#include <iostream>

#include <Windows.h>

#include <ShlObj.h>

#include <Shlwapi.h>

#pragma comment(lib, "Shell32.lib")

#pragma comment(lib, "Shlwapi.lib")

DWORD align(DWORD size, DWORD align, DWORD addr) {

    if (!(size % align))

        return addr + size;

    return addr + (size / align + 1) * align;

}

int main(int argc, char* argv[])

{

    /*if (argc < 3)

    {

        std::cout << "Argomenti insufficienti.\n";

        return 0;

    }*/

    HANDLE FirstFile = CreateFileA("Test_Hello World.exe", GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, NULL, NULL);            // File to read data from

    if (FirstFile == INVALID_HANDLE_VALUE)

    {

        std::cout << "Impossibile aprire il file passato come primo argomento.\n";

        return 0;

    }

    HANDLE SecFile = CreateFileA("Test_Hello World.exe", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, NULL, NULL);               // File to write the read data in

    if (SecFile == INVALID_HANDLE_VALUE)

    {

        std::cout << "Impossibile aprire il file passato come secondo argomento.\n";

        return 0;

    }

    DWORD FirstFS = GetFileSize(FirstFile, 0);              // First file dimension

    DWORD SecondFS = GetFileSize(SecFile, 0);               // Second file dimension

    BYTE* FirstFB = (BYTE*)VirtualAlloc(NULL, FirstFS, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);           // Allocates memory for the first file

    BYTE* SecondFB = (BYTE*)VirtualAlloc(NULL, SecondFS, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);         // Allocates memory for the second file

    DWORD BytesRead = 0;

    DWORD BytesWritten = 0;

    if (bool Read = ReadFile(FirstFile, FirstFB, FirstFS, &BytesRead, NULL) == FALSE)                   // Reads the first file

    {

        std::cout << "Impossibile leggere primo file.\n";

        return 0;

    }

    else

    {

        std::cout << "Letti " << BytesRead << " dal primo file.\n";

        BytesRead = 0;

    }

    if (bool Read = ReadFile(SecFile, SecondFB, SecondFS, &BytesRead, NULL) == FALSE)                       // Reads the second file

    {

        std::cout << "Impossibile leggere secondo file.\n";

        return 0;

    }

    else

    {

        std::cout << "Letti " << BytesRead << " bytes dal secondo file.\n";

        BytesRead = 0;

    }

    /*

    *

    * The code is problematic beyond this point!

    *

    * SecondFB = Pointer to the second file's data buffer that needs to be modified by adding the new section.

    * FirstFB = Pointer to the first file's data buffer that will be written inside the ".sdata" section.

    * Both of them have been loaded in memory using VirtualAlloc.

    *

    * Ask me anything for further info and many, many thanks :D

    */

    // Here I add a new section to the second file.

    PIMAGE_DOS_HEADER sIDH = (IMAGE_DOS_HEADER*)SecondFB;

    PIMAGE_NT_HEADERS sINH = (IMAGE_NT_HEADERS*)(SecondFB + sIDH->e_lfanew);

    PIMAGE_FILE_HEADER sIFH = (PIMAGE_FILE_HEADER)(SecondFB + sIDH->e_lfanew + sizeof(DWORD));

    PIMAGE_OPTIONAL_HEADER sIOH = (PIMAGE_OPTIONAL_HEADER)(SecondFB + sIDH->e_lfanew + sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER));

    PIMAGE_SECTION_HEADER sISH = (PIMAGE_SECTION_HEADER)(SecondFB + sIDH->e_lfanew + sizeof(IMAGE_NT_HEADERS));

    // Here I name the new section inside the file

    ZeroMemory(&sISH[sIFH->NumberOfSections], sizeof(IMAGE_SECTION_HEADER));

    CopyMemory(sISH[sIFH->NumberOfSections].Name, ".scode", 8);

