// 函数说明: 处理 TLS 回调函数 DWORD CPE::DealWithTLS(PSHELL_DATA & pPackInfo) { if (m_pNtHeader->OptionalHeader.DataDirectory[9].VirtualAddress == 0) { return false; } else { PIMAGE_TLS_DIRECTORY32 g_lpTlsDir = (PIMAGE_TLS_DIRECTORY32) (RvaToOffset(m_pNtHeader->OptionalHeader.DataDirectory[9].VirtualAddress) + m_pFileBuf); // 获取 TLSIndex 的 文件偏移 DWORD IndexOfOffset = RvaToOffset(g_lpTlsDir->AddressOfIndex - m_dwImageBase); // 设置 TLSIndex 的值 pPackInfo->TLSIndex = 0; if (IndexOfOffset != -1) { pPackInfo->TLSIndex = *(DWORD*)(IndexOfOffset + m_pFileBuf); } // 设置 TLS 表中的信息 m_StartOfDataAddress = g_lpTlsDir->StartAddressOfRawData; m_EndOfDataAddresss = g_lpTlsDir->EndAddressOfRawData; m_CallBackFuncAddress = g_lpTlsDir->AddressOfCallBacks; // 将 TLS 回调函数 rva 设置到共享信息结构体 pPackInfo->TLSCallBackFuncRva = m_CallBackFuncAddress; return true; } }
// 函数说明: 设置 TLS 回调函数 // 1. 将 被加壳程序的 TLS 数据目录表指向壳的 // 2. 通过 TLS 表中的 StartAddressOfRawData 在区段中寻找 // 3. 将 Index 索引存入壳与加壳器之间交互的数据结构,计算这个变量的 RVA(在重定位后设置为 Rva-代码段基址+FKBUG段基址+被加壳程序加载基址) // 4. 壳的 TLS 表前两项同 被加壳程序的 TLS 表, 但数值上需要在重定位之后设置为和被加壳程序的 TLS 表项相同 // 5. 壳的 AddressOfFunc 同被加壳程序的 TLS 表, 但数值上也是需要重定位之后设为与被加壳程序相同 void CPE::SetTLS(DWORD NewSectionRva, PCHAR pStubBuf, PSHELL_DATA pPackInfo) { PIMAGE_DOS_HEADER pStubDos = (PIMAGE_DOS_HEADER)pStubBuf; PIMAGE_NT_HEADERS pStubNt = (PIMAGE_NT_HEADERS) (pStubDos->e_lfanew + pStubBuf); PIMAGE_DOS_HEADER pPeDos = (PIMAGE_DOS_HEADER)m_pFileBuf; PIMAGE_NT_HEADERS pPeNt = (PIMAGE_NT_HEADERS)(pPeDos->e_lfanew + m_pFileBuf); PIMAGE_TLS_DIRECTORY32 pITD = (PIMAGE_TLS_DIRECTORY32)(RvaToOffset(pPeNt->OptionalHeader.DataDirectory[9].VirtualAddress) + m_pFileBuf); // 将被加壳程序的 TLS 表指向壳的 TLS表 pPeNt->OptionalHeader.DataDirectory[9].VirtualAddress = (pStubNt->OptionalHeader.DataDirectory[9].VirtualAddress - 0x1000) + NewSectionRva; // 获取交互数据结构中 TLSIndex 的 Rva DWORD IndexRva = ((DWORD)pPackInfo - (DWORD)pStubBuf + 4) - 0x1000 + NewSectionRva + pPeNt->OptionalHeader.ImageBase; pITD->AddressOfIndex = IndexRva; pITD->StartAddressOfRawData = m_StartOfDataAddress; pITD->EndAddressOfRawData = m_EndOfDataAddresss; // 然后先取消 TLS 的回调函数, 向交互数据结构体中传入 TLS 回调函数指针, 在壳里边手动调用 TLS回调函数,最后设置回去 pITD->AddressOfCallBacks = 0; }
ULONG PE::GetExportOffset(const unsigned char* FileData, ULONG FileSize, const char* ExportName) { //Verify DOS Header PIMAGE_DOS_HEADER pdh = (PIMAGE_DOS_HEADER)FileData; if (pdh->e_magic != IMAGE_DOS_SIGNATURE) { Log("[TITANHIDE] Invalid IMAGE_DOS_SIGNATURE!\n"); return PE_ERROR_VALUE; } //Verify PE Header PIMAGE_NT_HEADERS pnth = (PIMAGE_NT_HEADERS)(FileData + pdh->e_lfanew); if (pnth->Signature != IMAGE_NT_SIGNATURE) { Log("[TITANHIDE] Invalid IMAGE_NT_SIGNATURE!