滴水PE作业3

最新推荐文章于 2024-10-10 08:12:22 发布
原创 最新推荐文章于 2024-10-10 08:12:22 发布 · 166 阅读 · 0 ·
CC 4.0 BY-SA版权
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
文章标签:

#c++ #c语言 #开发语言

该代码实现读取PE文件,将导出表和重定位表的数据移到新节中,涉及内存分配、文件操作及PE结构解析。通过新增节、调整内存布局,并更新文件头信息来保存修改。

 实现目标: 开辟新的节并将导出表与重定位表的数据移到新的节中

代码如下

#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<Windows.h>
FILE* OpenFile(char path[]);
char* GetMemory(FILE* file_point);
void FreeMemory(FILE* file_point, char* memory_point[], int memory_size);
void conversion(PIMAGE_SECTION_HEADER section);
PIMAGE_DOS_HEADER dos_ptr(char* memory);
PIMAGE_NT_HEADERS nt_ptr(char* memory);
PIMAGE_FILE_HEADER file_ptr(char* memory);
PIMAGE_OPTIONAL_HEADER optional_ptr(char* memory);
PIMAGE_SECTION_HEADER section_ptr(char* memory);
PIMAGE_SECTION_HEADER last_section_ptr(char* memory);
void export_file(char* memory);
char* transform_to_file(char* memory, char* first);
char* transform_to_memory(char* memory, char* first);
DWORD get_largest_size(DWORD virtual_size, DWORD file_size);
DWORD* data_directory(char* memory);

char* add_table(char* memory, FILE* file_point);
DWORD get_int(DWORD alignment, DWORD Size);
char* move_export(char* memory);
void move_reloc(char* space, char* memory);
void move_table(char path[]);
DWORD* table_address(char* memory);
DWORD need_space(char* memory);
void export_file(char* memory);

FILE* OpenFile(char path[]) {
	//打开文件
	FILE* file_point;
	int return1 = fopen_s(&file_point, path, "rb");
	if (return1 != 0) {
		printf("获取文件指针错误\n");
	}
	return file_point;
}
//得到开辟内存所需要的大小
char* GetMemory(FILE* file_point) {
	//开辟空间
	fseek(file_point, 0, SEEK_END);
	int file_size = ftell(file_point);
	fseek(file_point, 0, SEEK_SET);
	DWORD needed_size = sizeof(char) * file_size;
	char* enter_memory = (char*)malloc(needed_size);
	memset(enter_memory, 0, needed_size);
	fread(enter_memory, file_size, 1, file_point);
	return enter_memory;
}
//释放空间
void FreeMemory(FILE* file_point, char* memory_point[], int memory_size) {
	for (int i = 0; i < memory_size; i++) {
		free(memory_point[i]);
	}
	fclose(file_point);
}

void conversion(PIMAGE_SECTION_HEADER section) {
	char* point = (char*)section;
	printf("节表: ");
	for (int i = 0; i < 8; i++) {
		printf("%c", *point);
		point++;
	}
}

