65,208
社区成员
发帖
与我相关
我的任务
分享跪求用VC++向PE文件中添加新节,100分!!!!!!!!!!!
请问有用VC++向PE文件中添加新节的例子吗?我找了很久也没有找到 跪求这个例子
各位大侠帮忙啊!!!!!!100分!!!!!!!!!!!1
各位大侠帮忙啊!!!!!!100分!!!!!!!!!!!1
...全文
请发表友善的回复…
发表回复
lightnut 2007-05-29
- 打赏
- 举报
http://www.codeproject.com/system/inject2exe.asp
theendname 2007-05-29
- 打赏
- 举报
mark
ASDKLHGJ 2007-05-29
- 打赏
- 举报
谢了下面的大哥,我先调一下,不过看加这么多汇编我心里都有点发毛了
nf3 2007-05-29
- 打赏
- 举报
收藏
星羽 2007-05-28
- 打赏
- 举报
转:
;***********************************************
;程序名称:为PE文件添加新节显示启动信息
;作者:罗聪
;日期:2002-11-10
;出处:http://www.luocong.com(老罗的缤纷天地)
;本代码使用了病毒技术,但纯粹只用于技术研究。
;切记:请勿用于非法用途!!!!!!
;注意事项:如欲转载,请保持本程序的完整,并注明:
;转载自“老罗的缤纷天地”(http://www.luocong.com)
;***********************************************
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\comdlg32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\comdlg32.lib
WndProc proto :DWORD, :DWORD, :DWORD, :DWORD
AddNewSection proto :DWORD
;很有用的宏:
CTEXT MACRO y:VARARG
LOCAL sym
CONST segment
ifidni <y>,<>
sym db 0
else
sym db y,0
endif
CONST ends
exitm <offset sym>
ENDM
.const
IDI_LC equ 1
IDC_BUTTON_OPEN equ 3000
MAXSIZE equ 260
Head_Len equ sizeof IMAGE_NT_HEADERS + sizeof IMAGE_SECTION_HEADER
.data
szDlgName db "lc_dialog", 0
szCaption db "Section Add demo by LC", 0
ofn OPENFILENAME <>
szFileName db MAXSIZE dup(0)
szFilterString db "PE 可执行文件", 0, "*.exe", 0, 0
szMyTitle db "请打开一个PE可执行文件...", 0
PE_Header IMAGE_NT_HEADERS <0>
My_Section IMAGE_SECTION_HEADER <>
szDllName db "User32", 0
szMessageBoxA db "MessageBoxA", 0
.data?
hInstance HINSTANCE ?
.code
main:
invoke GetModuleHandle, NULL
mov hInstance, eax
invoke DialogBoxParam, eax, offset szDlgName, 0, WndProc, 0
invoke ExitProcess, eax
WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
.if uMsg == WM_CLOSE
invoke EndDialog, hWnd, 0
.elseif uMsg == WM_INITDIALOG
;设置我的图标:
invoke LoadIcon, hInstance, IDI_LC
invoke SendMessage, hWnd, WM_SETICON, ICON_SMALL, eax
.elseif uMsg == WM_COMMAND
mov eax, wParam
mov edx, eax
shr edx, 16
movzx eax, ax
.if edx == BN_CLICKED
.if eax == IDCANCEL
invoke EndDialog, hWnd, NULL
.elseif eax == IDC_BUTTON_OPEN || eax == IDOK
;调用子程序,添加节:
invoke AddNewSection, hWnd
.endif
.endif
.else
mov eax, FALSE
ret
.endif
mov eax, TRUE
ret
WndProc endp
;***********************************************
;程序名称:为PE文件添加新节显示启动信息
;作者:罗聪
;日期:2002-11-10
;出处:http://www.luocong.com(老罗的缤纷天地)
;本代码使用了病毒技术,但纯粹只用于技术研究。
;切记:请勿用于非法用途!!!!!!
