/********************************************************************
Copyright (c) Beijing Feitian Technologies
http://www.FTSafe.com
File : SelfReloc.cpp
Created: 2003/11/04
Author: yihai
Purpose: ?
Revision: ?
*********************************************************************/
#include "stdafx.h"
#include <windows.h>
extern "C"
{
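// Element count of a true array (never a pointer). Both the argument and the
// whole expansion are parenthesized so the macro stays correct inside a larger
// expression such as `x % __countof(arr)`.
// NOTE(review): identifiers containing a double underscore are reserved for the
// implementation; the name is kept because SelfReloc() in this file uses it.
#define __countof(a) (sizeof(a)/sizeof((a)[0]))

// Original (link-time) image base: RelocIt() subtracts it from every fix-up.
#define DEFAULT_LINK_BASE 0x10000000

// Base address the image is running at. It starts equal to the link base, in
// which case SelfReloc() does nothing. Nothing in this file assigns it --
// presumably the packer or earlier stub code patches it; confirm.
DWORD g_shl_run_time_base = DEFAULT_LINK_BASE;

// Entry point of the program before it was packed. Held as a 32-bit DWORD and
// cast straight to a function pointer in ShellDllStartupEntry().
DWORD g_shl_old_entry = 0;

// Start of the import address table (IAT) of the program before packing.
PDWORD g_shl_p_old_IAT_addr = 0;

// Size in bytes of the pre-packing IAT.
DWORD g_shl_old_IAT_size = 0;

// Address in the packed image that corresponds to the original IAT.
PDWORD g_shl_p_new_IAT_addr = 0;

// Not referenced by any function in this file.
PDWORD g_shl_p_ref_IAT_addr = 0;

// Signature used to call the original DLL entry point.
// NOTE(review): declared as returning C++ `bool`, while ShellDllStartupEntry()
// returns Win32 `BOOL`; confirm this matches the real entry point's return type.
typedef bool (WINAPI *TPFN_OldDllEntry)(HANDLE hDllHandle,DWORD dwReason,LPVOID lpreserved);

// Not referenced by any function in this file.
TPFN_OldDllEntry g_pfnOldEntry;

// Table of RVAs, one per DWORD inside this stub that holds an address computed
// against DEFAULT_LINK_BASE. The begin/end marker comments are kept verbatim;
// they look like anchors for a generator tool -- TODO confirm.
//begin dumpreloc
DWORD g_shl_basereloc_item[] = {
0x0000100B, 0x00001010, 0x00001017, 0x00001025, 0x0000102E
}; //end of g_shl_basereloc_item
//end dumpreloc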
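/*
 * Restore the import address table of the program as it was before packing.
 *
 * Copies g_shl_old_IAT_size bytes from g_shl_p_new_IAT_addr to
 * g_shl_p_old_IAT_addr. All three values are file-level globals that default
 * to 0; the copy is skipped while any of them is still unset, because memcpy()
 * on a null pointer is undefined behaviour even for a zero length.
 *
 * NOTE(review): the size and both addresses are used as-is. Nothing here checks
 * that the ranges lie inside the loaded image, that they do not overlap, or
 * that the destination page is writable -- confirm the producer of these
 * values guarantees that.
 */
void shell_init()
{
    if (g_shl_p_old_IAT_addr == NULL ||
        g_shl_p_new_IAT_addr == NULL ||
        g_shl_old_IAT_size == 0)
    {
        return; // nothing to restore yet
    }

    memcpy(g_shl_p_old_IAT_addr, g_shl_p_new_IAT_addr, g_shl_old_IAT_size);
}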
/*
 * Apply one base-relocation fix-up.
 *
 * pReloc points at a table entry holding an RVA. The RVA plus the run-time
 * base gives the address of a DWORD whose stored value was computed against
 * DEFAULT_LINK_BASE; that value is rebased to g_shl_run_time_base.
 *
 * NOTE(review): the target address is built in a 32-bit DWORD and cast to a
 * pointer, so this only works where pointers are 32 bits wide. The target is
 * written without any bounds or page-protection check.
 */
void RelocIt(PDWORD pReloc)
{
    // RVA from the table + run-time base = address of the DWORD to patch.
    PDWORD pdwTarget = (PDWORD)(*pReloc + g_shl_run_time_base);

    // Strip the link-time base, then add the base the image really runs at.
    *pdwTarget = *pdwTarget - DEFAULT_LINK_BASE;
    *pdwTarget = *pdwTarget + g_shl_run_time_base;
}
/*
 * Rebase every location listed in g_shl_basereloc_item.
 *
 * Does nothing when the run-time base equals DEFAULT_LINK_BASE. Otherwise each
 * table entry is handed to RelocIt(). The function keeps no "already done"
 * state, so a second call would apply the same delta again.
 */
void SelfReloc()
{
    if (g_shl_run_time_base != DEFAULT_LINK_BASE)
    {
        const int nItems = __countof(g_shl_basereloc_item);

        // Walk the table; every element is one RVA to fix up.
        for (int idx = 0; idx < nItems; ++idx)
        {
            RelocIt(&g_shl_basereloc_item[idx]);
        }
    }
}
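/*
 * DLL entry point of the shell.
 *
 * On DLL_PROCESS_ATTACH it restores the original IAT (shell_init) and rebases
 * the stub's own fix-ups (SelfReloc). For every reason code it then forwards
 * the call to the original entry point stored in g_shl_old_entry and returns
 * that result.
 *
 * If g_shl_old_entry is still 0 there is nothing to forward to; TRUE is
 * returned instead of calling through a null function pointer.
 *
 * NOTE(review): g_shl_old_entry is a 32-bit DWORD cast to a function pointer,
 * so this is valid only where pointers are 32 bits wide. The value is trusted
 * as-is; confirm it is an absolute address and not an RVA.
 */
BOOL WINAPI ShellDllStartupEntry(HANDLE hDllHandle,
                                 DWORD dwReason,
                                 LPVOID lpreserved
                                 )
{
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        // NOTE(review): this looks like a debugging aid. Microsoft's DllMain
        // guidance advises against calling User32 functions such as MessageBox
        // from a DLL entry point, which runs under the loader lock; consider
        // removing it or restricting it to debug builds.
        MessageBox(NULL, "Shell DllMain", 0, 0);
        shell_init();
        SelfReloc();
    }

    if (g_shl_old_entry == 0)
    {
        return TRUE; // no original entry point recorded
    }

    TPFN_OldDllEntry pfnOldDllEntry = (TPFN_OldDllEntry)g_shl_old_entry;
    return pfnOldDllEntry(hDllHandle, dwReason, lpreserved);
}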
}