#include "openfile.h" #include <stdio.h> #include <malloc.h> #include <memory.h> #include <Windows.h> #define MASSAGEBOXAADDR 0x757A7E60 #define IMAGE_SIZEOF_DOS_HEADER 0x40 BYTE shellCode[] = { 0x6A,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00, 0xE8,0x00,0x00,0x00,0x00, 0xE9,0x00,0x00,0x00,0x00 }; BYTE SectionName[] = { 0x2e,0x74,0x74,0x74,0,0,0,0 }; BYTE NewExportFileName[] = "NewTestDll.dll"; BYTE DllName[] = "injectDll.dll"; BYTE APIName[] = "_Run@0"; //新建INT表 typedef struct _NEW_INT_TABLE { DWORD VirtualAddress; DWORD OverAddress; }NEW_INT_TABLE,*PNEW_INT_TABLE; //新建IAT表 typedef struct _NEW_IAT_TABLE { DWORD VirtualAddress; DWORD OverAddress; }NEW_IAT_TABLE, *PNEW_IAT_TABLE; //读取文件返回fileBuffer LPVOID ReadPEFile(LPSTR lpszFole) { FILE* pFile = NULL; DWORD fileSize = 0; LPVOID pFileBuffer = NULL; //读取文件 pFile = fopen(lpszFole, "rb"); if (!pFile) { printf("打开EXE文件失败 "); return NULL; } //把下标移动到文件最后 fseek(pFile, 0, SEEK_END); //获取文件大小 fileSize = ftell(pFile); //恢复文件下标到最开始 fseek(pFile, 0, SEEK_SET); //分配缓冲区 pFileBuffer = malloc(fileSize); if (!pFileBuffer) { printf("分配空间失败 "); free(pFileBuffer); return NULL; } size_t n = fread(pFileBuffer, 1, fileSize, pFile); if (!n) { printf("文件读取失败 "); free(pFileBuffer); fclose(pFile); return NULL; } //关闭文件 fclose(pFile); return pFileBuffer; } //拉伸fileBuffer返回ImageBuffer LPVOID CopyFileBufferToImageBuffer(LPSTR lpszFole) { LPVOID pFileBuffer = NULL; LPVOID pImageBuffer = NULL; PIMAGE_DOS_HEADER pe_dos_header = NULL; PIMAGE_FILE_HEADER pe_file_header = NULL; PIMAGE_OPTIONAL_HEADER32 pe_option_header_32 = NULL; PIMAGE_NT_HEADERS pe_nt_header = NULL; PIMAGE_SECTION_HEADER pe_section_header = NULL; pFileBuffer = ReadPEFile(lpszFole); if (!pFileBuffer) { printf("打开文件失败 "); return NULL; } if (*((PWORD)pFileBuffer)!=IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标记 "); free(pFileBuffer); return NULL; } pe_dos_header = (PIMAGE_DOS_HEADER)pFileBuffer; //printf("********************打印DOS头**************************** "); //printf("MZ标志 %x ", pe_dos_header->e_magic); //printf("PE偏移 %x ", pe_dos_header->e_lfanew); if (*((PDWORD)((DWORD)pFileBuffer+pe_dos_header->e_lfanew))!=IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志 "); free(pFileBuffer); return NULL; } pe_nt_header = (PIMAGE_NT_HEADERS)((DWORD)pFileBuffer + pe_dos_header->e_lfanew); //printf("PE标志 %x ", pe_nt_header->Signature); pe_file_header = (PIMAGE_FILE_HEADER)((DWORD)pe_nt_header + 4); //printf("********************标准PE头**************************** "); //printf("运行平台: %x ", pe_file_header->Machine); //printf("节的数量: %x ", pe_file_header->NumberOfSections); //printf("编译器生成的时间戳: %x ", pe_file_header->TimeDateStamp); //printf("可选PE头大小: %x ",pe_file_header->SizeOfOptionalHeader); //printf("PE特征: %x ", pe_file_header->Characteristics); pe_option_header_32 = (PIMAGE_OPTIONAL_HEADER32)((DWORD)pe_file_header + IMAGE_SIZEOF_FILE_HEADER); //printf("********************可选PE头**************************** "); //printf("文件类型: %x ", pe_option_header_32->Magic); //printf("代码节的和: %x ", pe_option_header_32->SizeOfCode); //printf("已初始化数据大小的和: %x ", pe_option_header_32->SizeOfInitializedData); //printf("未初始化数据大小的和: %x ", pe_option_header_32->SizeOfUninitializedData); //printf("程序入口: %x ", pe_option_header_32->AddressOfEntryPoint); //printf("代码开始的基址: %x ", pe_option_header_32->BaseOfCode); //printf("数据开始的基址: %x ", pe_option_header_32->BaseOfData); //printf("内存镜像基址: %x ", pe_option_header_32->ImageBase); //printf("内存对齐: %x ", pe_option_header_32->SectionAlignment); //printf("文件对齐: %x ", pe_option_header_32->FileAlignment); //printf("内存中整个PE文件映像的尺寸: %x ", pe_option_header_32->SizeOfImage); //printf("所有头+节表按照文件对齐后的大小: %x ", pe_option_header_32->SizeOfHeaders); //printf("效验和: %x ", pe_option_header_32->CheckSum); //printf("初始化保留的栈的大小: %x ", pe_option_header_32->SizeOfStackReserve); //printf("初始化时实际提交的栈的大小: %x ", pe_option_header_32->SizeOfStackCommit); //printf("初始化时保留的堆的大小: %x ", pe_option_header_32->SizeOfHeapReserve); //printf("初始化时实际提交的堆的大小: %x ", pe_option_header_32->SizeOfHeapCommit); //printf("目录项数目: %x ", pe_option_header_32->NumberOfRvaAndSizes); pImageBuffer = malloc(pe_option_header_32->SizeOfImage); if (!pImageBuffer) { printf("分配空间失败 "); free(pFileBuffer); return NULL; } memset(pImageBuffer, 0, pe_option_header_32->SizeOfImage); memcpy(pImageBuffer, pFileBuffer, pe_option_header_32->SizeOfHeaders); //printf("%p ", pImageBuffer); pe_section_header = (PIMAGE_SECTION_HEADER)((DWORD)pe_option_header_32 + pe_file_header->SizeOfOptionalHeader); //printf("********************节表**************************** "); for (size_t i = 0; i < pe_file_header->NumberOfSections; i++) { //printf("NAME: %s ", pe_section_header->Name); //printf("MISC: %x ", pe_section_header->Misc); //printf("节区在内存中的偏移地址: %x ", pe_section_header->VirtualAddress); //printf("节在文件中对齐后的尺寸: %x ", pe_section_header->SizeOfRawData); //printf("节区在文件中的偏移: %x ", pe_section_header->PointerToRawData); //printf("节的属性: %x ", pe_section_header->Characteristics); memcpy(((CHAR*)(DWORD)pImageBuffer) + pe_section_header->VirtualAddress, ((CHAR*)(DWORD)pFileBuffer) + pe_section_header->PointerToRawData, pe_section_header->SizeOfRawData); pe_section_header = (PIMAGE_SECTION_HEADER)((DWORD)pe_section_header + IMAGE_SIZEOF_SECTION_HEADER); } free(pFileBuffer); return pImageBuffer; } //给节表添加E8E9硬编码,返回ImageBuffer LPVOID AddImageBufferShellCode(LPSTR lpszFole) { LPVOID pImageBuffer = NULL; PIMAGE_DOS_HEADER ImageDosHeader = NULL; PIMAGE_NT_HEADERS ImageNTHeader = NULL; PIMAGE_FILE_HEADER ImageFileHeader = NULL; PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader32 = NULL; PIMAGE_SECTION_HEADER ImageSectionHeader = NULL; DWORD NumberOfSection = 4; DWORD SizeOfSection = 0; pImageBuffer = CopyFileBufferToImageBuffer(lpszFole); if (!pImageBuffer) { printf("分配空间失败 "); free(pImageBuffer); return NULL; } if (*(PWORD((DWORD)pImageBuffer))!=IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标记 "); free(pImageBuffer); return NULL; } ImageDosHeader = (PIMAGE_DOS_HEADER)((DWORD)pImageBuffer); if (*(PDWORD)((DWORD)pImageBuffer + ImageDosHeader->e_lfanew) != IMAGE_NT_SIGNATURE) { printf("不是有效的PE标记 "); free(pImageBuffer); return NULL; } ImageNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pImageBuffer + ImageDosHeader->e_lfanew); ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTHeader + 4); ImageOptionalHeader32 = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER); PIMAGE_SECTION_HEADER ImageSectionHeader_text = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader32 + ImageFileHeader->SizeOfOptionalHeader); //保存可执行的Characteristics DWORD executableCharacteristics = ImageSectionHeader_text->Characteristics; if (NumberOfSection > ImageFileHeader->NumberOfSections) { printf("超出节的数量 "); free(pImageBuffer); return NULL; } if (NumberOfSection > 1) { SizeOfSection = IMAGE_SIZEOF_SECTION_HEADER * (NumberOfSection - 1); } ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader_text + SizeOfSection); if ((DWORD)(ImageSectionHeader->SizeOfRawData- ImageSectionHeader->Misc.VirtualSize) < sizeof(shellCode)) { printf("剩余的节区空间不足 "); free(pImageBuffer); return NULL; } if (ImageSectionHeader->Misc.VirtualSize > ImageSectionHeader->SizeOfRawData) { printf("VirtualSize超出SizeOfRawData最大范围不能写入 "); free(pImageBuffer); return NULL; } //PDWORD code = (PDWORD)shellCode; *((PDWORD)(shellCode + 0x9)) = (DWORD)MASSAGEBOXAADDR - (DWORD)(ImageOptionalHeader32->ImageBase + (ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize + 0xD)); *((PDWORD)(shellCode + 0xe)) = (DWORD)(ImageOptionalHeader32->ImageBase + ImageOptionalHeader32->AddressOfEntryPoint) - (DWORD)(ImageOptionalHeader32->ImageBase + (ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize + 0x12)); ImageSectionHeader->Characteristics = (ImageSectionHeader->Characteristics | executableCharacteristics); DWORD addTheAddressOfTheCode = (DWORD)pImageBuffer + ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize; memcpy((CHAR*)addTheAddressOfTheCode, &shellCode, sizeof(shellCode)); //DWORD E8Code = (DWORD)MASSAGEBOXAADDR - (DWORD)(ImageOptionalHeader32->ImageBase + (ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize + 