【逆向】通过新增节移动导出表和重定位表(附完整代码,直接可运行)

移动导出表

首先先说说为啥要挪导出表。
教程的回答是这样的:

为什么要移动各种表?

1、这些表是编译器生成的,里面存储了非常重要的信息。

2、在程序启动的时候,系统会根据这些表做初始化的工作:

比如,将用到的DLL中的函数地址存储到IAT表中.

3、为了保护程序,可以对.exe的二进制代码进行加密操作,但问题是:

各种表的信息与客户字节的代码和数据都混在一起了,如果进行加密,那系统在初始化的时候会出问题!

总结:

学会移动各种表,是对程序加密/破解的基础.

但是我之前一直不理解,特么为毛要挪动函数名字符串啊,这玩意不是等dll解密出来就能用了吗?

百思不得其解,去问大佬们,大佬们说的我都听又听不懂,学又学不会。很淦

但是我只能装作听懂的样子,感谢大佬们的赐教,其实我是不懂的,经过一番摸索,我终于悟了!

首先给大家看看用def导出的dll应该怎么使用
首先 ,加了密后,只有使用Dll的时候,dll才会解密,那在dll外想要调用dll
代码简单表示为这样:

#include 
#include 
using namespace std;
int main()
{

	HMODULE h = LoadLibrary(L"reloca.dll");
	typedef void(*PFUNC)();
	PFUNC my_func = (PFUNC)GetProcAddress(h, "Print");
	my_func();
	return 0;
}

可以看到,外部调用dll的时候是要使用名字的,也就是在解密前,就需要函数名字符串了!

所以移动函数名是至关重要的!

以下是代码

VOID PE::Remove_Relocation(Data& my_data)
{
	Data Remove_Relocation_Data;
	DWORD Relocation_Data_Size = 0;//重定位表的大小
	LPVOID Temp_Ptr = (LPVOID)((DWORD)my_data.my_Data_Directory[5]->VirtualAddress + (DWORD)my_data.Stretch_Data);
	PIMAGE_BASE_RELOCATION relocation_ptr = (PIMAGE_BASE_RELOCATION)Temp_Ptr;
	while (TRUE)
	{
		if (relocation_ptr->SizeOfBlock == 0)
		{
			break;
		}
		Relocation_Data_Size += relocation_ptr->SizeOfBlock;
		relocation_ptr = (PIMAGE_BASE_RELOCATION)((DWORD)relocation_ptr+(DWORD)relocation_ptr->SizeOfBlock);
	}
	DWORD Real_Size = Relocation_Data_Size;
	DWORD SizeOfRawData = File_Align(Relocation_Data_Size, my_data);
	Relocation_Data_Size = Section_Align(Relocation_Data_Size, my_data);

	Remove_Relocation_Data.Stretch_Data = new char[Relocation_Data_Size+ my_data.my_optional->SizeOfImage];
	if (Remove_Relocation_Data.Stretch_Data == nullptr)
	{
		cout << "Remove_Relocation_Data.Stretch_Data分配空间失败!" << endl;
		return;
	}
	memcpy_s(Remove_Relocation_Data.Stretch_Data, Relocation_Data_Size + my_data.my_optional->SizeOfImage, my_data.Stretch_Data, my_data.my_optional->SizeOfImage);
	//现在要将新的节设置好
	//	1. 添加一个新的节
	//	2. 在新增节后面,填充一个节大小的000
	//	3. 修改PE头节的数量
	//	4. 修改sizeOfImage的大小
	//	5. 再原有的数据的最后,新增一个节的数据(内存对齐的整数倍)
	//	6. 修正新增节的属性
	//	7. (被坑了好久)记得在对应节填上数据!!!否则会因为数据为空而不能运行
	Temp_Ptr = (LPVOID)((DWORD)Remove_Relocation_Data.Stretch_Data + (DWORD)my_data.my_optional->SizeOfImage);
	memset(Temp_Ptr, 0, Relocation_Data_Size);
	Analyze_PE(Remove_Relocation_Data, 2);
	Remove_Relocation_Data.my_file->NumberOfSections += 1;
	Analyze_PE(Remove_Relocation_Data, 2);//必须再分析一次,否则Remove_Relocation_Data.my_section[Remove_Relocation_Data.my_file->NumberOfSections - 1]会报错
	Remove_Relocation_Data.my_optional->SizeOfImage += Relocation_Data_Size;
	Remove_Relocation_Data.my_section[Remove_Relocation_Data.my_file->NumberOfSections - 1]->Characteristics = my_data.my_section[0]->Characteristics;
	Remove_Relocation_Data.my_section[Remove_Relocation_Data.my_file->NumberOfSections - 1]->Misc.VirtualSize =Relocation_Data_Size;
	memcpy_s(Remove_Relocation_Data.my_section[Remove_Relocation_Data.my_file->NumberOfSections - 1]->Name, 7, "reloca", 7);
	Remove_Relocation_Data.my_section[Remove_Relocation_Data.my_file->NumberOfSections - 1]->NumberOfLinenumbers = my_data.my_section[0]->NumberOfLinenumbers;
	Remove_Relocation_Data.my_section[Remove_Relocation_Data.my_file->NumberOfSections - 1]->NumberOfRelocations = my_data.my_section[0]->NumberOfRelocations;
	Remove_Relocation_Data.my_section[Remove_Relocation_Data.my_file->NumberOfSections - 1]->PointerToLinenumbers = my_data.my_section[0]->PointerToLinenumbers;
	Remove_Relocation_Data.my_section[Remove_Relocation_Data.my_file->NumberOfSections - 1]->PointerToRawData = my_data.my_section[my_data.my_file->NumberOfSections - 1]->PointerToRawData + my_data.my_section[my_data.my_file->NumberOfSections - 1]->SizeOfRawData;
	Remove_Relocation_Data.my_section[Remove_Relocation_Data.my_file->NumberOfSections - 1]->PointerToRelocations = my_data.my_section[0]->PointerToRelocations;
	Remove_Relocation_Data.my_section[Remove_Relocation_Data.my_file->NumberOfSections - 1]->SizeOfRawData = SizeOfRawData;
	Remove_Relocation_Data.my_section[Remove_Relocation_Data.my_file->NumberOfSections - 1]->VirtualAddress = my_data.my_section[my_data.my_file->NumberOfSections - 1]->VirtualAddress + Section_Align(my_data.my_section[my_data.my_file->NumberOfSections - 1]->Misc.VirtualSize, my_data);

	memcpy_s(Temp_Ptr, Real_Size, (LPVOID)((DWORD)my_data.my_Data_Directory[5]->VirtualAddress+ (DWORD)my_data.Stretch_Data), Real_Size);
	Remove_Relocation_Data.my_Data_Directory[5]->VirtualAddress = (DWORD)my_data.my_optional->SizeOfImage;
	FILE* my_file;
	Shrink_PE(Remove_Relocation_Data);
	Analyze_PE(Remove_Relocation_Data, 1);
	DWORD Size = _msize(Remove_Relocation_Data.Shrink_Data);
	if (fopen_s(&my_file, "reloca", "wb") == 0)
	{
		fwrite(Remove_Relocation_Data.Shrink_Data, 1, Size, my_file);
		cout << "写入成功!" << endl;
		return;
	}
	else
	{
		cout << "写入失败!" << endl;
	}
	

}


 

