// 函数说明: 处理 TLS 回调函数
DWORD CPE::DealWithTLS(PSHELL_DATA & pPackInfo)
{
if (m_pNtHeader->OptionalHeader.DataDirectory[9].VirtualAddress == 0)
{
return false;
}
else
{
PIMAGE_TLS_DIRECTORY32 g_lpTlsDir =
(PIMAGE_TLS_DIRECTORY32)
(RvaToOffset(m_pNtHeader->OptionalHeader.DataDirectory[9].VirtualAddress) + m_pFileBuf);
// 获取 TLSIndex 的 文件偏移
DWORD IndexOfOffset = RvaToOffset(g_lpTlsDir->AddressOfIndex - m_dwImageBase);
// 设置 TLSIndex 的值
pPackInfo->TLSIndex = 0;
if (IndexOfOffset != -1)
{
pPackInfo->TLSIndex = *(DWORD*)(IndexOfOffset + m_pFileBuf);
}
// 设置 TLS 表中的信息
m_StartOfDataAddress = g_lpTlsDir->StartAddressOfRawData;
m_EndOfDataAddresss = g_lpTlsDir->EndAddressOfRawData;
m_CallBackFuncAddress = g_lpTlsDir->AddressOfCallBacks;
// 将 TLS 回调函数 rva 设置到共享信息结构体
pPackInfo->TLSCallBackFuncRva = m_CallBackFuncAddress;
return true;
}
}
// 函数说明: 设置 TLS 回调函数
// 1. 将 被加壳程序的 TLS 数据目录表指向壳的
// 2. 通过 TLS 表中的 StartAddressOfRawData 在区段中寻找
// 3. 将 Index 索引存入壳与加壳器之间交互的数据结构,计算这个变量的 RVA(在重定位后设置为 Rva-代码段基址+FKBUG段基址+被加壳程序加载基址)
// 4. 壳的 TLS 表前两项同 被加壳程序的 TLS 表, 但数值上需要在重定位之后设置为和被加壳程序的 TLS 表项相同
// 5. 壳的 AddressOfFunc 同被加壳程序的 TLS 表, 但数值上也是需要重定位之后设为与被加壳程序相同
void CPE::SetTLS(DWORD NewSectionRva, PCHAR pStubBuf, PSHELL_DATA pPackInfo)
{
PIMAGE_DOS_HEADER pStubDos = (PIMAGE_DOS_HEADER)pStubBuf;
PIMAGE_NT_HEADERS pStubNt = (PIMAGE_NT_HEADERS)
(pStubDos->e_lfanew + pStubBuf);
PIMAGE_DOS_HEADER pPeDos = (PIMAGE_DOS_HEADER)m_pFileBuf;
PIMAGE_NT_HEADERS pPeNt = (PIMAGE_NT_HEADERS)(pPeDos->e_lfanew + m_pFileBuf);
PIMAGE_TLS_DIRECTORY32 pITD =
(PIMAGE_TLS_DIRECTORY32)(RvaToOffset(pPeNt->OptionalHeader.DataDirectory[9].VirtualAddress) + m_pFileBuf);
// 将被加壳程序的 TLS 表指向壳的 TLS表
pPeNt->OptionalHeader.DataDirectory[9].VirtualAddress =
(pStubNt->OptionalHeader.DataDirectory[9].VirtualAddress - 0x1000) + NewSectionRva;
// 获取交互数据结构中 TLSIndex 的 Rva
DWORD IndexRva = ((DWORD)pPackInfo - (DWORD)pStubBuf + 4) - 0x1000 + NewSectionRva + pPeNt->OptionalHeader.ImageBase;
pITD->AddressOfIndex = IndexRva;
pITD->StartAddressOfRawData = m_StartOfDataAddress;
pITD->EndAddressOfRawData = m_EndOfDataAddresss;
// 然后先取消 TLS 的回调函数, 向交互数据结构体中传入 TLS 回调函数指针, 在壳里边手动调用 TLS回调函数,最后设置回去
pITD->AddressOfCallBacks = 0;
}
ULONG PE::GetExportOffset(const unsigned char* FileData, ULONG FileSize, const char* ExportName)
{
//Verify DOS Header
PIMAGE_DOS_HEADER pdh = (PIMAGE_DOS_HEADER)FileData;
if (pdh->e_magic != IMAGE_DOS_SIGNATURE)
{
Log("[TITANHIDE] Invalid IMAGE_DOS_SIGNATURE!\n");
return PE_ERROR_VALUE;
}
//Verify PE Header
PIMAGE_NT_HEADERS pnth = (PIMAGE_NT_HEADERS)(FileData + pdh->e_lfanew);
if (pnth->Signature != IMAGE_NT_SIGNATURE)
{
Log("[TITANHIDE] Invalid IMAGE_NT_SIGNATURE!\n");
return PE_ERROR_VALUE;
}
//Verify Export Directory