PIMAGE_DOS_HEADER dos_ptr(char* memory) {
	return (PIMAGE_DOS_HEADER)(memory);
}
PIMAGE_NT_HEADERS nt_ptr(char* memory) {
	return (PIMAGE_NT_HEADERS)((DWORD)dos_ptr(memory) + dos_ptr(memory)->e_lfanew);
}
PIMAGE_FILE_HEADER file_ptr(char* memory) {
	return (PIMAGE_FILE_HEADER)((DWORD)nt_ptr(memory) + 4);
}
PIMAGE_OPTIONAL_HEADER optional_ptr(char* memory) {
	return (PIMAGE_OPTIONAL_HEADER)((DWORD)file_ptr(memory) + 20);
}
PIMAGE_SECTION_HEADER section_ptr(char* memory) {
	return (PIMAGE_SECTION_HEADER)(optional_ptr(memory) + 1);
}
PIMAGE_SECTION_HEADER last_section_ptr(char* memory) {
	PIMAGE_SECTION_HEADER section = section_ptr(memory);
	PIMAGE_FILE_HEADER file = file_ptr(memory);
	int circle_num = file->NumberOfSections;
	for (int i = 0; i < circle_num - 1; i++) {
		section++;
	}
	return section;
}
//导出文件
void export_file(char* memory) {
	FILE* win_file = NULL;
	fopen_s(&win_file, "D:\\Ddisk\\last_memory.exe", "wb");
	fseek(win_file, 0, SEEK_SET);
	PIMAGE_OPTIONAL_HEADER optional = optional_ptr(memory);
	//先导出头部数据
	int sizeofHeaders = optional->SizeOfHeaders;
	int fileAlignment = optional->FileAlignment;
	if ((sizeofHeaders % fileAlignment) > 0) {
		DWORD header_data = fileAlignment * ((sizeofHeaders / fileAlignment) + 1);
		fwrite(memory, 1, header_data, win_file);
	}
	else if ((sizeofHeaders % fileAlignment) == 0) {
		DWORD header_data2 = fileAlignment * (sizeofHeaders / fileAlignment);
		fwrite(memory, 1, header_data2, win_file);
	}
	//导出各个节
	int section_num = file_ptr(memory)->NumberOfSections;
	PIMAGE_SECTION_HEADER section = section_ptr(memory);
	for (int i = 0; i < section_num; i++) {
		fseek(win_file, section->PointerToRawData, SEEK_SET);
		fwrite((char*)(section->PointerToRawData + (DWORD)memory), 1, section->SizeOfRawData, win_file);
		section++;
	}
	fclose(win_file);
}
//将RVA转为FOA
char* transform_to_file(char* memory, char* first) {
	//定位file并获取节表数量
	PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)first;
	PIMAGE_FILE_HEADER file = (PIMAGE_FILE_HEADER)((DWORD)dos + dos->e_lfanew + 4);
	int table_num = file->NumberOfSections;
	//定位optional并获取内存基址与对齐
	PIMAGE_OPTIONAL_HEADER optional = (PIMAGE_OPTIONAL_HEADER)(DWORD(file) + 20);
	DWORD image_base = optional->ImageBase;
	DWORD align = optional->SectionAlignment;
	if ((int)(memory - first) >= (int)image_base) { memory = memory - image_base; }
	if ((int)memory < (int)align) { return memory; }
	PIMAGE_SECTION_HEADER section = NULL;
	section = (PIMAGE_SECTION_HEADER)(optional + 1);
	for (int i = 0; i < table_num; i++) {
		if ((section->VirtualAddress + get_largest_size(section->Misc.VirtualSize, section->SizeOfRawData)) >= (DWORD)memory && (DWORD)memory >= section->VirtualAddress) {
			return (char*)((DWORD)section->PointerToRawData + ((DWORD)memory - (DWORD)section->VirtualAddress));
			break;
		}
		section++;
	}
	return (char*)-1;
}
//将FOA转为RVA
char* transform_to_memory(char* memory, char* first) {
	//定位file并获取节表数量
	PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)first;
	PIMAGE_FILE_HEADER file = (PIMAGE_FILE_HEADER)((DWORD)dos + dos->e_lfanew + 4);
	int table_num = file->NumberOfSections;
	//定位optional并获取内存基址与对齐
	PIMAGE_OPTIONAL_HEADER optional = (PIMAGE_OPTIONAL_HEADER)(DWORD(file) + 20);
	DWORD image_base = optional->ImageBase;
	DWORD align = optional->SectionAlignment;
	if ((int)(memory - first) >= (int)image_base) { memory = memory - image_base; }
	if ((int)memory < (int)align) { return memory; }
	PIMAGE_SECTION_HEADER section = NULL;
	section = (PIMAGE_SECTION_HEADER)(optional + 1);
	for (int i = 0; i < table_num; i++) {
		if (section->PointerToRawData + get_largest_size(section->Misc.VirtualSize, section->SizeOfRawData) >= (DWORD)memory && (DWORD)memory >= section->PointerToRawData) {
			return (char*)((DWORD)section->VirtualAddress + ((DWORD)memory - (DWORD)section->PointerToRawData));
			break;
		}
		section++;
	}
	return (char*)-1;
}
//判断节表中的virtual_size与file_size的大小
DWORD get_largest_size(DWORD virtual_size, DWORD file_size) {
	if (virtual_size > file_size) {
		return virtual_size;
	}
	else {
		return file_size;
	}
	return 0;
}
//得到数据目录表中所有相关的数据
DWORD* data_directory(char* memory) {
	PIMAGE_OPTIONAL_HEADER optional = optional_ptr(memory);
	DWORD* data_directory = (DWORD*)&optional->DataDirectory;
	int directory_circle = optional->NumberOfRvaAndSizes;
	DWORD sum_arr[32] = { 0 };
	for (int i = 0; i < directory_circle; i++) {
		sum_arr[i + 16] = *data_directory;
		sum_arr[i] = (DWORD)(transform_to_file((char*)*data_directory, memory));
		data_directory = data_directory + 2;
	}
	return sum_arr;
}