移动重定位表

还是因为加密的原因,故需要移动重定位表。

顺便说说重定位表的工作原理:
如果PE程序运行时,在内存中站住了自己ImageBase的内存位置,此时重定位表就没有用。

如果PE程序运行时,在内存中没有站住自己ImageBase的内存位置,就需要修正重定位表的固定地址。

比如,原本dll程序自身的ImageBase为10000000,但是发现内存中这个位置已有一个dll,而内存中12000000的位置是空的,那自己只能修改ImageBase为12000000,贴到这里来,两个位置差值为2000000,所以重定位表中的RVA所指向的每一个固定地址,都要自增2000000,这样就完成了重定位表的工作。

以下是代码:
 

VOID PE::Remove_Export_Table(Data& my_data)
{
	DWORD Export_Size = my_data.my_Export_Directory->NumberOfFunctions * sizeof(DWORD) + my_data.my_Export_Directory->NumberOfNames * sizeof(WORD) + my_data.my_Export_Directory->NumberOfNames * sizeof(DWORD);
	for (int i = 0; i < my_data.my_Export_Directory->NumberOfNames; i++)
	{
		Export_Size += strlen(my_data.my_Export_Name[i]);
	}
	Export_Size = Section_Align(Export_Size, my_data);
	DWORD Total_Size =Export_Size+ my_data.my_optional->SizeOfImage;
	Data Remove_Export_Data;
	Remove_Export_Data.Stretch_Data = new char[Total_Size];
	if (Remove_Export_Data.Stretch_Data == nullptr)
	{
		cout << "Remove_Export_Data分配空间失败!!" << endl;
	}
	memcpy_s(Remove_Export_Data.Stretch_Data, Total_Size, my_data.Stretch_Data, my_data.my_optional->SizeOfImage);

	LPVOID Temp_Ptr= (LPVOID)((DWORD)Remove_Export_Data.Stretch_Data + my_data.my_optional->SizeOfImage);//这里是指向新的节
	//现在要将新的节设置好
	//	1. 添加一个新的节
	//	2. 在新增节后面,填充一个节大小的000
	//	3. 修改PE头节的数量
	//	4. 修改sizeOfImage的大小
	//	5. 再原有的数据的最后,新增一个节的数据(内存对齐的整数倍)
	//	6. 修正新增节的属性
	//	7. (被坑了好久)记得在对应节填上数据!!!否则会因为数据为空而不能运行
	memset(Temp_Ptr, 0, Export_Size);
	Analyze_PE(Remove_Export_Data, 2);
	Remove_Export_Data.my_file->NumberOfSections++;
	Remove_Export_Data.my_optional->SizeOfImage += Export_Size;
	Analyze_PE(Remove_Export_Data, 2); //可以分析到新的节表
	//开始修改节的属性
	Remove_Export_Data.my_section[Remove_Export_Data.my_file->NumberOfSections - 1]->Characteristics = my_data.my_section[0]->Characteristics;
	Remove_Export_Data.my_section[Remove_Export_Data.my_file->NumberOfSections - 1]->Misc.VirtualSize = Export_Size;
	memcpy_s(Remove_Export_Data.my_section[Remove_Export_Data.my_file->NumberOfSections - 1]->Name, 7, "remove",7);
	Remove_Export_Data.my_section[Remove_Export_Data.my_file->NumberOfSections - 1]->NumberOfLinenumbers = my_data.my_section[0]->NumberOfLinenumbers;
	Remove_Export_Data.my_section[Remove_Export_Data.my_file->NumberOfSections - 1]->NumberOfRelocations = my_data.my_section[0]->NumberOfRelocations;
	Remove_Export_Data.my_section[Remove_Export_Data.my_file->NumberOfSections - 1]->PointerToLinenumbers = my_data.my_section[0]->PointerToLinenumbers;
	Remove_Export_Data.my_section[Remove_Export_Data.my_file->NumberOfSections - 1]->PointerToRawData = my_data.my_section[my_data.my_file->NumberOfSections-1]->PointerToRawData+ my_data.my_section[my_data.my_file->NumberOfSections - 1]->SizeOfRawData;
	Remove_Export_Data.my_section[Remove_Export_Data.my_file->NumberOfSections - 1]->PointerToRelocations = my_data.my_section[0]->PointerToRelocations;
	Remove_Export_Data.my_section[Remove_Export_Data.my_file->NumberOfSections - 1]->SizeOfRawData = Export_Size;
	Remove_Export_Data.my_section[Remove_Export_Data.my_file->NumberOfSections - 1]->VirtualAddress = my_data.my_section[my_data.my_file->NumberOfSections - 1]->VirtualAddress + Section_Align(my_data.my_section[my_data.my_file->NumberOfSections - 1]->SizeOfRawData,my_data);
	
	Print_ExportTable(Remove_Export_Data);
	//开始移动导出表的信息!
	memcpy_s(Temp_Ptr, sizeof(DWORD) * my_data.my_Export_Directory->NumberOfFunctions, (LPVOID)(my_data.my_Export_Directory->AddressOfFunctions+(DWORD)my_data.Stretch_Data), sizeof(DWORD) * my_data.my_Export_Directory->NumberOfFunctions);
	Remove_Export_Data.my_Export_Directory->AddressOfFunctions = (DWORD)Temp_Ptr-(DWORD)Remove_Export_Data.Stretch_Data;
	Temp_Ptr = (LPVOID)((DWORD)Temp_Ptr + sizeof(DWORD) * my_data.my_Export_Directory->NumberOfFunctions);

	memcpy_s(Temp_Ptr, sizeof(WORD) * my_data.my_Export_Directory->NumberOfNames, (LPVOID)(my_data.my_Export_Directory->AddressOfNameOrdinals + (DWORD)my_data.Stretch_Data), sizeof(WORD) * my_data.my_Export_Directory->NumberOfNames);
	Remove_Export_Data.my_Export_Directory->AddressOfNameOrdinals = (DWORD)Temp_Ptr - (DWORD)Remove_Export_Data.Stretch_Data;
	Temp_Ptr = (LPVOID)((DWORD)Temp_Ptr + sizeof(WORD) * my_data.my_Export_Directory->NumberOfNames);

	memcpy_s(Temp_Ptr, sizeof(DWORD) * my_data.my_Export_Directory->AddressOfNames, (LPVOID)(my_data.my_Export_Directory->AddressOfNames + (DWORD)my_data.Stretch_Data), sizeof(DWORD) * my_data.my_Export_Directory->NumberOfNames);
	Remove_Export_Data.my_Export_Directory->AddressOfNames = (DWORD)Temp_Ptr - (DWORD)Remove_Export_Data.Stretch_Data;
	Temp_Ptr = (LPVOID)((DWORD)Temp_Ptr + sizeof(DWORD) * my_data.my_Export_Directory->AddressOfNames);

	FILE* my_file;
	Shrink_PE(Remove_Export_Data);
	DWORD Size = _msize(Remove_Export_Data.Shrink_Data);
	if (fopen_s(&my_file, "remove", "wb") == 0)
	{
		fwrite(Remove_Export_Data.Shrink_Data, 1, Size, my_file);
		cout << "写入成功!" << endl;
		return;
	}
	else
	{
		cout << "写入失败!" << endl;
	}

}

完整可直接运行代码如下:
 