PIMAGE_DATA_DIRECTORY pdd = pnth->OptionalHeader.DataDirectory;
ULONG ExportDirRva = pdd[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
ULONG ExportDirSize = pdd[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
ULONG ExportDirOffset = RvaToOffset(pnth, ExportDirRva, FileSize);
if (ExportDirOffset == PE_ERROR_VALUE)
{
Log("[TITANHIDE] Invalid Export Directory!\n");
return PE_ERROR_VALUE;
}
//Read Export Directory
PIMAGE_EXPORT_DIRECTORY ExportDir = (PIMAGE_EXPORT_DIRECTORY)(FileData + ExportDirOffset);
ULONG NumberOfNames = ExportDir->NumberOfNames;
ULONG AddressOfFunctionsOffset = RvaToOffset(pnth, ExportDir->AddressOfFunctions, FileSize);
ULONG AddressOfNameOrdinalsOffset = RvaToOffset(pnth, ExportDir->AddressOfNameOrdinals, FileSize);
ULONG AddressOfNamesOffset = RvaToOffset(pnth, ExportDir->AddressOfNames, FileSize);
if (AddressOfFunctionsOffset == PE_ERROR_VALUE ||
AddressOfNameOrdinalsOffset == PE_ERROR_VALUE ||
AddressOfNamesOffset == PE_ERROR_VALUE)
{
Log("[TITANHIDE] Invalid Export Directory Contents!\n");
return PE_ERROR_VALUE;
}
ULONG* AddressOfFunctions = (ULONG*)(FileData + AddressOfFunctionsOffset);
USHORT* AddressOfNameOrdinals = (USHORT*)(FileData + AddressOfNameOrdinalsOffset);
ULONG* AddressOfNames = (ULONG*)(FileData + AddressOfNamesOffset);
//Find Export
ULONG ExportOffset = PE_ERROR_VALUE;
for (ULONG i = 0; i < NumberOfNames; i++)
{
ULONG CurrentNameOffset = RvaToOffset(pnth, AddressOfNames[i], FileSize);
if (CurrentNameOffset == PE_ERROR_VALUE)
continue;
const char* CurrentName = (const char*)(FileData + CurrentNameOffset);
ULONG CurrentFunctionRva = AddressOfFunctions[AddressOfNameOrdinals[i]];
if (CurrentFunctionRva >= ExportDirRva && CurrentFunctionRva < ExportDirRva + ExportDirSize)
continue; //we ignore forwarded exports
if (!strcmp(CurrentName, ExportName)) //compare the export name to the requested export
{
ExportOffset = RvaToOffset(pnth, CurrentFunctionRva, FileSize);
break;
}
}
if (ExportOffset == PE_ERROR_VALUE)
{
Log("[TITANHIDE] Export %s not found in export table!\n", ExportName);
}
return ExportOffset;
}
int main()
{
PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_NT_HEADERS pImageHeader;
PIMAGE_DATA_DIRECTORY pDataDirectory;
PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor;
PIMAGE_THUNK_DATA32 pFirstThunk;
PIMAGE_THUNK_DATA32 pOriginalFirstThunk;
PIMAGE_IMPORT_BY_NAME pNameImg;
PIMAGE_SECTION_HEADER pSecHeader;
char szFileName[MAX_PATH];
DWORD dwName, dwTest;
LPDWORD lpwdAddress;
HANDLE hMap,
hMapView;
BOOL bFound = FALSE;
LPVOID lpMap;
printf("File: ");
scanf("%s", szFileName);
hFile = CreateFile(szFileName, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if(hFile == INVALID_HANDLE_VALUE)
Error();
hMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
