和上一节的代码相比,本文章主要修复了上一篇文章代码中PE类中的Analyze函数,这样不管是Before_Stretch_Data还是Stretch_Data,Shrink_Data,在这个函数中都可以分析出PE结构
另外新添加了函数Expand_Section函数,可以自动扩大最后一个节,并写入新的文件中,亲测可以使用,程序可以完美运行
Expand_Section函数的思路就是
扩大节:
只能扩大最后一个节
1.拉伸到内存
2.分配一块新的空间,SizeOfImage + Ex(扩大出来的空间)
3.将最后一个节的SizeOfRawData和VirtualSize改成N SizeOfRawData=VirtualSize=N N=(原来的SizeOfRawData和VirtualSize两者比较大的那一个内存对齐后的值)+Ex
4.修改SizeOfImage大小 SizeOfImage=SizeOfImage+Ex
期间我遇到一个百思不得其解的问题:
就是我将一个类作为参数继续函数传值,但是程序运行报错了,但是如果我传的是引用却不会报错。在文章末尾说
上代码先:
#include
#include
#include
#include
using namespace std;
int MAX(int a, int b)
{
return a >= b ? a : b;
}
class Data
{
public:
PIMAGE_DOS_HEADER my_dos;//dos头结构
PIMAGE_FILE_HEADER my_file;//file结构
PIMAGE_OPTIONAL_HEADER32 my_optional;//可选PE头结构
PIMAGE_SECTION_HEADER* my_section ;//节表结构
void* Before_Stretch_Data ; //指向拉伸前的内容
void* Stretch_Data ; //指向拉伸后的内容
void* Shrink_Data ; //指向缩小PE结构的内容
Data()
{
my_dos = nullptr;//dos头结构
my_file = nullptr;//file结构
my_optional = nullptr;//可选PE头结构
my_section = nullptr;//节表结构
Before_Stretch_Data = nullptr; //指向拉伸前的内容
Stretch_Data = nullptr; //指向拉伸后的内容
Shrink_Data = nullptr; //指向缩小PE结构的内容
}
~Data()
{
if (Before_Stretch_Data != nullptr)
{
free(Before_Stretch_Data);
Before_Stretch_Data = nullptr;
}
if (Stretch_Data != nullptr)
{
free(Stretch_Data);
Stretch_Data = nullptr;
}
if (Shrink_Data != nullptr)
{
free(Shrink_Data);
Shrink_Data = nullptr;
}
}
void Copy_Before_Strectch_Data(Data my_data); //只深拷贝Before_Strectch_Data
};
void Data::Copy_Before_Strectch_Data(Data my_data)
{
int size=_msize(my_data.Before_Stretch_Data);
memcpy_s(this->Before_Stretch_Data, size, my_data.Before_Stretch_Data, size);
}
class PE
{
public:
public:
void Readfile(char* filename, Data& my_data); //读取pe文件
void Analyze_PE(Data& my_data); //分析pe结构
void Stretch_PE(Data& my_data); //拉伸pe结构
void Shrink_PE(Data& my_data); //缩小pe结构
void New_Section(char* filename,Data& my_data);//新增节,非扩大节,并写入新的exe文件中
void Expand_Section(Data& my_data, char* filename); //扩大节
int Section_Align(int temp,Data& my_data); //返回内存对齐后的大小
int File_Align(int temp,Data& my_data); //返回文件对齐后的大小
void Copy_Data(Data& my_data);
};
void PE:: Expand_Section(Data& my_data,char* filename)
{
this->Stretch_PE(my_data);
unsigned Size = 0;//扩大节后新的文件大小
Size = my_data.my_optional->ImageBase + Section_Align(MAX(my_data.my_section[0]->SizeOfRawData, my_data.my_section[0]->Misc.VirtualSize),my_data);
Data Expand_Data;
Expand_Data.Stretch_Data= (void*)malloc(Size);
memset(Expand_Data.Stretch_Data, 0, Size);
memcpy_s(Expand_Data.Stretch_Data, _msize(my_data.Stretch_Data), my_data.Stretch_Data, _msize(my_data.Stretch_Data));
Analyze_PE(Expand_Data);
