#include <iostream>

#include <Windows.h>

#include <ShlObj.h>

#include <Shlwapi.h>

#pragma comment(lib, "Shell32.lib")

#pragma comment(lib, "Shlwapi.lib")

DWORD align(DWORD size, DWORD align, DWORD addr) {

    if (!(size % align))

        return addr + size;

    return addr + (size / align + 1) * align;

}

int main(int argc, char* argv[])

{

    /*if (argc < 3)

    {

        std::cout << "Argomenti insufficienti.\n";

        return 0;

    }*/

    HANDLE FirstFile = CreateFileA("Test_Hello World.exe", GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, NULL, NULL);            // File to read data from

    if (FirstFile == INVALID_HANDLE_VALUE)

    {

        std::cout << "Impossibile aprire il file passato come primo argomento.\n";

        return 0;

    }

    HANDLE SecFile = CreateFileA("Test_Hello World.exe", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, NULL, NULL);               // File to write the read data in

    if (SecFile == INVALID_HANDLE_VALUE)

    {

        std::cout << "Impossibile aprire il file passato come secondo argomento.\n";

        return 0;

    }

    DWORD FirstFS = GetFileSize(FirstFile, 0);              // First file dimension

    DWORD SecondFS = GetFileSize(SecFile, 0);               // Second file dimension

    BYTE* FirstFB = (BYTE*)VirtualAlloc(NULL, FirstFS, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);           // Allocates memory for the first file

    BYTE* SecondFB = (BYTE*)VirtualAlloc(NULL, SecondFS, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);         // Allocates memory for the second file

    DWORD BytesRead = 0;

    DWORD BytesWritten = 0;

    if (bool Read = ReadFile(FirstFile, FirstFB, FirstFS, &BytesRead, NULL) == FALSE)                   // Reads the first file

    {

        std::cout << "Impossibile leggere primo file.\n";

        return 0;

    }

    else

    {

        std::cout << "Letti " << BytesRead << " dal primo file.\n";

        BytesRead = 0;

    }

    if (bool Read = ReadFile(SecFile, SecondFB, SecondFS, &BytesRead, NULL) == FALSE)                       // Reads the second file

    {

        std::cout << "Impossibile leggere secondo file.\n";

        return 0;

    }

    else

    {

        std::cout << "Letti " << BytesRead << " bytes dal secondo file.\n";

        BytesRead = 0;

    }

    /*

    *

    * The code is problematic beyond this point!

    *

    * SecondFB = Pointer to the second file's data buffer that needs to be modified by adding the new section.

    * FirstFB = Pointer to the first file's data buffer that will be written inside the ".sdata" section.

    * Both of them have been loaded in memory using VirtualAlloc.

    *

    * Ask me anything for further info and many, many thanks :D

    */

    // Here I add a new section to the second file.

    PIMAGE_DOS_HEADER sIDH = (IMAGE_DOS_HEADER*)SecondFB;

    PIMAGE_NT_HEADERS sINH = (IMAGE_NT_HEADERS*)(SecondFB + sIDH->e_lfanew);

    PIMAGE_FILE_HEADER sIFH = (PIMAGE_FILE_HEADER)(SecondFB + sIDH->e_lfanew + sizeof(DWORD));

    PIMAGE_OPTIONAL_HEADER sIOH = (PIMAGE_OPTIONAL_HEADER)(SecondFB + sIDH->e_lfanew + sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER));

    PIMAGE_SECTION_HEADER sISH = (PIMAGE_SECTION_HEADER)(SecondFB + sIDH->e_lfanew + sizeof(IMAGE_NT_HEADERS));

    // Here I name the new section inside the file

    ZeroMemory(&sISH[sIFH->NumberOfSections], sizeof(IMAGE_SECTION_HEADER));

    CopyMemory(sISH[sIFH->NumberOfSections].Name, ".scode", 8);