\n"); return PE_ERROR_VALUE; } //Verify Export Directory PIMAGE_DATA_DIRECTORY pdd = pnth->OptionalHeader.DataDirectory; ULONG ExportDirRva = pdd[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; ULONG ExportDirSize = pdd[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; ULONG ExportDirOffset = RvaToOffset(pnth, ExportDirRva, FileSize); if (ExportDirOffset == PE_ERROR_VALUE) { Log("[TITANHIDE] Invalid Export Directory!\n"); return PE_ERROR_VALUE; } //Read Export Directory PIMAGE_EXPORT_DIRECTORY ExportDir = (PIMAGE_EXPORT_DIRECTORY)(FileData + ExportDirOffset); ULONG NumberOfNames = ExportDir->NumberOfNames; ULONG AddressOfFunctionsOffset = RvaToOffset(pnth, ExportDir->AddressOfFunctions, FileSize); ULONG AddressOfNameOrdinalsOffset = RvaToOffset(pnth, ExportDir->AddressOfNameOrdinals, FileSize); ULONG AddressOfNamesOffset = RvaToOffset(pnth, ExportDir->AddressOfNames, FileSize); if (AddressOfFunctionsOffset == PE_ERROR_VALUE || AddressOfNameOrdinalsOffset == PE_ERROR_VALUE || AddressOfNamesOffset == PE_ERROR_VALUE) { Log("[TITANHIDE] Invalid Export Directory Contents!\n"); return PE_ERROR_VALUE; } ULONG* AddressOfFunctions = (ULONG*)(FileData + AddressOfFunctionsOffset); USHORT* AddressOfNameOrdinals = (USHORT*)(FileData + AddressOfNameOrdinalsOffset); ULONG* AddressOfNames = (ULONG*)(FileData + AddressOfNamesOffset); //Find Export ULONG ExportOffset = PE_ERROR_VALUE; for (ULONG i = 0; i < NumberOfNames; i++) { ULONG CurrentNameOffset = RvaToOffset(pnth, AddressOfNames[i], FileSize); if (CurrentNameOffset == PE_ERROR_VALUE) continue; const char* CurrentName = (const char*)(FileData + CurrentNameOffset); ULONG CurrentFunctionRva = AddressOfFunctions[AddressOfNameOrdinals[i]]; if (CurrentFunctionRva >= ExportDirRva && CurrentFunctionRva < ExportDirRva + ExportDirSize) continue; //we ignore forwarded exports if (!strcmp(CurrentName, ExportName)) //compare the export name to the requested export { ExportOffset = RvaToOffset(pnth, CurrentFunctionRva, FileSize); break; } } if (ExportOffset == PE_ERROR_VALUE) { Log("[TITANHIDE] Export %s not found in export table!\n", ExportName); } return ExportOffset; }
int main() { PIMAGE_DOS_HEADER pDosHeader; PIMAGE_NT_HEADERS pImageHeader; PIMAGE_DATA_DIRECTORY pDataDirectory; PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor; PIMAGE_THUNK_DATA32 pFirstThunk; PIMAGE_THUNK_DATA32 pOriginalFirstThunk; PIMAGE_IMPORT_BY_NAME pNameImg; PIMAGE_SECTION_HEADER pSecHeader; char szFileName[MAX_PATH]; DWORD dwName, dwTest; LPDWORD lpwdAddress; HANDLE hMap, hMapView; BOOL bFound = FALSE; LPVOID lpMap; printf("File: "); scanf("%s", szFileName); hFile = CreateFile(szFileName, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if(hFile == INVALID_HANDLE_VALUE) Error(); hMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL); if(!hMap) Error(); hMapView = MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0); if(!hMapView) Error(); pDosHeader = (PIMAGE_DOS_HEADER)hMapView; if(pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) Error(); else printf("\n%x (MZ) found, valid PE\nPE Header offset: 0x%x\n", pDosHeader->e_magic, pDosHeader->e_lfanew); pImageHeader = (PIMAGE_NT_HEADERS)((char*)pDosHeader + pDosHeader->e_lfanew); if(pImageHeader->Signature != IMAGE_NT_SIGNATURE) Error(); else { printf("\n%x (PE00) signature found\nImageBase: 0x%x\n\n", pImageHeader->Signature, pImageHeader->OptionalHeader.ImageBase); if(pImageHeader->OptionalHeader.Subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI) printf("\"%s\" is GUI based", szFileName); else if(pImageHeader->OptionalHeader.Subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI) printf("\"%s\" is CLI based", szFileName); else printf("\"%s\" is something else", szFileName); } printf("\nAddress of Entry Point: 0x%x", pImageHeader->OptionalHeader.AddressOfEntryPoint); printf("\n\nLocating IAT\n"); pDataDirectory = &pImageHeader->OptionalHeader.DataDirectory[1]; pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((char*)pDosHeader + RvaToOffset(pImageHeader, pDataDirectory->VirtualAddress)); pOriginalFirstThunk = (PIMAGE_THUNK_DATA32)((char*)pDosHeader + RvaToOffset(pImageHeader, pImportDescriptor->OriginalFirstThunk)); pSecHeader = IMAGE_FIRST_SECTION(pImageHeader); printf("IAT Entrypoint: 0x%x\nDumping IAT...\n", (pDataDirectory - pSecHeader->VirtualAddress) + pSecHeader->PointerToRawData); while(pImportDescriptor->OriginalFirstThunk != 0 && !bFound) { dwName = (DWORD)((char*)lpMap + RvaToOffset(pImageHeader, pImportDescriptor->Name)); pOriginalFirstThunk = (PIMAGE_THUNK_DATA32)((char*)pDosHeader + RvaToOffset(pImageHeader, pImportDescriptor->OriginalFirstThunk)); pFirstThunk = (PIMAGE_THUNK_DATA32)((char*)pDosHeader + RvaToOffset(pImageHeader, pImportDescriptor->FirstThunk)); while(pOriginalFirstThunk->u1.AddressOfData != 0 && !bFound) { pNameImg = (PIMAGE_IMPORT_BY_NAME)((char*)pDosHeader + RvaToOffset(pImageHeader, pOriginalFirstThunk->u1.AddressOfData)); dwTest = (DWORD)pOriginalFirstThunk->u1.Function & (DWORD)IMAGE_ORDINAL_FLAG32; printf("\nAddr: 0x%x (0x%x) - Name: %s", pOriginalFirstThunk->u1.Function, pFirstThunk->u1.AddressOfData, (const char *)pNameImg->Name); if(dwTest == 0) if(strcmp("printf", (const char *)pNameImg->Name) == 0) { lpwdAddress = (LPDWORD)pFirstThunk->u1.Function; bFound = TRUE; } pOriginalFirstThunk++; pFirstThunk++; } pImportDescriptor++; } printf("\n...Done"); CloseHandle(hFile); _getch(); return 0; }
