• 通过解析PE头，读取DLL模块和DLL模块函数


    win32

      

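    int main()
    {
        // Enumerate the import table of the running executable: for each imported
        // module, print its name and the name (or ordinal) of every function taken
        // from it. The image is already mapped, so every RVA is resolved by adding
        // the module base; no file I/O is involved.
        //
        // Beyond the bare header walk this checks the DOS and PE signatures before
        // following e_lfanew, treats an absent import directory as "nothing to
        // list", and recognises ordinal-only thunks instead of reading them as
        // IMAGE_IMPORT_BY_NAME.
        ::MessageBox(NULL, TEXT("111"), TEXT("222"), 0);

        const HMODULE vHmodule = GetModuleHandle(NULL);
        if (vHmodule == NULL)
        {
            printf("GetModuleHandle failed, error=%lu ", GetLastError());
            return EXIT_FAILURE;
        }
        // ULONG_PTR rather than DWORD so the base+RVA arithmetic also holds on x64.
        const ULONG_PTR base = (ULONG_PTR)vHmodule;
        printf("vHmodule = %p ", (void *)vHmodule);

        const IMAGE_DOS_HEADER *vImageDosHeader = (const IMAGE_DOS_HEADER *)vHmodule;
        if (vImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        {
            printf("not a PE image: DOS signature mismatch ");
            return EXIT_FAILURE;
        }
        printf("vImageDosHeader->e_lfanew = %08X ", (unsigned)vImageDosHeader->e_lfanew);

        // e_lfanew is only trusted once the PE signature behind it checks out.
        const IMAGE_NT_HEADERS *vImageNtHeaders = (const IMAGE_NT_HEADERS *)(base + vImageDosHeader->e_lfanew);
        if (vImageNtHeaders->Signature != IMAGE_NT_SIGNATURE)
        {
            printf("not a PE image: NT signature mismatch ");
            return EXIT_FAILURE;
        }

        // IMAGE_DIRECTORY_ENTRY_IMPORT is what the magic index 1 meant. Reading the
        // native OptionalHeader (instead of copying it into IMAGE_OPTIONAL_HEADER32)
        // keeps this correct for a 64-bit build too.
        const IMAGE_DATA_DIRECTORY vImageDataDirectory =
            vImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
        printf("*vImageDataDirectory.VirtualAddress=0x%08X ", (unsigned)vImageDataDirectory.VirtualAddress);
        if (vImageDataDirectory.VirtualAddress == 0 || vImageDataDirectory.Size == 0)
        {
            printf("no import directory ");
            system("pause");
            return EXIT_SUCCESS;
        }

        printf(" ");
        // The descriptor array ends with an all-zero entry, so Name == 0 terminates.
        for (const IMAGE_IMPORT_DESCRIPTOR *vImageImportDescriptor =
                 (const IMAGE_IMPORT_DESCRIPTOR *)(base + vImageDataDirectory.VirtualAddress);
             vImageImportDescriptor->Name != 0;
             ++vImageImportDescriptor)
        {
            printf("vImageImportDescriptor->Name=%s ", (const char *)(base + vImageImportDescriptor->Name));

            // Only the INT (OriginalFirstThunk) still holds name RVAs in a loaded
            // image; the IAT (FirstThunk) was overwritten with resolved addresses by
            // the loader. A descriptor without an INT has no names to print.
            if (vImageImportDescriptor->OriginalFirstThunk == 0)
            {
                printf("(no import name table) ");
                continue;
            }

            for (const IMAGE_THUNK_DATA *vImageThunkData =
                     (const IMAGE_THUNK_DATA *)(base + vImageImportDescriptor->OriginalFirstThunk);
                 vImageThunkData->u1.AddressOfData != 0;
                 ++vImageThunkData)
            {
                // An ordinal import has no IMAGE_IMPORT_BY_NAME behind it; treating the
                // ordinal as an RVA would read unrelated memory.
                if (IMAGE_SNAP_BY_ORDINAL(vImageThunkData->u1.Ordinal))
                {
                    printf("ordinal=#%u ", (unsigned)IMAGE_ORDINAL(vImageThunkData->u1.Ordinal));
                    continue;
                }
                const IMAGE_IMPORT_BY_NAME *vImageImportByName =
                    (const IMAGE_IMPORT_BY_NAME *)(base + vImageThunkData->u1.AddressOfData);
                printf("vImageImportByName->Name=%s ", vImageImportByName->Name);
            }
            printf(" ");
        }
        system("pause");
        return EXIT_SUCCESS;
    }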

    MFC

    #include <atlconv.h>

    VOID
    WINAPI
    ReWriteSleep(_In_ DWORD p)
    {
        // Replacement body that dd() writes into the IAT slot for Sleep: it shows a
        // message box and never sleeps. The signature mirrors Sleep (WINAPI, one
        // DWORD) so the caller's stdcall stack cleanup still matches; the
        // millisecond argument is deliberately ignored.
        UNREFERENCED_PARAMETER(p);
        ::MessageBox(NULL, TEXT("改写Sleep"), TEXT("改写Sleep"), 0);
    }

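    // Redirect one IAT slot to ReWriteSleep.
    //
    // The IAT is normally mapped read-only, so the page is made writable for the
    // single store and the previous protection is put back afterwards.
    // PAGE_READWRITE is sufficient: nothing is ever executed from the IAT, so the
    // earlier PAGE_EXECUTE_READWRITE only left an RWX page behind. Both
    // VirtualProtect results are checked; on failure nothing is written and the
    // error is logged. VirtualProtect is given the size of the slot itself, not
    // of a pointer to it. Diagnostics use %p so they stay correct on x64.
    // Returns true when the slot was rewritten.
    static bool RedirectSlotToReWriteSleep(IMAGE_THUNK_DATA *slot)
    {
        CString str;
        str.Format(TEXT("重写Sleep函数地址是=%p "), (void *)&ReWriteSleep);
        ::OutputDebugString(str);
        str.Format(TEXT("找到了Sleep函数地址是=%p "), (void *)slot->u1.Function);
        ::OutputDebugString(str);
        str.Format(TEXT("u1.Function地址=%p "), (void *)&slot->u1.Function);
        ::OutputDebugString(str);

        ::MessageBox(NULL, TEXT("333333"), TEXT("55555"), 0);

        DWORD oldProtect = 0;
        if (!::VirtualProtect(&slot->u1.Function, sizeof(slot->u1.Function), PAGE_READWRITE, &oldProtect))
        {
            str.Format(TEXT("VirtualProtect failed, error=%lu "), GetLastError());
            ::OutputDebugString(str);
            return false;
        }
        slot->u1.Function = (DWORD_PTR)&ReWriteSleep;
        DWORD restored = 0;
        if (!::VirtualProtect(&slot->u1.Function, sizeof(slot->u1.Function), oldProtect, &restored))
        {
            str.Format(TEXT("VirtualProtect (restore) failed, error=%lu "), GetLastError());
            ::OutputDebugString(str);
            return false;
        }
        return true;
    }

    void dd()
    {
        // Walk this executable's import directory, find the thunk named "Sleep" and
        // point its IAT slot at ReWriteSleep, logging each step via
        // OutputDebugString. The INT (OriginalFirstThunk) supplies names; the IAT
        // (FirstThunk), walked in lockstep, holds the address the loader resolved
        // and is the slot that gets rewritten.
        //
        // Changes from the first version: DOS/PE signatures are validated before
        // e_lfanew is followed, the import directory is looked up by
        // IMAGE_DIRECTORY_ENTRY_IMPORT and may be empty, ordinal thunks are
        // recognised per entry (the old "first thunk below the module base" test was
        // a crude stand-in for this), IMAGE_IMPORT_BY_NAME is only dereferenced
        // after the null check, and the page-protection dance lives in
        // RedirectSlotToReWriteSleep with its results checked. Because this edits
        // the image's own IAT, an IAT-integrity check (each slot compared against
        // GetProcAddress of the named import) will report the Sleep slot as hooked.
        CString str;

        const HMODULE vHmodule = GetModuleHandle(NULL);
        if (vHmodule == NULL)
        {
            str.Format(TEXT("GetModuleHandle failed, error=%lu "), GetLastError());
            ::OutputDebugString(str);
            return;
        }
        // DWORD_PTR rather than DWORD so the base+RVA arithmetic also holds on x64.
        const DWORD_PTR base = (DWORD_PTR)vHmodule;

        str.Format(TEXT("vHmodule = %p "), (void *)vHmodule);
        ::OutputDebugString(str);

        const IMAGE_DOS_HEADER *vImageDosHeader = (const IMAGE_DOS_HEADER *)vHmodule;
        if (vImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        {
            ::OutputDebugString(TEXT("not a PE image: DOS signature mismatch "));
            return;
        }
        str.Format(TEXT("vImageDosHeader->e_lfanew = %08X "), (unsigned)vImageDosHeader->e_lfanew);
        ::OutputDebugString(str);

        const IMAGE_NT_HEADERS *vImageNtHeaders = (const IMAGE_NT_HEADERS *)(base + vImageDosHeader->e_lfanew);
        if (vImageNtHeaders->Signature != IMAGE_NT_SIGNATURE)
        {
            ::OutputDebugString(TEXT("not a PE image: NT signature mismatch "));
            return;
        }

        const IMAGE_DATA_DIRECTORY vImageDataDirectory =
            vImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
        str.Format(TEXT("*vImageDataDirectory.VirtualAddress=0x%08X "), (unsigned)vImageDataDirectory.VirtualAddress);
        ::OutputDebugString(str);
        if (vImageDataDirectory.VirtualAddress == 0 || vImageDataDirectory.Size == 0)
        {
            ::OutputDebugString(TEXT("no import directory "));
            return;
        }

        CString importName;
        const CString targetName = TEXT("Sleep");
        ::OutputDebugString(TEXT(" "));
        ::OutputDebugString(TEXT(" "));

        // The descriptor array ends with an all-zero entry, so Name == 0 terminates.
        for (const IMAGE_IMPORT_DESCRIPTOR *vImageImportDescriptor =
                 (const IMAGE_IMPORT_DESCRIPTOR *)(base + vImageDataDirectory.VirtualAddress);
             vImageImportDescriptor->Name != 0;
             ++vImageImportDescriptor)
        {
            // Without an INT there are no names to compare; the IAT alone holds only
            // addresses once the loader has run.
            if (vImageImportDescriptor->OriginalFirstThunk == 0)
                continue;

            // %hs: the module name is always a narrow string, whatever TCHAR is.
            str.Format(TEXT("vImageImportDescriptor->Name=%hs "), (const char *)(base + vImageImportDescriptor->Name));
            ::OutputDebugString(str);

            const IMAGE_THUNK_DATA *vImageThunkData =
                (const IMAGE_THUNK_DATA *)(base + vImageImportDescriptor->OriginalFirstThunk);
            IMAGE_THUNK_DATA *vImageThunkData2 =
                (IMAGE_THUNK_DATA *)(base + vImageImportDescriptor->FirstThunk);

            str.Format(TEXT("vImageThunkData->u1.AddressOfData=%08X "), (unsigned)vImageThunkData->u1.AddressOfData);
            ::OutputDebugString(str);

            // INT and IAT are parallel, zero-terminated arrays.
            for (; vImageThunkData->u1.AddressOfData != 0; ++vImageThunkData, ++vImageThunkData2)
            {
                // An ordinal thunk has no IMAGE_IMPORT_BY_NAME behind it.
                if (IMAGE_SNAP_BY_ORDINAL(vImageThunkData->u1.Ordinal))
                {
                    str.Format(TEXT("ordinal=#%u "), (unsigned)IMAGE_ORDINAL(vImageThunkData->u1.Ordinal));
                    ::OutputDebugString(str);
                    continue;
                }

                const IMAGE_IMPORT_BY_NAME *vImageImportByName =
                    (const IMAGE_IMPORT_BY_NAME *)(base + vImageThunkData->u1.AddressOfData);
                importName = vImageImportByName->Name;
                if (importName == targetName)
                {
                    for (int i = 0; i < 4; ++i)
                        ::OutputDebugString(TEXT(" "));
                    RedirectSlotToReWriteSleep(vImageThunkData2);
                    for (int i = 0; i < 4; ++i)
                        ::OutputDebugString(TEXT(" "));
                }

                // %s with an LPCTSTR is right for both ANSI and Unicode builds.
                str.Format(TEXT("vImageImportByName->Name=%s "), (LPCTSTR)importName);
                ::OutputDebugString(str);

                str.Format(TEXT("vImageThunkData2->u1.Function=%p "), (void *)vImageThunkData2->u1.Function);
                ::OutputDebugString(str);
            }
            ::OutputDebugString(TEXT(" "));
            ::OutputDebugString(TEXT(" "));
        }
    }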

  • 原文地址:https://www.cnblogs.com/kuangke/p/5419976.html