    /*

        0xE00000E0 = IMAGE_SCN_MEM_WRITE |

                     IMAGE_SCN_CNT_CODE  |

                     IMAGE_SCN_CNT_UNINITIALIZED_DATA  |

                     IMAGE_SCN_MEM_EXECUTE |

                     IMAGE_SCN_CNT_INITIALIZED_DATA |

                     IMAGE_SCN_MEM_READ

    */

    // Here all the required information gets filled in

    sISH[sIFH->NumberOfSections].VirtualAddress = align(sISH[sIFH->NumberOfSections - 1].Misc.VirtualSize, sIOH->SectionAlignment, sISH[sIFH->NumberOfSections - 1].VirtualAddress);

    sISH[sIFH->NumberOfSections].SizeOfRawData = align(FirstFS, sIOH->SectionAlignment, 0);

    sISH[sIFH->NumberOfSections].Misc.VirtualSize = align(FirstFS, sIOH->SectionAlignment, 0);

    sISH[sIFH->NumberOfSections].PointerToRawData = align(sISH[sIFH->NumberOfSections - 1].SizeOfRawData, sIOH->FileAlignment, sISH[sIFH->NumberOfSections - 1].PointerToRawData);

    sISH[sIFH->NumberOfSections].Characteristics = 0xE00000E0;

    // Here the changes are written to the second file

    SetFilePointer(SecFile, sISH[sIFH->NumberOfSections].PointerToRawData + sISH[sIFH->NumberOfSections].SizeOfRawData, NULL, FILE_BEGIN);

    SetEndOfFile(SecFile);

    sIOH->SizeOfImage = sISH[sIFH->NumberOfSections].VirtualAddress + sISH[sIFH->NumberOfSections].Misc.VirtualSize;

    sIFH->NumberOfSections += 1;

    SetFilePointer(SecFile, 0, NULL, FILE_BEGIN);

    BytesWritten = 0;

    bool W = WriteFile(SecFile, SecondFB, SecondFS, &BytesWritten, NULL);

    if (W == FALSE)

    {

        std::cout << "Impossibile aggiungere sezione alla stub.\n";

        return 0;

    }

    else

    {

        std::cout << "Scritti " << BytesWritten << " bytes nella stub. (Aggiunta nuova sezione.)\n";

        BytesWritten = 0;

    }

    // Here I write the data inside the new section

    SetFilePointer(SecFile, sISH[sIFH->NumberOfSections - 1].PointerToRawData, 0, FILE_BEGIN);

    if (bool Write = WriteFile(SecFile, FirstFB, FirstFS, &BytesWritten, NULL) == FALSE)

    {

        std::cout << "Impossibile aggiungere sezione alla stub.\n";

    }

    else

    {

        std::cout << "Scritti " << BytesWritten << " bytes nella stub.\n";

        BytesWritten = 0;

    }

    // Here I close all the handles

    VirtualFree(FirstFB, FirstFS, MEM_RELEASE);

    CloseHandle(FirstFile);

    VirtualFree(SecondFB, SecondFS, MEM_RELEASE);

    CloseHandle(SecFile);

    std::cout << "Binding completato.\n";

    return 0;

}

win32 - PE Executable and section inject的更多相关文章

  1. 深入理解 Win32 PE 文件格式

    深入理解 Win32 PE 文件格式 Matt Pietrek 这篇文章假定你熟悉C++和Win32. 概述 理解可移植可执行文件格式(PE)可以更好地了解操作系统.如果你知道DLL和EXE中都有些什 ...

  2. 深入理解 Win32 PE 文件格式 Matt Pietrek(慢慢体会)

    这篇文章假定你熟悉C++和Win32. 概述 理解可移植可执行文件格式(PE)可以更好地了解操作系统.如果你知道DLL和EXE中都有些什么东西,那么你就是一个知识渊博的程序员.这一系列文章的第一部分, ...

  3. 《Peering Inside the PE: A Tour of the Win32 Portable Executable File Format》阅读笔记二

    Common Sections The .text section is where all general-purpose code emitted by the compiler or assem ...

  4. PE Header and Export Table for Delphi

    Malware Analysis Tutorial 8: PE Header and Export Table 2. Background Information of PE HeaderAny bi ...