0xD)); //memcpy(((CHAR*)addTheAddressOfTheCode + 0x9), &E8Code, sizeof(E8Code)); //DWORD E9Code = (DWORD)(ImageOptionalHeader32->ImageBase + ImageOptionalHeader32->AddressOfEntryPoint) - (DWORD)(ImageOptionalHeader32->ImageBase + (ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize + 0x12)); //memcpy(((CHAR*)addTheAddressOfTheCode + 0xe), &E9Code, sizeof(E9Code)); ImageOptionalHeader32->AddressOfEntryPoint = ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize; return pImageBuffer; } DWORD GetdwRVA(LPSTR lpszFole,DWORD offset) { LPVOID pFileBuffer = NULL; LPVOID pImageBuffer = NULL; DWORD TrueLocation = NULL; DWORD dwRVA = NULL; PIMAGE_DOS_HEADER pe_dos_header = NULL; PIMAGE_FILE_HEADER pe_file_header = NULL; PIMAGE_OPTIONAL_HEADER32 pe_option_header_32 = NULL; PIMAGE_NT_HEADERS pe_nt_header = NULL; PIMAGE_SECTION_HEADER pe_section_header = NULL; pFileBuffer = ReadPEFile(lpszFole); if (!pFileBuffer) { printf("打开文件失败 "); return NULL; } if (*((PWORD)pFileBuffer) != IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标记 "); free(pFileBuffer); return NULL; } pe_dos_header = (PIMAGE_DOS_HEADER)pFileBuffer; if (*((PDWORD)((DWORD)pFileBuffer + pe_dos_header->e_lfanew)) != IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志 "); free(pFileBuffer); return NULL; } pe_nt_header = (PIMAGE_NT_HEADERS)((DWORD)pFileBuffer + pe_dos_header->e_lfanew); pe_file_header = (PIMAGE_FILE_HEADER)((DWORD)pe_nt_header + 4); pe_option_header_32 = (PIMAGE_OPTIONAL_HEADER32)((DWORD)pe_file_header + IMAGE_SIZEOF_FILE_HEADER); pImageBuffer = malloc(pe_option_header_32->SizeOfImage); if (!pImageBuffer) { printf("分配空间失败 "); free(pFileBuffer); return NULL; } memset(pImageBuffer, 0, pe_option_header_32->SizeOfImage); memcpy(pImageBuffer, pFileBuffer, pe_option_header_32->SizeOfHeaders); pe_section_header = (PIMAGE_SECTION_HEADER)((DWORD)pe_option_header_32 + pe_file_header->SizeOfOptionalHeader); TrueLocation = offset - (DWORD)pImageBuffer; for (size_t i = 0; i < pe_file_header->NumberOfSections; i++) { memcpy(((CHAR*)(DWORD)pImageBuffer) + pe_section_header->VirtualAddress, ((CHAR*)(DWORD)pFileBuffer) + pe_section_header->PointerToRawData, pe_section_header->SizeOfRawData); if (TrueLocation > pe_section_header->VirtualAddress && TrueLocation < (pe_section_header->VirtualAddress + pe_section_header->Misc.VirtualSize)) { dwRVA = TrueLocation - pe_section_header->VirtualAddress; } pe_section_header = (PIMAGE_SECTION_HEADER)((DWORD)pe_section_header + IMAGE_SIZEOF_SECTION_HEADER); } free(pFileBuffer); free(pImageBuffer); return dwRVA; } //创建新的ImageBuffer LPVOID CopyImageBufferToNewImageBuffer(LPSTR srcFile) { LPVOID ImageBuffer = NULL; LPVOID NewImageBuffer = NULL; PIMAGE_DOS_HEADER ImageDosHeader = NULL; PIMAGE_NT_HEADERS ImageNTheader = NULL; PIMAGE_FILE_HEADER ImageFileHeader = NULL; PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL; PIMAGE_SECTION_HEADER ImageSectionHeader = NULL; ImageBuffer = CopyFileBufferToImageBuffer(srcFile); if (!ImageBuffer) { printf("分配空间失败 "); return NULL; } if (*((PWORD)(DWORD)ImageBuffer)!=IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标志 "); free(ImageBuffer); return NULL; } ImageDosHeader = (PIMAGE_DOS_HEADER)ImageBuffer; if (*((PDWORD)((DWORD)ImageBuffer + ImageDosHeader->e_lfanew))!=IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志"); free(ImageBuffer); return NULL; } ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)ImageBuffer + ImageDosHeader->e_lfanew); ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4); ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER); ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader); NewImageBuffer = malloc(ImageOptionalHeader->SizeOfImage + 0x1000); if (!NewImageBuffer) { printf("NewImageBuffer分配空间失败 "); free(ImageBuffer); return NULL; } memset(NewImageBuffer, 0, ImageOptionalHeader->SizeOfImage + 0x1000); memcpy(NewImageBuffer, ImageBuffer, ImageOptionalHeader->SizeOfImage); return NewImageBuffer; } //获取内存对齐或文件对齐 DWORD GetSectionAlignmentOrFileAlignment(DWORD currentNumber, DWORD Alignment) { if (currentNumber % Alignment != 0) { currentNumber = currentNumber + 0x1; return GetSectionAlignmentOrFileAlignment(currentNumber, Alignment); } return currentNumber; } //合并节 LPVOID MergeSection(LPSTR srcFile) { LPVOID NewImageBuffer = NULL; PIMAGE_DOS_HEADER ImageDosHeader = NULL; PIMAGE_NT_HEADERS ImageNTheader = NULL; PIMAGE_FILE_HEADER ImageFileHeader = NULL; PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL; PIMAGE_SECTION_HEADER ImageSectionHeader = NULL; PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL; PIMAGE_SECTION_HEADER NextImageSectionHeader = NULL; NewImageBuffer = CopyImageBufferToNewImageBuffer(srcFile); if (!NewImageBuffer) { printf("分配空间失败 "); return NULL; } if (*((PWORD)(DWORD)NewImageBuffer) != IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标志 "); free(NewImageBuffer); return NULL; } ImageDosHeader = (PIMAGE_DOS_HEADER)NewImageBuffer; if (*((PDWORD)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志"); free(NewImageBuffer); return NULL; } ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew); ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4); ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER); ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader); LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((DWORD)(ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER)); DWORD MAX = LastImageSectionHeader->SizeOfRawData > LastImageSectionHeader->Misc.VirtualSize ? LastImageSectionHeader->SizeOfRawData : LastImageSectionHeader->Misc.VirtualSize; ImageSectionHeader->Misc.VirtualSize = ImageSectionHeader->SizeOfRawData = (MAX + LastImageSectionHeader->VirtualAddress) - GetSectionAlignmentOrFileAlignment(ImageOptionalHeader->SizeOfHeaders,ImageOptionalHeader->SectionAlignment); for (INT i = 0; i < (ImageFileHeader->NumberOfSections - 1); i++) { NextImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + IMAGE_SIZEOF_SECTION_HEADER); ImageSectionHeader->Characteristics = ImageSectionHeader->Characteristics | NextImageSectionHeader->Characteristics; } ImageFileHeader->NumberOfSections = 1; return NewImageBuffer; } //提升FILE头OPTIONAL头节表信息 LPVOID LiftHeaderInfo(LPSTR srcFile) { LPVOID NewImageBuffer = NULL; PIMAGE_DOS_HEADER ImageDosHeader = NULL; PIMAGE_NT_HEADERS ImageNTheader = NULL; PIMAGE_FILE_HEADER ImageFileHeader = NULL; PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL; PIMAGE_SECTION_HEADER ImageSectionHeader = NULL; PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL; PIMAGE_SECTION_HEADER NewImageSectionHeader = NULL; NewImageBuffer = CopyImageBufferToNewImageBuffer(srcFile); if (!NewImageBuffer) { printf("分配空间失败 "); return NULL; } if (*((PWORD)(DWORD)NewImageBuffer) != IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标志 "); free(NewImageBuffer); return NULL; } ImageDosHeader = (PIMAGE_DOS_HEADER)NewImageBuffer; if (*((PDWORD)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志"); free(NewImageBuffer); return NULL; } ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew); ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4); ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER); ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader); LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((DWORD)(ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER)); //提升头 memcpy((PNZCH)((DWORD)NewImageBuffer + IMAGE_SIZEOF_DOS_HEADER), (PNZCH)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew), (4 + IMAGE_SIZEOF_FILE_HEADER + ImageFileHeader->SizeOfOptionalHeader + (ImageFileHeader->NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER))); ImageDosHeader->e_lfanew = IMAGE_SIZEOF_DOS_HEADER; return NewImageBuffer; } //增加一个新的节 LPVOID AddNewSection(LPSTR srcFile) { LPVOID NewImageBuffer = NULL; PIMAGE_DOS_HEADER ImageDosHeader = NULL; PIMAGE_NT_HEADERS ImageNTheader = NULL; PIMAGE_FILE_HEADER ImageFileHeader = NULL; PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL; PIMAGE_SECTION_HEADER ImageSectionHeader = NULL; PIMAGE_SECTION_HEADER LastSectionHeader = NULL; PIMAGE_SECTION_HEADER NewSectionHeader = NULL; DWORD EntryPoint = 0; DWORD PointerToRawData = 