//新增一个节
// 不拉伸, 使用file_buffer
// 1. 修改numberOfSection
// 2. 修改SizeOfImage=原来的sizeofImage+节对齐后的长度
// 3. 向节表中添加信息
//	(1)判断sizeofHeaders-最后一个节表位置判断是否足够添加节(是否够40字节))
//	(2)够的话添加, 不够的话将节表的数据向前移,修改e_lfanew的值, 继续添加, 还不够的话添加失败(或将两个节表合并, 空出一个节表)
//	(3)判断加多少: 遍历导出表与导入表的数据, 根据其结果得到大小
DWORD get_int(DWORD alignment, DWORD Size) {
	if (Size % alignment == 0) {
		return alignment * (Size / alignment);
	}
	else {
		return ((Size / alignment) * alignment) + alignment;
	}
}
//得到数据目录表存储的各个表的数据
DWORD* table_address(char* memory) {
	PIMAGE_OPTIONAL_HEADER optional = optional_ptr(memory);
	DWORD* data_directory = (DWORD*)&optional->DataDirectory;
	int directory_circle = optional->NumberOfRvaAndSizes;
	DWORD sum_arr[32] = { 0 };
	for (int i = 0; i < directory_circle; i++) {
		sum_arr[i + 16] = *data_directory;
		sum_arr[i] = (DWORD)(transform_to_file((char*)*data_directory, memory));
		data_directory = data_directory + 2;
	}
	return sum_arr;
}
//计算开辟新的节表所需要的空间
DWORD need_space(char* memory) {
	//求出节需要的空间, 目前需要的空间为导出表的数据+重定位表的数据
	//使用数组存储所有表的地址
	DWORD* ptr_one = table_address(memory);
	DWORD directory_arr[32] = { 0 };
	for (int i = 0; i < 32; i++) {
		directory_arr[i] = *ptr_one;
		ptr_one++;
	}
	PIMAGE_OPTIONAL_HEADER optional = optional_ptr(memory);
	//得到导出表需要的空间
	DWORD export_sum_space = 0;
	if (directory_arr[0] != 0) {
		PIMAGE_EXPORT_DIRECTORY export_table2 = (PIMAGE_EXPORT_DIRECTORY)(directory_arr[0] + (DWORD)memory);
		char* name_base = (char*)(transform_to_file((char*)export_table2->Name, memory) + (DWORD)memory);
		//得到导出表需要的空间
		DWORD function_space = 4 * export_table2->NumberOfFunctions;
		DWORD name_order_space = (strlen(name_base)) + (6 * export_table2->NumberOfNames);
		DWORD export_space = ((DWORD)(export_table2 + 1) - (DWORD)(export_table2));
		export_sum_space = function_space + name_order_space + export_space;

	}
	DWORD reloc_size = 0;
	//得到重定位表需要的空间
	if (directory_arr[5] != 0) {
		PIMAGE_BASE_RELOCATION reloc_table = (PIMAGE_BASE_RELOCATION)(directory_arr[5] + (DWORD)memory);
		while (reloc_table->SizeOfBlock != 0 && reloc_table->VirtualAddress != 0) {
			reloc_size = reloc_size + reloc_table->SizeOfBlock;
			reloc_table = (PIMAGE_BASE_RELOCATION)((DWORD)reloc_table + reloc_table->SizeOfBlock);
		}
	}
	return reloc_size + export_sum_space;
}
//添加新的节表
char* add_table(char* memory, FILE* file_point) {
	//得到各个头的指针
	PIMAGE_DOS_HEADER dos = dos_ptr(memory);
	PIMAGE_NT_HEADERS nt = nt_ptr(memory);
	PIMAGE_FILE_HEADER file = file_ptr(memory);
	PIMAGE_OPTIONAL_HEADER optional = optional_ptr(memory);
	PIMAGE_SECTION_HEADER section = section_ptr(memory);

