One takeaway: learning really does have to be forced out of you. I studied the PE format properly and tried a purely hand-made PE DIY, and got something out of it.
It is a fairly ordinary method, nothing novel; it uses this function:
WINSHELLAPI BOOL WINAPI ShellExecuteEx(
LPSHELLEXECUTEINFO lpExecInfo );
No new section is added; the OpenUrlA code is 12 bytes.
1. Add an import, ShellExecuteExA
I copied the way Stud_PE adds an import; otherwise rewriting the whole import table would have been a chore.
Locate the import table at 0x614, copy the existing IMAGE_IMPORT_DESCRIPTORs (marked in red) to the start of the new import table at 0x6B0, then append the IID, INT and IAT of the newly added import ShellExecuteExA:
00000610h: 00 00 00 00 5C 20 00 00 00 00 00 00 00 00 00 00 ; ....\ ..........
00000620h: 72 20 00 00 0C 20 00 00 50 20 00 00 00 00 00 00 ; r ... ..P ......
00000630h: 00 00 00 00 9C 20 00 00 00 20 00 00 00 00 00 00 ; ....?... ......
00000640h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000650h: 8A 20 00 00 7E 20 00 00 00 00 00 00 64 20 00 00 ; ?..~ ......d ..
00000660h: 00 00 00 00 BE 01 4D 65 73 73 61 67 65 42 6F 78 ; ....?MessageBox
00000670h: 41 00 55 53 45 52 33 32 2E 64 6C 6C 00 00 99 01 ; A.USER32.dll..?
00000680h: 48 65 61 70 41 6C 6C 6F 63 00 40 01 47 65 74 50 ; HeapAlloc.@.GetP
00000690h: 72 6F 63 65 73 73 48 65 61 70 00 00 4B 45 52 4E ; rocessHeap..KERN
000006a0h: 45 4C 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 ; EL32.dll........
000006b0h: 5C 20 00 00 00 00 00 00 00 00 00 00 72 20 00 00 ; \ ..........r ..
000006c0h: 0C 20 00 00 50 20 00 00 00 00 00 00 00 00 00 00 ; . ..P ..........
000006d0h: 9C 20 00 00 00 20 00 00 08 21 00 00 00 00 00 00 ; ?... ...!......
000006e0h: 00 00 00 00 22 21 00 00 00 21 00 00 00 00 00 00 ; ...."!...!......
000006f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000700h: 10 21 00 00 00 00 00 00 10 21 00 00 00 00 00 00 ; .!.......!......
00000710h: 00 00 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 ; ..ShellExecuteEx
00000720h: 41 00 73 68 65 6C 6C 33 32 2E 64 6C 6C 00 00 00 ; A.shell32.dll...
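To check that the hand-built table is well formed, the following added example (my code, not the post's) walks the IMAGE_IMPORT_DESCRIPTOR array at the new location 0x6B0 exactly as a loader would, using the bytes of the dump above (file offsets 0x610..0x72F). The only assumption is the .rdata mapping RVA = file offset + 0x1A00, which the dump itself implies (Name RVA 0x2122 lands on "shell32.dll" at 0x722). The INT is walked rather than the IAT because the dump does not include the old IATs at 0x600..0x60F.

```python
import struct

# Bytes copied from the post's dump of .rdata, file offsets 0x610..0x72F.
RDATA_FILE_OFFSET = 0x610
RDATA_RVA_DELTA = 0x1A00          # assumed: RVA = file offset + 0x1A00
RDATA = bytes.fromhex("""
00 00 00 00 5C 20 00 00 00 00 00 00 00 00 00 00
72 20 00 00 0C 20 00 00 50 20 00 00 00 00 00 00
00 00 00 00 9C 20 00 00 00 20 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
8A 20 00 00 7E 20 00 00 00 00 00 00 64 20 00 00
00 00 00 00 BE 01 4D 65 73 73 61 67 65 42 6F 78
41 00 55 53 45 52 33 32 2E 64 6C 6C 00 00 99 01
48 65 61 70 41 6C 6C 6F 63 00 40 01 47 65 74 50
72 6F 63 65 73 73 48 65 61 70 00 00 4B 45 52 4E
45 4C 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00
5C 20 00 00 00 00 00 00 00 00 00 00 72 20 00 00
0C 20 00 00 50 20 00 00 00 00 00 00 00 00 00 00
9C 20 00 00 00 20 00 00 08 21 00 00 00 00 00 00
00 00 00 00 22 21 00 00 00 21 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
10 21 00 00 00 00 00 00 10 21 00 00 00 00 00 00
00 00 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78
41 00 73 68 65 6C 6C 33 32 2E 64 6C 6C 00 00 00
""")

NEW_IMPORT_TABLE_RVA = 0x6B0 + RDATA_RVA_DELTA      # 0x20B0


def rva_to_off(rva):
    """Map an RVA into RDATA; refuse anything the dump does not cover."""
    off = rva - RDATA_RVA_DELTA - RDATA_FILE_OFFSET
    if not 0 <= off < len(RDATA):
        raise ValueError("RVA 0x%X is outside the dumped bytes" % rva)
    return off


def read_u32(rva):
    return struct.unpack_from("<I", RDATA, rva_to_off(rva))[0]


def read_cstr(rva):
    off = rva_to_off(rva)
    return RDATA[off:RDATA.index(b"\0", off)].decode("ascii")


def parse_import_table(table_rva):
    """Return [(dll, [(hint, name), ...])] for an IMAGE_IMPORT_DESCRIPTOR array.

    Each descriptor is 20 bytes: OriginalFirstThunk, TimeDateStamp,
    ForwarderChain, Name, FirstThunk; an all-zero descriptor ends the array.
    """
    result, rva = [], table_rva
    while True:
        oft, _ts, _fc, name_rva, ft = struct.unpack_from(
            "<IIIII", RDATA, rva_to_off(rva))
        if oft == 0 and name_rva == 0 and ft == 0:
            break
        funcs, thunk = [], oft
        while True:
            entry = read_u32(thunk)
            if entry == 0:
                break
            if entry & 0x80000000:                  # import by ordinal
                funcs.append((entry & 0xFFFF, None))
            else:                                   # IMAGE_IMPORT_BY_NAME
                hint = struct.unpack_from("<H", RDATA, rva_to_off(entry))[0]
                funcs.append((hint, read_cstr(entry + 2)))
            thunk += 4
        result.append((read_cstr(name_rva), funcs))
        rva += 20
    return result


def first_thunk_of(table_rva, dll):
    """FirstThunk (the IAT RVA the code must call through) of one DLL."""
    rva = table_rva
    while True:
        oft, _ts, _fc, name_rva, ft = struct.unpack_from(
            "<IIIII", RDATA, rva_to_off(rva))
        if oft == 0 and name_rva == 0 and ft == 0:
            return None
        if read_cstr(name_rva).lower() == dll.lower():
            return ft
        rva += 20


if __name__ == "__main__":
    for dll, funcs in parse_import_table(NEW_IMPORT_TABLE_RVA):
        print(dll, funcs)
```

The third descriptor resolves to shell32.dll with FirstThunk 0x2100, which is the slot the OpenUrlA stub later reads with call dword ptr [00402100]; its single IAT entry points at the hint/name pair "ShellExecuteExA".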
2. Add an export table and the exported function OpenUrlA
The .rdata section still has plenty of room, so it goes there,
immediately after the import table data.
While at it, the two strings ShellExecuteExA needs, "open" and "http://bbs.pediy.com", are appended after it as well:
00000730h: 00 00 00 00 00 00 00 00 00 00 00 00 64 21 00 00 ; ............d!..
00000740h: 01 00 00 00 01 00 00 00 01 00 00 00 58 21 00 00 ; ............X!..
00000750h: 5C 21 00 00 60 21 00 00 D0 10 00 00 6E 21 00 00 ; \!..`!..?..n!..
00000760h: 00 00 01 00 70 65 64 69 79 2E 64 6C 6C 00 4F 70 ; ....pediy.dll.Op
00000770h: 65 6E 55 72 6C 41 00 6F 70 65 6E 00 68 74 74 70 ; enUrlA.open.http
00000780h: 3A 2F 2F 62 62 73 2E 70 65 64 69 79 2E 63 6F 6D ; ://bbs.pediy.com
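The added example below (mine, not the post's code) parses the IMAGE_EXPORT_DIRECTORY built by hand at 0x730 from the dump above, and reads the two strings at the RVAs OllyDbg later shows as 003F2177 and 003F217C. Assumed: the same .rdata mapping RVA = file offset + 0x1A00 (Name RVA 0x2164 lands on "pediy.dll" at 0x764), and a zero byte at 0x790 terminating the URL, which the dump stops just short of.

```python
import struct

# Bytes copied from the post's dump, file offsets 0x730..0x78F, plus one
# constructed NUL: the dump ends at 0x78F and the URL's terminator (0x790)
# is assumed to be zero.
RDATA_FILE_OFFSET = 0x730
RDATA_RVA_DELTA = 0x1A00          # assumed: RVA = file offset + 0x1A00
RDATA = bytes.fromhex("""
00 00 00 00 00 00 00 00 00 00 00 00 64 21 00 00
01 00 00 00 01 00 00 00 01 00 00 00 58 21 00 00
5C 21 00 00 60 21 00 00 D0 10 00 00 6E 21 00 00
00 00 01 00 70 65 64 69 79 2E 64 6C 6C 00 4F 70
65 6E 55 72 6C 41 00 6F 70 65 6E 00 68 74 74 70
3A 2F 2F 62 62 73 2E 70 65 64 69 79 2E 63 6F 6D
""") + b"\0"

EXPORT_DIR_RVA = 0x730 + RDATA_RVA_DELTA            # 0x2130


def rva_to_off(rva):
    off = rva - RDATA_RVA_DELTA - RDATA_FILE_OFFSET
    if not 0 <= off < len(RDATA):
        raise ValueError("RVA 0x%X is outside the dumped bytes" % rva)
    return off


def read_u32(rva):
    return struct.unpack_from("<I", RDATA, rva_to_off(rva))[0]


def read_u16(rva):
    return struct.unpack_from("<H", RDATA, rva_to_off(rva))[0]


def read_cstr(rva):
    off = rva_to_off(rva)
    return RDATA[off:RDATA.index(b"\0", off)].decode("ascii")


def parse_export_directory(rva):
    """Decode a 40-byte IMAGE_EXPORT_DIRECTORY and its three parallel tables.

    Returns {"name", "base", "exports": [(name, ordinal, function_rva)]}.
    AddressOfNameOrdinals holds indices into AddressOfFunctions (not
    ordinals), so the ordinal is Base + index.
    """
    (_chars, _stamp, _major, _minor, name_rva, base, n_funcs, n_names,
     aof, aon, aono) = struct.unpack_from("<IIHHIIIIIII", RDATA, rva_to_off(rva))
    exports = []
    for i in range(n_names):
        name = read_cstr(read_u32(aon + 4 * i))
        index = read_u16(aono + 2 * i)
        if index >= n_funcs:
            raise ValueError("name ordinal %d out of range" % index)
        exports.append((name, base + index, read_u32(aof + 4 * index)))
    return {"name": read_cstr(name_rva), "base": base, "exports": exports}


def shellexecute_strings():
    """The verb and file strings appended after the export data, at the
    RVAs OllyDbg shows as 003F2177 / 003F217C (module base 0x3F0000)."""
    return read_cstr(0x2177), read_cstr(0x217C)


if __name__ == "__main__":
    print(parse_export_directory(EXPORT_DIR_RVA))
    print(shellexecute_strings())
```

The single export resolves to OpenUrlA, ordinal 1, function RVA 0x10D0, which is where the stub in step 4 lives (file offset 0x4D0).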
3. Add a variable of type SHELLEXECUTEINFO
At first I didn't pay attention and dropped it into the .text section; later I found that ShellExecuteExA writes some fields back,
so I moved it into the .data section. The two places marked in red need relocation:
00000860h: 3C 00 00 00 12 00 00 00 00 00 00 00 77 21 40 00 ; <...........w!@.
00000870h: 7C 21 40 00 00 00 00 00 00 00 00 00 05 00 00 00 ; |!@.............
00000880h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000890h: 00 00 00 00 00 00 00 00 00 00 00 00 ; ............
Looking at it in OllyDbg makes it clearer:
003F3060 0000003C // cbSize
003F3064 00000012 // SEE_MASK_NOCLOSEPROCESS
003F3068 00000000
003F306C 003F2177 ASCII "open"
003F3070 003F217C ASCII "http://bbs.pediy.com"
003F3074 00000000
003F3078 00000000
003F307C 00000005 //SW_SHOW
003F3080 00000000
003F3084 00000000
003F3088 00000000
003F308C 00000000
003F3090 00000000
003F3094 00000000
003F3098 00000000
003F309C 00000000
4. Add the OpenUrlA code
Appended after the existing code:
000004d0h: 68 60 30 40 00 FF 15 00 21 40 00 C3 00 00 00 00 ; h`0@...!@.?...
003F10D0 >/$ 68 60303F00 push 003F3060
003F10D5 |. FF15 00213F00 call dword ptr [<&shell32.ShellExecut>; shell32.ShellExecuteExA
003F10DB \. C3 retn
5. Add relocations
In the .text section, add the two relocation entries marked in red; the block's size grows by 4.
In .data, the two fields of the SHELLEXECUTEINFO variable mentioned above,
LPCSTR lpVerb;
LPCSTR lpFile;
need relocation (marked in green):
003F10D0 >/$ 68 60303F00 push 003F3060
003F10D5 |. FF15 00213F00 call dword ptr [<&shell32.ShellExecut>; shell32.ShellExecuteExA
003F10DB \. C3 retn
00000a00h: 00 10 00 00 24 00 00 00 03 30 08 30 10 30 2F 30 ; ....$....0.0.0/0
00000a10h: 34 30 83 30 8E 30 96 30 9F 30 BE 30 C5 30 D1 30 ; 40???????
00000a20h: D7 30 00 00 00 30 00 00 0E 00 00 00 6C 30 70 30 ; ?...0......l0p0
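Steps 3 to 5 fit together only if the relocation entries point exactly at the pointer-sized operands in the stub and the two LPCSTR fields of the struct. The added example below (my code, not the post's) decodes the SHELLEXECUTEINFO bytes from step 3, parses the two IMAGE_BASE_RELOCATION blocks from step 5 and rebases the dumped bytes from the preferred base 0x400000 to 0x3F0000, the base OllyDbg shows, so the result can be compared with the OllyDbg listings. Assumed: .text RVA 0x10D0 is file offset 0x4D0, .data RVA 0x3060 is file offset 0x860, and the padding WORD implied by the second block's SizeOfBlock (0xE) just past the dump is zero.

```python
import struct

IMAGE_BASE = 0x400000        # preferred base; pointers in the file use it
LOADED_BASE = 0x3F0000       # base seen in OllyDbg (003F10D0, 003F3060)

# OpenUrlA stub at RVA 0x10D0 (post's dump at file 0x4D0):
# push 00403060 / call dword ptr [00402100] / retn
TEXT_RVA = 0x10D0
TEXT = bytes.fromhex("68 60 30 40 00 FF 15 00 21 40 00 C3")

# The 0x3C-byte SHELLEXECUTEINFOA at RVA 0x3060 (post's dump at file 0x860).
DATA_RVA = 0x3060
DATA = bytes.fromhex("""
3C 00 00 00 12 00 00 00 00 00 00 00 77 21 40 00
7C 21 40 00 00 00 00 00 00 00 00 00 05 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
""")

# .reloc bytes from the post's dump (file 0xA00..0xA2F) plus one constructed
# zero WORD: the second block claims SizeOfBlock 0xE, so its third entry
# sits at 0xA30, just past what the post shows; it is assumed to be the
# usual IMAGE_REL_BASED_ABSOLUTE alignment padding.
RELOC = bytes.fromhex("""
00 10 00 00 24 00 00 00 03 30 08 30 10 30 2F 30
34 30 83 30 8E 30 96 30 9F 30 BE 30 C5 30 D1 30
D7 30 00 00 00 30 00 00 0E 00 00 00 6C 30 70 30
00 00
""")


def parse_relocations(blob):
    """Split a .reloc blob into [(page_rva, [fixup_rva, ...])].

    Only IMAGE_REL_BASED_HIGHLOW (type 3) entries are kept; type 0
    (ABSOLUTE) is alignment padding and is dropped.
    """
    blocks, pos = [], 0
    while pos + 8 <= len(blob):
        page_rva, size = struct.unpack_from("<II", blob, pos)
        if size < 8 or pos + size > len(blob):
            raise ValueError("bad SizeOfBlock at 0x%X" % pos)
        fixups = []
        for off in range(pos + 8, pos + size, 2):
            entry = struct.unpack_from("<H", blob, off)[0]
            kind, page_off = entry >> 12, entry & 0xFFF
            if kind == 3:
                fixups.append(page_rva + page_off)
            elif kind != 0:
                raise ValueError("unexpected relocation type %d" % kind)
        blocks.append((page_rva, fixups))
        pos += size
    return blocks


def decode_shellexecuteinfo(raw):
    """Unpack the 32-bit SHELLEXECUTEINFOA (15 DWORDs) into a dict."""
    names = ("cbSize", "fMask", "hwnd", "lpVerb", "lpFile", "lpParameters",
             "lpDirectory", "nShow", "hInstApp", "lpIDList", "lpClass",
             "hkeyClass", "dwHotKey", "hIcon", "hProcess")
    return dict(zip(names, struct.unpack("<15I", raw)))


def apply_relocations(fragments, blocks, old_base, new_base):
    """Rebase the known byte ranges; return (patched fragments, skipped rvas).

    fragments is {rva: bytes}. Fixups that fall outside the dumped bytes
    cannot be applied and are reported instead of being silently ignored.
    """
    delta = (new_base - old_base) & 0xFFFFFFFF
    out = {rva: bytearray(b) for rva, b in fragments.items()}
    skipped = []
    for _page, fixups in blocks:
        for rva in fixups:
            for start, buf in out.items():
                off = rva - start
                if 0 <= off and off + 4 <= len(buf):
                    val = struct.unpack_from("<I", buf, off)[0]
                    struct.pack_into("<I", buf, off, (val + delta) & 0xFFFFFFFF)
                    break
            else:
                skipped.append(rva)
    return {rva: bytes(b) for rva, b in out.items()}, skipped


def rebase_known_bytes():
    blocks = parse_relocations(RELOC)
    return apply_relocations({TEXT_RVA: TEXT, DATA_RVA: DATA}, blocks,
                             IMAGE_BASE, LOADED_BASE)


if __name__ == "__main__":
    patched, skipped = rebase_known_bytes()
    print(patched[TEXT_RVA].hex(" "))
    print(decode_shellexecuteinfo(patched[DATA_RVA]))
    print("fixups outside the dumped bytes:", [hex(r) for r in skipped])
```

After rebasing, the stub reads 68 60 30 3F 00 FF 15 00 21 3F 00 C3 and lpVerb/lpFile become 003F2177 and 003F217C, matching the OllyDbg listings above; the eleven fixups that belong to the program's original code are reported as skipped because their bytes are not in the post.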
6. Other
Change each section's VirtualSize to its new size.
In the DataDirectory, set the RVA and Size of
IMAGE_DIRECTORY_ENTRY_EXPORT
IMAGE_DIRECTORY_ENTRY_IMPORT
IMAGE_DIRECTORY_ENTRY_BASERELOC
to the modified values.