  5. The Portable Executable File Format from Top to Bottom(每个结构体都非常清楚)

    The Portable Executable File Format from Top to Bottom Randy KathMicrosoft Developer Network Technol ...

  6. 利用PE数据目录的导入表获取函数名及其地址

    PE文件是以64字节的DOS文件头开始的(IMAGE_DOS_HEADER),接着是一段小DOS程序,然后是248字节的 NT文件头(IMAGE_NT_HEADERS),NT的文件头位置由IMAGE_ ...

  7. 深入学习PE文件(转)

    PE文件是Win32的原生文件格式.每一个Win32可执行文件都遵循PE文件格式.对PE文件格式的了解可以加深你对Win32系统的深入理解. 一. 基本结构. 上图便是PE文件的基本结构.(注意:DO ...

  8. 深入剖析PE文件

    不赖猴的笔记,转载请注明出处. 深入剖析PE文件 PE文件是Win32的原生文件格式.每一个Win32可执行文件都遵循PE文件格式.对PE文件格式的了解可以加深你对Win32系统的深入理解. 一.   ...

  9. Load PE from memory(反取证)(未完)

      Article 1:Loading Win32/64 DLLs "manually" without LoadLibrary() The most important step ...

  10. 动态加载并执行Win32可执行程序

    本文所贴出的PoC代码将告诉你如何通过CreateProcess创建一个傀儡进程(称之为可执行程序A),并把dwCreationFlags设置为CREATE_SUSPENDED,然后把另一个可执行程序 ...

随机推荐

  1. [转帖]prometheus的TCP alloc取值

    prometheus的TCP alloc取值 sockets: used:已使用的所有协议套接字总量 TCP: orphan:无主(不属于任何进程)的TCP连接数(无用.待销毁的TCP socket数 ...

  2. [转帖]Jmeter之JDBC Request使用方法(oracle)

    https://zhuanlan.zhihu.com/p/121747788 JDBC Request: 这个sampler可以向数据库发送一个jdbc请求(sql语句),它经常需要和JDBC Con ...

  3. [转帖]《AWK程序设计语言》笔记(1)—— AWK入门与简单案例

    原文为 <The AWK Programming Language>,GitHub上有中译版,不过有些内容翻译的比较奇怪,建议跟原版对照着看 https://github.com/wuzh ...

  4. [转帖]unmatched(riscv64)上编译,安装和移植SPEC CPU 2006

    https://zhuanlan.zhihu.com/p/429399630 Linux ubuntu 5.11.0-1021-generic #22-Ubuntu SMP Tue Sep 28 15 ...

  5. [转帖]Java连接 MySQL详细教程,分享复习经验和后台开发面经

    (由于安装了汉化包,英文版的用户可以对应图标来操作) 选中菜单栏文件,之后选择项目结构 选择Libraries 点击+ ![在这里插入图片描述](https://img-blog.csdnimg.cn ...

  6. [转帖]Skywalking学习及整合springboot

    目录 1. Skywalking概述 2. Skywalking主要功能 3. Skywalking主要特性 4. Skywalking架构简介 5. Spring Cloud与Skywalking实 ...

  7. [转帖]mvcc多版本并发控制的原理

      https://baijiahao.baidu.com/s?id=1751185558149315946 MVCC多版本并发控制的原理:通过undo_log多版本链条,加上开启事务时产生的read ...

  8. [转帖]UseG1GC垃圾回收技术解析

    https://www.cnblogs.com/yuanzipeng/p/13374690.html 介绍 G1 GC,全称Garbage-First Garbage Collector,通过-XX: ...

  9. [转帖]读Brendan Gregg - 谈性能分析

    https://zhuanlan.zhihu.com/p/206743670 Brendan Gregg何许人 Brendan Gregg在性能分析工业界如雷贯耳, 相信看到这篇文章的人肯定知道他的大 ...

  10. mysql8 部分信息总结

    0. 我这边环境需要的配置参数 datadir=/var/lib/mysqlsocket=/var/lib/mysql/mysql.socklog-error=/var/log/mysqld.logp ...