	int section_num = file->NumberOfSections;
	int size_of_header = optional->SizeOfHeaders;
	PIMAGE_SECTION_HEADER last_site = section;
	for (int i = 0; i < section_num; i++) {
		last_site++;
	}
	//将第一个节表的数据复制到要添加的最后一个节表中
	if ((size_of_header - ((DWORD)(last_site)-(DWORD)(memory))) >= 80 && *(char*)last_site == 0x00) {
		DWORD add_data = (DWORD)(section + 1) - (DWORD)(section);
		char* first_site = (char*)section;
		char* last_site2 = (char*)last_site;
		for (int i = 0; i < add_data; i++) {
			*last_site2 = *first_site;
			first_site++;
			last_site2++;
		}
		//更改节表的名称
		char* correct_added_data = (char*)last_site;
		char myName[] = "BruceLi";
		for (int i = 0; i < 8; i++) {
			*correct_added_data = myName[i];
			correct_added_data++;
		}
		//修改新的节表的起始地址, 大小属性
		PIMAGE_SECTION_HEADER dao2_last_site = last_site - 1;
		last_site->PointerToRawData = (dao2_last_site->PointerToRawData + get_int(optional->FileAlignment, dao2_last_site->SizeOfRawData));
		last_site->VirtualAddress = (dao2_last_site->VirtualAddress + get_int(optional->SectionAlignment, dao2_last_site->Misc.VirtualSize));
		DWORD last_size = get_int(optional->SectionAlignment, need_space(memory));
		last_site->SizeOfRawData = last_size;
		last_site->Misc.VirtualSize = last_size;
		//修改Number of section,修改SizeOfImage
		file->NumberOfSections = file->NumberOfSections + 1;
		optional->SizeOfImage = optional->SizeOfImage + last_size;
		//开辟新的空间
		fseek(file_point, 0, SEEK_END);
		int file_size = ftell(file_point);
		char* ptr = memory;
		ptr = (char*)realloc(memory, (file_size + last_size) * sizeof(char));
		return ptr;
	}
	else {
		if (((size_of_header - ((DWORD)last_site - (DWORD)memory)) + (dos->e_lfanew - 0x40)) >= 80) {
			//空间不够但将节表的数据向前移>=40字节, 修改e_lfanew的值
			dos->e_lfanew = 0x40;
			int circle_times = (DWORD)last_site - (DWORD)nt;
			char* correct_ptr = (char*)nt;
			char* correct_ptr2 = (char*)(memory + 64);
			for (int i = 0; i < circle_times; i++) {
				*correct_ptr2 = *correct_ptr;
				*correct_ptr = 0;
				correct_ptr2++;
				correct_ptr++;
			}
			printf("Error\n");
			return 0;
		}
		else {
			printf("Error\n");
			return 0;
		}

	}
	return 0;
}
//将file_address转为virtual_address

//移动导出表
char* move_export(char* memory) {
	//得到数据目录表与需要填充数据的空间
	PIMAGE_SECTION_HEADER last_section = last_section_ptr(memory);
	char* space_site = (char*)last_section->PointerToRawData;
	DWORD arr[32] = { 0 };
	DWORD* ptr = table_address(memory);
	for (int i = 0; i < 32; i++) {
		arr[i] = *ptr;
		ptr++;
	}
	//填充名称表的数据
	char* space2 = space_site + (DWORD)memory;
	if (arr[0] != 0) {
		//根据得到的名称表的大小将名称表移至地址处
		//得到导出表的地址
		PIMAGE_EXPORT_DIRECTORY export_table = (PIMAGE_EXPORT_DIRECTORY)(memory + arr[0]);
		int numberOfNames = export_table->NumberOfNames;
		//得到导出表→ 名称表的地址
		char* addressOfNames_address = transform_to_file((char*)export_table->AddressOfNames, memory) + (DWORD)memory;
		//得到名称表存储名称的真实的值
		char* addressOfNames = (char*)(transform_to_file((char*)*(DWORD*)addressOfNames_address, memory) + (DWORD)memory);
		DWORD* name_address = (DWORD*)addressOfNames_address;

