关于PE可执行文件的修改
作者 佚名技术
来源 程序设计
发布时间 2012-06-30
t;
/* NOTE(review): the signature of this function and the declaration of dos_head are
 * cut off before this point in the listing as posted; only the body is visible. */
if (dos_head->e_magic != IMAGE_DOS_SIGNATURE) {
    puts("unknown type of file");
    return;
}
peHeader * header;
/* Locate the NT headers through the DOS stub's e_lfanew (original comment: "get the PE file header").
 * NOTE(review): e_lfanew comes straight from the file and is never range-checked against the size of
 * the buffer dos_head points into, so a truncated or hostile file places header out of bounds.
 * The IsBadReadPtr() call below does not make this safe: it is deprecated, racy, and can consume
 * guard pages. Check e_lfanew + sizeof(*header) against the loaded size instead. */
header = (peHeader *)((char *)dos_head + dos_head->e_lfanew);
/* NOTE(review): the parentheses on the next line are unbalanced as posted (one ')' missing after sizeof(*header)). */
if (IsBadReadPtr(header, sizeof(*header)) {
    puts("(no PE header, probably DOS executable)");
    return;
}
DWORD mods;
char tmpstr[4]={0};
DWORD tmpaddress;
DWORD tmpaddress1;
/* Only the first section header is examined, and only if its name contains ".text".
 * NOTE(review): IMAGE_SECTION_HEADER.Name is 8 bytes and is not NUL-terminated when all 8 are used,
 * so strstr() can read past it; prefer a bounded compare (strncmp(..., 8)). The code section is also
 * not guaranteed to be section 0. */
if(strstr((const char *)header->section_header[0].Name,".text")!=NULL) {
    virtsize=header->section_header[0].Misc.VirtualSize;        /* used (virtual) length of the code section */
    physaddress=header->section_header[0].PointerToRawData;     /* file offset of the section's raw data */
    physsize=header->section_header[0].SizeOfRawData;           /* length of the raw data on disk */
    peaddress=dos_head->e_lfanew;                                /* file offset of the PE signature / NT headers */
    /* Hand-rolled offsetof(): distance from a dummy peHeader to its section_header[0].Characteristics. */
    peHeader peH;
    tmpaddress=(unsigned long )&peH;
    tmpaddress1=(unsigned long )&(peH.section_header[0].Characteristics);
    /* NOTE(review): the +2 appears to address the high 16-bit word of the 32-bit Characteristics field,
     * where a little-endian 16-bit write of 0x8000 would set bit 31 (IMAGE_SCN_MEM_WRITE). The original
     * comment says .text is normally not writable, that these values are prepared in case data must be
     * written into it, and that this program does not actually write data into .text, so the flag is not
     * patched. Neither flagaddress nor flags is used elsewhere in the visible code -- verify before relying on it. */
    flagaddress=tmpaddress1-tmpaddress+2;
    flags=0x8000;
    /* Slack ("code cave") at the end of the section: raw size minus virtual size (original comment).
     * NOTE(review): nothing visible on this page checks that the code later written at entrywrite
     * fits inside space; that bound belongs in front of the write. */
    space=physsize-virtsize;
    progRAV=header->opt_head.ImageBase;                          /* preferred load address (original comment: usually 0x400000) */
    /* Code section RVA minus its file offset; used below to convert a file offset into an RVA.
     * NOTE(review): this assumes BaseOfCode equals section 0's VirtualAddress -- not checked here. */
    codeoffset=header->opt_head.BaseOfCode-physaddress;
    /* File offset where new code is to be written: end of the section's used bytes ... */
    entrywrite=header->section_header[0].PointerToRawData+header->section_header[0].Misc.VirtualSize;
    mods=entrywrite%16;                                          /* ... rounded up to a 16-byte boundary just below */
    if(mods!=0) {
        entrywrite+=(16-mods);
    }
    oldentryaddress=header->opt_head.AddressOfEntryPoint;        /* keep the original entry point RVA */
    newentryaddress=entrywrite+codeoffset;                       /* new entry point RVA = file offset + (RVA - file offset) */
    return;
}

/* Resolves MessageBoxA in the patcher's own process and stores its address in the global
 * MessageBoxAadaddress; also loads kernel32.dll into gLibAMsg, which is not used further on this page.
 * NOTE(review): LoadLibrary's result is not checked before GetProcAddress (a NULL handle makes it fail
 * and funaddress becomes 0). The stored address is only valid in the patched target if user32.dll is
 * mapped at the same base there; with ASLR (Vista and later) that is not guaranteed, so injected code
 * should resolve its imports itself rather than embed an absolute address captured here. */
void printaddress() {
    HINSTANCE gLibMsg=NULL;
    DWORD funaddress;
    gLibMsg=LoadLibrary("user32.dll");
    funaddress=(DWORD)GetProcAddress(gLibMsg,"MessageBoxA");
    MessageBoxAadaddress=funaddress;
    gLibAMsg=LoadLibrary("kernel32.dll");
}

/* Writes newentryaddress over the target's AddressOfEntryPoint.
 * NOTE(review): the body is cut off at the end of the listing as posted. */
void writefile() {
    int ret;
    long retf;
    DWORD address;
    int tmp;
    unsigned char waddress[4]={0};
    /* NOTE(review): _open returns -1 on failure, so `if(!ret)` only fires for descriptor 0 and a failed
     * open falls through to _lseek on fd -1; test ret == -1 (or ret < 0). _O_CREAT also means a mistyped
     * filename silently creates an empty file that is then patched at offset peaddress+40. No close of
     * ret is visible on this page. */
    ret=_open(filename,_O_RDWR | _O_CREAT | _O_BINARY,_S_IREAD | _S_IWRITE);
    if(!ret) {
        printf("error open\n");
        return;
    }
    /* Offset 40 from the PE signature: 4 (signature) + 20 (IMAGE_FILE_HEADER) + 16 into the optional
     * header = AddressOfEntryPoint, assuming the standard header layout (original comment: "the entry
     * address is at 40 from the start of the PE header"). */
    retf=_lseek(ret,(long)peaddress+40,SEEK_SET);
    if(retf==-1) {
        printf("error seek\n");
        return;
    }
    /* Split the 32-bit RVA into little-endian bytes by hand.
     * NOTE(review): each shifted value is stored in a signed int and then right-shifted by 24;
     * right-shifting a negative int is implementation-defined (arithmetic on MSVC), and only the
     * truncation to unsigned char discards the sign-extended bits. ((address >> 8) & 0xFF) on the
     * unsigned value, or memcpy on a little-endian host, says the same thing without that dependence. */
    address=newentryaddress;
    tmp=address>>24;
    waddress[3]=tmp;
    tmp=address<<8;
    tmp=tmp>>24;
    waddress[2]=tmp;
    tmp=address<<16;
    tmp=tmp>>24;
    waddress[1]=tmp;
    tmp=address<<24;
    tmp=tmp>>24;
    waddress[0]=t |