#include 
#include 
#include 
#include 
#include 
using namespace std;

int MAX(int a, int b)
{
	return a >= b ? a : b;
}

class Data
{
public:
	PIMAGE_DOS_HEADER my_dos;//dos头结构
	PIMAGE_FILE_HEADER my_file;//file结构
	PIMAGE_OPTIONAL_HEADER32 my_optional;//可选PE头结构
	PIMAGE_SECTION_HEADER* my_section;//节表结构
	PIMAGE_DATA_DIRECTORY* my_Data_Directory;//数据目录结构
	//0.导出表	1.导入表	2.资源表	3.异常信息表	4.安全证书表	5.重定位表	6.调试信息表	7.版权所以表	
	//8.全局指针表	9.TLS表	10.加载配置表	11.绑定导入表	12.IAT表	13.延迟绑定表	14.COM信息表	15.未使用
	CHAR my_Export_Name[50][30];//导出表的名字
	PIMAGE_EXPORT_DIRECTORY my_Export_Directory; //指向导出表结构的指针
	DWORD	Export_AddressOfFunction[50];  //指向导出表中函数的地址
	PIMAGE_BASE_RELOCATION Relocation_Table[500]; //指向重定位表的数组



	void* Before_Stretch_Data; //指向拉伸前的内容
	void* Stretch_Data; //指向拉伸后的内容
	void* Shrink_Data; //指向缩小PE结构的内容


	Data()
	{
		my_dos = nullptr;//dos头结构
		my_file = nullptr;//file结构
		my_optional = nullptr;//可选PE头结构
		my_section = nullptr;//节表结构
		my_Data_Directory = nullptr;


		Before_Stretch_Data = nullptr; //指向拉伸前的内容
		Stretch_Data = nullptr; //指向拉伸后的内容
		Shrink_Data = nullptr; //指向缩小PE结构的内容
	}

	~Data()
	{
		if (Before_Stretch_Data != nullptr)
		{
			free(Before_Stretch_Data);
			Before_Stretch_Data = nullptr;
		}

		if (Stretch_Data != nullptr)
		{
			free(Stretch_Data);
			Stretch_Data = nullptr;
		}

		if (Shrink_Data != nullptr)
		{
			free(Shrink_Data);
			Shrink_Data = nullptr;
		}
	}


	VOID Copy_Before_Strectch_Data(Data my_data); //只深拷贝Before_Strectch_Data
};

VOID Data::Copy_Before_Strectch_Data(Data my_data)
{
	int size = _msize(my_data.Before_Stretch_Data);
	memcpy_s(this->Before_Stretch_Data, size, my_data.Before_Stretch_Data, size);
}



class PE
{
public:
	VOID Readfile(char* filename, Data& my_data);  //读取pe文件

	VOID Analyze_PE(Data& my_data, int num);  //分析pe结构

	VOID Stretch_PE(Data& my_data);  //拉伸pe结构

	VOID Shrink_PE(Data& my_data); //缩小pe结构

	VOID New_Section(char* filename, Data& my_data);//新增节,非扩大节,并写入新的exe文件中

	VOID Expand_Section(Data& my_data, char* filename);  //扩大节

	DWORD Section_Align(DWORD temp, Data& my_data); //返回内存对齐后的大小

	DWORD File_Align(DWORD temp, Data& my_data); //返回文件对齐后的大小

	VOID Combine_Section(char* filename, Data& my_data); //合并节

	VOID Copy_Data(Data& my_data);

	VOID Print_IMAGE_DATA_DIRECTORY(Data& my_data);  //打印目录结构

	VOID Analyze_Data_Directory(Data& my_data); //分析目录结构 //先分析才能打印

	DWORD  Rva_To_Foa(DWORD Rva_Offset, Data& my_data); //Rva转Foa

	VOID Print_ExportTable(Data& my_data);  //打印导出表

	VOID GetFunctionAddrByName(Data& my_data, char* name);  //通过函数名字输出DLL里函数的偏移

	VOID GetFunctionAddrByOrdinal(Data& my_data, int ordinal);  //通过序号输出DLL里函数的偏移

	VOID Print_Relocation(Data& mydata);  //打印重定位表

	VOID Remove_Export_Table(Data& my_data);  //移动导出表

	VOID Remove_Relocation(Data& my_data);  //移动重定位表
};

VOID PE::Remove_Relocation(Data& my_data)
{
	Data Remove_Relocation_Data;
	DWORD Relocation_Data_Size = 0;//重定位表的大小
	LPVOID Temp_Ptr = (LPVOID)((DWORD)my_data.my_Data_Directory[5]->VirtualAddress + (DWORD)my_data.Stretch_Data);
	PIMAGE_BASE_RELOCATION relocation_ptr = (PIMAGE_BASE_RELOCATION)Temp_Ptr;
	while (TRUE)
	{
		if (relocation_ptr->SizeOfBlock == 0)
		{
			break;
		}
		Relocation_Data_Size += relocation_ptr->SizeOfBlock;
		relocation_ptr = (PIMAGE_BASE_RELOCATION)((DWORD)relocation_ptr+(DWORD)relocation_ptr->SizeOfBlock);
	}
	DWORD Real_Size = Relocation_Data_Size;
	DWORD SizeOfRawData = File_Align(Relocation_Data_Size, my_data);
	Relocation_Data_Size = Section_Align(Relocation_Data_Size, my_data);

	Remove_Relocation_Data.Stretch_Data = new char[Relocation_Data_Size+ my_data.my_optional->SizeOfImage];
	if (Remove_Relocation_Data.Stretch_Data == nullptr)
	{
		cout << "Remove_Relocation_Data.Stretch_Data分配空间失败!" << endl;
		return;
	}
	memcpy_s(Remove_Relocation_Data.Stretch_Data, Relocation_Data_Size + my_data.my_optional->SizeOfImage, my_data.Stretch_Data, my_data.my_optional->SizeOfImage);
	//现在要将新的节设置好
	//	1. 添加一个新的节
	//	2. 在新增节后面,填充一个节大小的000
	//	3. 修改PE头节的数量
	//	4. 修改sizeOfImage的大小
	//	5. 再原有的数据的最后,新增一个节的数据(内存对齐的整数倍)
	//	6. 修正新增节的属性
	//	7. (被坑了好久)记得在对应节填上数据!!!否则会因为数据为空而不能运行
	Temp_Ptr = (LPVOID)((DWORD)Remove_Relocation_Data.Stretch_Data + (DWORD)my_data.my_optional->SizeOfImage);
	memset(Temp_Ptr, 0, Relocation_Data_Size);
	Analyze_PE(Remove_Relocation_Data, 2);
	Remove_Relocation_Data.my_file->NumberOfSections += 1;
	Analyze_PE(Remove_Relocation_Data, 2);//必须再分析一次,否则Remove_Relocation_Data.my_section[Remove_Relocation_Data.my_file->NumberOfSections - 1]会报错
	Remove_Relocation_Data.my_optional->SizeOfImage += Relocation_Data_Size;
	Remove_Relocation_Data.my_section[Remove_Relocation_Data.my_file->NumberOfSections - 1]->Characteristics = my_data.my_section[0]->Characteristics;
	Remove_Relocation_Data.my_section[Remove_Relocation_Data.my_file->NumberOfSections - 1]->Misc.VirtualSize =Relocation_Data_Size;
	memcpy_s(Remove_Relocation_Data.my_section[Remove_Relocation_Data.my_file->NumberOfSections - 1]->Name, 7, "reloca", 7);
	Remove_Relocation_Data.my_section[Remove_Relocation_Data.my_file->NumberOfSections - 1]->NumberOfLinenumbers = my_data.my_section[0]->NumberOfLinenumbers;
	Remove_Relocation_Data.my_section[Remove_Relocation_Data.my_file->NumberOfSections - 1]->NumberOfRelocations = my_data.my_section[0]->NumberOfRelocations;
	Remove_Relocation_Data.my_section[Remove_Relocation_Data.my_file->NumberOfSections - 1]->PointerToLinenumbers = my_data.my_section[0]->PointerToLinenumbers;
	Remove_Relocation_Data.my_section[Remove_Relocation_Data.my_file->NumberOfSections - 1]->PointerToRawData = my_data.my_section[my_data.my_file->NumberOfSections - 1]->PointerToRawData + my_data.my_section[my_data.my_file->NumberOfSections - 1]->SizeOfRawData;
	Remove_Relocation_Data.my_section[Remove_Relocation_Data.my_file->NumberOfSections - 1]->PointerToRelocations = my_data.my_section[0]->PointerToRelocations;
	Remove_Relocation_Data.my_section[Remove_Relocation_Data.my_file->NumberOfSections - 1]->SizeOfRawData = SizeOfRawData;
	Remove_Relocation_Data.my_section[Remove_Relocation_Data.my_file->NumberOfSections - 1]->VirtualAddress = my_data.my_section[my_data.my_file->NumberOfSections - 1]->VirtualAddress + Section_Align(my_data.my_section[my_data.my_file->NumberOfSections - 1]->Misc.VirtualSize, my_data);

