#include <iostream>

#include <Windows.h>

#include <ShlObj.h>

#include <Shlwapi.h>

#pragma comment(lib, "Shell32.lib")

#pragma comment(lib, "Shlwapi.lib")

DWORD align(DWORD size, DWORD align, DWORD addr) {

    if (!(size % align))

        return addr + size;

    return addr + (size / align + 1) * align;

}

int main(int argc, char* argv[])

{

    /*if (argc < 3)

    {

        std::cout << "Argomenti insufficienti.\n";

        return 0;

    }*/

    HANDLE FirstFile = CreateFileA("Test_Hello World.exe", GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, NULL, NULL);            // File to read data from

    if (FirstFile == INVALID_HANDLE_VALUE)

    {

        std::cout << "Impossibile aprire il file passato come primo argomento.\n";

        return 0;

    }

    HANDLE SecFile = CreateFileA("Test_Hello World.exe", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, NULL, NULL);               // File to write the read data in

    if (SecFile == INVALID_HANDLE_VALUE)

    {

        std::cout << "Impossibile aprire il file passato come secondo argomento.\n";

        return 0;

    }

    DWORD FirstFS = GetFileSize(FirstFile, 0);              // First file dimension

    DWORD SecondFS = GetFileSize(SecFile, 0);               // Second file dimension

    BYTE* FirstFB = (BYTE*)VirtualAlloc(NULL, FirstFS, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);           // Allocates memory for the first file

    BYTE* SecondFB = (BYTE*)VirtualAlloc(NULL, SecondFS, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);         // Allocates memory for the second file

    DWORD BytesRead = 0;

    DWORD BytesWritten = 0;

    if (bool Read = ReadFile(FirstFile, FirstFB, FirstFS, &BytesRead, NULL) == FALSE)                   // Reads the first file

    {

        std::cout << "Impossibile leggere primo file.\n";

        return 0;

    }

    else

    {

        std::cout << "Letti " << BytesRead << " dal primo file.\n";

        BytesRead = 0;

    }

    if (bool Read = ReadFile(SecFile, SecondFB, SecondFS, &BytesRead, NULL) == FALSE)                       // Reads the second file

    {

        std::cout << "Impossibile leggere secondo file.\n";

        return 0;

    }

    else

    {

        std::cout << "Letti " << BytesRead << " bytes dal secondo file.\n";

        BytesRead = 0;

    }

    /*

    *

    * The code is problematic beyond this point!

    *

    * SecondFB = Pointer to the second file's data buffer that needs to be modified by adding the new section.

    * FirstFB = Pointer to the first file's data buffer that will be written inside the ".sdata" section.

    * Both of them have been loaded in memory using VirtualAlloc.

    *

    * Ask me anything for further info and many, many thanks :D

    */

    // Here I add a new section to the second file.

    PIMAGE_DOS_HEADER sIDH = (IMAGE_DOS_HEADER*)SecondFB;

    PIMAGE_NT_HEADERS sINH = (IMAGE_NT_HEADERS*)(SecondFB + sIDH->e_lfanew);

    PIMAGE_FILE_HEADER sIFH = (PIMAGE_FILE_HEADER)(SecondFB + sIDH->e_lfanew + sizeof(DWORD));

    PIMAGE_OPTIONAL_HEADER sIOH = (PIMAGE_OPTIONAL_HEADER)(SecondFB + sIDH->e_lfanew + sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER));

    PIMAGE_SECTION_HEADER sISH = (PIMAGE_SECTION_HEADER)(SecondFB + sIDH->e_lfanew + sizeof(IMAGE_NT_HEADERS));

    // Here I name the new section inside the file

    ZeroMemory(&sISH[sIFH->NumberOfSections], sizeof(IMAGE_SECTION_HEADER));

    CopyMemory(sISH[sIFH->NumberOfSections].Name, ".scode", 8);