LRESULT CALLBACK WindowProcedure (HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam) { switch (message) /* handle the messages */ { case WM_COMMAND: { switch(LOWORD(wParam)) { case BUTTON1:{ // OPEN A PE FILE OPENFILENAME ofn; char szFileName[MAX_PATH] = ""; SendDlgItemMessage(hwnd,BUTTON5, BN_CLICKED, (WPARAM)hBtn5,(LPARAM) hwnd); ZeroMemory(&ofn, sizeof(ofn)); ofn.lStructSize = sizeof(ofn); ofn.hwndOwner = hwnd; ofn.lpstrFilter = "Executables (*.exe)\0*.exe\0Dll (*.dll)\0*.dll\0"; ofn.lpstrFile = szFileName; ofn.nMaxFile = MAX_PATH; ofn.Flags = OFN_EXPLORER | OFN_FILEMUSTEXIST | OFN_HIDEREADONLY; ofn.lpstrDefExt = ""; if(GetOpenFileName(&ofn)){ SetDlgItemText(hwnd,EDIT1,szFileName); } }break; case BUTTON2:{ // READS INFORMATIONF FROM PE HEADER remove("import.txt"); remove("export.txt"); char txt[5024], txt1[2056], txt2[2056], txt3[2056], txt4[2056], txt5[2056]; txt[0] = txt1[0] = txt2[0] = txt3[0] = txt4[0] = txt5[0] = '\0'; int len = GetWindowTextLength (GetDlgItem (hwnd, EDIT1)); GetDlgItemText(hwnd,EDIT1,FileName, len + 1); hFile = CreateFile(FileName, GENERIC_READ, FILE_SHARE_READ, 0,OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0); if (hFile == INVALID_HANDLE_VALUE){ MessageBoxA(NULL,"Cannot Open the File","Error",MB_OK);break; } FileSize = GetFileSize(hFile, NULL); BaseAddress = (BYTE *) malloc(FileSize); if (!ReadFile(hFile, BaseAddress, FileSize, &BR, NULL)){ free(BaseAddress); CloseHandle(hFile); break; } ImageDosHeader = (IMAGE_DOS_HEADER *) BaseAddress; ImageOptionalHeader = (_IMAGE_OPTIONAL_HEADER *) BaseAddress; if (ImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE) // checks the DOS SIGNATURE, if not equals to (MZ) then stops { MessageBoxA(NULL,"Invalid Dos Header","Error",MB_OK); free(BaseAddress); CloseHandle(hFile); break; } ImageNtHeaders = (IMAGE_NT_HEADERS *) (ImageDosHeader->e_lfanew + (DWORD) ImageDosHeader); if (ImageNtHeaders->Signature != IMAGE_NT_SIGNATURE) // checks the PE header, if not equals to NT signature stops { MessageBoxA(NULL,"Invalid PE Signature","Error",MB_OK); free(BaseAddress); CloseHandle(hFile); break; } // takes the address of first section ImageSectionHeader = IMAGE_FIRST_SECTION(ImageNtHeaders); // shows the section table for (x = 0; x < ImageNtHeaders->FileHeader.NumberOfSections; x++) { memcpy(SectionName, ImageSectionHeader[x].Name,IMAGE_SIZEOF_SHORT_NAME); long lSize; char * buffer; size_t result; _ultoa(ImageSectionHeader[x].VirtualAddress,txt1,16); _ultoa(ImageSectionHeader[x].Misc.VirtualSize,txt2,16); _ultoa(ImageSectionHeader[x].PointerToRawData,txt3,16); _ultoa(ImageSectionHeader[x].SizeOfRawData,txt4,16); _ultoa(ImageSectionHeader[x].Characteristics,txt5,16); strcat(txt, "Section Name: "); strcat(txt, SectionName); strcat(txt , "\r\n"); strcat(txt, "Virtual Address: "); strcat(txt, txt1); strcat(txt , "\r\n"); strcat(txt, "Virtual