if(!hMap)
Error();
hMapView = MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);
if(!hMapView)
Error();
pDosHeader = (PIMAGE_DOS_HEADER)hMapView;
if(pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
Error();
else
printf("\n%x (MZ) found, valid PE\nPE Header offset: 0x%x\n", pDosHeader->e_magic, pDosHeader->e_lfanew);
pImageHeader = (PIMAGE_NT_HEADERS)((char*)pDosHeader + pDosHeader->e_lfanew);
if(pImageHeader->Signature != IMAGE_NT_SIGNATURE)
Error();
else {
printf("\n%x (PE00) signature found\nImageBase: 0x%x\n\n", pImageHeader->Signature, pImageHeader->OptionalHeader.ImageBase);
if(pImageHeader->OptionalHeader.Subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI)
printf("\"%s\" is GUI based", szFileName);
else if(pImageHeader->OptionalHeader.Subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI)
printf("\"%s\" is CLI based", szFileName);
else
printf("\"%s\" is something else", szFileName);
}
printf("\nAddress of Entry Point: 0x%x", pImageHeader->OptionalHeader.AddressOfEntryPoint);
printf("\n\nLocating IAT\n");
pDataDirectory = &pImageHeader->OptionalHeader.DataDirectory[1];
pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((char*)pDosHeader + RvaToOffset(pImageHeader, pDataDirectory->VirtualAddress));
pOriginalFirstThunk = (PIMAGE_THUNK_DATA32)((char*)pDosHeader + RvaToOffset(pImageHeader, pImportDescriptor->OriginalFirstThunk));
pSecHeader = IMAGE_FIRST_SECTION(pImageHeader);
printf("IAT Entrypoint: 0x%x\nDumping IAT...\n", (pDataDirectory - pSecHeader->VirtualAddress) + pSecHeader->PointerToRawData);
while(pImportDescriptor->OriginalFirstThunk != 0 && !bFound)
{
dwName = (DWORD)((char*)lpMap + RvaToOffset(pImageHeader, pImportDescriptor->Name));
pOriginalFirstThunk = (PIMAGE_THUNK_DATA32)((char*)pDosHeader + RvaToOffset(pImageHeader, pImportDescriptor->OriginalFirstThunk));
pFirstThunk = (PIMAGE_THUNK_DATA32)((char*)pDosHeader + RvaToOffset(pImageHeader, pImportDescriptor->FirstThunk));
while(pOriginalFirstThunk->u1.AddressOfData != 0 && !bFound)
{
pNameImg = (PIMAGE_IMPORT_BY_NAME)((char*)pDosHeader + RvaToOffset(pImageHeader, pOriginalFirstThunk->u1.AddressOfData));
dwTest = (DWORD)pOriginalFirstThunk->u1.Function & (DWORD)IMAGE_ORDINAL_FLAG32;
printf("\nAddr: 0x%x (0x%x) - Name: %s", pOriginalFirstThunk->u1.Function, pFirstThunk->u1.AddressOfData, (const char *)pNameImg->Name);
if(dwTest == 0)
if(strcmp("printf", (const char *)pNameImg->Name) == 0)
{
lpwdAddress = (LPDWORD)pFirstThunk->u1.Function;
bFound = TRUE;
}
pOriginalFirstThunk++;
pFirstThunk++;
}
pImportDescriptor++;
}
printf("\n...Done");
CloseHandle(hFile);
_getch();
return 0;
}
LRESULT CALLBACK WindowProcedure (HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam)
{
switch (message) /* handle the messages */