    /*

        0xE00000E0 = IMAGE_SCN_MEM_WRITE |

                     IMAGE_SCN_CNT_CODE  |

                     IMAGE_SCN_CNT_UNINITIALIZED_DATA  |

                     IMAGE_SCN_MEM_EXECUTE |

                     IMAGE_SCN_CNT_INITIALIZED_DATA |

                     IMAGE_SCN_MEM_READ

    */

    // Here all the required information gets filled in

    sISH[sIFH->NumberOfSections].VirtualAddress = align(sISH[sIFH->NumberOfSections - 1].Misc.VirtualSize, sIOH->SectionAlignment, sISH[sIFH->NumberOfSections - 1].VirtualAddress);

    sISH[sIFH->NumberOfSections].SizeOfRawData = align(FirstFS, sIOH->SectionAlignment, 0);

    sISH[sIFH->NumberOfSections].Misc.VirtualSize = align(FirstFS, sIOH->SectionAlignment, 0);

    sISH[sIFH->NumberOfSections].PointerToRawData = align(sISH[sIFH->NumberOfSections - 1].SizeOfRawData, sIOH->FileAlignment, sISH[sIFH->NumberOfSections - 1].PointerToRawData);

    sISH[sIFH->NumberOfSections].Characteristics = 0xE00000E0;

    // Here the changes are written to the second file

    SetFilePointer(SecFile, sISH[sIFH->NumberOfSections].PointerToRawData + sISH[sIFH->NumberOfSections].SizeOfRawData, NULL, FILE_BEGIN);

    SetEndOfFile(SecFile);

    sIOH->SizeOfImage = sISH[sIFH->NumberOfSections].VirtualAddress + sISH[sIFH->NumberOfSections].Misc.VirtualSize;

    sIFH->NumberOfSections += 1;

    SetFilePointer(SecFile, 0, NULL, FILE_BEGIN);

    BytesWritten = 0;

    bool W = WriteFile(SecFile, SecondFB, SecondFS, &BytesWritten, NULL);

    if (W == FALSE)

    {

        std::cout << "Impossibile aggiungere sezione alla stub.\n";

        return 0;

    }

    else

    {

        std::cout << "Scritti " << BytesWritten << " bytes nella stub. (Aggiunta nuova sezione.)\n";

        BytesWritten = 0;

    }

    // Here I write the data inside the new section

    SetFilePointer(SecFile, sISH[sIFH->NumberOfSections - 1].PointerToRawData, 0, FILE_BEGIN);

    if (bool Write = WriteFile(SecFile, FirstFB, FirstFS, &BytesWritten, NULL) == FALSE)

    {

        std::cout << "Impossibile aggiungere sezione alla stub.\n";

    }

    else

    {

        std::cout << "Scritti " << BytesWritten << " bytes nella stub.\n";

        BytesWritten = 0;

    }

    // Here I close all the handles

    VirtualFree(FirstFB, FirstFS, MEM_RELEASE);

    CloseHandle(FirstFile);

    VirtualFree(SecondFB, SecondFS, MEM_RELEASE);

    CloseHandle(SecFile);

    std::cout << "Binding completato.\n";

    return 0;

}

win32 - PE Executable and section inject的更多相关文章

  1. 深入理解 Win32 PE 文件格式

    深入理解 Win32 PE 文件格式 Matt Pietrek 这篇文章假定你熟悉C++和Win32. 概述 理解可移植可执行文件格式(PE)可以更好地了解操作系统.如果你知道DLL和EXE中都有些什 ...

  2. 深入理解 Win32 PE 文件格式 Matt Pietrek(慢慢体会)

    这篇文章假定你熟悉C++和Win32. 概述 理解可移植可执行文件格式(PE)可以更好地了解操作系统.如果你知道DLL和EXE中都有些什么东西,那么你就是一个知识渊博的程序员.这一系列文章的第一部分, ...

  3. 《Peering Inside the PE: A Tour of the Win32 Portable Executable File Format》阅读笔记二

    Common Sections The .text section is where all general-purpose code emitted by the compiler or assem ...

  4. PE Header and Export Table for Delphi

    Malware Analysis Tutorial 8: PE Header and Export Table 2. Background Information of PE HeaderAny bi ...

  5. The Portable Executable File Format from Top to Bottom(每个结构体都非常清楚)

    The Portable Executable File Format from Top to Bottom Randy KathMicrosoft Developer Network Technol ...

