66\xB9\x6C\x6C\x51\x68\x33\x32\x2E\x64\x68\x75\x73"
//    "\x65\x72\x54\xFF\xD0\x83\xC4\x10\x8B\x54\x24\x04\x33\xC9\x51\xB9\x74\x6F\x6E\x61\x51\x83\x6C\x24\x03\x61\x68\x65\x42\x75\x74\x68"
//    "\x4D\x6F\x75\x73\x68\x53\x77\x61\x70\x54\x50\xFF\xD2\x83\xC4\x14\x33\xC9"
//    "\x41" // inc ecx - Remove this to restore the functionality
//    "\x51\xFF\xD0\x83\xC4\x04\x5A\x5B\xB9\x65\x73\x73\x61"
//    "\x51\x83\x6C\x24\x03\x61\x68\x50\x72\x6F\x63\x68\x45\x78\x69\x74\x54\x53\xFF\xD2\x33\xC9\x51\xFF\xD0";
/*CHAR shellcode[] = {
0x6A, 0x00,
0x6A, 0x00,
0x6A, 0x00,
0x6A, 0x00,
0xE8, 0x00, 0x00, 0x00, 0x00
};*/
 
 
CHAR shellcode[] = {
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x48, 0xE8, 0x15, 0x01, 0x00, 0x00, 0x50, 0xE8, 0x2F, 0x01, 0x00,
0x00, 0x83, 0xC4, 0x04, 0x89, 0x45, 0xF8, 0xC6, 0x45, 0xC8, 0x4C, 0xC6, 0x45, 0xC9, 0x6F, 0xC6,
0x45, 0xCA, 0x61, 0xC6, 0x45, 0xCB, 0x64, 0xC6, 0x45, 0xCC, 0x4C, 0xC6, 0x45, 0xCD, 0x69, 0xC6,
0x45, 0xCE, 0x62, 0xC6, 0x45, 0xCF, 0x72, 0xC6, 0x45, 0xD0, 0x61, 0xC6, 0x45, 0xD1, 0x72, 0xC6,
0x45, 0xD2, 0x79, 0xC6, 0x45, 0xD3, 0x41, 0xC6, 0x45, 0xD4, 0x00, 0x8D, 0x45, 0xC8, 0x50, 0xE8,
0xCC, 0x00, 0x00, 0x00, 0x50, 0xFF, 0x55, 0xF8, 0x89, 0x45, 0xF4, 0xC6, 0x45, 0xE4, 0x55, 0xC6,
0x45, 0xE5, 0x73, 0xC6, 0x45, 0xE6, 0x65, 0xC6, 0x45, 0xE7, 0x72, 0xC6, 0x45, 0xE8, 0x33, 0xC6,
0x45, 0xE9, 0x32, 0xC6, 0x45, 0xEA, 0x2E, 0xC6, 0x45, 0xEB, 0x64, 0xC6, 0x45, 0xEC, 0x6C, 0xC6,
0x45, 0xED, 0x6C, 0xC6, 0x45, 0xEE, 0x00, 0xC6, 0x45, 0xD8, 0x4D, 0xC6, 0x45, 0xD9, 0x65, 0xC6,
0x45, 0xDA, 0x73, 0xC6, 0x45, 0xDB, 0x73, 0xC6, 0x45, 0xDC, 0x61, 0xC6, 0x45, 0xDD, 0x67, 0xC6,
0x45, 0xDE, 0x65, 0xC6, 0x45, 0xDF, 0x42, 0xC6, 0x45, 0xE0, 0x6F, 0xC6, 0x45, 0xE1, 0x78, 0xC6,
0x45, 0xE2, 0x41, 0xC6, 0x45, 0xE3, 0x00, 0x8D, 0x4D, 0xD8, 0x51, 0x8D, 0x55, 0xE4, 0x52, 0xFF,
0x55, 0xF4, 0x50, 0xFF, 0x55, 0xF8, 0x89, 0x45, 0xF0, 0xC6, 0x45, 0xB8, 0x48, 0xC6, 0x45, 0xB9,