{
case WM_COMMAND:
{
switch(LOWORD(wParam))
{
case BUTTON1:{ // OPEN A PE FILE
OPENFILENAME ofn;
char szFileName[MAX_PATH] = "";
SendDlgItemMessage(hwnd,BUTTON5, BN_CLICKED, (WPARAM)hBtn5,(LPARAM) hwnd);
ZeroMemory(&ofn, sizeof(ofn));
ofn.lStructSize = sizeof(ofn);
ofn.hwndOwner = hwnd;
ofn.lpstrFilter = "Executables (*.exe)\0*.exe\0Dll (*.dll)\0*.dll\0";
ofn.lpstrFile = szFileName;
ofn.nMaxFile = MAX_PATH;
ofn.Flags = OFN_EXPLORER | OFN_FILEMUSTEXIST | OFN_HIDEREADONLY;
ofn.lpstrDefExt = "";
if(GetOpenFileName(&ofn)){
SetDlgItemText(hwnd,EDIT1,szFileName);
}
}break;
case BUTTON2:{ // READS INFORMATIONF FROM PE HEADER
remove("import.txt");
remove("export.txt");
char txt[5024], txt1[2056], txt2[2056], txt3[2056], txt4[2056], txt5[2056];
txt[0] = txt1[0] = txt2[0] = txt3[0] = txt4[0] = txt5[0] = '\0';
int len = GetWindowTextLength (GetDlgItem (hwnd, EDIT1));
GetDlgItemText(hwnd,EDIT1,FileName, len + 1);
hFile = CreateFile(FileName, GENERIC_READ, FILE_SHARE_READ, 0,OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
if (hFile == INVALID_HANDLE_VALUE){
MessageBoxA(NULL,"Cannot Open the File","Error",MB_OK);break;
}
FileSize = GetFileSize(hFile, NULL);
BaseAddress = (BYTE *) malloc(FileSize);
if (!ReadFile(hFile, BaseAddress, FileSize, &BR, NULL)){
free(BaseAddress);
CloseHandle(hFile);
break;
}
ImageDosHeader = (IMAGE_DOS_HEADER *) BaseAddress;
ImageOptionalHeader = (_IMAGE_OPTIONAL_HEADER *) BaseAddress;
if (ImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE) // checks the DOS SIGNATURE, if not equals to (MZ) then stops
{
MessageBoxA(NULL,"Invalid Dos Header","Error",MB_OK);
free(BaseAddress);
CloseHandle(hFile);
break;
}
ImageNtHeaders = (IMAGE_NT_HEADERS *) (ImageDosHeader->e_lfanew + (DWORD) ImageDosHeader);
if (ImageNtHeaders->Signature != IMAGE_NT_SIGNATURE) // checks the PE header, if not equals to NT signature stops
{
MessageBoxA(NULL,"Invalid PE Signature","Error",MB_OK);
free(BaseAddress);
CloseHandle(hFile);
break;
}
// takes the address of first section
ImageSectionHeader = IMAGE_FIRST_SECTION(ImageNtHeaders);
// shows the section table
for (x = 0; x < ImageNtHeaders->FileHeader.NumberOfSections; x++)
{
memcpy(SectionName, ImageSectionHeader[x].Name,IMAGE_SIZEOF_SHORT_NAME);
long lSize;
char * buffer;
size_t result;
_ultoa(ImageSectionHeader[x].VirtualAddress,txt1,16);
_ultoa(ImageSectionHeader[x].Misc.VirtualSize,txt2,16);
_ultoa(ImageSectionHeader[x].PointerToRawData,txt3,16);
_ultoa(ImageSectionHeader[x].SizeOfRawData,txt4,16);
_ultoa(ImageSectionHeader[x].Characteristics,txt5,16);
strcat(txt, "Section Name: ");
strcat(txt, SectionName);
strcat(txt , "\r\n");
strcat(txt, "Virtual Address: ");
strcat(txt, txt1);
strcat(txt , "\r\n");
strcat(txt, "Virtual Size: ");