0; NewImageBuffer = MergeSection(srcFile); if (!NewImageBuffer) { printf("分配空间失败 "); return NULL; } if (*((PWORD)(DWORD)NewImageBuffer) != IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标志 "); free(NewImageBuffer); return NULL; } ImageDosHeader = (PIMAGE_DOS_HEADER)NewImageBuffer; if (*((PDWORD)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志"); free(NewImageBuffer); return NULL; } ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew); ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4); ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER); ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader); DWORD SizeOfImageDosHeaderToImageSectionHeader = ((DWORD)IMAGE_SIZEOF_DOS_HEADER + (ImageDosHeader->e_lfanew - ((DWORD)IMAGE_SIZEOF_DOS_HEADER) + 4 + IMAGE_SIZEOF_FILE_HEADER + ImageFileHeader->SizeOfOptionalHeader + (ImageFileHeader->NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER))); if ((ImageOptionalHeader->SizeOfHeaders - SizeOfImageDosHeaderToImageSectionHeader) < 0x50) { printf("剩余的节表空白区小于80个字节 "); free(NewImageBuffer); return NULL; } LastSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER)); //判断程序入口点 if (LastSectionHeader->Misc.VirtualSize > LastSectionHeader->SizeOfRawData) { EntryPoint = GetSectionAlignmentOrFileAlignment(LastSectionHeader->VirtualAddress + LastSectionHeader->Misc.VirtualSize, ImageOptionalHeader->SectionAlignment); PointerToRawData = GetSectionAlignmentOrFileAlignment(LastSectionHeader->PointerToRawData + LastSectionHeader->Misc.VirtualSize, ImageOptionalHeader->FileAlignment); } else { EntryPoint = GetSectionAlignmentOrFileAlignment(LastSectionHeader->VirtualAddress + LastSectionHeader->SizeOfRawData, ImageOptionalHeader->SectionAlignment); PointerToRawData = GetSectionAlignmentOrFileAlignment(LastSectionHeader->PointerToRawData + LastSectionHeader->SizeOfRawData, ImageOptionalHeader->FileAlignment); } //修改新增节表的数据 NewSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)LastSectionHeader + IMAGE_SIZEOF_SECTION_HEADER); memcpy((PNZCH)(NewSectionHeader->Name), &SectionName, sizeof(SectionName)); NewSectionHeader->Misc.VirtualSize = 0x1000; NewSectionHeader->VirtualAddress = EntryPoint; NewSectionHeader->SizeOfRawData = 0x1000; NewSectionHeader->PointerToRawData = PointerToRawData; NewSectionHeader->PointerToRelocations = ImageSectionHeader->PointerToRelocations; NewSectionHeader->PointerToLinenumbers = ImageSectionHeader->PointerToLinenumbers; NewSectionHeader->NumberOfRelocations = ImageSectionHeader->NumberOfRelocations; NewSectionHeader->NumberOfLinenumbers = ImageSectionHeader->NumberOfLinenumbers; NewSectionHeader->Characteristics = 0x60000020; //新增节表后补零 memset((PIMAGE_SECTION_HEADER)((DWORD)NewSectionHeader + IMAGE_SIZEOF_SECTION_HEADER), 0, IMAGE_SIZEOF_SECTION_HEADER); *(PDWORD)(shellCode + 0x9) = (DWORD)MASSAGEBOXAADDR - (DWORD)(ImageOptionalHeader->ImageBase + (NewSectionHeader->VirtualAddress + 0xd)); *(PDWORD)(shellCode + 0xe) = ((DWORD)(ImageOptionalHeader->ImageBase + ImageOptionalHeader->AddressOfEntryPoint) - (DWORD)(ImageOptionalHeader->ImageBase + (NewSectionHeader->VirtualAddress + 0x12))); memcpy(((CHAR*)NewImageBuffer + NewSectionHeader->VirtualAddress), &shellCode, sizeof(shellCode)); //修改节数量 ImageFileHeader->NumberOfSections = ImageFileHeader->NumberOfSections + 1; //修改程序入口点 ImageOptionalHeader->AddressOfEntryPoint = EntryPoint; //修改SizeOfImage大小 ImageOptionalHeader->SizeOfImage = ImageOptionalHeader->SizeOfImage + 0x1000; return NewImageBuffer; } //扩大节 LPVOID AmplifySection(LPSTR srcFile) { LPVOID NewImageBuffer = NULL; PIMAGE_DOS_HEADER ImageDosHeader = NULL; PIMAGE_NT_HEADERS ImageNTheader = NULL; PIMAGE_FILE_HEADER ImageFileHeader = NULL; PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL; PIMAGE_SECTION_HEADER ImageSectionHeader = NULL; PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL; NewImageBuffer = CopyImageBufferToNewImageBuffer(srcFile); if (!NewImageBuffer) { printf("分配空间失败 "); return NULL; } if (*((PWORD)(DWORD)NewImageBuffer) != IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标志 "); free(NewImageBuffer); return NULL; } ImageDosHeader = (PIMAGE_DOS_HEADER)NewImageBuffer; if (*((PDWORD)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志"); free(NewImageBuffer); return NULL; } ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew); ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4); ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER); ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader); LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER)); if (LastImageSectionHeader->Misc.VirtualSize > LastImageSectionHeader->SizeOfRawData) { DWORD VirtualSize = GetSectionAlignmentOrFileAlignment(LastImageSectionHeader->Misc.VirtualSize, ImageOptionalHeader->SectionAlignment); *(PDWORD)(shellCode + 0x9) = (MASSAGEBOXAADDR - ((DWORD)ImageOptionalHeader->ImageBase + LastImageSectionHeader->VirtualAddress + VirtualSize + 0xd)); *(PDWORD)(shellCode + 0xe) = (((DWORD)ImageOptionalHeader->ImageBase + ImageOptionalHeader->AddressOfEntryPoint) - ((DWORD)ImageOptionalHeader->ImageBase + LastImageSectionHeader->VirtualAddress + VirtualSize + 0x12)); memcpy((PNZCH)((DWORD)NewImageBuffer + LastImageSectionHeader->VirtualAddress + VirtualSize), &shellCode, sizeof(shellCode)); ImageOptionalHeader->AddressOfEntryPoint = (DWORD)(LastImageSectionHeader->VirtualAddress + VirtualSize); } else { DWORD SizeOfRawData = GetSectionAlignmentOrFileAlignment(LastImageSectionHeader->SizeOfRawData, ImageOptionalHeader->SectionAlignment); *(PDWORD)(shellCode + 0x9) = (MASSAGEBOXAADDR - ((DWORD)ImageOptionalHeader->ImageBase + LastImageSectionHeader->VirtualAddress + SizeOfRawData + 0xd)); *(PDWORD)(shellCode + 0xe) = (((DWORD)ImageOptionalHeader->ImageBase + ImageOptionalHeader->AddressOfEntryPoint) - ((DWORD)ImageOptionalHeader->ImageBase + LastImageSectionHeader->VirtualAddress + SizeOfRawData + 0x12)); memcpy((PNZCH)((DWORD)NewImageBuffer + LastImageSectionHeader->VirtualAddress + SizeOfRawData), &shellCode, sizeof(shellCode)); ImageOptionalHeader->AddressOfEntryPoint = (DWORD)(LastImageSectionHeader->VirtualAddress + SizeOfRawData); } LastImageSectionHeader->Misc.VirtualSize = LastImageSectionHeader->Misc.VirtualSize + 0x1000; LastImageSectionHeader->SizeOfRawData = LastImageSectionHeader->SizeOfRawData + 0x1000; ImageOptionalHeader->SizeOfImage = ImageOptionalHeader->SizeOfImage + 0x1000; LastImageSectionHeader->Characteristics = (LastImageSectionHeader->Characteristics | ImageSectionHeader->Characteristics); return NewImageBuffer; } //复制ImageBuffer到新的FileBuffer,返回新的FileBuffer LPVOID CopyImageBufferToNewBuffer(LPSTR lpszFole) { LPVOID pNewBuffer = NULL; LPVOID pImageBuffer = NULL; PIMAGE_FILE_HEADER ImageFileHeader = NULL; PIMAGE_DOS_HEADER ImageDosHeader = NULL; PIMAGE_NT_HEADERS ImageNTheader = NULL; PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader32 = NULL; PIMAGE_SECTION_HEADER ImageSectionHeader = NULL; PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL; pImageBuffer = AddNewSection(lpszFole); if (!pImageBuffer) { printf("空间分配失败 "); free(pImageBuffer); return NULL; } if (*((PWORD)pImageBuffer) != IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标记 "); free(pImageBuffer); return NULL; } ImageDosHeader = (PIMAGE_DOS_HEADER)pImageBuffer; if (*((PDWORD)((DWORD)pImageBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志 "); free(pImageBuffer); return NULL; } ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)pImageBuffer + ImageDosHeader->e_lfanew); ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4); ImageOptionalHeader32 = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER); ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader32 + ImageFileHeader->SizeOfOptionalHeader); LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER)); pNewBuffer = malloc(LastImageSectionHeader->VirtualAddress + LastImageSectionHeader->SizeOfRawData); if (!pNewBuffer) { printf("分配空间失败 "); free(pImageBuffer); return NULL; } memcpy(pNewBuffer, pImageBuffer, ImageOptionalHeader32->SizeOfHeaders); printf("%x ",LastImageSectionHeader->VirtualAddress); printf("%x ", LastImageSectionHeader->SizeOfRawData); for (size_t i = 0; i < ImageFileHeader->NumberOfSections; i++) { memset((PNZCH)((DWORD)pNewBuffer + ImageSectionHeader->PointerToRawData), 0, ImageSectionHeader->SizeOfRawData); memcpy((PNZCH)((DWORD)pNewBuffer + ImageSectionHeader->PointerToRawData), (PNZCH)((DWORD)pImageBuffer + ImageSectionHeader->VirtualAddress), ImageSectionHeader->SizeOfRawData); ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + IMAGE_SIZEOF_SECTION_HEADER); } free(pImageBuffer); return pNewBuffer; } //新建文件保存新增的节到新的文件中 VOID CopyNewImageBufferToNewFile(LPSTR destFile, LPSTR srcFile) { FILE* NewFile = NULL; LPVOID NewFileBuffer = NULL; PIMAGE_DOS_HEADER ImageDosHeader = NULL; PIMAGE_NT_HEADERS ImageNTheader = NULL; PIMAGE_FILE_HEADER ImageFileHeader = NULL; PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL; PIMAGE_SECTION_HEADER ImageSectionHeader = NULL; PIMAGE_SECTION_HEADER LastSectionHeader = NULL; NewFile = fopen(destFile, "wb"); if (!NewFile) { printf("打开文件失败 "); return; } NewFileBuffer = CopyImageBufferToNewBuffer(srcFile); if (!NewFileBuffer) { printf("分配空间失败 "); return; } if (*((PWORD)(DWORD)NewFileBuffer) != IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标志 "); free(NewFileBuffer); return; } ImageDosHeader = (PIMAGE_DOS_HEADER)NewFileBuffer; if (*((PDWORD)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志"); free(NewFileBuffer); return; } ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew); ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4); ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER); ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader); LastSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER)); DWORD result = fwrite(NewFileBuffer, sizeof(char), (LastSectionHeader->PointerToRawData + LastSectionHeader->SizeOfRawData), NewFile); if (result < (DWORD)(LastSectionHeader->PointerToRawData + LastSectionHeader->SizeOfRawData)) { printf("文件写入失败 "); free(NewFileBuffer); fclose(NewFile); return; } free(NewFileBuffer); printf("文件写入完成 "); } //输出数据目录 LPVOID DataDirectory(LPSTR srcFile) { LPVOID FileBuffer = NULL; PIMAGE_DOS_HEADER ImageDosHeader = NULL; PIMAGE_NT_HEADERS ImageNTheader = NULL; PIMAGE_FILE_HEADER ImageFileHeader = NULL; PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL; FileBuffer = ReadPEFile(srcFile); if (!FileBuffer) { printf("空间分配失败 "); return NULL; } if (*((PWORD)(DWORD)FileBuffer) != IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标志 "); free(FileBuffer); return NULL; } ImageDosHeader = (PIMAGE_DOS_HEADER)FileBuffer; if (*((PDWORD)((DWORD)FileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志"); free(FileBuffer); return NULL; } ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)FileBuffer + ImageDosHeader->e_lfanew); ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4); ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER); /* //导出表 printf("导出表%p ", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]); //导入表 printf("导出表%p ", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]); //资源表 printf("资源表%p ", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE]); //异常信息表 printf("异常信息表%p ", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION]); //安全证书表 printf("安全证书表%p ", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY]); //重定位表 printf("重定位表%p ", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC]); //调试信息表 printf("调试信息表%p ", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG]); //版权所有表 printf("版权所有表%p ", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_ARCHITECTURE]); //全局指针表 printf("全局指针表%p ", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_GLOBALPTR]); //TLS表 printf("TLS表%p ", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS]); //加载配置表 printf("加载配置表%p ", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]); //绑定导入表 printf("绑定导入表%p ", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT]); //IAT表 printf("IAT表%p ", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT]); //延迟导入表 printf("延迟导入表%p ", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT]); //COM信息表 printf("COM信息表%p ", ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]); */ return FileBuffer; } //RVA转FOA DWORD RVAToFOA(LPVOID FileBuffer, DWORD VirtualAddress) { PIMAGE_DOS_HEADER ImageDosHeader = NULL; PIMAGE_NT_HEADERS ImageNTheader = NULL; PIMAGE_FILE_HEADER ImageFileHeader = NULL; PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL; PIMAGE_SECTION_HEADER ImageSectionHeader = NULL; DWORD FOA = NULL; if (*((PWORD)(DWORD)FileBuffer) != IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标志 "); free(FileBuffer); return NULL; } ImageDosHeader = (PIMAGE_DOS_HEADER)FileBuffer; if (*((PDWORD)((DWORD)FileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志"); free(FileBuffer); return NULL; } ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)FileBuffer + ImageDosHeader->e_lfanew); ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4); ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER); ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader); if (VirtualAddress <= ImageOptionalHeader->SizeOfHeaders) { return VirtualAddress; } for (size_t i = 0; i < ImageFileHeader->NumberOfSections; i++) { if (VirtualAddress >= ImageSectionHeader->VirtualAddress && VirtualAddress < (ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize)) { FOA = ((DWORD)ImageSectionHeader->PointerToRawData + (VirtualAddress - ImageSectionHeader->VirtualAddress)); } ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + IMAGE_SIZEOF_SECTION_HEADER); } return FOA; } //FOA转RVA DWORD FOAToRVA(LPVOID FileBuffer, DWORD VirtualAddress) { PIMAGE_DOS_HEADER ImageDosHeader = NULL; PIMAGE_NT_HEADERS ImageNTheader = NULL; PIMAGE_FILE_HEADER ImageFileHeader = NULL; PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL; PIMAGE_SECTION_HEADER ImageSectionHeader = NULL; DWORD RVA = NULL; if (*((PWORD)(DWORD)FileBuffer) != IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标志 "); free(FileBuffer); return NULL; } ImageDosHeader = (PIMAGE_DOS_HEADER)FileBuffer; if (*((PDWORD)((DWORD)FileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志"); free(FileBuffer); return NULL; } ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)FileBuffer + ImageDosHeader->e_lfanew); ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4); ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER); ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader); if (VirtualAddress <= ImageOptionalHeader->SizeOfHeaders) { return VirtualAddress; } for (size_t i = 0; i < ImageFileHeader->NumberOfSections; i++) { if (VirtualAddress >= ImageSectionHeader->PointerToRawData && VirtualAddress < (ImageSectionHeader->PointerToRawData + ImageSectionHeader->SizeOfRawData)) { RVA = ((DWORD)ImageSectionHeader->VirtualAddress + (VirtualAddress - ImageSectionHeader->PointerToRawData)); } ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + IMAGE_SIZEOF_SECTION_HEADER); } return RVA; } //通过函数名获取函数地址 LPVOID GetFunctionAddrByName(LPVOID FileBuffer, LPSTR FunctionName) { PIMAGE_DOS_HEADER ImageDosHeader = NULL; PIMAGE_NT_HEADERS ImageNTheader = NULL; PIMAGE_FILE_HEADER ImageFileHeader = NULL; PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL; IMAGE_DATA_DIRECTORY ExportTableVirtualAddress; PIMAGE_EXPORT_DIRECTORY ImageExportDirectory = NULL; PDWORD ResultAddressOfName = NULL; LPVOID ResultAddressOfFunction = NULL; WORD ResultAddressOfNameOrdinals = NULL; DWORD IndexFunctionAddress = NULL; if (*((PWORD)(DWORD)FileBuffer) != IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标志 "); free(FileBuffer); return NULL; } ImageDosHeader = (PIMAGE_DOS_HEADER)FileBuffer; if (*((PDWORD)((DWORD)FileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志"); free(FileBuffer); return NULL; } ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)FileBuffer + ImageDosHeader->e_lfanew); ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4); ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER); //导出表 ExportTableVirtualAddress = ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; DWORD ExportTableFOA = RVAToFOA(FileBuffer, ExportTableVirtualAddress.VirtualAddress); ImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((DWORD)FileBuffer + ExportTableFOA); //获取函数名称偏移 PDWORD FuntionNameAddress = (PDWORD)((DWORD)FileBuffer + RVAToFOA(FileBuffer, ImageExportDirectory->AddressOfNames)); //获取函数序号偏移 PWORD AddressOfNameOrdinals = (PWORD)((DWORD)FileBuffer + RVAToFOA(FileBuffer, ImageExportDirectory->AddressOfNameOrdinals)); //获取函数偏移 PDWORD AddressOfFunctions = (PDWORD)((DWORD)FileBuffer + RVAToFOA(FileBuffer, ImageExportDirectory->AddressOfFunctions)); //获取函数名称下标 for (size_t i = 0; i < ImageExportDirectory->NumberOfNames; i++) { if (*((LPSTR)((DWORD)FileBuffer + RVAToFOA(FileBuffer, FuntionNameAddress[i]))) == *FunctionName) { ResultAddressOfNameOrdinals = AddressOfNameOrdinals[i]; IndexFunctionAddress = (DWORD)AddressOfFunctions[ResultAddressOfNameOrdinals]; ResultAddressOfFunction = (LPVOID)((DWORD)FileBuffer + RVAToFOA(FileBuffer, IndexFunctionAddress)); } } return ResultAddressOfFunction; } //通过序号获取函数地址 LPVOID GetFunctionAddrByOrdinals(LPVOID FileBuffer, DWORD Ordinals) { PIMAGE_DOS_HEADER ImageDosHeader = NULL; PIMAGE_NT_HEADERS ImageNTheader = NULL; PIMAGE_FILE_HEADER ImageFileHeader = NULL; PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL; IMAGE_DATA_DIRECTORY ExportTableVirtualAddress; PIMAGE_EXPORT_DIRECTORY ImageExportDirectory = NULL; PDWORD ResultAddressOfName = NULL; LPVOID ResultAddressOfFunction = NULL; DWORD OrdinalsIndex = NULL; DWORD FunctionAddressIndex = NULL; if (*((PWORD)(DWORD)FileBuffer) != IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标志 "); free(FileBuffer); return NULL; } ImageDosHeader = (PIMAGE_DOS_HEADER)FileBuffer; if (*((PDWORD)((DWORD)FileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志"); free(FileBuffer); return NULL; } ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)FileBuffer + ImageDosHeader->e_lfanew); ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4); ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER); //导出表 ExportTableVirtualAddress = ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; DWORD ExportTableFOA = RVAToFOA(FileBuffer, ExportTableVirtualAddress.VirtualAddress); ImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((DWORD)FileBuffer + ExportTableFOA); //获取函数名称偏移 PDWORD FuntionNameAddress = (PDWORD)((DWORD)FileBuffer + RVAToFOA(FileBuffer, ImageExportDirectory->AddressOfNames)); //获取函数序号偏移 PWORD AddressOfNameOrdinals = (PWORD)((DWORD)FileBuffer + RVAToFOA(FileBuffer, ImageExportDirectory->AddressOfNameOrdinals)); //获取函数偏移 PDWORD AddressOfFunctions = (PDWORD)((DWORD)FileBuffer + RVAToFOA(FileBuffer, ImageExportDirectory->AddressOfFunctions)); //获取函数下标 OrdinalsIndex = Ordinals - ImageExportDirectory->Base; //通过下标获取指向的函数在内存中的地址 FunctionAddressIndex = AddressOfFunctions[OrdinalsIndex]; //通过FileBuffer获取函数编译 ResultAddressOfFunction = (LPVOID)((DWORD)FileBuffer + RVAToFOA(FileBuffer, FunctionAddressIndex)); return ResultAddressOfFunction; } //输出导出表 DWORD ExportTable(LPSTR srcFile) { LPVOID FileBuffer = NULL; PIMAGE_DOS_HEADER ImageDosHeader = NULL; PIMAGE_NT_HEADERS ImageNTheader = NULL; PIMAGE_FILE_HEADER ImageFileHeader = NULL; PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL; IMAGE_DATA_DIRECTORY ExportTableVirtualAddress; PIMAGE_EXPORT_DIRECTORY ImageExportDirectory = NULL; FileBuffer = ReadPEFile(srcFile); if (!FileBuffer) { printf("空间分配失败 "); return NULL; } if (*((PWORD)(DWORD)FileBuffer) != IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标志 "); free(FileBuffer); return NULL; } ImageDosHeader = (PIMAGE_DOS_HEADER)FileBuffer; if (*((PDWORD)((DWORD)FileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志"); free(FileBuffer); return NULL; } ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)FileBuffer + ImageDosHeader->e_lfanew); ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4); ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER); //导出表 ExportTableVirtualAddress = ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; DWORD ExportTableFOA = RVAToFOA(FileBuffer,ExportTableVirtualAddress.VirtualAddress); ImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((DWORD)FileBuffer + ExportTableFOA); printf("Characteristics->%x ",ImageExportDirectory->Characteristics); printf("TimeDateStamp->%x ",ImageExportDirectory->TimeDateStamp); printf("MajorVersion->%x ",ImageExportDirectory->MajorVersion); printf("MinorVersion->%x ",ImageExportDirectory->MinorVersion); printf("Name地址->%x ",ImageExportDirectory->Name); printf("Name名字->%s ",((CHAR*)FileBuffer + RVAToFOA(FileBuffer, ImageExportDirectory->Name))); printf("Base->%x ",ImageExportDirectory->Base); printf("NumberOfFunctions->%x ",ImageExportDirectory->NumberOfFunctions); printf("NumberOfNames->%x ",ImageExportDirectory->NumberOfNames); printf("AddressOfFunctions->%x ",ImageExportDirectory->AddressOfFunctions); printf("AddressOfNames->%x ",ImageExportDirectory->AddressOfNames); printf("AddressOfNameOrdinals->%x ",ImageExportDirectory->AddressOfNameOrdinals); return 0; } //输出重定位表 LPVOID RelocationTable(LPSTR srcFile) { LPVOID FileBuffer = NULL; PIMAGE_DOS_HEADER ImageDosHeader = NULL; PIMAGE_NT_HEADERS ImageNTheader = NULL; PIMAGE_FILE_HEADER ImageFileHeader = NULL; PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL; IMAGE_DATA_DIRECTORY ImageDataDirctory; PIMAGE_BASE_RELOCATION ImageBaseRelocation = NULL; DWORD ImageDataDirctoryVirtualAddress = NULL; PWORD RepairAddress = NULL; int count = 1; FileBuffer = ReadPEFile(srcFile); if (!FileBuffer) { printf("空间分配失败 "); return NULL; } if (*((PWORD)(DWORD)FileBuffer) != IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标志 "); free(FileBuffer); return NULL; } ImageDosHeader = (PIMAGE_DOS_HEADER)FileBuffer; if (*((PDWORD)((DWORD)FileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志"); free(FileBuffer); return NULL; } ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)FileBuffer + ImageDosHeader->e_lfanew); ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4); ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER); ImageDataDirctory = ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC]; ImageDataDirctoryVirtualAddress = RVAToFOA(FileBuffer, ImageDataDirctory.VirtualAddress); ImageBaseRelocation = (PIMAGE_BASE_RELOCATION)((DWORD)FileBuffer + ImageDataDirctoryVirtualAddress); RepairAddress = (PWORD)((DWORD)ImageBaseRelocation + 8); while (ImageBaseRelocation->VirtualAddress!=0 && ImageBaseRelocation->SizeOfBlock!=0) { printf("第%d项 ",count); for (size_t i = 0; i < ((ImageBaseRelocation->SizeOfBlock - 8) / 2); i++) { printf("RVA->%x-----属性->%x---FOA偏移->%p ", (ImageBaseRelocation->VirtualAddress + (*RepairAddress & 0x0FFF)), ((*RepairAddress & 0xF000) >> 12), RepairAddress); RepairAddress++; } ImageBaseRelocation = (PIMAGE_BASE_RELOCATION)((DWORD)ImageBaseRelocation + ImageBaseRelocation->SizeOfBlock); RepairAddress = (PWORD)((DWORD)ImageBaseRelocation + 8); count++; } return 0; } //创建FileBuffer增加0x1000长度 LPVOID CopyFileBufferToNewFileBuffer(LPSTR srcFile) { LPVOID FileBuffer = NULL; LPVOID NewFileBuffer = NULL; PIMAGE_DOS_HEADER ImageDosHeader = NULL; PIMAGE_NT_HEADERS ImageNTheader = NULL; PIMAGE_FILE_HEADER ImageFileHeader = NULL; PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL; PIMAGE_SECTION_HEADER ImageSectionHeader = NULL; PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL; DWORD SizeOfFileBuffer = NULL; FileBuffer = ReadPEFile(srcFile); if (!FileBuffer) { printf("空间分配失败 "); return NULL; } if (*((PWORD)(DWORD)FileBuffer) != IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标志 "); free(FileBuffer); return NULL; } ImageDosHeader = (PIMAGE_DOS_HEADER)FileBuffer; if (*((PDWORD)((DWORD)FileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志"); free(FileBuffer); return NULL; } ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)FileBuffer + ImageDosHeader->e_lfanew); ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4); ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER); ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader); LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER)); SizeOfFileBuffer = ((DWORD)LastImageSectionHeader->PointerToRawData + LastImageSectionHeader->SizeOfRawData); NewFileBuffer = malloc(SizeOfFileBuffer + 0x1000); if (!NewFileBuffer) { printf("分配空间失败 "); free(FileBuffer); return NULL; } memset(NewFileBuffer, 0, SizeOfFileBuffer + 0x1000); memcpy(NewFileBuffer, FileBuffer, SizeOfFileBuffer); free(FileBuffer); return NewFileBuffer; } //NewFileBuffer新增节 LPVOID AddSectionToNewFileBuffer(LPVOID NewFileBuffer) { PIMAGE_DOS_HEADER ImageDosHeader = NULL; PIMAGE_NT_HEADERS ImageNTheader = NULL; PIMAGE_FILE_HEADER ImageFileHeader = NULL; PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL; PIMAGE_SECTION_HEADER ImageSectionHeader = NULL; PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL; PIMAGE_SECTION_HEADER NewImageSectionHeader = NULL; DWORD SizeOfFileBuffer = NULL; if (!NewFileBuffer) { printf("空间分配失败 "); return NULL; } if (*((PWORD)(DWORD)NewFileBuffer) != IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标志 "); free(NewFileBuffer); return NULL; } ImageDosHeader = (PIMAGE_DOS_HEADER)NewFileBuffer; if (*((PDWORD)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志"); free(NewFileBuffer); return NULL; } ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew); ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4); ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER); ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader); LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER)); SizeOfFileBuffer = ((DWORD)LastImageSectionHeader->PointerToRawData + LastImageSectionHeader->SizeOfRawData); if ((ImageOptionalHeader->SizeOfHeaders - (IMAGE_SIZEOF_DOS_HEADER + (ImageDosHeader->e_lfanew - IMAGE_SIZEOF_DOS_HEADER) + 4 + IMAGE_SIZEOF_FILE_HEADER + ImageFileHeader->SizeOfOptionalHeader + (ImageFileHeader->NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER))) < 0X50) { printf("剩余的空间大小不能添加新的节表"); free(NewFileBuffer); return NULL; } NewImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)LastImageSectionHeader + IMAGE_SIZEOF_SECTION_HEADER); memcpy(((PNZCH)NewImageSectionHeader->Name), &SectionName, sizeof(SectionName)); NewImageSectionHeader->Misc.VirtualSize = 0x1000; NewImageSectionHeader->SizeOfRawData = 0x1000; if (LastImageSectionHeader->Misc.VirtualSize > LastImageSectionHeader->SizeOfRawData) { NewImageSectionHeader->VirtualAddress = ((DWORD)LastImageSectionHeader->VirtualAddress + GetSectionAlignmentOrFileAlignment(LastImageSectionHeader->Misc.VirtualSize,ImageOptionalHeader->SectionAlignment)); } else { NewImageSectionHeader->VirtualAddress = ((DWORD)LastImageSectionHeader->VirtualAddress + GetSectionAlignmentOrFileAlignment(LastImageSectionHeader->Misc.VirtualSize, ImageOptionalHeader->SectionAlignment)); } NewImageSectionHeader->Characteristics = 0xE0000060; NewImageSectionHeader->PointerToRawData = ((DWORD)LastImageSectionHeader->PointerToRawData + LastImageSectionHeader->SizeOfRawData); NewImageSectionHeader->PointerToRelocations = ImageSectionHeader->PointerToRelocations; NewImageSectionHeader->PointerToLinenumbers = ImageSectionHeader->PointerToLinenumbers; NewImageSectionHeader->NumberOfRelocations = ImageSectionHeader->NumberOfRelocations; NewImageSectionHeader->NumberOfLinenumbers = ImageSectionHeader->NumberOfLinenumbers; memset((NewImageSectionHeader + IMAGE_SIZEOF_SECTION_HEADER), 0, 40); ImageFileHeader->NumberOfSections = ImageFileHeader->NumberOfSections + 1; ImageOptionalHeader->SizeOfImage = ImageOptionalHeader->SizeOfImage + 0x1000; return NewFileBuffer; } //移动导出表 LPVOID MoveExportTable(LPVOID NewFileBuffer) { PIMAGE_DOS_HEADER ImageDosHeader = NULL; PIMAGE_NT_HEADERS ImageNTheader = NULL; PIMAGE_FILE_HEADER ImageFileHeader = NULL; PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL; PIMAGE_SECTION_HEADER ImageSectionHeader = NULL; PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL; PIMAGE_SECTION_HEADER NewImageSectionHeader = NULL; PIMAGE_DATA_DIRECTORY ImageDataDirectory = NULL; PIMAGE_EXPORT_DIRECTORY ImageExportDirectory = NULL; PIMAGE_EXPORT_DIRECTORY NewImageExportDirectory = NULL; if (!NewFileBuffer) { printf("空间分配失败 "); return NULL; } if (*((PWORD)(DWORD)NewFileBuffer) != IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标志 "); free(NewFileBuffer); return NULL; } ImageDosHeader = (PIMAGE_DOS_HEADER)NewFileBuffer; if (*((PDWORD)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志"); free(NewFileBuffer); return NULL; } ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew); ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4); ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER); ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader); LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER)); ImageDataDirectory = (PIMAGE_DATA_DIRECTORY)&ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; ImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((DWORD)NewFileBuffer + RVAToFOA(NewFileBuffer, ImageDataDirectory->VirtualAddress)); //复制AddressOfFunctions memcpy((PNZCH)((DWORD)NewFileBuffer + LastImageSectionHeader->PointerToRawData), (PNZCH)((DWORD)NewFileBuffer + RVAToFOA(NewFileBuffer, ImageExportDirectory->AddressOfFunctions)), (ImageExportDirectory->NumberOfFunctions * 4)); //复制AddressOfNameOrdinals memcpy((PNZCH)((DWORD)NewFileBuffer + (LastImageSectionHeader->PointerToRawData + (ImageExportDirectory->NumberOfFunctions * 4))), (PNZCH)((DWORD)NewFileBuffer + RVAToFOA(NewFileBuffer, ImageExportDirectory->AddressOfNameOrdinals)), (ImageExportDirectory->NumberOfNames * 2)); //复制AddressOfNames memcpy((PNZCH)((DWORD)NewFileBuffer + (LastImageSectionHeader->PointerToRawData + ((ImageExportDirectory->NumberOfFunctions * 4) + (ImageExportDirectory->NumberOfNames * 2)))), (PNZCH)((DWORD)NewFileBuffer + RVAToFOA(NewFileBuffer, ImageExportDirectory->AddressOfNames)), (ImageExportDirectory->NumberOfNames * 4)); //复制函数名在新加节中的起始位置 DWORD FunctionNameStartAddress = ((DWORD)LastImageSectionHeader->PointerToRawData + ((ImageExportDirectory->NumberOfFunctions * 4) + (ImageExportDirectory->NumberOfNames * 2) + (ImageExportDirectory->NumberOfNames * 4))); //FileBuffer中的原函数名的起始位置 PDWORD FunctionNameAddress = (PDWORD)((DWORD)NewFileBuffer + RVAToFOA(NewFileBuffer, ImageExportDirectory->AddressOfNames)); PDWORD NewFunctionNameAddress = (PDWORD)((DWORD)NewFileBuffer + (LastImageSectionHeader->PointerToRawData + (ImageExportDirectory->NumberOfFunctions*4) + (ImageExportDirectory->NumberOfNames*2))); //计算FunctionNameAddress偏移 DWORD Offset = FunctionNameStartAddress - LastImageSectionHeader->PointerToRawData; for (size_t i = 0; i < ImageExportDirectory->NumberOfNames; i++) { //取出原函数名的起始位置 PNZCH FunctionName = (PNZCH)(((DWORD)NewFileBuffer + RVAToFOA(NewFileBuffer, *FunctionNameAddress))); memcpy((PNZCH)((DWORD)NewFileBuffer + FunctionNameStartAddress), FunctionName,strlen(FunctionName)); memset((PNZCH)((DWORD)NewFileBuffer + (FunctionNameStartAddress + strlen(FunctionName))), 0, 1); *NewFunctionNameAddress = (DWORD)LastImageSectionHeader->VirtualAddress + Offset; Offset = Offset + strlen(FunctionName) + 1; FunctionNameStartAddress = FunctionNameStartAddress + strlen(FunctionName) + 1; FunctionNameAddress = FunctionNameAddress++; NewFunctionNameAddress = NewFunctionNameAddress++; } //修复新的导出表数据 NewImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((DWORD)NewFileBuffer + (LastImageSectionHeader->PointerToRawData + Offset)); memcpy(NewImageExportDirectory, ImageExportDirectory, sizeof(IMAGE_EXPORT_DIRECTORY)); memcpy((PNZCH)((DWORD)NewFileBuffer + (LastImageSectionHeader->PointerToRawData + Offset) + sizeof(IMAGE_EXPORT_DIRECTORY)), NewExportFileName, sizeof(NewExportFileName)); NewImageExportDirectory->Name = (LastImageSectionHeader->VirtualAddress + (Offset + sizeof(IMAGE_EXPORT_DIRECTORY))); NewImageExportDirectory->AddressOfFunctions = LastImageSectionHeader->VirtualAddress; NewImageExportDirectory->AddressOfNameOrdinals = (LastImageSectionHeader->VirtualAddress + (NewImageExportDirectory->NumberOfFunctions * 4)); NewImageExportDirectory->AddressOfNames = (LastImageSectionHeader->VirtualAddress + (NewImageExportDirectory->NumberOfFunctions * 4) + (NewImageExportDirectory->NumberOfNames * 2)); ImageDataDirectory->VirtualAddress = ((DWORD)LastImageSectionHeader->VirtualAddress + Offset); return NewFileBuffer; } //移动重定位表 LPVOID MoveRelocateTable(LPVOID NewFileBuffer) { PIMAGE_DOS_HEADER ImageDosHeader = NULL; PIMAGE_NT_HEADERS