基础加壳程序

摘要:     给32位的PE文件加壳，包括exe, dll, ocx, 服务程序，com组件等，差不多所有的PE文件都可以用这个给加上了。我写的这个程序需要插上一个U盘，随便有一个U盘就可以，然后才能给程序加壳，加壳的程序也依靠这个U盘才能运行，有点意思吧。先把程序最主要的函数写到下面。

//-------------------------------------------------------------------

// 功能: 加壳

// 参数: oldpe - 加壳前的PE文件

//       shell - 外壳

//       newpe - 加壳后的PE文件

//       devstr - device string 设备字符串

// 返回: 是否加壳成功

// 说明: 这样合并之后, oldpe, shell也被改变了, 不能用了

//       she就是外壳使用的那个段

//       一般roloc就是在最后, 如果万一碰到不是在最后的, 这里就不能加上壳了

//       1-在oldpe中, 2-在shell中, 3-在newpe中

//       R表示在文件中偏移raw, V表示在内存中偏移virtual, T表示有效长度true

//

bool CombinShell(CPeManager* oldpe, CPeManager* shell, CPeManager* newpe, char* devstr)

{

  //保存到壳里面

  TShellHead SH = {0};

  strcpy(SH.Feature, devstr);

  SH.ImageBase = oldpe->GetImageBase();

  SH.OldEntry = oldpe->GetEntryPoint();

  SH.OldImport = oldpe->GetImportVpos();

  SH.OldLastSection = *(oldpe->GetLastSection());

  SH.OldBoundImportDataDir = *(oldpe->GetBoundImportDataDir());

  SH.OldImportDataDir = *(oldpe->GetImportDataDir());

  SH.OldIatDataDir = *(oldpe->GetIatDataDir());

  //--给新PE申请一个空间--------------

  newpe->m_BufSize = oldpe->m_FileSize + shell->m_FileSize + 0x8000;

  newpe->m_Buf = new BYTE[newpe->m_BufSize];

  ::ZeroMemory(newpe->m_Buf, newpe->m_BufSize);

  //--把旧PE复制到新PE中去------------

  DWORD last1_Rpos = oldpe->GetLastRpos();

  DWORD last1_Vpos = oldpe->GetLastVpos();

  DWORD last1_Rsize = oldpe->GetLastRsize();

  DWORD last1_Tsize = oldpe->GetLastTsize();

  memcpy(newpe->m_Buf, oldpe->m_Buf, (last1_Rpos + last1_Rsize)); 

  //--把壳复制到新PE中去-------------------

  DWORD she2_Rpos = shell->GetSheRpos();

  DWORD she2_Vpos = shell->GetSheVpos();

  DWORD she2_Tsize = shell->GetSheTsize();

  DWORD she2_Rsize = shell->GetSheRsize();

  DWORD she3_Vpos = last1_Vpos + oldpe->AlignV(last1_Rsize);

  DWORD she3_Rpos = last1_Rpos + oldpe->AlignV(last1_Rsize);

  int base_move = oldpe->GetImageBase() - shell->GetImageBase(); 

  int Vpos_move = she3_Vpos - she2_Vpos;

  shell->ModifyReloc(base_move, Vpos_move);

  shell->ModifyImport(Vpos_move);

  memcpy(newpe->m_Buf + she3_Rpos, shell->m_Buf + she2_Rpos, she2_Rsize);

  //--修正新PE的段头表--------------------------------

  DWORD last3_Tsize = she3_Vpos + she2_Rsize - last1_Vpos;

  DWORD last3_Rsize = oldpe->AlignR(last3_Tsize);

  newpe->GetLastSection()->Misc.VirtualSize = last3_Rsize;

  newpe->GetLastSection()->SizeOfRawData = last3_Rsize;

  DWORD file3_size = last1_Rpos + last3_Rsize;

  DWORD image3_size = last1_Vpos + last3_Rsize;

  //--合并重定位表--------------------

  if(oldpe->GetRelocSection() != 0)

  {

    //保存到壳里面

    SH.OldRelocDataDir = *(oldpe->GetRelocDataDir());

