📄 rebit.c
字号:
}
}
pDW++;
}
IID2->TimeDateStamp = 0;
IID2->ForwarderChain = 0;
IID2++;
} while(IID2->FirstThunk != 0);
}
DWORD SearchForFirstThunk(void)
{
DWORD *pDW;
BOOL Found;
DWORD i,ii,iii;
DWORD SearchAddress;
DWORD dwMaxSearchBase;
DWORD dwFirstThunkBlock;
dwMaxSearchBase = dwMemBase + MemSize-5;
// search in the whole file for "AnyAPIAddress" it should be found in an FirstThunk
// search thunk block for each dll and return a pointer to the topmost (first) Thunk block
dwFirstThunkBlock = 0xFFFFFFFF;
for(i=0; i<DllNum; i++) {
for(ii=0; ii<(DWORD)FunctNum[i]; ii++) {
SearchAddress = Functaddresses[i][ii];
if(SearchAddress == 0) {
continue;
}
pDW = (DWORD*)dwMemBase;
while((DWORD)pDW < dwMaxSearchBase) {
if(*pDW == SearchAddress) {
goto SEARCHDONE;
}
pDW++;
}
}
continue;
SEARCHDONE:
// now we go up until the found dword is not 0 and GetaddressOrdinal returns -1
while((DWORD)pDW > dwMemBase) {
pDW--;
if(*pDW == 0) {
continue;
}
Found = FALSE;
for(iii=0; iii<DllNum; iii++) { // test the found Address with all dll names
if(GetAddressOrdinal(Dllnames[iii],*pDW) != 0xFFFFFFFF) {
Found = TRUE;
break;
}
}
if(!Found) {
break;
}
}
pDW++;
// now search again until non-Zero
do {
pDW++;
} while(*pDW == 0);
if((DWORD)pDW < dwFirstThunkBlock) {
dwFirstThunkBlock = (DWORD)pDW;
}
}
dwFirstThunkBlock -= ((dwFirstThunkBlock == 0xFFFFFFFF) ? 0 : dwMemBase);
return(dwFirstThunkBlock);
//if(dwFirstThunkBlock == 0xFFFFFFFF) {
//return(dwFirstThunkBlock);
//}
//else {
//return(dwFirstThunkBlock - dwMemBase);
//}
}
void MakeIID(DWORD FirstThunkAddr)
{
PIMAGE_IMPORT_DESCRIPTOR pIID;
PIMAGE_SECTION_HEADER pSectionh, pNewSectionh;
PIMAGE_SECTION_HEADER pItSech;
DWORD i,ii,iii;
DWORD *pDW;
DWORD dwTmpNum;
DWORD dwSearchEnd;
BOOL bFoundNextThunks;
bFoundNextThunks = TRUE;
// make a new section
pSectionh = sectionh;
peh->OptionalHeader.FileAlignment = 0x200;
for(i=0; i<(DWORD)(peh->FileHeader.NumberOfSections); i++) {
pSectionh++;
}
peh->FileHeader.NumberOfSections++;
for(i=0; i<=7; i++) {
pSectionh->Name[i] = szNewSecName[i];
}
pNewSectionh = pSectionh;
pNewSectionh->Characteristics = 0xC0000040;
pNewSectionh->Misc.VirtualSize = 0x1000;
pSectionh--;
// set a valid RawOffset
dwTmpNum = pSectionh->SizeOfRawData + pSectionh->PointerToRawData;
if(dwTmpNum%0x200 != 0) {
dwTmpNum = ((dwTmpNum / 0x200) + 1) * 0x200;
}
pNewSectionh->PointerToRawData = dwTmpNum;
// set a valild VirtualAddress
dwTmpNum = pSectionh->VirtualAddress + pSectionh->Misc.VirtualSize;
if(dwTmpNum%0x1000 != 0) {
dwTmpNum = ((dwTmpNum/0x1000) + 1) * 0x1000;
}
pNewSectionh->VirtualAddress = dwTmpNum;
// set new section RawSize
pNewSectionh->SizeOfRawData = 0x200;
// correct the SizeOfImage
peh->OptionalHeader.SizeOfImage += 0x1000;
// write the new IID into the new section
peh->OptionalHeader.DataDirectory[1].VirtualAddress = pNewSectionh->VirtualAddress;