		for (int i = 0; i < numberOfNames; i++) {
			char* address_name = (char*)(transform_to_file((char*)*(DWORD*)name_address, memory) + (DWORD)memory);
			*name_address = (DWORD)transform_to_memory((char*)(space2 - (DWORD)memory), memory);
			for (int i = 0; i < strlen((char*)addressOfNames) + 1; i++) {
				if (i == strlen((char*)(addressOfNames))) {
					*space2 = 0;
					space2++;
					break;
				}
				*space2 = *address_name;
				space2++;
				address_name++;
			}
			name_address++;
		}
		//修改导出表名称表的地址的指针
		export_table->AddressOfNames = (DWORD)transform_to_memory((char*)((DWORD)space2 - (DWORD)memory), memory);
		//将名称表复制到新的空间
		DWORD* space3 = (DWORD*)space2;
		DWORD* need_copy_name = (DWORD*)addressOfNames_address;
		for (int i = 0; i < numberOfNames; i++) {
			*space3 = *need_copy_name;
			space3++;
			need_copy_name++;
		}
		//根据名称表的space3将序号表中的数据遍历至新的地址
		short* space4 = (short*)space3;
		int order_num = export_table->NumberOfNames;
		short* order_site = (short*)(transform_to_file((char*)export_table->AddressOfNameOrdinals, memory) + (DWORD)memory);
		//修改导出表->序号表的地址的指针
		export_table->AddressOfNameOrdinals = (DWORD)transform_to_memory((char*)((DWORD)space3 - (DWORD)memory), memory);
		for (int i = 0; i < order_num; i++) {
			*space4 = *order_site;
			space4++;
			order_site++;
		}
		//根据名称表的space4将函数表中的数据遍历至新的地址
		DWORD* space5 = (DWORD*)space4;
		int function_num = export_table->NumberOfFunctions;
		DWORD* function_site = (DWORD*)(transform_to_file((char*)export_table->AddressOfFunctions, memory) + (DWORD)memory);
		//修改导出表->函数表的地址的指针
		export_table->AddressOfFunctions = (DWORD)transform_to_memory((char*)((DWORD)space4 - (DWORD)memory), memory);
		for (int i = 0; i < function_num; i++) {
			*space5 = *function_site;
			space5++;
			function_site++;
		}
		//根据返回的space5将导出表的名称导至新的空间, 返回space6
		DWORD* space6 = space5;
		DWORD* function_name_site = (DWORD*)(transform_to_file((char*)export_table->Name, memory) + (DWORD)memory);
		export_table->Name = (DWORD)transform_to_memory((char*)((DWORD)space5 - (DWORD)memory), memory);
		*space6 = *function_name_site;
		space6++;
		//将导出表的数据根据space6移至新的空间
		char* export_data_move = (char*)export_table;
		PIMAGE_OPTIONAL_HEADER optional_last = optional_ptr(memory);
		char* transform_export_address = (char*)optional_last->DataDirectory;
		DWORD* export_table_site = (DWORD*)(transform_to_file((char*)*transform_export_address, memory) + (DWORD)memory);
		*export_table_site = (DWORD)space6;
		char* space7 = (char*)space6;
		for (int i = 0; i < ((DWORD)(export_table + 1) - (DWORD)(export_table)); i++) {
			*space7 = *export_data_move;
			space7++;
			export_data_move++;
		}
		return space7;
	}
	else {
		printf("不存在导出表, 无法移动\n");
		return 0;
	}
	return 0;
}
//移动重定位表
void move_reloc(char* space, char* memory) {
	if (space != 0) {
		//找到重定位表的位置
		PIMAGE_OPTIONAL_HEADER optional = optional_ptr(memory);
		DWORD* reloc = (DWORD*)optional->DataDirectory;
		int circle_times = optional->NumberOfRvaAndSizes;
		for (int i = 0; i < circle_times; i++) {
			if (i == 5) {
				break;
			}
			reloc = reloc + 2;
		}
		DWORD* reloc2 = (DWORD*)*reloc;
		*reloc = (DWORD)transform_to_memory((char*)(space - memory), memory);
		char* new_space = (char*)space;
		PIMAGE_BASE_RELOCATION reloc3 = (PIMAGE_BASE_RELOCATION)(transform_to_file((char*)reloc2, memory) + (DWORD)memory);
		char* reloc4 = NULL;
		while (reloc3->SizeOfBlock != 0 && reloc3->VirtualAddress != 0) {
			reloc4 = (char*)reloc3;
			for (int i = 0; i < reloc3->SizeOfBlock; i++) {
				*new_space = *reloc4;
				new_space++;
				reloc4++;
			}
			reloc3 = (PIMAGE_BASE_RELOCATION)((reloc3->SizeOfBlock) + (DWORD)reloc3);
		}
		for (int i = 0; i < 8; i++) {
			*new_space = 0;
			new_space++;
		}
		printf("移动重定位表成功\n");
	}
	else{
		printf("导出表未移动成功, 重定位表移动失败\n");
	}
}
void move_table(char path[]) {
	FILE* file_point = OpenFile(path);
	char* memory_point = GetMemory(file_point);
	char* added_memory = add_table(memory_point, file_point);
	char* space = move_export(added_memory);
	move_reloc(space, added_memory);
	export_file(added_memory);
	char* memory[] = { added_memory };
	int num = (sizeof(memory)) / 4;
	FreeMemory(file_point, memory, num);
}
int main() {
    char dll[] = "D:\\Ddisk\\逆向\\AutoUpdateUtil.dll";
    char last_memory[] = "D:\\Ddisk\\last_memory.exe";
    char notepad[] = "C:\\Windows\\System32\\notepad.exe";
    char crack[] = "D:\\Ddisk\\逆向\\CrackMe.exe";
	move_table(dll);
}

