《 encryption and decryption 》 Shells in books , But to make a deep impression, I'd like to write it by hand

When copying the code, I suddenly think of one I have seen before VS plug-in unit , Code highlighting , Automatic completion and other functions are quite perfect , It's a lot easier to write code ..

Shell process ( Write and update ):

1 Load each block of the file into memory according to the memory alignment

3 Dump input table

Source code :

void LoadFile(char *szFileName) { HANDLE hFile; IMAGE_DOS_HEADER dosHeader;
IMAGE_NT_HEADERS ntHeader; PIMAGE_SECTION_HEADER psecHeader; long nFileSize;
long nFileAlign; long nSectionAlign; long nNTHeaderSize; int nHeaderSize; int
nSectionNum; int nIndex; long nRawDataSize; long nRawDataOffset; long
nVirtualAddress; long nVirtualSize; unsigned long NumberOfBytesRead; // Read file information
hFile=CreateFile(szFileName,GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
if(hFile==INVALID_HANDLE_VALUE) { //printf(" fail to open file \n"); }
ReadFile(hFile,&dosHeader,sizeof(dosHeader),&NumberOfBytesRead,NULL); // judge MZ sign
if (dosHeader.e_magic!=0x5A4D) { //Not Standard PE File }
SetFilePointer(hFile,dosHeader.e_lfanew,NULL,FILE_BEGIN);
ReadFile(hFile,&ntHeader,sizeof(ntHeader),&NumberOfBytesRead,NULL); // judge PE sign if
(ntHeader.Signature!=0x4550) { //Not Standard PE File }
nFileSize=GetFileSize(hFile,NULL);
nSectionNum=ntHeader.FileHeader.NumberOfSections;
m_nImageSize=ntHeader.OptionalHeader.SizeOfImage;
nFileAlign=ntHeader.OptionalHeader.FileAlignment;
nSectionAlign=ntHeader.OptionalHeader.SectionAlignment;
nHeaderSize=ntHeader.OptionalHeader.SizeOfHeaders; // This is the size of the block table from the beginning to the block table
m_nImageSize=Align_Size(m_nImageSize,nSectionAlign);
m_pImageBase=(char*)malloc(m_nImageSize); memset(m_pImageBase,0,m_nImageSize);
SetFilePointer(hFile,0,NULL,FILE_BEGIN);
ReadFile(hFile,m_pImageBase,nHeaderSize,&NumberOfBytesRead,NULL);
m_pntHeaders=(PIMAGE_NT_HEADERS)((DWORD)m_pImageBase+dosHeader.e_lfanew);
nNTHeaderSize=sizeof(ntHeader.Signature)+sizeof(ntHeader.FileHeader)+ntHeader.FileHeader.SizeOfOptionalHeader;
// Because the number of data directory is not necessarily, it needs to be calculated by yourself
m_psecHeaders=(PIMAGE_SECTION_HEADER)((DWORD)m_pntHeaders+nNTHeaderSize);
// Copy the data of each section to the corresponding location
for(nIndex=0,psecHeader=m_psecHeaders;nIndex<nSectionNum;++nIndex,++psecHeader)
{ nRawDataSize=psecHeader->SizeOfRawData;
nRawDataOffset=psecHeader->PointerToRawData;
nVirtualAddress=psecHeader->VirtualAddress;
nVirtualSize=psecHeader->Misc.VirtualSize;
SetFilePointer(hFile,nRawDataOffset,NULL,FILE_BEGIN);
ReadFile(hFile,&m_pImageBase[nVirtualAddress],nRawDataSize,&NumberOfBytesRead,NULL);
} // This points to the last section , Save additional data by the way SaveExtraData(hFile,psecHeader,nFileSize); } long
Align_Size(long nImageSize,long nSectionAlign) { return
(nImageSize+nSectionAlign-1) / nSectionAlign * nSectionAlign; } void