Expand_Data.my_section[my_data.my_file->NumberOfSections - 1]->SizeOfRawData = Section_Align(MAX(my_data.my_section[0]->SizeOfRawData, my_data.my_section[0]->Misc.VirtualSize), my_data) + Section_Align(MAX(my_data.my_section[my_data.my_file->NumberOfSections - 1]->SizeOfRawData, my_data.my_section[my_data.my_file->NumberOfSections - 1]->Misc.VirtualSize), my_data);
Expand_Data.my_section[my_data.my_file->NumberOfSections - 1]->Misc.VirtualSize = Expand_Data.my_section[my_data.my_file->NumberOfSections - 1]->SizeOfRawData;
Expand_Data.my_optional->SizeOfImage += Section_Align(MAX(my_data.my_section[0]->SizeOfRawData, my_data.my_section[0]->Misc.VirtualSize), my_data);
void* Temp_Ptr = (char*)Expand_Data.Stretch_Data+ Expand_Data.my_section[Expand_Data.my_file->NumberOfSections - 1]->VirtualAddress+ Section_Align(MAX(my_data.my_section[Expand_Data.my_file->NumberOfSections - 1]->SizeOfRawData, my_data.my_section[Expand_Data.my_file->NumberOfSections - 1]->Misc.VirtualSize),my_data);
int temp_size = Section_Align(MAX(my_data.my_section[0]->SizeOfRawData, my_data.my_section[0]->Misc.VirtualSize), my_data);
void* Temp_Ptr2 = (char*)my_data.Stretch_Data + my_data.my_section[0]->VirtualAddress;
memcpy_s(Temp_Ptr, temp_size, Temp_Ptr2, temp_size);
Shrink_PE(Expand_Data);
FILE* my_file;
if (fopen_s(&my_file, filename, "wb") != 0)
{
cout << "打开文件失败!" << endl;
}
else
{
Size = _msize(Expand_Data.Shrink_Data);
fwrite(Expand_Data.Shrink_Data, 1, Size, my_file);
cout << "写入成功!" << endl;
}
}
int PE::Section_Align(int temp, Data& my_data)
{
return (temp / my_data.my_optional->SectionAlignment)* my_data.my_optional->SectionAlignment + my_data.my_optional->SectionAlignment;
}
int PE::File_Align(int temp, Data& my_data)
{
return temp / my_data.my_optional->FileAlignment + my_data.my_optional->FileAlignment;
}
void PE::New_Section(char* filename, Data& my_data)
{
unsigned int Size; //Size是新文件的大小,是原来的文件大小加上.VirtualSize和SizeOfRawData较大的那个
Size = my_data.my_optional->SizeOfHeaders;
for (int i = 0;i < my_data.my_file->NumberOfSections; i++)
{
Size += my_data.my_section[i]->SizeOfRawData;
}
Size+= my_data.my_section[0]->SizeOfRawData;//这是最终新的文件的大小
Data New_Data;
New_Data.Before_Stretch_Data = (void*)malloc(Size*1);
memset(New_Data.Before_Stretch_Data, 0, Size);
memcpy_s(New_Data.Before_Stretch_Data, Size, my_data.Before_Stretch_Data, Size - my_data.my_section[0]->SizeOfRawData);//将原来的文件复制过来
Analyze_PE(New_Data);//让New_Data的dos,file,optional,section有数据
//复制新的节表
void* Temp_ptr1 = (char*)my_data.Before_Stretch_Data + 0x98 + my_data.my_file->SizeOfOptionalHeader;
void* Temp_ptr2 = (char*)New_Data.Before_Stretch_Data + 0x98 + my_data.my_file->SizeOfOptionalHeader + my_data.my_file->NumberOfSections * 0x28;
memcpy_s(Temp_ptr2, 0x28, Temp_ptr1, 0x28);
//复制新的节
Temp_ptr1 = (char*)my_data.Before_Stretch_Data + my_data.my_optional->SizeOfHeaders;//指向.text段
