我想直接替换PE文件资源中的图标文件,前面已经实现对图标的地址定位了,就是替换方面有点难题
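// Locates the first RT_ICON image inside a PE file chosen by the user.
// The file is copied to 'New.exe' and the original is mapped read-only; the
// resource tree is then walked type -> name -> language to the first icon's
// data entry. Every offset read from the file is checked against the file
// size before it is dereferenced, because the file content is untrusted.
// NOTE: the LongWord(pointer) casts make this fragment 32-bit only, as in the
// original listing.
var
  FResourceBase, sourceBase: PImageResourceDirectory; // root resource directory inside the view
  te, entry: PImageResourceDirectoryEntry;
  iconEntry: PImageResourceDirectoryEntry;            // really the RT_ICON sub-directory (name kept)
  tempDir: PImageResourceDirectory;
  tempEntry: PImageResourceDirectoryEntry;
  firstIconDir: PImageResourceDirectory;
  firstIconEntry: PImageResourceDirectoryEntry;
  firstIconData: PImageResourceDataEntry;
  pFirstIcon: LongWord;   // was Word, which truncated the 32-bit address to 16 bits
  SEChea: PImageSectionHeader;
  fhandle: LongWord;
  DOS: PImageDosHeader;
  nts: PImageNtHeaders;
  buffer: pchar;
  size, i, j, K: integer;
  ofn: openfilename;
  hMapping: thandle;
  map: pointer;
  fileSize: LongWord;     // size of the mapped file; upper bound for every offset
  secOff: LongWord;       // file offset of the section table
  rsrcOff: LongWord;      // file offset of the .rsrc section's raw data
  entryCount: LongWord;

// Clear the most significant bit (the "is directory" / "is string" flag) of a
// resource offset. IMAGE_OFFSET_STRIP_HIGH is declared outside this fragment.
function StripHighBit(L: Longint): DWORD;
begin
  Result := L and IMAGE_OFFSET_STRIP_HIGH;
end;

// True when the Len bytes starting at file offset Offset lie inside the file.
// Written with a subtraction so that Offset + Len can never wrap around.
function InFile(Offset, Len: LongWord): Boolean;
begin
  Result := False;
  if Offset > fileSize then Exit;
  Result := Len <= fileSize - Offset;
end;

// Translate an offset relative to the start of the resource section into an
// address inside the view. Returns nil when Len bytes from there do not fit
// in the file.
function RsrcPtr(Offset, Len: LongWord): Pointer;
begin
  Result := nil;
  if rsrcOff > fileSize then Exit;
  if Offset > fileSize - rsrcOff then Exit;
  if Len > fileSize - rsrcOff - Offset then Exit;
  Result := Pointer(LongWord(map) + rsrcOff + Offset);
end;

// Release everything acquired so far; safe to call at any point.
procedure ReleaseAll;
begin
  if map <> nil then UnmapViewOfFile(map);
  if hMapping <> 0 then CloseHandle(hMapping);
  if fhandle <> INVALID_HANDLE_VALUE then CloseHandle(fhandle);
  if buffer <> nil then FreeMem(buffer);
  map := nil;
  hMapping := 0;
  fhandle := INVALID_HANDLE_VALUE;
  buffer := nil;
end;

// Show Msg, then release all resources. The caller is expected to Exit.
procedure Fail(Msg: PChar);
begin
  messagebox(0, Msg, 'OK', 0);
  ReleaseAll;
end;

// Walk root -> RT_ICON -> first name -> first language and fill in iconEntry,
// tempDir, tempEntry, firstIconDir, firstIconEntry, firstIconData and
// pFirstIcon. Returns False as soon as any offset leaves the file or an entry
// has the wrong kind (directory where data is expected, or the reverse).
function LocateFirstIcon: Boolean;
begin
  Result := False;
  pFirstIcon := 0;

  // Root directory: the entry array follows the directory header.
  entryCount := LongWord(FResourceBase^.NumberOfIdEntries) + FResourceBase^.NumberOfNamedEntries;
  entry := RsrcPtr(SizeOf(FResourceBase^), entryCount * LongWord(SizeOf(entry^)));
  if entry = nil then Exit;
  te := entry;

  iconEntry := nil;
  for J := 1 to Integer(entryCount) do
  begin
    if te^.Name = 3 then // 3 = RT_ICON
    begin
      // Found the icon resource directory. The high bit must be set, i.e. the
      // entry must point to a sub-directory; header plus first entry are
      // bounds-checked together.
      if (te^.OffsetToData and $80000000) <> 0 then
        iconEntry := RsrcPtr(StripHighBit(te^.OffsetToData), SizeOf(tempDir^) + SizeOf(tempEntry^));
      break;
    end;
    inc(te);
  end;
  if iconEntry = nil then Exit;

  // Second level (icon names/ids). The original loop only ever acted on its
  // first iteration (k = 0) and advanced the wrong pointer, so the first entry
  // is taken directly.
  tempDir := PImageResourceDirectory(iconEntry);
  if LongWord(tempDir^.NumberOfIdEntries) + tempDir^.NumberOfNamedEntries = 0 then Exit;
  tempEntry := PImageResourceDirectoryEntry(LongWord(tempDir) + SizeOf(tempDir^));
  if (tempEntry^.OffsetToData and $80000000) = 0 then Exit;
  if StripHighBit(tempEntry^.OffsetToData) = 0 then Exit;

  // Third level (languages): again header plus first entry.
  firstIconDir := RsrcPtr(StripHighBit(tempEntry^.OffsetToData), SizeOf(firstIconDir^) + SizeOf(firstIconEntry^));
  if firstIconDir = nil then Exit;
  if LongWord(firstIconDir^.NumberOfIdEntries) + firstIconDir^.NumberOfNamedEntries = 0 then Exit;
  firstIconEntry := PImageResourceDirectoryEntry(LongWord(firstIconDir) + SizeOf(firstIconDir^));
  if (firstIconEntry^.OffsetToData and $80000000) <> 0 then Exit; // a leaf (data entry) is expected here

  firstIconData := RsrcPtr(StripHighBit(firstIconEntry^.OffsetToData), SizeOf(firstIconData^));
  if firstIconData = nil then Exit;

  // The data entry stores an RVA. It is converted through the .rsrc section
  // header, which assumes the icon bytes live in that section; the whole
  // [RVA, RVA + Size) range must fit in the file.
  if firstIconData^.OffsetToData < SEChea^.VirtualAddress then Exit;
  pFirstIcon := LongWord(RsrcPtr(firstIconData^.OffsetToData - SEChea^.VirtualAddress, firstIconData^.Size));
  Result := pFirstIcon <> 0;
end;

begin
  map := nil;
  hMapping := 0;
  fhandle := INVALID_HANDLE_VALUE;
  buffer := nil;
  FResourceBase := nil;

  // nMaxFile below tells the dialog it may write 512 bytes, so the buffer must
  // really be 512 bytes (the original allocated 256: heap overflow on long
  // paths). It is zeroed because lpstrFile must start with #0 when no initial
  // file name is supplied.
  getmem(buffer, 512);
  FillChar(buffer^, 512, 0);
  int := false; // "int" is not declared in this fragment; statement kept as posted
  FillChar(ofn, SizeOf(ofn), 0); // unset fields (owner, hook, template...) must not hold garbage
  ofn.lStructSize := sizeof(openfilename);
  ofn.nMaxFile := 512;
  ofn.lpstrFile := buffer;
  // The filter is a list of description/pattern pairs ending in a double #0;
  // the literal's implicit terminator supplies the final one.
  ofn.lpstrFilter := '*.exe'#0'*.exe'#0;
  ofn.Flags := OFN_FILEMUSTEXIST or OFN_HIDEREADONLY or OFN_EXPLORER;
  if not GetOpenFileNameA(ofn) then
  begin
    ReleaseAll; // dialog cancelled or failed: nothing to parse
    Exit;
  end;

  if not CopyFile(buffer, 'New.exe', false) then
  begin
    Fail('Cannot create New.exe');
    Exit;
  end;

  fhandle := createfile(buffer, GENERIC_READ, FILE_SHARE_READ, nil, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
  if fhandle = INVALID_HANDLE_VALUE then
  begin
    Fail('Cannot open the selected file');
    Exit;
  end;
  fileSize := GetFileSize(fhandle, nil);
  if fileSize = $FFFFFFFF then // failure value of GetFileSize; would disable every bounds check
  begin
    Fail('Cannot read the file size');
    Exit;
  end;
  hMapping := CreateFileMapping(fhandle, nil, PAGE_READONLY, 0, 0, nil);
  if hMapping = 0 then
  begin
    Fail('Cannot map the selected file');
    Exit;
  end;
  map := mapviewoffile(hMapping, FILE_MAP_READ, 0, 0, 0);
  if map = nil then
  begin
    Fail('Cannot map the selected file');
    Exit;
  end;

  // DOS header
  dos := map;
  if not InFile(0, SizeOf(dos^)) then
  begin
    Fail('错误的PE文件格式!');
    Exit;
  end;
  if dos^.e_magic <> IMAGE_DOS_SIGNATURE then
  begin
    Fail('错误的PE文件格式!');
    Exit;
  end;

  // NT headers: e_lfanew comes from the file and must be validated before use.
  if dos^._lfanew <= 0 then
  begin
    Fail('错误的PE文件格式!1');
    Exit;
  end;
  if not InFile(LongWord(dos^._lfanew), SizeOf(nts^)) then
  begin
    Fail('错误的PE文件格式!1');
    Exit;
  end;
  nts := PImageNtHeaders(LongWord(dos) + LongWord(dos^._lfanew));
  if nts^.Signature <> IMAGE_NT_SIGNATURE then
  begin
    Fail('错误的PE文件格式!1');
    Exit;
  end;

  // The section table starts right after the optional header, whose length is
  // given by SizeOfOptionalHeader (the original assumed a fixed-size header).
  secOff := LongWord(dos^._lfanew) + LongWord(SizeOf(nts^.Signature))
    + LongWord(SizeOf(nts^.FileHeader)) + nts^.FileHeader.SizeOfOptionalHeader;
  if not InFile(secOff, LongWord(nts^.FileHeader.NumberOfSections) * LongWord(SizeOf(SEChea^))) then
  begin
    Fail('错误的PE文件格式!1');
    Exit;
  end;
  SEChea := PImageSectionHeader(LongWord(map) + secOff);

  // Find the section named ".rsrc". NOTE(review): the name is only a
  // convention; the resource data directory entry of the optional header is
  // the authoritative pointer.
  for I := 0 to Integer(nts^.FileHeader.NumberOfSections) - 1 do
  begin
    if Strlicomp(@SEChea^.Name, PChar('.rsrc'), IMAGE_SIZEOF_SHORT_NAME) = 0 then
    begin
      rsrcOff := SEChea^.PointerToRawData;
      FResourceBase := RsrcPtr(0, SizeOf(FResourceBase^));
      if FResourceBase <> nil then
        // Show the directory's address (the original printed the address of
        // the pointer variable itself).
        messagebox(0, pchar('OK FOUND FILES IS ' + IntToHex(LongWord(FResourceBase), 8)), 'OK', 0);
      break; // SEChea keeps pointing at the .rsrc header; used for the RVA conversion
    end;
    Inc(SEChea);
  end;
  if FResourceBase = nil then
  begin
    Fail('No usable .rsrc section');
    Exit;
  end;
  sourceBase := FResourceBase;

  if not LocateFirstIcon then
  begin
    Fail('错误的PE文件格式!');
    Exit;
  end;

  // pFirstIcon is an address inside the read-only view; the matching file
  // offset is pFirstIcon - LongWord(map). The view and handles are left open
  // for the code that follows. An in-place overwrite must not exceed
  // firstIconData^.Size bytes, and any change to the file invalidates an
  // existing Authenticode signature.
  writeln('file address : ' + inttohex(pFirstIcon, 8));
  writeln('file rva address : ' + inttohex(firstIconData^.OffsetToData, 8));
  writeln('file size : ' + inttohex(firstIconData^.Size, 8));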
//
下面是替换图标代码,哪位仁兄可以完成之?