增加節表存放shellcode

將shellcode放在PE文件新增的節表中

1. // InsertShellCodeToPE.cpp : Defines the entry point for the console application.
2. //
4. #include "stdafx.h"
5. #include <Windows.h>
7. #define FILENAME "hello.exe"
9. //自定義的shellcode
10. char shellcode[] = "\x90\x90\x90\x90\xb8\x90\x90\x90\x90\xff\xe0\x00";
12. /************************************************************************/
13. /* 函數說明：將dwNum按dwAlign大小生成對齊大小 */
14. /* 參數：dwNum 待對齊的數據長度 */
15. /* dwAlign 對齊粒度 */
16. /* 返回值：返回按指定粒度對齊後的大小 */
17. /************************************************************************/
18. DWORD Align(DWORD dwNum, DWORD dwAlign)
19. {
20. if (dwNum % dwAlign == 0)
21. {
22. return dwNum;
23. }
24. else
25. {
26. return (dwNum / dwAlign + 1) * dwAlign;
27. }
28. }
31. int main(int argc, char* argv[])
32. {
33. HANDLE hFile = ::CreateFile(FILENAME, FILE_GENERIC_READ|FILE_GENERIC_WRITE|FILE_GENERIC_EXECUTE, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
34. if (NULL == hFile)
35. {
36. printf("createfile error");
37. return -1;
38. }
39. HANDLE hFileMap = ::CreateFileMapping(hFile, NULL, PAGE_EXECUTE_READWRITE, 0, 0, NULL);
40. int n = GetLastError();
41. if (NULL == hFileMap)
42. {
43. printf("CreateFileMapping error");
44. return -1;
45. }
46. LPVOID lpMemory = ::MapViewOfFile(hFileMap, FILE_MAP_ALL_ACCESS, 0, 0, 0);
47. if (NULL == lpMemory)
48. {
49. printf("MapViewOfFile error");
50. return -1;
51. }
53. PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)lpMemory;
54. PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)lpMemory + pDosHeader->e_lfanew);
55. PIMAGE_FILE_HEADER pFileHeader = (PIMAGE_FILE_HEADER)&(pNTHeader->FileHeader);
56. PIMAGE_OPTIONAL_HEADER pOptionalHeader = (PIMAGE_OPTIONAL_HEADER)&pNTHeader->OptionalHeader;
58. PIMAGE_SECTION_HEADER pSection = NULL;
59. IMAGE_SECTION_HEADER secToAdd = {0};
61. if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE || pNTHeader->Signature != IMAGE_NT_SIGNATURE)
62. {
63. printf("Not valid PE file...");
64. return -1;
65. }
67. pSection = (PIMAGE_SECTION_HEADER)((BYTE*)pOptionalHeader + pFileHeader->SizeOfOptionalHeader);
69. DWORD dwSectionNum = pFileHeader->NumberOfSections;
70. DWORD dwSectionAlign = pOptionalHeader->SectionAlignment;
71. DWORD dwOEP = pOptionalHeader->AddressOfEntryPoint;
72. dwOEP = (DWORD)(pOptionalHeader->ImageBase + dwOEP);
75. pSection = pSection + dwSectionNum - 1; //pSection指向了最後一個section節表的起始,下面根據最後一個section節表設置新的節表數據
76. strcpy((char *)secToAdd.Name, ".xiaoju");
77. secToAdd.Characteristics = pSection->Characteristics;
78. secToAdd.VirtualAddress = pSection->VirtualAddress + Align(pSection->Misc.VirtualSize, dwSectionAlign);
79. secToAdd.Misc.VirtualSize = dwSectionAlign;
80. secToAdd.PointerToRawData = pSection->PointerToRawData + pSection->SizeOfRawData;
81. secToAdd.SizeOfRawData = dwSectionAlign;
83. pSection++; //pSection指向了所有節表的最後
84. //寫入新的節表
85. memcpy(pSection, &secToAdd, sizeof(IMAGE_SECTION_HEADER));
87. //改寫pe文件中節表的數量
88. pFileHeader->NumberOfSections++;
90. //將shellcode中的預留位填充好
91. *(DWORD*)&shellcode[5] = dwOEP;
93. //增加文件大小
94. BYTE bNum = '\x0';
95. DWORD dwWritten = 0;
96. ::SetFilePointer(hFile, 0, 0, FILE_END);
97. ::WriteFile(hFile, &bNum, dwSectionAlign, &dwWritten, NULL);
99. //在新增節表的PointerToRawData處寫入shellcode
100. ::SetFilePointer(hFile, pSection->PointerToRawData, 0, FILE_BEGIN);
101. ::WriteFile(hFile, shellcode, strlen(shellcode)+3, &dwWritten, NULL);
103. //修改程序的映象大小和OEP
104. pOptionalHeader->SizeOfImage = pOptionalHeader->SizeOfImage + dwSectionAlign;
105. pOptionalHeader->AddressOfEntryPoint = pSection->VirtualAddress;
107. ::UnmapViewOfFile(lpMemory);
110. ::CloseHandle(hFileMap);
111. ::CloseHandle(hFile);
113. return 0;
114. }

原始hello.exe

程序運行後，修改後的hello.exe