pIID = (PIMAGE_IMPORT_DESCRIPTOR)(dwMemBase + rva2offset(pNewSectionh->VirtualAddress));
pDW = (DWORD*)(dwMemBase + FirstThunkAddr);
// get the end of the current section
//pItSech = rva2section((DWORD)pDW - dwMemBase);
//dwSearchEnd = (DWORD)dwMemBase + pItSech->VirtualAddress + pItSech->Misc.VirtualSize;
do {
// loops until all found thunks were processed
pIID->OriginalFirstThunk = 0;
pIID->TimeDateStamp = 0;
pIID->ForwarderChain = 0;
// find the dll fitting to the current Thunk
for(i=0; i<=DllNum; i++) {
if(GetAddressOrdinal(Dllnames[i],*pDW) != 0xFFFFFFFF) {
break;
}
}
if(i > DllNum-1) { // we passed all dlls
break;
}
pIID->Name = offset2rva((DWORD)(Dllnames[i] - dwMemBase));
pIID->FirstThunk = offset2rva((DWORD)pDW - dwMemBase);
// go to the zero terminating end of the current thunk block
do {
pDW++;
} while(*pDW != 0);
do {
pDW++;
} while(*pDW == 0);
// // needed for older compilers
// // Search the start of the next thunk block
// bFoundNextThunks = FALSE;
// pDW += 3;
// do {
// pDW++;
// for(iii=0; iii<DllNum; iii++) {
// if(GetAddressOrdinal(Dllnames[iii],*pDW) != 0xFFFFFFFF) {
// bFoundNextThunks = TRUE;
// }
// }
// } while(bFoundNextThunks != FALSE || (DWORD)pDW == dwSearchEnd);
//
pIID++;
} while(bFoundNextThunks != FALSE);
// write the terminating IID
pIID->OriginalFirstThunk = 0;
pIID->TimeDateStamp = 0;
pIID->ForwarderChain = 0;
pIID->Name = 0;
pIID->FirstThunk = 0;
}
// needed for win2K
// returns:
// TRUE - SizeOfHeaders changed
// FALSE - ... doesn't change
BOOL FixSizeOfHeaders(BYTE *pMemBase)
{
PIMAGE_NT_HEADERS pPeh;
PIMAGE_DOS_HEADER pDosh;
PIMAGE_SECTION_HEADER pSech;
BYTE i;
DWORD dwMinRO;
BOOL result;
__try {
pDosh = (PIMAGE_DOS_HEADER)pMemBase;
pPeh = (PIMAGE_NT_HEADERS)((DWORD)pDosh + pDosh->e_lfanew);
pSech = (PIMAGE_SECTION_HEADER)((DWORD)pPeh + 0xF8);
dwMinRO = 0xFFFFFFFF;
//find the smallest RawOffset
for(i=0; i<pPeh->FileHeader.NumberOfSections; i++) {
if(pSech->PointerToRawData < dwMinRO) {
dwMinRO = pSech->PointerToRawData;
}
pSech++;
}
// update the header
pPeh->OptionalHeader.SizeOfHeaders = dwMinRO;
// return stuff
if(pPeh->OptionalHeader.SizeOfHeaders != dwMinRO) {
result = TRUE;
}
else {
result = FALSE;
}
}
__except(1) {
return(FALSE);
}
return(result);
}
BYTE RebuildIT(BYTE *pMem, DWORD dwMemSize, BYTE byRebuildType)
{
int i;
DWORD dwNewFirstThunk;
//DWORD dwRebTime;
BYTE result;
result = 0;
if(byRebuildType > 1) {
return(result);
}
// save the ram infos
pMemBase = pMem;
dwMemBase = (DWORD)pMem;
MemSize = dwMemSize;
// access the pe header and check whether it's PE
dosh = (PIMAGE_DOS_HEADER)pMem;
if(dosh->e_magic != IMAGE_DOS_SIGNATURE) {
return(result);
}
peh = (PIMAGE_NT_HEADERS)((DWORD)dosh + (DWORD)(dosh->e_lfanew));
if(peh->Signature != IMAGE_NT_SIGNATURE) {
return(result);
}
//sectionh = (PIMAGE_SECTION_HEADER)((DWORD)peh + 0xF8);