	memcpy_s(Temp_Ptr, Real_Size, (LPVOID)((DWORD)my_data.my_Data_Directory[5]->VirtualAddress+ (DWORD)my_data.Stretch_Data), Real_Size);
	Remove_Relocation_Data.my_Data_Directory[5]->VirtualAddress = (DWORD)my_data.my_optional->SizeOfImage;
	FILE* my_file;
	Shrink_PE(Remove_Relocation_Data);
	Analyze_PE(Remove_Relocation_Data, 1);
	DWORD Size = _msize(Remove_Relocation_Data.Shrink_Data);
	if (fopen_s(&my_file, "reloca", "wb") == 0)
	{
		fwrite(Remove_Relocation_Data.Shrink_Data, 1, Size, my_file);
		cout << "写入成功!" << endl;
		return;
	}
	else
	{
		cout << "写入失败!" << endl;
	}
	

}

VOID PE::Remove_Export_Table(Data& my_data)
{
	DWORD Export_Size = my_data.my_Export_Directory->NumberOfFunctions * sizeof(DWORD) + my_data.my_Export_Directory->NumberOfNames * sizeof(WORD) + my_data.my_Export_Directory->NumberOfNames * sizeof(DWORD);
	for (int i = 0; i < my_data.my_Export_Directory->NumberOfNames; i++)
	{
		Export_Size += strlen(my_data.my_Export_Name[i]);
	}
	Export_Size = Section_Align(Export_Size, my_data);
	DWORD Total_Size =Export_Size+ my_data.my_optional->SizeOfImage;
	Data Remove_Export_Data;
	Remove_Export_Data.Stretch_Data = new char[Total_Size];
	if (Remove_Export_Data.Stretch_Data == nullptr)
	{
		cout << "Remove_Export_Data分配空间失败!!" << endl;
	}
	memcpy_s(Remove_Export_Data.Stretch_Data, Total_Size, my_data.Stretch_Data, my_data.my_optional->SizeOfImage);

	LPVOID Temp_Ptr= (LPVOID)((DWORD)Remove_Export_Data.Stretch_Data + my_data.my_optional->SizeOfImage);//这里是指向新的节
	//现在要将新的节设置好
	//	1. 添加一个新的节
	//	2. 在新增节后面,填充一个节大小的000
	//	3. 修改PE头节的数量
	//	4. 修改sizeOfImage的大小
	//	5. 再原有的数据的最后,新增一个节的数据(内存对齐的整数倍)
	//	6. 修正新增节的属性
	//	7. (被坑了好久)记得在对应节填上数据!!!否则会因为数据为空而不能运行
	memset(Temp_Ptr, 0, Export_Size);
	Analyze_PE(Remove_Export_Data, 2);
	Remove_Export_Data.my_file->NumberOfSections++;
	Remove_Export_Data.my_optional->SizeOfImage += Export_Size;
	Analyze_PE(Remove_Export_Data, 2); //可以分析到新的节表
	//开始修改节的属性
	Remove_Export_Data.my_section[Remove_Export_Data.my_file->NumberOfSections - 1]->Characteristics = my_data.my_section[0]->Characteristics;
	Remove_Export_Data.my_section[Remove_Export_Data.my_file->NumberOfSections - 1]->Misc.VirtualSize = Export_Size;
	memcpy_s(Remove_Export_Data.my_section[Remove_Export_Data.my_file->NumberOfSections - 1]->Name, 7, "remove",7);
	Remove_Export_Data.my_section[Remove_Export_Data.my_file->NumberOfSections - 1]->NumberOfLinenumbers = my_data.my_section[0]->NumberOfLinenumbers;
	Remove_Export_Data.my_section[Remove_Export_Data.my_file->NumberOfSections - 1]->NumberOfRelocations = my_data.my_section[0]->NumberOfRelocations;
	Remove_Export_Data.my_section[Remove_Export_Data.my_file->NumberOfSections - 1]->PointerToLinenumbers = my_data.my_section[0]->PointerToLinenumbers;
	Remove_Export_Data.my_section[Remove_Export_Data.my_file->NumberOfSections - 1]->PointerToRawData = my_data.my_section[my_data.my_file->NumberOfSections-1]->PointerToRawData+ my_data.my_section[my_data.my_file->NumberOfSections - 1]->SizeOfRawData;
	Remove_Export_Data.my_section[Remove_Export_Data.my_file->NumberOfSections - 1]->PointerToRelocations = my_data.my_section[0]->PointerToRelocations;
	Remove_Export_Data.my_section[Remove_Export_Data.my_file->NumberOfSections - 1]->SizeOfRawData = Export_Size;
	Remove_Export_Data.my_section[Remove_Export_Data.my_file->NumberOfSections - 1]->VirtualAddress = my_data.my_section[my_data.my_file->NumberOfSections - 1]->VirtualAddress + Section_Align(my_data.my_section[my_data.my_file->NumberOfSections - 1]->SizeOfRawData,my_data);
	
