解析程序自己的附加数据,将附加数据写入文件中。
主要步骤是解析PE文件头,定位到附加数据(overlay)的起始位置,再把这段数据写入文件。常见的应用场景是crackme:crackme自身带有一段加密过的附加数据,在运行过程中解析出自己的附加数据,然后对这段数据解密。
代码留存:
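// Read this executable's own image from disk, locate the overlay (the bytes
// that follow the raw data of the last section) and dump it to a file.
//
// Every header field is validated against the number of bytes actually read
// before it is used as an offset: the same code is often pointed at other
// files, and a truncated or crafted header would otherwise index outside the
// buffer.
TCHAR szModuleFile[MAX_PATH] = {0};
DWORD dwPathLen = ::GetModuleFileName(NULL, szModuleFile, MAX_PATH);
if (dwPathLen == 0 || dwPathLen >= MAX_PATH)
{
    // A return value of MAX_PATH means the path was truncated.
    AfxMessageBox("GetModuleFileName error");
    return ;
}

// CreateFile reports failure with INVALID_HANDLE_VALUE, never with NULL.
HANDLE hFile = ::CreateFile(szModuleFile, GENERIC_READ, FILE_SHARE_READ, NULL,
                            OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
    AfxMessageBox("create file error");
    return ;
}

// Ask for the high DWORD too so that a file larger than 4 GB is rejected
// instead of being silently truncated to its low 32 bits.
DWORD dwSizeHigh = 0;
DWORD dwFileSize = ::GetFileSize(hFile, &dwSizeHigh);
if (dwFileSize == INVALID_FILE_SIZE || dwFileSize == 0 || dwSizeHigh != 0)
{
    ::CloseHandle(hFile);
    AfxMessageBox("GetFileSize error");
    return ;
}

// Byte buffer, so that file offsets can be added to the pointer directly.
// (With a TCHAR buffer the offsets are scaled by sizeof(TCHAR) in a Unicode build.)
BYTE *pBuffer = new BYTE[dwFileSize];
DWORD dwReadBytes = 0;
BOOL bSuc = ::ReadFile(hFile, pBuffer, dwFileSize, &dwReadBytes, NULL);
::CloseHandle(hFile);   // the file is not needed once it is in memory
if (!bSuc || dwReadBytes != dwFileSize)
{
    delete[] pBuffer;
    AfxMessageBox("read file error");
    return ;
}

// Walk DOS header -> NT headers -> section table, checking each step.
DWORD dwOverlayOffset = 0;
BOOL bValidPE = FALSE;
if (dwFileSize >= sizeof(IMAGE_DOS_HEADER))
{
    const IMAGE_DOS_HEADER *pDosHead = (const IMAGE_DOS_HEADER *)pBuffer;
    // Only Signature and FileHeader are read from the NT headers below.
    const ULONGLONG ullNtFixed = sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER);

    if (pDosHead->e_magic == IMAGE_DOS_SIGNATURE &&
        pDosHead->e_lfanew > 0 &&
        (ULONGLONG)pDosHead->e_lfanew + ullNtFixed <= dwFileSize)
    {
        // Get the PE header.
        const IMAGE_NT_HEADERS *pNtHeader =
            (const IMAGE_NT_HEADERS *)(pBuffer + pDosHead->e_lfanew);

        if (pNtHeader->Signature == IMAGE_NT_SIGNATURE)
        {
            WORD wNumOfSection = pNtHeader->FileHeader.NumberOfSections;

            // The section table starts after the optional header, whose size
            // is given by SizeOfOptionalHeader; sizeof(IMAGE_NT_HEADERS) is
            // only right when the build's bitness matches the file's.
            ULONGLONG ullSectionTable = (ULONGLONG)pDosHead->e_lfanew + ullNtFixed +
                                        pNtHeader->FileHeader.SizeOfOptionalHeader;
            ULONGLONG ullSectionTableEnd = ullSectionTable +
                (ULONGLONG)wNumOfSection * sizeof(IMAGE_SECTION_HEADER);

            if (wNumOfSection != 0 && ullSectionTableEnd <= dwFileSize)
            {
                const IMAGE_SECTION_HEADER *pSection =
                    (const IMAGE_SECTION_HEADER *)(pBuffer + (size_t)ullSectionTable);

                // End of raw section data = highest PointerToRawData + SizeOfRawData.
                // Taking the maximum does not depend on the table being ordered
                // by file offset.
                ULONGLONG ullRawEnd = 0;
                for (WORD i = 0; i < wNumOfSection; ++i)
                {
                    if (pSection[i].SizeOfRawData == 0)
                    {
                        continue;   // no bytes on disk for this section
                    }
                    ULONGLONG ullEnd = (ULONGLONG)pSection[i].PointerToRawData +
                                       pSection[i].SizeOfRawData;
                    if (ullEnd > ullRawEnd)
                    {
                        ullRawEnd = ullEnd;
                    }
                }

                // A raw end beyond the file would make the size subtraction
                // below wrap around to a huge value.
                if (ullRawEnd <= dwFileSize)
                {
                    dwOverlayOffset = (DWORD)ullRawEnd;
                    bValidPE = TRUE;
                }
            }
        }
    }
}
if (!bValidPE)
{
    delete[] pBuffer;
    AfxMessageBox("parse PE error");
    return ;
}

const BYTE *pOverLay = pBuffer + dwOverlayOffset;
DWORD dwOverlaySize = dwFileSize - dwOverlayOffset;

// NOTE(review): the output path is hard-coded to one account's desktop and
// will fail elsewhere. CREATE_NEW fails when the file already exists, so an
// earlier dump is never overwritten.
HANDLE hOutFile = ::CreateFile("C:\\Users\\Administrator\\Desktop\\crackme.exe.overlay",
                               GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_NEW,
                               FILE_ATTRIBUTE_NORMAL, NULL);
if (hOutFile == INVALID_HANDLE_VALUE)
{
    delete[] pBuffer;
    AfxMessageBox("create output file error");
    return ;
}

DWORD dwWritten = 0;
BOOL bWriteOk = ::WriteFile(hOutFile, pOverLay, dwOverlaySize, &dwWritten, NULL);
::CloseHandle(hOutFile);
if (!bWriteOk || dwWritten != dwOverlaySize)
{
    delete[] pBuffer;
    AfxMessageBox("write file error");
    return ;
}

// The message below says "first byte of the overlay is 0", so test that byte
// (and only when an overlay exists). Comparing the pointer itself with zero,
// as the previous version did, can never be true.
if (dwOverlaySize != 0 && pOverLay[0] == 0)
{
    delete[] pBuffer;
    AfxMessageBox("附加数据首字节为0");
    return ;
}

// Memory obtained with new[] must be released with delete[], not free().
delete[] pBuffer;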