#include<Windows.h>
#include<iostream>
using namespace std;
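// The address of Messagebox can be obtained with printf("%p",Messagebox);
// NOTE(review): this is an absolute address captured in one process on one
// machine. Module load addresses vary with the Windows build and with ASLR,
// so the value is only meaningful in the environment where it was sampled.
int MessageboxAddress = 0x767BACF0;

// 18-byte 32-bit x86 stub that is copied into the target image.
// Declared unsigned char: 0xE8 and 0xE9 do not fit in a signed char, and
// narrowing inside a braced initializer is ill-formed in C++11 and later.
unsigned char insertcode[] = {
    0x6A, 0x00,                    // push 0
    0x6A, 0x00,                    // push 0
    0x6A, 0x00,                    // push 0
    0x6A, 0x00,                    // push 0
    0xE8, 0x00, 0x00, 0x00, 0x00,  // call rel32 (displacement patched in at offset 0x09)
    0xE9, 0x00, 0x00, 0x00, 0x00   // jmp  rel32 (displacement patched in at offset 0x0E)
};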
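/// Returns the size of an open file in bytes and rewinds it to the start.
///
/// @param pfile  Stream opened for reading; may be NULL.
/// @return The file size, or -1 if pfile is NULL, seeking fails, ftell fails,
///         or the size does not fit in a 32-bit int.
int len(FILE* pfile)
{
    if (pfile == NULL)
        return -1;
    if (fseek(pfile, 0, SEEK_END) != 0)
        return -1;

    const long result = ftell(pfile);
    rewind(pfile);

    // ftell reports failure as -1L; also refuse sizes the int return type
    // cannot represent instead of silently truncating them.
    if (result < 0 || result > 0x7FFFFFFFL)
        return -1;
    return (int)result;
}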
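// True when the byte range [offset, offset + size) lies inside a buffer of
// `total` bytes; written so that the comparison itself cannot overflow.
static bool in_bounds(size_t offset, size_t size, size_t total)
{
    return offset <= total && size <= total - offset;
}

// Validates the PE headers held in `buffer` and, if the first section has at
// least 18 unused bytes between VirtualSize and SizeOfRawData, copies
// insertcode there, fills in its two rel32 displacements and points
// AddressOfEntryPoint at it. Returns false without modifying the buffer when
// any header field read from the file is missing or out of range.
static bool patch_entry_point(char* buffer, size_t length)
{
    const DWORD kStubSize = 18;  // size of insertcode; offsets 0x09/0x0E below depend on it

    // Every offset below comes from the file itself, so each one is checked
    // against the buffer size before it is dereferenced.
    if (!in_bounds(0, sizeof(IMAGE_DOS_HEADER), length))
        return false;
    PIMAGE_DOS_HEADER pdos = (PIMAGE_DOS_HEADER)buffer;
    if (pdos->e_magic != IMAGE_DOS_SIGNATURE || pdos->e_lfanew < 0)
        return false;

    const size_t nt_off = (size_t)pdos->e_lfanew;
    if (!in_bounds(nt_off, sizeof(IMAGE_NT_HEADERS), length))
        return false;
    PIMAGE_NT_HEADERS pnt = (PIMAGE_NT_HEADERS)(buffer + nt_off);
    if (pnt->Signature != IMAGE_NT_SIGNATURE)
        return false;

    PIMAGE_FILE_HEADER pf = (PIMAGE_FILE_HEADER)(buffer + nt_off + sizeof(DWORD));
    PIMAGE_OPTIONAL_HEADER pot =
        (PIMAGE_OPTIONAL_HEADER)(buffer + nt_off + sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER));
    if (pf->NumberOfSections < 1)
        return false;

    const size_t sec_off =
        nt_off + sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER) + pf->SizeOfOptionalHeader;
    if (!in_bounds(sec_off, sizeof(IMAGE_SECTION_HEADER), length))
        return false;
    PIMAGE_SECTION_HEADER psec = (PIMAGE_SECTION_HEADER)(buffer + sec_off);

    const DWORD raw_size = psec[0].SizeOfRawData;
    const DWORD virt_size = psec[0].Misc.VirtualSize;
    // VirtualSize may exceed SizeOfRawData; compare first so the unsigned
    // subtraction cannot wrap.
    if (virt_size > raw_size || raw_size - virt_size < kStubSize)
        return false;
    if (!in_bounds(psec[0].PointerToRawData, raw_size, length))
        return false;

    // File offset of the first unused byte of section 0.
    // NOTE(review): the original code uses this file offset as if it were an
    // RVA; that holds only when section 0's PointerToRawData equals its
    // VirtualAddress. Kept as written.
    const DWORD stub_off = psec[0].PointerToRawData + virt_size;
    char* code_begin = buffer + stub_off;
    memcpy(code_begin, insertcode, kStubSize);

    // Compute the call displacement and write it: target minus the address
    // of the instruction that follows the call (stub offset 8 + 5).
    const DWORD calladder =
        (DWORD)MessageboxAddress - ((DWORD)pot->ImageBase + stub_off + 8 + 5);
    memcpy(code_begin + 0x09, &calladder, sizeof(calladder));  // memcpy: destination may be unaligned

    // Compute the jmp displacement and write it: original entry point minus
    // the address just past the stub.
    const DWORD jmpadder = (DWORD)(pot->ImageBase + pot->AddressOfEntryPoint
                                   - (pot->ImageBase + stub_off + kStubSize));
    memcpy(code_begin + 0x0E, &jmpadder, sizeof(jmpadder));

    // Change the OEP (original entry point) so execution starts at the stub.
    pot->AddressOfEntryPoint = stub_off;
    return true;
}

/// Reads fg.exe, patches its entry point through patch_entry_point and writes
/// the result to fg1.exe. Prints "error" and returns 1 on any failure.
///
/// The output differs from the input on disk, so a hash or signature computed
/// over the original file no longer matches the written copy.
int main()
{
    FILE* pfile = fopen("C://Users//52511//Desktop//fg.exe", "rb");
    if (pfile == NULL)
    {
        cout << "error" << endl;
        return 1;
    }

    const int length = len(pfile);
    char* buffer = NULL;
    if (length > 0)
        buffer = (char*)malloc(sizeof(char) * length);

    // A short read would leave part of the buffer uninitialized, so require
    // the whole file.
    bool ok = buffer != NULL
           && fread(buffer, 1, length, pfile) == (size_t)length;
    fclose(pfile);  // FILE* handles are released with fclose, never free

    ok = ok && patch_entry_point(buffer, (size_t)length);

    if (ok)
    {
        // Opened only after validation so a rejected input does not leave an
        // empty output file behind.
        FILE* filebuffer1 = fopen("C://Users//52511//Desktop//fg1.exe", "wb");
        ok = filebuffer1 != NULL;
        if (ok)
        {
            ok = fwrite(buffer, 1, length, filebuffer1) == (size_t)length;
            if (fclose(filebuffer1) != 0)
                ok = false;
        }
    }

    free(buffer);
    if (!ok)
    {
        cout << "error" << endl;
        return 1;
    }
    return 0;
}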
版权声明:本文为qq_52442096原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。