跟着滴水三期学了很长时间了,本着每一点都要吃透的精神,跟“读文件到内存(拉伸),再读回文件(压缩回来)”杠了一天。先看看按着老师的架构写的代码吧(老师的代码有很多问题(可能是我太菜了吧),踩了很多坑,最后自己推翻重写,全改过来了)。

先看看全部函数的声明


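#pragma once

#include <windows.h>
#include <stdio.h>

// Paths used by _tmain: the input file is read into memory, stretched to its
// in-memory (SizeOfImage) layout, compressed back to file layout and written
// to the output path.
#define FilePath_In      "d://test.exe"
#define FilePath_Out     "d://test_new.exe"

// Hard-coded address and stub length that belong to shellCode below; none of
// the functions declared in this header reference them.
#define messageBoxAddr   0x77E5425F
#define shellCodeLength  0x12

// 18-byte stub defined in the implementation file (see shellCodeLength).
extern BYTE shellCode[];

// The DWORD-returning functions print the reason for a failure to stdout and
// return ERROR (0); callers must treat a return of 0 as failure.

// Reads the whole file at lpszFile into a malloc'ed buffer stored in
// *pFileBuffer. Returns the file size in bytes, or ERROR. The caller frees
// the buffer.
DWORD ReadPEFile(IN LPSTR lpszFile, OUT LPVOID *pFileBuffer);

// Dumps the DOS, NT, file and optional headers and the section table of a
// file-layout PE buffer to stdout.
VOID ReturnAllPEInfo(IN LPVOID pFileBuffer);

// Copies a file-layout PE buffer into a new malloc'ed buffer of SizeOfImage
// bytes with each section placed at its VirtualAddress ("stretch").
// Returns SizeOfImage, or ERROR. The caller frees *pImageBuffer.
DWORD CopyFileBufferToImageBuffer(IN LPVOID pFileBuffer, OUT LPVOID *pImageBuffer);

// Moves each section of a stretched image back to its PointerToRawData
// ("compress"). The work is done in place: *pNewFileBuffer receives
// pImageBuffer itself, so only one of the two pointers may be freed.
// Returns the number of bytes to write out, or ERROR.
DWORD CopyImageBufferToNewFileBuffer(IN LPVOID pImageBuffer, OUT LPVOID *pNewFileBuffer);

// Writes size bytes of pNewFileBuffer to lpszFile. Returns TRUE on success,
// FALSE (ERROR) otherwise. lpszFile is an input; IN/OUT are annotations only.
BOOL NewFileBufferToFile(IN LPVOID pNewFileBuffer, size_t size, IN LPSTR lpszFile);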

之后就是函数实现啦

#include "stdafx.h"
#include "global.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <iostream>
//_CRT_SECURE_NO_WARNINGS
using namespace std;
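// Stub declared in global.h: four push imm8, one call rel32 and one jmp rel32
// whose displacement operands are left 0. Its 18 bytes match shellCodeLength
// (0x12). None of the functions in this file read it.
BYTE shellCode[] = {
    0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00,
    0xE8, 0x00, 0x00, 0x00, 0x00,
    0xE9, 0x00, 0x00, 0x00, 0x00
};

// TRUE when [offset, offset + size) lies inside a buffer of limit bytes.
// Written as a subtraction so that offset + size cannot wrap around.
static BOOL RangeFits(DWORD offset, DWORD size, DWORD limit)
{
    return size <= limit && offset <= limit - size;
}

// Checks the MZ/PE signatures of a buffer holding a PE file (or a stretched
// image) and resolves the file header, optional header and first section
// header. Prints the reason and returns FALSE when a signature is wrong.
// Only the signatures and a lower bound on e_lfanew are checked: none of the
// public functions receive the buffer length, so e_lfanew and the section
// table are trusted to lie inside the buffer.
static BOOL LocatePEHeaders(IN LPVOID pBuffer,
                            OUT PIMAGE_FILE_HEADER *ppFileHeader,
                            OUT PIMAGE_OPTIONAL_HEADER *ppOptionHeader,
                            OUT PIMAGE_SECTION_HEADER *ppSectionHeader)
{
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pBuffer;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        printf("无有效的MZ标志\n");
        return FALSE;
    }
    // The NT headers cannot start inside the DOS header; this also rejects a
    // negative e_lfanew (the field is a LONG).
    if (pDosHeader->e_lfanew < (LONG)sizeof(IMAGE_DOS_HEADER)) {
        printf("e_lfanew值无效\n");
        return FALSE;
    }
    PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)((BYTE *)pBuffer + pDosHeader->e_lfanew);
    if (pNTHeader->Signature != IMAGE_NT_SIGNATURE) {
        printf("无有效的PE标志\n");
        return FALSE;
    }
    PIMAGE_FILE_HEADER pFileHeader = &pNTHeader->FileHeader;
    PIMAGE_OPTIONAL_HEADER pOptionHeader =
        (PIMAGE_OPTIONAL_HEADER)((BYTE *)pFileHeader + IMAGE_SIZEOF_FILE_HEADER);
    *ppFileHeader = pFileHeader;
    *ppOptionHeader = pOptionHeader;
    // The optional header's real length is SizeOfOptionalHeader, so the section
    // table is located from that field rather than sizeof(IMAGE_OPTIONAL_HEADER).
    *ppSectionHeader =
        (PIMAGE_SECTION_HEADER)((BYTE *)pOptionHeader + pFileHeader->SizeOfOptionalHeader);
    return TRUE;
}

// Reads the whole file at lpszFile into a malloc'ed buffer.
//   lpszFile    - path of the file to read.
//   pFileBuffer - receives the buffer on success (untouched on failure);
//                 the caller frees it.
// Returns the file size in bytes, or ERROR (0) after printing the reason.
DWORD ReadPEFile(IN LPSTR lpszFile, OUT LPVOID *pFileBuffer)
{
    if (lpszFile == NULL || pFileBuffer == NULL) {
        printf("ReadPEFile参数出错...\n");
        return ERROR;
    }

    FILE *pFile = fopen(lpszFile, "rb");
    if (!pFile) {
        printf("fopen打开EXE文件失败...");
        return ERROR;
    }

    // Measure the file. An empty file is rejected so that a successful return
    // can never collide with ERROR (0).
    long fileLength = -1;
    if (fseek(pFile, 0, SEEK_END) == 0) {
        fileLength = ftell(pFile);
    }
    if (fileLength <= 0 || fseek(pFile, 0, SEEK_SET) != 0) {
        printf("获取文件大小失败...\n");
        fclose(pFile);
        return ERROR;
    }
    DWORD fileSize = (DWORD)fileLength;

    // The allocation is checked before the buffer is touched.
    LPVOID pTempFileBuffer = malloc(fileSize);
    if (!pTempFileBuffer) {
        printf("pTempFileBuffer空间申请失败...");
        fclose(pFile);
        return ERROR;
    }
    memset(pTempFileBuffer, 0x00, fileSize);

    // Read byte-wise so a short read is detected exactly.
    size_t n = fread(pTempFileBuffer, 1, fileSize, pFile);
    fclose(pFile);
    if (n != fileSize) {
        printf("fread数据读取失败...");
        free(pTempFileBuffer);
        return ERROR;
    }

    *pFileBuffer = pTempFileBuffer;
    return fileSize;
}

// Dumps the headers and section table of a file-layout PE buffer to stdout.
// Prints a reason and returns early when the buffer is NULL or the MZ/PE
// signatures are wrong. All numbers are printed in hex.
VOID ReturnAllPEInfo(IN LPVOID pFileBuffer)
{
    if (pFileBuffer == NULL) {
        printf("pFileBuffer缓冲区指针出错...\n");
        return;
    }
    PIMAGE_FILE_HEADER ifh = NULL;
    PIMAGE_OPTIONAL_HEADER ioh = NULL;
    PIMAGE_SECTION_HEADER ish = NULL;
    if (!LocatePEHeaders(pFileBuffer, &ifh, &ioh, &ish)) {
        return;
    }
    PIMAGE_DOS_HEADER idh = (PIMAGE_DOS_HEADER)pFileBuffer;
    PIMAGE_NT_HEADERS inh = (PIMAGE_NT_HEADERS)((BYTE *)pFileBuffer + idh->e_lfanew);

    // The hex flag is sticky on cout, so it is set once for the whole dump.
    cout << hex;
    cout << "-----------IMAGE_DOS_HEADER_BASE---------" << endl;
    cout << "|-e_magic                           = " << idh->e_magic << endl;
    cout << "|-e_lfanew                          = " << idh->e_lfanew << endl;
    cout << "|" << endl;
    cout << "|------------------IMAGE_NT_HEADERS_BASE-----------------" << endl;
    cout << "|-signature                         = " << IMAGE_NT_SIGNATURE << endl;
    cout << "|" << endl;
    cout << "|---------IMAGE_FILE_HEADER_BASE---------" << endl;
    cout << "||-Machine                          = " << ifh->Machine << endl;
    cout << "||-NumberOfSections                 = " << ifh->NumberOfSections << endl;
    cout << "||-TimeDataStamp                    = " << ifh->TimeDateStamp << endl;
    cout << "||-PointerToSymbolicTable           = " << ifh->PointerToSymbolTable << endl;
    cout << "||-NumberOfSymbols                  = " << ifh->NumberOfSymbols << endl;
    cout << "||-SizeOfOptionalHeader             = " << ifh->SizeOfOptionalHeader << endl;
    cout << "||-Characteristics                  = " << ifh->Characteristics << endl;
    cout << "||" << endl;
    cout << "||-----------IMAGE_OPTIONAL_HEADER---------" << endl;
    cout << "||-Magic                            = " << ioh->Magic << endl;
    printf(        "||-MajorLinkerVersion               = %x\n", ioh->MajorLinkerVersion);
    printf(        "||-MinorLinkerVersion               = %x\n", ioh->MinorLinkerVersion);
    cout << "||-SizeOfCode                       = " << ioh->SizeOfCode << endl;
    cout << "||-SizeOfInitializedData            = " << ioh->SizeOfInitializedData << endl;
    cout << "||-SizeOfUninitializedData          = " << ioh->SizeOfUninitializedData << endl;
    cout << "||-AddressOfEntryPoint              = " << ioh->AddressOfEntryPoint << endl;
    cout << "||-BaseOfCode                       = " << ioh->BaseOfCode << endl;
    cout << "||-BaseOfData                       = " << ioh->BaseOfData << endl;
    cout << "||"<< endl;
    cout << "||-----------NT 结构增加的领域---------" << endl;
    cout << "||-ImageBase                        = " << ioh->ImageBase << endl;
    cout << "||-SectionAlignment                 = " << ioh->SectionAlignment << endl;
    cout << "||-FileAlignment                    = " << ioh->FileAlignment << endl;
    cout << "||-MajorOperatingSystemVersion      = " << ioh->MajorOperatingSystemVersion << endl;
    cout << "||-MinorOperatingSystemVersion      = " << ioh->MinorOperatingSystemVersion << endl;
    cout << "||-MajorImageVersion                = " << ioh->MajorImageVersion << endl;
    cout << "||-MinorImageVersion                = " << ioh->MinorImageVersion << endl;
    cout << "||-MajorSubsystemVersion            = " << ioh->MajorSubsystemVersion << endl;
    cout << "||-MinorSubsystemVersion            = " << ioh->MinorSubsystemVersion << endl;
    cout << "||-Win32VersionValue                = " << ioh->Win32VersionValue << endl;
    cout << "||-SizeOfImage                      = " << ioh->SizeOfImage << endl;
    cout << "||-SizeOfHeaders                    = " << ioh->SizeOfHeaders << endl;
    cout << "||-CheckSum                         = " << ioh->CheckSum << endl;
    cout << "||-Subsystem                        = " << ioh->Subsystem << endl;
    cout << "||-DllCharacteristics               = " << ioh->DllCharacteristics << endl;
    cout << "||-SizeOfStackReserve               = " << ioh->SizeOfStackReserve << endl;
    cout << "||-SizeOfStackCommit                = " << ioh->SizeOfStackCommit << endl;
    cout << "||-SizeOfHeapReserve                = " << ioh->SizeOfHeapReserve << endl;
    cout << "||-SizeOfHeapCommit                 = " << ioh->SizeOfHeapCommit << endl;
    cout << "||-LoaderFlags                      = " << ioh->LoaderFlags << endl;
    cout << "||-NumberOfRvaAndSizes              = " << ioh->NumberOfRvaAndSizes << endl;
    cout << "|" << endl;
    cout << "|-------PE结构大小----------------------" << endl;
    cout << "|-sizeof(IMAGE_DOS_HEADER)          = " << sizeof(IMAGE_DOS_HEADER)<< endl;
    cout << "|-sizeof(IMAGE_FILE_HEADER)         = " << sizeof(IMAGE_FILE_HEADER) << endl;
    cout << "|-sizeof(IMAGE_OPTIONAL_HEADER)     = " << sizeof(IMAGE_OPTIONAL_HEADER) << endl;
    // The "real" size is the one recorded in the file header, not the struct size.
    cout << "|-realSizeof(IMAGE_OPTIONAL_HEADER) = " << ifh->SizeOfOptionalHeader << endl;
    cout << "|-sizeof(IMAGE_NT_HEADERS)          = " << sizeof(IMAGE_NT_HEADERS) << endl;
    cout << "|" << endl;
    cout << "|-------文件中PE头基址----------------------" << endl;
    // Offsets are cast to void* so they print with the same width as pointers.
    cout << "|-IMAGE_DOS_HEADER_BASE             = " << (void *)((BYTE *)idh - (BYTE *)idh) << endl;
    cout << "|-IMAGE_NT_HEADERS_BASE             = " << (void *)((BYTE *)inh - (BYTE *)idh)  << endl;
    cout << "|-IMAGE_FILE_HEADER_BASE            = " << (void *)((BYTE *)ifh - (BYTE *)idh)  << endl;
    cout << "|-IMAGE_OPTIONAL_HEADER_BASE        = " << (void *)((BYTE *)ioh - (BYTE *)idh)  << endl;
    cout << "|" << endl;

    for (DWORD i = 0; i < ifh->NumberOfSections; i++) {
        PIMAGE_SECTION_HEADER section = ish + i;
        // Stop at the first header whose name starts with a NUL byte.
        if (section->Name[0] == 0x00) {
            break;
        }
        // Name is 8 bytes and has no terminator when all 8 are used, so it is
        // copied into a terminated buffer before being printed as a string.
        char sectionName[IMAGE_SIZEOF_SHORT_NAME + 1] = {0};
        memcpy(sectionName, section->Name, IMAGE_SIZEOF_SHORT_NAME);

        cout << "|----------------------------------------"<< endl;
        cout << "|---------------节表"<< i + 1 << "--------------" << endl;
        cout << "||-SectionName               = " << sectionName << endl;
        cout << "||-BaseAddress               = " << (void *)((BYTE *)section - (BYTE *)idh) << endl;
        cout << "||-MemoryBaseAddress         = " << (void *)section << endl;
        // Misc is a union; the named member is passed rather than the union.
        printf(        "||-VirtualSize               = %x\n", section->Misc.VirtualSize);
        cout << "||-VirtualAddress            = " << section->VirtualAddress << endl;
        cout << "||-SizeOfRawData             = " << section->SizeOfRawData << endl;
        cout << "||-PointerToRawData          = " << section->PointerToRawData << endl;
        cout << "||-PointerToRelocations      = " << section->PointerToRelocations << endl;
        cout << "||-PointerToLinenumbers      = " << section->PointerToLinenumbers << endl;
        cout << "||-NumberOfRelocation        = " << section->NumberOfRelocations << endl;
        cout << "||-NumberOfLinenumbers       = " << section->NumberOfLinenumbers << endl;
        cout << "||-Characteristics           = " << section->Characteristics << endl;
    }
    cout << "|----------------------------------------"<< endl;
}

// Stretches a file-layout PE buffer into a new malloc'ed buffer of
// SizeOfImage bytes: the headers keep their offset, each section is copied to
// its VirtualAddress.
//   pFileBuffer  - file-layout PE buffer (its length is not known here).
//   pImageBuffer - receives the new buffer on success; the caller frees it.
// Returns SizeOfImage, or ERROR (0) after printing the reason.
DWORD CopyFileBufferToImageBuffer(IN LPVOID pFileBuffer, OUT LPVOID *pImageBuffer)
{
    if (pFileBuffer == NULL) {
        printf("pFileBuffer缓冲区指针出错...\n");
        return ERROR;
    }
    if (pImageBuffer == NULL) {
        printf("pImageBuffer输出指针出错...\n");
        return ERROR;
    }
    PIMAGE_FILE_HEADER pFileHeader = NULL;
    PIMAGE_OPTIONAL_HEADER pOptionHeader = NULL;
    PIMAGE_SECTION_HEADER pSectionHeader = NULL;
    if (!LocatePEHeaders(pFileBuffer, &pFileHeader, &pOptionHeader, &pSectionHeader)) {
        return ERROR;
    }

    // Every destination range is checked against SizeOfImage before anything
    // is allocated, so a malformed section table cannot write past the buffer.
    // The source ranges (PointerToRawData) cannot be checked: the file size is
    // not passed in.
    DWORD imageSize = pOptionHeader->SizeOfImage;
    if (imageSize == 0 || pOptionHeader->SizeOfHeaders > imageSize) {
        printf("SizeOfImage或SizeOfHeaders无效\n");
        return ERROR;
    }
    for (DWORD i = 0; i < pFileHeader->NumberOfSections; i++) {
        PIMAGE_SECTION_HEADER section = pSectionHeader + i;
        if (!RangeFits(section->VirtualAddress, section->SizeOfRawData, imageSize)) {
            printf("节区范围超出SizeOfImage\n");
            return ERROR;
        }
    }

    LPVOID pTempImageBuffer = malloc(imageSize);
    if (!pTempImageBuffer) {
        printf("pTempFileBuffer空间申请失败...");
        return ERROR;
    }
    memset(pTempImageBuffer, 0, imageSize);

    memcpy(pTempImageBuffer, pFileBuffer, pOptionHeader->SizeOfHeaders);
    for (DWORD i = 0; i < pFileHeader->NumberOfSections; i++) {
        PIMAGE_SECTION_HEADER section = pSectionHeader + i;
        if (section->SizeOfRawData == 0) {
            continue;
        }
        memcpy((BYTE *)pTempImageBuffer + section->VirtualAddress,
               (BYTE *)pFileBuffer + section->PointerToRawData,
               section->SizeOfRawData);
    }

    *pImageBuffer = pTempImageBuffer;
    return imageSize;
}

// Compresses a stretched image back to file layout, in place: each section is
// moved from its VirtualAddress to its PointerToRawData inside pImageBuffer,
// and *pNewFileBuffer receives pImageBuffer itself (so only one of the two
// pointers may be freed).
//   pImageBuffer   - buffer of SizeOfImage bytes produced by
//                    CopyFileBufferToImageBuffer.
//   pNewFileBuffer - receives pImageBuffer on success.
// Returns the file-layout size (end of the last section, at least
// SizeOfHeaders) -- the number of bytes to write -- or ERROR (0).
DWORD CopyImageBufferToNewFileBuffer(IN LPVOID pImageBuffer, OUT LPVOID *pNewFileBuffer)
{
    if (pImageBuffer == NULL) {
        printf("pImageBuffer缓冲区指针出错...\n");
        return ERROR;
    }
    if (pNewFileBuffer == NULL) {
        printf("pNewFileBuffer输出指针出错...\n");
        return ERROR;
    }
    PIMAGE_FILE_HEADER pFileHeader = NULL;
    PIMAGE_OPTIONAL_HEADER pOptionHeader = NULL;
    PIMAGE_SECTION_HEADER pSectionHeader = NULL;
    if (!LocatePEHeaders(pImageBuffer, &pFileHeader, &pOptionHeader, &pSectionHeader)) {
        return ERROR;
    }

    // The buffer is SizeOfImage bytes long, so both the source (RVA) and the
    // destination (file offset) of every section must lie inside it. While
    // checking, the file-layout size is computed as the highest section end.
    DWORD imageSize = pOptionHeader->SizeOfImage;
    DWORD fileSize = pOptionHeader->SizeOfHeaders;
    if (imageSize == 0 || fileSize > imageSize) {
        printf("SizeOfImage或SizeOfHeaders无效\n");
        return ERROR;
    }
    for (DWORD i = 0; i < pFileHeader->NumberOfSections; i++) {
        PIMAGE_SECTION_HEADER section = pSectionHeader + i;
        if (!RangeFits(section->VirtualAddress, section->SizeOfRawData, imageSize) ||
            !RangeFits(section->PointerToRawData, section->SizeOfRawData, imageSize)) {
            printf("节区范围超出SizeOfImage\n");
            return ERROR;
        }
        DWORD sectionEnd = section->PointerToRawData + section->SizeOfRawData;
        if (sectionEnd > fileSize) {
            fileSize = sectionEnd;
        }
    }

    // Sections are moved in table order. NOTE(review): this assumes the usual
    // layout in which a section's file offset is not above its RVA, so moving
    // one section does not clobber a later section's source; not verified here.
    for (DWORD i = 0; i < pFileHeader->NumberOfSections; i++) {
        PIMAGE_SECTION_HEADER section = pSectionHeader + i;
        // Name has no terminator when all 8 bytes are used; copy before printing.
        char sectionName[IMAGE_SIZEOF_SHORT_NAME + 1] = {0};
        memcpy(sectionName, section->Name, IMAGE_SIZEOF_SHORT_NAME);
        cout << "pSectionHeader->Name = " << sectionName << endl;
        if (section->SizeOfRawData == 0) {
            continue;
        }
        // A section's file range may overlap its own memory range, so memmove.
        memmove((BYTE *)pImageBuffer + section->PointerToRawData,
                (BYTE *)pImageBuffer + section->VirtualAddress,
                section->SizeOfRawData);
    }

    *pNewFileBuffer = pImageBuffer;
    return fileSize;
}

// Writes size bytes of pNewFileBuffer to lpszFile.
//   pNewFileBuffer - data to write.
//   size           - number of bytes; 0 is rejected.
//   lpszFile       - output path (an input parameter).
// Returns TRUE on success, FALSE after printing the reason otherwise.
BOOL NewFileBufferToFile(IN LPVOID pNewFileBuffer, size_t size, IN LPSTR lpszFile)
{
    if (pNewFileBuffer == NULL || lpszFile == NULL) {
        printf("pNewFileBuffer缓冲区出错...\n");
        return FALSE;
    }
    if (size == 0) {
        printf("写入长度为0...\n");
        return FALSE;
    }

    FILE *pFile = fopen(lpszFile, "wb");
    if (!pFile) {
        printf("fopen保存EXE文件失败...\n");
        return FALSE;
    }

    size_t written = fwrite(pNewFileBuffer, 1, size, pFile);
    // fclose flushes the stream; a failed flush is a write failure too.
    int closed = fclose(pFile);
    if (written != size || closed != 0) {
        printf("fwrite数据写入失败...\n");
        return FALSE;
    }
    return TRUE;
}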

之后就是调用了

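// test.cpp : entry point of the console application.
//

#include "stdafx.h"
#include <stdlib.h>
#include "global.h"

// Reads FilePath_In, stretches it to image layout, compresses it back to file
// layout and writes the result to FilePath_Out. Every step's return value is
// checked and the buffers are released on all paths.
// CopyImageBufferToNewFileBuffer compresses in place and hands back the image
// buffer as pNewFileBuffer, so that allocation is freed exactly once.
// Returns 0 on success, 1 if any step failed.
int _tmain(int argc, _TCHAR* argv[])
{
    LPVOID pFileBuffer = NULL;
    LPVOID pImageBuffer = NULL;
    LPVOID pNewFileBuffer = NULL;
    int exitCode = 1;

    if (ReadPEFile(FilePath_In, &pFileBuffer) != ERROR) {
        //ReturnAllPEInfo(pFileBuffer);
        if (CopyFileBufferToImageBuffer(pFileBuffer, &pImageBuffer) != ERROR) {
            DWORD FileSize = CopyImageBufferToNewFileBuffer(pImageBuffer, &pNewFileBuffer);
            if (FileSize != ERROR && NewFileBufferToFile(pNewFileBuffer, FileSize, FilePath_Out)) {
                exitCode = 0;
            }
        }
    }

    // free(NULL) is a no-op, so the buffers of steps that never ran are fine.
    free(pFileBuffer);
    free(pImageBuffer);

    // Keep the console window open until a key is pressed.
    printf("为防止闪屏消失,请手动按任意键结束...");
    getchar();
    return exitCode;
}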

一起学习的小伙伴可以互相关注,一起学习,一起加油噢!

这个系列会一直更新,最重要的是,想练习前面的小伙伴,记得自己写Hello World来测试。
