滴水三期逆向基础系列(一)-读取文件到内存再读取回文件
跟着滴水三期学了很长时间了,本着每一点都要吃透的精神,跟“读文件到内存(拉伸),再读回文件(压缩回来)”杠了一天。先看看按着老师的架构写的代码吧(老师的代码有很多问题——也可能是我太菜了吧——踩了很多坑,最后自己推翻重写,全改过来了)。
先看看全部函数的声明
#include <windows.h>
#include <stdio.h>

// Input binary and output path used by the lesson; point them at your own test EXE.
#define FilePath_In "d://test.exe"
#define FilePath_Out "d://test_new.exe"

// Reserved for a later lesson of the series; nothing in this post's code reads
// them. A hard-coded absolute API address like this only matches one exact
// DLL build loaded at one exact base, so it is not portable across machines.
#define messageBoxAddr 0x77E5425F
#define shellCodeLength 0x12

extern BYTE shellCode[];

// Reads the whole file into a malloc'd buffer stored in *pFileBuffer.
// Returns the file size, or ERROR (0) after printing a message on failure.
DWORD ReadPEFile(IN LPSTR lpszFile, OUT LPVOID *pFileBuffer);

// Dumps the DOS/NT/file/optional/section headers of a file-layout buffer to stdout.
VOID ReturnAllPEInfo(IN LPVOID pFileBuffer);

// "Stretches" a file-layout buffer into memory layout (sections placed at their
// VirtualAddress) in a new malloc'd buffer; returns SizeOfImage or ERROR (0).
DWORD CopyFileBufferToImageBuffer(IN LPVOID pFileBuffer, OUT LPVOID *pImageBuffer);

// Compacts a memory-layout buffer back to file layout in place; *pNewFileBuffer
// receives the same pointer as pImageBuffer. Returns the byte count to pass to
// NewFileBufferToFile, or ERROR (0).
DWORD CopyImageBufferToNewFileBuffer(IN LPVOID pImageBuffer, OUT LPVOID *pNewFileBuffer);

// Writes size bytes of pNewFileBuffer to lpszFile. lpszFile is an INPUT (the
// path to create) despite the OUT tag. Returns TRUE on success, 0 on failure.
BOOL NewFileBufferToFile(IN LPVOID pNewFileBuffer, size_t size, OUT LPSTR lpszFile);
之后就是函数实现啦
#include "stdafx.h"
#include "global.h"
#include <stdio.h>
#include <windows.h>
#include <iostream>
//_CRT_SECURE_NO_WARNINGS  (define it before the includes, or in the project
// settings, to silence MSVC's deprecation warnings for fopen/fread/fwrite)
using namespace std;
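// Byte template reserved for a later lesson of the series; none of the
// functions in this file read it (messageBoxAddr / shellCodeLength in
// global.h belong to it as well).
BYTE shellCode[] = {
    0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00,
    0xE8, 0x00, 0x00, 0x00, 0x00,
    0xE9, 0x00, 0x00, 0x00, 0x00
};

// Pointers to the individual PE headers of one buffer, filled in by
// ParsePeHeaders so that every walker below derives them the same way.
struct PeHeaders {
    PIMAGE_DOS_HEADER dos;
    PIMAGE_NT_HEADERS nt;
    PIMAGE_FILE_HEADER file;
    PIMAGE_OPTIONAL_HEADER optional;
    PIMAGE_SECTION_HEADER sections;   // first entry of the section table
};

// TRUE when [start, start + len) lies inside [0, limit). Written so that
// start + len cannot wrap around in DWORD arithmetic.
static BOOL RangeFits(DWORD start, DWORD len, DWORD limit)
{
    return start <= limit && len <= limit - start;
}

// Print one header field as "<label><hex value>" on its own line.
static void PrintHexField(const char *label, DWORD value)
{
    std::cout << label << std::hex << value << std::endl;
}

// Validate the MZ and PE signatures of a buffer holding a PE image (file or
// memory layout) and fill *out with its header pointers. Prints the lesson's
// message and returns FALSE when pBuffer is NULL (nullMsg is printed then),
// e_lfanew is negative, or either signature is missing.
//
// NOTE(review): the buffer length is not known here, so an e_lfanew or a
// section table that points past the end of a truncated/crafted file cannot
// be rejected; the signature read itself would then run off the buffer.
// Code that accepts files from an untrusted source must check those offsets
// against the real size (the value ReadPEFile returned) before calling this.
static BOOL ParsePeHeaders(LPVOID pBuffer, const char *nullMsg, PeHeaders *out)
{
    if (pBuffer == NULL) {
        printf("%s", nullMsg);
        return FALSE;
    }
    // Both the MZ and the PE signature must be present.
    if (*((PWORD)pBuffer) != IMAGE_DOS_SIGNATURE) {
        printf("无有效的MZ标志\n");
        return FALSE;
    }
    PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)pBuffer;
    if (dos->e_lfanew < 0 ||
        *((PDWORD)((BYTE *)pBuffer + dos->e_lfanew)) != IMAGE_NT_SIGNATURE) {
        printf("无有效的PE标志\n");
        return FALSE;
    }

    out->dos = dos;
    out->nt = (PIMAGE_NT_HEADERS)((BYTE *)pBuffer + dos->e_lfanew);
    out->file = (PIMAGE_FILE_HEADER)((BYTE *)out->nt + sizeof(DWORD));
    out->optional = (PIMAGE_OPTIONAL_HEADER)((BYTE *)out->file + IMAGE_SIZEOF_FILE_HEADER);
    // The section table follows the optional header by its *declared* size,
    // which need not equal sizeof(IMAGE_OPTIONAL_HEADER).
    out->sections = (PIMAGE_SECTION_HEADER)((BYTE *)out->optional + out->file->SizeOfOptionalHeader);
    return TRUE;
}

// Read the whole file named by lpszFile into a freshly malloc'd, zero-filled
// buffer. On success stores the buffer in *pFileBuffer (the caller releases it
// with free()) and returns the file size in bytes. On failure prints a message,
// leaves *pFileBuffer untouched and returns ERROR (0); an empty file counts as
// a failure so that 0 always means "nothing was read".
DWORD ReadPEFile(IN LPSTR lpszFile, OUT LPVOID *pFileBuffer)
{
    FILE *pFile = fopen(lpszFile, "rb");
    if (!pFile) {
        printf("fopen打开EXE文件失败...");
        return ERROR;
    }

    // Size = position after seeking to the end; ftell() reports -1 on error.
    long fileLen = -1;
    if (fseek(pFile, 0, SEEK_END) == 0) {
        fileLen = ftell(pFile);
    }
    if (fileLen <= 0 || fseek(pFile, 0, SEEK_SET) != 0) {
        printf("获取文件大小失败或文件为空...");
        fclose(pFile);
        return ERROR;
    }
    const DWORD fileSize = (DWORD)fileLen;

    // Check the allocation before touching it (the lesson memset() it first,
    // which dereferences NULL when malloc fails).
    LPVOID pTempFileBuffer = malloc(fileSize);
    if (!pTempFileBuffer) {
        printf("pTempFileBuffer空间申请失败...");
        fclose(pFile);
        return ERROR;
    }
    memset(pTempFileBuffer, 0x00, fileSize);

    // One element of fileSize bytes: fread returns 1 only for a complete read.
    if (fread(pTempFileBuffer, fileSize, 1, pFile) != 1) {
        printf("fread数据读取失败...");
        free(pTempFileBuffer);
        fclose(pFile);
        return ERROR;
    }
    fclose(pFile);

    *pFileBuffer = pTempFileBuffer;
    return fileSize;
}

// Dump the DOS, NT, file, optional and section headers of the PE image in
// pFileBuffer (file layout, as returned by ReadPEFile) to stdout, in hex.
// Prints only an error line when the buffer is NULL or the MZ/PE signatures
// are missing, since e_lfanew cannot be followed before that check.
VOID ReturnAllPEInfo(IN LPVOID pFileBuffer)
{
    PeHeaders h;
    if (!ParsePeHeaders(pFileBuffer, "pFileBuffer缓冲区指针出错...\n", &h)) {
        return;
    }
    PIMAGE_DOS_HEADER idh = h.dos;
    PIMAGE_NT_HEADERS inh = h.nt;
    PIMAGE_FILE_HEADER ifh = h.file;
    PIMAGE_OPTIONAL_HEADER ioh = h.optional;

    std::cout << std::hex;
    std::cout << "-----------IMAGE_DOS_HEADER_BASE---------" << std::endl;
    PrintHexField("|-e_magic = ", idh->e_magic);
    PrintHexField("|-e_lfanew = ", (DWORD)idh->e_lfanew);
    std::cout << "|" << std::endl;

    std::cout << "|------------------IMAGE_NT_HEADERS_BASE-----------------" << std::endl;
    PrintHexField("|-signature = ", inh->Signature);
    std::cout << "|" << std::endl;

    std::cout << "|---------IMAGE_FILE_HEADER_BASE---------" << std::endl;
    PrintHexField("||-Machine = ", ifh->Machine);
    PrintHexField("||-NumberOfSections = ", ifh->NumberOfSections);
    PrintHexField("||-TimeDateStamp = ", ifh->TimeDateStamp);
    PrintHexField("||-PointerToSymbolTable = ", ifh->PointerToSymbolTable);
    PrintHexField("||-NumberOfSymbols = ", ifh->NumberOfSymbols);
    PrintHexField("||-SizeOfOptionalHeader = ", ifh->SizeOfOptionalHeader);
    PrintHexField("||-Characteristics = ", ifh->Characteristics);
    std::cout << "||" << std::endl;

    std::cout << "||-----------IMAGE_OPTIONAL_HEADER---------" << std::endl;
    PrintHexField("||-Magic = ", ioh->Magic);
    PrintHexField("||-MajorLinkerVersion = ", ioh->MajorLinkerVersion);
    PrintHexField("||-MinorLinkerVersion = ", ioh->MinorLinkerVersion);
    PrintHexField("||-SizeOfCode = ", ioh->SizeOfCode);
    PrintHexField("||-SizeOfInitializedData = ", ioh->SizeOfInitializedData);
    PrintHexField("||-SizeOfUninitializedData = ", ioh->SizeOfUninitializedData);
    PrintHexField("||-AddressOfEntryPoint = ", ioh->AddressOfEntryPoint);
    PrintHexField("||-BaseOfCode = ", ioh->BaseOfCode);
    PrintHexField("||-BaseOfData = ", ioh->BaseOfData);
    std::cout << "||" << std::endl;

    std::cout << "||-----------NT 结构增加的领域---------" << std::endl;
    PrintHexField("||-ImageBase = ", ioh->ImageBase);
    PrintHexField("||-SectionAlignment = ", ioh->SectionAlignment);
    PrintHexField("||-FileAlignment = ", ioh->FileAlignment);
    PrintHexField("||-MajorOperatingSystemVersion = ", ioh->MajorOperatingSystemVersion);
    PrintHexField("||-MinorOperatingSystemVersion = ", ioh->MinorOperatingSystemVersion);
    PrintHexField("||-MajorImageVersion = ", ioh->MajorImageVersion);
    PrintHexField("||-MinorImageVersion = ", ioh->MinorImageVersion);
    PrintHexField("||-MajorSubsystemVersion = ", ioh->MajorSubsystemVersion);
    PrintHexField("||-MinorSubsystemVersion = ", ioh->MinorSubsystemVersion);
    PrintHexField("||-Win32VersionValue = ", ioh->Win32VersionValue);
    PrintHexField("||-SizeOfImage = ", ioh->SizeOfImage);
    PrintHexField("||-SizeOfHeaders = ", ioh->SizeOfHeaders);
    PrintHexField("||-CheckSum = ", ioh->CheckSum);
    PrintHexField("||-Subsystem = ", ioh->Subsystem);
    PrintHexField("||-DllCharacteristics = ", ioh->DllCharacteristics);
    PrintHexField("||-SizeOfStackReserve = ", ioh->SizeOfStackReserve);
    PrintHexField("||-SizeOfStackCommit = ", ioh->SizeOfStackCommit);
    PrintHexField("||-SizeOfHeapReserve = ", ioh->SizeOfHeapReserve);
    PrintHexField("||-SizeOfHeapCommit = ", ioh->SizeOfHeapCommit);
    PrintHexField("||-LoaderFlags = ", ioh->LoaderFlags);
    PrintHexField("||-NumberOfRvaAndSizes = ", ioh->NumberOfRvaAndSizes);
    std::cout << "|" << std::endl;

    std::cout << "|-------PE结构大小----------------------" << std::endl;
    PrintHexField("|-sizeof(IMAGE_DOS_HEADER) = ", (DWORD)sizeof(IMAGE_DOS_HEADER));
    PrintHexField("|-sizeof(IMAGE_FILE_HEADER) = ", (DWORD)sizeof(IMAGE_FILE_HEADER));
    PrintHexField("|-sizeof(IMAGE_OPTIONAL_HEADER) = ", (DWORD)sizeof(IMAGE_OPTIONAL_HEADER));
    // The size actually recorded in the file, which is what locates the section table.
    PrintHexField("|-realSizeof(IMAGE_OPTIONAL_HEADER) = ", ifh->SizeOfOptionalHeader);
    PrintHexField("|-sizeof(IMAGE_NT_HEADERS) = ", (DWORD)sizeof(IMAGE_NT_HEADERS));
    std::cout << "|" << std::endl;

    // File offsets of each header, relative to the start of the buffer.
    std::cout << "|-------文件中PE头基址----------------------" << std::endl;
    PrintHexField("|-IMAGE_DOS_HEADER_BASE = ", 0);
    PrintHexField("|-IMAGE_NT_HEADERS_BASE = ", (DWORD)((BYTE *)inh - (BYTE *)idh));
    PrintHexField("|-IMAGE_FILE_HEADER_BASE = ", (DWORD)((BYTE *)ifh - (BYTE *)idh));
    PrintHexField("|-IMAGE_OPTIONAL_HEADER_BASE = ", (DWORD)((BYTE *)ioh - (BYTE *)idh));
    std::cout << "|" << std::endl;

    // Walk the section table. NumberOfSections is the upper bound; the lesson
    // additionally stops at the first header whose name starts with NUL and
    // treats it as an unused slot (kept as a heuristic, not a PE rule).
    for (WORD i = 0; i < ifh->NumberOfSections; i++) {
        PIMAGE_SECTION_HEADER sec = h.sections + i;
        if (sec->Name[0] == 0x00) {
            break;
        }
        std::cout << "|----------------------------------------" << std::endl;
        std::cout << "|---------------节表" << i + 1 << "--------------" << std::endl;
        // Name is 8 bytes and NOT NUL-terminated when all 8 are used, so the
        // width must be bounded instead of streaming it as a C string.
        printf("||-SectionName = %.*s\n", (int)IMAGE_SIZEOF_SHORT_NAME, (const char *)sec->Name);
        PrintHexField("||-BaseAddress = ", (DWORD)((BYTE *)sec - (BYTE *)idh));
        std::cout << "||-MemoryBaseAddress = " << (void *)sec << std::endl;
        // Misc is a union; print the member, not the union object.
        PrintHexField("||-VirtualSize = ", sec->Misc.VirtualSize);
        PrintHexField("||-VirtualAddress = ", sec->VirtualAddress);
        PrintHexField("||-SizeOfRawData = ", sec->SizeOfRawData);
        PrintHexField("||-PointerToRawData = ", sec->PointerToRawData);
        PrintHexField("||-PointerToRelocations = ", sec->PointerToRelocations);
        PrintHexField("||-PointerToLinenumbers = ", sec->PointerToLinenumbers);
        PrintHexField("||-NumberOfRelocations = ", sec->NumberOfRelocations);
        PrintHexField("||-NumberOfLinenumbers = ", sec->NumberOfLinenumbers);
        PrintHexField("||-Characteristics = ", sec->Characteristics);
    }
    std::cout << "|----------------------------------------" << std::endl;
}

// "Stretch" a file-layout PE buffer into its memory layout: allocate
// SizeOfImage bytes, copy SizeOfHeaders bytes of headers to offset 0, then
// place each section's raw bytes at its VirtualAddress. On success stores the
// new buffer (the caller frees it) in *pImageBuffer and returns SizeOfImage;
// on failure prints a message, leaves *pImageBuffer untouched and returns
// ERROR (0).
//
// Every destination range is checked against SizeOfImage before anything is
// allocated: VirtualAddress and SizeOfRawData come straight from the file and
// would otherwise write past the new buffer. The *source* ranges
// (PointerToRawData + SizeOfRawData) cannot be checked here because the file
// size is not passed in — NOTE(review): a caller that processes untrusted
// files should validate those against the size ReadPEFile returned.
DWORD CopyFileBufferToImageBuffer(IN LPVOID pFileBuffer, OUT LPVOID *pImageBuffer)
{
    PeHeaders h;
    if (!ParsePeHeaders(pFileBuffer, "pFileBuffer缓冲区指针出错...\n", &h)) {
        return ERROR;
    }
    const DWORD sizeOfImage = h.optional->SizeOfImage;
    const DWORD sizeOfHeaders = h.optional->SizeOfHeaders;

    if (!RangeFits(0, sizeOfHeaders, sizeOfImage)) {
        printf("SizeOfHeaders超出SizeOfImage...\n");
        return ERROR;
    }
    for (WORD i = 0; i < h.file->NumberOfSections; i++) {
        const IMAGE_SECTION_HEADER *sec = h.sections + i;
        if (!RangeFits(sec->VirtualAddress, sec->SizeOfRawData, sizeOfImage)) {
            printf("第%u个节的VirtualAddress+SizeOfRawData超出SizeOfImage...\n", (unsigned)i);
            return ERROR;
        }
    }

    // Allocate SizeOfImage bytes and zero them; gaps between sections stay 0.
    LPVOID pTempImage = malloc(sizeOfImage);
    if (!pTempImage) {
        printf("pTempFileBuffer空间申请失败...");
        return ERROR;
    }
    memset(pTempImage, 0, sizeOfImage);
    memcpy(pTempImage, h.dos, sizeOfHeaders);

    for (WORD i = 0; i < h.file->NumberOfSections; i++) {
        const IMAGE_SECTION_HEADER *sec = h.sections + i;
        if (sec->SizeOfRawData == 0) {
            continue;   // occupies no file bytes (e.g. uninitialised data)
        }
        memcpy((BYTE *)pTempImage + sec->VirtualAddress,
               (BYTE *)h.dos + sec->PointerToRawData,
               sec->SizeOfRawData);
    }

    *pImageBuffer = pTempImage;
    return sizeOfImage;
}

// Compact a memory-layout PE buffer (as produced by CopyFileBufferToImageBuffer)
// back into file layout IN PLACE: each section is moved from its
// VirtualAddress down to its PointerToRawData; the headers already sit at
// offset 0 in both layouts. *pNewFileBuffer receives pImageBuffer itself, so
// the two pointers alias one allocation and it must be freed only once.
//
// Returns the size of the compacted file: the largest
// PointerToRawData + SizeOfRawData, but at least SizeOfHeaders. That is the
// byte count to hand to NewFileBufferToFile. (The lesson returned SizeOfImage,
// which wrote the whole stretched buffer back out.) Returns ERROR (0) on an
// invalid buffer or when any section's source or destination range lies
// outside SizeOfImage.
DWORD CopyImageBufferToNewFileBuffer(IN LPVOID pImageBuffer, OUT LPVOID *pNewFileBuffer)
{
    PeHeaders h;
    if (!ParsePeHeaders(pImageBuffer, "pImageBuffer缓冲区指针出错...\n", &h)) {
        return ERROR;
    }
    const DWORD sizeOfImage = h.optional->SizeOfImage;
    const DWORD sizeOfHeaders = h.optional->SizeOfHeaders;

    if (!RangeFits(0, sizeOfHeaders, sizeOfImage)) {
        printf("SizeOfHeaders超出SizeOfImage...\n");
        return ERROR;
    }

    // Pass 1: validate every section before moving anything, so a bad entry
    // cannot leave the buffer half-rearranged. The destination must also not
    // overlap the headers, since the section table being walked lives there.
    DWORD newFileSize = sizeOfHeaders;
    for (WORD i = 0; i < h.file->NumberOfSections; i++) {
        const IMAGE_SECTION_HEADER *sec = h.sections + i;
        if (sec->SizeOfRawData == 0) {
            continue;
        }
        if (!RangeFits(sec->VirtualAddress, sec->SizeOfRawData, sizeOfImage) ||
            !RangeFits(sec->PointerToRawData, sec->SizeOfRawData, sizeOfImage) ||
            sec->PointerToRawData < sizeOfHeaders) {
            printf("第%u个节的地址范围无效...\n", (unsigned)i);
            return ERROR;
        }
        const DWORD rawEnd = sec->PointerToRawData + sec->SizeOfRawData;   // cannot wrap: RangeFits passed
        if (rawEnd > newFileSize) {
            newFileSize = rawEnd;
        }
    }

    // Pass 2: move the sections down. Source and destination live in the same
    // buffer and may overlap, so memmove is required (memcpy on overlapping
    // ranges is undefined behaviour).
    for (WORD i = 0; i < h.file->NumberOfSections; i++) {
        const IMAGE_SECTION_HEADER *sec = h.sections + i;
        printf("pSectionHeader->Name = %.*s\n", (int)IMAGE_SIZEOF_SHORT_NAME, (const char *)sec->Name);
        if (sec->SizeOfRawData == 0) {
            continue;
        }
        memmove((BYTE *)h.dos + sec->PointerToRawData,
                (BYTE *)h.dos + sec->VirtualAddress,
                sec->SizeOfRawData);
    }

    *pNewFileBuffer = pImageBuffer;
    return newFileSize;
}

// Write size bytes from pNewFileBuffer to lpszFile (created or truncated, in
// binary mode). lpszFile is an input — the path to create — despite the OUT
// tag, which is kept only to match the declaration in global.h.
// Returns TRUE on success; prints a message and returns FALSE (0) on a NULL
// buffer, a zero size, an open or write failure, or a failed fclose (a failed
// flush on close can still lose data, so it is not ignored).
BOOL NewFileBufferToFile(IN LPVOID pNewFileBuffer, size_t size, OUT LPSTR lpszFile)
{
    if (pNewFileBuffer == NULL) {
        printf("pNewFileBuffer缓冲区出错...\n");
        return FALSE;
    }
    if (size == 0) {
        printf("要写入的数据大小为0...\n");
        return FALSE;
    }

    FILE *pFile = fopen(lpszFile, "wb");
    if (!pFile) {
        printf("fopen保存EXE文件失败...\n");
        return FALSE;
    }

    // One element of `size` bytes: fwrite returns 1 only when all of it was written.
    if (fwrite(pNewFileBuffer, size, 1, pFile) != 1) {
        printf("fwrite数据写入失败...\n");
        fclose(pFile);
        return FALSE;
    }
    if (fclose(pFile) != 0) {
        printf("fclose关闭文件失败...\n");
        return FALSE;
    }
    return TRUE;
}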
之后就是调用了
// test.cpp : 定义控制台应用程序的入口点。
//#include "stdafx.h"
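#include "global.h"
#include <stdlib.h>   // free()

// NOTE(review): in the listing above, the `#include "stdafx.h"` line appears
// to have been swallowed by the preceding `//` comment; restore it if the
// project is built with precompiled headers.

// Entry point of the lesson: read FilePath_In, stretch it into memory layout,
// compact it back into file layout and write the result to FilePath_Out.
// Each step's return value is checked so that a failed step is reported by the
// callee instead of a NULL buffer being handed to the next one, and the
// buffers are released before exit. argc/argv are unused.
// Returns 0 on success and 1 if any step failed.
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;

    LPVOID pFileBuffer = NULL;
    LPVOID pImageBuffer = NULL;
    LPVOID pNewFileBuffer = NULL;
    int exitCode = 1;

    if (ReadPEFile(FilePath_In, &pFileBuffer) != ERROR &&
        CopyFileBufferToImageBuffer(pFileBuffer, &pImageBuffer) != ERROR) {
        //ReturnAllPEInfo(pFileBuffer);
        DWORD FileSize = CopyImageBufferToNewFileBuffer(pImageBuffer, &pNewFileBuffer);
        if (FileSize != ERROR && NewFileBufferToFile(pNewFileBuffer, FileSize, FilePath_Out)) {
            exitCode = 0;
        }
    }

    // pNewFileBuffer aliases pImageBuffer (the compaction is done in place in
    // that buffer), so only the two distinct allocations are freed.
    // free(NULL) is a no-op, so this is safe after an early failure too.
    free(pImageBuffer);
    free(pFileBuffer);

    printf("为防止闪屏消失,请手动按任意键结束...");
    getchar();
    return exitCode;
}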
一起学习的小伙伴可以互相关注,一起学习,一起加油噢!
这个系列会一直更新,最重要的是,想练习前面的小伙伴,记得自己写Hello World来测试。