sectionh = (PIMAGE_SECTION_HEADER)peh;
((PIMAGE_NT_HEADERS)sectionh)++;
pDir = (PIMAGE_DATA_DIRECTORY)(dosh->e_lfanew + (DWORD)dosh + 0x80);
FixSizeOfHeaders(pMem);
// START
// dwRebTime = GetTickCount;
switch(byRebuildType) {
case 0: // REBUILD IMPORT TABLE
GetDllNames();
peh->OptionalHeader.DataDirectory[1].VirtualAddress = FindOldIT(pMemBase,MemSize,peh->OptionalHeader.DataDirectory[1].VirtualAddress);
GetFunctNamesFast();
FixIAT(rva2offset(pDir->VirtualAddress) + (DWORD)pMemBase);
break;
case 1: // REBUILD NEW IMPORT TABLE
GetDllNames();
GetFunctNamesFast();
dwNewFirstThunk = SearchForFirstThunk();
if(dwNewFirstThunk == 0xFFFFFFFF) {
return(result);
}
MakeIID(dwNewFirstThunk);
FixIAT(rva2offset(pDir->VirtualAddress) + (DWORD)pMemBase);
break;
}
result = 1;
return(result);
}
BYTE RebuildITDeluxe(char *szTargetFile, BYTE byRebuildType)
{
const DWORD AlignBreaker = 0x1200;
DWORD dwFsize,dwNewSize,i;
PIMAGE_DOS_HEADER dosh;
PIMAGE_NT_HEADERS peh;
PIMAGE_SECTION_HEADER sectionh;
HANDLE hFile;
BYTE *pFileMem;
DWORD dwBuff;
BYTE result;
result = 0;
// map the file
hFile = CreateFile(szTargetFile,GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
if(hFile == INVALID_HANDLE_VALUE) {
return(result);
}
dwFsize = GetFileSize(hFile,0);
pFileMem = (BYTE*)GlobalAlloc(GMEM_FIXED|GMEM_ZEROINIT,dwFsize + AlignBreaker);
if(pFileMem == NULL) {
CloseHandle(hFile);
return(result);
}
ReadFile(hFile,pFileMem,dwFsize,&dwBuff,0);
if(dwBuff == 0) {
GlobalFree(pFileMem);
CloseHandle(hFile);
return(result);
}
// check the PE Signature
dosh = (PIMAGE_DOS_HEADER)pFileMem;
if(dosh->e_magic != IMAGE_DOS_SIGNATURE) {
return(result);
}
peh = (PIMAGE_NT_HEADERS)((DWORD)dosh + (DWORD)(dosh->e_lfanew));
if(peh->Signature != IMAGE_NT_SIGNATURE) {
return(result);
}
sectionh = (PIMAGE_SECTION_HEADER)((DWORD)peh + 0xF8);
if(byRebuildType == 1) {
// find out the real new filesize (support for aligned files !)
dwNewSize = 0;
for(i=0; i<(DWORD)(peh->FileHeader.NumberOfSections); i++) {
if(sectionh->SizeOfRawData + sectionh->PointerToRawData > dwNewSize) {
dwNewSize = sectionh->SizeOfRawData + sectionh->PointerToRawData;
}
sectionh++;
}
// align the last section and add 0x200
if((dwNewSize%0x200) != 0) {
dwNewSize = ((dwNewSize/0x200) + 1) * 0x200;
}
dwFsize = dwNewSize + 0x200;
}
// rebuild it
result = RebuildIT(pFileMem,dwFsize + AlignBreaker,byRebuildType);
// write the file back
SetFilePointer(hFile,0,NULL,FILE_BEGIN);
WriteFile(hFile,pFileMem,dwFsize,&dwBuff,0);
if(dwBuff == 0) {
result = 0;
}
// clean up
GlobalFree(pFileMem);
CloseHandle(hFile);
return(result);
}
// // return values:
// // 0- an error occurred
// // 1- Import Table rebuilded successfully
// // byRebuildType:
// // 0 - rebuild Import Table
// // 1 - rebuild New Import Table
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -