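// Returns true when `data` starts with a complete SDK marker for `name`:
// the byte 0xEB, a byte equal to name_size, then the name including its NUL.
// `remaining` is the number of section bytes available from `data` onwards;
// nothing past it is read.
static bool sdk_marker_at(const BYTE *data, DWORD remaining, const char *name, int name_size)
{
    // Same acceptance window as the original bound
    // (offset + 2 + name_size < section_size), written without an addition
    // that could wrap.
    if (remaining <= (DWORD)(2 + name_size))
        return false;

    // memcmp over name_size bytes (NUL included) is equivalent to the strcmp
    // the code used before, but makes the read length explicit.
    return data[0] == 0xeb
        && data[1] == name_size
        && memcmp(data + 2, name, (size_t)name_size) == 0;
}

/// Scans every executable section for WProtect SDK begin/end markers, overwrites
/// each accepted marker with NOP bytes (0x90) in the section data, and appends
/// one Code_Piece per begin/end pair to build_info.
///
/// A marker, as matched here, is 0xEB (the x86 short-jump opcode), a
/// displacement byte equal to strlen(name) + 1, and the NUL-terminated name.
/// Presumably the SDK macros emit it as a jump over an inline string; verify
/// against the SDK header.
///
/// @param section            PE section accessor; section bytes are patched in place.
/// @param build_info         Receives the ranges found between begin and end markers.
/// @param sz_sdk_begin_name  NUL-terminated begin-marker name; must not be null.
/// @param sz_sdk_end_name    NUL-terminated end-marker name; must not be null.
///
/// Calls exit(-1) when the number of begin and end markers differs after the scan.
void get_wprotect_sdk_address(CPESection & section, BuildExeInfo & build_info, char *sz_sdk_begin_name, char *sz_sdk_end_name)
{
    const DWORD kSectionExecutable = 0x20000000;   // IMAGE_SCN_MEM_EXECUTE

    int sdk_begin_count = 0;
    int sdk_end_count = 0;

    // The open begin marker is tracked as (section, offset) rather than as a
    // pointer squeezed into an int, which truncates on 64-bit builds and is
    // meaningless once the end marker turns up in another section.
    int begin_section = -1;
    DWORD begin_offset = 0;

    const int section_count = section.GetSectionCount();
    const int sdk_begin_str_size = (int)strlen(sz_sdk_begin_name) + 1;
    const int sdk_end_str_size = (int)strlen(sz_sdk_end_name) + 1;

    for (int i = 0; i < section_count; i++)   // each section
    {
        DWORD section_size = 0;
        BYTE * p = section.GetSectionData(i, &section_size);
        printf("第%d个区段,大小%d\n", i, (int)section_size);

        // Only executable sections are scanned; the flag does not change per
        // byte, so it is tested once per section.
        if (p == NULL || !(section.GetCharacteristics(i) & kSectionExecutable))
            continue;

        for (DWORD offset = 0; offset + 1 < section_size; offset++)
        {
            BYTE * const marker = p + offset;
            const DWORD remaining = section_size - offset;

            // Begin and end are tested independently, so an end marker is
            // still recognised when both names have the same length.
            if (sdk_marker_at(marker, remaining, sz_sdk_begin_name, sdk_begin_str_size))
            {
                sdk_begin_count++;
                if (sdk_begin_count - sdk_end_count == 1)
                {
                    memset(marker, 0x90, 2 + sdk_begin_str_size);
                    begin_section = i;
                    begin_offset = offset;
                }
                else
                {
                    // Nested begin: left in place; the final count check fails.
                    printf("sdk_begin_count Error!\n");
                }
            }
            else if (sdk_marker_at(marker, remaining, sz_sdk_end_name, sdk_end_str_size))
            {
                sdk_end_count++;
                if (sdk_begin_count != sdk_end_count)
                {
                    printf("sdk_end_count Error!\n");
                }
                else
                {
                    memset(marker, 0x90, 2 + sdk_end_str_size);

                    if (begin_section != i)
                    {
                        // A single Code_Piece is a start plus a size inside one
                        // section; a pair split across sections cannot be
                        // expressed, so it is reported instead of recorded.
                        printf("sdk_end_count Error! begin/end markers are in different sections\n");
                    }
                    else
                    {
                        Code_Piece piece;
                        piece.CodeStartAddr = section.GetSectionVa(i, begin_offset);
                        piece.CodeSize = offset - begin_offset;
                        build_info.push_back(piece);
                        printf("保护地址%x - %x\n", piece.CodeStartAddr, piece.CodeStartAddr+piece.CodeSize);
                    }
                }
            }
        }
    }

    if (sdk_begin_count != sdk_end_count)
    {
        printf("need last sdk_end_count!\n");
        exit(-1);
    }
}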
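/// Scans every executable section for WProtect SDK begin/end markers, overwrites
/// each matched marker with NOP bytes (0x90), and appends one build_piece per
/// begin/end pair to build_info.
///
/// A marker, as matched here, is 0xEB (the x86 short-jump opcode), a byte equal
/// to strlen(name) + 1, and the NUL-terminated name. Matching is a byte-at-a-time
/// state machine: sdk_begin_count / sdk_end_count hold the number of marker
/// bytes matched so far plus one (0 = idle, 2 = opcode and length byte seen).
///
/// Limitation: the length byte is tested against the begin name first, so when
/// both names have the same length the end marker is never recognised.
///
/// @param section            PE section accessor; section bytes are patched in place.
/// @param build_info         Receives the ranges found between begin and end markers.
/// @param sz_sdk_begin_name  NUL-terminated begin-marker name; must not be null.
/// @param sz_sdk_end_name    NUL-terminated end-marker name; must not be null.
void get_wprotect_sdk_address(CPESection & section, BuildCodeInfo & build_info, char *sz_sdk_begin_name, char *sz_sdk_end_name)
{
    const DWORD kSectionExecutable = 0x20000000;   // IMAGE_SCN_MEM_EXECUTE

    // The name sizes do not change during the scan; compute them once instead
    // of calling strlen for every byte of every section.
    const size_t sdk_begin_str_size = strlen(sz_sdk_begin_name) + 1;
    const size_t sdk_end_str_size = strlen(sz_sdk_end_name) + 1;
    // Opcode + length byte + longer of the two names (NUL included).
    const size_t longest_marker =
        2 + (sdk_begin_str_size > sdk_end_str_size ? sdk_begin_str_size : sdk_end_str_size);

    int sdk_begin_count = 0;
    int sdk_end_count = 0;
    int protect_begin_address = 0;
    int protect_end_address = 0;
    const int section_count = section.GetSectionCount();

    for (int index = 0; index < section_count; index++)
    {
        DWORD section_size = 0;
        BYTE * ptr_section_data = section.GetSectionData(index, &section_size);
        const bool is_executable = (section.GetCharacteristics(index) & kSectionExecutable) != 0;

        printf("\nSection No.%02d Size 0x%04X Flags 0x%8X IsExecute: %s\n",
               index,
               (unsigned)section_size,
               (unsigned)section.GetCharacteristics(index),
               is_executable ? "true" : "false");

        if (!is_executable || ptr_section_data == NULL)
        {
            continue;
        }

        for (int offset = 0; (DWORD)offset < section_size; offset++)
        {
            // Start a match only when idle and the whole marker fits inside
            // the section. The previous bound (offset + name size < section
            // size) let the matcher read one byte past the section when a
            // marker ended exactly at its last byte.
            if (sdk_begin_count == 0 && sdk_end_count == 0
                && ptr_section_data[offset] == 0xeb
                && (size_t)offset + longest_marker <= section_size)
            {
                const BYTE jump_len = ptr_section_data[offset + 1];
                if (jump_len == sdk_begin_str_size)
                {
                    sdk_begin_count = 2;
                    continue;
                }
                if (jump_len == sdk_end_str_size)
                {
                    sdk_end_count = 2;
                    continue;
                }
                // Neither length matches: stay idle and fall through.
            }

            if (sdk_begin_count > 1)
            {
                // Compare as bytes so name characters >= 0x80 still match when
                // plain char is signed.
                if (ptr_section_data[offset + 1] == (BYTE)sz_sdk_begin_name[sdk_begin_count - 2])
                {
                    sdk_begin_count++;
                }
                else
                {
                    // Mismatch: go idle and re-examine this same offset.
                    sdk_begin_count = 0;
                    offset--;
                    continue;
                }
            }

            if (sdk_end_count > 1)
            {
                if (ptr_section_data[offset + 1] == (BYTE)sz_sdk_end_name[sdk_end_count - 2])
                {
                    sdk_end_count++;
                }
                else
                {
                    sdk_end_count = 0;
                    offset--;
                    continue;
                }
            }

            // Opcode + length byte + name + NUL matched; offset now sits on the
            // last name character, so the marker starts str_size bytes back.
            if ((size_t)sdk_begin_count == sdk_begin_str_size + 2)
            {
                const int marker_offset = offset - (int)sdk_begin_str_size;
                printf("Found WProtect Begin offset:%08X, va:%08X\n",
                       marker_offset, section.GetSectionVa(index, marker_offset));
                if (protect_begin_address != 0)
                {
                    // The earlier begin is overwritten below and never recorded.
                    printf("%08X WProtect Begin has no matching WProtect End\n", protect_begin_address);
                }
                protect_begin_address = section.GetSectionVa(index, marker_offset);
                memset((void*)section.GetSectionPtr(index, marker_offset), 0x90, sdk_begin_count);
                sdk_begin_count = 0;
            }

            if ((size_t)sdk_end_count == sdk_end_str_size + 2)
            {
                const int end_str_size = (int)sdk_end_str_size;
                const int marker_offset = offset - end_str_size;
                // The value was passed to %08X as a size_t before; pass an unsigned.
                printf("Found WProtect End offset:%08X\n", (unsigned)marker_offset);
                protect_end_address = section.GetSectionVa(index, marker_offset);
                if (protect_begin_address == 0)
                {
                    printf("%08X Can not find a mathing WProtect Begin\n", protect_end_address);
                }
                else
                {
                    build_piece piece;
                    piece.build_exec_addr = protect_begin_address;
                    // The recorded range runs through the end of the end marker.
                    piece.build_exec_size = protect_end_address - protect_begin_address + end_str_size + 2;
                    printf("Protect Address: %08X - %08X\n", piece.build_exec_addr, piece.build_exec_addr + piece.build_exec_size);
                    build_info.push_back(piece);
                }
                protect_begin_address = 0;
                protect_end_address = 0;
                memset((void*)section.GetSectionPtr(index, marker_offset), 0x90, sdk_end_count);
                sdk_end_count = 0;
            }
        }
    }

    if (protect_begin_address != 0)
    {
        // A begin marker was patched out but its range was never recorded.
        printf("%08X WProtect Begin has no matching WProtect End\n", protect_begin_address);
    }
}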