0x65, 0xC6, 0x45, 0xBA, 0x6C, 0xC6, 0x45, 0xBB, 0x6C, 0xC6, 0x45, 0xBC, 0x6F, 0xC6, 0x45, 0xBD,
0x20, 0xC6, 0x45, 0xBE, 0x57, 0xC6, 0x45, 0xBF, 0x6F, 0xC6, 0x45, 0xC0, 0x72, 0xC6, 0x45, 0xC1,
0x6C, 0xC6, 0x45, 0xC2, 0x64, 0xC6, 0x45, 0xC3, 0x21, 0xC6, 0x45, 0xC4, 0x00, 0xC6, 0x45, 0xFC,
0x74, 0xC6, 0x45, 0xFD, 0x69, 0xC6, 0x45, 0xFE, 0x70, 0xC6, 0x45, 0xFF, 0x00, 0x6A, 0x00, 0x8D,
0x45, 0xFC, 0x50, 0x8D, 0x4D, 0xB8, 0x51, 0x6A, 0x00, 0xFF, 0x55, 0xF0, 0x8B, 0xE5, 0x5D, 0xC3,
0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, 0x8B, 0x40, 0x0C, 0x8B, 0x40, 0x14, 0x8B, 0x00, 0x8B, 0x00,
0x8B, 0x40, 0x10, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x24, 0x8B, 0x45, 0x08, 0x89, 0x45, 0xE8, 0x8B, 0x4D, 0xE8, 0x8B,
0x55, 0x08, 0x03, 0x51, 0x3C, 0x89, 0x55, 0xF0, 0xB8, 0x08, 0x00, 0x00, 0x00, 0x6B, 0xC8, 0x00,
0x8B, 0x55, 0xF0, 0x83, 0x7C, 0x0A, 0x7C, 0x00, 0x75, 0x07, 0x33, 0xC0, 0xE9, 0xE3, 0x01, 0x00,
0x00, 0xB8, 0x08, 0x00, 0x00, 0x00, 0x6B, 0xC8, 0x00, 0x8B, 0x55, 0xF0, 0x83, 0x7C, 0x0A, 0x78,
0x00, 0x75, 0x07, 0x33, 0xC0, 0xE9, 0xCA, 0x01, 0x00, 0x00, 0xB8, 0x08, 0x00, 0x00, 0x00, 0x6B,
0xC8, 0x00, 0x8B, 0x55, 0xF0, 0x8B, 0x45, 0x08, 0x03, 0x44, 0x0A, 0x78, 0x89, 0x45, 0xF4, 0x8B,
0x4D, 0xF4, 0x8B, 0x55, 0x08, 0x03, 0x51, 0x20, 0x89, 0x55, 0xE4, 0x8B, 0x45, 0xF4, 0x8B, 0x4D,
0x08, 0x03, 0x48, 0x24, 0x89, 0x4D, 0xE0, 0x8B, 0x55, 0xF4, 0x8B, 0x45, 0x08, 0x03, 0x42, 0x1C,
0x89, 0x45, 0xDC, 0xC7, 0x45, 0xF8, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xEC, 0x00, 0x00, 0x00,
0x00, 0xEB, 0x09, 0x8B, 0x4D, 0xF8, 0x83, 0xC1, 0x01, 0x89, 0x4D, 0xF8, 0x8B, 0x55, 0xF4, 0x8B,
0x42, 0x18, 0x83, 0xE8, 0x01, 0x39, 0x45, 0xF8, 0x0F, 0x87, 0x63, 0x01, 0x00, 0x00, 0x8B, 0x4D,
0xF8, 0x8B, 0x55, 0xE4, 0x8B, 0x04, 0x8A, 0x03, 0x45, 0x08, 0x89, 0x45, 0xFC, 0xB9, 0x01, 0x00,
0x00, 0x00, 0x6B, 0xD1, 0x00, 0x8B, 0x45, 0xFC, 0x0F, 0xBE, 0x0C, 0x10, 0x83, 0xF9, 0x47, 0x0F,
0x85, 0x37, 0x01, 0x00, 0x00, 0xBA, 0x01, 0x00, 0x00, 0x00, 0xC1, 0xE2, 0x00, 0x8B, 0x45, 0xFC,