	Print_ExportTable(Remove_Export_Data);
	//开始移动导出表的信息!
	memcpy_s(Temp_Ptr, sizeof(DWORD) * my_data.my_Export_Directory->NumberOfFunctions, (LPVOID)(my_data.my_Export_Directory->AddressOfFunctions+(DWORD)my_data.Stretch_Data), sizeof(DWORD) * my_data.my_Export_Directory->NumberOfFunctions);
	Remove_Export_Data.my_Export_Directory->AddressOfFunctions = (DWORD)Temp_Ptr-(DWORD)Remove_Export_Data.Stretch_Data;
	Temp_Ptr = (LPVOID)((DWORD)Temp_Ptr + sizeof(DWORD) * my_data.my_Export_Directory->NumberOfFunctions);

	memcpy_s(Temp_Ptr, sizeof(WORD) * my_data.my_Export_Directory->NumberOfNames, (LPVOID)(my_data.my_Export_Directory->AddressOfNameOrdinals + (DWORD)my_data.Stretch_Data), sizeof(WORD) * my_data.my_Export_Directory->NumberOfNames);
	Remove_Export_Data.my_Export_Directory->AddressOfNameOrdinals = (DWORD)Temp_Ptr - (DWORD)Remove_Export_Data.Stretch_Data;
	Temp_Ptr = (LPVOID)((DWORD)Temp_Ptr + sizeof(WORD) * my_data.my_Export_Directory->NumberOfNames);

	memcpy_s(Temp_Ptr, sizeof(DWORD) * my_data.my_Export_Directory->AddressOfNames, (LPVOID)(my_data.my_Export_Directory->AddressOfNames + (DWORD)my_data.Stretch_Data), sizeof(DWORD) * my_data.my_Export_Directory->NumberOfNames);
	Remove_Export_Data.my_Export_Directory->AddressOfNames = (DWORD)Temp_Ptr - (DWORD)Remove_Export_Data.Stretch_Data;
	Temp_Ptr = (LPVOID)((DWORD)Temp_Ptr + sizeof(DWORD) * my_data.my_Export_Directory->AddressOfNames);

	FILE* my_file;
	Shrink_PE(Remove_Export_Data);
	DWORD Size = _msize(Remove_Export_Data.Shrink_Data);
	if (fopen_s(&my_file, "remove", "wb") == 0)
	{
		fwrite(Remove_Export_Data.Shrink_Data, 1, Size, my_file);
		cout << "写入成功!" << endl;
		return;
	}
	else
	{
		cout << "写入失败!" << endl;
	}

}

VOID PE::Print_Relocation(Data& my_data)
{
	DWORD Temp_ptr = (DWORD)my_data.my_Data_Directory[5]->VirtualAddress+(DWORD)my_data.Stretch_Data;
	int count = 1;//这是需要重定位函数的个数
	cout << endl << endl;
	for (int i = 0; i < 500; i++)
	{
		cout << endl;
		cout << "第" << i+1 << "个块" << endl;
		cout << "-----------------------------------------------------" << endl;
		my_data.Relocation_Table[i] = (PIMAGE_BASE_RELOCATION)Temp_ptr;
		my_data.Relocation_Table[i]->VirtualAddress = *(DWORD*)Temp_ptr;
		my_data.Relocation_Table[i]->SizeOfBlock = *(DWORD*)(Temp_ptr + 0x4);
		Temp_ptr += 0x8;


		for (int index = 0; index < (my_data.Relocation_Table[i]->SizeOfBlock - 0x8) / 2; index++)
		{
			PWORD Temp_ptr2 = (PWORD)(Temp_ptr +  2*index);
			int num = (*Temp_ptr2 >> 12);
			if (num == 3)
			{
				cout << count++ << ": 0x" << hex << my_data.Relocation_Table[i]->VirtualAddress + (*(Temp_ptr2) & 0XFFF)<<"  ";
			}
		}
		cout << endl;
		count = 1;
		Temp_ptr += my_data.Relocation_Table[i]->SizeOfBlock-0x8;
		if (*(DWORD*)Temp_ptr == 0&& *(DWORD*)(Temp_ptr+1)==0)
		{
			break;
		}

	}

}

VOID PE::GetFunctionAddrByOrdinal(Data& my_data, int ordinal)
{
	DWORD AddressOfNames_ptr = (DWORD)((DWORD)my_data.my_Export_Directory->AddressOfNameOrdinals + (DWORD)my_data.Stretch_Data);
	for (int i = 0; i < my_data.my_Export_Directory->NumberOfNames; i++)
	{
		if (*(WORD*)AddressOfNames_ptr + my_data.my_Export_Directory->Base == ordinal)
		{
			cout << "成功通过函数的序号找到函数地址!" << endl;
			cout << "0x" << hex << my_data.Export_AddressOfFunction[i] << endl;
			return;
		}
		AddressOfNames_ptr = (DWORD)((char*)AddressOfNames_ptr + 2);
	}
	cout << "没有匹配上!" << endl;
}


VOID PE::GetFunctionAddrByName(Data& my_data, char* name)
{
	int i = 0;
	for (i = 0; i < my_data.my_Export_Directory->NumberOfNames; i++)
	{
		if (!strcmp(name, my_data.my_Export_Name[i]))
		{
			cout << "成功通过函数名匹配到函数!" << endl;
			break;
		}
		if (i == my_data.my_Export_Directory->NumberOfNames - 1)
		{
			cout << "没有匹配到函数名!" << endl;
			return ;
		}
	}
	cout << "0x" << hex << my_data.Export_AddressOfFunction[i] << endl;
	
}


void PE::Print_ExportTable(Data& my_data)
{
	PIMAGE_EXPORT_DIRECTORY my_export_directory_ptr = (PIMAGE_EXPORT_DIRECTORY)((DWORD)my_data.my_Data_Directory[0]->VirtualAddress + (DWORD)my_data.Stretch_Data);
	my_data.my_Export_Directory = my_export_directory_ptr;
	DWORD AddressOfFunctions_ptr = (DWORD)((DWORD)my_export_directory_ptr->AddressOfFunctions + (DWORD)my_data.Stretch_Data);
	DWORD AddressOfNames_ptr = (DWORD)((DWORD)my_export_directory_ptr->AddressOfNames + (DWORD)my_data.Stretch_Data);
	DWORD AddressOfNameOrdinals_ptr = (DWORD)((DWORD)my_export_directory_ptr->AddressOfNameOrdinals + (DWORD)my_data.Stretch_Data);

	cout << "---------------AddressOfFunctions------------------" << endl;
	int number = my_export_directory_ptr->NumberOfFunctions;
	for (int i = 0; i < number; i++)
	{
		cout << i << ": " << "0x" << hex << *((DWORD*)AddressOfFunctions_ptr) << endl;
		my_data.Export_AddressOfFunction[i] = *((DWORD*)AddressOfFunctions_ptr);
		AddressOfFunctions_ptr += 0x4;
		while (*((DWORD*)AddressOfFunctions_ptr) == 0)
		{
			AddressOfFunctions_ptr += 0x4;
		}
	}

	cout << "---------------------Names------------------" << endl;
	number = my_export_directory_ptr->NumberOfNames;
	for (int i = 0; i < number; i++)
	{
		strcpy_s(my_data.my_Export_Name[i], (PCHAR)(*(DWORD*)AddressOfNames_ptr + (DWORD)my_data.Stretch_Data));
		cout << i << ": " << (PCHAR)(*(DWORD*)AddressOfNames_ptr + (DWORD)my_data.Stretch_Data) << endl;
		AddressOfNames_ptr += 0x4;
	}

	cout << "----------------------NameOrdinals---------------" << endl;
	cout << "base: " << my_export_directory_ptr->Base << endl;
	for (int i = 0; i < number; i++)
	{
		cout << i << ": " << *(WORD*)AddressOfNames_ptr << endl;
		AddressOfNames_ptr += 0x2;
	}
}