;注意事项:如欲转载,请保持本程序的完整,并注明:
;转载自“老罗的缤纷天地”(http://www.luocong.com)
;***********************************************
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\comdlg32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\comdlg32.lib
WndProc proto :DWORD, :DWORD, :DWORD, :DWORD
AddNewSection proto :DWORD
;很有用的宏:
CTEXT MACRO y:VARARG
LOCAL sym
CONST segment
ifidni <y>,<>
sym db 0
else
sym db y,0
endif
CONST ends
exitm <offset sym>
ENDM
.const
IDI_LC equ 1
IDC_BUTTON_OPEN equ 3000
MAXSIZE equ 260
Head_Len equ sizeof IMAGE_NT_HEADERS + sizeof IMAGE_SECTION_HEADER
.data
szDlgName db "lc_dialog", 0
szCaption db "Section Add demo by LC", 0
ofn OPENFILENAME <>
szFileName db MAXSIZE dup(0)
szFilterString db "PE 可执行文件", 0, "*.exe", 0, 0
szMyTitle db "请打开一个PE可执行文件...", 0
PE_Header IMAGE_NT_HEADERS <0>
My_Section IMAGE_SECTION_HEADER <>
szDllName db "User32", 0
szMessageBoxA db "MessageBoxA", 0
.data?
hInstance HINSTANCE ?
.code
main:
invoke GetModuleHandle, NULL
mov hInstance, eax
invoke DialogBoxParam, eax, offset szDlgName, 0, WndProc, 0
invoke ExitProcess, eax
WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
.if uMsg == WM_CLOSE
invoke EndDialog, hWnd, 0
.elseif uMsg == WM_INITDIALOG
;设置我的图标:
invoke LoadIcon, hInstance, IDI_LC
invoke SendMessage, hWnd, WM_SETICON, ICON_SMALL, eax
.elseif uMsg == WM_COMMAND
mov eax, wParam
mov edx, eax
shr edx, 16
movzx eax, ax
.if edx == BN_CLICKED
.if eax == IDCANCEL
invoke EndDialog, hWnd, NULL
.elseif eax == IDC_BUTTON_OPEN || eax == IDOK
;调用子程序,添加节:
invoke AddNewSection, hWnd
.endif
.endif
.else
mov eax, FALSE
ret
.endif
mov eax, TRUE
ret
WndProc endp
spofmy 2007-05-28
- 打赏
- 举报
那就在 VC 中嵌入汇编吧 ...
---------------------------------
呵呵 好主意
---------------------------------
呵呵 好主意
jixingzhong 2007-05-28
- 打赏
- 举报
那就在 VC 中嵌入汇编吧 ...
ASDKLHGJ 2007-05-28
- 打赏
- 举报
最好有个例子啊
珍惜生命远离CPP 2007-05-28
- 打赏
- 举报
添加段用C应该不难啊
ASDKLHGJ 2007-05-28
- 打赏
- 举报
在VC++中对齐也是个问题
ASDKLHGJ 2007-05-28
- 打赏
- 举报
主要是设置新节的属性这地方有问题 哪位大侠能指点下? 我现在已经能够指向新节开始处了
taodm 2007-05-28
- 打赏
- 举报
汇编翻译到C嘛
ASDKLHGJ 2007-05-28
- 打赏
- 举报
看雪上都是用汇编的啊
ASDKLHGJ 2007-05-28
- 打赏
- 举报
是啊 ,我看用汇编都还可以,但是用VC++就有点困难了
珍惜生命远离CPP 2007-05-28
- 打赏
- 举报
我会手工添加
PEditor这个也能添加
PEditor这个也能添加
taodm 2007-05-28
- 打赏
- 举报
去《看雪论坛》求。
ASDKLHGJ 2007-05-28
- 打赏
- 举报
急啊!!!!
