PE Write Section(写入一个节)

whypro

/*
                        . .: .:.. :.. .. .:.::. :. ..:
                      <<-==苒圹圹?苒圹圹?苒圹圹?==<
                       .:: 圹?圹?圹?圹?圹?圹?.:.
                       . .:.苘苒圻.咣圹圹?圹圹圹?..
                        ...圹圮苘?苘苘圹?圹?圹?::.
                       >===圹圹圹?圹圹圹?圹?圹?->>
                      .: .:.. ..:. .: ..:.::. ::.. :.:.

                                  [PEWRSEC]
                    PE Write Section, by Jacky Qwerty/29A


Here's a new utility from 29A. This program simply sets the  write bit to a
section in a PE file. This is needed when you need write access to the code
section in a  first generation sample,  for instance.  There is one utility
from the SDK (EDITBIN) which does exactly the same thing with PE filez, but
it needs some huge DLLz from VC to work.  On the other hand, PEWRSEC can be
compiled as a stupid COM file. Hope this will be handy enough for you ;)

                                                                          */



29A杂志里的一篇文章，通过c语言文件操作来搞定添加新节的功能。
VC++编译成功！

23.zip (215.71 KB, 下载次数: 0)

2010-5-26 14:03 上传

点击文件名下载附件

whypro

1. /*- -[PEWRSEC.C]- - - - - - - - - - - - - - - - - - - - - - - - - - - ->8 */
   
2. 
   
3. #include <errno.h>
   
4. #include <stdio.h>
   
5. #include <stdlib.h>
   
6. #include <string.h>
   
7. #include "types.h"
   
8. #include "mz.h"
   
9. #include "pe.h"
   
10. 
    
11. #define SizeBuffMZ sizeof(IMAGE_DOS_HEADER)
    
12. #define SizeBuffPE (4 + IMAGE_SIZEOF_FILE_HEADER + IMAGE_SIZEOF_STD_OPTIONAL_HEADER)
    
13. #define SizeBuffSH IMAGE_SIZEOF_SECTION_HEADER
    
14. #define SizeBuffMax max(SizeBuffMZ, max(SizeBuffPE, SizeBuffSH))
    
15. 
    
16. INT Strncmpz(BYTE *S1, BYTE *S2, INT Count) {
    
17.   while (Count--) {
    
18.     if (*S1 < *S2) return -1;  // This fucntion doesnt seem to be implemented
    
19.     if (*S1 > *S2++) return 1; // in the standard C string library, It combines
    
20.     if (!*S1++) break; }       // the funtionality of "strcmp" and "strncmp".
    
21.   return 0;
    
22. }
    
23. 
    
24. INT main(INT argc, CHAR *argv[]) {
    
25.   FILE *File;
    
26.   INT RetValue = 1;
    
27.   PCHAR SecName = NULL, FileName = NULL;
    
28.   WORD Sections;
    
29.   PIMAGE_DOS_HEADER pMZ;
    
30.   PIMAGE_NT_HEADERS pPE;
    
31.   PIMAGE_SECTION_HEADER pSH;
    
32.   CHAR Buffer[SizeBuffMax];
    
33.   printf("PEWRSEC - Sets the WRITE bit to a PE section - (c) 1997 jqwerty/29A\n\n");
    
34.   if (argc != 2 && argc != 3) {
    
35.     printf("  Syntax: PEWRSEC [/SEC:<SectionName>] <FileName>  (default: code section)\n");
    
36.     Ret: return RetValue; }
    
37.   while (--argc) {
    
38.     if (*argv[argc] != '/') {
    
39.       if ((FileName = argv[argc]) == NULL) { printf("No filename specified\n"); goto Ret; } }
    
40.     else if (!strncmpi(argv[argc] + 1, "SEC:", 4)) SecName = argv[argc] + 5;
    
41.          else { printf("Unknown option '%s'\n", argv[argc]); goto Ret; } }
    
42.   if ((File = fopen(FileName, "rb+")) == 0) {
    
43.     printf("Can't open '%s'\n", FileName); goto Ret; }
    
44.   if (!fread(pMZ = (PIMAGE_DOS_HEADER)Buffer, SizeBuffMZ, 1, File)) {
    
45.     ReadErr:
    
46.       if (!feof(File)) { printf("Error reading file\n"); CloseFile: fclose(File); goto Ret; }
    
