新学脱壳,还在大门外转悠,写了这个小东东让大家乐乐。
IDFooler,用于欺骗文件检测工具,目前仅能伪装成VC和DELPHI。VC那个还行,DELPHI这个能骗过FI,骗不过PEID。以前坛子里有大大写过,我这个感觉更“傻瓜”一些。
在98下运行没问题,请各位在不同系统中测试。如果哪位有各种壳和编译器的特征码请赐教。
附件:IDFooler.rar
关键部分的源码(请参考挂在上面的WinRoot的文章,上面有PE结构的详细分析)
// Dialog "Apply" handler: rewrites the PE file named by m_filename in place.
// It appends one section, moves AddressOfEntryPoint into that section, and
// fills the section with a compiler-prologue look-alike (VCBuf or DELPHIBuf,
// chosen by `type`) followed by a 5-byte relative JMP (0xE9) back to the
// original entry point. The original file is copied to m_filename + ".bak"
// before anything is written.
//
// Reviewer notes (what the code does and does not check):
//  - Only e_magic and Signature are validated. Read byte counts, e_lfanew
//    bounds, the image bitness (_IMAGE_NT_HEADERS is the PE32 layout), and
//    whether the header area has room for one more IMAGE_SECTION_HEADER are
//    never checked, so a malformed or PE32+ input is corrupted rather than
//    rejected - and the header rewrite at the Write below happens before
//    the section table is even parsed.
//  - myBufSize is assigned only inside the switch on `type`; for any other
//    value it is read uninitialized by SetLength/Write further down.
//  - Alignment is hard-coded (0x1000 / 0x200) instead of being taken from
//    OptionalHeader.SectionAlignment / FileAlignment.
//  - Output files carry fixed, easily matched traits: a final section named
//    "RoBa" with Characteristics 0xE0000020 (CNT_CODE | MEM_EXECUTE |
//    MEM_READ | MEM_WRITE), VirtualSize 0x1000 and SizeOfRawData 0x200,
//    AddressOfEntryPoint at the very start of that section, and an E9 JMP
//    whose target lies in an earlier section. LinkerVersion is forced to
//    6.0 for both variants.
void CPEDlg::OnApply()
{
CFile myFile;
_IMAGE_DOS_HEADER myDosHeader;
_IMAGE_NT_HEADERS myNtHeader;   // 32-bit (PE32) header layout
_IMAGE_SECTION_HEADER mySectionHeader;
int NumberOfSections,myBufSize; // myBufSize: only set inside the switch on `type` below
// Running maxima over the existing section table: highest VirtualAddress
// (with that section's VirtualSize) and highest PointerToRawData (with that
// section's SizeOfRawData). myVOffset / myROffset become the new section's
// RVA and file offset.
DWORD VOffset=0,VSize=0,ROffset=0,RSize=0,myVOffset=0,myROffset=0;
DWORD OldEP,NewEP,Jmp;
// 53-byte stub written at the new entry point when type == TYPE_VC. It is
// meant to look like an MSVC startup prologue (push ebp / mov ebp,esp /
// push -1 / push imm32 ... / mov eax,fs:[0] ...). NOTE(review): on
// inspection the pushes and pops appear to balance the stack before the
// JMP, but eax is not preserved - confirm by disassembly before relying on
// the patched binary to run unchanged.
BYTE VCBuf[53]={
0x55,0x8b,0xec,0x6a,0xff,0x68,0x00,0x00,
0x00,0x00,0x68,0x00,0x00,0x00,0x00,0x64,
0xa1,0x00,0x00,0x00,0x00,0x50,0x64,0x89,
0x25,0x00,0x00,0x00,0x00,0x83,0xec,0x68,
0x53,0x56,0x57,0x58,0x58,0x58,0x83,0xc4,
0x68,0x58,0x67,0x64,0xa3,0x00,0x00,0x58,
0x58,0x58,0x58,0x8b,0xe8
};
// 10-byte stub written when type == TYPE_DELPHI (push ebp / mov ebp,esp /
// add esp,-0Ch / add esp,0Ch / push eax). NOTE(review): unlike VCBuf this
// one does not undo its pushes - ebp is overwritten and two extra dwords
// remain on the stack when control reaches OldEP. Whether the original
// entry point tolerates that is not verified here.
BYTE DELPHIBuf[10]={
0x55,0x8b,0xec,0x83,0xc4,0xf4,0x83,0xc4,
0x0c,0x50
};
BYTE myBuf[100]={0};             // staging copy of the selected stub (both fit)
CString m_bakname=m_filename+".bak";
// Backup before patching. The CopyFile result is ignored, so the in-place
// modification proceeds even if no backup was actually made.
::CopyFile((LPCTSTR)m_filename,(LPCTSTR)m_bakname,FALSE); //backup
// Open for in-place read/write; a failed open returns silently (no message).
if (!myFile.Open((LPCTSTR)m_filename,CFile::modeReadWrite|CFile::typeBinary,NULL))
return;
// DOS header: byte count returned by Read is not checked.
myFile.Read(&myDosHeader,sizeof(_IMAGE_DOS_HEADER));
if (myDosHeader.e_magic!=IMAGE_DOS_SIGNATURE)
{
AfxMessageBox("不是有效的MZ文件!",0,0);
return;
}
// e_lfanew is used as-is (no bounds check against the file size).
myFile.Seek(myDosHeader.e_lfanew,CFile::begin);
myFile.Read(&myNtHeader,sizeof(_IMAGE_NT_HEADERS));
if (myNtHeader.Signature!=IMAGE_NT_SIGNATURE)
{
AfxMessageBox("不是有效的PE文件!",0,0);
return;
}
// Bump NumberOfSections and write the NT headers back immediately. From
// here on the file is already modified; there is no check that the header
// area (SizeOfHeaders) has space for the extra section header written below.
