A Simple PE Test

 摘自http://book.csdn.net/bookfiles/212/10021210203.shtml

1. // Pe.h: 定义CPe类
3. //
4. #include <io.h>
5. #include <fcntl.h>
6. #include <sys/stat.h>
8. typedef struct PE_HEADER_MAP
9. {
10.     DWORD signature;
11.     IMAGE_FILE_HEADER _head;
12.     IMAGE_OPTIONAL_HEADER opt_head;
13.     IMAGE_SECTION_HEADER section_header[6];
14. } peHeader;
16. class CPe  
17. {
18. public:
19.     CPe();
20.     virtual ~CPe();
22. public: 
23.     void CalcAddress(const void *base);
24.     void ModifyPe(CString strFileName,CString strMsg);
25. //    void WriteFile(CString strFileName,CString strMsg);
26.     void WriteFile(CString strFileName);
27.     BOOL WriteNewEntry(int ret,long offset,DWORD dwAddress);
28.     BOOL WriteMessageBox(int ret,long offset,CString strCap,CString strTxt);
29.     CString StrOfDWord(DWORD dwAddress);
31. public:
32.     DWORD dwSpace;
33.     DWORD dwEntryAddress;
34.     DWORD dwEntryWrite;
35.     DWORD dwProgRAV;
36.     DWORD dwOldEntryAddress;
37.     DWORD dwNewEntryAddress;
38.     DWORD dwCodeOffset;
39.     DWORD dwPeAddress;
40.     DWORD dwFlagAddress;
41.     DWORD dwVirtSize;
42.     DWORD dwPhysAddress;
43.     DWORD dwPhysSize;
44.     DWORD dwMessageBoxAadaddress;
45. };
47. #endif

 

1. // Pe.cpp: 实现 CPe类
2. //
3. #include "stdafx.h"
4. #include "Pe.h"
5. CPe::CPe()
6. {
8. }
10. CPe::~CPe()
11. {
13. }
15. void CPe::ModifyPe(CString strFileName,CString strMsg)
16. {
17.     CString strErrMsg;
18.     HANDLE hFile, hMapping;
19.     void *basepointer; 
20.     // 打开要修改的文件
21.     if ((hFile = CreateFile(strFileName, GENERIC_READ|GENERIC_WRITE, 
22.         FILE_SHARE_READ|FILE_SHARE_WRITE, 0, 
23.         OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, 0)) == INVALID_HANDLE_VALUE)
24.     {
25.         AfxMessageBox("Could not open file.");
26.         return;
27.     }
29.     // 创建一个映射文件
31.     if (!(hMapping = CreateFileMapping(hFile, 0, PAGE_READONLY | SEC_COMMIT, 0, 0, 0)))
32.     {
33.         AfxMessageBox("Mapping failed.");
34.         CloseHandle(hFile);
35.         return;
36.     }
38.     // 把文件头映象存入baseointer
39.     if (!(basepointer = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0)))
40.     {
41.         AfxMessageBox("View failed.");
42.         CloseHandle(hMapping);
43.         CloseHandle(hFile);
44.         return;
45.     }
47.     CloseHandle(hMapping);
48.     CloseHandle(hFile);
49.     CalcAddress(basepointer); // 得到相关地址
50.     UnmapViewOfFile(basepointer);  
51.     if(dwSpace<50)
52.     {
53.         AfxMessageBox("No room to write the data!");
54.     }
55.     else
56.     {
57.      //   WriteFile(strFileName,strMsg); // 写文件
58.         WriteFile(strFileName);
59.     }
60.     