47.       else { InvalidPE: printf("Not a valid PE file\n"); goto CloseFile; } }
    
48.   if (pMZ->e_magic != IMAGE_DOS_SIGNATURE) goto InvalidPE;
    
49.   if (fseek(File, pMZ->e_lfanew, SEEK_SET)) {
    
50.     SeekErr:
    
51.       if (errno != EBADF) { printf("Error in file seek\n"); goto CloseFile; }
    
52.       else goto InvalidPE; }
    
53.   if (!fread(pPE = (PIMAGE_NT_HEADERS)Buffer, SizeBuffPE, 1, File)) goto ReadErr;
    
54.   if (pPE->Signature != IMAGE_NT_SIGNATURE || !(Sections = pPE->FileHeader.NumberOfSections)) goto InvalidPE;
    
55.   if (fseek(File, FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader) + pPE->FileHeader.SizeOfOptionalHeader - SizeBuffPE, SEEK_CUR)) goto SeekErr;
    
56.   do {
    
57.     if (!fread(pSH = (PIMAGE_SECTION_HEADER)Buffer, SizeBuffSH, 1, File)) goto ReadErr;
    
58.     if (SecName) { if (!Strncmpz(SecName, pSH->Name, 8)) break; }
    
59.     else if (pSH->VirtualAddress <= pPE->OptionalHeader.AddressOfEntryPoint && pPE->OptionalHeader.AddressOfEntryPoint < pSH->VirtualAddress + pSH->Misc.VirtualSize) break;
    
60.   } while (--Sections);               
    
61.   if (!Sections) { printf("Section not found\n"); goto CloseFile; }
    
62.   if (!(pSH->Characteristics & IMAGE_SCN_MEM_WRITE)) {
    
63.     pSH->Characteristics |= IMAGE_SCN_MEM_WRITE;
    
64.     if (fseek(File, - SizeBuffSH, SEEK_CUR)) goto SeekErr;
    
65.     if (!fwrite(pSH, SizeBuffSH, 1, File) || fflush(File)) {
    
66.       printf("Error writing file\n"); goto CloseFile; } }
    
67.   printf("Ok\n"); RetValue = 0; goto CloseFile;
    
68. }
    

复制代码

主程序就这么两行?我们一行一行分析！

whypro

3-9行是文件头
#include <errno.h>

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include "types.h"<------------自定义类型

#include "mz.h"<------------dos文件头

#include "pe.h" <------------pe文件头

whypro

11-14行
参考pe.h文件头
#define SizeBuffMZ sizeof(IMAGE_DOS_HEADER)
返回IMAGE_DOS_HEADER大小存入SizeBuffMZ
#define SizeBuffPE (4 + IMAGE_SIZEOF_FILE_HEADER + IMAGE_SIZEOF_STD_OPTIONAL_HEADER)
IMAGE_NT_HEADERS大小存入SizeBuffPE
#define SizeBuffSH IMAGE_SIZEOF_SECTION_HEADER
IMAGE_SECTION_HEADER大小存入SizeBuffSH
#define SizeBuffMax max(SizeBuffMZ, max(SizeBuffPE, SizeBuffSH))
#define max(a,b)    (((a) > (b)) ? (a) : (b))
返回最大那个存SizeBuffMax

whypro

16-22行
自定义函数比较两个字符的大小！
INT Strncmpz(BYTE *S1, BYTE *S2, INT Count) {

  while (Count--) {

    if (*S1 < *S2) return -1;  // This fucntion doesnt seem to be implemented

    if (*S1 > *S2++) return 1; // in the standard C string library, It combines

    if (!*S1++) break; }       // the funtionality of "strcmp" and "strncmp".

  return 0;

}

和它的功能差不多一样
int strncmp ( const char * str1, const char * str2, size_t num );

