导入表注入:在游戏 EXE 的 DLL 依赖树上选一个结点(EXE 本身或它依赖的某个 DLL),向该文件的导入表中新增一项指向自己的 DLL。这样在程序真正运行前,加载器解析导入表时就会先把该 DLL 加载进来(加载完成后也可以把导入表改回原样)。本文的示例直接修改 EXE 本身。
 优点:游戏依赖库多、客户端版本各异,对每个文件逐一做完整性校验成本高,改动某个依赖 DLL 更容易躲过检测
 缺点:需要在磁盘上改写 PE 文件,文件操作明显,易被 Process Monitor 之类的工具观察到;被改写文件的哈希和数字签名也随之失效,任何对该文件做完整性/签名校验的机制都能发现

//BeModeImportTableExe.exe
// Minimal injection target: a never-ending busy loop that keeps the process
// alive so the DLL the loader pulled in via the patched import table can be
// observed. `void main` and `__asm` are MSVC-specific, as in the original.
void main(void)
{
    int counter = 0;
    for (;;) {
        // MSVC inline assembly: load the counter into eax and bump it.
        // Nothing is stored back; this only burns CPU time.
        __asm {
            mov eax, counter
            inc eax
        }
    }
}
//修改导入表的exe
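#include <Windows.h>

// Round dwTarNum up to the next multiple of dwAlignTo (used with the PE
// FileAlignment / SectionAlignment values). A value that is already aligned
// is returned unchanged.
//
// dwAlignTo == 0 would have divided by zero in the original; it is treated as
// "no alignment" and dwTarNum is returned as-is. The rounding avoids the
// intermediate dwTarNum + dwAlignTo - 1, which could wrap near the top of the
// DWORD range; a result that itself does not fit in a DWORD still wraps.
DWORD PEAlign(DWORD dwTarNum, DWORD dwAlignTo)
{
    if (dwAlignTo == 0) {
        return dwTarNum;
    }
    DWORD dwRemainder = dwTarNum % dwAlignTo;
    if (dwRemainder == 0) {
        return dwTarNum;
    }
    return dwTarNum + (dwAlignTo - dwRemainder);
}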
// Step 1: append a new section ("WINSUN") to the target PE. The import table
// is later rebuilt inside that section (see AddNewImportDescriptor below).
//
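// Append a zero-filled section named "WINSUN" of dwNewSectionSize bytes
// (rounded up to FileAlignment on disk and SectionAlignment in memory) to the
// PE32 file at lpStrModulePath: a new section header is written after the
// existing table, NumberOfSections and SizeOfImage are updated, and the body
// is appended at the end of the file. The bound-import directory is cleared
// because the import table is about to be rebuilt.
//
// Returns TRUE on success and FALSE on any failure (the original returned
// TRUE unconditionally, so callers could not tell). Diagnostics go to
// OutputDebugString; the WriteFile failure MessageBox is kept from the
// original.
//
// Caveats for callers:
//  - the file is rewritten in place; take a copy first (see BackupPE). Any
//    Authenticode signature and the optional-header CheckSum become stale.
//  - only PE32 images are accepted: the header layout and RVA arithmetic used
//    here are 32-bit (enforced at compile time by the C_ASSERT below).
//  - the new header must fit between the existing section table and the first
//    byte of section data; images with tightly packed headers are rejected
//    rather than corrupted.
BOOL AddNewSection(LPCTSTR lpStrModulePath, DWORD dwNewSectionSize)
{
    C_ASSERT(sizeof(IMAGE_NT_HEADERS) == sizeof(IMAGE_NT_HEADERS32));

    BOOL   bSuccess     = FALSE;
    HANDLE hFile        = INVALID_HANDLE_VALUE;
    HANDLE hFileMapping = NULL;
    LPVOID lpMemModule  = NULL;
    PBYTE  pbAppend     = NULL;   // padding + zero-filled body written after the old EOF

    OutputDebugString("[!] AddNewSection Enter!\n");
    // TODO (carried over from the original): Windows File Protection or an AV
    // filter may refuse the write on a protected binary; that is not handled.

    if (dwNewSectionSize == 0) {
        OutputDebugString("[-] AddNewSection section size must be > 0!\n");
        return FALSE;
    }

    __try {
        hFile = CreateFile(lpStrModulePath, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (INVALID_HANDLE_VALUE == hFile) {
            OutputDebugString("[-] AddNewSection CreateFile fail!\n");
            __leave;
        }

        DWORD dwFileSize = GetFileSize(hFile, NULL);
        if (INVALID_FILE_SIZE == dwFileSize || dwFileSize < sizeof(IMAGE_NT_HEADERS)) {
            OutputDebugString("[-] AddNewSection GetFileSize fail!\n");
            __leave;
        }

        // Anonymous mapping. The original used the fixed name
        // "WINSUN_MAPPING_FILE"; CreateFileMapping then hands back any existing
        // object of that name instead of a mapping of this file.
        hFileMapping = CreateFileMapping(hFile, NULL, PAGE_READWRITE, 0, dwFileSize, NULL);
        if (NULL == hFileMapping) {
            OutputDebugString("[-] AddNewSection CreateFileMapping fail!\n");
            __leave;
        }
        lpMemModule = MapViewOfFile(hFileMapping, FILE_MAP_ALL_ACCESS, 0, 0, dwFileSize);
        if (NULL == lpMemModule) {
            OutputDebugString("[-] AddNewSection MapViewOfFile fail!\n");
            __leave;
        }
        LPBYTE lpData = (LPBYTE)lpMemModule;

        // --- header validation: every offset below comes from the file, so bound-check it ---
        PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)lpData;
        if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
            OutputDebugString("[-] AddNewSection PE Header MZ error!\n");
            __leave;
        }
        if (pDosHeader->e_lfanew < 0 ||
            (DWORD)pDosHeader->e_lfanew > dwFileSize - sizeof(IMAGE_NT_HEADERS)) {
            OutputDebugString("[-] AddNewSection e_lfanew outside file!\n");
            __leave;
        }
        PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)(lpData + pDosHeader->e_lfanew);
        if (pNtHeader->Signature != IMAGE_NT_SIGNATURE) {
            OutputDebugString("[-] AddNewSection PE Header PE error!\n");
            __leave;
        }
        if (pNtHeader->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
            OutputDebugString("[-] AddNewSection not a PE32 image!\n");
            __leave;
        }
        WORD wSections = pNtHeader->FileHeader.NumberOfSections;
        if (wSections == 0) {
            OutputDebugString("[-] AddNewSection image has no sections!\n");
            __leave;
        }
        DWORD dwFileAlign = pNtHeader->OptionalHeader.FileAlignment;
        DWORD dwSectAlign = pNtHeader->OptionalHeader.SectionAlignment;
        if (dwFileAlign == 0 || dwSectAlign == 0) {
            OutputDebugString("[-] AddNewSection zero alignment!\n");
            __leave;
        }

        // --- is there room for one more section header? ---
        // IMAGE_FIRST_SECTION honours SizeOfOptionalHeader instead of assuming
        // sizeof(IMAGE_OPTIONAL_HEADER) the way (pNtHeader + 1) does.
        PIMAGE_SECTION_HEADER pFirstSection = IMAGE_FIRST_SECTION(pNtHeader);
        PIMAGE_SECTION_HEADER pNewSection   = pFirstSection + wSections;
        PIMAGE_SECTION_HEADER pLastSection  = pNewSection - 1;
        DWORD dwTableEnd = (DWORD)((LPBYTE)(pNewSection + 1) - lpData);
        // The new header must end before SizeOfHeaders *and* before the first
        // byte of section data. The original compared only the bare table size
        // with SizeOfHeaders, ignoring the DOS stub and NT headers in front of it.
        DWORD dwHeaderLimit = pNtHeader->OptionalHeader.SizeOfHeaders;
        for (WORD w = 0; w < wSections; ++w) {
            if (pFirstSection[w].SizeOfRawData != 0 &&
                pFirstSection[w].PointerToRawData < dwHeaderLimit) {
                dwHeaderLimit = pFirstSection[w].PointerToRawData;
            }
        }
        if (dwTableEnd > dwHeaderLimit || dwTableEnd > dwFileSize) {
            OutputDebugString("[-] AddNewSection cannot add a new section!\n");
            __leave;
        }

        // --- geometry of the new section ---
        DWORD dwRawSize  = PEAlign(dwNewSectionSize, dwFileAlign);
        DWORD dwVirtSize = PEAlign(dwNewSectionSize, dwSectAlign);
        DWORD dwVirtAddr = PEAlign(pLastSection->VirtualAddress + pLastSection->Misc.VirtualSize, dwSectAlign);
        // The body is appended at the physical end of the file, so its raw
        // pointer is the aligned *file size*, not the last section's raw end:
        // the two differ when the file carries an overlay (e.g. an Authenticode
        // signature), and the original's header then pointed at the wrong bytes.
        DWORD dwRawOffset = PEAlign(dwFileSize, dwFileAlign);
        DWORD dwPadBytes  = dwRawOffset - dwFileSize;
        if (dwRawSize == 0 || dwVirtSize == 0 ||
            dwVirtAddr < pLastSection->VirtualAddress ||
            dwRawOffset < dwFileSize) {
            OutputDebugString("[-] AddNewSection size overflow!\n");
            __leave;
        }

        // --- fill in the header (the spare slot is not guaranteed to be zero) ---
        ZeroMemory(pNewSection, sizeof(*pNewSection));
        memcpy(pNewSection->Name, "WINSUN", sizeof("WINSUN") - 1);   // 8-byte field, NUL-padded
        pNewSection->VirtualAddress   = dwVirtAddr;
        pNewSection->Misc.VirtualSize = dwVirtSize;
        pNewSection->PointerToRawData = dwRawOffset;
        pNewSection->SizeOfRawData    = dwRawSize;
        // Readable and writable: the IAT the loader fills in will live here.
        // Marked as initialized data as an ordinary data section would be.
        pNewSection->Characteristics  = IMAGE_SCN_CNT_INITIALIZED_DATA |
                                        IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE;

        pNtHeader->FileHeader.NumberOfSections = wSections + 1;
        pNtHeader->OptionalHeader.SizeOfImage  = dwVirtAddr + dwVirtSize;
        // Binding caches resolved import addresses for an unchanged import
        // table; the table is about to move, so drop the bound-import data.
        pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = 0;
        pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = 0;

        // --- append alignment padding plus the zero-filled body ---
        DWORD dwAppend = dwPadBytes + dwRawSize;
        pbAppend = (PBYTE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwAppend);
        if (pbAppend == NULL) {
            OutputDebugString("[-] AddNewSection HeapAlloc fail!\n");
            __leave;
        }
        DWORD dwWritten = 0;
        if (SetFilePointer(hFile, 0, NULL, FILE_END) == INVALID_SET_FILE_POINTER ||
            !WriteFile(hFile, pbAppend, dwAppend, &dwWritten, NULL) ||
            dwWritten != dwAppend) {
            MessageBox(NULL, "新增节失败", "error", MB_OK);
            __leave;
        }
        bSuccess = TRUE;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        // A truncated or hostile header can make any dereference above fault.
        OutputDebugString("[-] AddNewSection Exception!\n");
        bSuccess = FALSE;
    }

    // Cleanup on every path. The original leaked the new[] buffer, closed
    // INVALID_HANDLE_VALUE when CreateFile had failed, and skipped cleanup
    // entirely in the exception handler.
    if (lpMemModule != NULL) {
        FlushViewOfFile(lpMemModule, 0);   // make the header edits durable before closing
        UnmapViewOfFile(lpMemModule);
    }
    if (hFileMapping != NULL) {
        CloseHandle(hFileMapping);
    }
    if (hFile != INVALID_HANDLE_VALUE) {
        CloseHandle(hFile);
    }
    if (pbAppend != NULL) {
        HeapFree(GetProcessHeap(), 0, pbAppend);
    }
    if (bSuccess) {
        OutputDebugString("[!] AddNewSection Exit!\n");
    }
    return bSuccess;
}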
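// Return the section header whose raw data covers dwRVA, or NULL if none does.
// A section covers the half-open range
// [VirtualAddress, VirtualAddress + SizeOfRawData): the original tested with
// "<=", so an RVA exactly at a section's end was attributed to that section
// instead of the next one. SizeOfRawData (not VirtualSize) is used on purpose
// because callers map the result to a file offset; an RVA in the
// uninitialized tail of a section has no bytes on disk.
//
// The section table is located with IMAGE_FIRST_SECTION, which honours
// SizeOfOptionalHeader rather than assuming sizeof(IMAGE_OPTIONAL_HEADER).
PIMAGE_SECTION_HEADER ImageRVA2Section(PIMAGE_NT_HEADERS pImgNTHeader, DWORD dwRVA)
{
    if (pImgNTHeader == NULL) {
        return NULL;
    }
    PIMAGE_SECTION_HEADER pSection = IMAGE_FIRST_SECTION(pImgNTHeader);
    WORD wCount = pImgNTHeader->FileHeader.NumberOfSections;
    for (WORD w = 0; w < wCount; ++w, ++pSection) {
        DWORD dwStart = pSection->VirtualAddress;
        DWORD dwEnd   = dwStart + pSection->SizeOfRawData;
        if (dwEnd < dwStart) {
            continue;   // wrapped: corrupt header, never a match
        }
        if (dwRVA >= dwStart && dwRVA < dwEnd) {
            return pSection;
        }
    }
    return NULL;
}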
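// Translate an RVA to a file offset through the section table.
// Returns 0 when no section's raw data covers dwRVA. Callers must treat 0 as
// "not found" rather than as an offset (0 is also where the DOS header lives).
DWORD RVA2Offset(PIMAGE_NT_HEADERS pImgNTHeader, DWORD dwRVA)
{
    PIMAGE_SECTION_HEADER pSection = ImageRVA2Section(pImgNTHeader, dwRVA);
    if (pSection == NULL) {
        return 0;
    }
    return pSection->PointerToRawData + (dwRVA - pSection->VirtualAddress);
}

// Rebuild the import directory inside the last section (the "WINSUN" section
// that AddNewSection appended) so that it holds every existing descriptor plus
// one for szInjectDllName!szImportFuncName, then repoint the import data
// directory at it. The file is rewritten in place through a file mapping.
//
// Layout written at the start of the WINSUN section:
//   [existing descriptors][new descriptor][zero descriptor]
//   [INT: thunk, 0][IAT: thunk, 0] "<dll>\0" (pad to even) {Hint, "<func>\0"}
//
// Returns TRUE only when the table was written; FALSE (with an
// OutputDebugString message) on any validation or I/O failure. The original
// returned TRUE unconditionally. PE32 images only. Refuses to run twice on the
// same file (the import table would already live in WINSUN) and refuses a
// WINSUN section that is too small for the rebuilt table — the original wrote
// past the end of the 256-byte section for any target with more than a few
// imports.
BOOL AddNewImportDescriptor(const char *szPEFilePath, const char *szInjectDllName, const char *szImportFuncName)
{
    C_ASSERT(sizeof(IMAGE_NT_HEADERS) == sizeof(IMAGE_NT_HEADERS32));

    BOOL   bSuccess     = FALSE;
    HANDLE hFile        = INVALID_HANDLE_VALUE;
    HANDLE hFileMapping = NULL;
    LPVOID lpMemModule  = NULL;

    if (szPEFilePath == NULL || szInjectDllName == NULL || szImportFuncName == NULL ||
        szInjectDllName[0] == '\0' || szImportFuncName[0] == '\0') {
        OutputDebugString("[-] AddNewImportDescriptor bad argument!\n");
        return FALSE;
    }
    size_t cchDll  = strlen(szInjectDllName) + 1;    // including the NUL
    size_t cchFunc = strlen(szImportFuncName) + 1;

    __try {
        hFile = CreateFile(szPEFilePath, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (INVALID_HANDLE_VALUE == hFile) {
            OutputDebugString("[-] AddNewImportDescriptor CreateFile fail!\n");
            __leave;
        }
        DWORD dwFileSize = GetFileSize(hFile, NULL);
        if (INVALID_FILE_SIZE == dwFileSize || dwFileSize < sizeof(IMAGE_NT_HEADERS)) {
            OutputDebugString("[-] AddNewImportDescriptor GetFileSize fail!\n");
            __leave;
        }
        // Anonymous mapping: a fixed name ("WINSUN_MAPPING_FILE" in the
        // original) would return an existing object of that name instead of
        // a mapping of this file.
        hFileMapping = CreateFileMapping(hFile, NULL, PAGE_READWRITE, 0, dwFileSize, NULL);
        if (NULL == hFileMapping) {
            OutputDebugString("[-] AddNewImportDescriptor CreateFileMapping fail!\n");
            __leave;
        }
        lpMemModule = MapViewOfFile(hFileMapping, FILE_MAP_ALL_ACCESS, 0, 0, dwFileSize);
        if (NULL == lpMemModule) {
            OutputDebugString("[-] AddNewImportDescriptor MapViewOfFile fail!\n");
            __leave;
        }
        LPBYTE lpData = (LPBYTE)lpMemModule;

        // --- headers (all offsets are file-controlled: bound-check them) ---
        PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)lpData;
        if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
            OutputDebugString("[-] AddNewImportDescriptor PE Header MZ error!\n");
            __leave;
        }
        if (pDosHeader->e_lfanew < 0 ||
            (DWORD)pDosHeader->e_lfanew > dwFileSize - sizeof(IMAGE_NT_HEADERS)) {
            OutputDebugString("[-] AddNewImportDescriptor e_lfanew outside file!\n");
            __leave;
        }
        PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)(lpData + pDosHeader->e_lfanew);
        if (pNtHeader->Signature != IMAGE_NT_SIGNATURE) {
            OutputDebugString("[-] AddNewImportDescriptor PE Header PE error!\n");
            __leave;
        }
        if (pNtHeader->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
            OutputDebugString("[-] AddNewImportDescriptor not a PE32 image!\n");
            __leave;
        }
        if (pNtHeader->FileHeader.NumberOfSections == 0) {
            OutputDebugString("[-] AddNewImportDescriptor image has no sections!\n");
            __leave;
        }

        // --- destination: the last section, which AddNewSection named "WINSUN" ---
        PIMAGE_SECTION_HEADER pDstSection =
            IMAGE_FIRST_SECTION(pNtHeader) + (pNtHeader->FileHeader.NumberOfSections - 1);
        if (memcmp(pDstSection->Name, "WINSUN\0\0", IMAGE_SIZEOF_SHORT_NAME) != 0) {
            // Writing into an arbitrary last section would destroy real data.
            OutputDebugString("[-] AddNewImportDescriptor last section is not WINSUN (run AddNewSection first)!\n");
            __leave;
        }
        DWORD dwDstRaw  = pDstSection->PointerToRawData;
        DWORD dwDstSize = pDstSection->SizeOfRawData;
        DWORD dwDstRva  = pDstSection->VirtualAddress;
        if (dwDstRaw >= dwFileSize || dwDstSize > dwFileSize - dwDstRaw) {
            OutputDebugString("[-] AddNewImportDescriptor section raw data outside file!\n");
            __leave;
        }
        LPBYTE pbDst = lpData + dwDstRaw;

        // --- existing import descriptors ---
        PIMAGE_DATA_DIRECTORY pImportDir =
            &pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
        PIMAGE_IMPORT_DESCRIPTOR pOldTable = NULL;
        DWORD dwOldCount = 0;
        if (pImportDir->VirtualAddress != 0) {
            DWORD dwOldOffset = RVA2Offset(pNtHeader, pImportDir->VirtualAddress);
            if (dwOldOffset == 0 || dwOldOffset >= dwFileSize) {
                OutputDebugString("[-] AddNewImportDescriptor import table not inside any section!\n");
                __leave;
            }
            if (dwOldOffset >= dwDstRaw && dwOldOffset < dwDstRaw + dwDstSize) {
                // The table already lives in WINSUN: this file was patched
                // before, and rebuilding over our own source bytes would
                // destroy it.
                OutputDebugString("[-] AddNewImportDescriptor import table already in WINSUN!\n");
                __leave;
            }
            pOldTable = (PIMAGE_IMPORT_DESCRIPTOR)(lpData + dwOldOffset);
            // The table ends at the first descriptor with a zero Name or
            // FirstThunk; never scan beyond the mapped view.
            while ((dwFileSize - dwOldOffset) >= (dwOldCount + 1) * sizeof(IMAGE_IMPORT_DESCRIPTOR) &&
                   pOldTable[dwOldCount].Name != 0 && pOldTable[dwOldCount].FirstThunk != 0) {
                ++dwOldCount;
            }
        }

        // --- size check before touching the section ---
        DWORD dwNeeded = (dwOldCount + 2) * sizeof(IMAGE_IMPORT_DESCRIPTOR)   // old + new + terminator
                       + 4 * sizeof(IMAGE_THUNK_DATA)                         // INT + IAT, each terminated
                       + (DWORD)cchDll + 1                                    // dll name + alignment pad
                       + sizeof(WORD) + (DWORD)cchFunc;                       // IMAGE_IMPORT_BY_NAME
        if (dwNeeded > dwDstSize) {
            OutputDebugString("[-] AddNewImportDescriptor WINSUN section too small!\n");
            __leave;
        }

        // --- write ---
        ZeroMemory(pbDst, dwDstSize);
        LPBYTE pbCursor = pbDst;

        PIMAGE_IMPORT_DESCRIPTOR pNewTable = (PIMAGE_IMPORT_DESCRIPTOR)pbCursor;
        if (dwOldCount != 0) {
            memcpy(pNewTable, pOldTable, dwOldCount * sizeof(IMAGE_IMPORT_DESCRIPTOR));
        }
        PIMAGE_IMPORT_DESCRIPTOR pNewDesc = pNewTable + dwOldCount;
        pbCursor += (dwOldCount + 2) * sizeof(IMAGE_IMPORT_DESCRIPTOR);   // +1 new, +1 terminator

        // Separate INT and IAT. The original pointed both at one array, which
        // the loader overwrites when it patches the IAT; a separate INT keeps
        // the name reference intact, as a linker-produced table has it.
        PIMAGE_THUNK_DATA pINT = (PIMAGE_THUNK_DATA)pbCursor;
        pbCursor += 2 * sizeof(IMAGE_THUNK_DATA);
        PIMAGE_THUNK_DATA pIAT = (PIMAGE_THUNK_DATA)pbCursor;
        pbCursor += 2 * sizeof(IMAGE_THUNK_DATA);

        LPBYTE pbDllName = pbCursor;
        memcpy(pbDllName, szInjectDllName, cchDll);
        pbCursor += cchDll;
        if (((pbCursor - pbDst) & 1) != 0) {
            ++pbCursor;   // IMAGE_IMPORT_BY_NAME begins with a WORD; keep it 2-byte aligned
        }
        PIMAGE_IMPORT_BY_NAME pByName = (PIMAGE_IMPORT_BY_NAME)pbCursor;
        pByName->Hint = 0;   // no export-ordinal hint: the loader looks the name up
        memcpy(pByName->Name, szImportFuncName, cchFunc);

        // RVAs are offsets from the section start plus its VirtualAddress.
        DWORD dwByNameRva  = dwDstRva + (DWORD)((LPBYTE)pByName - pbDst);
        DWORD dwIntRva     = dwDstRva + (DWORD)((LPBYTE)pINT - pbDst);
        DWORD dwIatRva     = dwDstRva + (DWORD)((LPBYTE)pIAT - pbDst);
        DWORD dwDllNameRva = dwDstRva + (DWORD)(pbDllName - pbDst);

        pINT[0].u1.AddressOfData = dwByNameRva;   // high bit clear: import by name
        pIAT[0].u1.AddressOfData = dwByNameRva;   // replaced by the resolved address at load time
        // pINT[1] / pIAT[1] stay zero: thunk-array terminators.

        pNewDesc->OriginalFirstThunk = dwIntRva;
        pNewDesc->TimeDateStamp      = 0;   // 0 = not bound. The original copied the previous
        pNewDesc->ForwarderChain     = 0;   // descriptor here, inheriting its binding fields.
        pNewDesc->Name               = dwDllNameRva;
        pNewDesc->FirstThunk         = dwIatRva;
        // pNewDesc + 1 stays zero: descriptor-table terminator.

        // --- repoint the directory ---
        pImportDir->VirtualAddress = dwDstRva;
        pImportDir->Size           = (dwOldCount + 2) * sizeof(IMAGE_IMPORT_DESCRIPTOR);   // incl. terminator
        // The table moved, so bound-import data is stale (AddNewSection clears
        // it too; repeated here so this function is correct on its own). The
        // IAT directory is left alone: it still describes the original IAT,
        // which the copied descriptors keep using, and the new IAT sits in a
        // section AddNewSection marked writable.
        pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = 0;
        pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = 0;

        bSuccess = TRUE;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        OutputDebugString("[-] AddNewImportDescriptor  Exception!\n");
        bSuccess = FALSE;
    }

    // Cleanup on every path (the original leaked everything on the exception
    // path and closed INVALID_HANDLE_VALUE when CreateFile had failed).
    if (lpMemModule != NULL) {
        FlushViewOfFile(lpMemModule, 0);
        UnmapViewOfFile(lpMemModule);
    }
    if (hFileMapping != NULL) {
        CloseHandle(hFileMapping);
    }
    if (hFile != INVALID_HANDLE_VALUE) {
        CloseHandle(hFile);
    }
    return bSuccess;
}

// Entry point of the patch: append a "WINSUN" section to szPEFilePath and
// rebuild the import table inside it with an extra entry for
// szInjectDllName!szFuncName.
//
// Returns TRUE only when both steps succeeded; the original ignored the second
// step's result. The MessageBox on section failure is kept from the original.
// The two steps are not atomic: if the second fails, the file already carries
// the (unused) extra section and is not rolled back. Neither Win32 call throws
// C++ exceptions and both wrap their own work in SEH, so the original's
// try/catch(...) added nothing.
BOOL AddImportTable(const char *szPEFilePath, const char *szInjectDllName, const char *szFuncName)
{
    // Enough for a handful of descriptors plus the new entry's strings;
    // AddNewImportDescriptor rejects targets whose table does not fit.
    const DWORD dwNewSectionSize = 256;

    if (!AddNewSection(szPEFilePath, dwNewSectionSize)) {
        MessageBox(NULL, "add new section fail", "error", MB_OK);
        return FALSE;
    }
    return AddNewImportDescriptor(szPEFilePath, szInjectDllName, szFuncName);
}

// Copy the PE at pszPeFilePath to "<dir>\backup_<name>" next to it and hand
// the backup's path back through pszPeFilePath. pszPeFilePath must be a
// writable buffer of at least MAX_PATH bytes (the original's contract: it
// strncpy'd MAX_PATH bytes into it). On any failure the buffer is left as it
// was: no separator handling, path too long, or CopyFile error.
//
// Differences from the original: a path without a directory separator no
// longer dereferences NULL (the backup goes next to the file in the current
// directory); '/' is accepted as well as '\'; the output is length-checked
// instead of passing source lengths to strcpy_s/strcat_s as the destination
// size, which trips the CRT's invalid-parameter handler once szPath already
// holds the directory. CopyFile is still called with bFailIfExists == FALSE,
// so a second run overwrites the earlier backup; pass TRUE to keep the first.
void BackupPE(char *pszPeFilePath)
{
    if (pszPeFilePath == NULL) {
        return;
    }
    const char *pszSep   = strrchr(pszPeFilePath, '\\');
    const char *pszSlash = strrchr(pszPeFilePath, '/');
    if (pszSep == NULL || (pszSlash != NULL && pszSlash > pszSep)) {
        pszSep = pszSlash;
    }
    const char *pszName = pszPeFilePath;
    size_t cchDir = 0;   // directory prefix including its trailing separator
    if (pszSep != NULL) {
        cchDir  = (size_t)(pszSep - pszPeFilePath) + 1;
        pszName = pszSep + 1;
    }

    static const char szPrefix[] = "backup_";
    const size_t cchPrefix = sizeof(szPrefix) - 1;
    size_t cchName = strlen(pszName);
    size_t cchOut  = cchDir + cchPrefix + cchName + 1;   // with NUL
    if (cchOut > MAX_PATH) {
        OutputDebugString("[-] BackupPE backup path too long!\n");
        return;
    }

    CHAR szBackup[MAX_PATH];
    memcpy(szBackup, pszPeFilePath, cchDir);
    memcpy(szBackup + cchDir, szPrefix, cchPrefix);
    memcpy(szBackup + cchDir + cchPrefix, pszName, cchName + 1);

    if (!CopyFile(pszPeFilePath, szBackup, FALSE)) {
        OutputDebugString("[-] BackupPE CopyFile fail!\n");
        return;
    }
    memcpy(pszPeFilePath, szBackup, cchOut);
}

// Tool entry point: patch the test target so it imports WaiGua.dll!InjectFunc.
// Both names are relative to the current directory. Since `void main` cannot
// return a status, the result is reported through the process exit code
// (0 = patched, 1 = failed) so a script can check it. BackupPE is available
// but, as in the original, not invoked here: the target is modified in place.
void main(int argc, char **argv)
{
    (void)argc;
    (void)argv;
    BOOL bPatched = AddImportTable("BeModeImportTableExe.exe", "WaiGua.dll", "InjectFunc");
    ExitProcess(bPatched ? 0u : 1u);
}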
//WaiGua.dll
// dllmain.cpp : Defines the entry point for the DLL application.
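#include <Windows.h>

// Exported with C linkage so the name the injector writes into the target's
// IMAGE_IMPORT_BY_NAME ("InjectFunc") matches the undecorated export.
// The directives are on their own lines: as the listing was printed, `#endif`
// swallowed the declaration that followed it on the same line and
// `#endifvoid` is not a directive at all.
#ifdef __cplusplus
extern "C" {
#endif
__declspec(dllexport) void InjectFunc(void);
#ifdef __cplusplus
}
#endif

// The imported function. It only has to exist for the loader to resolve the
// injected import entry; nothing in the target ever calls it.
void InjectFunc(void)
{
    MessageBoxA(NULL, "Dll export Inject Success", "Dll Inject", MB_OKCANCEL);
}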
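// DLL entry point. Because the DLL is pulled in through the target's import
// table, DLL_PROCESS_ATTACH runs while the target process is still being
// initialised (before its main()), under the loader lock.
//
// The MessageBoxA is the demo's visible success signal and is kept, but the
// DllMain documentation warns against creating windows or calling into user32
// from DllMain; doing so under the loader lock can deadlock, and it is a
// plausible (unconfirmed) cause of the "injects fine, misbehaves at run time"
// note at the end of this page. A safer signal is OutputDebugStringA, or
// deferring the work to the first call of InjectFunc / a worker thread.
//
// Thread attach/detach notifications are switched off since nothing here
// keeps per-thread state; lpReserved is unused.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    UNREFERENCED_PARAMETER(lpReserved);

    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        DisableThreadLibraryCalls(hModule);
        MessageBoxA(NULL, "the simple inject success", "Dll Inject", MB_OKCANCEL);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
    default:
        break;
    }
    return TRUE;
}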

导入表写入没有问题(可用 PE 查看器核对新节和导入目录),但被修改后的 EXE 运行时仍有问题,原因尚待调试。可先排查:新节是否足够容纳复制过来的全部导入描述符,以及 WaiGua.dll 在 DllMain 里弹 MessageBox 是否在加载器锁下造成了异常。