ly19820701 2007-05-28
- 打赏
- 举报
mark
大爷想要时光机 2007-05-28
- 打赏
- 举报
kanxue老大对不住了,又乱拿您老人家地盘上的文章了
大爷想要时光机 2007-05-28
- 打赏
- 举报
标 题: 为PE文件增加新节,并在新节中增入SHELL CODE加载指定DLL【原创】【原创】
作 者: llydd
时 间: 2006-12-17,00:03
链 接: http://bbs.pediy.com/showthread.php?t=36497
//add_section.cpp
#include "windows.h"
#include "stdio.h"
//判断文件是否为合法PE文件
BOOL CheckPe(FILE* pFile)
{
fseek(pFile,0,SEEK_SET);
BOOL bFlags=FALSE;
WORD IsMZ;
DWORD IsPE,pNT;
fread(&IsMZ,sizeof(WORD),1,pFile);
if(IsMZ==0x5A4D)
{
fseek(pFile,0x3c,SEEK_SET);
fread(&pNT,sizeof(DWORD),1,pFile);
fseek(pFile,pNT,SEEK_SET);
fread(&IsPE,sizeof(DWORD),1,pFile);
if(IsPE==0X00004550)
bFlags=TRUE;
else
bFlags=FALSE;
}
else
bFlags=FALSE;
fseek(pFile,0,SEEK_SET);
return bFlags;
}
//用来计算对齐数据后的大小
int alig(int size,unsigned int align)
{
if(size%align!=0)
return (size/align+1)*align;
else
return size;
}
int main(int argc,char* argv[])
{
if(argc!=2)
{
printf("\t\tusage:add_section filename\n");
exit(-1);
}
FILE* rwFile;
if((rwFile=fopen(argv[1],"rb"))==NULL)//打开文件失败则退出
{
printf("\t\tOpen file faild\n");
exit(-1);
}
if(!CheckPe(rwFile))
{
printf("\t\tinvalid pe......!\n");
exit(-1);
}
//备份原文件
char szNewFile[10]="_New.exe";
if(!CopyFile(argv[1],szNewFile,0)) //若备份文件出错则退出
{
printf("\t\tbak faild\n");
exit(-1);
}
IMAGE_NT_HEADERS NThea;
fseek(rwFile,0x3c,0);
DWORD pNT; //pNT中存放IMAGE_NT_HEADERS结构的地址
fread(&pNT,sizeof(DWORD),1,rwFile);
fseek(rwFile,pNT,0);
fread(&NThea,sizeof(IMAGE_NT_HEADERS),1,rwFile); //读取原文件的IMAGE_NT_HEADERS结构
//保存原文件区块数量与OEP
int nOldSectionNo=NThea.FileHeader.NumberOfSections;
int OEP=NThea.OptionalHeader.AddressOfEntryPoint;
//保存文件对齐值与区块对齐值
int SECTION_ALIG=NThea.OptionalHeader.SectionAlignment;
int FILE_ALIG=NThea.OptionalHeader.FileAlignment;
//定义要添加的区块
IMAGE_SECTION_HEADER NewSection;
//将该结构全部清零
memset(&NewSection, 0, sizeof(IMAGE_SECTION_HEADER));
//再定义一个区块,来存放原文件最后一个区块的信息
IMAGE_SECTION_HEADER SEChea;
//读原文件最后一个区块的信息
fseek(rwFile,pNT+248,0);
for(int i=0;i<nOldSectionNo;i++)
fread(&SEChea,sizeof(IMAGE_SECTION_HEADER),1,rwFile);
FILE *newfile=fopen(szNewFile,"rb+");
if(newfile==NULL)
{
printf("\t\tOpen bak file faild\n");
exit(-1);
}
fseek(newfile,SEChea.PointerToRawData+SEChea.SizeOfRawData,SEEK_SET);
goto shellend;
__asm
{
shell: PUSHAD
MOV EAX,DWORD PTR FS:[30H] ;FS:[30H]指向PEB
MOV EAX,DWORD PTR [EAX+0CH] ;获取PEB_LDR_DATA结构的指针
MOV EAX,DWORD PTR [EAX+1CH] ;获取LDR_MODULE链表表首结点的inInitializeOrderModuleList成员的指针
MOV EAX,DWORD PTR [EAX] ;LDR_MODULE链表第二个结点的inInitializeOrderModuleList成员的指针
MOV EAX,DWORD PTR [EAX+08H] ;inInitializeOrderModuleList偏移8h便得到Kernel32.dll的模块基址