wave_sky
关注
滴水课程作业(手动+代码解析pe
weixin_52437902的博客
07-27 547
滴水逆向课后作业
滴水三期PE文件格式个人笔记
weixin_73368512的博客
11-30 322
【代码】滴水三期PE文件格式个人笔记。
滴水逆向三期笔记和作业-PE总结1
weixin_44449397的博客
01-18 3079
PE头手动解析,节表,FileBuffer-ImageBuffer
滴水三期 win32作业项目 PE查看器源码
05-16
滴水三期 win32作业项目 PE查看器源码
滴水逆向三期笔记和作业-PE总结3
weixin_44449397的博客
01-20 1875
导出表,重定位表,IAT表和导入表,绑定导入表
滴水逆向PE作业——扩大一个节
weixin_44584614的博客
03-19 900
扩大一个节: 流程如下: 注意:修改完ImageBuffer后需要将其再压缩(拉伸的逆过程)后再存盘。 代码: // ExtendLastSection.cpp : Defines the entry point for the console application. // #include "stdafx.h" #include "windows.h" #include "malloc....
滴水逆向3作业Filebuffer->Imagebuffer->Newbuffer->存盘功能C++源码
06-23
"滴水逆向3作业"是一个关于逆向工程的学习项目,重点在于理解C++源码中如何处理文件,特别是与PE(Portable Executable)文件格式相关的操作。PE文件格式是Windows操作系统中用于可执行程序、动态链接库(DLL)和...
滴水三期】32/64位——PE文件头字段打印与解析
sunqingyu888的博客
08-03 1066
滴水三期】32/64位——PE文件头字段打印与解析
[滴水逆向]03-12 pe头字段说明课后作业,输出pe结构
fzucaicai的博客
09-21 1147
所以重点来了:用完ftell()这个函数,就会将文件内部指针的位置移动到最末尾(如果设置的是SEEK_END),所以需要重新使用一下fseek重新设置文件内部指针的一个位置。有个问题,因为我认为前面一个已经判断指针移动失败了,于是我把第二个注释了,发现少了第二个fseek就会输出错误的答案。如果执行成功 , 则返回 0 , 失败返回非 0 , 并设置 error 错误代码;偏移量参数 , 可以为正数 , 也可以为负数;设置的指针的位置是 起始位置 + 偏移量;
滴水逆向作业——PE03_stage1
weixin_44584614的博客
02-17 1541
#include "stdafx.h" #include "string.h" #include <malloc.h> #include <windows.h> WORD NumberOfSections = 0; DWORD SizeOfHeaders = 0; DWORD SizeOfImage = 0; DWORD SectionAlignment = 0; i...
滴水逆向作业——PE_02打印PE头部信息
weixin_44584614的博客
02-15 1400
打印PE头部信息: PE头包含:DOS头+4字节PE标识符+NT头(标准PE头+可选PE头)。 #include "stdafx.h" #include "string.h" #include <malloc.h> #include <windows.h> FILE* open_file(char* file_path,char* open_mode); int com...
11.PE文件之导出表(IMAGE_EXPORT_DIRECTORY)
kernelhack
10-29 6601
目录 导出表定位以及解析(手动) 代码定位导出表并打印其数据 通过函数名查找导出函数地址 通过导出函数序号查找函数地址 移动导出表 PE中的导出表通常存在于动态链接库文件里.有些EXE也会存在导出表.导出表的主要作用是将PE中存在的函数引出到外部,以便其他人可以使用这些函数,实现代码的重用.导出表的存在可以让程序的开发者很容易清楚PE中到底有多少可以使用的函数. Windows装载器在进行PE装载时,将与进程相关的DLL加载到对应虚拟地址空间.会根据导入表中登记的与该动态链接库相关的由INT指