Size: "); strcat(txt, txt2); strcat(txt , "\r\n"); strcat(txt, "Raw Address: "); strcat(txt, txt3); strcat(txt , "\r\n"); strcat(txt, "Raw Size: "); strcat(txt, txt4); strcat(txt , "\r\n"); strcat(txt, "Characteristics: "); strcat(txt, txt5); strcat(txt , "\r\n\r\n"); SetDlgItemText(hwnd,EDIT2,txt); } /* VARIABLES USED TO STORE AND SHOW INFORMATIONS */ char Img[LENGTH],Img1[LENGTH]; char AeP[LENGTH],AeP1[LENGTH]; char BoC[LENGTH],BoC1[LENGTH]; char BoD[LENGTH],BoD1[LENGTH]; char Sa[LENGTH] ,Sa1[LENGTH]; char Fa[LENGTH] ,Fa1[LENGTH]; char Ss[LENGTH] ,Ss1[LENGTH]; char SoC[LENGTH],SoC1[LENGTH]; char SiD[LENGTH],SiD1[LENGTH]; char SuD[LENGTH],SuD1[LENGTH]; char Em[LENGTH] ,Em1[LENGTH]; char Sgn[LENGTH],Sgn1[LENGTH]; Img[0], Img1[0], AeP[0], AeP1[0], BoC[0], BoC1[0], BoD[0], BoD1[0], Sa[0] , Sa1[0] , Fa[0], Fa1[0] = '\0'; Ss[0] , Ss1[0] , SoC[0], SoC1[0], SiD[0], SiD1[0], SuD[0], SuD1[0], Em[0] , Em1[0] , Sgn[0], Sgn1[0] = '\0'; for (int i = 0; i < LENGTH; i++){ Img[i] = '\0'; AeP[i] = '\0'; BoC[i] = '\0'; BoD[i] = '\0'; Sa[i] = '\0'; Fa[i] = '\0'; Ss[i] = '\0'; SoC[i] = '\0'; SiD[i] = '\0'; SuD[i] = '\0'; Em[i] = '\0'; Sgn[i] = '\0'; } //STORES VALUES DWORD ImageBase = ImageNtHeaders->OptionalHeader.ImageBase; DWORD AddressOfEntryPoint = ImageNtHeaders->OptionalHeader.AddressOfEntryPoint; DWORD BaseOfCode = ImageNtHeaders->OptionalHeader.BaseOfCode; DWORD BaseOfData = ImageNtHeaders->OptionalHeader.BaseOfData; DWORD SectionAlignment = ImageNtHeaders->OptionalHeader.SectionAlignment; DWORD FileAlignment = ImageNtHeaders->OptionalHeader.FileAlignment; DWORD Subsystem = ImageNtHeaders->OptionalHeader.Subsystem; DWORD SizeOfCode = ImageNtHeaders->OptionalHeader.SizeOfCode; DWORD SizeOfInitializedData = ImageNtHeaders->OptionalHeader.SizeOfInitializedData; DWORD SizeOfUnitializedData = ImageNtHeaders->OptionalHeader.SizeOfUninitializedData; DWORD EMagic = ImageDosHeader->e_magic; DWORD Signature = ImageNtHeaders->Signature; /* CONVERT DWORD TO HEX ==> I REALLY LOVE THIS FUNCTION :P*/ _ultoa(ImageBase,Img1,16); _ultoa(AddressOfEntryPoint,AeP1,16); _ultoa(BaseOfCode,BoC1,16); _ultoa(BaseOfData,BoD1,16); _ultoa(SectionAlignment,Sa1,16); _ultoa(FileAlignment,Fa1,16); _ultoa(Subsystem,Ss1,16); _ultoa(SizeOfCode,SoC1,16); _ultoa(SizeOfInitializedData,SiD1,16); _ultoa(SizeOfUnitializedData,SuD1,16); _ultoa(EMagic,Em1,16); _ultoa(Signature,Sgn1,16); strcat(Img,"ImageBase: 0x"); strcat(Img, Img1); strcat(AeP, "AddressOfEntryPoint: 0x"); strcat(AeP, AeP1); strcat(BoC, "BaseOfCode: 0x"); strcat(BoC, BoC1); strcat(BoD, "BaseOfData: 0x"); strcat(BoD, BoD1); strcat(Sa, "SectionAlignment: 0x"); strcat(Sa, Sa1); strcat(Fa, "FileAlignment: 0x"); strcat(Fa, Fa1); strcat(Ss, "Subsystem: 0x"); strcat(Ss, Ss1); strcat(SoC, "SizeOfCode: 