DWORD PE::Rva_To_Foa(DWORD Rva_Offset, Data& my_data)
{
	int index = 0;
	if (Rva_Offset <= my_data.my_optional->SizeOfHeaders)
	{
		return Rva_Offset;
	}
	else
	{

		while (Rva_Offset > my_data.my_section[index]->VirtualAddress)
		{
			index++;
		}
		index--;
		//计算在节的偏移
		DWORD Section_Offset = Rva_Offset - my_data.my_section[index]->VirtualAddress;
		return my_data.my_section[index]->PointerToRawData + Section_Offset;
	}
}

void PE::Analyze_Data_Directory(Data& my_data)
{
	my_data.my_Data_Directory = nullptr;
	my_data.my_Data_Directory = (PIMAGE_DATA_DIRECTORY*)malloc(16 * sizeof(PIMAGE_DATA_DIRECTORY));
	void* Temp_ptr = my_data.my_optional->DataDirectory;
	for (int i = 0; i < 16; i++)
	{
		my_data.my_Data_Directory[i] = (PIMAGE_DATA_DIRECTORY)Temp_ptr;
		Temp_ptr = (char*)Temp_ptr + 0x8;
	}
}

void PE::Print_IMAGE_DATA_DIRECTORY(Data& my_data)
{
	char arr[16][40] = {
	"IMAGE_DIRECTORY_ENTRY_EXPORT",
	"IMAGE_DIRECTORY_ENTRY_IMPORT",
	"IMAGE_DIRECTORY_ENTRY_RESOURCE",
	"IMAGE_DIRECTORY_ENTRY_EXCEPTION",
	"IMAGE_DIRECTORY_ENTRY_SECURITY",
	"IMAGE_DIRECTORY_ENTRY_BASERELOC",
	"IMAGE_DIRECTORY_ENTRY_DEBUG",
	"IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
	"IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
	"IMAGE_DIRECTORY_ENTRY_TLS",
	"IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
	"IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
	"IMAGE_DIRECTORY_ENTRY_IAT",
	"IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
	"IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
	"RESERVED"
	};

	for (int i = 0; i < 16; i++)
	{
		cout << arr[i] << " :" << endl;
		cout << "Size: " << hex << my_data.my_Data_Directory[i]->Size << endl;
		cout << "Virtual_Address: " << my_data.my_Data_Directory[i]->VirtualAddress << endl;
		cout << "------------------------------------------------------------------------" << endl;
	}
	return;
}


void PE::Combine_Section(char* filename, Data& my_data)
{

	int Max = MAX(my_data.my_section[my_data.my_file->NumberOfSections - 1]->SizeOfRawData, my_data.my_section[my_data.my_file->NumberOfSections - 1]->Misc.VirtualSize);
	int Size = my_data.my_section[my_data.my_file->NumberOfSections - 1]->VirtualAddress + Section_Align(Max, my_data) - Section_Align(my_data.my_optional->SizeOfHeaders, my_data) + MAX(my_data.my_section[0]->SizeOfRawData, my_data.my_section[0]->Misc.VirtualSize);
	Data Comebine_Data;
	int temp_size = _msize(my_data.Stretch_Data) + Max;
	Comebine_Data.Stretch_Data = (void*)malloc(temp_size);
	memset(Comebine_Data.Stretch_Data, 0, Size);

	temp_size = _msize(my_data.Stretch_Data);
	memcpy_s(Comebine_Data.Stretch_Data, temp_size, my_data.Stretch_Data, temp_size);
	Analyze_PE(Comebine_Data, 2);

	void* temp_ptr = (char*)Comebine_Data.Stretch_Data + Max + my_data.my_section[my_data.my_file->NumberOfSections - 1]->VirtualAddress;
	memcpy_s(temp_ptr, MAX(my_data.my_section[0]->SizeOfRawData, my_data.my_section[0]->Misc.VirtualSize), my_data.my_section[0]->VirtualAddress + (char*)my_data.Stretch_Data, MAX(my_data.my_section[0]->SizeOfRawData, my_data.my_section[0]->Misc.VirtualSize));

	Comebine_Data.my_optional->SizeOfImage += Section_Align(MAX(my_data.my_section[0]->SizeOfRawData, my_data.my_section[0]->Misc.VirtualSize), my_data);

	Comebine_Data.my_section[my_data.my_file->NumberOfSections - 1]->SizeOfRawData += File_Align(MAX(my_data.my_section[0]->SizeOfRawData, my_data.my_section[0]->Misc.VirtualSize), my_data);
	Comebine_Data.my_section[my_data.my_file->NumberOfSections - 1]->Misc.VirtualSize = Section_Align(Comebine_Data.my_section[my_data.my_file->NumberOfSections - 1]->Misc.VirtualSize, my_data) + Section_Align(MAX(my_data.my_section[0]->SizeOfRawData, my_data.my_section[0]->Misc.VirtualSize), my_data);

	FILE* my_file;
	if (fopen_s(&my_file, filename, "wb") != 0)
	{
		cout << "打开文件失败" << endl;
		return;
	}

	Shrink_PE(Comebine_Data);
	Analyze_PE(Comebine_Data, 3);

	fwrite(Comebine_Data.Shrink_Data, 1, _msize(Comebine_Data.Shrink_Data), my_file);
	cout << "写入成功!" << endl;

	fclose(my_file);
}


void PE::Expand_Section(Data& my_data, char* filename)
{
	this->Stretch_PE(my_data);
	unsigned Size = 0;//扩大节后新的文件大小
	Size = my_data.my_optional->ImageBase + Section_Align(MAX(my_data.my_section[0]->SizeOfRawData, my_data.my_section[0]->Misc.VirtualSize), my_data);

	Data Expand_Data;
	Expand_Data.Stretch_Data = (void*)malloc(Size);
	memset(Expand_Data.Stretch_Data, 0, Size);
	memcpy_s(Expand_Data.Stretch_Data, _msize(my_data.Stretch_Data), my_data.Stretch_Data, _msize(my_data.Stretch_Data));

	Analyze_PE(Expand_Data, 2);

	Expand_Data.my_section[my_data.my_file->NumberOfSections - 1]->SizeOfRawData = Section_Align(MAX(my_data.my_section[0]->SizeOfRawData, my_data.my_section[0]->Misc.VirtualSize), my_data) + Section_Align(MAX(my_data.my_section[my_data.my_file->NumberOfSections - 1]->SizeOfRawData, my_data.my_section[my_data.my_file->NumberOfSections - 1]->Misc.VirtualSize), my_data);
	Expand_Data.my_section[my_data.my_file->NumberOfSections - 1]->Misc.VirtualSize = Expand_Data.my_section[my_data.my_file->NumberOfSections - 1]->SizeOfRawData;

	Expand_Data.my_optional->SizeOfImage += Section_Align(MAX(my_data.my_section[0]->SizeOfRawData, my_data.my_section[0]->Misc.VirtualSize), my_data);

	void* Temp_Ptr = (char*)Expand_Data.Stretch_Data + Expand_Data.my_section[Expand_Data.my_file->NumberOfSections - 1]->VirtualAddress + Section_Align(MAX(my_data.my_section[Expand_Data.my_file->NumberOfSections - 1]->SizeOfRawData, my_data.my_section[Expand_Data.my_file->NumberOfSections - 1]->Misc.VirtualSize), my_data);
	int temp_size = Section_Align(MAX(my_data.my_section[0]->SizeOfRawData, my_data.my_section[0]->Misc.VirtualSize), my_data);
	void* Temp_Ptr2 = (char*)my_data.Stretch_Data + my_data.my_section[0]->VirtualAddress;

	memcpy_s(Temp_Ptr, temp_size, Temp_Ptr2, temp_size);