#include <stdio.h>
#include <string.h>

int main ()
{
  char str[][5] = { "R2D2" , "C3PO" , "R2A6" };
  int n;
  puts ("Looking for R2 astromech droids...");
  for (n=0 ; n<3 ; n++)
    if (strncmp (str[n],"R2xx",2) == 0)
    {
      printf ("found %s\n",str[n]);
    }
  return 0;
}
Looking for R2 astromech droids...
found R2D2
found R2A6

whypro

24-36行
INT main(INT argc, CHAR *argv[]) {

  FILE *File;

  INT RetValue = 1;

  PCHAR SecName = NULL, FileName = NULL;

  WORD Sections;

  PIMAGE_DOS_HEADER pMZ;

  PIMAGE_NT_HEADERS pPE;

  PIMAGE_SECTION_HEADER pSH;

  CHAR Buffer[SizeBuffMax];
_________________________________分割线       结构，变量，数组都有体现 ——————————————————————
  printf("PEWRSEC - Sets the WRITE bit to a PE section - (c) 1997 jqwerty/29A\n\n");

  if (argc != 2 && argc != 3) {

    printf("  Syntax: PEWRSEC [/SEC:<SectionName>] <FileName>  (default: code section)\n");

    Ret: return RetValue; }
命令行参数argc请看 我以前发的贴 好了 就剩printf了自己玩吧！

whypro

37-41行
while (--argc) {
    if (*argv[argc] != '/') {
      if ((FileName = argv[argc]) == NULL) { printf("No filename specified\n"); goto Ret; } }
    else if (!Strncmpz(argv[argc] + 1, "SEC:", 4)) SecName = argv[argc] + 5;
         else { printf("Unknown option '%s'\n", argv[argc]); goto Ret; } }

whypro

if ((File = fopen(FileName, "rb+")) == 0) {
    printf("Can't open '%s'\n", FileName); goto Ret; }
  if (!fread(pMZ = (PIMAGE_DOS_HEADER)Buffer, SizeBuffMZ, 1, File)) {
    ReadErr:
      if (!feof(File)) { printf("Error reading file\n"); CloseFile: fclose(File); goto Ret; }
      else { InvalidPE: printf("Not a valid PE file\n"); goto CloseFile; } }
  if (pMZ->e_magic != IMAGE_DOS_SIGNATURE) goto InvalidPE;
  if (fseek(File, pMZ->e_lfanew, SEEK_SET)) {
    SeekErr:
      if (errno != EBADF) { printf("Error in file seek\n"); goto CloseFile; }
      else goto InvalidPE; }
  if (!fread(pPE = (PIMAGE_NT_HEADERS)Buffer, SizeBuffPE, 1, File)) goto ReadErr;
  if (pPE->Signature != IMAGE_NT_SIGNATURE || !(Sections = pPE->FileHeader.NumberOfSections)) goto InvalidPE;
  if (fseek(File, FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader) + pPE->FileHeader.SizeOfOptionalHeader - SizeBuffPE, SEEK_CUR)) goto SeekErr;

whypro

do {
    if (!fread(pSH = (PIMAGE_SECTION_HEADER)Buffer, SizeBuffSH, 1, File)) goto ReadErr;
    if (SecName) { if (!Strncmpz(SecName, pSH->Name, 8)) break; }
    else if (pSH->VirtualAddress <= pPE->OptionalHeader.AddressOfEntryPoint && pPE->OptionalHeader.AddressOfEntryPoint < pSH->VirtualAddress + pSH->Misc.VirtualSize) break;
  } while (--Sections);

whypro

if (!Sections) { printf("Section not found\n"); goto CloseFile; }
  if (!(pSH->Characteristics & IMAGE_SCN_MEM_WRITE)) {
    pSH->Characteristics |= IMAGE_SCN_MEM_WRITE;
    if (fseek(File, - SizeBuffSH, SEEK_CUR)) goto SeekErr;
    if (!fwrite(pSH, SizeBuffSH, 1, File) || fflush(File)) {
      printf("Error writing file\n"); goto CloseFile; } }
  printf("Ok\n"); RetValue = 0; goto CloseFile;