0x"); strcat(SoC, SoC1); strcat(SiD, "SizeOfInitializedData: 0x"); strcat(SiD, SiD1); strcat(SuD, "SizeOfUnitializedData: 0x"); strcat(SuD, SuD1); strcat(Em, "EMagic Signature: 0x"); strcat(Em, Em1); strcat(Sgn, "PE Signature: 0x"); strcat(Sgn, Sgn1); SetDlgItemText(hwnd,LABEL5, Img); SetDlgItemText(hwnd,LABEL6, AeP); SetDlgItemText(hwnd,LABEL7, BoC); SetDlgItemText(hwnd,LABEL8, BoD); SetDlgItemText(hwnd,LABEL9, Sa); SetDlgItemText(hwnd,LABEL10,Fa); SetDlgItemText(hwnd,LABEL11,Ss); SetDlgItemText(hwnd,LABEL12,SoC); SetDlgItemText(hwnd,LABEL13,SiD); SetDlgItemText(hwnd,LABEL14,SuD); SetDlgItemText(hwnd,LABEL15,Em); SetDlgItemText(hwnd,LABEL16,Sgn); /* INFORMATION */ /* LOGS FROM IMPORT TABLE */ f = fopen("import.txt","wa"); IT_Offset = RvaToOffset(ImageNtHeaders,ImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); ImageImportDescr = (IMAGE_IMPORT_DESCRIPTOR *) (IT_Offset + (DWORD) BaseAddress); x = 0; // counter used under while (ImageImportDescr[x].FirstThunk != 0) // analyzes all descriptors { Name = (char *) (RvaToOffset(ImageNtHeaders, ImageImportDescr[x].Name) + (DWORD) BaseAddress); fprintf(f,"\nModule Name: %s\r\nFunctions:\r\n", Name); // selects the array to analyze Thunks = (DWORD *) (RvaToOffset(ImageNtHeaders, ImageImportDescr[x].OriginalFirstThunk != 0 ? ImageImportDescr[x].OriginalFirstThunk : ImageImportDescr[x].FirstThunk) + (DWORD) BaseAddress); y = 0; // another counter // browse into internal functions of the analyzed file while (Thunks[y] != 0) { //imports if (Thunks[y] & IMAGE_ORDINAL_FLAG) { fprintf(f,"Ordinal: %08X\r\n", (Thunks[y] - IMAGE_ORDINAL_FLAG)); y++; continue; } ImgName = (IMAGE_IMPORT_BY_NAME *) (RvaToOffset(ImageNtHeaders, Thunks[y]) + (DWORD) BaseAddress); fprintf(f,"Name: %s\r\n", &ImgName->Name); y++; } x++; } fflush(f); fclose(f); std::ifstream of("import.txt"); char *s; char sf[LENGTH*50],sf1[LENGTH*50]; sf[0], sf1[0] = '\0'; while (of) { of.getline(sf,1000); strcat(sf1,sf); strcat(sf1,"\r\n"); } SetDlgItemText(hwnd,EDIT3,sf1); of.close(); remove("import.txt"); /* IMPORT TABLE */ /* LOGS FROM EXPORT TABLE */ ET_Offset = RvaToOffset(ImageNtHeaders,ImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); ImageExportDir = (IMAGE_EXPORT_DIRECTORY *) (ET_Offset +(DWORD) BaseAddress); Name = (char *) (RvaToOffset(ImageNtHeaders,ImageExportDir->Name) + (DWORD) BaseAddress); Functions = (DWORD *) (RvaToOffset(ImageNtHeaders, ImageExportDir->AddressOfFunctions) + (DWORD) BaseAddress); Names = (DWORD *) (RvaToOffset(ImageNtHeaders, ImageExportDir->AddressOfNames) + (DWORD) BaseAddress); NameOrds = (WORD *) (RvaToOffset(ImageNtHeaders, ImageExportDir->AddressOfNameOrdinals) + (DWORD) BaseAddress); // enums and shows functions for (x = 0; x < ImageExportDir->NumberOfFunctions; x++) { // controllo se l'EP e' 0 // se si' allora passa alla prossima funzione if (Functions[x] == 0)continue; printf("\nOrd: %04X\nEP: %08X\n", (x + ImageExportDir->Base), Functions[x]); f=fopen("export.txt","a"); if (f != NULL) { fprintf(f,"\nOrd: %04X\nEP: %08X\n", (x + ImageExportDir->Base), Functions[x] ); fflush(f); } // if the function has also a name I show it for (y = 0; y < ImageExportDir->NumberOfNames; y++) { if (NameOrds[y] == x) { FName = (char *) (RvaToOffset(ImageNtHeaders, Names[y]) + (DWORD) BaseAddress); printf("Name: %s\n", FName); if (f != NULL) { fprintf(f,"Name: %s\n", FName); fflush(f); fclose(f); } break; } } } std::ifstream of1("export.txt"); char sf2[LENGTH*80],sf3[LENGTH*80]; sf2[0], sf3[0] = '\0'; while (of1) { of1.getline(sf2,1000); strcat(sf3,sf2); strcat(sf3,"\r\n"); } SetDlgItemText(hwnd,EDIT4,sf3); of1.close(); remove("export.txt"); /* EXPORT TABLE */ free(BaseAddress); CloseHandle(hFile); }break; // end case BUTTON2 case BUTTON3:{PostQuitMessage (0);break;} case BUTTON4:{ HANDLE hFile; BYTE *BaseAddress; WORD nSection; DWORD FileSize, BRW, NameSize, Size; char Dim[MAX_PATH], Sect[MAX_PATH]; int len, lent; IMAGE_DOS_HEADER *ImageDosHeader; IMAGE_NT_HEADERS *ImageNtHeaders; IMAGE_SECTION_HEADER *ImageSectionHeader; len = GetWindowTextLength (GetDlgItem (hwnd, EDIT6)); GetDlgItemText(hwnd,EDIT6,Dim, len + 1); lent = GetWindowTextLength (GetDlgItem (hwnd, EDIT5)); GetDlgItemText(hwnd,EDIT5,Sect, lent + 1); Size = atoi(Dim); if (Size > 0 && lent > 0) { hFile = CreateFile(FileName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0); if (hFile == INVALID_HANDLE_VALUE) { printf("Cannot Open the File\n"); return -1; } FileSize = GetFileSize(hFile, NULL); BaseAddress = (BYTE *) malloc(FileSize); if (!ReadFile(hFile, BaseAddress, FileSize, &BRW, NULL)) { free(BaseAddress); CloseHandle(hFile); return -1; } ImageDosHeader = (IMAGE_DOS_HEADER *) BaseAddress; ImageOptionalHeader = (_IMAGE_OPTIONAL_HEADER *) BaseAddress; if (ImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE) // checks the DOS SIGNATURE, if not equals to (MZ) then stops { MessageBoxA(NULL,"Invalid Dos Header","Error",MB_OK); free(BaseAddress); CloseHandle(hFile); break; } ImageNtHeaders = (IMAGE_NT_HEADERS *) (ImageDosHeader->e_lfanew + (DWORD) ImageDosHeader); if (ImageNtHeaders->Signature != IMAGE_NT_SIGNATURE) // checks the PE header, if not equals to NT signature stops { MessageBoxA(NULL,"Invalid PE Signature","Error",MB_OK); free(BaseAddress); CloseHandle(hFile); break; } // prende le dimensioni printf("Creating New Section...