	Shrink_PE(Expand_Data);

	FILE* my_file;
	if (fopen_s(&my_file, filename, "wb") != 0)
	{
		cout << "打开文件失败!" << endl;

	}
	else
	{
		Size = _msize(Expand_Data.Shrink_Data);
		fwrite(Expand_Data.Shrink_Data, 1, Size, my_file);
		cout << "写入成功!" << endl;
	}
	fclose(my_file);
}


DWORD PE::Section_Align(DWORD temp, Data& my_data)
{
	int i = 0;
	while (temp > i * my_data.my_optional->SectionAlignment)
	{
		i++;
	}
	return i * my_data.my_optional->SectionAlignment;

}

DWORD PE::File_Align(DWORD temp, Data& my_data)
{
	int i = 0;
	while (temp > i * my_data.my_optional->FileAlignment)
	{
		i++;
	}
	return i * my_data.my_optional->FileAlignment;
}

void PE::New_Section(char* filename, Data& my_data)
{
	unsigned int Size; //Size是新文件的大小,是原来的文件大小加上.VirtualSize和SizeOfRawData较大的那个
	Size = my_data.my_optional->SizeOfHeaders;
	for (int i = 0; i < my_data.my_file->NumberOfSections; i++)
	{
		Size += my_data.my_section[i]->SizeOfRawData;
	}
	Size += my_data.my_section[0]->SizeOfRawData;//这是最终新的文件的大小

	Data New_Data;
	New_Data.Before_Stretch_Data = (void*)malloc(Size * 1);
	memset(New_Data.Before_Stretch_Data, 0, Size);
	memcpy_s(New_Data.Before_Stretch_Data, Size, my_data.Before_Stretch_Data, Size - my_data.my_section[0]->SizeOfRawData);//将原来的文件复制过来

	Analyze_PE(New_Data, 1);//让New_Data的dos,file,optional,section有数据

	//复制新的节表
	void* Temp_ptr1 = (char*)my_data.Before_Stretch_Data + 0x98 + my_data.my_file->SizeOfOptionalHeader;
	void* Temp_ptr2 = (char*)New_Data.Before_Stretch_Data + 0x98 + my_data.my_file->SizeOfOptionalHeader + my_data.my_file->NumberOfSections * 0x28;
	memcpy_s(Temp_ptr2, 0x28, Temp_ptr1, 0x28);
	//复制新的节
	Temp_ptr1 = (char*)my_data.Before_Stretch_Data + my_data.my_optional->SizeOfHeaders;//指向.text段
	Temp_ptr2 = (char*)New_Data.Before_Stretch_Data + Size - my_data.my_section[0]->SizeOfRawData;

	memcpy_s(Temp_ptr2, my_data.my_section[0]->SizeOfRawData, Temp_ptr1, my_data.my_section[0]->SizeOfRawData);//复制完.text段作为新增节

	//接下来要改Header的各项数据
	New_Data.my_file->NumberOfSections++;
	New_Data.my_optional->SizeOfImage += my_data.my_section[0]->SizeOfRawData;

	Analyze_PE(New_Data, 1);
	New_Data.my_section[New_Data.my_file->NumberOfSections - 1]->PointerToRawData = New_Data.my_section[New_Data.my_file->NumberOfSections - 2]->PointerToRawData + New_Data.my_section[New_Data.my_file->NumberOfSections - 2]->SizeOfRawData;
	int size;
	if (New_Data.my_section[New_Data.my_file->NumberOfSections - 2]->Misc.VirtualSize >= New_Data.my_section[New_Data.my_file->NumberOfSections - 2]->SizeOfRawData)
	{
		size = New_Data.my_section[New_Data.my_file->NumberOfSections - 2]->Misc.VirtualSize;
	}
	else
	{
		size = New_Data.my_section[New_Data.my_file->NumberOfSections - 2]->SizeOfRawData;
	}
	size = size / my_data.my_optional->SectionAlignment + my_data.my_optional->SectionAlignment;
	New_Data.my_section[New_Data.my_file->NumberOfSections - 1]->VirtualAddress = New_Data.my_section[New_Data.my_file->NumberOfSections - 2]->VirtualAddress + size;

	FILE* my_file;
	if (fopen_s(&my_file, filename, "wb") == 0)
	{
		fwrite(New_Data.Before_Stretch_Data, 1, Size, my_file);
		cout << "写入成功!" << endl;
		return;
	}
	else
	{
		cout << "打开文件失败" << endl;
		return;
	}
	fclose(my_file);
}


void PE::Readfile(char* filename, Data& my_data)
{
	unsigned int size;
	FILE* datafile;
	void* data;
	//打开文件
	if (fopen_s(&datafile, filename, "rb") != 0)
	{
		cout << "打开文件失败" << endl;
		return;
	}


	else
	{
		//获取文件的大小
		cout << "打开文件成功!" << endl;
		fseek(datafile, 0, SEEK_END);
		size = ftell(datafile);
		fseek(datafile, 0, SEEK_SET);
		if (size == -1L)
		{
			cout << "文件大小判断失败!" << endl;
			return;
		}

		//申请内存空间把文件内容保存下来
		my_data.Before_Stretch_Data = (void*)malloc(size * sizeof(char));

		if (fread_s(my_data.Before_Stretch_Data, size, sizeof(char), size, datafile) == 0)
		{
			cout << "写入数据失败!" << endl;
			return;
		}
		cout << "写入数据成功,成功获取Data!" << endl;
		return;
	}

}

//分析PE结构
void PE::Analyze_PE(Data& data, int num)
{
	if (num == 1)
	{
		if (data.Before_Stretch_Data != nullptr)
		{
			DWORD* Temp_ptr = (DWORD*)data.Before_Stretch_Data;
			data.my_dos = (PIMAGE_DOS_HEADER)Temp_ptr;

			Temp_ptr = (DWORD*)((char*)data.Before_Stretch_Data + data.my_dos->e_lfanew);
			Temp_ptr++;
			data.my_file = (PIMAGE_FILE_HEADER)Temp_ptr;

			Temp_ptr = (DWORD*)((char*)Temp_ptr + 0x14);
			data.my_optional = (PIMAGE_OPTIONAL_HEADER)Temp_ptr;


			Temp_ptr = (DWORD*)((char*)data.my_optional + data.my_file->SizeOfOptionalHeader);
			data.my_section = (PIMAGE_SECTION_HEADER*)malloc(sizeof(PIMAGE_SECTION_HEADER) * data.my_file->NumberOfSections);
			memset(data.my_section, 0, sizeof(PIMAGE_SECTION_HEADER) * data.my_file->NumberOfSections);
			for (int i = 0; i < data.my_file->NumberOfSections; i++)
			{
				data.my_section[i] = (PIMAGE_SECTION_HEADER)Temp_ptr;
				Temp_ptr = (DWORD*)((char*)Temp_ptr + 0x28);
			}
			Analyze_Data_Directory(data);
			return;
		}
		cout << "分析PE结构失败!" << endl;
	}

	if (num == 2)
	{
		if (data.Stretch_Data != nullptr)
		{
			DWORD* Temp_ptr = (DWORD*)data.Stretch_Data;
			data.my_dos = (PIMAGE_DOS_HEADER)Temp_ptr;

