#include "stdafx.h"
#include "sectionimport.h"
using namespace std;
namespace PE {
// Default constructor: performs no work of its own.
// NOTE(review): m_ppe and m_pAttached are not assigned here, yet Copy() and
// Update() compare them against NULL before use -- confirm they are
// initialised elsewhere (class declaration or a base class); otherwise those
// guards read indeterminate pointers on an object that was never attached.
CSectionImport::CSectionImport()
{
}
// Destructor: hands all teardown to Cleanup() (defined outside this listing).
CSectionImport::~CSectionImport()
{
    Cleanup();
}
// Copy import directory entries
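// Walks the attached image's import directory and sorts every descriptor into
// one of two buckets:
//   - descriptors whose DLL-name RVA lies inside our own section are replayed
//     through Add(), one call per imported function (by ordinal or by name);
//   - every other descriptor is appended unchanged to m_lstExisting.
// Returns without doing anything unless both m_ppe and m_pAttached are set.
//
// NOTE(review): every count, RVA and string consumed here is read from the PE
// image being edited. When that image is not trusted, the helpers called below
// (GetEntry, GetDataAtRVA, GetFuncName, ...) are the only bounds checks this
// function relies on -- confirm they validate against the mapped file size.
void CSectionImport::Copy(void)
{
    IMAGE_IMPORT_DESCRIPTOR id;
    DWORD dwCount;
    CSection *pOurSection;
    char szSectionName[16];
    IMAGE_SECTION_HEADER hdrSection;

    if (m_ppe == NULL || m_pAttached == NULL) return; // Need to be attached first

    // Copy section name.
    // hdrSection.Name is a fixed-size field that carries no NUL terminator when
    // the name fills it completely. lstrcpyn() copies at most (count - 1)
    // characters, so the count has to be the field size plus one; the previous
    // count of 8 dropped the last character of a full-length name and the
    // lookup below then failed to find the section.
    m_pAttached->GetHeader(hdrSection);
    lstrcpyn(szSectionName, (LPCSTR )hdrSection.Name, (int )(sizeof(hdrSection.Name) + 1));
    szSectionName[sizeof(hdrSection.Name)] = '\0';

    pOurSection = m_ppe->GetSectionByName(szSectionName);
    if (pOurSection == NULL) {
        // The by-name lookup can fail; fall back to the section we are attached
        // to instead of dereferencing NULL in the loop below.
        pOurSection = m_pAttached;
    }

    // Copy descriptors
    if (m_ppe->m_ddImport.IsInitialized() == TRUE) {
        for (dwCount = 0; dwCount < m_ppe->m_ddImport.GetNumEntries(); dwCount++) {
            m_ppe->m_ddImport.GetEntry(dwCount, &id);
            if (pOurSection->WithinRVA(id.Name)) {
                // These imported functions were added by SectionImport before, readd them
                // NOTE(review): pDLLName points straight into image data; nothing here
                // checks it for NULL or for a terminator inside the section -- confirm
                // GetDataAtRVA()/Add() cope with a malformed name RVA.
                LPSTR pDLLName = (LPSTR )m_ppe->GetDataAtRVA(id.Name);
                DWORD dwCount2;
                for (dwCount2 = 0; dwCount2 < m_ppe->m_ddImport.GetNumFunctions(dwCount); dwCount2++) {
                    if (m_ppe->m_ddImport.IsOrdinal(dwCount, dwCount2) == TRUE) {
                        DWORD dwOrdinal = m_ppe->m_ddImport.GetOrdinal(dwCount, dwCount2);
                        if (dwOrdinal != PE_INVALID) {
                            Add(pDLLName, (WORD )dwOrdinal);
                        }
                    } else {
                        // First call only asks for the length of the name.
                        DWORD dwLen = m_ppe->m_ddImport.GetFuncName(dwCount, dwCount2, NULL);
                        // Reject 0 and the all-ones value: dwLen + 1 would wrap to 0 and
                        // the second GetFuncName() call would write past an empty buffer.
                        if (dwLen != 0 && dwLen + 1 != 0) {
                            LPSTR pFuncName = new char[dwLen + 1];
                            if (pFuncName) {
                                // Defined values even if the second call writes nothing.
                                WORD wHint = 0;
                                pFuncName[0] = '\0';
                                m_ppe->m_ddImport.GetFuncName(dwCount, dwCount2, pFuncName, &wHint);
                                // Force termination inside the buffer before Add() reads it.
                                pFuncName[dwLen] = '\0';
                                Add(pDLLName, pFuncName, wHint);
                                delete [] pFuncName;
                            }
                        }
                    }
                }
            } else {
                // Not ours: keep the descriptor as it is.
                m_lstExisting.push_back(id);
            }
        }
    }
}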
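// Binds this object to a PE image and to the section that holds the rebuilt
// import data.
//
//   ppe          - image to work on; stored in m_ppe.
//   pSectionName - name of the section to reuse, or to create when the image
//                  has no section of that name.
//
// On success m_pAttached refers to the section and the image's import data
// directory VirtualAddress is set to that section's VirtualAddress. With a
// NULL argument the object is left detached (m_ppe and m_pAttached NULL), so
// the guards in Copy() and Update() turn later calls into no-ops.
void CSectionImport::Attach(CPortableExecutable *ppe, LPSTR pSectionName)
{
    IMAGE_NT_HEADERS hdr;
    // Zero the whole header: only Name and Characteristics are filled in below,
    // and an uninitialised stack copy would hand arbitrary addresses and sizes
    // to SetHeader()/AddSection().
    IMAGE_SECTION_HEADER hdrSection = { 0 };
    CSection sct;

    // Clean up
    Cleanup();

    // Plain NULL checks replace IsBadReadPtr(): that API is documented as
    // obsolete and cannot prove a pointer is safe to read. The old code also
    // went on to dereference ppe and pass pSectionName along even when the
    // probe failed.
    if (ppe == NULL || pSectionName == NULL) {
        m_ppe = NULL;
        m_pAttached = NULL;
        return;
    }

    // Set section name and characteristics.
    // lstrcpyn() copies at most (count - 1) characters and always terminates,
    // which is what both branches of the old lstrlen() test amounted to: names
    // shorter than the field are copied whole, longer ones are cut to fit.
    lstrcpyn((LPSTR )hdrSection.Name, pSectionName, (int )sizeof(hdrSection.Name));
    hdrSection.Characteristics = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE;
    sct.SetHeader(hdrSection);

    // Attach CPortableExecutable class
    m_ppe = ppe;

    // Get section
    // NOTE(review): the header above keeps a truncated copy of long names while
    // this lookup uses the untruncated string -- confirm GetSectionByName()
    // still matches in that case, otherwise each Attach() adds another section.
    m_pAttached = ppe->GetSectionByName(pSectionName);
    if (m_pAttached == NULL) {
        // Add section
        ppe->AddSection(&sct);
        m_pAttached = ppe->GetLastSectionInFile(); // The newly added section
    }

    if (m_pAttached) {
        // Change data directory address: the import directory now starts at
        // the first byte of the attached section.
        ppe->m_Headers.GetNt(hdr);
        m_pAttached->GetHeader(hdrSection);
        hdr.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = hdrSection.VirtualAddress;
        ppe->m_Headers.SetNt(hdr);
    }
}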
void CSectionImport::Update(void)
{
DWORD dwSize;
DWORD dwUnalignedSize;
LPBYTE pData;
LPBYTE pCurrent;
IMAGE_NT_HEADERS hdr;
IMAGE_SECTION_HEADER hdrSection;
impDescIterator dii;
impIterator ii;
IMAGE_IMPORT_DESCRIPTOR id;
strIterator si;
DWORD dwNamesRVA;
DWORD dwFuncsRVA;
DWORD dwFuncNamesRVA;
DWORD dwTemp;
if (m_ppe == NULL || m_pAttached == NULL) return; // Need to be attached first
// Get size
dwSize = m_lstExisting.size() * sizeof(IMAGE_IMPORT_DESCRIPTOR); // Existing descriptors
dwSize += m_lstDLLs.size() * sizeof(IMAGE_IMPORT_DESCRIPTOR); // New descriptors
dwSize += sizeof(IMAGE_IMPORT_DESCRIPTOR); // NULL descriptor
dwUnalignedSize = dwSize;
dwSize = m_ppe->m_Headers.SectionAlignment(dwSize);
pData = new BYTE [dwSize];
if (pData) {
// Zero section data
ZeroMemory(pData, dwSize);
// Get section header
m_pAttached->GetHeader(hdrSection);
pCurrent = pData;
// Copy existing descriptors
if (m_lstExisting.empty() == FALSE) {
for (dii = m_lstExisting.begin(); dii != m_lstExisting.end(); dii++) {
CopyMemory(pCurrent, &(*dii), sizeof(IMAGE_IMPORT_DESCRIPTOR));
pCurrent += sizeof(IMAGE_IMPORT_DESCRIPTOR);
}
}
dwNamesRVA = hdrSection.VirtualAddress + dwUnalignedSize;
dwFuncsRVA = dwNamesRVA + GetTotalDLLNamesLength();
// Write new descriptors for each DLL in the list
if (m_lstDLLs.empty() == FALSE) {
for (si = m_lstDLLs.begin(); si != m_lstDLLs.end(); si++) {
// Create import descriptor
id.OriginalFirstThunk = dwFuncsRVA + (m_lstImports.size() * sizeof(DWORD) + sizeof(DWORD) * m_lstDLLs.size());
id.Name = dwNamesRVA;
id.ForwarderChain = 0;
id.FirstThunk = dwFuncsRVA;
id.TimeDateStamp = 0; // Not pre-snapped
dwNamesRVA += lstrlen(*si) + 1;
dwFuncsRVA += (GetNumFuncs(si) + 1) * sizeof(DWORD);
CopyMemory(pCurrent, &id, sizeof(IMAGE_IMPORT_DESCRIPTOR));
pCurrent += sizeof(IMAGE_IMPORT_DESCRIPTOR);
}
}
dwNamesRVA = hdrSection.VirtualAddress + dwUnalignedSize;
dwFuncsRVA = dwNamesRVA + GetTotalDLLNamesLength();
// Last descriptor - NULL descriptor
ZeroMemory(pCurrent, sizeof(IMAGE_IMPORT_DESCRIPTOR));
pCurrent += sizeof(IMAGE_IMPORT_DESCRIPTOR);
// Write DLL names
if (m_lstDLLs.empty() == FALSE) {
for (si = m_lstDLLs.begin(); si != m_lstDLLs.end(); si++) {
CopyMemory(pCurrent, (*si), lstrlen(*si) + 1);
pCurrent += (lstrlen(*si) + 1);
}
}
// Write DLL functions
if (m_lstDLLs.empty() == FALSE && m_lstImports.empty() == FALSE) {
// FirstThunk table
// Write pointers to functions
dwFuncNamesRVA = dwFuncsRVA + ((sizeof(DWORD) * m_lstImports.size() + sizeof(DWORD) * m_lstDLLs.size()) * 2);
for (si = m_lstDLLs.begin(); si != m_lstDLLs.end(); si++) {
for (ii = m_lstImports.begin(); ii != m_lstImports.end(); ii++) {
if ((*ii).dll == si) {
if ((*ii).flIsOrdinal == FALSE) {
// Write pointer
CopyMemory(pCurrent, &dwFuncNamesRVA, sizeof(DWORD));
pCurrent += sizeof(DWORD);
dwFuncNamesRVA += sizeof(WORD);
if ((*ii).Type.pName) {
dwFuncNamesRVA += lstrlen((*ii).Type.pName);
}
dwFuncNamesRVA++; // NULL padding
} else {
// Write ordinal
dwTemp = (*ii).Type.wOrdinal;
dwTemp |= IMAGE_ORDINAL_FLAG;
CopyMemory(pCurrent, &dwTemp, sizeof(DWORD));
pCurrent += sizeof(DWORD);
}
}
}
// Write NULL pointer
ZeroMemory(pCurrent, sizeof(DWORD));
pCurrent += sizeof(DWORD);
}
// OriginalFirstThunk table
// Write pointers to functions
dwFuncNamesRVA = dwFuncsRVA + ((sizeof(DWORD) * m_lstImports.size() + sizeof(DWORD) * m_lstDLLs.size()) * 2);
for (si = m_lstDLLs.begin(); si != m_lstDLLs.end(); si++) {
for (ii = m_lstImports.begin(); ii != m_lstImports.end(); ii++) {
if ((*ii).dll == si) {
if ((*ii).flIsOrdinal == FALSE) {
// Write pointer
CopyMemory(pCurrent, &dwFuncNamesRVA, sizeof(DWORD));
pCurrent += sizeof(DWORD);
dwFuncNamesRVA += sizeof(WORD);
if ((*ii).Type.pName) {
dwFuncNamesRVA += lstrlen((*ii).Type.pName);
}