如何从PIMAGE_EXPORT_DIRECTORY节,得到某个API函数代码地址
lessonzhe的专栏
04-24 2432
//功能:得到某个API函数代码地址//参数://hModule: 导入模块的句柄(如user32.dll模块的句柄,GetModuleHandle("user32.dll"))//pProcName: 函数名或序号 const FARPROC GetExportFunctionFARPROC(HMODULE hModule, LPCSTR pProcName) { PIMAGE_EXPORT_D
PE文件-导出表
weixin_45012273的博客
11-08 1594
导出表 导出表一般用于DLL文件,DLL导出了什么函数都记录在导出表上,在数据目录的第1项,下标为0 导出表结构 typedef struct _IMAGE_EXPORT_DIRECTORY { DWORD Characteristics; //保留值 恒定为0 DWORD TimeDateStamp; //和文件头中的地址一样 WORD MajorVersion; //主版本...
PE文件(七)导入表
2301_78838647的博客
07-10 2012
解析此图:该PE文件以.def的方式自定义序号导出函数,定义了序号13、14、16、17、19的导出函数,那么Base的值应为13,那么序号为13的函数相对相对下标就是0,序号14的导出函数相对下标就是1,序号为15的导出函数虽然没有,但是会把位置空出来,定义地址值为NULL,即0x00000000,序号16的导出函数相对下标就是3…导出函数名称表RVA我们在硬盘数据找该表地址时要先转成FOA,这个地址指向的表记录了导出函数的名称字符串RVA首地址,而不是导出函数名称。//导出函数名称表RVA *
滴水逆向三期实践11:导出表
Rivival_S 的博客
10-28 1471
前面提到头OPTIONAL_HEADER的最后一项,是一个16个元素的结构体数组,为数据目录。 而数据目录项的第一个结构,就是动态链接库中经常提到的 导出表. typedef struct _IMAGE_DATA_DIRECTORY { DWORD VirtualAddress; DWORD Size; } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIR...
《Windows PE》5.2 遍历导出表
最新发布
bcdaren的博客
10-10 1386
这段代码使用了 EnumProcessModules 函数遍历进程中的模块,并使用 GetModuleInformation 函数获取模块的基址。32位和64位PE文件导出表描述符是相同的,遍历导出表的区别只有两点,32位基址和64位基址,以及NT32位NT头和64位NT头的区别。实验34:方法一,使用常规方法实现,将程序读到内存指定位置,进行磁盘与内存的转换。实验35:方法二,使用常规方法实现,将程序读到内存指定位置,进行磁盘与内存的转换。使用常规方法实现,将程序读到内存指定位置,进行磁盘与内存的转换。
滴水逆向三期实践13:移动导出表
Rivival_S 的博客
10-28 1439
为什么要移动各种表? 1、这些表是编译器生成的,里面存储了非常重要的信息。 2、在程序启动的时候,系统会根据这些表做初始化的工作: 比如,将用到的DLL中的函数地址存储到 IAT 表中(IAT表后面会讲) 3、为了保护程序,可以对.exe的二进制代码进行加密操作,但问题是: 我们知道数据目录的各种表是存在各个节里的,而exe的代码的信息也是在节里,表与客户字节的代码和数据都混在一起了,如果进行加密(加壳),那系统在初始化的时候会出问题! 综上,学会移动各种表,是对程序加密/破解的基础。 移动导
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值