  6. 利用PE数据目录的导入表获取函数名及其地址

    PE文件是以64字节的DOS文件头开始的(IMAGE_DOS_HEADER),接着是一段小DOS程序,然后是248字节的 NT文件头(IMAGE_NT_HEADERS),NT的文件头位置由IMAGE_ ...

  7. 深入学习PE文件(转)

    PE文件是Win32的原生文件格式.每一个Win32可执行文件都遵循PE文件格式.对PE文件格式的了解可以加深你对Win32系统的深入理解. 一. 基本结构. 上图便是PE文件的基本结构.(注意:DO ...

  8. 深入剖析PE文件

    不赖猴的笔记,转载请注明出处. 深入剖析PE文件 PE文件是Win32的原生文件格式.每一个Win32可执行文件都遵循PE文件格式.对PE文件格式的了解可以加深你对Win32系统的深入理解. 一.   ...

  9. Load PE from memory(反取证)(未完)

      Article 1:Loading Win32/64 DLLs "manually" without LoadLibrary() The most important step ...

  10. 动态加载并执行Win32可执行程序

    本文所贴出的PoC代码将告诉你如何通过CreateProcess创建一个傀儡进程(称之为可执行程序A),并把dwCreationFlags设置为CREATE_SUSPENDED,然后把另一个可执行程序 ...

随机推荐

  1. [转帖]Tiup 常用运维操作命令干货

    https://zhuanlan.zhihu.com/p/356031031 **导读**> 作者:杨漆> 16年关系型数据库管理,从oracle 9i .10g.11g.12c到Mysq ...

  2. [转帖]k8s对接ceph,ceph-csi方式

    1.上传ceph-csi-yaml和ceph-csi-image 两个文件夹到服务器 2.加载 ceph-csi-image里面的镜像 3.将加载好的镜像上传到本地harbor上. 4.修改ceph- ...

  3. [转帖]Linux shell 单引号和双引号

    https://www.cnblogs.com/airoot/p/15324883.html 在编写shell脚本的时候经常会用到引号,有些时候却老是忘记单引号和双引号之间的区别,所以就整理一下供以后 ...

  4. 【转帖】【ethtool】ethtool 网卡诊断、调整工具、网卡性能优化| 解决丢包严重

    目录 即看即用 详细信息 软件简介 安装 ethtool的使用 输出详解 其他指令 将 ethtool 设置永久保存 如何使用 ethtool 优化 Linux 虚拟机网卡性能 ethtool 解决网 ...

  5. [转帖]python库Paramiko

    https://zhuanlan.zhihu.com/p/456447145 测试过程中经常会遇到需要将本地的文件上传到远程服务器上,或者需要将服务器上的文件拉到本地进行操作,以前安静经常会用到xft ...

  6. [转帖]Shell~echo -e 颜色输出

    https://www.cnblogs.com/ElegantSmile/p/11144879.html echo -e 可以控制字体颜色和背景颜色输出 从一个例子开始: # echo -e &quo ...

  7. IPMI的简单使用

    背景 公司一台十一年前的服务器砸到我手中,要重装CentOS7的操作系统. 本着不想进机房, 不想格式化U盘的想法, 想用BMC进行安装系统. 遇到的第一个问题是不知道密码. 询问之前的机器持有人,也 ...

  8. 一文详解 Netty 组件

    作者:京东物流 张弓言 一.背景 Netty 是一款优秀的高性能网络框架,内部通过 NIO 的方式来处理网络请求,在高负载下也能可靠和高效地处理 I/O 操作 作为较底层的网络通信框架,其被广泛应用在 ...

  9. 我对computed的理解-以及computed的传参

    computed 传参 <template> <div> <p>computed传参的写法:{{ who1Params('--我是传参的内容') }}</p& ...

  10. 【JS 逆向百例】HN某服务网登录逆向,验证码形同虚设

    声明 本文章中所有内容仅供学习交流,抓包内容.敏感网址.数据接口均已做脱敏处理,严禁用于商业用途和非法用途,否则由此产生的一切后果均与作者无关,若有侵权,请联系我立即删除! 逆向目标 目标:某政务服务 ...