SaveExtraData(HANDLE hFile,PIMAGE_SECTION_HEADER pLastSectionHead,long
nFileSize) { long
nExtraDataSize=nFileSize-(pLastSectionHead->PointerToRawData+pLastSectionHead->SizeOfRawData);
unsigned long NumberOfBytesRead; if (nExtraDataSize>0) { pExtraData=new
char[nExtraDataSize]; memset(pExtraData,0,nExtraDataSize);
ReadFile(hFile,pExtraData,nExtraDataSize,&NumberOfBytesRead,NULL); } else {
//no extra data } } PCHAR RVAToPtr(DWORD dwRva) { if ((UINT)dwRva<m_nImageSize)
{ return PCHAR(dwRva+(DWORD)m_pImageBase); } else { return NULL; } }
UINT AddressImportTable(PCHAR m_pImportTable) { PIMAGE_IMPORT_DESCRIPTOR
pImportDescriptor=NULL,pDescriptor=NULL; PIMAGE_DATA_DIRECTORY pImportDir=NULL;
UINT nSize=0; PCHAR pData=NULL; PCHAR pFuncNum=0; PCHAR pszDllName;
PIMAGE_THUNK_DATA32 pFirstThunk=NULL; PIMAGE_IMPORT_BY_NAME pImportName=NULL;
pImportDir=&m_pntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
pImportDescriptor=(PIMAGE_IMPORT_DESCRIPTOR)RVAToPtr(pImportDir->VirtualAddress);
// Mobile input table
for(pData=m_pImportTable,pDescriptor=pImportDescriptor;pDescriptor->Name!=0;pDescriptor++)
{ // preservation FirstThunk *(DWORD*)pData=pDescriptor->FirstThunk;
pData=pData+sizeof(DWORD); pszDllName=(PCHAR)RVAToPtr(pDescriptor->Name);
// preservation dll Name length *(BYTE*)(pData)=(BYTE)(strlen(pszDllName));
pData=pData+sizeof(BYTE); // preservation dll name
memcpy(pData,pszDllName,strlen(pszDllName+1));
pData=pData+strlen(pszDllName)+1; // Save the number of functions and record variables pFuncNum=pData;
*(BYTE*)pFuncNum=0; pData=pData+sizeof(DWORD); if
(pDescriptor->OriginalFirstThunk!=0) {
pFirstThunk=(PIMAGE_THUNK_DATA32)RVAToPtr(pDescriptor->OriginalFirstThunk); }
else { pFirstThunk=(PIMAGE_THUNK_DATA32)RVAToPtr(pDescriptor->FirstThunk); }
while(pFirstThunk->u1.AddressOfData!=NULL) { if
(IMAGE_SNAP_BY_ORDINAL32(pFirstThunk->u1.Ordinal)) { // Import serial number *(BYTE*)pData=0;
pData=pData+sizeof(BYTE); *(DWORD*)pData=(DWORD)pFirstThunk->u1.Ordinal &
0x7FFFFFFF; pData=pData+sizeof(DWORD)+1; (*(DWORD*)pFuncNum)++; } else {
// String import
pImportName=(PIMAGE_IMPORT_BY_NAME)RVAToPtr((DWORD)pFirstThunk->u1.AddressOfData);
*(BYTE*)pData=(BYTE)(strlen((char*)pImportName->Name)); (*(DWORD*)pFuncNum)++;
pData=pData+(strlen((char*)pImportName->Name))+1; } pFirstThunk++; } }
*(DWORD*)pData=(DWORD)0; pData=pData+sizeof(DWORD); return
(pData-m_pImportTable); }

Technology
©2019-2020 Toolsou All rights reserved,
One is called “ Asking for the train ” A small village Finally got the train Spring Boot Lesson 16 :SpringBoot Implementation of multithreading with injection class Chrome OS, For programmers and Windows What does it mean ? Internet Marketing JAVA Convert a string to a numeric type I've been drinking soft water for three years ? What is the use of soft water and water softener You don't know ——HarmonyOS Talking about uni-app Page value transfer problem JavaScript Medium Call and ApplySparkSQL Achieve partition overlay write Character recognition technology of vehicle license plate based on Neural Network