ImageNTheader = NULL; PIMAGE_FILE_HEADER ImageFileHeader = NULL; PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL; PIMAGE_SECTION_HEADER ImageSectionHeader = NULL; PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL; PIMAGE_SECTION_HEADER NewImageSectionHeader = NULL; PIMAGE_DATA_DIRECTORY ImageDataDirectory = NULL; PIMAGE_BASE_RELOCATION ImageBaseRelocation = NULL; PIMAGE_BASE_RELOCATION NewImageBaseRelocationStartAddress = NULL; if (!NewFileBuffer) { printf("空间分配失败 "); return NULL; } if (*((PWORD)(DWORD)NewFileBuffer) != IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标志 "); free(NewFileBuffer); return NULL; } ImageDosHeader = (PIMAGE_DOS_HEADER)NewFileBuffer; if (*((PDWORD)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志"); free(NewFileBuffer); return NULL; } ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew); ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4); ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER); ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader); LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER)); ImageDataDirectory = (PIMAGE_DATA_DIRECTORY)(&ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC]); ImageBaseRelocation = (PIMAGE_BASE_RELOCATION)((DWORD)NewFileBuffer + RVAToFOA(NewFileBuffer, ImageDataDirectory->VirtualAddress)); //新的重定位表起始地址 NewImageBaseRelocationStartAddress = (PIMAGE_BASE_RELOCATION)((DWORD)NewFileBuffer + LastImageSectionHeader->PointerToRawData); while (ImageBaseRelocation->VirtualAddress!=0 && ImageBaseRelocation->SizeOfBlock !=0) { memcpy((PNZCH)NewImageBaseRelocationStartAddress, (PNZCH)ImageBaseRelocation, ImageBaseRelocation->SizeOfBlock); NewImageBaseRelocationStartAddress = (PIMAGE_BASE_RELOCATION)((DWORD)NewImageBaseRelocationStartAddress + ImageBaseRelocation->SizeOfBlock); ImageBaseRelocation = (PIMAGE_BASE_RELOCATION)((DWORD)ImageBaseRelocation + ImageBaseRelocation->SizeOfBlock); } ImageDataDirectory->VirtualAddress = LastImageSectionHeader->VirtualAddress; return NewFileBuffer; } //移动重定位表并修改ImageBase LPVOID MoveRelocateTableAndAlterImageBase(LPVOID NewFileBuffer) { PIMAGE_DOS_HEADER ImageDosHeader = NULL; PIMAGE_NT_HEADERS ImageNTheader = NULL; PIMAGE_FILE_HEADER ImageFileHeader = NULL; PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL; PIMAGE_SECTION_HEADER ImageSectionHeader = NULL; PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL; PIMAGE_SECTION_HEADER NewImageSectionHeader = NULL; PIMAGE_DATA_DIRECTORY ImageDataDirectory = NULL; PIMAGE_BASE_RELOCATION ImageBaseRelocation = NULL; if (!NewFileBuffer) { printf("空间分配失败 "); return NULL; } if (*((PWORD)(DWORD)NewFileBuffer) != IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标志 "); free(NewFileBuffer); return NULL; } ImageDosHeader = (PIMAGE_DOS_HEADER)NewFileBuffer; if (*((PDWORD)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志"); free(NewFileBuffer); return NULL; } ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew); ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4); ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER); ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader); LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER)); ImageDataDirectory = (PIMAGE_DATA_DIRECTORY)(&ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC]); ImageOptionalHeader->ImageBase = 0x20000000; ImageBaseRelocation = (PIMAGE_BASE_RELOCATION)((DWORD)NewFileBuffer + RVAToFOA(NewFileBuffer, ImageDataDirectory->VirtualAddress)); while (ImageBaseRelocation->VirtualAddress!=0&&ImageBaseRelocation->SizeOfBlock!=0) { PWORD StartDataAddress = PWORD((DWORD)ImageBaseRelocation + 8); for (size_t i = 0; i < ((ImageBaseRelocation->SizeOfBlock-8)/2); i++) { WORD FourHigh = ((*StartDataAddress & 0xF000)>>12); WORD LowBit = (*StartDataAddress & 0x0FFF); if (FourHigh == 3) { *((PDWORD)((DWORD)NewFileBuffer + RVAToFOA(NewFileBuffer, ((DWORD)ImageBaseRelocation->VirtualAddress + LowBit)))) = *((PDWORD)((DWORD)NewFileBuffer + RVAToFOA(NewFileBuffer, ((DWORD)ImageBaseRelocation->VirtualAddress + LowBit)))) + 0x10000000; } StartDataAddress++; } ImageBaseRelocation = (PIMAGE_BASE_RELOCATION)((DWORD)ImageBaseRelocation + ImageBaseRelocation->SizeOfBlock); } return NewFileBuffer; } //打印导入表 VOID PrintImportTable(LPVOID FileBuffer) { PIMAGE_FILE_HEADER ImageFileHeader = NULL; PIMAGE_DOS_HEADER ImageDosHeader = NULL; PIMAGE_NT_HEADERS ImageNTheader = NULL; PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader32 = NULL; PIMAGE_DATA_DIRECTORY ImageDataDirectory = NULL; PIMAGE_IMPORT_DESCRIPTOR ImageImportDescriptor = NULL; if (*((PWORD)FileBuffer) != IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标记 "); free(FileBuffer); return ; } ImageDosHeader = (PIMAGE_DOS_HEADER)FileBuffer; if (*((PDWORD)((DWORD)FileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志 "); free(FileBuffer); return ; } ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)FileBuffer + ImageDosHeader->e_lfanew); ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4); ImageOptionalHeader32 = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER); ImageDataDirectory = (PIMAGE_DATA_DIRECTORY)&ImageOptionalHeader32->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]; ImageImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)FileBuffer + RVAToFOA(FileBuffer, ImageDataDirectory->VirtualAddress)); while (ImageImportDescriptor->Characteristics != 0) { PNZCH DllName = (PNZCH)((DWORD)FileBuffer + RVAToFOA(FileBuffer, ImageImportDescriptor->Name)); printf("Dll名称->%s ", DllName); printf("------------------------------------------- "); printf("TimeDateStamp->%d ", ImageImportDescriptor->TimeDateStamp); printf("OriginalFirstThunk函数名或序号为 "); PDWORD OriginalFirstThunk = (PDWORD)((DWORD)FileBuffer + RVAToFOA(FileBuffer, ImageImportDescriptor->OriginalFirstThunk)); PDWORD FirstThunk = (PDWORD)((DWORD)FileBuffer + RVAToFOA(FileBuffer, ImageImportDescriptor->FirstThunk)); while (*OriginalFirstThunk != 0) { DWORD OriginalFirstThunkBestHighBit = (*OriginalFirstThunk & 0x80000000) >> 31; if (OriginalFirstThunkBestHighBit == 1) { DWORD OriginalFirstThunkSerialNumber = (*OriginalFirstThunk & 0x6FFFFFFF); printf("序号为->%x ", OriginalFirstThunkSerialNumber); } else { PIMAGE_IMPORT_BY_NAME OriginalFirstThunkFunctionName = (PIMAGE_IMPORT_BY_NAME)((DWORD)FileBuffer + RVAToFOA(FileBuffer, *OriginalFirstThunk)); printf("HIT为->%x ", OriginalFirstThunkFunctionName->Hint); printf("函数名为->%s ", OriginalFirstThunkFunctionName->Name); } OriginalFirstThunk++; } printf("FirstThunk函数名或序号为 "); while (*FirstThunk != 0) { DWORD FirstThunkBestHighBit = (*FirstThunk & 0x80000000) >> 31; if (FirstThunkBestHighBit == 1) { DWORD FirstThunkSerialNumber = (*FirstThunk & 0x6FFFFFFF); printf("序号为->%x ", FirstThunkSerialNumber); } else { PIMAGE_IMPORT_BY_NAME FirstThunkFunctionName = (PIMAGE_IMPORT_BY_NAME)((DWORD)FileBuffer + RVAToFOA(FileBuffer, *FirstThunk)); printf("HIT为->%x ", FirstThunkFunctionName->Hint); printf("函数名为->%s ", FirstThunkFunctionName->Name); } FirstThunk++; } ImageImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)ImageImportDescriptor + sizeof(IMAGE_IMPORT_DESCRIPTOR)); } free(FileBuffer); } //打印绑定导入表 VOID PrintBoundImportTable(LPVOID FileBuffer) { PIMAGE_FILE_HEADER ImageFileHeader = NULL; PIMAGE_DOS_HEADER ImageDosHeader = NULL; PIMAGE_NT_HEADERS ImageNTheader = NULL; PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader32 = NULL; PIMAGE_DATA_DIRECTORY ImageDataDirectoryToImportDescriptor = NULL; PIMAGE_DATA_DIRECTORY ImageDataDirectoryToBoundImportDescriptor = NULL; PIMAGE_IMPORT_DESCRIPTOR ImageImportDescriptor = NULL; PIMAGE_BOUND_IMPORT_DESCRIPTOR ImageBoundImportDescriptor = NULL; PIMAGE_BOUND_FORWARDER_REF ImageBoundForwarderRef = NULL; DWORD FirstBoundImportDescriptorAddress = NULL; if (*((PWORD)FileBuffer) != IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标记 "); free(FileBuffer); return; } ImageDosHeader = (PIMAGE_DOS_HEADER)FileBuffer; if (*((PDWORD)((DWORD)FileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志 "); free(FileBuffer); return; } ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)FileBuffer + ImageDosHeader->e_lfanew); ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4); ImageOptionalHeader32 = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER); ImageDataDirectoryToImportDescriptor = (PIMAGE_DATA_DIRECTORY)&ImageOptionalHeader32->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]; ImageImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)FileBuffer + RVAToFOA(FileBuffer, ImageDataDirectoryToImportDescriptor->VirtualAddress)); ImageDataDirectoryToBoundImportDescriptor = (PIMAGE_DATA_DIRECTORY)&ImageOptionalHeader32->DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT]; ImageBoundImportDescriptor = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)((DWORD)FileBuffer + ImageDataDirectoryToBoundImportDescriptor->VirtualAddress); FirstBoundImportDescriptorAddress = ((DWORD)FileBuffer + ImageDataDirectoryToBoundImportDescriptor->VirtualAddress); while (ImageImportDescriptor->OriginalFirstThunk !