\n"); nSection = ImageNtHeaders->FileHeader.NumberOfSections; ImageNtHeaders->FileHeader.NumberOfSections++; ImageSectionHeader = IMAGE_FIRST_SECTION(ImageNtHeaders); ImageNtHeaders->OptionalHeader.SizeOfImage += CalcAlignment(ImageNtHeaders->OptionalHeader.SectionAlignment, Size); ZeroMemory(&ImageSectionHeader[nSection], IMAGE_SIZEOF_SECTION_HEADER); if (strlen(Sect) <= IMAGE_SIZEOF_SHORT_NAME) { NameSize = strlen(Sect); } else { NameSize = IMAGE_SIZEOF_SHORT_NAME; } memcpy(&ImageSectionHeader[nSection].Name, Sect, NameSize); // calcola il Virtual Address della nuova sezione ImageSectionHeader[nSection].VirtualAddress = CalcAlignment(ImageNtHeaders->OptionalHeader.SectionAlignment, (ImageSectionHeader[nSection - 1].VirtualAddress + ImageSectionHeader[nSection - 1].Misc.VirtualSize)); ImageSectionHeader[nSection].Misc.VirtualSize = Size; if (ImageSectionHeader[nSection - 1].SizeOfRawData % ImageNtHeaders->OptionalHeader.FileAlignment) { // se la sezione prima di quella che vogliamo creare noi non � allineata lo faccio ImageSectionHeader[nSection - 1].SizeOfRawData = CalcAlignment(ImageNtHeaders->OptionalHeader.FileAlignment, ImageSectionHeader[nSection - 1].SizeOfRawData); SetFilePointer(hFile,(ImageSectionHeader[nSection - 1].PointerToRawData + ImageSectionHeader[nSection - 1].SizeOfRawData), NULL, FILE_BEGIN); SetEndOfFile(hFile); } ImageSectionHeader[nSection].PointerToRawData = GetFileSize(hFile, NULL); ImageSectionHeader[nSection].SizeOfRawData = CalcAlignment(ImageNtHeaders->OptionalHeader.FileAlignment, Size); ImageSectionHeader[nSection].Characteristics = IMAGE_SCN_MEM_READ; SetFilePointer(hFile, ImageSectionHeader[nSection].SizeOfRawData,NULL, FILE_END); SetEndOfFile(hFile); // salvo le modifiche SetFilePointer(hFile, 0, NULL, FILE_BEGIN); WriteFile(hFile, BaseAddress, FileSize, &BRW, NULL); MessageBox(NULL,"The section has been successfully added!","Info",MB_OK); free(BaseAddress); CloseHandle(hFile); } else { MessageBox(NULL,"The section was not added correctly!","Error",MB_OK); } }break; // fine button 4 case BUTTON5: { MessageBoxA(NULL,"Program created by Zyrel aka Marco Lagalla.\nVisit us on: <a href="http://www.unfair-gamers.com" target="_blank">http://www.unfair-gamers.com</a>!\nThanks to Ntoskrnl <img src="images/smilies1/wink1.gif" style="vertical-align: middle;" border="0" alt="Wink" title="Wink" />","Credits and Disclaimer",MB_OK); }break; case BUTTON6: { ShellExecute(NULL,"open","http://www.unfair-gamers.com/forum/index.php",NULL,NULL,SW_HIDE); }break; default:{break;} // DEFAUL CONTROLLI }break;} // FINE WM_COMMAND case WM_DESTROY: { PostQuitMessage (0); }break; /* send a WM_QUIT to the message queue */ default: /* for messages that we don't deal with */ return DefWindowProc (hwnd, message, wParam, lParam); case WM_CTLCOLORSTATIC: { SetTextColor((HDC)hLabel2,RGB(141,149,155)); } } return 0; }