PE文件相关代码

本文介绍了一种使用WIN32汇编语言实现非导入表调用API的方法,通过直接查找PE文件的导出表来获取API地址,并展示了具体的汇编代码示例。


;WIN32汇编无输入表调用API
		.386
		.model flat,stdcall
		option casemap:none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include 文件定义
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include		windows.inc

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 数据段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
		.const

; No import table is used by this program: these strings are the only
; link to the APIs it calls. The ANSI export names are resolved at run
; time by _GetApi (export-table walk) and GetProcAddress.
szCaption	db	'恭喜',0			; MessageBoxA caption
szText		db	'非导入表调用成功!',0		; MessageBoxA text
szLoadLibrary	db	'LoadLibraryA',0		; looked up in kernel32 via GetProcAddress
szGetProcAddress db	'GetProcAddress',0		; looked up in kernel32 via _GetApi
szUser32	db	'user32',0			; argument to LoadLibraryA
szMessageBox	db	'MessageBoxA',0			; looked up in user32 via GetProcAddress

		.data?
; Resolved addresses; .data? is zero-filled, so a value of 0 means "not resolved".
ALoadLibrary	dd	?	; kernel32!LoadLibraryA
AGetProcAddress dd      ?	; kernel32!GetProcAddress
AMessageBox	dd	?	; user32!MessageBoxA
dwKernel32Base	dd	?	; kernel32 image base returned by _GetKernel32Base

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 代码段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
		.code
;-----------------------------------------------------------------------
; SEH handler shared by _GetKernel32Base and _GetApi.
; _lpSEH points at the EXCEPTION_REGISTRATION record those procs build
; on their stack:
;   [_lpSEH+00h] previous fs:[0]      [_lpSEH+04h] this handler
;   [_lpSEH+08h] resume address       [_lpSEH+0ch] saved ebp
; On any exception it rewrites the faulting CONTEXT so that execution
; resumes at the stored address with ebp restored and esp pointing at
; the record itself, then returns ExceptionContinueExecution.
; The exception record is loaded into esi but never examined, so every
; exception type is resumed the same way.
;-----------------------------------------------------------------------
_Handler proc _lpExceptionRecord,_lpSEH,_lpContext,_lpDispatchertext
	pushad
	mov	esi,_lpExceptionRecord
	assume	esi:ptr EXCEPTIONRECORD
	mov	edi,_lpContext
	assume	edi:ptr CONTEXT
	mov	eax,_lpSEH
	push	[eax+0ch]			; saved ebp  -> CONTEXT.Ebp
	pop	[edi].regEbp
	push	[eax+08]			; resume addr -> CONTEXT.Eip
	pop	[edi].regEip
	push	eax				; record addr -> CONTEXT.Esp
	pop	[edi].regEsp
	assume	edi:nothing,esi:nothing
	popad
	mov	eax,ExceptionContinueExecution
	ret
_Handler endp

;-----------------------------------------------------------------------
; DWORD _GetKernel32Base(DWORD dwEsp)
; In:   dwEsp = an address expected to lie inside kernel32 (start passes
;       the return address found at [esp] on entry)
; Out:  eax = image base of the module containing dwEsp, or 0 when no
;       'MZ'/'PE' pair is found before reaching 70000000h
; Steps downward from dwEsp in 64 KiB increments and probes each address
; for an 'MZ' header whose e_lfanew points at a 'PE' signature. Probing
; an unmapped page raises an access violation; the SEH frame installed
; below makes _Handler resume at _safeplace, which continues the loop.
; ebx = load delta (runtime address - link address) so the two code
; addresses stored in the SEH record are correct even if this code runs
; somewhere other than where it was linked. edi/esi/ebx are preserved
; by 'uses'.
;-----------------------------------------------------------------------
_GetKernel32Base proc uses edi esi ebx dwEsp
	call	@F
	@@:
	pop	ebx
	sub	ebx,offset @B			; ebx = load delta

	; Install the SEH frame: [esp] prev, [esp+4] handler, [esp+8] resume, [esp+0ch] ebp
	assume	fs:nothing
	push	ebp
	lea	eax, [ebx+offset _safeplace]
	push	eax
	lea	eax,[ebx + offset _Handler]
	push	eax
	push	fs:[0]
	mov	fs:[0],esp

	mov	eax,dwEsp
	and	eax,0ffff0000h			; round down to 64 KiB allocation granularity

	.while	eax>=70000000h
		.if word ptr [eax] == IMAGE_DOS_SIGNATURE
			mov	edi,eax
			add	edi,[eax+03ch]		; edi = eax + e_lfanew
			.if word ptr [edi] == IMAGE_NT_SIGNATURE
				jmp	find			; eax = image base
			.endif
		.endif
		_safeplace:				; resume point after an access violation
		sub	eax,10000h
	.endw
	mov	eax,0					; nothing found
	find:
	pop	fs:[0]					; unlink the SEH frame
	add	esp,0ch					; drop resume address, handler, saved ebp
	ret
_GetKernel32Base endp

;-----------------------------------------------------------------------
; DWORD _GetApi(DWORD _hModule, LPCSTR _lpszApi)
; In:   _hModule = image base of a loaded module, _lpszApi = export name
; Out:  eax = address of that export, found by walking the module's own
;       export directory (AddressOfNames -> AddressOfNameOrdinals ->
;       AddressOfFunctions); no GetProcAddress involved.
; Uses the same SEH frame as _GetKernel32Base, with 'error' as the
; resume address. Every register except eax is restored by popad.
; NOTE(review): @dwReturn is never initialised, so on the 'error' path
; (name not found, or an exception) eax is whatever the stack slot held
; rather than 0 — callers cannot tell failure from success.
; NOTE(review): unlike the lea form used in _GetKernel32Base, the two
; `push [ebx+offset ...]` below look like memory reads of the dword *at*
; error / _Handler rather than pushes of their addresses; verify in an
; assembler listing. The record is only consulted if a fault occurs.
; NOTE(review): repz cmpsb leaves ecx = 0 both on a complete match and
; on a mismatch in the very last byte, so `.if !ecx` would also accept a
; longer export that shares the first @dwSize-1 bytes; testing the zero
; flag after cmpsb would be exact.
;-----------------------------------------------------------------------
_GetApi	proc	_hModule,_lpszApi
	local	@dwReturn,@dwSize
	pushad
	
	call	@F
	@@:
	pop	ebx
	sub	ebx,@B					; ebx = load delta
	
	; SEH frame; a fault anywhere below resumes at 'error'
	assume	fs:nothing
	push	ebp
	push	[ebx+offset error]
	push	[ebx+offset _Handler]
	push	fs:[0]
	mov	fs:[0],esp
	
	; @dwSize = strlen(_lpszApi) + 1 (the terminating NUL is compared too)
	mov	edi,_lpszApi
	mov	ecx,-1
	xor	eax,eax
	cld
	repnz	scasb
	sub	edi,_lpszApi
	mov	@dwSize,edi

	; esi = IMAGE_EXPORT_DIRECTORY: DataDirectory[0] of the optional header
	mov	esi,_hModule
	add	esi,[esi+3ch]				; e_lfanew -> IMAGE_NT_HEADERS
	assume	esi:ptr IMAGE_NT_HEADERS
	mov	esi,[esi].OptionalHeader.DataDirectory.VirtualAddress
	add	esi,_hModule
	assume	esi:ptr IMAGE_EXPORT_DIRECTORY

	; edx = name index, ebx = &AddressOfNames[edx] (the load delta is no longer needed)
	mov	ebx,[esi].AddressOfNames
	add	ebx,_hModule
	xor	edx,edx
	.while  edx <	[esi].NumberOfNames
		push	esi				; esi is reused as the cmpsb source
		mov	edi,[ebx]
		add	edi,_hModule			; edi = exported name (RVA + base)
		mov	esi,_lpszApi
		mov	ecx,@dwSize
		cld
		repz	cmpsb
		.if	!ecx				; see NOTE(review) above
			pop	esi
			jmp	@F
		.endif
		next:					; unused label
		pop	esi
		inc	edx
		add	ebx,4
	.endw
	jmp	error					; not found
	@@:
	; index = (ebx - &AddressOfNames[0]) / 4; ordinal = AddressOfNameOrdinals[index] (WORD)
	sub	ebx,[esi].AddressOfNames
	sub	ebx,_hModule
	shr	ebx,1					; index*4 -> index*2
	add	ebx,[esi].AddressOfNameOrdinals
	add	ebx,_hModule
	movzx	eax,word ptr [ebx]
	shl	eax,2					; ordinal*4 -> &AddressOfFunctions[ordinal]
	add	eax,[esi].AddressOfFunctions
	add	eax,_hModule

	mov	eax,[eax]				; function RVA
	add	eax,_hModule
	mov	@dwReturn,eax
	error:
	pop	fs:[0]					; unlink the SEH frame
	add	esp,0ch					; drop resume address, handler, saved ebp
	assume	esi:nothing
	popad
	mov	eax,@dwReturn
	ret
_GetApi endp

;-----------------------------------------------------------------------
; Entry point. Nothing is imported: kernel32 is located from the return
; address left on the stack at entry, GetProcAddress is found by walking
; kernel32's export table, and every other API is resolved through it.
; Each step is guarded by an .if on the previous result, so a failed
; lookup falls through to the end instead of calling through 0.
;-----------------------------------------------------------------------
start:
		mov	eax,[esp]			; return address pushed by whoever called the entry point; presumably inside kernel32 on the targeted Windows versions
		invoke	_GetKernel32Base,eax
		.if	eax
			mov	dwKernel32Base,eax
			invoke	_GetApi,eax, offset szGetProcAddress
			mov	AGetProcAddress,eax
		.endif
		.if	AGetProcAddress
			push	offset szLoadLibrary
			push	dwKernel32Base
			call	AGetProcAddress		; GetProcAddress(kernel32, "LoadLibraryA")
			.if	eax
				mov	ALoadLibrary,eax
				push	offset szUser32
				call	eax			; LoadLibraryA("user32")
				.if	eax
					push	offset szMessageBox
					push	eax
					call	AGetProcAddress	; GetProcAddress(user32, "MessageBoxA")
					.if	eax
						mov	AMessageBox,eax
					.endif
				.endif
			.endif
		.endif
		.if	AMessageBox
			push	MB_YESNO
			push	offset szCaption
			push	offset szText
			push	NULL
			call	AMessageBox		; MessageBoxA(NULL, szText, szCaption, MB_YESNO)
		.endif
		; return to the caller of the entry point; the ExitProcess alternative is left commented out
		ret;invoke	ExitProcess,NULL
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
		end	start


 

可以嵌入PE文件执行的WIN32汇编代码

		.386
		.model flat,stdcall
		option casemap:none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include 文件定义
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include		windows.inc

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 代码段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
		.code

	jmp	_NewEntry			; first instruction of the blob: skip the string data below and land on _NewEntry (also the 'end' entry point)

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;重要的函数名,为兼容WIN7 kernelbase.dll,增加LoadLibraryA函数
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
szLoadLibraryA db	'LoadLibraryA',0		; resolved through GetProcAddress in _start
;szLoadLibraryA   db	'LoadLibraryA',0       
szGetProcAddress db	'GetProcAddress',0		; resolved by _GetApi (export-table walk)

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; DLL names, export names and strings used by the payload (_Patch).
; They live in .code (there is no data section) and are always
; addressed as [ebx+offset ...], ebx being the load delta.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
szUser32	 db	'user32',0			; argument to LoadLibraryA

szMessageBoxA	 db	'MessageBoxA',0			; looked up in user32

szCaption	db	'恭喜',0			; MessageBoxA caption
szText		db	'非导入表调用成功!',0		; MessageBoxA text


;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;SEH错误Handler
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; SEH handler shared by _GetKernel32Base and _GetApi.
; _lpSEH points at the EXCEPTION_REGISTRATION record those procs build
; on their stack:
;   [_lpSEH+00h] previous fs:[0]      [_lpSEH+04h] this handler
;   [_lpSEH+08h] resume address       [_lpSEH+0ch] saved ebp
; On any exception it rewrites the faulting CONTEXT so that execution
; resumes at the stored address with ebp restored and esp pointing at
; the record itself, then returns ExceptionContinueExecution.
; The exception record is loaded into esi but never examined, so every
; exception type is resumed the same way.
;-----------------------------------------------------------------------
_SEHHandler proc _lpExceptionRecord,_lpSEH,_lpContext,_lpDispatchertext
	pushad
	mov	esi,_lpExceptionRecord
	assume	esi:ptr EXCEPTIONRECORD
	mov	edi,_lpContext
	assume	edi:ptr CONTEXT
	mov	eax,_lpSEH
	push	[eax+0ch]			; saved ebp  -> CONTEXT.Ebp
	pop	[edi].regEbp
	push	[eax+08]			; resume addr -> CONTEXT.Eip
	pop	[edi].regEip
	push	eax				; record addr -> CONTEXT.Esp
	pop	[edi].regEsp
	assume	edi:nothing,esi:nothing
	popad
	mov	eax,ExceptionContinueExecution
	ret
_SEHHandler endp


;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;获取kernel32.dll基地址,2种获取方法自行选择
;PS:用PEB获取最好使用LoadLibraryExA函数以兼容WIN7
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; DWORD _GetKernel32Base(DWORD _dwEsp)
; In:   _dwEsp = an address expected to lie inside kernel32 (_NewEntry
;       passes the return address it found at [esp])
; Out:  eax = image base of the module containing _dwEsp, or 0 when no
;       'MZ'/'PE' pair is found before reaching 70000000h
; Steps downward from _dwEsp in 64 KiB increments and probes each
; address for an 'MZ' header whose e_lfanew points at a 'PE' signature.
; Probing an unmapped page raises an access violation; the SEH frame
; installed below makes _SEHHandler resume at _safeplace, which simply
; continues the loop. ebx is recomputed here as the load delta so the
; two code addresses stored in the SEH record are correct wherever the
; blob runs; 'uses' restores the caller's ebx (the same delta) on exit.
; A commented-out PEB-walk alternative follows this proc.
;-----------------------------------------------------------------------
_GetKernel32Base proc uses edi esi ebx _dwEsp
	call	@F
	@@:
	pop	ebx
	sub	ebx,offset @B			; ebx = load delta

	; Install the SEH frame: [esp] prev, [esp+4] handler, [esp+8] resume, [esp+0ch] ebp
	assume	fs:nothing
	push	ebp
	lea	eax, [ebx+offset _safeplace]
	push	eax
	lea	eax,[ebx + offset _SEHHandler]
	push	eax
	push	fs:[0]
	mov	fs:[0],esp

	mov	eax,_dwEsp
	and	eax,0ffff0000h			; round down to 64 KiB allocation granularity

	.while	eax>=70000000h
		.if word ptr [eax] == IMAGE_DOS_SIGNATURE
			mov	edi,eax
			add	edi,[eax+03ch]		; edi = eax + e_lfanew
			.if word ptr [edi] == IMAGE_NT_SIGNATURE
				jmp	find			; eax = image base
			.endif
		.endif
		_safeplace:				; resume point after an access violation
		sub	eax,10000h
	.endw
	mov	eax,0					; nothing found
	find:
	pop	fs:[0]					; unlink the SEH frame
	add	esp,0ch					; drop resume address, handler, saved ebp
	ret
_GetKernel32Base endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;用PEB获取基址的方法
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;_GetKernel32Base proc
;	local	@dwRet

;	pushad
;	
;	assume fs:nothing
;	mov eax,fs:[30h]	;获取PEB所在地址
;	mov eax,[eax+0ch]	;获取PEB_LDR_DATA 结构指针
;	mov esi,[eax+1ch]	;获取InInitializationOrderModuleList 链表头
;				;第一个LDR_MODULE节点InInitializationOrderModuleList成员的指针
;	lodsd			;获取双向链表当前节点后继的指针
;	mov eax,[eax+8]		;获取kernel32.dll的基地址
;	mov @dwRet,eax
;	popad
;	
;	mov eax,@dwRet
;	ret
;_GetKernel32Base endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;查找导出表获取制定API地址
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; DWORD _GetApi(DWORD _hModule, LPCSTR _lpszApi)
; In:   _hModule = image base of a loaded module, _lpszApi = export name
; Out:  eax = address of that export, found by walking the module's own
;       export directory (AddressOfNames -> AddressOfNameOrdinals ->
;       AddressOfFunctions); no GetProcAddress involved.
; Uses the same SEH frame as _GetKernel32Base, with 'error' as the
; resume address. Every register except eax is restored by popad, so
; the caller's ebx (load delta) survives although ebx is reused here.
; NOTE(review): @dwReturn is never initialised, so on the 'error' path
; (name not found, or an exception) eax is whatever the stack slot held
; rather than 0 — _start then tests that value with `.if`.
; NOTE(review): unlike the lea form used in _GetKernel32Base, the two
; `push [ebx+offset ...]` below look like memory reads of the dword *at*
; error / _SEHHandler rather than pushes of their addresses; verify in
; an assembler listing. The record is only consulted if a fault occurs.
; NOTE(review): repz cmpsb leaves ecx = 0 both on a complete match and
; on a mismatch in the very last byte, so `.if !ecx` would also accept a
; longer export that shares the first @dwSize-1 bytes; testing the zero
; flag after cmpsb would be exact.
;-----------------------------------------------------------------------
_GetApi	proc	_hModule,_lpszApi
	local	@dwReturn,@dwSize
	pushad
	
	call	@F
	@@:
	pop	ebx
	sub	ebx,@B					; ebx = load delta
	
	; SEH frame; a fault anywhere below resumes at 'error'
	assume	fs:nothing
	push	ebp
	push	[ebx+offset error]
	push	[ebx+offset _SEHHandler]
	push	fs:[0]
	mov	fs:[0],esp
	
	; @dwSize = strlen(_lpszApi) + 1 (the terminating NUL is compared too)
	mov	edi,_lpszApi
	mov	ecx,-1
	xor	eax,eax
	cld
	repnz	scasb
	sub	edi,_lpszApi
	mov	@dwSize,edi

	; esi = IMAGE_EXPORT_DIRECTORY: DataDirectory[0] of the optional header
	mov	esi,_hModule
	add	esi,[esi+3ch]				; e_lfanew -> IMAGE_NT_HEADERS
	assume	esi:ptr IMAGE_NT_HEADERS
	mov	esi,[esi].OptionalHeader.DataDirectory.VirtualAddress
	add	esi,_hModule
	assume	esi:ptr IMAGE_EXPORT_DIRECTORY

	; edx = name index, ebx = &AddressOfNames[edx] (the load delta is no longer needed)
	mov	ebx,[esi].AddressOfNames
	add	ebx,_hModule
	xor	edx,edx
	.while  edx <	[esi].NumberOfNames
		push	esi				; esi is reused as the cmpsb source
		mov	edi,[ebx]
		add	edi,_hModule			; edi = exported name (RVA + base)
		mov	esi,_lpszApi
		mov	ecx,@dwSize
		cld
		repz	cmpsb
		.if	!ecx				; see NOTE(review) above
			pop	esi
			jmp	@F
		.endif
		next:					; unused label
		pop	esi
		inc	edx
		add	ebx,4
	.endw
	jmp	error					; not found
	@@:
	; index = (ebx - &AddressOfNames[0]) / 4; ordinal = AddressOfNameOrdinals[index] (WORD)
	sub	ebx,[esi].AddressOfNames
	sub	ebx,_hModule
	shr	ebx,1					; index*4 -> index*2
	add	ebx,[esi].AddressOfNameOrdinals
	add	ebx,_hModule
	movzx	eax,word ptr [ebx]
	shl	eax,2					; ordinal*4 -> &AddressOfFunctions[ordinal]
	add	eax,[esi].AddressOfFunctions
	add	eax,_hModule

	mov	eax,[eax]				; function RVA
	add	eax,_hModule
	mov	@dwReturn,eax
	error:
	pop	fs:[0]					; unlink the SEH frame
	add	esp,0ch					; drop resume address, handler, saved ebp
	assume	esi:nothing
	popad
	mov	eax,@dwReturn
	ret
_GetApi endp


;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;补丁功能部分
;_dwKernelBase:		kernel32.dll基址
;_lpGetProcAddress:	GetProcAddress地址
;_lpLoadLibraryA	LoadLibraryA或LoadLibraryA地址
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; _Patch(_dwKernelBase, _lpGetProcAddress, _lpLoadLibraryA)
; The payload proper: load user32 through _lpLoadLibraryA, resolve
; MessageBoxA through _lpGetProcAddress, show szText/szCaption.
; Expects ebx = load delta (set in _NewEntry); every string is addressed
; as [ebx+offset ...]. _dwKernelBase is accepted but not used here.
; All registers are saved/restored by pushad/popad; eax is not a result.
; NOTE(review): three dwords are pushed before `call _lpLoadLibraryA`
; (a LoadLibraryExA-shaped call), but _start resolves the one-argument
; LoadLibraryA (szLoadLibraryA). A stdcall callee removes only its own
; argument, so the two `push 0` stay on the stack and the popad below
; reads its registers from the wrong slots; the 'local' frame epilogue
; presumably hides the esp imbalance itself. Looks like a leftover from
; the LoadLibraryExA variant the kernel32 comment mentions — confirm
; which API is intended.
; NOTE(review): @lpMessageBoxA is tested at `.if @lpMessageBoxA` even on
; the paths that never store it; locals are not zero-initialised.
;-----------------------------------------------------------------------
_Patch	proc	_dwKernelBase,_lpGetProcAddress,_lpLoadLibraryA
		local	@hUser32,@lpMessageBoxA
		
		pushad
		lea	edx,dword ptr [ebx+offset szUser32]
		push	0
		push	0
		push	edx
		call	_lpLoadLibraryA			; see NOTE(review): argument count vs. LoadLibraryA
		.if	eax
			mov	@hUser32,eax
			lea	edx,dword ptr [ebx+offset szMessageBoxA]
			push	edx
			push	eax
			call	_lpGetProcAddress		; GetProcAddress(user32, "MessageBoxA")
			.if	eax
				mov	@lpMessageBoxA,eax
			.endif
		.endif
		.if	@lpMessageBoxA
		push	MB_YESNO
		lea	edx,dword ptr [ebx+offset szCaption]
		push	edx
		lea	edx,dword ptr [ebx+offset szText]
		push	edx
		push	NULL
		call	@lpMessageBoxA			; MessageBoxA(NULL, szText, szCaption, MB_YESNO)
		.endif
		popad
		ret
_Patch	endp

;-----------------------------------------------------------------------
; _start: orchestrates the payload. Called from _NewEntry with
;   edx = the return address found at [esp] on entry (used to locate kernel32)
;   ebx = load delta (used by every [ebx+offset ...] reference)
; Locates kernel32, resolves GetProcAddress by walking its export table,
; resolves LoadLibraryA through GetProcAddress, then hands all three to
; _Patch. Returns eax = 0; every other register is restored by popad.
; NOTE(review): @lpGetProcAddress is tested at `.if @lpGetProcAddress`
; without having been stored when _GetKernel32Base returned 0; locals
; are not zero-initialised.
;-----------------------------------------------------------------------
_start	proc
	local	@dwKernel32Base
	local	@lpGetProcAddress,@lpLoadLibraryA
	
	pushad
	push	edx					; _GetKernel32Base(_dwEsp = edx)
	call	_GetKernel32Base
	.if	eax
		mov	@dwKernel32Base,eax
		lea	edx,dword ptr [ebx+offset szGetProcAddress]
		push	edx
		push	eax
		call	_GetApi				; _GetApi(kernel32, "GetProcAddress")
		mov	@lpGetProcAddress,eax
	.endif
	.if	@lpGetProcAddress
		lea	edx,dword ptr [ebx+offset szLoadLibraryA]
		push	edx
		push	@dwKernel32Base
		call	@lpGetProcAddress		; GetProcAddress(kernel32, "LoadLibraryA")
		.if	eax
			mov	@lpLoadLibraryA,eax
			push	eax
			push	@lpGetProcAddress
			push	@dwKernel32Base
			call	_Patch				; _Patch(kernel32, GetProcAddress, LoadLibraryA)
		.endif
	.endif

	popad
	xor	eax,eax
	ret
_start	endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;PE文件新入口
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_NewEntry:
	mov	edx,[esp]			; return address left by whoever called the entry point; handed to _start
	call	@F
	@@:
	pop	ebx
	sub	ebx,@B				; ebx = load delta, kept live for _start and _Patch
	call	_start
	;ret
	jmpToStart db 0E9h,0F0h,0FFh,0ffh,0ffh	; placeholder near jmp with rel32 = -10h; the author marks it as still needing to be fixed up
	ret
end	_NewEntry

 

 

 

 

PE加载器(仅提供个思路..实际中无法使用)

#include <windows.h>
#include <commdlg.h>
#include "resource.h"

// Links the loader itself at 0x70000000 — presumably so that its own image does
// not occupy the usual preferred base of the file being loaded (LoadPE first
// tries VirtualAlloc at that file's ImageBase).
#pragma comment(linker,"/BASE:0x70000000")

void PopFileInitialize (HWND hwnd);
BOOL PopFileOpenDlg (HWND hwnd, PTSTR pstrFileName, PTSTR pstrTitleName);

// Manual-mapping helpers used by LoadPE (relocations, imports, section protections).
BOOL FixReloc(BYTE *lpImage, DWORD OldImage, PIMAGE_BASE_RELOCATION pRelocData);
BOOL FixIAT(BYTE *lpImage, PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor);
BOOL LoadPE(TCHAR	szFileName[]); 
void SetProtect(BYTE *lpImage, PIMAGE_SECTION_HEADER pFirstSection,DWORD dwSectionNum);

// WinMain arguments of the loader, saved for the loaded image: LoadPE pushes
// arg4, arg3, arg2 and the mapped image base (in place of arg1) before calling
// the image's entry point.
HINSTANCE	arg1, arg2;
PSTR		arg3;
int			arg4;

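// Loader entry point: asks the user for a PE file and hands it to LoadPE.
// The WinMain arguments are stashed in arg1..arg4 so LoadPE can forward them
// to the loaded image's entry point. Always returns 0.
int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance,PSTR szCmdLine, int iCmdShow)
{
	TCHAR	szFileName[MAX_PATH] ={0};
	arg1	= hInstance;
	arg2	= hPrevInstance;
	arg3	= szCmdLine;
	arg4	= iCmdShow;
	PopFileInitialize(NULL);
	// A cancelled dialog leaves szFileName empty; stop here instead of letting
	// LoadPE report a misleading "open failed".
	if (!PopFileOpenDlg(NULL, szFileName, TEXT("选择要载入的PE文件") ))
		return 0;
	// LoadPE reports its own failures; its return value is not acted on here.
	(void)LoadPE(szFileName);
	return 0;	
}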

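// Maps the PE file szFileName into this process the way the OS loader would
// (headers and sections copied into VirtualAlloc'd memory, IAT resolved, base
// relocations applied, per-section protections set) and then calls its entry
// point with the host's WinMain arguments (arg1..arg4).
//   szFileName : path chosen by the user
// Returns TRUE once the entry point has returned, FALSE on any failure. Open and
// malformed-file failures show a message box; mapping, allocation and import
// failures return silently.
// Header fields are read from the file and only partially validated here
// (file/image extents of headers and sections, entry RVA); the import,
// relocation and section tables are trusted beyond those checks.
BOOL LoadPE(TCHAR	szFileName[])
{
	::PIMAGE_BASE_RELOCATION	pRelocData;
	::PIMAGE_IMPORT_DESCRIPTOR	pImportDescriptor;
	::PIMAGE_NT_HEADERS			pNtHeaders;
	::PIMAGE_SECTION_HEADER		pSectionHeader, pFirstSection;

	HANDLE	hFile;
	HANDLE	hMap		= NULL;
	BYTE	*lpMemory	= NULL;		// read-only view of the file
	BYTE	*lpImage	= NULL;		// the image as laid out in memory
	BOOL	bResult		= FALSE;

	DWORD	dwFileSize;
	DWORD	dwImageBase;	// preferred ImageBase from the optional header
	DWORD	dwEntryAddress;	// AddressOfEntryPoint (RVA)
	DWORD	dwImageSize;	// SizeOfImage
	DWORD	dwHeadersSize;	// SizeOfHeaders
	DWORD	dwSectionNum;
	DWORD	dwSectionAddr, dwFileAddr, dwRawSize;
	DWORD	dwImportRva, dwRelocRva;
	DWORD	addr;			// absolute entry point
	LONG	e_lfanew;
	DWORD	i;

	hFile = CreateFile(szFileName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_ARCHIVE, NULL);
	if (INVALID_HANDLE_VALUE == hFile)
	{
		MessageBox(NULL, L"打开文件失败", NULL, NULL);
		return FALSE;
	}

	// The file size bounds every offset read from the headers below.
	dwFileSize = GetFileSize(hFile, NULL);
	if (dwFileSize == INVALID_FILE_SIZE || dwFileSize < sizeof(IMAGE_DOS_HEADER) + sizeof(IMAGE_NT_HEADERS))
		goto NotPE;

	hMap	= CreateFileMapping(hFile,  NULL, PAGE_READONLY, 0, 0, NULL);
	if (!hMap)
		goto Cleanup;
	lpMemory	= (BYTE*)MapViewOfFile (hMap, FILE_MAP_READ, 0, 0, 0);
	if (!lpMemory)
		goto Cleanup;

	// DOS header -> NT headers, each located inside the file before being read.
	if (((PIMAGE_DOS_HEADER)lpMemory)->e_magic != IMAGE_DOS_SIGNATURE)
		goto NotPE;
	e_lfanew = ((PIMAGE_DOS_HEADER)lpMemory)->e_lfanew;
	if (e_lfanew < 0 || (DWORD)e_lfanew > dwFileSize - sizeof(IMAGE_NT_HEADERS))
		goto NotPE;
	pNtHeaders	= (PIMAGE_NT_HEADERS)(lpMemory + e_lfanew);
	if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
		goto NotPE;

	dwImageSize		= pNtHeaders->OptionalHeader.SizeOfImage;
	dwImageBase		= pNtHeaders->OptionalHeader.ImageBase;
	dwEntryAddress	= pNtHeaders->OptionalHeader.AddressOfEntryPoint;
	dwHeadersSize	= pNtHeaders->OptionalHeader.SizeOfHeaders;
	dwSectionNum	= pNtHeaders->FileHeader.NumberOfSections;
	dwImportRva		= pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
	dwRelocRva		= pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress;
	pFirstSection	= IMAGE_FIRST_SECTION(pNtHeaders);	// honours SizeOfOptionalHeader, unlike pNtHeaders + 1

	if (dwHeadersSize > dwFileSize || dwHeadersSize > dwImageSize || dwEntryAddress >= dwImageSize)
		goto NotPE;
	// The whole section table must lie inside the headers that get copied.
	if ((DWORD)((BYTE*)(pFirstSection + dwSectionNum) - lpMemory) > dwHeadersSize)
		goto NotPE;

	// Prefer the linked ImageBase so no relocation is needed. MEM_RESERVE must
	// accompany MEM_COMMIT when a specific, not yet reserved address is requested.
	lpImage		= (PBYTE)VirtualAlloc((LPVOID)dwImageBase, dwImageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	if (!lpImage)
		lpImage	= (PBYTE)VirtualAlloc(NULL, dwImageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	if (!lpImage)
		goto Cleanup;
	// Freshly committed pages are zero-filled, so no memset is needed.

	// Headers, then each section's raw data at its virtual address.
	memcpy(lpImage, lpMemory, dwHeadersSize);
	pSectionHeader = pFirstSection;
	for (i = 0; i < dwSectionNum; i++, pSectionHeader++)
	{
		dwSectionAddr	= pSectionHeader->VirtualAddress;
		dwFileAddr		= pSectionHeader->PointerToRawData;
		dwRawSize		= pSectionHeader->SizeOfRawData;
		if (dwRawSize == 0)
			continue;	// uninitialised-data section: virtual space only
		// Source must fit in the file and destination in the image (overflow-safe form).
		if (dwRawSize > dwFileSize || dwFileAddr > dwFileSize - dwRawSize ||
			dwRawSize > dwImageSize || dwSectionAddr > dwImageSize - dwRawSize)
			goto NotPE;
		memcpy(lpImage + dwSectionAddr, lpMemory + dwFileAddr, dwRawSize);
	}

	// Imports: the descriptor array lives inside the image now that sections are in place.
	if (dwImportRva)
	{
		if (dwImportRva >= dwImageSize)
			goto NotPE;
		pImportDescriptor	= (PIMAGE_IMPORT_DESCRIPTOR)(lpImage + dwImportRva);
		if (!FixIAT(lpImage, pImportDescriptor))
			goto Cleanup;
	}

	// Relocations: only needed when the preferred base was not available.
	if ((DWORD)lpImage != dwImageBase)
	{
		// Without a relocation table the image cannot be rebased; running it would
		// dereference absolute addresses that point at the old base.
		if (!dwRelocRva || dwRelocRva >= dwImageSize)
			goto Cleanup;
		pRelocData			= (PIMAGE_BASE_RELOCATION)(lpImage + dwRelocRva);
		if (!FixReloc(lpImage, dwImageBase, pRelocData))
			goto Cleanup;
	}

	SetProtect(lpImage, pFirstSection, dwSectionNum);

	// Transfer control. The entry point is called with the host's WinMain
	// arguments, the mapped image standing in for hInstance. An image whose
	// entry is a CRT startup routine may never return from here.
	addr = dwEntryAddress + (DWORD)lpImage;
	_asm
	{
		push	arg4
		push	arg3
		push	arg2
		push	lpImage
		call	addr
	}
	bResult = TRUE;
	goto Cleanup;

NotPE:
	MessageBox(NULL, L"不是PE文件", NULL, NULL);
Cleanup:
	// The image is kept only if it was actually run; everything else is released.
	if (!bResult && lpImage)
		VirtualFree(lpImage, 0, MEM_RELEASE);
	if (lpMemory)
		UnmapViewOfFile (lpMemory);
	if (hMap)
		CloseHandle(hMap);
	CloseHandle(hFile);
	return bResult;
}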

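// Applies the base-relocation table to an image mapped at lpImage instead of the
// base it was linked for.
//   lpImage    : start of the mapped image
//   OldImage   : ImageBase from the optional header
//   pRelocData : first IMAGE_BASE_RELOCATION block (already inside the mapped image)
// Each block is an IMAGE_BASE_RELOCATION header followed by WORD entries whose
// high 4 bits are the relocation type and low 12 bits the offset within the
// block's page. Only IMAGE_REL_BASED_HIGHLOW is patched; IMAGE_REL_BASED_ABSOLUTE
// entries are alignment padding and skipped. Returns FALSE on any other type
// (for example DIR64 in a 64-bit image), leaving later entries untouched.
BOOL FixReloc(BYTE *lpImage, DWORD OldImage, PIMAGE_BASE_RELOCATION pRelocData)
{
	DWORD	dwOffset;	// delta added to every absolute address
	DWORD	dwNum;		// entries in the current block
	WORD	*wValue;	// current entry
	BYTE	*pPage;		// lpImage + block VirtualAddress
	PIMAGE_BASE_RELOCATION	pReloc;

	dwOffset	= (DWORD)(lpImage - OldImage);
	if (dwOffset == 0)
		return TRUE;	// loaded at the preferred base: nothing to patch

	pReloc		= pRelocData;
	// A zero VirtualAddress/SizeOfBlock terminates the table; a SizeOfBlock smaller
	// than the header would make the entry count wrap, so it terminates too.
	while (pReloc->VirtualAddress && pReloc->SizeOfBlock >= sizeof(IMAGE_BASE_RELOCATION))
	{
		pPage	= lpImage + pReloc->VirtualAddress;
		dwNum	= (pReloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
		wValue	= (WORD*)((BYTE*)pReloc + sizeof(IMAGE_BASE_RELOCATION));
		for (; dwNum; dwNum--, wValue++)
		{
			WORD	wType	= (WORD)(*wValue >> 12);
			WORD	wOff	= (WORD)(*wValue & 0x0FFF);
			if (wType == IMAGE_REL_BASED_HIGHLOW)
				*(DWORD*)(pPage + wOff) += dwOffset;
			else if (wType != IMAGE_REL_BASED_ABSOLUTE)
				return FALSE;
		}
		// Blocks are variable-length: advance by SizeOfBlock. (pReloc++ would step
		// only sizeof(IMAGE_BASE_RELOCATION) bytes and land inside this block's entries.)
		pReloc	= (PIMAGE_BASE_RELOCATION)((BYTE*)pReloc + pReloc->SizeOfBlock);
	}

	return TRUE;
}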

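// Resolves every import of the mapped image and writes the addresses into its IAT.
//   lpImage           : start of the mapped image
//   pImportDescriptor : first IMAGE_IMPORT_DESCRIPTOR (the array ends with an all-zero entry)
// Returns FALSE as soon as a DLL cannot be loaded or a symbol cannot be resolved,
// leaving the remaining IAT slots unpatched; TRUE when every slot was filled.
BOOL FixIAT(BYTE *lpImage, PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor)
{
	PIMAGE_IMPORT_DESCRIPTOR	pDllImport;
	PIMAGE_THUNK_DATA			pOrignalThunk, pFirstThunk;
	PIMAGE_IMPORT_BY_NAME		pImportByName;
	HMODULE	hModule;
	LPCSTR	szDllName;
	LPCSTR	lpProcName;
	FARPROC	pfn;

	for (pDllImport = pImportDescriptor; pDllImport->Name ; pDllImport++)
	{
		// The DLL name is a NUL-terminated string inside the image; use it in
		// place. (The previous lstrcpyA into a MAX_PATH buffer had no length
		// limit, so an over-long name in the file overflowed the stack buffer.)
		szDllName	= (LPCSTR)(lpImage + pDllImport->Name);
		if (!(hModule = GetModuleHandleA(szDllName)) )
			hModule	= LoadLibraryA (szDllName);
		if (!hModule)
			return FALSE;

		// OriginalFirstThunk (import name table) describes each import;
		// FirstThunk is the IAT that gets overwritten. Images without an INT
		// use the IAT for both.
		if (pDllImport->OriginalFirstThunk)
			pOrignalThunk	= (PIMAGE_THUNK_DATA)(lpImage + pDllImport->OriginalFirstThunk);
		else
			pOrignalThunk	= (PIMAGE_THUNK_DATA)(lpImage + pDllImport->FirstThunk);
		pFirstThunk	= (PIMAGE_THUNK_DATA)(lpImage + pDllImport->FirstThunk);
		for (; pOrignalThunk->u1.AddressOfData; pOrignalThunk++, pFirstThunk++)
		{
			if (IMAGE_SNAP_BY_ORDINAL32(pOrignalThunk->u1.Ordinal))
			{
				// Ordinal import: GetProcAddress takes the ordinal in the low word of the name pointer.
				lpProcName	= (LPCSTR)IMAGE_ORDINAL32(pOrignalThunk->u1.Ordinal);
			}
			else
			{
				pImportByName	= (PIMAGE_IMPORT_BY_NAME)(lpImage + pOrignalThunk->u1.AddressOfData);
				lpProcName	= (LPCSTR)pImportByName->Name;
			}
			pfn	= GetProcAddress (hModule, lpProcName);
			if (!pfn)
				return FALSE;
			pFirstThunk->u1.Function	= (DWORD)pfn;
		}
	}

	return TRUE;
}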

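// Replaces the blanket PAGE_EXECUTE_READWRITE the image was allocated with by a
// per-section protection derived from each section's Characteristics.
//   lpImage       : start of the mapped image
//   pFirstSection : first IMAGE_SECTION_HEADER
//   dwSectionNum  : number of sections
// Mapping: execute+write -> EXECUTE_READWRITE, execute+read -> EXECUTE_READ,
// execute only -> EXECUTE, write -> READWRITE, read -> READONLY, none -> NOACCESS.
// (The previous if-chain picked EXECUTE_READ for an executable section that was
// both readable and writable, and left dwProtect uninitialised for a section with
// no access bits at all.) A failed VirtualProtect is reported with a message box.
void SetProtect(BYTE *lpImage, PIMAGE_SECTION_HEADER pFirstSection,DWORD dwSectionNum)
{
	PIMAGE_SECTION_HEADER	pSectionHeader = pFirstSection;
	DWORD	dwProtect;
	DWORD	dwSectionSize, dwSectionAddr;
	DWORD	dwChar;
	BOOL	bExec, bWrite, bRead;
	for (DWORD i=0; i < dwSectionNum; i++, pSectionHeader++)
	{
		dwChar	= pSectionHeader->Characteristics;
		bExec	= (dwChar & IMAGE_SCN_MEM_EXECUTE) != 0;
		bWrite	= (dwChar & IMAGE_SCN_MEM_WRITE) != 0;
		bRead	= (dwChar & IMAGE_SCN_MEM_READ) != 0;
		// Write implies read at page level, so WRITE takes precedence over READ.
		if (bExec)
			dwProtect	= bWrite ? PAGE_EXECUTE_READWRITE : (bRead ? PAGE_EXECUTE_READ : PAGE_EXECUTE);
		else
			dwProtect	= bWrite ? PAGE_READWRITE : (bRead ? PAGE_READONLY : PAGE_NOACCESS);

		// VirtualSize may be 0 or smaller than the raw data that LoadPE copied;
		// protect whichever extent is larger, and skip genuinely empty sections.
		dwSectionSize	= pSectionHeader->Misc.VirtualSize;
		if (dwSectionSize < pSectionHeader->SizeOfRawData)
			dwSectionSize	= pSectionHeader->SizeOfRawData;
		if (dwSectionSize == 0)
			continue;
		dwSectionAddr	= pSectionHeader->VirtualAddress;

		DWORD	OldProtect;
		if (!VirtualProtect(lpImage+dwSectionAddr, dwSectionSize, dwProtect, &OldProtect) )
			MessageBox(NULL,L"页面属性设置失败", NULL, 0);
	}
}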

///////////////////////////////////打开文件对话框/////////////////////////////////////////////////////////
// Shared Open-dialog template: filled once by PopFileInitialize, per-call
// fields (owner, file buffer, title, flags) set by PopFileOpenDlg.
static OPENFILENAME ofn ;

// Fills the module-wide OPENFILENAME template used by PopFileOpenDlg: a
// "PE Files" (*.exe;*.dll) filter plus "All Files", MAX_PATH-sized buffers,
// default extension "txt", no hook procedure and no custom template.
//   hwnd : initial owner window (PopFileOpenDlg overrides it per call)
void PopFileInitialize (HWND hwnd)
{
     static TCHAR szFilter[] = TEXT ("PE Files \0*.exe;*.dll\0")  \
                               TEXT ("All Files (*.*)\0*.*\0\0") ;

     // Start from an all-zero structure; only the non-zero fields are listed.
     // lpstrFile, lpstrFileTitle and Flags are supplied per call by PopFileOpenDlg.
     memset (&ofn, 0, sizeof (ofn)) ;
     ofn.lStructSize   = sizeof (OPENFILENAME) ;
     ofn.hwndOwner     = hwnd ;
     ofn.lpstrFilter   = szFilter ;
     ofn.nMaxFile      = MAX_PATH ;
     ofn.nMaxFileTitle = MAX_PATH ;
     ofn.lpstrDefExt   = TEXT ("txt") ;
}

// Shows the Open dialog described by the template PopFileInitialize prepared.
//   hwnd          : owner window
//   pstrFileName  : receives the selected path (ofn.nMaxFile TCHARs)
//   pstrTitleName : dialog title
// Returns the GetOpenFileName result: FALSE when the user cancels or on error.
BOOL PopFileOpenDlg (HWND hwnd, PTSTR pstrFileName, PTSTR pstrTitleName)
{
     OPENFILENAME *pofn = &ofn ;

     pofn->hwndOwner  = hwnd ;
     pofn->lpstrFile  = pstrFileName ;
     pofn->lpstrTitle = pstrTitleName ;
     pofn->Flags      = OFN_HIDEREADONLY | OFN_CREATEPROMPT ;

     return GetOpenFileName (pofn) ;
}

///////////////////////////////////////////////////////////////////////////////////////////////////////////////////


 