    SH.OldRelocSection = *(oldpe->GetRelocSection());

    DWORD reloc1_Rpos = oldpe->GetRelocRpos();

    DWORD reloc1_Tsize = oldpe->GetRelocTsize();

    DWORD reloc2_Rpos = shell->GetRelocRpos();

    DWORD reloc2_Tsize = shell->GetRelocTsize();

    DWORD reloc3_Rpos = last1_Rpos + last3_Rsize;

    DWORD reloc3_Vpos = last1_Vpos + oldpe->AlignV(last3_Rsize);

    DWORD reloc3_Tsize = reloc1_Tsize + reloc2_Tsize;

    DWORD reloc3_Rsize = oldpe->AlignR(reloc3_Tsize + 8);

        

    //把旧PE的重定位表复制到新PE中

    memcpy(newpe->m_Buf + reloc3_Rpos, oldpe->m_Buf + reloc1_Rpos, reloc1_Tsize);

    //把壳的重定位表复制到新的PE中去

    memcpy(newpe->m_Buf + reloc3_Rpos + reloc1_Tsize, shell->m_Buf + reloc2_Rpos, reloc2_Tsize);

    //--修正新PE的重定位地址---------

    newpe->GetRelocSection()->Misc.VirtualSize = reloc3_Rsize;

    newpe->GetRelocSection()->SizeOfRawData = reloc3_Rsize;

    newpe->GetRelocSection()->PointerToRawData = reloc3_Rpos;

    newpe->GetRelocSection()->VirtualAddress = reloc3_Vpos;

    newpe->GetRelocDataDir()->Size = reloc3_Tsize;

    newpe->GetRelocDataDir()->VirtualAddress = reloc3_Vpos;

    file3_size = reloc3_Rpos + reloc3_Rsize;

    image3_size = reloc3_Vpos + reloc3_Rsize;     

  }

  //--拷贝附加数据--------------------

  if(oldpe->GetFixTsize() != 0)

  {

    DWORD fix1_Rpos = oldpe->GetFixRpos();

    DWORD fix1_Tsize = oldpe->GetFixTsize();

    memcpy(newpe->m_Buf + file3_size, oldpe->m_Buf + fix1_Rpos, fix1_Tsize);

    file3_size += fix1_Tsize;

  }

  //--修改新PE文件的头部----------------------------

  //入口地址

  if(oldpe->IsDLL())

    newpe->GetOptionalHeader()->AddressOfEntryPoint = shell->GetExportFuncVpos("_DllEntry@12") + Vpos_move;

  else

    newpe->GetOptionalHeader()->AddressOfEntryPoint = shell->GetExportFuncVpos("_ExeEntry@0") + Vpos_move;

 

  //导入表地址

  newpe->GetImportDataDir()->VirtualAddress = shell->GetImportDataDir()->VirtualAddress + Vpos_move;

  newpe->GetImportDataDir()->Size = shell->GetImportDataDir()->Size;

  newpe->GetIatDataDir()->VirtualAddress = 0;

  newpe->GetIatDataDir()->Size = 0;

  newpe->GetBoundImportDataDir()->VirtualAddress = 0;

  newpe->GetBoundImportDataDir()->Size = 0;

  //映像大小

  newpe->GetOptionalHeader()->SizeOfImage = image3_size; 

  newpe->GetOptionalHeader()->CheckSum = 0;

  newpe->m_FileSize = file3_size;

  //每个段都置为可写

  int sec_num = newpe->GetSectionNum();

  IMAGE_SECTION_HEADER* sec_hs = newpe->GetSectionHeaders();

  for(int i = 0; i < sec_num; i++)

  {

    sec_hs[i].Characteristics |= 0x80000000;

  }

  //--保存TShellHead结构-----------------------

  TShellHead* pHead = newpe->GetShellHead(she3_Rpos, she2_Tsize);

  if(pHead == 0)

    return false;

  *pHead = SH;

  return true;

}

因为是个教学程序，界面很简单，下面就是打开了一个扫雷程序。

加壳后的扫雷程序运行时：

如果没有U盘，就会出现：

如果你喜欢这个程序，请留言，或者联系我。