strcat(txt, txt2);
strcat(txt , "\r\n");
strcat(txt, "Raw Address: ");
strcat(txt, txt3);
strcat(txt , "\r\n");
strcat(txt, "Raw Size: ");
strcat(txt, txt4);
strcat(txt , "\r\n");
strcat(txt, "Characteristics: ");
strcat(txt, txt5);
strcat(txt , "\r\n\r\n");
SetDlgItemText(hwnd,EDIT2,txt);
}
/* VARIABLES USED TO STORE AND SHOW INFORMATIONS */
char Img[LENGTH],Img1[LENGTH];
char AeP[LENGTH],AeP1[LENGTH];
char BoC[LENGTH],BoC1[LENGTH];
char BoD[LENGTH],BoD1[LENGTH];
char Sa[LENGTH] ,Sa1[LENGTH];
char Fa[LENGTH] ,Fa1[LENGTH];
char Ss[LENGTH] ,Ss1[LENGTH];
char SoC[LENGTH],SoC1[LENGTH];
char SiD[LENGTH],SiD1[LENGTH];
char SuD[LENGTH],SuD1[LENGTH];
char Em[LENGTH] ,Em1[LENGTH];
char Sgn[LENGTH],Sgn1[LENGTH];
Img[0], Img1[0], AeP[0], AeP1[0], BoC[0], BoC1[0], BoD[0], BoD1[0], Sa[0] , Sa1[0] , Fa[0], Fa1[0] = '\0';
Ss[0] , Ss1[0] , SoC[0], SoC1[0], SiD[0], SiD1[0], SuD[0], SuD1[0], Em[0] , Em1[0] , Sgn[0], Sgn1[0] = '\0';
for (int i = 0; i < LENGTH; i++){
Img[i] = '\0';
AeP[i] = '\0';
BoC[i] = '\0';
BoD[i] = '\0';
Sa[i] = '\0';
Fa[i] = '\0';
Ss[i] = '\0';
SoC[i] = '\0';
SiD[i] = '\0';
SuD[i] = '\0';
Em[i] = '\0';
Sgn[i] = '\0';
}
//STORES VALUES
DWORD ImageBase = ImageNtHeaders->OptionalHeader.ImageBase;
DWORD AddressOfEntryPoint = ImageNtHeaders->OptionalHeader.AddressOfEntryPoint;
DWORD BaseOfCode = ImageNtHeaders->OptionalHeader.BaseOfCode;
DWORD BaseOfData = ImageNtHeaders->OptionalHeader.BaseOfData;
DWORD SectionAlignment = ImageNtHeaders->OptionalHeader.SectionAlignment;
DWORD FileAlignment = ImageNtHeaders->OptionalHeader.FileAlignment;
DWORD Subsystem = ImageNtHeaders->OptionalHeader.Subsystem;
DWORD SizeOfCode = ImageNtHeaders->OptionalHeader.SizeOfCode;
DWORD SizeOfInitializedData = ImageNtHeaders->OptionalHeader.SizeOfInitializedData;
DWORD SizeOfUnitializedData = ImageNtHeaders->OptionalHeader.SizeOfUninitializedData;
DWORD EMagic = ImageDosHeader->e_magic;
DWORD Signature = ImageNtHeaders->Signature;
/* CONVERT DWORD TO HEX ==> I REALLY LOVE THIS FUNCTION :P*/
_ultoa(ImageBase,Img1,16);
_ultoa(AddressOfEntryPoint,AeP1,16);
_ultoa(BaseOfCode,BoC1,16);
_ultoa(BaseOfData,BoD1,16);
_ultoa(SectionAlignment,Sa1,16);
_ultoa(FileAlignment,Fa1,16);
_ultoa(Subsystem,Ss1,16);
_ultoa(SizeOfCode,SoC1,16);
_ultoa(SizeOfInitializedData,SiD1,16);
_ultoa(SizeOfUnitializedData,SuD1,16);
_ultoa(EMagic,Em1,16);
_ultoa(Signature,Sgn1,16);
strcat(Img,"ImageBase: 0x");
strcat(Img, Img1);
strcat(AeP, "AddressOfEntryPoint: 0x");
strcat(AeP, AeP1);
strcat(BoC, "BaseOfCode: 0x");
strcat(BoC, BoC1);
strcat(BoD, "BaseOfData: 0x");
strcat(BoD, BoD1);
strcat(Sa, "SectionAlignment: 0x");
strcat(Sa, Sa1);
strcat(Fa, "FileAlignment: 0x");
strcat(Fa, Fa1);
strcat(Ss, "Subsystem: 0x");
strcat(Ss, Ss1);