MOV EBP,EAX ; 将Kernel32.dll模块基址地址放至kernel中
MOV EAX,DWORD PTR [EAX+3CH] ;指向IMAGE_NT_HEADERS
MOV EAX,DWORD PTR [EBP+EAX+120] ;指向导出表
MOV ECX,[EBP+EAX+24] ;取导出表中导出函数名字的数目
MOV EBX,[EBP+EAX+32] ;取导出表中名字表的地址
ADD EBX,EBP
PUSH WORD PTR 0X00 ;构造GetProcAddress字符串
PUSH DWORD PTR 0X73736572
PUSH DWORD PTR 0X64644163
PUSH DWORD PTR 0X6F725074
PUSH WORD PTR 0X6547
MOV EDX,ESP
PUSH ECX
F1:
MOV EDI,EDX
POP ECX
DEC ECX
TEST ECX,ECX
JZ EXIT
MOV ESI,[EBX+ECX*4]
ADD ESI,EBP
PUSH ECX
MOV ECX,15
REPZ CMPSB
TEST ECX,ECX
JNZ F1
POP ECX
MOV ESI,[EBP+EAX+36] ;取得导出表中序号表的地址
ADD ESI,EBP
MOVZX ESI,WORD PTR[ESI+ECX*2] ;取得进入函数地址表的序号
MOV EDI,[EBP+EAX+28] ;取得函数地址表的地址
ADD EDI,EBP
MOV EDI,[EDI+ESI*4] ;取得GetProcAddress函数的地址
ADD EDI,EBP
PUSH WORD PTR 0X00 ;构造LoadLibraryA字符串
PUSH DWORD PTR 0X41797261
PUSH DWORD PTR 0X7262694C
PUSH DWORD PTR 0X64616F4C
PUSH ESP
PUSH EBP
CALL EDI ;调用GetProcAddress取得LoadLibraryA函数的地址
PUSH WORD PTR 0X00 ;构造test符串,测试新增节后的EXE是否能正常加载test.dll
PUSH DWORD PTR 0X74736574
PUSH ESP
CALL EAX
EXIT: ADD ESP,36 ;平衡堆栈
POPAD
}
shellend:
char *pShell;
int nShellLen;
__asm
{
LEA EAX,shell
MOV pShell,EAX;
LEA EBX,shellend
SUB EBX,EAX
MOV nShellLen,EBX
}
//写入SHELLCODE,
for(i=0;i<nShellLen;i++)
fputc(pShell[i],newfile);
//SHELLCODE之后是跳转到原OEP的指令
NewSection.VirtualAddress=SEChea.VirtualAddress+alig(SEChea.Misc.VirtualSize,SECTION_ALIG);
BYTE jmp = 0xE9;
OEP=OEP-(NewSection.VirtualAddress+nShellLen)-5;
fwrite(&jmp, sizeof(jmp), 1, newfile);
fwrite(&OEP, sizeof(OEP), 1, newfile);
//将最后增加的数据用0填充至按文件中对齐的大小
for(i=0;i<alig(nShellLen,FILE_ALIG)-nShellLen-5;i++)
fputc('\0',newfile);
//新区块中的数据
strcpy((char*)NewSection.Name,".llydd");
NewSection.PointerToRawData=SEChea.PointerToRawData+SEChea.SizeOfRawData;
NewSection.Misc.VirtualSize=nShellLen;
NewSection.SizeOfRawData=alig(nShellLen,FILE_ALIG);
NewSection.Characteristics=0xE0000020;//新区块可读可写可执行
fseek(newfile,pNT+248+sizeof(IMAGE_SECTION_HEADER)*nOldSectionNo,0);
//写入新的块表
fwrite(&NewSection,sizeof(IMAGE_SECTION_HEADER),1,newfile);
int nNewImageSize=NThea.OptionalHeader.SizeOfImage+alig(nShellLen,SECTION_ALIG);
int nNewSizeofCode=NThea.OptionalHeader.SizeOfCode+alig(nShellLen,FILE_ALIG);
fseek(newfile,pNT,0);
NThea.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress=0;
NThea.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size=0;
NThea.OptionalHeader.SizeOfCode=nNewSizeofCode;
NThea.OptionalHeader.SizeOfImage=nNewImageSize;
NThea.FileHeader.NumberOfSections=nOldSectionNo+1;
NThea.OptionalHeader.AddressOfEntryPoint=NewSection.VirtualAddress;
//写入更新后的PE头结构
fwrite(&NThea,sizeof(IMAGE_NT_HEADERS),1,newfile);
