标题:放下代码 PE文件变形之初步 移动PE头
放下代码 PE文件变形之初步 移动PE头
程序代码:
.386 
.model flat,stdcall 
option casemap:none 
include windows.inc 
include user32.inc 
include kernel32.inc 
include gdi32.inc 
includelib gdi32.lib 
includelib user32.lib 
includelib kernel32.lib 
Message  proto :DWORD

 movfile proto  :dword,:dword,:dword

 IsPeFile proto :dword

 MovPeHead proto :dword,:dword,:dword
.data
     
     szFileName db "E:\stu1\stu2\bin\Debug\main.exe",0   ; hard-coded target image; opened read/write by start
     szEorro    db "file open fail",0                     ; shown when CreateFile fails
     szCaption  db "PEêμÑé",0                             ; MessageBox caption (mojibake in this listing; presumably a GBK Chinese caption - confirm against the original source)
     szsuccesful db "successful!",0                       ; not referenced in this listing
     szpe    db "this is a pe file",0                     ; shown by IsPeFile when MZ + PE signatures are found
     szPeMovNo  db "Îļt2»Dèòaòƶˉ",0                      ; shown by MovPeHead when the header is already at the requested offset (mojibake here; presumably GBK Chinese)
     szNoPe     db "this is not PE file",0                ; shown by start when IsPeFile returns 0
.data?
     hFileHanld dword ?                ; handle returned by CreateFile
     szbuff  dword 4096 dup (?)        ; 16 KiB image buffer; start reads only 400h bytes into it, the rest stays zero
     szreadnum dword ?                 ; byte count filled in by ReadFile
     szbuff1    IMAGE_DOS_HEADER <>    ; not referenced in this listing
     dwPeRav    dword ?                ; current e_lfanew (offset of the "PE" signature) as returned by IsPeFile
     
.code
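     start:
            ; Open the target image read/write. OPEN_EXISTING: the tool patches
            ; an existing file; OPEN_ALWAYS would silently create an empty file
            ; when the path is wrong and then go on to "process" it.
            invoke CreateFile,offset szFileName,GENERIC_READ or GENERIC_WRITE,NULL,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL
            .IF eax==INVALID_HANDLE_VALUE
                invoke MessageBox,NULL,offset szEorro,offset szCaption,MB_OK
                invoke ExitProcess,NULL
            .endif
            mov hFileHanld,eax

            ; Read the first 400h bytes (DOS header, stub and, for a typical
            ; image, the NT headers and section table) into szbuff.
            ; NOTE(review): nothing checks that e_lfanew + header size fits in
            ; the bytes actually read; a large stub would be truncated.
            invoke ReadFile,hFileHanld,offset szbuff,0400h,offset szreadnum,NULL
            .if eax==0
                ; read failed; szEorro is the closest existing message text
                invoke MessageBox,NULL,offset szEorro,offset szCaption,MB_OK
                jmp over
            .endif

            ; IsPeFile returns e_lfanew (non-zero) for an MZ/PE image, 0 otherwise.
            invoke IsPeFile,offset szbuff
            .if eax==0
                ; OFFSET was missing here: the string bytes, not the address, were passed
                invoke MessageBox,NULL,offset szNoPe,NULL,MB_OK
                jmp over
            .endif
            mov dwPeRav,eax

            ; Relocate the NT headers to offset 0Ch, i.e. into the DOS header
            ; area, and point e_lfanew at them. The result has e_lfanew inside
            ; IMAGE_DOS_HEADER, a layout strict PE parsers may not accept.
            invoke MovPeHead,offset szbuff,0ch,dwPeRav

            ; Write back exactly the bytes that were read. szreadnum is pushed by
            ; value as the byte count before the call, so the same variable can
            ; receive lpNumberOfBytesWritten, which must not be NULL for a
            ; synchronous (non-overlapped) handle.
            invoke SetFilePointer,hFileHanld,0,0,FILE_BEGIN
            invoke WriteFile,hFileHanld,offset szbuff,szreadnum,offset szreadnum,NULL

         over:
            ; both exit paths arrive here with the file still open
            invoke CloseHandle,hFileHanld
            invoke ExitProcess,NULL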
           ;---------------------------------------------------------------
           ; Message(lpstring) - show lpstring in an OK box titled szCaption.
           ; In:    lpstring = pointer to a zero-terminated ANSI string
           ; Out:   eax = MessageBox return value
           ; Clobb: ecx, edx, flags (Win32 API call)
           ;---------------------------------------------------------------
           Message proc lpstring:dword
               ; MessageBox(NULL, lpstring, szCaption, MB_OK), stdcall: pushed right-to-left
               push MB_OK
               push offset szCaption
               push lpstring
               push NULL
               call MessageBox
               ret
           Message endp
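          ;---------------------------------------------------------------
          ; movfile(dst, src, sizelen) - copy sizelen bytes from src to dst,
          ; zeroing each source byte right after it is copied, so the part
          ; of src not covered by the destination is left cleared.
          ; Copies forward one byte at a time: correct for overlapping
          ; ranges only when dst <= src (MovPeHead moves the header towards
          ; the start of the image, which satisfies this).
          ; In:    dst, src = buffer pointers; sizelen = byte count (0 allowed)
          ; Out:   eax not written
          ; Clobb: ecx, flags; esi/edi preserved via USES
          ;---------------------------------------------------------------
          movfile proc uses esi edi dst:dword,src:dword,sizelen:dword
              mov ecx,sizelen
              test ecx,ecx
              jz copy_done                   ; sizelen==0: LOOP would otherwise wrap and run 2^32 times
              mov edi,dst
              mov esi,src
              cld                            ; movsb must walk upwards
          copy_byte:
              movsb                          ; [edi++] = [esi++]
              mov byte ptr [esi-1],0         ; clear the byte just copied out of src
              dec ecx
              jnz copy_byte
          copy_done:
              ret
          movfile endp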
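          ;---------------------------------------------------------------
          ; IsPeFile(lpbuff) - check for an MZ header whose e_lfanew points
          ; at a "PE\0\0" signature inside the image buffer.
          ; In:    lpbuff = start of the image; expected to be szbuff (the
          ;        only caller passes it), whose size bounds e_lfanew below
          ; Out:   eax = e_lfanew (offset of the PE signature) on success,
          ;        0 if no MZ/PE signature or e_lfanew is out of range
          ; Side:  pops the szpe message box on success (kept from the
          ;        original; callers use the return value)
          ; Clobb: ecx, edx, flags; esi preserved via USES
          ;---------------------------------------------------------------
          IsPeFile proc uses esi lpbuff:dword
              mov esi,lpbuff
              xor eax,eax
              assume esi : ptr IMAGE_DOS_HEADER
              .IF [esi].e_magic==IMAGE_DOS_SIGNATURE          ; "MZ"
                  mov eax,[esi].e_lfanew
                  ; e_lfanew comes from the file and is untrusted: keep the
                  ; signature read inside szbuff. Register compare is unsigned,
                  ; so a negative e_lfanew is rejected as well.
                  .if eax > sizeof szbuff - sizeof IMAGE_NT_HEADERS
                      xor eax,eax
                  .else
                      add esi,eax
                      .if dword ptr [esi]!=IMAGE_NT_SIGNATURE   ; full "PE\0\0", not just the "PE" word
                          xor eax,eax
                      .else
                          push eax                               ; MessageBox clobbers eax
                          invoke Message,offset szpe
                          pop eax
                      .endif
                  .endif
              .endif
              assume esi : nothing
              ret
          IsPeFile endp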
          
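         ;---------------------------------------------------------------
         ; MovPeHead(lpDosHead, dwPosition, dwPeRav1)
         ; Move the NT headers plus the section table from their current
         ; offset (dwPeRav1 = e_lfanew) to offset dwPosition inside the image
         ; buffer, clear the bytes they vacate (movfile does that) and rewrite
         ; e_lfanew. Only moves towards the start of the image: movfile copies
         ; forward, so an overlapping move in the other direction would
         ; corrupt the header and is refused.
         ; In:    lpDosHead = image buffer (szbuff); dwPosition = new e_lfanew;
         ;        dwPeRav1 = current e_lfanew as returned by IsPeFile
         ; Out:   eax = dwPosition when the header was moved, 0 when refused,
         ;        MessageBox result when dwPosition == dwPeRav1
         ; Clobb: ecx, edx, flags; esi/ebx preserved via USES
         ;---------------------------------------------------------------
         MovPeHead proc uses esi ebx lpDosHead :dword,dwPosition : DWORD,dwPeRav1 :dword
             mov eax,dwPeRav1
             .if dwPosition==eax
                 invoke MessageBox,NULL,offset szPeMovNo,NULL,MB_OK   ; already there: nothing to do
                 ret
             .endif
             .if dwPosition > eax
                 ; would need a backward copy; refuse rather than corrupt the image
                 xor eax,eax
                 ret
             .endif

             ; esi -> IMAGE_NT_HEADERS at its current offset
             mov esi,lpDosHead
             add esi,eax
             assume esi:ptr IMAGE_NT_HEADERS
             ; eax = sizeof IMAGE_NT_HEADERS + NumberOfSections * sizeof IMAGE_SECTION_HEADER
             movzx edx,[esi].FileHeader.NumberOfSections
             mov eax,sizeof IMAGE_SECTION_HEADER
             mul edx                          ; edx:eax = eax*edx; edx ends up 0 for any 16-bit count
             add eax,sizeof IMAGE_NT_HEADERS
             assume esi:nothing

             ; NumberOfSections is untrusted file data: the block to be moved
             ; must lie inside the buffer that holds the image.
             mov ebx,eax
             add ebx,dwPeRav1
             .if ebx > sizeof szbuff
                 xor eax,eax
                 ret
             .endif

             ; copy the block to lpDosHead+dwPosition; dst < src here, so the
             ; forward copy in movfile handles the overlap
             mov ebx,lpDosHead
             add ebx,dwPosition
             invoke movfile,ebx,esi,eax

             ; Point e_lfanew at the relocated header.
             ; NOTE(review): for dwPosition < 3Ch the moved header now covers
             ; offset 3Ch, so this store also lands inside it, at offset
             ; 3Ch-dwPosition into IMAGE_NT_HEADERS (30h for the caller's 0Ch);
             ; which optional-header field that is, and whether the loader
             ; tolerates it, should be confirmed against the PE32 layout.
             mov esi,lpDosHead
             assume esi : ptr IMAGE_DOS_HEADER
             mov eax,dwPosition
             mov [esi].e_lfanew,eax
             assume esi:nothing
             ret
         MovPeHead endp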
     end start


2014-03-15 17:00