			Temp_ptr = (DWORD*)((char*)data.Stretch_Data + data.my_dos->e_lfanew);
			Temp_ptr++;
			data.my_file = (PIMAGE_FILE_HEADER)Temp_ptr;

			Temp_ptr = (DWORD*)((char*)Temp_ptr + 0x14);
			data.my_optional = (PIMAGE_OPTIONAL_HEADER)Temp_ptr;

			Temp_ptr = (DWORD*)((char*)data.my_optional + data.my_file->SizeOfOptionalHeader);
			data.my_section = nullptr;
			data.my_section = (PIMAGE_SECTION_HEADER*)malloc(sizeof(PIMAGE_SECTION_HEADER) * data.my_file->NumberOfSections);
			for (int i = 0; i < data.my_file->NumberOfSections; i++)
			{
				data.my_section[i] = (PIMAGE_SECTION_HEADER)Temp_ptr;
				Temp_ptr = (DWORD*)((char*)Temp_ptr + 0x28);
			}
			Analyze_Data_Directory(data);
			return;
		}
		cout << "分析PE结构失败!" << endl;
	}

	if (num == 3)
	{
		if (data.Shrink_Data != nullptr)
		{
			DWORD* Temp_ptr = (DWORD*)data.Shrink_Data;
			data.my_dos = (PIMAGE_DOS_HEADER)Temp_ptr;

			Temp_ptr = (DWORD*)((char*)data.Shrink_Data + data.my_dos->e_lfanew);
			Temp_ptr++;
			data.my_file = (PIMAGE_FILE_HEADER)Temp_ptr;

			Temp_ptr = (DWORD*)((char*)Temp_ptr + 0x14);
			data.my_optional = (PIMAGE_OPTIONAL_HEADER)Temp_ptr;

			Temp_ptr = (DWORD*)((char*)data.my_optional + data.my_file->SizeOfOptionalHeader);
			data.my_section = (PIMAGE_SECTION_HEADER*)malloc(sizeof(PIMAGE_SECTION_HEADER) * data.my_file->NumberOfSections);
			for (int i = 0; i < data.my_file->NumberOfSections; i++)
			{
				data.my_section[i] = (PIMAGE_SECTION_HEADER)Temp_ptr;
				Temp_ptr = (DWORD*)((char*)Temp_ptr + 0x28);
			}
			Analyze_Data_Directory(data);
			return;
		}
		cout << "分析pe结构失败!" << endl;
	}

}

//拉伸PE结构   注意看PIMAGE_XXX_HEADER的定义,它们本就是指向结构体的指针
void PE::Stretch_PE(Data& my_data)
{
	unsigned Memory_Size = 0;
	Memory_Size = my_data.my_optional->SizeOfImage;
	my_data.Stretch_Data = (void*)malloc(sizeof(char) * Memory_Size);
	memset(my_data.Stretch_Data, 0, Memory_Size);
	void* temp_before_stretch_data_ptr = my_data.Before_Stretch_Data;
	int size_of_dos = 0x40;
	int size_of_junk = 0x40;
	int size_of_file = 0x18;
	unsigned Size_Of_Optional = my_data.my_file->SizeOfOptionalHeader;
	unsigned Size_Of_Section = 0x28;
	unsigned Size_Of_Header = my_data.my_optional->SizeOfHeaders;//还未对齐
	memcpy_s(my_data.Stretch_Data, Memory_Size, my_data.Before_Stretch_Data, Size_Of_Header);
	void* temp_stretch_data = my_data.Stretch_Data;
	//现在计算head头对齐后的大小
	int Size = Size_Of_Header % my_data.my_optional->SectionAlignment;
	Size_Of_Header = my_data.my_optional->SectionAlignment * Size;


	for (int i = 0; i < my_data.my_file->NumberOfSections; i++)
	{
		temp_stretch_data = (void*)((char*)my_data.Stretch_Data + my_data.my_section[i]->VirtualAddress);
		temp_before_stretch_data_ptr = (void*)((char*)my_data.Before_Stretch_Data + my_data.my_section[i]->PointerToRawData);
		memcpy_s(temp_stretch_data, my_data.my_section[i]->SizeOfRawData, temp_before_stretch_data_ptr, my_data.my_section[i]->SizeOfRawData);
	}
	cout << "拉伸成功" << endl;
}



void PE::Shrink_PE(Data& my_data)
{
	unsigned int Size = 0;
	Size = my_data.my_section[my_data.my_file->NumberOfSections - 1]->PointerToRawData + my_data.my_section[my_data.my_file->NumberOfSections - 1]->SizeOfRawData;
	my_data.Shrink_Data = (void*)malloc(Size);
	memset(my_data.Shrink_Data, 0, Size);
	//从Stretch_Data缩小

	//复制Heads
	memcpy_s(my_data.Shrink_Data, my_data.my_optional->SizeOfHeaders, my_data.Stretch_Data, my_data.my_optional->SizeOfHeaders);

	//复制节
	void* temp_shrink_data_ptr = my_data.Shrink_Data;
	void* temp_stretch_data_ptr = my_data.Stretch_Data;
	for (int i = 0; i < my_data.my_file->NumberOfSections; i++)
	{
		temp_shrink_data_ptr = (void*)((char*)my_data.Shrink_Data + my_data.my_section[i]->PointerToRawData);
		temp_stretch_data_ptr = (void*)((char*)my_data.Stretch_Data + my_data.my_section[i]->VirtualAddress);
		memcpy_s(temp_shrink_data_ptr, my_data.my_section[i]->SizeOfRawData, temp_stretch_data_ptr, my_data.my_section[i]->SizeOfRawData);
	}
	cout << "缩小成功" << endl;
	return;

}


int main()
{
	char filename[100] = "Dll1.dll";
	PE my_pe;
	Data my_data;
	my_pe.Readfile(filename, my_data);
	my_pe.Analyze_PE(my_data, 1);   //char*& Data, PIMAGE_DOS_HEADER& dos, PIMAGE_FILE_HEADER& file, PIMAGE_OPTIONAL_HEADER32& optional, PIMAGE_SECTION_HEADER*& section
	my_pe.Stretch_PE(my_data);
	my_pe.Analyze_PE(my_data, 2);
	my_pe.Shrink_PE(my_data);
	my_pe.Analyze_Data_Directory(my_data);
	my_pe.Print_IMAGE_DATA_DIRECTORY(my_data);
	//my_pe.Print_ExportTable(my_data);
	//cout << "转化的文件偏移是" << hex << my_pe.Rva_To_Foa(0x3100, my_data) << endl;
	((void(*)())addr)();//调用
	//HMODULE hDll = GetModuleHandleA("Dll1.dll");
	//my_pe.GetFunctionAddrByName(my_data, (char*)"Print");
	//my_pe.GetFunctionAddrByOrdinal(my_data, 14);
	my_pe.Print_ExportTable(my_data);
	cout << hex << "0x" << my_pe.Rva_To_Foa(0x6000, my_data) << endl;
	my_pe.Print_Relocation(my_data);
	cout << hex << my_pe.Rva_To_Foa(0x1b0e0, my_data) << endl;
	//my_pe.Remove_Export_Table(my_data);
	my_pe.Remove_Relocation(my_data);
	return 0;
}


 



 


 

你可能感兴趣的:(滴水逆向,逆向,c++)