0x0F, 0xBE, 0x0C, 0x10, 0x83, 0xF9, 0x65, 0x0F, 0x85, 0x1F, 0x01, 0x00, 0x00, 0xBA, 0x01, 0x00,
0x00, 0x00, 0xD1, 0xE2, 0x8B, 0x45, 0xFC, 0x0F, 0xBE, 0x0C, 0x10, 0x83, 0xF9, 0x74, 0x0F, 0x85,
0x08, 0x01, 0x00, 0x00, 0xBA, 0x01, 0x00, 0x00, 0x00, 0x6B, 0xC2, 0x03, 0x8B, 0x4D, 0xFC, 0x0F,
0xBE, 0x14, 0x01, 0x83, 0xFA, 0x50, 0x0F, 0x85, 0xF0, 0x00, 0x00, 0x00, 0xB8, 0x01, 0x00, 0x00,
0x00, 0xC1, 0xE0, 0x02, 0x8B, 0x4D, 0xFC, 0x0F, 0xBE, 0x14, 0x01, 0x83, 0xFA, 0x72, 0x0F, 0x85,
0xD8, 0x00, 0x00, 0x00, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x6B, 0xC8, 0x05, 0x8B, 0x55, 0xFC, 0x0F,
0xBE, 0x04, 0x0A, 0x83, 0xF8, 0x6F, 0x0F, 0x85, 0xC0, 0x00, 0x00, 0x00, 0xB9, 0x01, 0x00, 0x00,
0x00, 0x6B, 0xD1, 0x06, 0x8B, 0x45, 0xFC, 0x0F, 0xBE, 0x0C, 0x10, 0x83, 0xF9, 0x63, 0x0F, 0x85,
0xA8, 0x00, 0x00, 0x00, 0xBA, 0x01, 0x00, 0x00, 0x00, 0x6B, 0xC2, 0x07, 0x8B, 0x4D, 0xFC, 0x0F,
0xBE, 0x14, 0x01, 0x83, 0xFA, 0x41, 0x0F, 0x85, 0x90, 0x00, 0x00, 0x00, 0xB8, 0x01, 0x00, 0x00,
0x00, 0xC1, 0xE0, 0x03, 0x8B, 0x4D, 0xFC, 0x0F, 0xBE, 0x14, 0x01, 0x83, 0xFA, 0x64, 0x75, 0x7C,
0xB8, 0x01, 0x00, 0x00, 0x00, 0x6B, 0xC8, 0x09, 0x8B, 0x55, 0xFC, 0x0F, 0xBE, 0x04, 0x0A, 0x83,
0xF8, 0x64, 0x75, 0x68, 0xB9, 0x01, 0x00, 0x00, 0x00, 0x6B, 0xD1, 0x0A, 0x8B, 0x45, 0xFC, 0x0F,
0xBE, 0x0C, 0x10, 0x83, 0xF9, 0x72, 0x75, 0x54, 0xBA, 0x01, 0x00, 0x00, 0x00, 0x6B, 0xC2, 0x0B,
0x8B, 0x4D, 0xFC, 0x0F, 0xBE, 0x14, 0x01, 0x83, 0xFA, 0x65, 0x75, 0x40, 0xB8, 0x01, 0x00, 0x00,
0x00, 0x6B, 0xC8, 0x0C, 0x8B, 0x55, 0xFC, 0x0F, 0xBE, 0x04, 0x0A, 0x83, 0xF8, 0x73, 0x75, 0x2C,
0xB9, 0x01, 0x00, 0x00, 0x00, 0x6B, 0xD1, 0x0D, 0x8B, 0x45, 0xFC, 0x0F, 0xBE, 0x0C, 0x10, 0x83,
0xF9, 0x73, 0x75, 0x18, 0x8B, 0x55, 0xF8, 0x8B, 0x45, 0xE0, 0x0F, 0xB7, 0x0C, 0x50, 0x8B, 0x55,
0xDC, 0x8B, 0x04, 0x8A, 0x03, 0x45, 0x08, 0x89, 0x45, 0xEC, 0xEB, 0x05, 0xE9, 0x82, 0xFE, 0xFF,
0xFF, 0x8B, 0x45, 0xEC, 0x8B, 0xE5, 0x5D, 0xC3,0xE8, 0x00, 0x00, 0x00, 0x00
};