Temp_ptr2 = (char*)New_Data.Before_Stretch_Data + Size - my_data.my_section[0]->SizeOfRawData;
memcpy_s(Temp_ptr2, my_data.my_section[0]->SizeOfRawData, Temp_ptr1, my_data.my_section[0]->SizeOfRawData);//复制完.text段作为新增节
//接下来要改Header的各项数据
New_Data.my_file->NumberOfSections++;
New_Data.my_optional->SizeOfImage += my_data.my_section[0]->SizeOfRawData;
Analyze_PE(New_Data);
New_Data.my_section[New_Data.my_file->NumberOfSections - 1]->PointerToRawData = New_Data.my_section[New_Data.my_file->NumberOfSections - 2]->PointerToRawData + New_Data.my_section[New_Data.my_file->NumberOfSections - 2]->SizeOfRawData;
int size;
if (New_Data.my_section[New_Data.my_file->NumberOfSections - 2]->Misc.VirtualSize >= New_Data.my_section[New_Data.my_file->NumberOfSections - 2]->SizeOfRawData)
{
size = New_Data.my_section[New_Data.my_file->NumberOfSections - 2]->Misc.VirtualSize;
}
else
{
size = New_Data.my_section[New_Data.my_file->NumberOfSections - 2]->SizeOfRawData;
}
size = size / my_data.my_optional->SectionAlignment + my_data.my_optional->SectionAlignment;
New_Data.my_section[New_Data.my_file->NumberOfSections - 1]->VirtualAddress = New_Data.my_section[New_Data.my_file->NumberOfSections - 2]->VirtualAddress+size;
FILE* my_file;
if (fopen_s(&my_file, filename, "wb") == 0)
{
fwrite(New_Data.Before_Stretch_Data, 1, Size, my_file);
cout << "写入成功!" << endl;
return;
}
else
{
cout << "打开文件失败" << endl;
return;
}
}
void PE::Readfile(char* filename,Data& my_data)
{
unsigned int size;
FILE* datafile;
void* data;
//打开文件
if (fopen_s(&datafile, filename, "rb") != 0)
{
cout << "打开文件失败" << endl;
return;
}
else
{
//获取文件的大小
cout << "打开文件成功!" << endl;
fseek(datafile, 0, SEEK_END);
size = ftell(datafile);
fseek(datafile, 0, SEEK_SET);
if (size == -1L)
{
cout << "文件大小判断失败!" << endl;
return;
}
//申请内存空间把文件内容保存下来
my_data.Before_Stretch_Data = (void*)malloc(size * sizeof(char));
if (fread_s(my_data.Before_Stretch_Data, size, sizeof(char), size, datafile) == 0)
{
cout << "写入数据失败!" << endl;
return;
}
cout << "写入数据成功,成功获取Data!" << endl;
return ;
}
}
//分析PE结构
void PE::Analyze_PE(Data& my_data)
{
if (my_data.Before_Stretch_Data != nullptr)
{
DWORD* Temp_ptr = (DWORD*)my_data.Before_Stretch_Data;
my_data.my_dos = (PIMAGE_DOS_HEADER)Temp_ptr;
Temp_ptr = (DWORD*)((char*)my_data.Before_Stretch_Data + my_data.my_dos->e_lfanew);
Temp_ptr++;
my_data.my_file = (PIMAGE_FILE_HEADER)Temp_ptr;
Temp_ptr = (DWORD*)((char*)Temp_ptr + 0x14);
my_data.my_optional = (PIMAGE_OPTIONAL_HEADER)Temp_ptr;
Temp_ptr = (DWORD*)((char*)my_data.my_optional + my_data.my_file->SizeOfOptionalHeader);
my_data.my_section = (PIMAGE_SECTION_HEADER*)malloc(sizeof(IMAGE_SECTION_HEADER) * my_data.my_file->NumberOfSections);
for (int i = 0; i < my_data.my_file->NumberOfSections; i++)
{
my_data.my_section[i] = (PIMAGE_SECTION_HEADER)Temp_ptr;