strcat(SoC, "SizeOfCode: 0x");
strcat(SoC, SoC1);
strcat(SiD, "SizeOfInitializedData: 0x");
strcat(SiD, SiD1);
strcat(SuD, "SizeOfUnitializedData: 0x");
strcat(SuD, SuD1);
strcat(Em, "EMagic Signature: 0x");
strcat(Em, Em1);
strcat(Sgn, "PE Signature: 0x");
strcat(Sgn, Sgn1);
SetDlgItemText(hwnd,LABEL5, Img);
SetDlgItemText(hwnd,LABEL6, AeP);
SetDlgItemText(hwnd,LABEL7, BoC);
SetDlgItemText(hwnd,LABEL8, BoD);
SetDlgItemText(hwnd,LABEL9, Sa);
SetDlgItemText(hwnd,LABEL10,Fa);
SetDlgItemText(hwnd,LABEL11,Ss);
SetDlgItemText(hwnd,LABEL12,SoC);
SetDlgItemText(hwnd,LABEL13,SiD);
SetDlgItemText(hwnd,LABEL14,SuD);
SetDlgItemText(hwnd,LABEL15,Em);
SetDlgItemText(hwnd,LABEL16,Sgn);
/* INFORMATION */
/* LOGS FROM IMPORT TABLE */
f = fopen("import.txt","wa");
IT_Offset = RvaToOffset(ImageNtHeaders,ImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
ImageImportDescr = (IMAGE_IMPORT_DESCRIPTOR *) (IT_Offset + (DWORD) BaseAddress);
x = 0; // counter used under
while (ImageImportDescr[x].FirstThunk != 0) // analyzes all descriptors
{
Name = (char *) (RvaToOffset(ImageNtHeaders, ImageImportDescr[x].Name) + (DWORD) BaseAddress);
fprintf(f,"\nModule Name: %s\r\nFunctions:\r\n", Name);
// selects the array to analyze
Thunks = (DWORD *) (RvaToOffset(ImageNtHeaders, ImageImportDescr[x].OriginalFirstThunk != 0 ? ImageImportDescr[x].OriginalFirstThunk : ImageImportDescr[x].FirstThunk) + (DWORD) BaseAddress);
y = 0; // another counter
// browse into internal functions of the analyzed file
while (Thunks[y] != 0)
{
//imports
if (Thunks[y] & IMAGE_ORDINAL_FLAG)
{
fprintf(f,"Ordinal: %08X\r\n", (Thunks[y] - IMAGE_ORDINAL_FLAG));
y++;
continue;
}
ImgName = (IMAGE_IMPORT_BY_NAME *) (RvaToOffset(ImageNtHeaders, Thunks[y]) + (DWORD) BaseAddress);
fprintf(f,"Name: %s\r\n", &ImgName->Name);
y++;
}
x++;
}
fflush(f);
fclose(f);
std::ifstream of("import.txt");
char *s;
char sf[LENGTH*50],sf1[LENGTH*50];
sf[0], sf1[0] = '\0';
while (of)
{
of.getline(sf,1000);
strcat(sf1,sf);
strcat(sf1,"\r\n");
}
SetDlgItemText(hwnd,EDIT3,sf1);
of.close();
remove("import.txt");
/* IMPORT TABLE */
/* LOGS FROM EXPORT TABLE */
ET_Offset = RvaToOffset(ImageNtHeaders,ImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
ImageExportDir = (IMAGE_EXPORT_DIRECTORY *) (ET_Offset +(DWORD) BaseAddress);
Name = (char *) (RvaToOffset(ImageNtHeaders,ImageExportDir->Name) + (DWORD) BaseAddress);
Functions = (DWORD *) (RvaToOffset(ImageNtHeaders, ImageExportDir->AddressOfFunctions) + (DWORD) BaseAddress);
Names = (DWORD *) (RvaToOffset(ImageNtHeaders, ImageExportDir->AddressOfNames) + (DWORD) BaseAddress);
NameOrds = (WORD *) (RvaToOffset(ImageNtHeaders, ImageExportDir->AddressOfNameOrdinals) + (DWORD) BaseAddress);
// enums and shows functions