;
int nShellLen = sizeof(shellcode);
// x64 shellcode
//写入SHELLCODE,
for (i = 0; i < nShellLen; i++)
fputc(shellcode[i], newfile);
//SHELLCODE之后是跳转到原OEP的指令
NewSection.VirtualAddress = SEChea.VirtualAddress + alig(SEChea.Misc.VirtualSize, SECTION_ALIG);

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
// 跳到原OEP
BYTE jmp = 0xE9;
OEP = OEP - (NewSection.VirtualAddress + nShellLen) - 5;
size_t ret1 = fwrite(&jmp, sizeof(jmp), 1, newfile);
size_t ret2 = fwrite(&OEP, sizeof(OEP), 1, newfile);
 
 
 
//将最后增加的数据用0填充至按文件中对齐的大小
i = 0;
// -5是因为跳入原OEP加入了5字节
for (i = 0; i < alig(nShellLen, FILE_ALIG) - nShellLen; i++)     //for (i = 0; i < alig(nShellLen, FILE_ALIG) - nShellLen; i++) //如果不跳不-5
    fputc('\0', newfile);
//新区块中的数据
strcpy((char*)NewSection.Name, ".llydd");
NewSection.PointerToRawData = SEChea.PointerToRawData + SEChea.SizeOfRawData;
NewSection.Misc.VirtualSize = nShellLen;
NewSection.SizeOfRawData = alig(nShellLen, FILE_ALIG);
NewSection.Characteristics = 0xE0000020;//新区块可读可写可执行
fseek(newfile, pNT + 248 + sizeof(IMAGE_SECTION_HEADER)*nOldSectionNo, 0);
 
//写入新的块表
fwrite(&NewSection, sizeof(IMAGE_SECTION_HEADER), 1, newfile);
 
int nNewImageSize = NThea.OptionalHeader.SizeOfImage + alig(nShellLen, SECTION_ALIG);
int nNewSizeofCode = NThea.OptionalHeader.SizeOfCode + alig(nShellLen, FILE_ALIG);
fseek(newfile, pNT, 0);
NThea.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = 0;
NThea.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = 0;
NThea.OptionalHeader.SizeOfCode = nNewSizeofCode;
NThea.OptionalHeader.SizeOfImage = nNewImageSize;
NThea.FileHeader.NumberOfSections = nOldSectionNo + 1;
NThea.OptionalHeader.AddressOfEntryPoint = NewSection.VirtualAddress;
//写入更新后的PE头结构
fwrite(&NThea, sizeof(IMAGE_NT_HEADERS), 1, newfile);
printf("\t\tok.........!\n");
 
fclose(newfile);
fclose(rwFile);
 
return 1;

}
跳不回原OEP

 

代码啊参考https://bbs.kanxue.com/thread-36497.htm
https://blog.csdn.net/qq_44657899/article/details/124990667?spm=1001.2101.3001.6650.3&utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7EBlogCommendFromBaidu%7ERate-3-124990667-blog-121652465.pc_relevant_3mothn_strategy_and_data_recovery&depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7EBlogCommendFromBaidu%7ERate-3-124990667-blog-121652465.pc_relevant_3mothn_strategy_and_data_recovery&utm_relevant_index=6


[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

收藏
免费 0
支持
分享
最新回复 (1)
雪    币: 1440
活跃值: (1401)
能力值: ( LV3,RANK:23 )
在线值:
发帖
回帖
粉丝
2

还是 调试器动态看看吧 

最后于 2023-1-11 09:46 被Black貓①呺编辑 ,原因:
2023-1-11 09:41
0
游客
登录 | 注册 方可回帖
返回
//