
📄 frmmain.frm

📁 vb编制的木马加花器
End If
hFile = Ret
If Not isPE(FilePath) Then
    MsgBox "不是有效的PE文件", vbInformation + vbOKOnly, "提示"
    GoTo ErrHandle
End If
SetFilePointer hFile, &H3C, 0, FILE_BEGIN
'''&H3C 为保存PE结构地址的文件偏移地址
ReadFileLng hFile, ByVal VarPtr(dwPE_Header_OffSet), 4, lngBytesRead, 0  '读取 e_lfanew字段
'PE signature (PE) PE结构的地址
SetFilePointer hFile, dwPE_Header_OffSet, 0, FILE_BEGIN
ReadFileLng hFile, ByVal VarPtr(PE_Header), Len(PE_Header) + Len(SECTION_Header), lngBytesRead, 0
'**************************************************
'判断是否有多余空间来新增区段
'**************************************************
SECTION_Num = PE_Header.FileHeader.NumberOfSections
SECTION_Mount = SECTION_Num * &H28 '&h28 = sizeof IMAGE_SECTION_HEADER
SECTION_Mount = SECTION_Mount + dwPE_Header_OffSet '+PE文件头偏移
SECTION_Mount = SECTION_Mount + &H18 'sizeof IMAGE_FILE_HEADER + "PE"
SECTION_Mount = SECTION_Mount + PE_Header.FileHeader.SizeOfOptionalHeader 'sizeof IMAGE_OPTIONAL_HEADER
SECTION_Mount = SECTION_Mount + &H28
If SECTION_Mount > PE_Header.OptionalHeader.SizeOfHeaders Then
    MsgBox "没有足够空间加入新节", vbInformation + vbOKOnly, "提示"
    GoTo ErrHandle
End If
'保存原入口
Old_AddressOfEntryPoint = PE_Header.OptionalHeader.AddressOfEntryPoint
Old_ImageBase = PE_Header.OptionalHeader.ImageBase
'**************************************************
'计算新节的偏移地址:
'**************************************************
    dwMySectionOffSet = PE_Header.FileHeader.NumberOfSections * &H28
    'dwMySectionOffSet = dwMySectionOffSet + 4      ';4h = sizeof "PE\0\0"
    dwMySectionOffSet = dwMySectionOffSet + dwPE_Header_OffSet
    dwMySectionOffSet = dwMySectionOffSet + &H18
    dwMySectionOffSet = dwMySectionOffSet + Len(OPTIONAL_Header) 'OPTIONAL_Header = IMAGE_OPTIONAL_HEADER
    '新节偏移地址
'    ;****************************************
'    ;填充我们自己的节的信息:
'    ;****************************************
    
    
    strSectionName = (StrConv(strNewSectionName, vbFromUnicode))
    Call CopyMemory(ByVal VarPtr(SECTION_Header.SectionName(0)), ByVal StrPtr(strSectionName), 8)
    SECTION_Header.VirtualSize = lngNewSectionSize
    SECTION_Header.VirtualAddress = PE_Header.OptionalHeader.SizeOfImage
    SECTION_Header.SizeOfRawData = (SECTION_Header.VirtualSize \ PE_Header.OptionalHeader.FileAlignment + 1) * PE_Header.OptionalHeader.FileAlignment
     
     
     'SizeOfRawData在EXE文件中是对齐到FileAlignMent的整数倍的值
    NewOffset = dwMySectionOffSet - &H18
    '这个偏移是定位到最后一节的“SizeOfRawData” &h18 = sizeof IMAGE_FILE_HEADER
    SetFilePointer hFile, NewOffset, 0, FILE_BEGIN
    ReadFileLng hFile, ByVal VarPtr(dwLastSection_SizeOfRawData), 4, lngBytesRead, 0
    ReadFileLng hFile, ByVal VarPtr(dwLastSection_PointerToRawData), 4, lngBytesRead, 0
    
    '每个节的 PointerToRawData 等于它的上一节的 SizeOfRawData + PointerToRawData:
    SECTION_Header.PointerToRawData = dwLastSection_SizeOfRawData + dwLastSection_PointerToRawData
    SECTION_Header.PointerToRelocations = 0
    SECTION_Header.PointerToLinenumbers = 0
    SECTION_Header.NumberOfRelocations = 0
    SECTION_Header.NumberOfLinenumbers = 0
    SECTION_Header.Characteristics = &HE0000020   ';可读可写可执行
    
