
[旧帖] [求助]我向pe文件注入一个section,这个节里面添加一个加壳的dll,文件格式可以被exescope正确打开但是不能运行,提示不正确的win32格式 0.00雪花

2009-8-27 08:47
1529
// Appends a section named ".llydd" to the PE file `exefil` and relocates the
// import directory into it, adding one descriptor that names `dllnew`.
// Every edit is made on disk through the WriteFileBuffer / WriteFileInt /
// SelfFileInt / InsertFileEndLoop helpers; the in-memory copy produced by
// LoadPEFile is only used to compute header offsets and is never released.
// `code`, `codelen` and `flag_shellbefore` are not read in the visible body.
// Returns -1 when the section table has no room for another header; the
// listing is cut off before the closing brace, so the success path is not
// visible here.
// RVA2, filesz, alig, aligSize and the globals SECTION_ALIG / FILE_ALIG are
// defined elsewhere (not part of this listing).
int __addnewsection_to_pefile(const char*exefil,const char* dllnew,const char* code,int codelen,int flag_shellbefore)
{
         HANDLE pMap,pfile;   // unused in the visible body
     char* pmemHandle;
    LoadPEFile(exefil,&pmemHandle);   // whole file into heap memory; neither the length nor a failure is checked
//pmemHandle=(char*)crt_mapf2(exefil,&pMap,&pfile,0);// (old approach) obtain the process memory image some other way
  //HANDLE hCurrent = 0;
    IMAGE_DOS_HEADER *pi_dos_header;
    IMAGE_NT_HEADERS *pi_nt_header;
    IMAGE_DATA_DIRECTORY *pi_data_dir_import,*pIMAGE_DATA_DIRECTORYbase;
    IMAGE_IMPORT_DESCRIPTOR *pi_import_des;
        IMAGE_THUNK_DATA *pitdTHUNK_DATA, *pitdTHUNK_DATA2;   // unused in the visible body
    pi_dos_header = (IMAGE_DOS_HEADER *)pmemHandle;
    // NOTE(review): DWORD is 32 bits, so this cast truncates the pointer on a 64-bit build;
    // no MZ / PE signature check is made before e_lfanew is trusted.
    pi_nt_header = (IMAGE_NT_HEADERS *)((DWORD)pmemHandle + pi_dos_header->e_lfanew);
        /////////////////
           SECTION_ALIG=pi_nt_header->OptionalHeader.SectionAlignment;   // file-scope globals, set from the target's headers
       FILE_ALIG=pi_nt_header->OptionalHeader.FileAlignment;

        int nSections=pi_nt_header->FileHeader.NumberOfSections;
        // file offset of the section table = end of IMAGE_NT_HEADERS;
        // assumes SizeOfOptionalHeader equals sizeof(IMAGE_OPTIONAL_HEADER) — TODO confirm
        int sectionsTable_offsetinfile=(char*)pi_nt_header+sizeof(IMAGE_NT_HEADERS)-pmemHandle;
        pIMAGE_DATA_DIRECTORYbase=pi_nt_header->OptionalHeader.DataDirectory;
    pi_data_dir_import = &pIMAGE_DATA_DIRECTORYbase[1];   // [1] == IMAGE_DIRECTORY_ENTRY_IMPORT
        // RVA2 presumably maps an RVA to a file offset — confirm
        char* pImport_data_offset_infile = pmemHandle+RVA2(pmemHandle,pi_data_dir_import->VirtualAddress);
        // descriptor count derived from the directory size, minus one (presumably the all-zero terminator — confirm)
        INT numberofImportEntry=pi_data_dir_import->Size/sizeof(IMAGE_IMPORT_DESCRIPTOR);
        numberofImportEntry--;
        // file offset immediately after the last existing section header
        int newsectionoff_infile=sectionsTable_offsetinfile+nSections*sizeof(IMAGE_SECTION_HEADER);
        IMAGE_SECTION_HEADER*   pFirstSection=(IMAGE_SECTION_HEADER*)((char*)pi_nt_header+sizeof(IMAGE_NT_HEADERS));
         IMAGE_SECTION_HEADER  NewSection;
         IMAGE_SECTION_HEADER  SEChea;
         IMAGE_SECTION_HEADER  FirstSection;
         char zer0;
         zer0=0;
         int dwfilesize;// = filesz(exefil);
         //dwfilesize = filesz((char*)exefil);
         SEChea= *((IMAGE_SECTION_HEADER*)(sectionsTable_offsetinfile+pmemHandle)+nSections-1);   // copy of the last existing section header
         FirstSection=*pFirstSection;
         //InsertFileLoop(exefil,SEChea.PointerToRawData+SEChea.Misc.VirtualSize,&zer0,sizeof(zer0),aligSize(SEChea.SizeOfRawData,SECTION_ALIG));
         ////////////////////////////////////////////////////////////////////////////////////////////////////
         //InsertFile(exefil,&zer0,sizeof(zer0),aligSize(SEChea.Misc.VirtualSize,SECTION_ALIG));
     // dwfilesize+=aligSize(SEChea.Misc.VirtualSize,SECTION_ALIG);
         ///////////////////////////////////////////////////////////////////////////////////////////////////////
         dwfilesize=filesz((char*)exefil);
         int olddwFileSize=dwfilesize;
         // pad the file up to FILE_ALIG, then append SECTION_ALIG more zero bytes.
         // Each loop iteration goes through InsertFileEnd -> InsertFile, which reopens
         // and closes the file for every single byte.
         InsertFileEndLoop(exefil,&zer0,sizeof(zer0),aligSize(dwfilesize,FILE_ALIG));
         InsertFileEndLoop(exefil,&zer0,sizeof(zer0),SECTION_ALIG);
         ZeroMemory(&NewSection,sizeof(NewSection));

         strcpy((char*)NewSection.Name,".llydd");   // Name is an 8-byte field; ".llydd" + NUL fits
         // RVA placed after the last section's virtual extent, offset by FILE_ALIG
         NewSection.VirtualAddress=SEChea.VirtualAddress+alig(SEChea.Misc.VirtualSize,SECTION_ALIG)+FILE_ALIG;
         // raw data = the last SECTION_ALIG bytes appended above
         NewSection.PointerToRawData=filesz((char*)exefil)-SECTION_ALIG;//SEChea.PointerToRawData+SEChea.SizeOfRawData;//dwfilesize+sizeof(IMAGE_SECTION_HEADER);
         // payload: existing descriptors + new descriptor + terminator + DLL name string
         NewSection.Misc.VirtualSize=(numberofImportEntry+2)*sizeof(IMAGE_IMPORT_DESCRIPTOR)+strlen(dllnew)+1;
         NewSection.SizeOfRawData=alig(NewSection.Misc.VirtualSize,SECTION_ALIG);   // rounded with SECTION_ALIG, not FILE_ALIG
         NewSection.Characteristics=0xc0000040;//0xE0000020;   -- 0xC0000040 = CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE
        // int nNewImageSize=NThea.OptionalHeader.SizeOfImage+alig(nShellLen,SECTION_ALIG);
    // int nNewSizeofCode=NThea.OptionalHeader.SizeOfCode+alig(nShellLen,FILE_ALIG);
        int i_str=0;   // unused in the visible body
        ///////////////////////////////////////////////////////////////////////////////////////////////////////
        // the new header plus a zeroed one after it must fit before the first section's raw data
        if(newsectionoff_infile+2*sizeof(NewSection)>=FirstSection.PointerToRawData){
                MessageBox(0,0,"litle for new section entry in sect table",0);
                return -1;
        }
        WriteFileBuffer(exefil,newsectionoff_infile,(char*)&NewSection,sizeof(NewSection));
                 IMAGE_SECTION_HEADER  SEzer0;
                 // NOTE(review): ZeroMemory takes (destination, length); this call passes three arguments
                 ZeroMemory(&SEzer0,0,sizeof(SEzer0));
        WriteFileBuffer(exefil,newsectionoff_infile+sizeof(NewSection),(char*)&SEzer0,sizeof(SEzer0));
        ///////////////////////////////////////////////////////////////////////////////////////////////////////
        //InsertFile(exefil,newsectionoff_infile,(char*)&NewSection,sizeof(NewSection));
        IMAGE_IMPORT_DESCRIPTOR  newImportDesc;
        IMAGE_IMPORT_BY_NAME   *pimport_name;   // unused in the visible body
        ZeroMemory(&newImportDesc,sizeof(newImportDesc));
        // dwfilesize += sizeof(IMAGE_SECTION_HEADER);
        // RVAs inside the new section: the DLL name right after the descriptor table,
        // thunk arrays at fixed 64- and 32-byte distances after it.
        // NOTE(review): nothing in the visible body writes data at the two thunk RVAs,
        // and VirtualSize (above) does not extend to them.
        newImportDesc.Name=NewSection.VirtualAddress+sizeof(IMAGE_IMPORT_DESCRIPTOR)*(numberofImportEntry+2);
        newImportDesc.OriginalFirstThunk=newImportDesc.Name+64;
        newImportDesc.FirstThunk=newImportDesc.OriginalFirstThunk+32;
        ///////////////////////////////////////////////////////////////////////////////////////////////////////
        // copy the existing descriptors into the new section ...
        WriteFileBuffer(exefil,NewSection.PointerToRawData,pImport_data_offset_infile,numberofImportEntry*sizeof(IMAGE_IMPORT_DESCRIPTOR));
    //dwfilesize += (numberofImportEntry+2)*sizeof(IMAGE_IMPORT_DESCRIPTOR);
        //////////////////////////////////////////////////////////////////////////////////////////
        // ... followed by the new descriptor ...
        WriteFileBuffer(exefil,NewSection.PointerToRawData+numberofImportEntry*sizeof(IMAGE_IMPORT_DESCRIPTOR),
                (char*)&newImportDesc,sizeof(newImportDesc));
        numberofImportEntry++;
        // ... then an all-zero terminator descriptor ...
        ZeroMemory(&newImportDesc,sizeof(newImportDesc));
        WriteFileBuffer(exefil,NewSection.PointerToRawData+numberofImportEntry*sizeof(IMAGE_IMPORT_DESCRIPTOR),
                (char*)&newImportDesc,sizeof(newImportDesc));
        //InsertFile(exefil,NewSection.PointerToRawData+numberofImportEntry*sizeof(IMAGE_IMPORT_DESCRIPTOR),(char*)&newImportDesc,sizeof(newImportDesc));
        numberofImportEntry++;
        // ... then the DLL name string (this is the file offset matching newImportDesc.Name)
        WriteFileBuffer(exefil,NewSection.PointerToRawData+(numberofImportEntry)*sizeof(IMAGE_IMPORT_DESCRIPTOR),(char*)dllnew,strlen(dllnew)+1);
//dwfilesize +=aligSize((numberofImportEntry+2)*sizeof(IMAGE_IMPORT_DESCRIPTOR)+strlen(dllnew)+1,SECTION_ALIG);
  //  pi_import_des = (IMAGE_IMPORT_DESCRIPTOR *)((DWORD)pmemHandle + rva2offset(pmemHandle,pi_data_dir_import->VirtualAddress));
//        IMAGE_IMPORT_DESCRIPTOR* preimage_import_descriptor=pi_import_des;
        ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
        // Patch the headers on disk (offsets are computed from the in-memory copy):
        // import directory grows by one descriptor and now points at the new section,
        SelfFileInt(exefil,(char*)&pi_data_dir_import->Size-pmemHandle,sizeof(IMAGE_IMPORT_DESCRIPTOR));
        WriteFileInt(exefil,(char*)&(pi_data_dir_import->VirtualAddress)-pmemHandle,NewSection.VirtualAddress);
        //WriteFileInt(exefil,(char*)&pi_data_dir_import->Size-pmemHandle,desi+1);
        // SizeOfImage grows, NumberOfSections goes up by one,
        SelfFileInt(exefil,(char*)&pi_nt_header->OptionalHeader.SizeOfImage-pmemHandle,SECTION_ALIG+aligSize(olddwFileSize,0x1000));
        SelfFileInt(exefil,(char*)&pi_nt_header->FileHeader.NumberOfSections-pmemHandle,1);
        // and the bound-import directory is cleared so stale bindings are not used.
        WriteFileInt(exefil,(char*)&pi_nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress-pmemHandle,0);
        WriteFileInt(exefil,(char*)&pi_nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size-pmemHandle,0);


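// Reads the whole file at `FileName` into a freshly allocated heap buffer.
//
// On success `*Buffer` receives a `new char[len + 4]` buffer holding the
// file's bytes (the 4 spare bytes are left uninitialised) and the file
// length is returned; the caller owns the buffer and releases it with
// `delete[]`. An empty file yields a (4-byte) buffer and a length of 0.
// On failure (file cannot be opened, size cannot be determined, or the
// read stops short) `*Buffer` is NULL, nothing is leaked and 0 is returned.
// Callers that treat 0 as "error" must therefore also look at `*Buffer`.
unsigned long LoadPEFile(const char *FileName, char **Buffer)
{
  *Buffer = NULL;
  FILE *fp = fopen(FileName, "rb");
  if (fp == NULL) {
    return 0;   // the original dereferenced a NULL FILE* here
  }
  if (fseek(fp, 0, SEEK_END) != 0) {
    fclose(fp);
    return 0;
  }
  long pos = ftell(fp);
  if (pos < 0 || fseek(fp, 0, SEEK_SET) != 0) {
    fclose(fp);
    return 0;
  }
  unsigned long len = (unsigned long)pos;
  char *bbuff = new char[len + 4];
  unsigned long got = 0;
  while (got < len) {
    size_t ret = fread(bbuff + got, 1, len - got, fp);
    if (ret == 0) {
      // EOF or read error before the whole file arrived. The original
      // looped forever in this case; treat it as a failure instead.
      break;
    }
    got += ret;
  }
  fclose(fp);
  if (got != len) {
    delete[] bbuff;
    return 0;
  }
  *Buffer = bbuff;
  return len;
}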

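// Writes `size` bytes of `data` into `file` at byte position `offset`,
// shifting everything from `offset` onward towards the end so that no
// existing byte is overwritten.
//
//   offset == -1    append at the current end of file
//   offset  > len   pad the file with zero bytes up to `offset`, then append
//   otherwise       insert in place, moving the tail `offset..len` forward
//
// The file must already exist ("r+b" never creates it). Returns nothing;
// an unopenable file, a short tail read or a short write is ignored, as in
// the original (which additionally crashed on a NULL FILE* and leaked the
// tail buffer). `size` is widened from `char` to `int`: every caller
// passes an int-sized count, and a `char` count went negative past 127.
void InsertFile(const char* file,int offset,char* data,int size)
{
  if (size < 0 || (size > 0 && data == NULL)) {
    return;
  }
  FILE *fp = fopen(file, "r+b");
  if (fp == NULL) {
    return;
  }
  if (fseek(fp, 0, SEEK_END) != 0) {
    fclose(fp);
    return;
  }
  long len = ftell(fp);
  if (len < 0) {
    fclose(fp);
    return;
  }

  if (offset == -1) {
    fwrite(data, 1, (size_t)size, fp);
  } else if (offset > len) {
    // The gap between the current end and `offset` is filled with zeros.
    char fillc = 0;
    for (long i = 0; i < offset - len; i++) {
      fwrite(&fillc, 1, 1, fp);
    }
    fwrite(data, 1, (size_t)size, fp);
  } else {
    // Read the tail exactly. The original read in 4-byte units, which for a
    // tail that is not a multiple of 4 ended in a partial fread whose
    // contents are unspecified.
    long tail = len - offset;
    char *pBuffer = new char[tail + 4];
    long got = 0;
    if (fseek(fp, offset, SEEK_SET) == 0) {
      while (got < tail) {
        size_t r = fread(pBuffer + got, 1, (size_t)(tail - got), fp);
        if (r == 0) {
          break;
        }
        got += (long)r;
      }
    }
    // Only rewrite when the whole tail was captured; otherwise the file is
    // left untouched rather than truncated.
    if (got == tail && fseek(fp, offset, SEEK_SET) == 0) {
      fwrite(data, 1, (size_t)size, fp);
      fwrite(pBuffer, 1, (size_t)tail, fp);
    }
    delete[] pBuffer;
  }
  fflush(fp);
  fclose(fp);
}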
// Inserts `buf` (buffsize bytes) into `exefil` `loops` times, each copy at
// the next buffsize-sized slot counted from `offset1`. Always returns 0.
int         InsertFileLoop(const char*exefil,int offset1,char* buf,int buffsize,int loops)
{
  for (int k = 0; k < loops; ++k) {
    const int slot = offset1 + k * buffsize;
    InsertFile(exefil, slot, buf, buffsize);
  }
  return 0;
}
// Appends `size` bytes of `data` to the end of `file` (InsertFile treats an
// offset of -1 as "end of file").
void InsertFileEnd(const char* file,char* data,char size)
{
         const int kAppendAtEnd = -1;
         InsertFile(file, kAppendAtEnd, data, size);
}
// Appends `buf` (buffsize bytes) to the end of `exefil` `loops` times, one
// InsertFileEnd call per repetition. Always returns 0.
int         InsertFileEndLoop(const char*exefil,char* buf,int buffsize,int loops)
{
  int remaining = loops;
  while (remaining-- > 0) {
    InsertFileEnd(exefil, buf, buffsize);
  }
  return 0;
}
// Appends `dw` bytes of `zero` to the end of `exefil`, `times` times.
// Identical in effect to InsertFileEndLoop. Always returns 0.
int         InsertFileEnd2(const char* exefil,char* zero,int dw,int times)
{
  int left = times;
  while (left > 0) {
    InsertFileEnd(exefil, zero, dw);
    --left;
  }
  return 0;
}

//void  WriteFileBuffer(char* file,int offset,char* data,char* size)
//{
// FILE *fp = fopen(file, "rwb");
//  fseek(fp, offset, SEEK_SET);
//  fwrite(data,size,1,fp);
//  fclose(fp);
//}
int  ReadFileInt(const char* file,int offset);
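// Reads up to `len` bytes starting at `offset` from `file` into `p`.
// Returns nothing; when the file cannot be opened, the seek fails or the
// read is short, `p` keeps whatever it held before, so callers must not
// assume it was filled. The original dereferenced a NULL FILE* and carried
// two unused locals.
void ReadFileBuffer(const char* file,int offset,char*p,int len)
{
  if (p == NULL || len <= 0) {
    return;
  }
  FILE *fp = fopen(file, "rb");   // read-only is enough; "r+b" refused read-only files
  if (fp == NULL) {
    return;
  }
  if (fseek(fp, offset, SEEK_SET) == 0) {
    (void)fread(p, 1, (size_t)len, fp);   // a short read cannot be reported through a void return
  }
  fclose(fp);
}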
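// Overwrites `len` bytes at `offset` in `file` with `dat`, then reads the
// range back and raises a MessageBox if the verification differs.
// The file must already exist. Returns nothing; the only failure signal is
// the dialog (also shown when the file cannot be opened). The original
// crashed on a NULL FILE*, released the read-back buffer with scalar
// `delete` (undefined for `new[]`), compared against uninitialised bytes
// on a short read-back, and labelled its dialog "WriteFileInt".
void WriteFileBuffer(const char* file,int offset,char*dat,int len)
{
  if (dat == NULL || len <= 0) {
    return;
  }
  FILE *fp = fopen(file, "r+b");
  if (fp == NULL) {
    ::MessageBox(0,0,"WriteFileBuffer",0);
    return;
  }
  if (fseek(fp, offset, SEEK_SET) == 0) {
    fwrite(dat, 1, (size_t)len, fp);
  }
  fflush(fp);
  fclose(fp);

  // Read-back verification. Zero-fill first so a short read-back compares
  // against known bytes instead of heap garbage.
  char *p = new char[len];
  memset(p, 0, (size_t)len);
  ReadFileBuffer(file, offset, p, len);
  if (memcmp(dat, p, (size_t)len) != 0) {
    ::MessageBox(0,0,"WriteFileBuffer",0);
  }
  delete[] p;
}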
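// Overwrites the 4-byte int at `offset` in `file` with `v` (host byte
// order), then reads it back through ReadFileInt and raises a MessageBox if
// the value differs. The file must already exist. Returns nothing; the
// dialog is the only failure signal (also shown when the file cannot be
// opened or the write is short). The original dereferenced a NULL FILE*
// and contained a `v=v;` no-op that only served as a breakpoint anchor.
void  WriteFileInt(const char* file,int offset,int v)
{
  FILE *fp = fopen(file, "r+b");
  if (fp == NULL) {
    ::MessageBox(0,0,"WriteFileInt",0);
    return;
  }
  bool written = fseek(fp, offset, SEEK_SET) == 0
              && fwrite(&v, 1, sizeof(v), fp) == sizeof(v);
  fflush(fp);
  fclose(fp);
  if (!written || ReadFileInt(file, offset) != v) {
    ::MessageBox(0,0,"WriteFileInt",0);
  }
}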
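// Overwrites the single byte at `offset` in `file` with `v`.
// The file must already exist ("r+b" never creates it). Returns nothing;
// an unopenable file or a failed seek/write is silently ignored (the
// original dereferenced a NULL FILE* instead).
void  WriteFileChar(const char* file,int offset,char v)
{
  FILE *fp = fopen(file, "r+b");
  if (fp == NULL) {
    return;
  }
  if (fseek(fp, offset, SEEK_SET) == 0) {
    fwrite(&v, 1, sizeof(v), fp);
  }
  fflush(fp);
  fclose(fp);
}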
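// Overwrites the 2-byte short at `offset` in `file` with `v` (host byte
// order). The file must already exist. Returns nothing; an unopenable
// file or a failed seek/write is silently ignored (the original
// dereferenced a NULL FILE* instead).
void  WriteFileShort(const char* file,int offset,short v)
{
  FILE *fp = fopen(file, "r+b");
  if (fp == NULL) {
    return;
  }
  if (fseek(fp, offset, SEEK_SET) == 0) {
    fwrite(&v, 1, sizeof(v), fp);
  }
  fflush(fp);
  fclose(fp);
}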

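// Reads the 4-byte int stored at `offset` in `file` (host byte order).
// Returns the value read, or 0 when the file cannot be opened, the seek
// fails or fewer than 4 bytes are available (the original returned an
// uninitialised local in those cases).
int  ReadFileInt(const char* file,int offset)
{
  int v = 0;
  FILE *fp = fopen(file, "rb");   // read-only access is enough here
  if (fp == NULL) {
    return v;
  }
  if (fseek(fp, offset, SEEK_SET) == 0) {
    if (fread(&v, 1, sizeof(v), fp) != sizeof(v)) {
      v = 0;   // do not hand back a half-filled value
    }
  }
  fclose(fp);
  return v;
}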
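// Reads the single byte stored at `offset` in `file`.
// Returns the byte, or 0 when the file cannot be opened, the seek fails or
// the byte is past the end (the original returned an uninitialised local).
char  ReadFileChar(const char* file,int offset)
{
  char v = 0;
  FILE *fp = fopen(file, "rb");   // read-only access is enough here
  if (fp == NULL) {
    return v;
  }
  if (fseek(fp, offset, SEEK_SET) == 0) {
    if (fread(&v, 1, sizeof(v), fp) != sizeof(v)) {
      v = 0;
    }
  }
  fclose(fp);
  return v;
}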
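// Reads the 2-byte short stored at `offset` in `file` (host byte order).
// Returns the value, or 0 when the file cannot be opened, the seek fails
// or fewer than 2 bytes are available (the original returned an
// uninitialised local in those cases).
short  ReadFileShort(const char* file,int offset)
{
  short v = 0;
  FILE *fp = fopen(file, "rb");   // read-only access is enough here
  if (fp == NULL) {
    return v;
  }
  if (fseek(fp, offset, SEEK_SET) == 0) {
    if (fread(&v, 1, sizeof(v), fp) != sizeof(v)) {
      v = 0;
    }
  }
  fclose(fp);
  return v;
}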
// Adds `sec` to the int stored at `offset` in `file` (read-modify-write
// through ReadFileInt / WriteFileInt).
void  SelfFileInt(const char* file,int offset,int sec)
{
  const int current = ReadFileInt(file, offset);
  WriteFileInt(file, offset, current + sec);
}
// Adds `sec` to the short stored at `offset` in `file`; the sum is
// narrowed back to short exactly as the original `v+=sec` did.
void  SelfFileShort(const char* file,int offset,short sec)
{
  const short current = ReadFileShort(file, offset);
  WriteFileShort(file, offset, (short)(current + sec));
}

// Adds `sec` to the byte stored at `offset` in `file`; the sum is narrowed
// back to char exactly as the original `v+=sec` did.
void  SelfFileChar(const char* file,int offset,char sec)
{
  const char current = ReadFileChar(file, offset);
  WriteFileChar(file, offset, (char)(current + sec));
}
2009-8-27 08:55
exescope 可以正确打开，因此资源也能正确访问；所以我怀疑可能是 nt header 里的某个字段没有调整过来
// adjust the import-table directory entry (size grows by one descriptor, VA moves to the new section)
   SelfFileInt(exefil,(char*)&pi_data_dir_import->Size-pmemHandle,sizeof(IMAGE_IMPORT_DESCRIPTOR));
  WriteFileInt(exefil,(char*)&(pi_data_dir_import->VirtualAddress)-pmemHandle,NewSection.VirtualAddress);
  //WriteFileInt(exefil,(char*)&pi_data_dir_import->Size-pmemHandle,desi+1);
// adjust the "file size" (the field actually patched is OptionalHeader.SizeOfImage)
  SelfFileInt(exefil,(char*)&pi_nt_header->OptionalHeader.SizeOfImage-pmemHandle,SECTION_ALIG+aligSize(olddwFileSize,0x1000));
// adjust the section count
  SelfFileInt(exefil,(char*)&pi_nt_header->FileHeader.NumberOfSections-pmemHandle,1);
  // clear the bound-import directory so stale bindings are not used
  WriteFileInt(exefil,(char*)&pi_nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress-pmemHandle,0);
  WriteFileInt(exefil,(char*)&pi_nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size-pmemHandle,0);
2009-8-27 09:18
直接上传不能跑的target上来比较快吧.
谁有空帮你看code
2009-8-27 09:25
sessiondiy    什么意思
我不太明白
2009-8-27 09:26
太长了. 没人会替你看.
你将成品(exe)放上网盘, 效果大点.
(我不知临时用户能不能上传文件到pediy)
2009-8-27 09:27
sessiondiy
================================
只要看第一帖
下面的都是辅助工具
主要看第一个函数
是流程
2009-8-27 09:32
sessiondiy
================================
借你的网盘一用
我上传exe上去
源代码也上去
2009-8-27 09:34
sessiondiy
================================
留个qq交流一下
2009-8-27 09:40
FILE *fp = fopen(file, "r+b");
fseek(fp, 0, SEEK_END);
long i = 0;
long len = ftell(fp);
if(offset==-1){
fwrite(data,1,size,fp);

数据貌似都加到文件最后面去了
2009-8-27 11:06