Temp_ptr = (DWORD*)((char*)Temp_ptr + 0x28);
}
return;
}
else if(my_data.Stretch_Data!=nullptr)
{
DWORD* Temp_ptr = (DWORD*)my_data.Stretch_Data;
my_data.my_dos = (PIMAGE_DOS_HEADER)Temp_ptr;
Temp_ptr = (DWORD*)((char*)my_data.Stretch_Data + my_data.my_dos->e_lfanew);
Temp_ptr++;
my_data.my_file = (PIMAGE_FILE_HEADER)Temp_ptr;
Temp_ptr = (DWORD*)((char*)Temp_ptr + 0x14);
my_data.my_optional = (PIMAGE_OPTIONAL_HEADER)Temp_ptr;
Temp_ptr = (DWORD*)((char*)my_data.my_optional + my_data.my_file->SizeOfOptionalHeader);
my_data.my_section = (PIMAGE_SECTION_HEADER*)malloc(sizeof(IMAGE_SECTION_HEADER) * my_data.my_file->NumberOfSections);
for (int i = 0; i < my_data.my_file->NumberOfSections; i++)
{
my_data.my_section[i] = (PIMAGE_SECTION_HEADER)Temp_ptr;
Temp_ptr = (DWORD*)((char*)Temp_ptr + 0x28);
}
return;
}
else if (my_data.Shrink_Data != nullptr)
{
DWORD* Temp_ptr = (DWORD*)my_data.Shrink_Data;
my_data.my_dos = (PIMAGE_DOS_HEADER)Temp_ptr;
Temp_ptr = (DWORD*)((char*)my_data.Shrink_Data + my_data.my_dos->e_lfanew);
Temp_ptr++;
my_data.my_file = (PIMAGE_FILE_HEADER)Temp_ptr;
Temp_ptr = (DWORD*)((char*)Temp_ptr + 0x14);
my_data.my_optional = (PIMAGE_OPTIONAL_HEADER)Temp_ptr;
Temp_ptr = (DWORD*)((char*)my_data.my_optional + my_data.my_file->SizeOfOptionalHeader);
my_data.my_section = (PIMAGE_SECTION_HEADER*)malloc(sizeof(IMAGE_SECTION_HEADER) * my_data.my_file->NumberOfSections);
for (int i = 0; i < my_data.my_file->NumberOfSections; i++)
{
my_data.my_section[i] = (PIMAGE_SECTION_HEADER)Temp_ptr;
Temp_ptr = (DWORD*)((char*)Temp_ptr + 0x28);
}
return;
}
cout << "分析pe结构失败!" << endl;
cout << "失败原因,Data类里三个状态的指针皆为空指针!" << endl;
}
//拉伸PE结构 注意看PIMAGE_XXX_HEADER的定义,它们本就是指向结构体的指针
void PE::Stretch_PE(Data& my_data)
{
unsigned Memory_Size = 0;
Memory_Size = my_data.my_optional->SizeOfImage;
my_data.Stretch_Data = (void*)malloc(sizeof(char) * Memory_Size);
memset(my_data.Stretch_Data, 0, Memory_Size);
void* temp_before_stretch_data_ptr = my_data.Before_Stretch_Data;
int size_of_dos = 0x40;
int size_of_junk = 0x40;
int size_of_file = 0x18;
unsigned Size_Of_Optional = my_data.my_file->SizeOfOptionalHeader;
unsigned Size_Of_Section = 0x28;
unsigned Size_Of_Header = size_of_dos + size_of_file + size_of_junk + Size_Of_Optional + Size_Of_Section * my_data.my_file->NumberOfSections;//还未对齐
memcpy_s(my_data.Stretch_Data, Memory_Size, my_data.Before_Stretch_Data, Size_Of_Header);
void* temp_stretch_data = my_data.Stretch_Data;
//现在计算head头对齐后的大小
int Size = Size_Of_Header % my_data.my_optional->SectionAlignment;
Size_Of_Header = my_data.my_optional->SectionAlignment * Size;
for (int i = 0; i < my_data.my_file->NumberOfSections; i++)
{
temp_stretch_data = (void*)((char*)my_data.Stretch_Data + my_data.my_section[i]->VirtualAddress);
