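/**
 * Rewrites every section header of a PE file so that its raw (on-disk) layout
 * equals its virtual layout: PointerToRawData := VirtualAddress and
 * SizeOfRawData := Misc.VirtualSize. The file is modified in place through a
 * read/write mapping.
 *
 * NOTE(review): this only makes sense for a file whose contents are already
 * laid out at virtual offsets (presumably a memory dump); confirm with callers.
 *
 * @param szTargetFname  Path of the PE file to patch.
 * @return TRUE when the headers were walked without a fault, FALSE when the
 *         file could not be mapped, is not a PE, or parsing faulted.
 */
BOOL FixSections(CHAR* szTargetFname)
{
    VOID*                 pMap;
    PIMAGE_DOS_HEADER     pDosh;
    PIMAGE_NT_HEADERS     pPeh;
    PIMAGE_SECTION_HEADER pSech;
    WORD                  wLeft;
    BOOL                  bOk = FALSE;

    // map the file
    pMap = MapFileRW(szTargetFname);
    if (!pMap)
        return FALSE;

    // The header fields come from the file and are therefore untrusted. The
    // size of the mapping is not available here, so the section table cannot
    // be bounds-checked; a walk off the end of the view is caught by the SEH
    // guard instead (same approach as PasteOrgIT).
    // NOTE(review): a fault can leave the file partially rewritten.
    __try
    {
        if (IsPE(pMap))
        {
            // start the correction
            pDosh = (PIMAGE_DOS_HEADER)pMap;

            // Byte-pointer arithmetic instead of a (DWORD) cast, which
            // truncates the address in a 64-bit build.
            // NOTE(review): e_lfanew is assumed to be validated by IsPE.
            pPeh = (PIMAGE_NT_HEADERS)((BYTE*)pMap + pDosh->e_lfanew);

            // IMAGE_FIRST_SECTION honours SizeOfOptionalHeader; the fixed
            // 0xF8 offset is only correct for a standard PE32 header.
            pSech = IMAGE_FIRST_SECTION(pPeh);

            // Counting down from NumberOfSections with a pre-tested loop means
            // a file that declares zero sections is left untouched instead of
            // entering the loop body and decrementing past zero.
            for (wLeft = pPeh->FileHeader.NumberOfSections; wLeft != 0; --wLeft, ++pSech)
            {
                pSech->PointerToRawData = pSech->VirtualAddress;
                pSech->SizeOfRawData    = pSech->Misc.VirtualSize;
            }

            bOk = TRUE;
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        bOk = FALSE;
    }

    // clean up
    UnmapViewOfFile(pMap);
    return bOk;
}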
// 函数说明: 初始化PE,读取PE文件,保存PE信息 BOOL CPE::InitPE(CString strFilePath) { //打开文件 if (OpenPEFile(strFilePath) == FALSE) return FALSE; //将PE以文件分布格式读取到内存 m_dwFileSize = GetFileSize(m_hFile, NULL); m_pFileBuf = new BYTE[m_dwFileSize]; DWORD ReadSize = 0; ReadFile(m_hFile, m_pFileBuf, m_dwFileSize, &ReadSize, NULL); CloseHandle(m_hFile); m_hFile = NULL; //判断是否为PE文件 if (IsPE() == FALSE) return FALSE; //将PE以内存分布格式读取到内存 //修正没镜像大小没有对齐的情况 m_dwImageSize = m_pNtHeader->OptionalHeader.SizeOfImage; m_dwMemAlign = m_pNtHeader->OptionalHeader.SectionAlignment; m_dwSizeOfHeader = m_pNtHeader->OptionalHeader.SizeOfHeaders; m_dwSectionNum = m_pNtHeader->FileHeader.NumberOfSections; if (m_dwImageSize % m_dwMemAlign) m_dwImageSize = (m_dwImageSize / m_dwMemAlign + 1) * m_dwMemAlign; LPBYTE pFileBuf_New = new BYTE[m_dwImageSize]; memset(pFileBuf_New, 0, m_dwImageSize); //拷贝文件头 memcpy_s(pFileBuf_New, m_dwSizeOfHeader, m_pFileBuf, m_dwSizeOfHeader); //拷贝区段 PIMAGE_SECTION_HEADER pSectionHeader = IMAGE_FIRST_SECTION(m_pNtHeader); for (DWORD i = 0; i < m_dwSectionNum; i++, pSectionHeader++) { memcpy_s(pFileBuf_New + pSectionHeader->VirtualAddress, pSectionHeader->SizeOfRawData, m_pFileBuf+pSectionHeader->PointerToRawData, pSectionHeader->SizeOfRawData); } delete[] m_pFileBuf; m_pFileBuf = pFileBuf_New; pFileBuf_New = NULL; //获取PE信息 GetPEInfo(); return TRUE; }
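/**
 * Copies the import thunk values of one PE file into another: for each import
 * descriptor of szOrgITPE, the FirstThunk array entries are written over the
 * corresponding FirstThunk array in szTargetPE, and the target descriptor's
 * ForwarderChain and TimeDateStamp are cleared.
 *
 * The source file is addressed through Rva2Offset (file layout); the target is
 * addressed with RVAs used directly as offsets.
 * NOTE(review): that presumes the target is laid out at virtual offsets and
 * shares the source's import directory RVA, which is read from the source
 * headers only - confirm with callers.
 *
 * Both files are untrusted input. Nothing here knows the size of either
 * mapping, so a descriptor or thunk walk that leaves the view is caught by the
 * SEH guard and reported as FALSE.
 * NOTE(review): in that case the target may already be partially modified.
 *
 * @param szOrgITPE   Path of the PE holding the original import table (read-only).
 * @param szTargetPE  Path of the PE to patch (mapped read/write).
 * @return TRUE on success; FALSE if a file cannot be mapped, either file is
 *         not a PE, or parsing faulted.
 */
BOOL PasteOrgIT(CHAR* szOrgITPE, CHAR* szTargetPE)
{
    VOID                     *pOrgMem, *pTargetMem;
    PIMAGE_DOS_HEADER        pDosh;
    PIMAGE_NT_HEADERS        pPeh;
    PIMAGE_IMPORT_DESCRIPTOR pOrgIID, pTarIID;
    DWORD                    *pdwOrg, *pdwTar;
    DWORD                    dwImportRva;
    BOOL                     bOk = FALSE;

    // map the files
    pOrgMem = MapFileR(szOrgITPE);
    if (!pOrgMem)
        return FALSE;

    pTargetMem = MapFileRW(szTargetPE);
    if (!pTargetMem)
    {
        UnmapViewOfFile(pOrgMem);
        return FALSE;
    }

    __try
    {
        // The headers dereferenced below belong to the source file, so it is
        // validated as well as the target before any field is read.
        if (IsPE(pOrgMem) && IsPE(pTargetMem))
        {
            // Byte-pointer arithmetic instead of (DWORD) casts, which truncate
            // addresses in a 64-bit build.
            pDosh = (PIMAGE_DOS_HEADER)pOrgMem;
            pPeh  = (PIMAGE_NT_HEADERS)((BYTE*)pOrgMem + pDosh->e_lfanew);

            dwImportRva =
                pPeh->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;

            pOrgIID = (PIMAGE_IMPORT_DESCRIPTOR)(
                (BYTE*)pOrgMem + Rva2Offset(pPeh, pDosh, dwImportRva));
            pTarIID = (PIMAGE_IMPORT_DESCRIPTOR)((BYTE*)pTargetMem + dwImportRva);

            // START THE FIX
            // The descriptor list ends at the first source entry whose
            // FirstThunk is zero.
            while (pOrgIID->FirstThunk)
            {
                pdwOrg = (DWORD*)((BYTE*)pOrgMem +
                                  Rva2Offset(pPeh, pDosh, pOrgIID->FirstThunk));
                pdwTar = (DWORD*)((BYTE*)pTargetMem + pTarIID->FirstThunk);

                // This is needed for W9X! The PE loader wouldn't
                // initialize the Import Table without it.
                pTarIID->ForwarderChain = 0;
                pTarIID->TimeDateStamp  = 0;

                // The length of each thunk array is dictated by the target's
                // zero terminator; the source is read in lock-step.
                while (*pdwTar)
                {
                    *pdwTar = *pdwOrg;
                    ++pdwTar;
                    ++pdwOrg;
                }

                ++pOrgIID;
                ++pTarIID;
            }

            bOk = TRUE;
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        bOk = FALSE;
    }

    // clean up - single exit path, so both views are always released
    UnmapViewOfFile(pOrgMem);
    UnmapViewOfFile(pTargetMem);
    return bOk;
}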