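/**
 * Writes an 18-byte stub into the unused tail of one section of a PE file,
 * points the entry point at it, and saves the result to a fixed output path.
 *
 * The stub is: four `push 0`, `call rel32` (MessageBoxA), `jmp rel32` (back to
 * the original entry point). What changes in the written file:
 *   - the chosen section gains IMAGE_SCN_MEM_EXECUTE;
 *   - AddressOfEntryPoint becomes VirtualAddress + VirtualSize of that section,
 *     i.e. the first byte after the section's declared virtual data
 *     (VirtualSize itself is left unchanged);
 *   - 18 bytes are written at that location.
 *
 * Caveats visible from this code:
 *   - The call displacement is computed from the address MessageBoxA has in
 *     THIS process and from the file's preferred ImageBase. It is only correct
 *     if both values still hold when the patched file runs.
 *   - Header offsets (e_lfanew, SizeOfOptionalHeader, section RVAs) are trusted
 *     as read from the file; the buffer sizes are not available here, so they
 *     cannot be bounds-checked in this function.
 *
 * @param numberOfSecitons  Zero-based index of the section to patch.
 * @param fileName          Path of the input file, passed to FileToFileBuffer.
 * @return TRUE if the patched image was written, FALSE on any failure.
 */
BOOL ShellCodeToAnySections(DWORD numberOfSecitons,PVOID fileName) {
    /* Both rel32 fields (bytes 9..12 and 14..17) are placeholders that are
       overwritten below before the stub is copied. */
    BYTE shellcode[] = { 0x6a,0x00,0x6a,0x00,0x6a,0x00,0x6a,0x00,0xe8,0xD9,0x42,0xcd,0x74,0xe9,0x12,0xc9,0xff,0xff };
    BOOL ok = FALSE;
    PVOID pFileBuffer = NULL;
    PVOID pImageBuffer = NULL;
    PIMAGE_DOS_HEADER pDosHeader;
    PIMAGE_NT_HEADERS pNTHeader;
    PIMAGE_FILE_HEADER pFileHeader;
    PIMAGE_OPTIONAL_HEADER pOptHeader;
    PIMAGE_SECTION_HEADER pSecHeader;
    DWORD stubRva;
    DWORD callRel32;
    DWORD jmpRel32;

    pFileBuffer = FileToFileBuffer(fileName);
    if (!pFileBuffer) {
        printf("read file failed\n");
        goto done;
    }

    pImageBuffer = FileBufferToImageBuffer(pFileBuffer);
    if (!pImageBuffer) {
        printf("build image buffer failed\n");
        goto done;
    }

    /* Check the DOS magic before following e_lfanew, so a non-PE input is
       rejected instead of being dereferenced at an arbitrary offset. */
    pDosHeader = (PIMAGE_DOS_HEADER)pImageBuffer;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        printf("File is not PE\n");
        goto done;
    }

    /* Byte-pointer arithmetic instead of casting the pointer to DWORD, which
       truncates where pointers are wider than 32 bits.
       NOTE(review): e_lfanew is not range-checked; the image buffer size is
       not known in this function. */
    pNTHeader = (PIMAGE_NT_HEADERS)((BYTE *)pImageBuffer + pDosHeader->e_lfanew);
    if (pNTHeader->Signature != IMAGE_NT_SIGNATURE) {
        printf("File is not PE\n");
        goto done;
    }

    pFileHeader = &pNTHeader->FileHeader;
    pOptHeader = &pNTHeader->OptionalHeader;
    pSecHeader = (PIMAGE_SECTION_HEADER)((BYTE *)pOptHeader + pFileHeader->SizeOfOptionalHeader);

    if (numberOfSecitons >= pFileHeader->NumberOfSections) {
        printf("over max number of sections\n");
        goto done;
    }
    pSecHeader += numberOfSecitons;

    /* The stub must fit between the end of the virtual data and the end of the
       raw data. Compared unsigned, with the underflow case tested first. */
    if (pSecHeader->SizeOfRawData < pSecHeader->Misc.VirtualSize ||
        pSecHeader->SizeOfRawData - pSecHeader->Misc.VirtualSize < sizeof(shellcode)) {
        printf("section size is not enough\n");
        goto done;
    }

    /* RVA of the stub: first byte past the section's declared virtual data. */
    stubRva = pSecHeader->VirtualAddress + pSecHeader->Misc.VirtualSize;

    /* rel32 = target - address of the next instruction.
       call ends 8 + 5 bytes into the stub, jmp ends 8 + 5 + 5 bytes in.
       The call target is the absolute address of MessageBoxA in this process. */
    callRel32 = (DWORD)MessageBoxA - (pOptHeader->ImageBase + stubRva + 8 + 5);
    jmpRel32 = pOptHeader->AddressOfEntryPoint - (stubRva + 8 + 5 + 5);

    /* memcpy avoids unaligned DWORD stores into the byte array. */
    memcpy(shellcode + 9, &callRel32, sizeof(callRel32));
    memcpy(shellcode + 9 + 5, &jmpRel32, sizeof(jmpRel32));

    pSecHeader->Characteristics |= IMAGE_SCN_MEM_EXECUTE;
    pOptHeader->AddressOfEntryPoint = stubRva;
    memcpy((BYTE *)pImageBuffer + stubRva, shellcode, sizeof(shellcode));

    /* NOTE(review): the return value replaces pImageBuffer and is what gets
       freed, exactly as before. Whether ImageBufferToFileBuffer returns a new
       buffer or its input is not visible here, so ownership of the image
       buffer on the failure paths is left untouched - confirm against the
       helper and free it there if the caller owns it. */
    pImageBuffer = ImageBufferToFileBuffer("C:\\Users\\12459\\Downloads\\111.exe", pImageBuffer);
    if (!pImageBuffer) {
        printf("fwrite failed\n");
        goto done;
    }
    free(pImageBuffer);
    ok = TRUE;

done:
    /* The file buffer is owned by this function (the original already freed it
       on one error path); release it on every exit. free(NULL) is a no-op. */
    free(pFileBuffer);
    return ok;
}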