61.     if ((hFile = CreateFile(strFileName, GENERIC_READ|GENERIC_WRITE, 
62.         FILE_SHARE_READ|FILE_SHARE_WRITE,0, 
63.         OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, 0)) == INVALID_HANDLE_VALUE)
64.     {
65.         AfxMessageBox("Could not open file.");
66.         return;
67.     } 
68.     CloseHandle(hFile);
69. }
71. void CPe::CalcAddress(const void *base)
72. {
73.     IMAGE_DOS_HEADER * dos_head =(IMAGE_DOS_HEADER *)base;
74.     if (dos_head->e_magic != IMAGE_DOS_SIGNATURE)
75.     {
76.         AfxMessageBox("Unknown type of file.");
77.         return;
78.     }    
79.     peHeader * header;
80.     // 得到PE文件头
81.     header = (peHeader *)((char *)dos_head + dos_head->e_lfanew);
82.     if(IsBadReadPtr(header, sizeof(*header)))
83.     {
84.         AfxMessageBox("No PE header, probably DOS executable.");
85.         return;
86.     }
88.     DWORD mods;
89.     char tmpstr[4]={0};
90.     if(strstr((const char *)header->section_header[0].Name,".text")!= NULL)
91.     {
92.         // 此段的真实长度
93.         dwVirtSize=header->section_header[0].Misc.VirtualSize;
94.         // 此段的物理偏移
95.         dwPhysAddress=header->section_header[0].PointerToRawData;
96.         // 此段的物理长度
97.         dwPhysSize=header->section_header[0].SizeOfRawData;       
98.         // 得到PE文件头的开始偏移
99.         dwPeAddress=dos_head->e_lfanew;        
100.         // 得到代码段的可用空间，用以判断可不可以写入我们的代码
101.         // 用此段的物理长度减去此段的真实长度就可以得到
102.         dwSpace=dwPhysSize-dwVirtSize;
103.         // 得到程序的装载地址，一般为0x400000
104.         dwProgRAV=header->opt_head.ImageBase; 
105.         // 得到代码偏移，用代码段起始RVA减去此段的物理偏移
106.         // 应为程序的入口计算公式是一个相对的偏移地址，计算公式为：
107.         // 代码的写入地址+dwCodeOffset
108.         dwCodeOffset=header->opt_head.BaseOfCode-dwPhysAddress;        
109.         // 代码写入的物理偏移
110.         dwEntryWrite=header->section_header[0].PointerToRawData+header->
111.             section_header[0].Misc.VirtualSize;
112.         //对齐边界
113.         mods=dwEntryWrite%16;
114.         if(mods!=0)
115.         {
116.             dwEntryWrite+=(16-mods);
117.         }
118.         // 保存旧的程序入口地址
119.         dwOldEntryAddress=header->opt_head.AddressOfEntryPoint;
120.         // 计算新的程序入口地址        
121.         dwNewEntryAddress=dwEntryWrite+dwCodeOffset;
122.         return;
123.     }
124. }  
126. CString CPe::StrOfDWord(DWORD dwAddress)
127. {
128.     unsigned char waddress[4]={0};  
129.     waddress[3]=(char)(dwAddress>>24)&0xFF;
130.     waddress[2]=(char)(dwAddress>>16)&0xFF;
131.     waddress[1]=(char)(dwAddress>>8)&0xFF;
132.     waddress[0]=(char)(dwAddress)&0xFF;
133.     return waddress;
134. }
136. BOOL CPe::WriteNewEntry(int ret,long offset, DWORD dwAddress)
137. {
138.     CString strErrMsg;
139.     long retf;
140.     unsigned char waddress[4]={0};
141.     retf=_lseek(ret,offset,SEEK_SET);
142.     if(retf==-1)
143.     {
144.         AfxMessageBox("Error seek.");
145.         return FALSE;
146.     }
147.     memcpy(waddress,StrOfDWord(dwAddress),4);
148.     retf=_write(ret,waddress,4);
149.     if(retf==-1)
150.     {
151.         strErrMsg.Format("Error write: %d",GetLastError());