    /*

        0xE00000E0 = IMAGE_SCN_MEM_WRITE |

                     IMAGE_SCN_CNT_CODE  |

                     IMAGE_SCN_CNT_UNINITIALIZED_DATA  |

                     IMAGE_SCN_MEM_EXECUTE |

                     IMAGE_SCN_CNT_INITIALIZED_DATA |

                     IMAGE_SCN_MEM_READ

    */

    // Here all the required information gets filled in

    sISH[sIFH->NumberOfSections].VirtualAddress = align(sISH[sIFH->NumberOfSections - 1].Misc.VirtualSize, sIOH->SectionAlignment, sISH[sIFH->NumberOfSections - 1].VirtualAddress);

    sISH[sIFH->NumberOfSections].SizeOfRawData = align(FirstFS, sIOH->SectionAlignment, 0);

    sISH[sIFH->NumberOfSections].Misc.VirtualSize = align(FirstFS, sIOH->SectionAlignment, 0);

    sISH[sIFH->NumberOfSections].PointerToRawData = align(sISH[sIFH->NumberOfSections - 1].SizeOfRawData, sIOH->FileAlignment, sISH[sIFH->NumberOfSections - 1].PointerToRawData);

    sISH[sIFH->NumberOfSections].Characteristics = 0xE00000E0;

    // Here the changes are written to the second file

    SetFilePointer(SecFile, sISH[sIFH->NumberOfSections].PointerToRawData + sISH[sIFH->NumberOfSections].SizeOfRawData, NULL, FILE_BEGIN);

    SetEndOfFile(SecFile);

    sIOH->SizeOfImage = sISH[sIFH->NumberOfSections].VirtualAddress + sISH[sIFH->NumberOfSections].Misc.VirtualSize;

    sIFH->NumberOfSections += 1;

    SetFilePointer(SecFile, 0, NULL, FILE_BEGIN);

    BytesWritten = 0;

    bool W = WriteFile(SecFile, SecondFB, SecondFS, &BytesWritten, NULL);

    if (W == FALSE)

    {

        std::cout << "Impossibile aggiungere sezione alla stub.\n";

        return 0;

    }

    else

    {

        std::cout << "Scritti " << BytesWritten << " bytes nella stub. (Aggiunta nuova sezione.)\n";

        BytesWritten = 0;

    }

    // Here I write the data inside the new section

    SetFilePointer(SecFile, sISH[sIFH->NumberOfSections - 1].PointerToRawData, 0, FILE_BEGIN);

    if (bool Write = WriteFile(SecFile, FirstFB, FirstFS, &BytesWritten, NULL) == FALSE)

    {

        std::cout << "Impossibile aggiungere sezione alla stub.\n";

    }

    else

    {

        std::cout << "Scritti " << BytesWritten << " bytes nella stub.\n";

        BytesWritten = 0;

    }

    // Here I close all the handles

    VirtualFree(FirstFB, FirstFS, MEM_RELEASE);

    CloseHandle(FirstFile);

    VirtualFree(SecondFB, SecondFS, MEM_RELEASE);

    CloseHandle(SecFile);

    std::cout << "Binding completato.\n";

    return 0;

}

win32 - PE Executable and section inject的更多相关文章

  1. 深入理解 Win32 PE 文件格式

    深入理解 Win32 PE 文件格式 Matt Pietrek 这篇文章假定你熟悉C++和Win32. 概述 理解可移植可执行文件格式(PE)可以更好地了解操作系统.如果你知道DLL和EXE中都有些什 ...

  2. 深入理解 Win32 PE 文件格式 Matt Pietrek(慢慢体会)

    这篇文章假定你熟悉C++和Win32. 概述 理解可移植可执行文件格式(PE)可以更好地了解操作系统.如果你知道DLL和EXE中都有些什么东西,那么你就是一个知识渊博的程序员.这一系列文章的第一部分, ...

  3. 《Peering Inside the PE: A Tour of the Win32 Portable Executable File Format》阅读笔记二

    Common Sections The .text section is where all general-purpose code emitted by the compiler or assem ...

  4. PE Header and Export Table for Delphi

    Malware Analysis Tutorial 8: PE Header and Export Table 2. Background Information of PE HeaderAny bi ...

  5. The Portable Executable File Format from Top to Bottom(每个结构体都非常清楚)

    The Portable Executable File Format from Top to Bottom Randy KathMicrosoft Developer Network Technol ...