for (x = 0; x < ImageExportDir->NumberOfFunctions; x++)
{
// controllo se l'EP e' 0
// se si' allora passa alla prossima funzione
if (Functions[x] == 0)continue;
printf("\nOrd: %04X\nEP: %08X\n", (x + ImageExportDir->Base), Functions[x]);
f=fopen("export.txt","a");
if (f != NULL) {
fprintf(f,"\nOrd: %04X\nEP: %08X\n", (x + ImageExportDir->Base), Functions[x] );
fflush(f);
}
// if the function has also a name I show it
for (y = 0; y < ImageExportDir->NumberOfNames; y++)
{
if (NameOrds[y] == x)
{
FName = (char *) (RvaToOffset(ImageNtHeaders, Names[y]) + (DWORD) BaseAddress);
printf("Name: %s\n", FName);
if (f != NULL)
{
fprintf(f,"Name: %s\n", FName);
fflush(f);
fclose(f);
}
break;
}
}
}
std::ifstream of1("export.txt");
char sf2[LENGTH*80],sf3[LENGTH*80];
sf2[0], sf3[0] = '\0';
while (of1)
{
of1.getline(sf2,1000);
strcat(sf3,sf2);
strcat(sf3,"\r\n");
}
SetDlgItemText(hwnd,EDIT4,sf3);
of1.close();
remove("export.txt");
/* EXPORT TABLE */
free(BaseAddress);
CloseHandle(hFile);
}break; // end case BUTTON2
case BUTTON3:{PostQuitMessage (0);break;}
case BUTTON4:{
HANDLE hFile;
BYTE *BaseAddress;
WORD nSection;
DWORD FileSize, BRW, NameSize, Size;
char Dim[MAX_PATH], Sect[MAX_PATH];
int len, lent;
IMAGE_DOS_HEADER *ImageDosHeader;
IMAGE_NT_HEADERS *ImageNtHeaders;
IMAGE_SECTION_HEADER *ImageSectionHeader;
len = GetWindowTextLength (GetDlgItem (hwnd, EDIT6));
GetDlgItemText(hwnd,EDIT6,Dim, len + 1);
lent = GetWindowTextLength (GetDlgItem (hwnd, EDIT5));
GetDlgItemText(hwnd,EDIT5,Sect, lent + 1);
Size = atoi(Dim);
if (Size > 0 && lent > 0)
{
hFile = CreateFile(FileName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
if (hFile == INVALID_HANDLE_VALUE)
{
printf("Cannot Open the File\n");
return -1;
}
FileSize = GetFileSize(hFile, NULL);
BaseAddress = (BYTE *) malloc(FileSize);
if (!ReadFile(hFile, BaseAddress, FileSize, &BRW, NULL))
{
free(BaseAddress);
CloseHandle(hFile);
return -1;
}
ImageDosHeader = (IMAGE_DOS_HEADER *) BaseAddress;
ImageOptionalHeader = (_IMAGE_OPTIONAL_HEADER *) BaseAddress;
if (ImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE) // checks the DOS SIGNATURE, if not equals to (MZ) then stops
{
MessageBoxA(NULL,"Invalid Dos Header","Error",MB_OK);
free(BaseAddress);
CloseHandle(hFile);
break;
}
ImageNtHeaders = (IMAGE_NT_HEADERS *) (ImageDosHeader->e_lfanew + (DWORD) ImageDosHeader);
if (ImageNtHeaders->Signature != IMAGE_NT_SIGNATURE) // checks the PE header, if not equals to NT signature stops
{
MessageBoxA(NULL,"Invalid PE Signature","Error",MB_OK);
free(BaseAddress);
CloseHandle(hFile);
break;
}
// prende le dimensioni
printf("Creating New Section...\n");
nSection = ImageNtHeaders->FileHeader.NumberOfSections;
ImageNtHeaders->FileHeader.NumberOfSections++;