printf("\t\tok.........!\n");
fclose(newfile);
fclose(rwFile);
return 1;
}
作 者: llydd
时 间: 2006-12-17,00:03
链 接: http://bbs.pediy.com/showthread.php?t=36497
//add_section.cpp
#include "windows.h"
#include "stdio.h"
//判断文件是否为合法PE文件
BOOL CheckPe(FILE* pFile)
{
fseek(pFile,0,SEEK_SET);
BOOL bFlags=FALSE;
WORD IsMZ;
DWORD IsPE,pNT;
fread(&IsMZ,sizeof(WORD),1,pFile);
if(IsMZ==0x5A4D)
{
fseek(pFile,0x3c,SEEK_SET);
fread(&pNT,sizeof(DWORD),1,pFile);
fseek(pFile,pNT,SEEK_SET);
fread(&IsPE,sizeof(DWORD),1,pFile);
if(IsPE==0X00004550)
bFlags=TRUE;
else
bFlags=FALSE;
}
else
bFlags=FALSE;
fseek(pFile,0,SEEK_SET);
return bFlags;
}
//用来计算对齐数据后的大小
int alig(int size,unsigned int align)
{
if(size%align!=0)
return (size/align+1)*align;
else
return size;
}
int main(int argc,char* argv[])
{
if(argc!=2)
{
printf("\t\tusage:add_section filename\n");
exit(-1);
}
FILE* rwFile;
if((rwFile=fopen(argv[1],"rb"))==NULL)//打开文件失败则退出
{
printf("\t\tOpen file faild\n");
exit(-1);
}
if(!CheckPe(rwFile))
{
printf("\t\tinvalid pe......!\n");
exit(-1);
}
//备份原文件
char szNewFile[10]="_New.exe";
if(!CopyFile(argv[1],szNewFile,0)) //若备份文件出错则退出
{
printf("\t\tbak faild\n");
exit(-1);
}
IMAGE_NT_HEADERS NThea;
fseek(rwFile,0x3c,0);
DWORD pNT; //pNT中存放IMAGE_NT_HEADERS结构的地址
fread(&pNT,sizeof(DWORD),1,rwFile);
fseek(rwFile,pNT,0);
fread(&NThea,sizeof(IMAGE_NT_HEADERS),1,rwFile); //读取原文件的IMAGE_NT_HEADERS结构
//保存原文件区块数量与OEP
int nOldSectionNo=NThea.FileHeader.NumberOfSections;
int OEP=NThea.OptionalHeader.AddressOfEntryPoint;
//保存文件对齐值与区块对齐值
int SECTION_ALIG=NThea.OptionalHeader.SectionAlignment;
int FILE_ALIG=NThea.OptionalHeader.FileAlignment;
//定义要添加的区块
IMAGE_SECTION_HEADER NewSection;
//将该结构全部清零
memset(&NewSection, 0, sizeof(IMAGE_SECTION_HEADER));
//再定义一个区块,来存放原文件最后一个区块的信息
IMAGE_SECTION_HEADER SEChea;
//读原文件最后一个区块的信息
fseek(rwFile,pNT+248,0);
for(int i=0;i<nOldSectionNo;i++)
fread(&SEChea,sizeof(IMAGE_SECTION_HEADER),1,rwFile);
FILE *newfile=fopen(szNewFile,"rb+");
if(newfile==NULL)
{
printf("\t\tOpen bak file faild\n");
exit(-1);
}
fseek(newfile,SEChea.PointerToRawData+SEChea.SizeOfRawData,SEEK_SET);
goto shellend;
__asm
{
shell: PUSHAD
MOV EAX,DWORD PTR FS:[30H] ;FS:[30H]指向PEB
MOV EAX,DWORD PTR [EAX+0CH] ;获取PEB_LDR_DATA结构的指针
MOV EAX,DWORD PTR [EAX+1CH] ;获取LDR_MODULE链表表首结点的inInitializeOrderModuleList成员的指针
MOV EAX,DWORD PTR [EAX] ;LDR_MODULE链表第二个结点的inInitializeOrderModuleList成员的指针
MOV EAX,DWORD PTR [EAX+08H] ;inInitializeOrderModuleList偏移8h便得到Kernel32.dll的模块基址
MOV EBP,EAX ; 将Kernel32.dll模块基址地址放至kernel中
MOV EAX,DWORD PTR [EAX+3CH] ;指向IMAGE_NT_HEADERS