    
    
    
        '''计算jmp的偏移量
'    Select Case ComboFakeCode.Text
'        Case "EXECryptor 1.x.x -> SoftComplete Developement":
'            strFakeCode = strEXECryptor
'        Case "ASPack 2.12 -> Alexey Solodovnikov":
'            strFakeCode = strAsPack
'        Case ".BJFNT 1.3 -> :MARQUiS:":
'            strFakeCode = strBJFNT
'        Case "EXE Shield v0.1b - v0.3b, v0.3 -> SMoKE *":
'            strFakeCode = strExeShield
'    End Select
    strFakeCode = Replace$(strFakeCode, " ", "")
    ''''这里开始加入反调试
    If chkIsDebuggerPresent Then
        strFakeCode = strFakeCode & strIsDebuggerPresent
    End If
    ''''''''''''''''''''''
    
    strFakeCode = strFakeCode & "E9"
    lngjmpOffset = Len(strFakeCode) \ 2  ''''由于花指令而增加的偏移量
    lngjmpOffset = lngjmpOffset + SECTION_Header.VirtualAddress ''''新增的Ep+增加的代码偏移
    lngjmpOffset = Old_AddressOfEntryPoint - lngjmpOffset - 4 ' 往回跳
    '由于本加花都是跨区段回跳 地址占了 4位  如 E9 ****FFFF
    strFakeCode = strFakeCode & ReverseBytes(Hex8(lngjmpOffset))
    CodeBuf.nBuf = 0   '在模块中定义
    AddCode strFakeCode
    
'    ;****************************************
'    ;是否改写所有区段名称:
'    ;****************************************
    Section_Offset = dwPE_Header_OffSet + &H18 + Len(OPTIONAL_Header)
    strSectionName = (StrConv(strNewSectionName, vbFromUnicode))
    If chkModifySectionName And SECTION_Num >= 1 Then
        For i = 1 To SECTION_Num
            SetFilePointer hFile, Section_Offset + (i - 1) * &H28, 0, FILE_BEGIN   '&H28 = sizeof(section)
            WriteFileLng hFile, ByVal StrPtr(strSectionName), 8, lngBytesRead, 0
        Next
    End If
'    ;**************************************************
'    ;重新写入IMAGE_SECTION_HEADER:(包含了新节的信息)
'    ;**************************************************
    SetFilePointer hFile, dwMySectionOffSet, 0, FILE_BEGIN
    WriteFileLng hFile, ByVal VarPtr(SECTION_Header), Len(SECTION_Header), lngBytesRead, 0
'    ;****************************************
'    ;在文件的最后写入我们的新节:
'    ;预留效果:
'    ;  1.加花的时候 可以把程序的区段名 改掉
'    ;  2.添加 Anti-Debug 代码
'    ;****************************************
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    SetFilePointer hFile, 0, 0, FILE_END
    WriteFileLng hFile, ByVal VarPtr(CodeBuf.Code.Buf(0)), SECTION_Header.SizeOfRawData, lngBytesRead, 0
'    ;**************************************************
'    ;改写IMAGE_NT_HEADERS,使新节可以首先执行:
'    ;(需要改写 SizeOfImage 和 AddressOfEntryPoint)
'    ;**************************************************
PE_Header.FileHeader.NumberOfSections = PE_Header.FileHeader.NumberOfSections + 1
PE_Header.OptionalHeader.SizeOfImage = PE_Header.OptionalHeader.SizeOfImage + (SECTION_Header.VirtualSize \ PE_Header.OptionalHeader.FileAlignment + 1) * PE_Header.OptionalHeader.FileAlignment
'SizeOfImage是一个对齐到SectionAlignment的整数倍的值
PE_Header.OptionalHeader.AddressOfEntryPoint = SECTION_Header.VirtualAddress
'现在的 AddressOfEntryPoint 是指向新节的第一条指令
SetFilePointer hFile, dwPE_Header_OffSet, 0, FILE_BEGIN
WriteFileLng hFile, ByVal VarPtr(PE_Header), Len(PE_Header), lngBytesRead, 0
MsgBox "加花成功,请检查!", vbInformation + vbOKOnly, "提示"
ErrHandle:
CloseHandle hFile
End Sub
Public Sub GotADrop(strFileName As String)
    ' Shows the supplied file name in the path text box.
    ' Presumably called by the drag-and-drop hook that Form_Load enables via
    ' EnableDragDrop - confirm against the module that defines it.
    ' The path is stored as received; nothing is checked here.
    With txtFilePath
        .Text = strFileName
    End With
End Sub