=0 && ImageImportDescriptor->FirstThunk !=0) { if (ImageImportDescriptor->TimeDateStamp == -1) { printf("------------------------------------------------------------------------- "); printf("NAME->%s ", (PNZCH)(FirstBoundImportDescriptorAddress + ImageBoundImportDescriptor->OffsetModuleName)); printf("------------------------------------------------------------------------- "); printf("OffsetModuleName->%x ", ImageBoundImportDescriptor->OffsetModuleName); printf("TimeDateStamp->%x ", ImageBoundImportDescriptor->TimeDateStamp); printf("NumberOfModuleForwarderRefs->%x ", ImageBoundImportDescriptor->NumberOfModuleForwarderRefs); if (ImageBoundImportDescriptor->NumberOfModuleForwarderRefs > 0) { size_t i = 1; ImageBoundForwarderRef = (PIMAGE_BOUND_FORWARDER_REF)((DWORD)ImageBoundImportDescriptor + sizeof(IMAGE_BOUND_IMPORT_DESCRIPTOR)); for (i; i <= ImageBoundImportDescriptor->NumberOfModuleForwarderRefs; i++) { printf("引入的NAME->%s ", (PNZCH)(FirstBoundImportDescriptorAddress + ImageBoundForwarderRef->OffsetModuleName)); printf("------------------------------------------------------------------------- "); printf("OffsetModuleName->%x ", ImageBoundForwarderRef->OffsetModuleName); printf("TimeDateStamp->%x ", ImageBoundForwarderRef->TimeDateStamp); ImageBoundForwarderRef++; } ImageBoundImportDescriptor = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)((DWORD)ImageBoundImportDescriptor + (i * sizeof(IMAGE_BOUND_FORWARDER_REF))); } else { ImageBoundImportDescriptor++; } } ImageImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)ImageImportDescriptor + sizeof(IMAGE_IMPORT_DESCRIPTOR)); } } //导入表注入 LPVOID InjectImportTable(LPVOID NewFileBuffer) { PIMAGE_DOS_HEADER ImageDosHeader = NULL; PIMAGE_NT_HEADERS ImageNTheader = NULL; PIMAGE_FILE_HEADER ImageFileHeader = NULL; PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL; PIMAGE_SECTION_HEADER ImageSectionHeader = NULL; PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL; PIMAGE_SECTION_HEADER NewImageSectionHeader = NULL; PIMAGE_DATA_DIRECTORY ImageDataDirectory = NULL; PIMAGE_IMPORT_DESCRIPTOR ImageImportDescriptor = NULL; PIMAGE_IMPORT_DESCRIPTOR NewImageImportDescriptor = NULL; PIMAGE_IMPORT_DESCRIPTOR LastImageImportDescriptor = NULL; PIMAGE_IMPORT_BY_NAME NewImageImportByName = NULL; PNEW_INT_TABLE NewINTTable = NULL; PNEW_IAT_TABLE NewIATTable = NULL; PDWORD NewAddSectionStartAddress = NULL; int ImportTableCount = 0; if (!NewFileBuffer) { printf("空间分配失败 "); return NULL; } if (*((PWORD)(DWORD)NewFileBuffer) != IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标志 "); free(NewFileBuffer); return NULL; } ImageDosHeader = (PIMAGE_DOS_HEADER)NewFileBuffer; if (*((PDWORD)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志"); free(NewFileBuffer); return NULL; } ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew); ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4); ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER); ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader); LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER)); ImageDataDirectory = (PIMAGE_DATA_DIRECTORY)(&ImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]); ImageImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)NewFileBuffer + RVAToFOA(NewFileBuffer, ImageDataDirectory->VirtualAddress)); NewAddSectionStartAddress = (PDWORD)((DWORD)NewFileBuffer + LastImageSectionHeader->PointerToRawData); //复制DLL名称 memcpy((PNZCH)NewAddSectionStartAddress, (PNZCH)&DllName, strlen((PNZCH)&DllName)); //复制函数名称 memcpy((PNZCH)((DWORD)NewAddSectionStartAddress + strlen((PNZCH)& DllName) + 3), (PNZCH)&APIName, strlen((PNZCH)& APIName)); while (ImageImportDescriptor->OriginalFirstThunk!=0&&ImageImportDescriptor->FirstThunk!=0) { memcpy((PNZCH)((DWORD)NewAddSectionStartAddress + (strlen((PNZCH)& DllName) + 3) + (strlen((PNZCH)& APIName) + 1) + (ImportTableCount* sizeof(IMAGE_IMPORT_DESCRIPTOR))), ImageImportDescriptor, sizeof(IMAGE_IMPORT_DESCRIPTOR)); ImportTableCount++; ImageImportDescriptor++; } NewImageImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)NewAddSectionStartAddress + (strlen((PNZCH)& DllName) + 3) + (strlen((PNZCH)& APIName) + 1) + (ImportTableCount * sizeof(IMAGE_IMPORT_DESCRIPTOR))); //最后一个导入表信息,并全部置0 LastImageImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)NewImageImportDescriptor + sizeof(IMAGE_IMPORT_DESCRIPTOR)); memset((PNZCH)LastImageImportDescriptor, 0, sizeof(IMAGE_IMPORT_DESCRIPTOR)); //添加INT表 NewINTTable = (PNEW_INT_TABLE)((DWORD)LastImageImportDescriptor + sizeof(IMAGE_IMPORT_DESCRIPTOR)); //添加IAT表 NewIATTable = (PNEW_IAT_TABLE)((DWORD)NewINTTable + sizeof(NEW_INT_TABLE)); //添加ImportByName表 NewImageImportByName = (PIMAGE_IMPORT_BY_NAME)((DWORD)NewAddSectionStartAddress + (strlen((PNZCH)& DllName) + 1)); //修复INT表 NewINTTable->VirtualAddress = (DWORD)LastImageSectionHeader->VirtualAddress + ((strlen((PNZCH)& DllName) + 1)); NewINTTable->OverAddress = 0; //修复IAT表 NewIATTable->VirtualAddress = (DWORD)LastImageSectionHeader->VirtualAddress + ((strlen((PNZCH)& DllName) + 1)); NewIATTable->OverAddress = 0; //修复新增导入表 NewImageImportDescriptor->FirstThunk = (DWORD)LastImageSectionHeader->VirtualAddress + ((DWORD)NewIATTable - ((DWORD)NewFileBuffer + LastImageSectionHeader->PointerToRawData)); NewImageImportDescriptor->OriginalFirstThunk = (DWORD)LastImageSectionHeader->VirtualAddress + ((DWORD)NewINTTable - ((DWORD)NewFileBuffer + LastImageSectionHeader->PointerToRawData)); NewImageImportDescriptor->TimeDateStamp = 0; NewImageImportDescriptor->ForwarderChain = 0; NewImageImportDescriptor->Name = (DWORD)LastImageSectionHeader->VirtualAddress; //修复数据目录 ImageDataDirectory->VirtualAddress = (LastImageSectionHeader->VirtualAddress + (strlen((PNZCH)& DllName) + 3) + (strlen((PNZCH)& APIName) + 1)); ImageDataDirectory->Size = ((DWORD)ImageDataDirectory->Size + sizeof(IMAGE_IMPORT_DESCRIPTOR)); return NewFileBuffer; } //复制NewFileBuffer到新的文件中 VOID CopyNewFileBufferToNewFile(LPVOID NewFileBuffer, LPSTR DestFile) { FILE* NewFile = NULL; PIMAGE_DOS_HEADER ImageDosHeader = NULL; PIMAGE_NT_HEADERS ImageNTheader = NULL; PIMAGE_FILE_HEADER ImageFileHeader = NULL; PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL; PIMAGE_SECTION_HEADER ImageSectionHeader = NULL; PIMAGE_SECTION_HEADER LastSectionHeader = NULL; NewFile = fopen(DestFile, "wb"); if (!NewFile) { printf("打开文件失败 "); return; } if (*((PWORD)(DWORD)NewFileBuffer) != IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标志 "); free(NewFileBuffer); return; } ImageDosHeader = (PIMAGE_DOS_HEADER)NewFileBuffer; if (*((PDWORD)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志"); free(NewFileBuffer); return; } ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew); ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4); ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER); ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader); LastSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER)); DWORD result = fwrite(NewFileBuffer, sizeof(char), (LastSectionHeader->PointerToRawData + LastSectionHeader->SizeOfRawData), NewFile); if (result < (DWORD)(LastSectionHeader->PointerToRawData + LastSectionHeader->SizeOfRawData)) { printf("文件写入失败 "); free(NewFileBuffer); fclose(NewFile); return; } free(NewFileBuffer); printf("文件写入完成 "); }