temp_before_stretch_data_ptr = (void*)((char*)my_data.Before_Stretch_Data + my_data.my_section[i]->PointerToRawData);
memcpy_s(temp_stretch_data, my_data.my_section[i]->SizeOfRawData, temp_before_stretch_data_ptr, my_data.my_section[i]->SizeOfRawData);
}
cout << "拉伸成功" << endl;
}
void PE::Shrink_PE(Data& my_data)
{
unsigned int Size = 0;
Size = my_data.my_section[my_data.my_file->NumberOfSections - 1]->PointerToRawData + my_data.my_section[my_data.my_file->NumberOfSections - 1]->SizeOfRawData;
my_data.Shrink_Data = (void*)malloc(Size);
//从Stretch_Data缩小
//复制Heads
memcpy_s(my_data.Shrink_Data, my_data.my_optional->SizeOfHeaders, my_data.Stretch_Data, my_data.my_optional->SizeOfHeaders);
//复制节
void* temp_shrink_data_ptr = my_data.Shrink_Data;
void* temp_stretch_data_ptr = my_data.Stretch_Data;
for (int i = 0; i < my_data.my_file->NumberOfSections; i++)
{
temp_shrink_data_ptr = (void*)((char*)my_data.Shrink_Data + my_data.my_section[i]->PointerToRawData);
temp_stretch_data_ptr = (void*)((char*)my_data.Stretch_Data + my_data.my_section[i]->VirtualAddress);
memcpy_s(temp_shrink_data_ptr, my_data.my_section[i]->SizeOfRawData, temp_stretch_data_ptr, my_data.my_section[i]->SizeOfRawData);
}
cout << "缩小成功" << endl;
return;
}
int main()
{
char filename[100]= "ceshi.exe";
PE my_pe;
Data my_data;
my_pe.Readfile(filename,my_data);
my_pe.Analyze_PE(my_data); //char*& Data, PIMAGE_DOS_HEADER& dos, PIMAGE_FILE_HEADER& file, PIMAGE_OPTIONAL_HEADER32& optional, PIMAGE_SECTION_HEADER*& section
my_pe.Stretch_PE(my_data);
my_pe.Shrink_PE(my_data);
/*char filename2[100] = "666.exe";
my_pe.New_Section(filename2, my_data);*/
char filename3[100] = "555.exe";
my_pe.Expand_Section(my_data,filename3);
return 0;
}
至于刚刚提到的问题,我查看汇编代码发现了些许端倪
004C2E4B C7 45 FC FF FF FF FF mov dword ptr [ebp-4],0FFFFFFFFh
004C2E52 8D 4D B8 lea ecx,[Expand_Data]
004C2E55 E8 08 E4 FF FF call Data::~Data (04C1262h)
004C2E5A 52 push edx
004C2E5B 8B CD mov ecx,ebp
004C2E5D 50 push eax
004C2E5E 8D 15 98 2E 4C 00 lea edx,ds:[4C2E98h]
004C2E64 E8 03 E4 FF FF call @_RTC_CheckStackVars@8 (04C126Ch)
004C2E69 58 pop eax
004C2E6A 5A pop edx
004C2E6B 8B 4D F4 mov ecx,dword ptr [ebp-0Ch]
004C2E6E 64 89 0D 00 00 00 00 mov dword ptr fs:[0],ecx
004C2E75 59 pop ecx
004C2E76 5F pop edi
004C2E77 5E pop esi
004C2E78 5B pop ebx
004C2E79 8B 4D F0 mov ecx,dword ptr [ebp-10h]
004C2E7C 33 CD xor ecx,ebp
004C2E7E E8 21 E3 FF FF call @__security_check_cookie@4 (04C11A4h)
004C2E83 81 C4 3C 01 00 00 add esp,13Ch
004C2E89 3B EC cmp ebp,esp
004C2E8B E8 4F E4 FF FF call __RTC_CheckEsp (04C12DFh)
004C2E90 8B E5 mov esp,ebp
004C2E92 5D pop ebp
004C2E93 C2 08 00 ret 8
这是我传值引用的结果,可以看到只调用了Expand_Data这个类的析构函数,符合常理,但是一旦我将void PE:: Expand_Section(Data& my_data,char* filename)改为void PE:: Expand_Section(Data my_data,char* filename) 我们再反汇编,此时就有问题了!
