Parsing the appended data (overlay) of a PE file
阿新 • Published: 2017-05-06
The program parses its own appended data (the overlay) and writes that data out to a file.
The work is mostly parsing the PE headers: locate where the overlay begins, then write those bytes to a file.
A common scenario is a crackme that carries an encrypted blob as appended data. While running, the crackme parses its own overlay and then decrypts that data.
Code kept for reference:
```cpp
// Parse our own PE image and write its overlay (appended data) to a file.
// MFC build: AfxMessageBox comes from afxwin.h.
#include <afxwin.h>
#include <tchar.h>

void DumpOverlay()
{
    TCHAR szModuleFile[MAX_PATH] = {0};
    ::GetModuleFileName(NULL, szModuleFile, MAX_PATH);

    // CreateFile signals failure with INVALID_HANDLE_VALUE, not NULL.
    HANDLE hFile = ::CreateFile(szModuleFile, GENERIC_READ, FILE_SHARE_READ, NULL,
                                OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        AfxMessageBox(_T("create file error"));
        return;
    }

    DWORD dwFileSize = ::GetFileSize(hFile, NULL);
    if (dwFileSize == INVALID_FILE_SIZE || dwFileSize < sizeof(IMAGE_DOS_HEADER)) {
        AfxMessageBox(_T("GetFileSize error"));
        ::CloseHandle(hFile);
        return;
    }

    // Read the whole file into memory; the handle is not needed after this.
    BYTE *pBuffer = new BYTE[dwFileSize];
    DWORD dwReadBytes = 0;
    BOOL bSuc = ::ReadFile(hFile, pBuffer, dwFileSize, &dwReadBytes, NULL);
    ::CloseHandle(hFile);
    if (!bSuc || dwReadBytes != dwFileSize) {
        AfxMessageBox(_T("read file error"));
        delete[] pBuffer;
        return;
    }

    // DOS header -> NT headers -> section table.
    IMAGE_DOS_HEADER *pDosHead = (IMAGE_DOS_HEADER *)pBuffer;
    if (pDosHead->e_magic != IMAGE_DOS_SIGNATURE ||
        (DWORD)pDosHead->e_lfanew + sizeof(IMAGE_NT_HEADERS) > dwFileSize) {
        AfxMessageBox(_T("not a PE file"));
        delete[] pBuffer;
        return;
    }
    IMAGE_NT_HEADERS *pNtHeader = (IMAGE_NT_HEADERS *)(pBuffer + pDosHead->e_lfanew);
    if (pNtHeader->Signature != IMAGE_NT_SIGNATURE) {
        AfxMessageBox(_T("not a PE file"));
        delete[] pBuffer;
        return;
    }
    WORD wNumOfSection = pNtHeader->FileHeader.NumberOfSections;

    // IMAGE_FIRST_SECTION skips Signature + FileHeader + SizeOfOptionalHeader,
    // the same offset the original computed by hand; the struct fields replace
    // the DWORD-pointer arithmetic into the section header.
    IMAGE_SECTION_HEADER *pLastSection = IMAGE_FIRST_SECTION(pNtHeader) + (wNumOfSection - 1);

    // The overlay starts right after the last section's raw data on disk
    // (assumes the last table entry is also last in the file, the usual linker layout).
    DWORD dwOverlayOffset = pLastSection->PointerToRawData + pLastSection->SizeOfRawData;
    if (dwOverlayOffset >= dwFileSize) {
        AfxMessageBox(_T("no overlay"));
        delete[] pBuffer;
        return;
    }
    BYTE *pOverLay = pBuffer + dwOverlayOffset;
    DWORD dwOverlaySize = dwFileSize - dwOverlayOffset;

    // The original compared the pointer itself with 0; the intent is the first overlay byte.
    if (pOverLay[0] == 0) {
        AfxMessageBox(_T("附加數據首字節為0"));   // "first byte of the overlay is 0"
        delete[] pBuffer;
        return;
    }

    HANDLE hOutFile = ::CreateFile(_T("C:\\Users\\Administrator\\Desktop\\crackme.exe.overlay"),
                                   GENERIC_WRITE, FILE_SHARE_READ, NULL,
                                   CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hOutFile == INVALID_HANDLE_VALUE) {
        delete[] pBuffer;
        return;
    }
    DWORD dwWritten = 0;
    ::WriteFile(hOutFile, pOverLay, dwOverlaySize, &dwWritten, NULL);
    ::CloseHandle(hOutFile);

    delete[] pBuffer;   // allocated with new[], so delete[] rather than free()
}
```
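The header walk described above, as an added example that is not the post's code: it reads the same fields (e_lfanew, NumberOfSections, SizeOfOptionalHeader, each section's SizeOfRawData and PointerToRawData) by file offset instead of through windows.h, so it builds and runs on any platform, and it bounds-checks every read so a truncated or non-PE input is reported rather than read past. It goes one step beyond the post by taking the highest-ending section rather than the last table entry, which covers section tables that are not in file order. The sample image, `build_sample_pe`, the struct `OverlayInfo` and the function names are constructed for this example.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Added example, not the post's code: a windows.h-free PE overlay locator.

struct OverlayInfo {
    size_t offset = 0;  // file offset where the overlay begins
    size_t size = 0;    // bytes after the last section's raw data (0 = no overlay)
};

static uint16_t rd16(const std::vector<uint8_t>& b, size_t off) {
    return static_cast<uint16_t>(b[off] | (b[off + 1] << 8));
}
static uint32_t rd32(const std::vector<uint8_t>& b, size_t off) {
    return static_cast<uint32_t>(b[off]) | (static_cast<uint32_t>(b[off + 1]) << 8) |
           (static_cast<uint32_t>(b[off + 2]) << 16) | (static_cast<uint32_t>(b[off + 3]) << 24);
}

// Locates the overlay. Returns false (with a reason in *err) when the buffer is
// not a well-formed PE image or its section data runs past the end of the file.
bool find_overlay(const std::vector<uint8_t>& f, OverlayInfo& out, std::string* err) {
    const size_t n = f.size();
    if (n < 64 || rd16(f, 0) != 0x5A4D) { if (err) *err = "missing MZ header"; return false; }
    const uint32_t lfanew = rd32(f, 60);                      // IMAGE_DOS_HEADER.e_lfanew
    // Signature(4) + IMAGE_FILE_HEADER(20) must fit before they are read.
    if (static_cast<uint64_t>(lfanew) + 24 > n || rd32(f, lfanew) != 0x00004550) {
        if (err) *err = "missing PE signature"; return false;
    }
    const uint16_t nsec = rd16(f, lfanew + 6);                // FileHeader.NumberOfSections
    const uint16_t optsz = rd16(f, lfanew + 20);              // FileHeader.SizeOfOptionalHeader
    const uint64_t table = static_cast<uint64_t>(lfanew) + 24 + optsz;  // IMAGE_FIRST_SECTION
    if (table + static_cast<uint64_t>(nsec) * 40 > n) { if (err) *err = "section table truncated"; return false; }

    // The overlay starts after the highest-ending raw section, not necessarily the
    // last table entry: linkers keep the table in file order, but the format does not require it.
    uint64_t end = table + static_cast<uint64_t>(nsec) * 40;
    for (uint16_t i = 0; i < nsec; ++i) {
        const size_t sec = static_cast<size_t>(table) + i * 40;  // IMAGE_SECTION_HEADER is 40 bytes
        const uint32_t raw = rd32(f, sec + 16);   // SizeOfRawData
        const uint32_t ptr = rd32(f, sec + 20);   // PointerToRawData
        if (raw == 0) continue;                   // uninitialised data has no file bytes
        end = std::max(end, static_cast<uint64_t>(ptr) + raw);
    }
    if (end > n) { if (err) *err = "section data runs past end of file"; return false; }
    out.offset = static_cast<size_t>(end);
    out.size = n - out.offset;
    return true;
}

// Convenience wrapper: the overlay bytes, or an empty vector when there are none.
std::vector<uint8_t> extract_overlay(const std::vector<uint8_t>& f) {
    OverlayInfo info;
    if (!find_overlay(f, info, nullptr)) return {};
    return std::vector<uint8_t>(f.begin() + info.offset, f.end());
}

// Constructed test image (not real compiler output): MZ + PE headers, a zeroed
// PE32 optional header and two sections whose table order is the reverse of
// their file order, followed by `overlay`.
std::vector<uint8_t> build_sample_pe(const std::vector<uint8_t>& overlay) {
    std::vector<uint8_t> f(1536, 0);
    auto w16 = [&](size_t off, uint16_t v) { f[off] = v & 0xFF; f[off + 1] = v >> 8; };
    auto w32 = [&](size_t off, uint32_t v) { for (int i = 0; i < 4; ++i) f[off + i] = (v >> (8 * i)) & 0xFF; };
    w16(0, 0x5A4D);        // "MZ"
    w32(60, 64);           // e_lfanew: NT headers directly follow the DOS header
    w32(64, 0x00004550);   // "PE\0\0"
    w16(64 + 6, 2);        // NumberOfSections
    w16(64 + 20, 224);     // SizeOfOptionalHeader (PE32)
    const size_t table = 64 + 24 + 224;   // section table at offset 312
    // Entry 0: raw data at file offset 1024..1536 (ends last in the file)
    w32(table + 16, 512); w32(table + 20, 1024);
    // Entry 1: raw data at file offset 512..1024
    w32(table + 40 + 16, 512); w32(table + 40 + 20, 512);
    f.insert(f.end(), overlay.begin(), overlay.end());
    return f;
}

int main() {
    const std::vector<uint8_t> secret = {'S', 'E', 'C', 'R', 'E', 'T'};
    std::vector<uint8_t> image = build_sample_pe(secret);
    OverlayInfo info; std::string err;
    if (!find_overlay(image, info, &err)) { std::printf("error: %s\n", err.c_str()); return 1; }
    std::printf("overlay at 0x%zx, %zu bytes\n", info.offset, info.size);
    return 0;
}
```

With the sample image the post's last-table-entry rule would report the overlay at 0x400, which is still inside the first section's raw data; taking the maximum end over all sections gives 0x600, the true start of the appended bytes.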