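### Tool.h

```cpp
#pragma once
#include <Windows.h>
#include <iostream>

/// Minimal PE-file helper: loads a file into a heap buffer, validates its
/// headers, appends one section header plus zero-filled section data, and
/// writes the buffer back to disk.
///
/// NOTE: addresses are carried around as DWORD, so this class is only correct
/// when built as 32-bit (x86); in an x64 build the pointer would be truncated.
/// NOTE: the loaded buffer is owned by the object but never released by it
/// (no destructor is declared); it is freed only when another file is loaded.
class Tool
{
public:
    /// Placeholder; not implemented (always returns 0).
    DWORD MyGetProcAddress(DWORD Module, LPCSTR FunName);

    /// Raw header accessors. They perform NO bounds checking: `base` must be
    /// a buffer that File_IS_PE has already accepted.
    PIMAGE_DOS_HEADER GetDosHandle(DWORD base);
    PIMAGE_NT_HEADERS GetNTHandle(DWORD base);

    /// Checks the DOS/NT signatures of the buffer at `Fpstr`, using FileSize
    /// as the buffer length. Shows a message box and returns FALSE on failure.
    BOOL File_IS_PE(DWORD Fpstr);

    PIMAGE_OPTIONAL_HEADER GetOptionHandle(DWORD base);
    PIMAGE_FILE_HEADER GetFileHandle(DWORD base);

    /// Reads the whole file into memory and validates it as a PE image.
    BOOL GetFileMomory(LPCWSTR Filepath);

public:
    /// Appends a new section of `sectionSize` bytes named `SectionName`
    /// (at most 8 characters) after the last section-table entry.
    BOOL AddSection(LPCSTR SectionName, DWORD sectionSize);

    /// Rounds `Size` up to the next multiple of `Align`.
    DWORD Aligment(DWORD Size, DWORD Align);

    /// Writes the in-memory image to `FileName`, replacing any existing file.
    BOOL SavePeFile(LPCWSTR FileName);

private:
    DWORD FileBase = 0; // address of the in-memory copy of the file (0 = nothing loaded)
    DWORD FileSize = 0; // size of that copy in bytes
};
```

### .cpp

```cpp
#include "Tool.h"

#include <cstdlib>
#include <cstring>

namespace
{
    // The class interface stores addresses in DWORD. These two helpers keep
    // the conversions in one place (valid for 32-bit builds only).
    DWORD ToAddress(void* pointer)
    {
        return static_cast<DWORD>(reinterpret_cast<DWORD_PTR>(pointer));
    }

    BYTE* ToPointer(DWORD address)
    {
        return reinterpret_cast<BYTE*>(static_cast<DWORD_PTR>(address));
    }

    // Rounds `value` up to a multiple of `align`. Fails when `align` is zero
    // or the result does not fit in 32 bits, so header fields taken from an
    // untrusted file cannot cause a division by zero or a silent wrap-around.
    bool AlignUpChecked(ULONGLONG value, DWORD align, DWORD& out)
    {
        if (align == 0)
        {
            return false;
        }
        const ULONGLONG remainder = value % align;
        const ULONGLONG rounded = (remainder == 0) ? value : value + (align - remainder);
        if (rounded > MAXDWORD)
        {
            return false;
        }
        out = static_cast<DWORD>(rounded);
        return true;
    }
}

// Interprets `base` as the start of the DOS header. No validation.
PIMAGE_DOS_HEADER Tool::GetDosHandle(DWORD base)
{
    return reinterpret_cast<PIMAGE_DOS_HEADER>(ToPointer(base));
}

// Follows e_lfanew to the NT headers. e_lfanew comes from the file, so the
// caller must have validated it (File_IS_PE) before dereferencing the result.
PIMAGE_NT_HEADERS Tool::GetNTHandle(DWORD base)
{
    const DWORD offset = static_cast<DWORD>(GetDosHandle(base)->e_lfanew);
    return reinterpret_cast<PIMAGE_NT_HEADERS>(ToPointer(base + offset));
}

PIMAGE_OPTIONAL_HEADER Tool::GetOptionHandle(DWORD base)
{
    return &GetNTHandle(base)->OptionalHeader;
}

PIMAGE_FILE_HEADER Tool::GetFileHandle(DWORD base)
{
    return &GetNTHandle(base)->FileHeader;
}

// Validates the buffer at `base` (expected to be the buffer loaded by
// GetFileMomory, whose length is FileSize). Every header read is bounded
// by FileSize, because the file content is untrusted input.
BOOL Tool::File_IS_PE(DWORD base)
{
    bool valid = false;

    if (base != 0 && FileSize >= sizeof(IMAGE_DOS_HEADER) && FileSize >= sizeof(IMAGE_NT_HEADERS))
    {
        const PIMAGE_DOS_HEADER dos = GetDosHandle(base);

        // e_lfanew is a signed LONG read from the file: reject negative
        // values and offsets that would place the NT headers past the buffer.
        if (dos->e_magic == IMAGE_DOS_SIGNATURE &&
            dos->e_lfanew > 0 &&
            static_cast<DWORD>(dos->e_lfanew) <= FileSize - sizeof(IMAGE_NT_HEADERS))
        {
            const PIMAGE_NT_HEADERS nt = GetNTHandle(base);

            // The optional-header magic must match the header layout this
            // build was compiled for (PE32 vs PE32+); otherwise every later
            // field access would read the wrong offsets.
            valid = nt->Signature == IMAGE_NT_SIGNATURE &&
                    nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR_MAGIC;
        }
    }

    if (!valid)
    {
        // Type 2 is MB_ABORTRETRYIGNORE; the button result is not used.
        MessageBoxW(NULL, L"错误文件", L"错误文件", 2);
        return FALSE;
    }
    return TRUE;
}

// Loads `Filepath` completely into a heap buffer and validates it.
// Returns FALSE (with nothing loaded) on any I/O, allocation or format error.
BOOL Tool::GetFileMomory(LPCWSTR Filepath)
{
    HANDLE file = CreateFileW(Filepath, GENERIC_READ, FILE_SHARE_READ, NULL,
                              OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (file == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }

    // Only files that fit in a DWORD (and are non-empty) can be handled.
    LARGE_INTEGER size = {};
    if (!GetFileSizeEx(file, &size) || size.HighPart != 0 || size.LowPart == 0)
    {
        CloseHandle(file);
        return FALSE;
    }

    void* buffer = malloc(size.LowPart);
    if (buffer == NULL)
    {
        CloseHandle(file);
        return FALSE;
    }

    DWORD bytesRead = 0;
    const BOOL readOk = ReadFile(file, buffer, size.LowPart, &bytesRead, NULL);
    CloseHandle(file);

    if (!readOk || bytesRead != size.LowPart)
    {
        free(buffer);
        return FALSE;
    }

    // Release a previously loaded file before taking ownership of the new one.
    if (FileBase != 0)
    {
        free(ToPointer(FileBase));
    }
    FileBase = ToAddress(buffer);
    FileSize = size.LowPart; // assign the member (not a shadowing local) so later calls see the real size

    if (!File_IS_PE(FileBase))
    {
        // Do not keep an unvalidated buffer around for AddSection/SavePeFile.
        free(buffer);
        FileBase = 0;
        FileSize = 0;
        return FALSE;
    }
    return TRUE;
}

// Rounds Size up to the next multiple of Align. Align == 0 returns Size
// unchanged instead of dividing by zero. The result can wrap for sizes near
// the DWORD limit; AddSection uses a checked helper for file-derived values.
DWORD Tool::Aligment(DWORD Size, DWORD Align)
{
    if (Align == 0)
    {
        return Size;
    }
    const DWORD remainder = Size % Align;
    return remainder == 0 ? Size : Size + (Align - remainder);
}

// Writes the current buffer to FileName, always creating a new file.
// Returns TRUE only when every byte was written.
BOOL Tool::SavePeFile(LPCWSTR FileName)
{
    if (FileBase == 0 || FileSize == 0)
    {
        return FALSE;
    }

    // Write access is all that is needed here.
    HANDLE file = CreateFileW(FileName, GENERIC_WRITE, FILE_SHARE_READ, NULL,
                              CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (file == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }

    DWORD bytesWritten = 0;
    const BOOL writeOk = WriteFile(file, ToPointer(FileBase), FileSize, &bytesWritten, NULL);
    CloseHandle(file);

    return (writeOk && bytesWritten == FileSize) ? TRUE : FALSE;
}

// Appends one section after the last section-table entry.
//
// All layout values are computed and validated first; the buffer is only
// modified once the reallocation has succeeded, so a failure leaves the
// loaded image untouched.
//
// Caveats for anyone inspecting the output file:
//  - Placement follows the LAST table entry, as in the original code. Data
//    stored past that section's raw data (an overlay) is not preserved.
//  - OptionalHeader.CheckSum is not recomputed, and the file no longer
//    matches any digest or signature computed over the original bytes.
BOOL Tool::AddSection(LPCSTR SectionName, DWORD SectionSize)
{
    if (FileBase == 0 || SectionName == NULL)
    {
        return FALSE;
    }

    // IMAGE_SECTION_HEADER::Name is exactly 8 bytes and need not be
    // NUL-terminated; anything longer would overwrite the following fields.
    const size_t nameLength = strlen(SectionName);
    if (nameLength > IMAGE_SIZEOF_SHORT_NAME)
    {
        return FALSE;
    }

    BYTE* image = ToPointer(FileBase);
    PIMAGE_NT_HEADERS nt = GetNTHandle(FileBase);

    const WORD sectionCount = nt->FileHeader.NumberOfSections;
    if (sectionCount == 0 || sectionCount == MAXWORD ||
        nt->FileHeader.SizeOfOptionalHeader < sizeof(IMAGE_OPTIONAL_HEADER))
    {
        return FALSE;
    }

    // Locate the section table by offset so it can be bounds-checked.
    const ULONGLONG tableOffset = static_cast<ULONGLONG>(GetDosHandle(FileBase)->e_lfanew) +
                                  FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader) +
                                  nt->FileHeader.SizeOfOptionalHeader;
    const ULONGLONG slotOffset = tableOffset + static_cast<ULONGLONG>(sectionCount) * sizeof(IMAGE_SECTION_HEADER);
    const ULONGLONG tableEnd = slotOffset + sizeof(IMAGE_SECTION_HEADER);

    // The extra header must fit inside both the buffer and the header area.
    if (tableEnd > FileSize || tableEnd > nt->OptionalHeader.SizeOfHeaders)
    {
        return FALSE;
    }

    // The slot must be unused padding; non-zero bytes mean other data lives
    // directly after the section table and would be overwritten.
    const BYTE* slot = image + slotOffset;
    for (size_t i = 0; i < sizeof(IMAGE_SECTION_HEADER); ++i)
    {
        if (slot[i] != 0)
        {
            return FALSE;
        }
    }

    const IMAGE_SECTION_HEADER last =
        reinterpret_cast<PIMAGE_SECTION_HEADER>(image + tableOffset)[sectionCount - 1];
    const DWORD fileAlignment = nt->OptionalHeader.FileAlignment;
    const DWORD sectionAlignment = nt->OptionalHeader.SectionAlignment;

    // File offset and RVA of the new section: directly after the last one.
    DWORD lastRawSize = 0;
    DWORD lastVirtualSize = 0;
    DWORD rawSize = 0;
    if (!AlignUpChecked(last.SizeOfRawData, fileAlignment, lastRawSize) ||
        !AlignUpChecked(last.Misc.VirtualSize, sectionAlignment, lastVirtualSize) ||
        !AlignUpChecked(SectionSize, fileAlignment, rawSize)) // raw size must be file-aligned
    {
        return FALSE;
    }

    const ULONGLONG rawStart = static_cast<ULONGLONG>(last.PointerToRawData) + lastRawSize;
    const ULONGLONG virtualStart = static_cast<ULONGLONG>(last.VirtualAddress) + lastVirtualSize;
    const ULONGLONG newFileSize = rawStart + rawSize;

    DWORD newImageSize = 0;
    if (rawStart < nt->OptionalHeader.SizeOfHeaders || // would overlap the headers
        newFileSize > MAXDWORD ||
        virtualStart > MAXDWORD ||
        !AlignUpChecked(virtualStart + SectionSize, sectionAlignment, newImageSize))
    {
        return FALSE;
    }

    // Resize the buffer. On failure the original buffer is still valid and
    // has not been modified.
    BYTE* resized = static_cast<BYTE*>(realloc(image, static_cast<size_t>(newFileSize)));
    if (resized == NULL)
    {
        return FALSE;
    }

    // realloc does not initialise new memory: zero everything from the start
    // of the new section (or the old end of file, whichever is lower) so no
    // stale heap content ends up in the saved file.
    const ULONGLONG zeroFrom = (rawStart < FileSize) ? rawStart : FileSize;
    memset(resized + zeroFrom, 0, static_cast<size_t>(newFileSize - zeroFrom));

    FileBase = ToAddress(resized);
    FileSize = static_cast<DWORD>(newFileSize);

    // Header pointers must be re-derived: the buffer may have moved.
    nt = GetNTHandle(FileBase);
    PIMAGE_SECTION_HEADER added = reinterpret_cast<PIMAGE_SECTION_HEADER>(resized + slotOffset);

    memset(added, 0, sizeof(*added));
    memcpy(added->Name, SectionName, nameLength);
    added->PointerToRawData = static_cast<DWORD>(rawStart);
    added->VirtualAddress = static_cast<DWORD>(virtualStart);
    added->SizeOfRawData = rawSize;         // aligned to FileAlignment
    added->Misc.VirtualSize = SectionSize;  // virtual size may stay unaligned

    // Same value as the original 0xE00000E0: code + data flags with read,
    // write and execute. A section that is both writable and executable
    // breaks W^X and is a common static indicator of a packed or modified
    // binary; use the minimum permissions the section content requires.
    added->Characteristics = IMAGE_SCN_CNT_CODE |
                             IMAGE_SCN_CNT_INITIALIZED_DATA |
                             IMAGE_SCN_CNT_UNINITIALIZED_DATA |
                             IMAGE_SCN_MEM_EXECUTE |
                             IMAGE_SCN_MEM_READ |
                             IMAGE_SCN_MEM_WRITE;

    nt->FileHeader.NumberOfSections = static_cast<WORD>(sectionCount + 1);
    nt->OptionalHeader.SizeOfImage = newImageSize; // must be a multiple of SectionAlignment

    return TRUE;
}

// Not implemented yet; always returns 0.
DWORD Tool::MyGetProcAddress(DWORD Module, LPCSTR FunName)
{
    return 0;
}
```

### Main函数

```cpp
#include <iostream>
#include "Tool.h"

int main()
{
    Tool pack;

    // Each step depends on the previous one, so stop at the first failure.
    if (!pack.GetFileMomory(L"E:\\上课课间\\第三阶段\\写壳\\第一天\\写壳001\\miaomiaomiao - 副本.exe"))
    {
        std::cerr << "failed to load input file" << '\n';
        return 1;
    }
    if (!pack.AddSection(".hane", 0x250))
    {
        std::cerr << "failed to add section" << '\n';
        return 1;
    }
    if (!pack.SavePeFile(L"bolalala.exe"))
    {
        std::cerr << "failed to save output file" << '\n';
        return 1;
    }
    return 0;
}
```

最后修改:2021 年 01 月 22 日 © 允许规范转载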