unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, ExtCtrls, StdCtrls;
type
  { The only form of the tool: a path box (Edit1), a browse button (Button1)
    and a patch button (Button3).  Button3Click hands Edit1.Text to the
    unit-level AddSection procedure. }
  TForm1 = class(TForm)
    Label1: TLabel;
    Edit1: TEdit;              // path of the executable to patch
    Button1: TButton;          // browse -> Button1Click
    Bevel1: TBevel;
    Button3: TButton;          // patch  -> Button3Click
    OpenDialog1: TOpenDialog;
    procedure FormCreate(Sender: TObject);
    procedure Button1Click(Sender: TObject);
    procedure Button3Click(Sender: TObject);
    // Reads the target's ImageBase into FImageBase.  Nothing in this unit
    // calls it, so it is dead code as far as this file shows.
    procedure obtain;
  private
    { Private declarations }
    FImageBase: DWORD;         // written only by obtain; never read in this unit
  public
    { Public declarations }
  end;
  { 64-byte buffer type for the entry stub OEPCODE below. }
  THEAD = array[0..63] of byte;
var
  Form1: TForm1;
const
  // Name of the section AddSection appends (user-defined).
  // NOTE(review): declared but never referenced - AddSection spells the
  // same name out byte by byte into the section header instead.
  MYSECTION = 'Fi7ke';
  // Offset inside OEPCODE that AddSection overwrites with the original
  // entry point's absolute address: index 30 holds $E9 (jmp rel32) and
  // indices 31..34 are its 4-byte operand.  The original comment describes
  // the value as "junk-instruction machine code, picked arbitrarily after
  // loading in OllyDbg".
  JMPOFF = 31;
  { Machine-code stub that becomes the new entry point.  It starts with
    $9C $60 (pushfd / pushad); only the dword at JMPOFF is patched at run
    time, every other byte is written to the file verbatim.  The stub has
    not been disassembled or executed as part of this review - TODO confirm
    in a debugger that control actually returns to the original entry
    point on a real target.  Stored as a typed constant; AddSection writes
    into it with inline assembly. }
  OEPCODE: THEAD = ($9C, $60, $EB, $05, $00, $00, $00, $33, $C0, $8B, $C4, $83,
                    $C0, $04, $93, $8B, $E3, $8B, $5B, $FC, $81, $EB, $07, $30,
                    $40, $00, $87, $DD, $EB, $0A, $E9, $02, $FF, $FF, $0D, $90,
                    $90, $90, $90, $EB, $F4, $00, $00, $00, $00, $00, $00, $00,
                    $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
                    $00, $00, $00, $00);
procedure AddSection(FName: string);
implementation
{$R *.dfm}
{ Appends a new section to the PE file FName, copies OEPCODE into it and
  makes that section the program entry point.  Before the bytes are
  written, the original entry point's absolute address (AddressOfEntryPoint
  RVA + ImageBase) is stored into OEPCODE at offset JMPOFF - the four bytes
  after the $E9 at index 30 - so the stub can transfer control back to it.

  FName: path of the executable; it is modified in place.  The file is opened
         read/write with fmShareDenyWrite and any open, seek or read failure
         raised by TFileStream propagates to the caller.

  NOTE(review): the input is trusted completely.  e_magic, Signature and
  OptionalHeader.Magic are never checked, so a non-PE file, or a PE32+ file
  whose optional header does not match the 32-bit IMAGE_NT_HEADERS read
  here, is patched with whatever _lfanew happens to say.  Changing the
  headers and appending data also invalidates any Authenticode signature
  the file carried. }
procedure AddSection(FName: string);
var
  DOSHEADER: IMAGE_DOS_HEADER;
  PEHEADER: IMAGE_NT_HEADERS;
  SectionHeader: IMAGE_SECTION_HEADER;    // last existing section header
  MySectionHeader: IMAGE_SECTION_HEADER;  // header of the section being added
  fs: TFileStream;
  AddressOfEntryPoint: DWORD;             // original entry: RVA first, then VA
begin
  fs := TFileStream.Create(FName, fmOpenReadWrite +
    fmShareDenyWrite);
  try
    // DOS header, then the NT headers at _lfanew (no signature check).
    fs.Seek(0, soFromBeginning);
    fs.Read(DOSHEADER, sizeof(DOSHEADER));
    fs.Seek(DOSHEADER._lfanew, soFromBeginning);
    fs.Read(PEHEADER, sizeOf(PEHEADER));
    // Step over NumberOfSections-1 headers and read the last one; the new
    // header is written directly after it.  Nothing checks that
    // SizeOfHeaders leaves room for one more 40-byte entry - if it does
    // not, the write below lands on the first section's raw data.
    fs.Seek(sizeOf(SectionHeader) *
      (PEHEADER.FileHeader.NumberOfSections - 1), soFromCurrent);
    fs.Read(SectionHeader, sizeof(IMAGE_SECTION_HEADER));
    // Section name, spelled out byte by byte (same text as MYSECTION);
    // bytes 5..7 are the NUL padding of the 8-byte name field.
    MySectionHeader.Name[0] := ord('F');
    MySectionHeader.Name[1] := ord('i');
    MySectionHeader.Name[2] := ord('7');
    MySectionHeader.Name[3] := ord('k');
    MySectionHeader.Name[4] := ord('e');
    MySectionHeader.Name[5] := 0;
    MySectionHeader.Name[6] := 0;
    MySectionHeader.Name[7] := 0;
    // The new section starts where the current image ends in memory.
    MySectionHeader.VirtualAddress := PEHEADER.OptionalHeader.SizeOfImage;
    MySectionHeader.Misc.VirtualSize := $200;
    // Since VirtualAddress = SizeOfImage this is the distance from the new
    // VirtualAddress up to the next FileAlignment multiple (a whole
    // FileAlignment when it is already aligned).  It is derived from a
    // virtual address rather than a file offset and is unrelated to the
    // $200 bytes actually appended below - TODO confirm on a real target.
    MySectionHeader.SizeOfRawData := (MySectionHeader.VirtualAddress div
      PEHEADER.OptionalHeader.FileAlignment + 1) * PEHEADER.OptionalHeader.FileAlignment -
      PEHEADER.OptionalHeader.SizeOfImage;
    // Raw data is declared to follow the last section's raw data.  The
    // bytes themselves are appended at fs.Size further down, so the two
    // only agree when the last section reaches end-of-file (no overlay
    // and no certificate table after it).
    MySectionHeader.PointerToRawData :=
      SectionHeader.SizeOfRawData + SectionHeader.PointerToRawData;
    // $E0000020 = IMAGE_SCN_CNT_CODE or IMAGE_SCN_MEM_EXECUTE or
    // IMAGE_SCN_MEM_READ or IMAGE_SCN_MEM_WRITE: a writable code section.
    MySectionHeader.Characteristics := $E0000020;
    // NOTE(review): PointerToRelocations, PointerToLinenumbers,
    // NumberOfRelocations and NumberOfLinenumbers are never assigned, so
    // uninitialised stack bytes end up in the header on disk.
    Inc(PEHEADER.FileHeader.NumberOfSections);
    fs.Write(MySectionHeader, sizeOf(MySectionHeader));
    // Back to the NT headers so they can be rewritten with the new entry.
    fs.Seek(DOSHEADER._lfanew, soFromBeginning);
    AddressOfEntryPoint := PEHEADER.OptionalHeader.AddressOfEntryPoint;
    PEHEADER.OptionalHeader.AddressOfEntryPoint :=
      MySectionHeader.VirtualAddress;
    // Cosmetic: the linker version is overwritten with 7.0.
    PEHEADER.OptionalHeader.MajorLinkerVersion := 7;
    PEHEADER.OptionalHeader.MinorLinkerVersion := 0;
    // Turn the original entry RVA into an absolute VA using the preferred
    // ImageBase.  No relocation entry is added for the patched dword, so
    // the stub's target is only right when the image is loaded at
    // ImageBase (not when the loader relocates it) - TODO verify.
    AddressOfEntryPoint := AddressOfEntryPoint +
      PEHEADER.OptionalHeader.ImageBase;
    // Inline assembly stores the VA into OEPCODE at offset JMPOFF.  Going
    // through a pointer in asm presumably sidesteps the compiler's check
    // on assigning to a typed constant.  The original comment explains
    // the asm as "registers are the CPU's temporary storage, faster than
    // memory"; PUSHAD/POPAD preserve them around the write.
    asm
      PUSHAD
      LEA eax, OEPCODE            // eax := @OEPCODE
      ADD eax, JMPOFF             // eax := @OEPCODE[JMPOFF]
      MOV edx, AddressOfEntryPoint
      MOV DWORD ptr [eax], edx    // OEPCODE[JMPOFF..JMPOFF+3] := VA
      POPAD
    end;
    // Grow the image by VirtualSize.  NOTE(review): the PE format expects
    // SizeOfImage to be a multiple of SectionAlignment; adding $200 keeps
    // that only when the alignment is <= $200.
    PEHEADER.OptionalHeader.SizeOfImage :=
      PEHEADER.OptionalHeader.SizeOfImage + MySectionHeader.Misc.VirtualSize;
    fs.Write(PEHEADER, sizeof(PEHEADER));
    // Append the stub at end-of-file.  OEPCODE is 64 bytes but $200 are
    // written, so 448 bytes past the end of the constant are copied into
    // the file as well; the amount written is VirtualSize, not the
    // SizeOfRawData declared in the header.
    fs.Seek(fs.Size, soFromBeginning);
    fs.Write(OEPCODE, MySectionHeader.Misc.VirtualSize)
  finally
    fs.Free;
  end;
end;
{ Form start-up: empty the path box regardless of what the .dfm stored. }
procedure TForm1.FormCreate(Sender: TObject);
begin
  with Edit1 do
    Clear;
end;
{ Browse button: copy the chosen file name into Edit1; leave it untouched
  when the dialog is cancelled. }
procedure TForm1.Button1Click(Sender: TObject);
begin
  if not OpenDialog1.Execute then
    Exit;
  Edit1.Text := OpenDialog1.FileName;
end;
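{ Reads the NT headers of the executable named in Edit1 and caches its
  preferred ImageBase in FImageBase.

  Changes from the original: the file is opened read-only (it was opened
  fmOpenReadWrite although nothing is written, which needlessly fails on
  read-only files), and the MZ and PE signatures are checked so a non-PE
  path raises instead of storing a garbage ImageBase.

  Raises: EFOpenError when the file cannot be opened; Exception when the
  DOS or PE signature is missing. }
procedure TForm1.obtain;
var
  DOSHEADER: IMAGE_DOS_HEADER;
  PEHEADER: IMAGE_NT_HEADERS;
  fs: TFileStream;
begin
  fs := TFileStream.Create(Edit1.Text, fmOpenRead or fmShareDenyWrite);
  try
    fs.Seek(0, soFromBeginning);
    fs.Read(DOSHEADER, sizeof(DOSHEADER));
    // Reject anything that is not an MZ executable before trusting _lfanew.
    if DOSHEADER.e_magic <> IMAGE_DOS_SIGNATURE then
      raise Exception.Create('Not an MZ executable: ' + Edit1.Text);
    fs.Seek(DOSHEADER._lfanew, soFromBeginning);
    fs.Read(PEHEADER, sizeOf(PEHEADER));
    // 'PE\0\0' must be at _lfanew, otherwise the optional header is garbage.
    if PEHEADER.Signature <> IMAGE_NT_SIGNATURE then
      raise Exception.Create('Missing PE signature: ' + Edit1.Text);
    FImageBase := PEHEADER.OptionalHeader.ImageBase;
  finally
    fs.Free;
  end;
end;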
{ Patch button: refuse an empty path, otherwise run AddSection on the
  (untrimmed) Edit1 text and report success.  An exception raised inside
  AddSection propagates out of the handler and skips the success message. }
procedure TForm1.Button3Click(Sender: TObject);
var
  chosen: string;
begin
  chosen := Trim(Edit1.Text);
  if chosen <> '' then
  begin
    AddSection(Edit1.Text);
    Messagebox(Handle, '伪装成功!', '提示', MB_OK + MB_ICONINFORMATION);
  end
  else
    Messagebox(Handle, '请选择你要伪装的程序!', '提示', MB_OK + MB_ICONSTOP);
end;
end. unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, ExtCtrls, StdCtrls;
type
  { The only form of the tool: a path box (Edit1), a browse button (Button1)
    and a patch button (Button3).  Button3Click hands Edit1.Text to the
    unit-level AddSection procedure.  Button2 has no handler in this unit. }
  TForm1 = class(TForm)
    Label1: TLabel;
    Edit1: TEdit;              // path of the executable to patch
    Button1: TButton;          // browse -> Button1Click
    Bevel1: TBevel;
    Button3: TButton;          // patch  -> Button3Click
    OpenDialog1: TOpenDialog;
    Button2: TButton;          // no event handler wired up here
    procedure FormCreate(Sender: TObject);
    procedure Button1Click(Sender: TObject);
    procedure Button3Click(Sender: TObject);
    // Reads the target's ImageBase into FImageBase.  Nothing in this unit
    // calls it, so it is dead code as far as this file shows.
    procedure obtain;
  private
    { Private declarations }
    FImageBase: DWORD;         // written only by obtain; never read in this unit
  public
    { Public declarations }
  end;
  { 64-byte buffer type for the entry stub OEPCODE below. }
  THEAD = array[0..63] of byte;
var
  Form1: TForm1;
const
  // Name of the section AddSection appends (user-defined).
  // NOTE(review): declared but never referenced - AddSection spells the
  // same name out byte by byte into the section header instead.
  MYSECTION = 'xinghe';
  // Offset inside OEPCODE that AddSection overwrites with the original
  // entry point's absolute address: index 30 holds $E9 (jmp rel32) and
  // indices 31..34 are its 4-byte operand.  The original comment describes
  // the value as "junk-instruction machine code, picked arbitrarily after
  // loading in OllyDbg".
  JMPOFF = 31;
  { Machine-code stub that becomes the new entry point.  It starts with
    $9C $60 (pushfd / pushad); only the dword at JMPOFF is patched at run
    time, every other byte is written to the file verbatim.  The stub has
    not been disassembled or executed as part of this review - TODO confirm
    in a debugger that control actually returns to the original entry
    point on a real target.  Stored as a typed constant; AddSection writes
    into it with inline assembly. }
  OEPCODE: THEAD = ($9C, $60, $EB, $05, $00, $00, $00, $33, $C0, $8B, $C4, $83,
                    $C0, $04, $93, $8B, $E3, $8B, $5B, $FC, $81, $EB, $07, $30,
                    $40, $00, $87, $DD, $EB, $0A, $E9, $02, $FF, $FF, $0D, $90,
                    $90, $90, $90, $EB, $F4, $00, $00, $00, $00, $00, $00, $00,
                    $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
                    $00, $00, $00, $00);
procedure AddSection(FName: string);
implementation
{$R *.dfm}
{ Appends a new section to the PE file FName, copies OEPCODE into it and
  makes that section the program entry point.  Before the bytes are
  written, the original entry point's absolute address (AddressOfEntryPoint
  RVA + ImageBase) is stored into OEPCODE at offset JMPOFF - the four bytes
  after the $E9 at index 30 - so the stub can transfer control back to it.

  FName: path of the executable; it is modified in place.  The file is opened
         read/write with fmShareDenyWrite and any open, seek or read failure
         raised by TFileStream propagates to the caller.

  NOTE(review): the input is trusted completely.  e_magic, Signature and
  OptionalHeader.Magic are never checked, so a non-PE file, or a PE32+ file
  whose optional header does not match the 32-bit IMAGE_NT_HEADERS read
  here, is patched with whatever _lfanew happens to say.  Changing the
  headers and appending data also invalidates any Authenticode signature
  the file carried. }
procedure AddSection(FName: string);
var
  DOSHEADER: IMAGE_DOS_HEADER;
  PEHEADER: IMAGE_NT_HEADERS;
  SectionHeader: IMAGE_SECTION_HEADER;    // last existing section header
  MySectionHeader: IMAGE_SECTION_HEADER;  // header of the section being added
  fs: TFileStream;
  AddressOfEntryPoint: DWORD;             // original entry: RVA first, then VA
begin
  fs := TFileStream.Create(FName, fmOpenReadWrite +
    fmShareDenyWrite);
  try
    // DOS header, then the NT headers at _lfanew (no signature check).
    fs.Seek(0, soFromBeginning);
    fs.Read(DOSHEADER, sizeof(DOSHEADER));
    fs.Seek(DOSHEADER._lfanew, soFromBeginning);
    fs.Read(PEHEADER, sizeOf(PEHEADER));
    // Step over NumberOfSections-1 headers and read the last one; the new
    // header is written directly after it.  Nothing checks that
    // SizeOfHeaders leaves room for one more 40-byte entry - if it does
    // not, the write below lands on the first section's raw data.
    fs.Seek(sizeOf(SectionHeader) *
      (PEHEADER.FileHeader.NumberOfSections - 1), soFromCurrent);
    fs.Read(SectionHeader, sizeof(IMAGE_SECTION_HEADER));
    // Section name, spelled out byte by byte (same text as MYSECTION);
    // bytes 6..7 are the NUL padding of the 8-byte name field.
    MySectionHeader.Name[0] := ord('x');
    MySectionHeader.Name[1] := ord('i');
    MySectionHeader.Name[2] := ord('n');
    MySectionHeader.Name[3] := ord('g');
    MySectionHeader.Name[4] := ord('h');
    MySectionHeader.Name[5] := ord('e');
    MySectionHeader.Name[6] := 0;
    MySectionHeader.Name[7] := 0;
    // The new section starts where the current image ends in memory.
    MySectionHeader.VirtualAddress := PEHEADER.OptionalHeader.SizeOfImage;
    MySectionHeader.Misc.VirtualSize := $200;
    // Since VirtualAddress = SizeOfImage this is the distance from the new
    // VirtualAddress up to the next FileAlignment multiple (a whole
    // FileAlignment when it is already aligned).  It is derived from a
    // virtual address rather than a file offset and is unrelated to the
    // $200 bytes actually appended below - TODO confirm on a real target.
    MySectionHeader.SizeOfRawData := (MySectionHeader.VirtualAddress div
      PEHEADER.OptionalHeader.FileAlignment + 1) * PEHEADER.OptionalHeader.FileAlignment -
      PEHEADER.OptionalHeader.SizeOfImage;
    // Raw data is declared to follow the last section's raw data.  The
    // bytes themselves are appended at fs.Size further down, so the two
    // only agree when the last section reaches end-of-file (no overlay
    // and no certificate table after it).
    MySectionHeader.PointerToRawData :=
      SectionHeader.SizeOfRawData + SectionHeader.PointerToRawData;
    // $E0000020 = IMAGE_SCN_CNT_CODE or IMAGE_SCN_MEM_EXECUTE or
    // IMAGE_SCN_MEM_READ or IMAGE_SCN_MEM_WRITE: a writable code section.
    MySectionHeader.Characteristics := $E0000020;
    // NOTE(review): PointerToRelocations, PointerToLinenumbers,
    // NumberOfRelocations and NumberOfLinenumbers are never assigned, so
    // uninitialised stack bytes end up in the header on disk.
    Inc(PEHEADER.FileHeader.NumberOfSections);
    fs.Write(MySectionHeader, sizeOf(MySectionHeader));
    // Back to the NT headers so they can be rewritten with the new entry.
    fs.Seek(DOSHEADER._lfanew, soFromBeginning);
    AddressOfEntryPoint := PEHEADER.OptionalHeader.AddressOfEntryPoint;
    PEHEADER.OptionalHeader.AddressOfEntryPoint :=
      MySectionHeader.VirtualAddress;
    // Cosmetic: the linker version is overwritten with 7.0.
    PEHEADER.OptionalHeader.MajorLinkerVersion := 7;
    PEHEADER.OptionalHeader.MinorLinkerVersion := 0;
    // Turn the original entry RVA into an absolute VA using the preferred
    // ImageBase.  No relocation entry is added for the patched dword, so
    // the stub's target is only right when the image is loaded at
    // ImageBase (not when the loader relocates it) - TODO verify.
    AddressOfEntryPoint := AddressOfEntryPoint +
      PEHEADER.OptionalHeader.ImageBase;
    // Inline assembly stores the VA into OEPCODE at offset JMPOFF.  Going
    // through a pointer in asm presumably sidesteps the compiler's check
    // on assigning to a typed constant.  The original comment explains
    // the asm as "registers are the CPU's temporary storage, faster than
    // memory"; PUSHAD/POPAD preserve them around the write.
    asm
      PUSHAD
      LEA eax, OEPCODE            // eax := @OEPCODE
      ADD eax, JMPOFF             // eax := @OEPCODE[JMPOFF]
      MOV edx, AddressOfEntryPoint
      MOV DWORD ptr [eax], edx    // OEPCODE[JMPOFF..JMPOFF+3] := VA
      POPAD
    end;
    // Grow the image by VirtualSize.  NOTE(review): the PE format expects
    // SizeOfImage to be a multiple of SectionAlignment; adding $200 keeps
    // that only when the alignment is <= $200.
    PEHEADER.OptionalHeader.SizeOfImage :=
      PEHEADER.OptionalHeader.SizeOfImage + MySectionHeader.Misc.VirtualSize;
    fs.Write(PEHEADER, sizeof(PEHEADER));
    // Append the stub at end-of-file.  OEPCODE is 64 bytes but $200 are
    // written, so 448 bytes past the end of the constant are copied into
    // the file as well; the amount written is VirtualSize, not the
    // SizeOfRawData declared in the header.
    fs.Seek(fs.Size, soFromBeginning);
    fs.Write(OEPCODE, MySectionHeader.Misc.VirtualSize)
  finally
    fs.Free;
  end;
end;
{ Form start-up: empty the path box regardless of what the .dfm stored. }
procedure TForm1.FormCreate(Sender: TObject);
begin
  with Edit1 do
    Clear;
end;
{ Browse button: copy the chosen file name into Edit1; leave it untouched
  when the dialog is cancelled. }
procedure TForm1.Button1Click(Sender: TObject);
begin
  if not OpenDialog1.Execute then
    Exit;
  Edit1.Text := OpenDialog1.FileName;
end;
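{ Reads the NT headers of the executable named in Edit1 and caches its
  preferred ImageBase in FImageBase.

  Changes from the original: the file is opened read-only (it was opened
  fmOpenReadWrite although nothing is written, which needlessly fails on
  read-only files), and the MZ and PE signatures are checked so a non-PE
  path raises instead of storing a garbage ImageBase.

  Raises: EFOpenError when the file cannot be opened; Exception when the
  DOS or PE signature is missing. }
procedure TForm1.obtain;
var
  DOSHEADER: IMAGE_DOS_HEADER;
  PEHEADER: IMAGE_NT_HEADERS;
  fs: TFileStream;
begin
  fs := TFileStream.Create(Edit1.Text, fmOpenRead or fmShareDenyWrite);
  try
    fs.Seek(0, soFromBeginning);
    fs.Read(DOSHEADER, sizeof(DOSHEADER));
    // Reject anything that is not an MZ executable before trusting _lfanew.
    if DOSHEADER.e_magic <> IMAGE_DOS_SIGNATURE then
      raise Exception.Create('Not an MZ executable: ' + Edit1.Text);
    fs.Seek(DOSHEADER._lfanew, soFromBeginning);
    fs.Read(PEHEADER, sizeOf(PEHEADER));
    // 'PE\0\0' must be at _lfanew, otherwise the optional header is garbage.
    if PEHEADER.Signature <> IMAGE_NT_SIGNATURE then
      raise Exception.Create('Missing PE signature: ' + Edit1.Text);
    FImageBase := PEHEADER.OptionalHeader.ImageBase;
  finally
    fs.Free;
  end;
end;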
{ Patch button: refuse an empty path, otherwise run AddSection on the
  (untrimmed) Edit1 text and report success.  An exception raised inside
  AddSection propagates out of the handler and skips the success message. }
procedure TForm1.Button3Click(Sender: TObject);
var
  chosen: string;
begin
  chosen := Trim(Edit1.Text);
  if chosen <> '' then
  begin
    AddSection(Edit1.Text);
    Messagebox(Handle, '免杀拉!谢谢您你使用', '提示', MB_OK + MB_ICONINFORMATION);
  end
  else
    Messagebox(Handle, '你还没选择程序哦!', '提示', MB_OK + MB_ICONSTOP);
end;
end.