ImageSectionHeader = IMAGE_FIRST_SECTION(ImageNtHeaders);
ImageNtHeaders->OptionalHeader.SizeOfImage += CalcAlignment(ImageNtHeaders->OptionalHeader.SectionAlignment, Size);
ZeroMemory(&ImageSectionHeader[nSection], IMAGE_SIZEOF_SECTION_HEADER);
if (strlen(Sect) <= IMAGE_SIZEOF_SHORT_NAME)
{
NameSize = strlen(Sect);
}
else
{
NameSize = IMAGE_SIZEOF_SHORT_NAME;
}
memcpy(&ImageSectionHeader[nSection].Name, Sect, NameSize);
// calcola il Virtual Address della nuova sezione
ImageSectionHeader[nSection].VirtualAddress = CalcAlignment(ImageNtHeaders->OptionalHeader.SectionAlignment, (ImageSectionHeader[nSection - 1].VirtualAddress + ImageSectionHeader[nSection - 1].Misc.VirtualSize));
ImageSectionHeader[nSection].Misc.VirtualSize = Size;
if (ImageSectionHeader[nSection - 1].SizeOfRawData % ImageNtHeaders->OptionalHeader.FileAlignment)
{
// se la sezione prima di quella che vogliamo creare noi non � allineata lo faccio
ImageSectionHeader[nSection - 1].SizeOfRawData = CalcAlignment(ImageNtHeaders->OptionalHeader.FileAlignment, ImageSectionHeader[nSection - 1].SizeOfRawData);
SetFilePointer(hFile,(ImageSectionHeader[nSection - 1].PointerToRawData + ImageSectionHeader[nSection - 1].SizeOfRawData), NULL, FILE_BEGIN);
SetEndOfFile(hFile);
}
ImageSectionHeader[nSection].PointerToRawData = GetFileSize(hFile, NULL);
ImageSectionHeader[nSection].SizeOfRawData = CalcAlignment(ImageNtHeaders->OptionalHeader.FileAlignment, Size);
ImageSectionHeader[nSection].Characteristics = IMAGE_SCN_MEM_READ;
SetFilePointer(hFile, ImageSectionHeader[nSection].SizeOfRawData,NULL, FILE_END);
SetEndOfFile(hFile);
// salvo le modifiche
SetFilePointer(hFile, 0, NULL, FILE_BEGIN);
WriteFile(hFile, BaseAddress, FileSize, &BRW, NULL);
MessageBox(NULL,"The section has been successfully added!","Info",MB_OK);
free(BaseAddress);
CloseHandle(hFile);
}
else
{
MessageBox(NULL,"The section was not added correctly!","Error",MB_OK);
}
}break; // fine button 4
case BUTTON5:
{
MessageBoxA(NULL,"Program created by Zyrel aka Marco Lagalla.\nVisit us on: <a href="http://www.unfair-gamers.com" target="_blank">http://www.unfair-gamers.com</a>!\nThanks to Ntoskrnl <img src="images/smilies1/wink1.gif" style="vertical-align: middle;" border="0" alt="Wink" title="Wink" />","Credits and Disclaimer",MB_OK);
}break;
case BUTTON6:
{
ShellExecute(NULL,"open","http://www.unfair-gamers.com/forum/index.php",NULL,NULL,SW_HIDE);
}break;
default:{break;} // DEFAUL CONTROLLI
}break;} // FINE WM_COMMAND
case WM_DESTROY:
{
PostQuitMessage (0);
}break; /* send a WM_QUIT to the message queue */
default: /* for messages that we don't deal with */
return DefWindowProc (hwnd, message, wParam, lParam);
case WM_CTLCOLORSTATIC:
{
SetTextColor((HDC)hLabel2,RGB(141,149,155));
}
}
return 0;
}