  6. 利用PE数据目录的导入表获取函数名及其地址

    PE文件是以64字节的DOS文件头开始的(IMAGE_DOS_HEADER),接着是一段小DOS程序,然后是248字节的 NT文件头(IMAGE_NT_HEADERS),NT的文件头位置由IMAGE_ ...

  7. 深入学习PE文件(转)

    PE文件是Win32的原生文件格式.每一个Win32可执行文件都遵循PE文件格式.对PE文件格式的了解可以加深你对Win32系统的深入理解. 一. 基本结构. 上图便是PE文件的基本结构.(注意:DO ...

  8. 深入剖析PE文件

    不赖猴的笔记,转载请注明出处. 深入剖析PE文件 PE文件是Win32的原生文件格式.每一个Win32可执行文件都遵循PE文件格式.对PE文件格式的了解可以加深你对Win32系统的深入理解. 一.   ...

  9. Load PE from memory(反取证)(未完)

      Article 1:Loading Win32/64 DLLs "manually" without LoadLibrary() The most important step ...

  10. 动态加载并执行Win32可执行程序

    本文所贴出的PoC代码将告诉你如何通过CreateProcess创建一个傀儡进程(称之为可执行程序A),并把dwCreationFlags设置为CREATE_SUSPENDED,然后把另一个可执行程序 ...

随机推荐

  1. [转帖]ssh_exporter

    https://github.com/treydock/ssh_exporter SSH exporter The SSH exporter attempts to make an SSH conne ...

  2. [转帖]前端安全(同源策略、XSS攻击、CSRF攻击)

    https://juejin.cn/post/6844904158697357319 同源策略(Same-origin policy) 如果两个 URL 的协议.域名和端口都相同,我们就称这两个 UR ...

  3. [转帖]Oracle性能优化-大内存页配置

    一.为什么需要大页面? 如果您有一个大的RAM和SGA,那么HugePages对于Linux上更快的Oracle数据库性能是至关重要的.如果您的组合数据库SGAs很大(比如超过8GB,甚至对于更小的数 ...

  4. [转帖]Lightning 实操指南

    2.2.2 Lightning 实操指南 这一节将介绍如何使用 Lightning 导入数据的实操 2.2.2.1 TiDB Lightning 快速开始 注意 TiDB Lightning 运行后, ...

  5. [转帖]Innodb存储引擎-备份和恢复(分类、冷备、热备、逻辑备份、二进制日志备份和恢复、快照备份、复制)

    文章目录 备份和恢复 分类 冷备 热备 逻辑备份 mysqldump SELECT...INTO OUTFILE 恢复 二进制日志备份与恢复 快照备份(完全备份) 复制 快照+复制的备份架构 备份和恢 ...

  6. [转帖]Guanaco, Llama, Vicuña, Alpaca该怎么区别

    https://zhuanlan.zhihu.com/p/106262896 在智利和秘鲁高原区经常会遇到的一种动物让人十分挠头,学术点称呼就是骆驼科其中一个族群--羊驼属和骆马属.头疼在于,分不清楚 ...

  7. IO调度算法的简单学习与整理

    IO调度算法的简单学习与整理 前言 前几天整理了 /sys/block/sda/queue/nr_requests 以及 /sys/block/sda/device/queue_depth 的两个参数 ...

  8. [转帖]DISK BUSY的理解误区

    前几天有个客户的系统存在性能问题,从AWR报告上我们看到是CPU使用率过高,同时GLOBAL CACHE方面的争用比较严重.系统中的烂SQL很多,数据库中很多几十GB的大表也没有分区,总之问题很多.不 ...

  9. vue启动报错_interopRequireDefault is not a function

    起因 今天接触一个项目vue. 在安装好环境之后,启动的时候报错_interopRequireDefault is not a function 解决的办法:我觉得可能是因为node_modules安 ...

  10. ffmpeg修改文件格式

    http://ffmpeg.org/ 官网下载windows版本 进这个文件夹 随便找一个格式的文件我这里以mp4 放在这个文件夹里面 然后状态栏输入cmd 输入下方命令代码 ffmpeg -i 66 ...