00AB2E0A C6 45 FC 00 mov byte ptr [ebp-4],0
00AB2E0E 8D 4D B8 lea ecx,[Expand_Data]
00AB2E11 E8 4C E4 FF FF call Data::~Data (0AB1262h)
00AB2E16 C7 45 FC FF FF FF FF mov dword ptr [ebp-4],0FFFFFFFFh
00AB2E1D 8D 4D 08 lea ecx,[my_data]
00AB2E20 E8 3D E4 FF FF call Data::~Data (0AB1262h)
00AB2E25 52 push edx
00AB2E26 8B CD mov ecx,ebp
00AB2E28 50 push eax
00AB2E29 8D 15 64 2E AB 00 lea edx,ds:[0AB2E64h]
00AB2E2F E8 38 E4 FF FF call @_RTC_CheckStackVars@8 (0AB126Ch)
00AB2E34 58 pop eax
00AB2E35 5A pop edx
00AB2E36 8B 4D F4 mov ecx,dword ptr [ebp-0Ch]
00AB2E39 64 89 0D 00 00 00 00 mov dword ptr fs:[0],ecx
00AB2E40 59 pop ecx
00AB2E41 5F pop edi
00AB2E42 5E pop esi
00AB2E43 5B pop ebx
00AB2E44 8B 4D F0 mov ecx,dword ptr [ebp-10h]
00AB2E47 33 CD xor ecx,ebp
00AB2E49 E8 56 E3 FF FF call @__security_check_cookie@4 (0AB11A4h)
00AB2E4E 81 C4 3C 01 00 00 add esp,13Ch
00AB2E54 3B EC cmp ebp,esp
00AB2E56 E8 84 E4 FF FF call __RTC_CheckEsp (0AB12DFh)
00AB2E5B 8B E5 mov esp,ebp
00AB2E5D 5D pop ebp
00AB2E5E C2 20 00 ret 20h
可以看到他居然调用了my_data的析构!这也是导致程序崩溃的原因,因为在main函数中,函数结束后,也会调用my_data的析构,等于调用了析构函数两次!
具体原因查了下资料对象作为参数按值传递为什么会调用析构函数?为什么实参中的内容会被修改?_c++ 类作为参数传递 在函数中被修改-CSDN博客
引用大佬的文章
对象作为参数按值传递为什么会调用析构函数?为什么实参中的内容会被修改?
因为对象按值传递时,编译器自动生成的复制构造函数进行了指针的简单拷贝,像指针直接赋值 str=s 一样,而没有拷贝指针指向的内容,这样当你将对象传递给函数时确实会有一个拷贝,但是这个拷贝会有一个指针的拷贝,所以两个对象中的 str 指向的内存一样,在退出函数时,析构销毁了函数中对象中的指针,但不幸的是这样实参对象 str 指向的内容也被销毁。
哎,c++没学好是这样的,但也算收获蛮多