Let's try modifying a PE file on disk. Two functions are involved: WriteFile and SetFilePointer.
First, a look at these two functions:
```c
DWORD WINAPI SetFilePointer(
    __in        HANDLE hFile,
    __in        LONG   lDistanceToMove,
    __inout_opt PLONG  lpDistanceToMoveHigh,
    __in        DWORD  dwMoveMethod
);
```
hFile [in]
A handle to the file.
The file handle must be created with the GENERIC_READ or GENERIC_WRITE access right. For more information, see File Security and Access Rights.

lDistanceToMove [in]
The low-order 32 bits of a signed value that specifies the number of bytes to move the file pointer.
If lpDistanceToMoveHigh is not NULL, lpDistanceToMoveHigh and lDistanceToMove form a single 64-bit signed value that specifies the distance to move.
If lpDistanceToMoveHigh is NULL, lDistanceToMove is a 32-bit signed value. A positive value for lDistanceToMove moves the file pointer forward in the file, and a negative value moves the file pointer back.

lpDistanceToMoveHigh [in, out, optional]
A pointer to the high-order 32 bits of the signed 64-bit distance to move.
If you do not need the high-order 32 bits, this pointer must be set to NULL.
When not NULL, this parameter also receives the high-order DWORD of the new value of the file pointer. For more information, see the Remarks section in this topic.

dwMoveMethod [in]
The starting point for the file pointer move.
This parameter can be one of the following values.

Value | Meaning
---|---
FILE_BEGIN | The starting point is zero or the beginning of the file.
FILE_CURRENT | The starting point is the current value of the file pointer.
FILE_END | The starting point is the current end-of-file position.
http://blog.csdn.net/ITLionWoo/article/details/659492
Once the file pointer has been set, we write into the file:
Syntax

```c
BOOL WINAPI WriteFile(
    __in        HANDLE       hFile,
    __in        LPCVOID      lpBuffer,
    __in        DWORD        nNumberOfBytesToWrite,
    __out_opt   LPDWORD      lpNumberOfBytesWritten,
    __inout_opt LPOVERLAPPED lpOverlapped
);
```
Parameters

hFile [in]
A handle to the file or I/O device (for example, a file, file stream, physical disk, volume, console buffer, tape drive, socket, communications resource, mailslot, or pipe).
The hFile parameter must have been created with write access. For more information, see Generic Access Rights and File Security and Access Rights.
For asynchronous write operations, hFile can be any handle opened with the CreateFile function using the FILE_FLAG_OVERLAPPED flag or a socket handle returned by the socket or accept function.

lpBuffer [in]
A pointer to the buffer containing the data to be written to the file or device.
This buffer must remain valid for the duration of the write operation. The caller must not use this buffer until the write operation is completed.

nNumberOfBytesToWrite [in]
The number of bytes to be written to the file or device.
A value of zero specifies a null write operation. The behavior of a null write operation depends on the underlying file system or communications technology.
Windows Server 2003 and Windows XP: Pipe write operations across a network are limited in size per write. The amount varies per platform. For x86 platforms it's 63.97 MB. For x64 platforms it's 31.97 MB. For Itanium it's 63.95 MB. For more information regarding pipes, see the Remarks section.

lpNumberOfBytesWritten [out, optional]
A pointer to the variable that receives the number of bytes written when using a synchronous hFile parameter. WriteFile sets this value to zero before doing any work or error checking. Use NULL for this parameter if this is an asynchronous operation to avoid potentially erroneous results.
This parameter can be NULL only when the lpOverlapped parameter is not NULL.
For more information, see the Remarks section.

lpOverlapped [in, out, optional]
A pointer to an OVERLAPPED structure is required if the hFile parameter was opened with FILE_FLAG_OVERLAPPED; otherwise this parameter can be NULL.
For an hFile that supports byte offsets, if you use this parameter you must specify a byte offset at which to start writing to the file or device. This offset is specified by setting the Offset and OffsetHigh members of the OVERLAPPED structure. For an hFile that does not support byte offsets, Offset and OffsetHigh are ignored.
To write to the end of file, specify both the Offset and OffsetHigh members of the OVERLAPPED structure as 0xFFFFFFFF. This is functionally equivalent to previously calling the CreateFile function to open hFile using FILE_APPEND_DATA access.
For more information about different combinations of lpOverlapped and FILE_FLAG_OVERLAPPED, see the Remarks section and the Synchronization and File Position section.
To understand the last two parameters, we first need the notions of synchronous and asynchronous operation.
"Synchronous" and "asynchronous" are used here in a narrow sense, only as they apply to this function.
If we set the last parameter, lpOverlapped, to NULL, the call is synchronous: the function does not return until the data has been written.
If we want an asynchronous call, the file must first have been opened with CreateFile using the FILE_FLAG_OVERLAPPED flag, and the last parameter must then point to an OVERLAPPED structure.
In an asynchronous operation the function does not wait for the data to be written before execution continues; it carries on whether or not the write has finished. That is what "asynchronous" means here, and it amounts to multithreaded-style processing.
Our ordinary use does not need asynchronous operation, so we simply set the last parameter to NULL.
So what is the second-to-last parameter for?
lpNumberOfBytesWritten: if the write succeeds, the number of bytes actually written is stored in the variable this pointer points to.
If we set the last parameter to NULL, that is, we are doing a synchronous write, this parameter must be supplied.
If the last parameter points to an OVERLAPPED structure (an asynchronous write), this parameter may be NULL.
For anything I have not explained clearly, you can also refer to this blog:
http://www.cppblog.com/SpringSnow/archive/2009/02/09/73334.html
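As an added example (not code from the original post), here is a C helper that patches a file on disk the way the post describes: seek from FILE_BEGIN with SetFilePointer, write synchronously with WriteFile and lpOverlapped set to NULL, and treat anything other than an exact byte count as failure; checking the DOS "MZ" signature before patching and reading the patch back afterwards are the safety checks a practitioner would want. The non-Windows `#else` branch, the `bytes_at_equal` and `make_stub` helpers and the 64-byte stub file are my own assumptions added so the example builds and runs outside Windows; the stub is a constructed sample, not a real executable.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <fcntl.h>
#include <unistd.h>
#endif

/* Synchronously overwrite len bytes at byte offset off of an existing file; 0 on success, -1 on any failure, including a short write. */
int patch_file(const char *path, long off, const void *buf, unsigned len) {
#ifdef _WIN32
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) return -1;
    /* lpDistanceToMoveHigh is NULL, so off is a 32-bit signed distance from FILE_BEGIN. */
    DWORD pos = SetFilePointer(h, off, NULL, FILE_BEGIN);
    if (pos == INVALID_SET_FILE_POINTER && GetLastError() != NO_ERROR) {
        CloseHandle(h); return -1;
    }
    DWORD written = 0; /* required because lpOverlapped is NULL (synchronous write) */
    BOOL ok = WriteFile(h, buf, len, &written, NULL);
    CloseHandle(h);
    return (ok && written == len) ? 0 : -1;
#else /* assumed non-Windows fallback with the same seek-then-write shape, so the example builds anywhere */
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    int ok = lseek(fd, off, SEEK_SET) == off && write(fd, buf, len) == (ssize_t)len;
    close(fd); return ok ? 0 : -1;
#endif
}

/* 1 if the len bytes at off equal expect, else 0. Used to check the "MZ" signature before patching and to read the patch back. */
int bytes_at_equal(const char *path, long off, const void *expect, unsigned len) {
    unsigned char back[64];
    FILE *f = fopen(path, "rb");
    if (!f || len > sizeof back) return 0;
    int ok = fseek(f, off, SEEK_SET) == 0 && fread(back, 1, len, f) == len;
    fclose(f);
    return ok && memcmp(back, expect, len) == 0;
}

/* Constructed sample input: a 64-byte file that starts with "MZ" and is otherwise zero (not a real PE). */
int make_stub(const char *path) {
    unsigned char stub[64] = {'M', 'Z'};
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    int ok = fwrite(stub, 1, sizeof stub, f) == sizeof stub;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}
```

A caller should refuse to patch when `bytes_at_equal(path, 0, "MZ", 2)` returns 0, and treat a non-zero result from `patch_file` or a failed read-back as a sign the file on disk is not in the expected state.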