Private Sub ComboFakeCode_Click()
    ' Selection handler for the stub combo box.
    ' The combo's ListIndex is used directly as the index of the XML node
    ' under /junkCode/HexCode, so list order and node order must match.
    Dim selectedIndex As Long

    selectedIndex = ComboFakeCode.ListIndex
    Debug.Print selectedIndex

    ' strFakeCode receives the hex string stored in the selected node.
    ' It is taken from config.xml as-is; no check that it is valid hex is made here.
    strFakeCode = xmlReadWrite.GetChildValue("/junkCode/HexCode", selectedIndex)
End Sub

Private Sub ComboFakeCode_KeyPress(KeyAscii As Integer)
    ' Discard every typed character by zeroing the key code, so the combo
    ' text cannot be edited from the keyboard.
    KeyAscii = 0
End Sub

Private Sub Form_Load()
    ' Form start-up: make sure config.xml exists next to the executable,
    ' open it, then fill the UI controls from its contents.
    Dim idx As Long
    Dim cfgPath As String

    cfgPath = App.Path & "\config.xml"

    ' No config file yet: write the built-in defaults before opening it.
    If Dir(cfgPath) = "" Then
        Call InitializexmlData
    End If

    If Not (xmlReadWrite.OpenXML(cfgPath)) Then
        MsgBox "读取配置文件错误", vbInformation, "提示"
        ' NOTE(review): leaving here skips EnableDragDrop below, while
        ' Form_Unload calls DisableDragDrop unconditionally.
        Exit Sub
    End If

    ' One combo entry per node under /junkCode/HexCode, labelled with the
    ' node's "name" attribute.
    ComboFakeCode.Clear
    For idx = 0 To xmlReadWrite.NodeCount("/junkCode/HexCode") - 1
        ComboFakeCode.AddItem (xmlReadWrite.GetChildAttribute("/junkCode/HexCode", "name", idx))
    Next idx
    ComboFakeCode.Text = ComboFakeCode.List(0)
    strFakeCode = xmlReadWrite.GetChildValue("/junkCode/HexCode", 0)

    ' Remaining settings are copied from config.xml into the controls.
    ' Val() turns missing or non-numeric text into 0; no range check is applied
    ' before the result is assigned to a control.
    txtSectionName.Text = xmlReadWrite.ReadNode("/junkCode/SectionName")
    txtSectionSize.Text = Val(xmlReadWrite.ReadNode("/junkCode/SectionSize"))
    chkIsDebuggerPresent.Value = Val(xmlReadWrite.ReadNode("/junkCode/AddIsDebuggerPresent"))
    chkModifySectionName.Value = Val(xmlReadWrite.ReadNode("/junkCode/EditSectionName"))
    chkBakFile.Value = Val(xmlReadWrite.ReadNode("/junkCode/BackFile"))
    chkTopMost.Value = Val(xmlReadWrite.ReadNode("/junkCode/TopMost"))

    ' Debug
    EnableDragDrop Me.hwnd
End Sub

Private Sub Form_Unload(Cancel As Integer)
    ' Debug
    ' Undo the EnableDragDrop call made in Form_Load for this window handle.
    Call DisableDragDrop(Me.hwnd)
End Sub
Private Sub LoadxmlSetting()
    ' Opens config.xml and reads the SectionName node, or writes a default
    ' config.xml when none exists.
    ' NOTE(review): the value read is kept only in a local and never applied,
    ' and the combo box is cleared without being refilled - this routine
    ' looks unfinished.
    Dim i As Long
    Dim sectionName As String
    Dim cfgPath As String

    cfgPath = App.Path & "\config.xml"