152.         AfxMessageBox(strErrMsg);
153.         return FALSE;
154.     }
155.     return TRUE;
156. }
158. BOOL CPe::WriteMessageBox(int ret,long offset,CString strCap,CString strTxt)
159. {
160.     CString strAddress1,strAddress2;
161.     unsigned char waddress[4]={0};
162.     DWORD dwAddress;
163.     // 获取MessageBox在内存中的地址
164.     HINSTANCE gLibMsg=LoadLibrary("user32.dll"); 
165.     dwMessageBoxAadaddress=(DWORD)GetProcAddress(gLibMsg,"MessageBoxA");
166.     // 计算校验位
167.     int nLenCap1 =strCap.GetLength()+1;   // 加上字符串后面的结束位
168.     int nLenTxt1 =strTxt.GetLength()+1;   // 加上字符串后面的结束位
169.     int nTotLen=nLenCap1+nLenTxt1+24;
170.     // 重新计算MessageBox函数的地址
171.     dwAddress=dwMessageBoxAadaddress-(dwProgRAV+dwNewEntryAddress+nTotLen-5);
172.     strAddress1=StrOfDWord(dwAddress);
173.     // 计算返回地址
174.     dwAddress=0-(dwNewEntryAddress-dwOldEntryAddress+nTotLen);
175.     strAddress2=StrOfDWord(dwAddress);
176.     // 对话框头代码(固定)
177.     unsigned char cHeader[2]={0x6a,0x40};
178.     // 标题定义
179.     unsigned char cDesCap[5]={0xe8,nLenCap1,0x00,0x00,0x00}; 
180.     // 内容定义
181.     unsigned char cDesTxt[5]={0xe8,nLenTxt1,0x00,0x00,0x00};  
182.     // 对话框后部分的代码段
183.     unsigned char cFix[12]
184.         ={0x6a,0x00,0xe8,0x00,0x00,0x00,0x00,0xe9,0x00,0x00,0x00,0x00};  
185.     // 修改对话框后部分的代码段
186.     for(int i=0;i<4;i++)
187.         cFix[3+i]=strAddress1.GetAt(i);
188.     for(i=0;i<4;i++)
189.         cFix[8+i]=strAddress2.GetAt(i);
190.     char* cMessageBox=new char[nTotLen];
191.     char* cMsg; 
193.     // 生成对话框命令字符串
194.     memcpy((cMsg  = cMessageBox),(char*)cHeader,2);
195.     memcpy((cMsg += 2),cDesCap,5);
196.     memcpy((cMsg += 5),strCap,nLenCap1);
197.     memcpy((cMsg += nLenCap1),cDesTxt,5);
198.     memcpy((cMsg += 5),strTxt,nLenTxt1);
199.     memcpy((cMsg += nLenTxt1),cFix,12);
200.     // 向应用程序写入对话框代码
201.     CString strErrMsg;
202.     long retf;
203.     retf=_lseek(ret,(long)dwEntryWrite,SEEK_SET);
204.     if(retf==-1)
205.     {
206.         delete[] cMessageBox;
207.         AfxMessageBox("Error seek.");
208.         return FALSE;
209.     }
211.     retf=_write(ret,cMessageBox,nTotLen);
212.     if(retf==-1)
213.     {
214.         delete[] cMessageBox;
215.         strErrMsg.Format("Error write: %d",GetLastError());
216.         AfxMessageBox(strErrMsg);
217.         return FALSE;
218.     }
219.     delete[] cMessageBox;
220.     return TRUE;
221. }
223. void CPe::WriteFile(CString strFileName)
224. {
225.     CString strAddress1,strAddress2;
226.     int ret;
227.     unsigned char waddress[4]={0};  
228.     ret=_open(strFileName,_O_RDWR | _O_CREAT | _O_BINARY,_S_IREAD | _S_IWRITE);
229.     if(!ret)
230.     {
231.         AfxMessageBox("Error open");
232.         return;
233.     }
234.     // 把新的入口地址写入文件,程序的入口地址在偏移PE文件头开始第40位
235.     if(!WriteNewEntry(ret,(long)(dwPeAddress+40),dwNewEntryAddress)) 
236.         return;
237.     // 把对话框代码写入到应用程序中
238.     if(!WriteMessageBox(ret,(long)dwEntryWrite,"Test","We are the world!")) 
239.         return;
240.      _close(ret);
241. }