MOV EAX,DWORD PTR [EBP+EAX+120] ;指向导出表
MOV ECX,[EBP+EAX+24] ;取导出表中导出函数名字的数目
MOV EBX,[EBP+EAX+32] ;取导出表中名字表的地址
ADD EBX,EBP
PUSH WORD PTR 0X00 ;构造GetProcAddress字符串
PUSH DWORD PTR 0X73736572
PUSH DWORD PTR 0X64644163
PUSH DWORD PTR 0X6F725074
PUSH WORD PTR 0X6547
MOV EDX,ESP
PUSH ECX
F1:
MOV EDI,EDX
POP ECX
DEC ECX
TEST ECX,ECX
JZ EXIT
MOV ESI,[EBX+ECX*4]
ADD ESI,EBP
PUSH ECX
MOV ECX,15
REPZ CMPSB
TEST ECX,ECX
JNZ F1
POP ECX
MOV ESI,[EBP+EAX+36] ;取得导出表中序号表的地址
ADD ESI,EBP
MOVZX ESI,WORD PTR[ESI+ECX*2] ;取得进入函数地址表的序号
MOV EDI,[EBP+EAX+28] ;取得函数地址表的地址
ADD EDI,EBP
MOV EDI,[EDI+ESI*4] ;取得GetProcAddress函数的地址
ADD EDI,EBP
PUSH WORD PTR 0X00 ;构造LoadLibraryA字符串
PUSH DWORD PTR 0X41797261
PUSH DWORD PTR 0X7262694C
PUSH DWORD PTR 0X64616F4C
PUSH ESP
PUSH EBP
CALL EDI ;调用GetProcAddress取得LoadLibraryA函数的地址
PUSH WORD PTR 0X00 ;构造test符串,测试新增节后的EXE是否能正常加载test.dll
PUSH DWORD PTR 0X74736574
PUSH ESP
CALL EAX
EXIT: ADD ESP,36 ;平衡堆栈
POPAD
}
shellend:
char *pShell;
int nShellLen;
__asm
{
LEA EAX,shell
MOV pShell,EAX;
LEA EBX,shellend
SUB EBX,EAX
MOV nShellLen,EBX
}
//写入SHELLCODE,
for(i=0;i<nShellLen;i++)
fputc(pShell[i],newfile);
//SHELLCODE之后是跳转到原OEP的指令
NewSection.VirtualAddress=SEChea.VirtualAddress+alig(SEChea.Misc.VirtualSize,SECTION_ALIG);
BYTE jmp = 0xE9;
OEP=OEP-(NewSection.VirtualAddress+nShellLen)-5;
fwrite(&jmp, sizeof(jmp), 1, newfile);
fwrite(&OEP, sizeof(OEP), 1, newfile);
//将最后增加的数据用0填充至按文件中对齐的大小
for(i=0;i<alig(nShellLen,FILE_ALIG)-nShellLen-5;i++)
fputc('\0',newfile);
//新区块中的数据
strcpy((char*)NewSection.Name,".llydd");
NewSection.PointerToRawData=SEChea.PointerToRawData+SEChea.SizeOfRawData;
NewSection.Misc.VirtualSize=nShellLen;
NewSection.SizeOfRawData=alig(nShellLen,FILE_ALIG);
NewSection.Characteristics=0xE0000020;//新区块可读可写可执行
fseek(newfile,pNT+248+sizeof(IMAGE_SECTION_HEADER)*nOldSectionNo,0);
//写入新的块表
fwrite(&NewSection,sizeof(IMAGE_SECTION_HEADER),1,newfile);
int nNewImageSize=NThea.OptionalHeader.SizeOfImage+alig(nShellLen,SECTION_ALIG);
int nNewSizeofCode=NThea.OptionalHeader.SizeOfCode+alig(nShellLen,FILE_ALIG);
fseek(newfile,pNT,0);
NThea.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress=0;
NThea.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size=0;
NThea.OptionalHeader.SizeOfCode=nNewSizeofCode;
NThea.OptionalHeader.SizeOfImage=nNewImageSize;
NThea.FileHeader.NumberOfSections=nOldSectionNo+1;
NThea.OptionalHeader.AddressOfEntryPoint=NewSection.VirtualAddress;
//写入更新后的PE头结构
fwrite(&NThea,sizeof(IMAGE_NT_HEADERS),1,newfile);
printf("\t\tok.........!\n");
fclose(newfile);
fclose(rwFile);
return 1;
}
加载更多回复(2)