NumberOfSections=myNtHeader.FileHeader.NumberOfSections;
myNtHeader.FileHeader.NumberOfSections=NumberOfSections+1;
myFile.Seek(myDosHeader.e_lfanew,CFile::begin);
myFile.Write(&myNtHeader,sizeof(_IMAGE_NT_HEADERS));
// The file position is now at the first section header (directly after the
// NT headers). Scan the existing table and remember the highest RVA and the
// highest raw offset, each with its own section's size.
for (int i=0;i<NumberOfSections;i++)
{
myFile.Read(&mySectionHeader,sizeof(_IMAGE_SECTION_HEADER));
if (mySectionHeader.VirtualAddress>VOffset)
{
VOffset=mySectionHeader.VirtualAddress;
VSize=mySectionHeader.Misc.VirtualSize;
}
if (mySectionHeader.PointerToRawData>ROffset)
{
ROffset=mySectionHeader.PointerToRawData;
RSize=mySectionHeader.SizeOfRawData;
}
} //Get the Max Offset
// Round up to the smallest multiple of 0x1000 / 0x200 that is >= the end of
// the highest section. Hard-coded; OptionalHeader.SectionAlignment and
// FileAlignment are not consulted. NOTE(review): a section with VirtualSize
// 0 at an aligned RVA would make myVOffset equal to VOffset (overlap).
while (myVOffset<VOffset+VSize)
{
myVOffset+=0x1000;
}
while (myROffset<ROffset+RSize)
{
myROffset+=0x200;
}
// Build the new section header by overwriting fields of the LAST header read
// in the loop; PointerToRelocations / PointerToLinenumbers /
// NumberOfRelocations / NumberOfLinenumbers are carried over from that
// section. `i` here is the loop variable from the for() above - this only
// compiles under the legacy (pre-standard) VC6 scoping rule.
for (i=0;i<8;i++) mySectionHeader.Name[i]=0;
mySectionHeader.Name[0]='R';     // fixed section name "RoBa" - a constant marker
mySectionHeader.Name[1]='o';
mySectionHeader.Name[2]='B';
mySectionHeader.Name[3]='a';
mySectionHeader.Misc.VirtualSize=0x1000;
mySectionHeader.VirtualAddress=myVOffset;
mySectionHeader.SizeOfRawData=0x200;
mySectionHeader.PointerToRawData=myROffset;
mySectionHeader.Characteristics=0xE0000020; // CNT_CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE
// Position is still right after the last existing header, so this lands in
// slot NumberOfSections of the table.
myFile.Write(&mySectionHeader,sizeof(_IMAGE_SECTION_HEADER));
//Add a New Section
// Redirect the entry point to the start of the new section. LinkerVersion
// is set to 6.0 regardless of `type`; SizeOfImage grows by one page;
// SizeOfHeaders and OptionalHeader.CheckSum are left as they were.
OldEP=myNtHeader.OptionalHeader.AddressOfEntryPoint;
NewEP=myVOffset;
myNtHeader.OptionalHeader.AddressOfEntryPoint=NewEP;
myNtHeader.OptionalHeader.MajorLinkerVersion=6;
myNtHeader.OptionalHeader.MinorLinkerVersion=0;
myNtHeader.OptionalHeader.SizeOfImage=myVOffset+0x1000;
myFile.Seek(myDosHeader.e_lfanew,CFile::begin);
myFile.Write(&myNtHeader,sizeof(_IMAGE_NT_HEADERS));
//write new EntryPoint
// Select the stub. No default case: for any other `type` myBufSize stays
// uninitialized and myBuf stays all zeros.
switch (type)
{
case TYPE_VC:
myBufSize=sizeof(VCBuf);
memcpy(myBuf,VCBuf,myBufSize);
break;
case TYPE_DELPHI:
myBufSize=sizeof(DELPHIBuf);
memcpy(myBuf,DELPHIBuf,sizeof(DELPHIBuf));
}
// Grow (or shrink) the file to exactly one raw block past the last section
// and write the stub into that block. NOTE(review): anything that lived past
// the last section's raw data (an overlay, e.g. an appended signature or
// payload) is truncated or overwritten here.
myFile.SetLength(myROffset+0x200);
myFile.Seek(-0x200,CFile::end);
myFile.Write(&myBuf,myBufSize);  // &myBuf and myBuf denote the same address
// rel32 for a JMP placed right after the stub: target minus the address of
// the instruction following the 5-byte JMP (unsigned wrap yields the
// negative displacement for a backward jump).
Jmp=OldEP-(NewEP+myBufSize)-5;
BYTE JmpBuf=0xE9;                // JMP rel32 opcode
myFile.Write(&JmpBuf,1);
myFile.Write(&Jmp,sizeof(Jmp));
//write the KeyCode
AfxMessageBox("Success!",MB_OK|MB_ICONINFORMATION,0);
}
呵呵,没什么技术含量,贻笑大方了:)