Inject code into a PE file (.docx)
- Document number: 6270431
- Upload date: 2023-01-05
- Format: DOCX
- Pages: 19
- Size: 20.39 KB
Inject your code to a Portable Executable file

By Ashkbiz Danehkar (original author)
Translator: arhat
Date: April 16, 2006
Keywords: PE, debugger, disassembler, OEP, SEH, import table

This article demonstrates five steps to inject your code into a portable executable (EXE, DLL, OCX, ...) file without recompiling the source code.
Downloads
- PE Viewer
- PE Maker - Step 1 - Add new Section
- PE Maker - Step 2 - Travel towards OEP
- PE Maker - Step 3 - Support Import Table
- PE Maker - Step 4 - Support DLL and OCX
- PE Maker - Step 5 - Final work
- CALC.EXE - test file
Contents
0. Preface
1. Prerequisite
2. Portable Executable file format
  2.1 The MS-DOS data
  2.2 The Windows NT data
  2.3 The Section Headers and Sections
3. Debugger, Disassembler and some Useful Tools
  3.1 Debuggers
    3.1.1 SoftICE
    3.1.2 OllyDbg
    3.1.3 Which parts are important in a debugger interface?
  3.2 Disassembler
    3.2.1 Proview disassembler
    3.2.2 W32Dasm
    3.2.3 IDA Pro
  3.3 Some Useful Tools
    3.3.1 LordPE
    3.3.2 PEiD
    3.3.3 Resource Hacker
    3.3.4 WinHex
    3.3.5 CFF Explorer
4. Add new section and Change OEP
  4.1 Retrieve and Rebuild PE file
  4.2 Create Data for new Section
  4.3 Some notes regarding creating a new PE file
  4.4 Some notes regarding linking this VC Project
5. Store Important Data and Reach Original OEP
  5.1 Restore the first Registers Context
  5.2 Restore the Original Stack
  5.3 Approach OEP by Structured Exception Handling
    5.3.1 Implement Exception Handler
    5.3.2 Attain OEP by adjusting the Thread Context
6. Build an Import Table and Reconstruct the Original Import Table
  6.1 Construct the Client Import Table
  6.2 Using other API functions in run-time
  6.3 Fix up the Original Import Table
7. Support DLL and OCX
  7.1 Twice OEP approach
  7.2 Implement Relocation Table
  7.3 Build a Special Import table
8. Preserve the Thread Local Storage
9. Inject your code
10. Conclusion
0 Preface

It might be that you want to understand how a virus program injects its procedure into the interior of a portable executable file and corrupts it, or you are interested in implementing a packer or a protector for your own purpose of encrypting the data of your portable executable (PE) file. This article is committed to giving a brief intuition of what is accomplished by EXE tools or some kinds of malware.

You can employ the source code of this article to create your custom EXE builder. It could be used to make an EXE protector in the right way, or, with a wrong intention, to propagate a virus. However, my purpose in writing this article has been to look at the first application, so I will not be responsible for the immoral usage of these methods.
1 Prerequisite

There are no specific mandatory prerequisites to follow the topics in this article. If you are familiar with debuggers and also the portable executable file format, I suggest you skip sections 2 and 3; the whole of these sections has been written for people who don't have any knowledge of the EXE file format or of debuggers.
2 Portable Executable file format

The Portable Executable file format was defined to provide the best way for the Windows operating system to execute code and also to store the essential data which is needed to run a program, for example constant data, variable data, import library links, and resource data. It consists of MS-DOS file information, Windows NT file information, Section Headers, and Section images (Table 1).
2.1 The MS-DOS data

These data let you remember the first days of developing the Windows operating system, the days when we were at the beginning of the way to a complete operating system like Windows NT 3.51 (I mean, Win 3.1, Win 95 and Win 98 were not perfect OSs). The MS-DOS data causes your executable file to call a function inside MS-DOS, and the MS-DOS stub program lets it display "This program cannot be run in MS-DOS mode" or "This program can be run only in Windows mode", or some message like these, when you try to run a Windows EXE file inside MS-DOS 6.0, where there is no trace of Windows. Thus, this data is reserved for the code that shows these messages in the MS-DOS operating system. The most interesting part of the MS-DOS data is "MZ"! Can you believe it refers to the name of Mark Zbikowski, one of the first Microsoft programmers?
To me, only the offset of the PE signature in the MS-DOS data is important, because I can use it to find the position of the Windows NT data. I just recommend you take a look at Table 1, then observe the structure of IMAGE_DOS_HEADER in the <winnt.h> header in the <Microsoft Visual Studio .net path>\VC7\PlatformSDK\include\ folder or the <Microsoft Visual Studio 6.0 path>\VC98\include\ folder. I do not know why the Microsoft team has forgotten to provide some comment about this structure in the MSDN library!
```c
typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header "MZ"
    WORD   e_magic;                     // Magic number
    WORD   e_cblp;                      // Bytes on last page of file
    WORD   e_cp;                        // Pages in file
    WORD   e_crlc;                      // Relocations
    WORD   e_cparhdr;                   // Size of header in paragraphs
    WORD   e_minalloc;                  // Minimum extra paragraphs needed
    WORD   e_maxalloc;                  // Maximum extra paragraphs needed
    WORD   e_ss;                        // Initial (relative) SS value
    WORD   e_sp;                        // Initial SP value
    WORD   e_csum;                      // Checksum
    WORD   e_ip;                        // Initial IP value
    WORD   e_cs;                        // Initial (relative) CS value
    WORD   e_lfarlc;                    // File address of relocation table
    WORD   e_ovno;                      // Overlay number
    WORD   e_res[4];                    // Reserved words
    WORD   e_oemid;                     // OEM identifier (for e_oeminfo)
    WORD   e_oeminfo;                   // OEM information; e_oemid specific
    WORD   e_res2[10];                  // Reserved words
    LONG   e_lfanew;                    // File address of the new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
```
e_lfanew is the offset which refers to the position of the Windows NT data. I have provided a program to obtain the header information from an EXE file and to display it to you. To use the program, just try:

PE Viewer - Download source files (132 KB)

This sample is useful for the whole of this article.
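As an added example (not the article's PE Viewer source and not code from the author), the following C program does what the paragraph above describes: it checks e_magic, follows e_lfanew to IMAGE_NT_HEADERS, and extracts the IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER32 fields that Table 1 lists. It hand-rolls little-endian readers instead of including <winnt.h> so that it also builds outside Visual Studio; the sample header bytes are constructed from the values printed in Table 1 and are not a real executable. The names pe_parse, build_table1_headers and pe_entry_va are my own. The one thing the paragraph does not spell out, and which a viewer needs in practice, is that e_lfanew is a file-supplied offset: every step below bounds-checks it against the buffer length before reading, which is what keeps a header viewer from crashing on a truncated or deliberately malformed header.

```c
/* Added example, not code from the article or its PE Viewer project: walk an
 * in-memory PE image from IMAGE_DOS_HEADER through e_lfanew to IMAGE_NT_HEADERS,
 * bounds-checking every offset before it is dereferenced.
 * Field offsets follow the winnt.h layout for PE32 (IMAGE_OPTIONAL_HEADER32). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DOS_MAGIC    0x5A4Du     /* "MZ" read as a little-endian WORD */
#define NT_SIGNATURE 0x00004550u /* "PE\0\0" read as a little-endian DWORD */
#define PE32_MAGIC   0x010Bu     /* IMAGE_OPTIONAL_HEADER32.Magic */

typedef struct {
    uint32_t e_lfanew;
    uint16_t machine;
    uint16_t number_of_sections;
    uint16_t size_of_optional_header;
    uint16_t characteristics;
    uint16_t magic;
    uint32_t address_of_entry_point;
    uint32_t image_base;
} pe_summary;

/* Little-endian accessors so the code behaves the same on any host. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Parse the headers of a PE32 file held in buf[0..len). Returns 0 on success or a
 * negative code naming the check that failed; never reads outside buf. */
int pe_parse(const uint8_t *buf, size_t len, pe_summary *out)
{
    if (len < 0x40) return -1;                         /* no room for IMAGE_DOS_HEADER */
    if (rd16(buf + 0x00) != DOS_MAGIC) return -2;      /* e_magic is not "MZ" */
    uint32_t e_lfanew = rd32(buf + 0x3C);              /* IMAGE_DOS_HEADER.e_lfanew */
    /* e_lfanew comes from the file, so treat it as untrusted: it must leave room for
     * the 4-byte signature plus the 20-byte IMAGE_FILE_HEADER. */
    if (e_lfanew < 0x40 || e_lfanew > len - 24) return -3;
    const uint8_t *nt = buf + e_lfanew;
    if (rd32(nt) != NT_SIGNATURE) return -4;           /* not "PE\0\0" */
    const uint8_t *fh = nt + 4;                        /* IMAGE_FILE_HEADER */
    out->e_lfanew = e_lfanew;
    out->machine = rd16(fh + 0);
    out->number_of_sections = rd16(fh + 2);
    out->size_of_optional_header = rd16(fh + 16);
    out->characteristics = rd16(fh + 18);
    const uint8_t *oh = fh + 20;                       /* IMAGE_OPTIONAL_HEADER32 */
    /* We read up to ImageBase (offset 28, 4 bytes), so at least 32 bytes must be present. */
    if (out->size_of_optional_header < 32 ||
        (size_t)(oh - buf) + out->size_of_optional_header > len) return -5;
    out->magic = rd16(oh + 0);
    if (out->magic != PE32_MAGIC) return -6;           /* PE32+ has a different layout */
    out->address_of_entry_point = rd32(oh + 16);
    out->image_base = rd32(oh + 28);
    return 0;
}

/* Virtual address the loader jumps to: ImageBase + AddressOfEntryPoint (the OEP). */
uint32_t pe_entry_va(const pe_summary *s) { return s->image_base + s->address_of_entry_point; }

/* Constructed sample: only the header bytes that matter, filled with the values shown
 * in Table 1 (e_lfanew = 0xF0, Machine = 0x014C, 3 sections, ...). Everything else is
 * zero; this is not a runnable executable. Returns the number of bytes written. */
size_t build_table1_headers(uint8_t *buf, size_t cap)
{
    const size_t need = 0x200;            /* covers the 0xE0-byte optional header */
    if (cap < need) return 0;
    memset(buf, 0, need);
    wr16(buf + 0x00, DOS_MAGIC);
    wr32(buf + 0x3C, 0xF0);               /* e_lfanew */
    wr32(buf + 0xF0, NT_SIGNATURE);
    wr16(buf + 0xF4, 0x014C);             /* Machine: i386 */
    wr16(buf + 0xF6, 0x0003);             /* NumberOfSections */
    wr32(buf + 0xF8, 0x3B7D8410);         /* TimeDateStamp */
    wr16(buf + 0x104, 0x00E0);            /* SizeOfOptionalHeader */
    wr16(buf + 0x106, 0x010F);            /* Characteristics */
    wr16(buf + 0x108, PE32_MAGIC);        /* Magic */
    wr32(buf + 0x118, 0x00012475);        /* AddressOfEntryPoint */
    wr32(buf + 0x124, 0x01000000);        /* ImageBase */
    return need;
}

int main(void)
{
    uint8_t img[0x200];
    size_t n = build_table1_headers(img, sizeof img);
    pe_summary s;
    int rc = pe_parse(img, n, &s);
    if (rc != 0) { printf("parse failed: %d\n", rc); return 1; }
    printf("e_lfanew=0x%X machine=0x%04X sections=%u entry VA=0x%08X\n",
           (unsigned)s.e_lfanew, (unsigned)s.machine, (unsigned)s.number_of_sections,
           (unsigned)pe_entry_va(&s));
    /* Point e_lfanew past the buffer: the parser refuses instead of reading out of bounds. */
    wr32(img + 0x3C, 0x7FFFFFF0);
    printf("corrupted e_lfanew -> rc=%d\n", pe_parse(img, n, &s));
    return 0;
}
```

To run it against a real file, read the file into a buffer and hand the buffer and its length to pe_parse; the return codes distinguish a non-PE file (-2, -4) from a header that claims more than the file contains (-3, -5), which is the case that matters when the input may be hostile.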
Table 1 - Portable Executable file format structure

| Part | Structure | Offset | Value | Field |
|---|---|---|---|---|
| MS-DOS information | IMAGE_DOS_HEADER | 00000000 | ASCII "MZ" | DOS EXE Signature |
| | | 00000002 | DW 0090 | DOS_PartPag |
| | | 00000004 | DW 0003 | DOS_PageCnt |
| | | 00000006 | DW 0000 | DOS_ReloCnt |
| | | 00000008 | DW 0004 | DOS_HdrSize |
| | | 0000000A | DW 0000 | DOS_MinMem |
| | | 0000000C | DW FFFF | DOS_MaxMem |
| | | 0000000E | DW 0000 | DOS_ReloSS |
| | | 00000010 | DW 00B8 | DOS_ExeSP |
| | | 00000012 | DW 0000 | DOS_ChkSum |
| | | 00000014 | DW 0000 | DOS_ExeIP |
| | | 00000016 | DW 0000 | DOS_ReloCS |
| | | 00000018 | DW 0040 | DOS_TablOff |
| | | 0000001A | DW 0000 | DOS_Overlay |
| | | 0000001C ... 0000003B | DB 00 ... DB 00 | Reserved words |
| | | 0000003C | DD 000000F0 | Offset to PE signature |
| | MS-DOS Stub Program | 00000040 | stub code (non-printable bytes) followed by ASCII "This program cannot be run in DOS mode....$......." | |
| Windows NT information | IMAGE_NT_HEADERS Signature | 000000F0 | ASCII "PE" | PE signature (PE) |
| | IMAGE_FILE_HEADER | 000000F4 | DW 014C | Machine |
| | | 000000F6 | DW 0003 | NumberOfSections |
| | | 000000F8 | DD 3B7D8410 | TimeDateStamp |
| | | 000000FC | DD 00000000 | PointerToSymbolTable |
| | | 00000100 | DD 00000000 | NumberOfSymbols |
| | | 00000104 | DW 00E0 | SizeOfOptionalHeader |
| | | 00000106 | DW 010F | Characteristics |
| | IMAGE_OPTIONAL_HEADER32 | 00000108 | DW 010B | Magic Number |
| | | 0000010A | DB 07 | MajorLinkerVersion |
| | | 0000010B | DB 00 | MinorLinkerVersion |
| | | 0000010C | DD 00012800 | SizeOfCode |
| | | 00000110 | DD 00009C00 | SizeOfInitializedData |
| | | 00000114 | DD 00000000 | SizeOfUninitializedData |
| | | 00000118 | DD 00012475 | AddressOfEntryPoint |
| | | 0000011C | DD 00001000 | BaseOfCode |
| | | 00000120 | DD 00014000 | BaseOfData |
| | | 00000124 | DD 01000000 | ImageBase |
| | | 00000128 | DD 00001000 | SectionAlignment |
| | | 0000012C | DD 00000200 | FileAlignment |
| | | 00000130 | DW 0005 | MajorOSVersion |
| | | 00000132 | DW 0001 | MinorOSVersion |
| | | 00000134 | DW 0005 | MajorImageVersion |
| | | 00000136 | DW 0001 | MinorImageVersion |
| | | 00000138 | DW 0004 | MajorSubsystemVersion |
| | | 0000013A | DW 0000 | MinorSubsystemVersion |
| | | 0000013C | DD 00000000 | Reserved |
| | | 00000140 | DD 0001F000 | SizeOfImage |
| | | 00000144 | DD 00000400 | SizeOfHeaders |
| | | 00000148 | DD 0001D7FC | CheckSum |
| | | 0000014C | DW 0002 | Subsystem |
| | | 0000014E | DW 8000 | DLLCharacteristics |
| | | 00000150 | DD 00040000 | SizeOfStackReserve |
| | | 00000154 | DD 00001000 | SizeOfStackCommit |
| | | 00000158 | DD 00100000 | SizeOfHeapReserve |
| | | 0000015C | DD 00001000 | SizeOfHeapCommit |
| | | 00000160 | DD 00000000 | LoaderFlags |
| | | 00000164 | DD 00000010 | Number |