    ' Missing file: create the defaults and stop.
    If Dir(cfgPath) = "" Then
        Call InitializexmlData
        Exit Sub
    End If

    If Not (xmlReadWrite.OpenXML(cfgPath)) Then
        MsgBox "读取配置文件错误", vbInformation, "提示"
        Exit Sub
    End If

    ComboFakeCode.Clear
    sectionName = xmlReadWrite.ReadNode("/junkCode/SectionName")
End Sub
Private Sub LoadxmlHexCode()
    ' Refills the stub combo box from the nodes under /junkCode/HexCode in
    ' config.xml, or writes a default config.xml when none exists.
    Dim nodeIdx As Long
    Dim strTemp As String
    Dim cfgPath As String

    cfgPath = App.Path & "\config.xml"

    ' Missing file: create the defaults and stop.
    If Dir(cfgPath) = "" Then
        Call InitializexmlData
        Exit Sub
    End If

    If Not (xmlReadWrite.OpenXML(cfgPath)) Then
        ' NOTE(review): unlike Form_Load and LoadxmlSetting there is no Exit Sub
        ' here, so the code below still runs after a failed open.
        MsgBox "读取配置文件错误", vbInformation, "提示"
    End If

    ComboFakeCode.Clear
    For nodeIdx = 0 To xmlReadWrite.NodeCount("/junkCode/HexCode") - 1
        ComboFakeCode.AddItem (xmlReadWrite.GetChildAttribute("/junkCode/HexCode", "name", nodeIdx))
    Next nodeIdx
End Sub
Private Sub InitializexmlData()
    ' Writes the default config.xml next to the executable, replacing any
    ' existing file (Open ... For Output truncates).
    '
    ' Contents, all emitted as children of <HexCode>:
    '   - default settings: section name ".kylin", section size 512, and the
    '     flags read back by Form_Load;
    '   - four <CodeValue> entries, each a hex byte string labelled with the
    '     name of a packer/protector signature.
    ' For analysts: the labels indicate these byte strings imitate the
    ' entry-point bytes that packer-identification signatures match on, so a
    ' packer-ID result for a file touched by this tool should not be trusted
    ' without checking the section table and entry point as well.
    Dim fh As Integer
    Dim cfgPath As String

    cfgPath = App.Path & "\config.xml"
    fh = FreeFile

    Open cfgPath For Output As fh
    Print #fh, "<?xml version=""1.0"" encoding=""GB2312""?>"
    Print #fh, "<!--注释简介-->"
    Print #fh, "<!--<CodeValue name=""这里添加指令名称如:花指令1"">这里填写花指令代码</CodeValue>-->"
    Print #fh, "<junkCode>"
    Print #fh, "    <HexCode>"
    Print #fh, "    <SectionName>.kylin</SectionName>"
    Print #fh, "    <SectionSize>512</SectionSize>"
    Print #fh, "    <AddIsDebuggerPresent>1</AddIsDebuggerPresent>"
    Print #fh, "    <EditSectionName>0</EditSectionName>"
    Print #fh, "    <BackFile>1</BackFile>"
    Print #fh, "    <TopMost>1</TopMost>"
    Print #fh, "        <CodeValue name=""EXECryptor 1.x.x -> SoftComplete Developement"">E8240000008B4C240CC70117000100C781B80000000000000031C089411489411880A1C1000000FEC3</CodeValue>"
    Print #fh, "        <CodeValue name=""ASPack 2.12 -> Alexey Solodovnikov"">60E803000000E9EB045D4555C3E801000000EB5DBBEDFFFFFF03DD81EB0040000061</CodeValue>"
    Print #fh, "        <CodeValue name="".BJFNT 1.3 -> :MARQUiS:"">EB033A4D3A1EEB02CD209CEB02CD20EB02CD2060619D1F</CodeValue>"
    Print #fh, "        <CodeValue name=""EXE Shield v0.1b - v0.3b, v0.3 -> SMoKE *"">E8040000008360EB0C5DEB050000000000</CodeValue>"
    Print #fh, "    </HexCode>"
    Print #fh, "</junkCode>"
    Close fh
    'Call LoadxmlHexCode
End Sub
