Exemplo n.º 1
0
void get_wprotect_sdk_address(CPESection & section,
                              BuildExeInfo & build_info,
                              char *sz_sdk_begin_name,
                              char *sz_sdk_end_name)
{
    int sdk_begin_count       = 0;
    int sdk_end_count         = 0;
    int protect_begin_address = 0;
    int protect_end_address   = 0;
    int section_count         = section.GetSectionCount();
    int sdk_begin_str_size    = (int)strlen(sz_sdk_begin_name) + 1;
    int sdk_end_str_size      = (int)strlen(sz_sdk_end_name)   + 1;

    for (int i = 0; i < section_count; i++)  // 每个区段
    {
        DWORD section_size;
        BYTE * p = section.GetSectionData(i, &section_size);
        printf("第%d个区段,大小%d\n",i,section_size);

        for (DWORD offset = 0; offset+1 < section_size; offset++)
        {
            if ( !(section.GetCharacteristics(i) & 0x20000000) )  // IMAGE_SCN_MEM_EXECUTE
                continue;

            if (p[offset] == 0xeb)
            {
                if (p[offset+1] == sdk_begin_str_size &&
                    offset+2 + sdk_begin_str_size < section_size)
                {
                    if (!strcmp(sz_sdk_begin_name, (char*)p+offset+2))
                    {
                        sdk_begin_count++;
                        if (sdk_begin_count - sdk_end_count == 1)
                        {
                            memset(p+offset, 0x90, 2+sdk_begin_str_size);
                            protect_begin_address = (ULONG)(p+offset);
                        }
                        else
                        {
                            printf("sdk_begin_count Error!\n");
                        }
                    }
                }
                else if (p[offset+1] == sdk_end_str_size &&
                    offset+2 + sdk_end_str_size < section_size)
                {
                    if (!strcmp(sz_sdk_end_name, (char*)p+offset+2))
                    {
                        sdk_end_count++;
                        if (sdk_begin_count == sdk_end_count)
                        {
                            protect_end_address = (ULONG)(p+offset);
                            memset(p+offset, 0x90, 2+sdk_end_str_size);

                            Code_Piece piece;
                            piece.CodeStartAddr =
                                section.GetSectionVa(i, protect_begin_address - (ULONG)p);

                            piece.CodeSize = protect_end_address - protect_begin_address;
                            build_info.push_back(piece);

                            printf("保护地址%x - %x\n",
                                piece.CodeStartAddr,
                                piece.CodeStartAddr+piece.CodeSize);
                        }
                        else
                        {
                            printf("sdk_end_count Error!\n");
                        }
                    }
                }
            }
        }
    }
    if (sdk_begin_count != sdk_end_count)
    {
        printf("need last sdk_end_count!\n");
        exit(-1);
    }
}
Exemplo n.º 2
0
void get_wprotect_sdk_address(CPESection & section,
                              BuildCodeInfo & build_info,
                              char *sz_sdk_begin_name,
                              char *sz_sdk_end_name)
{
  int sdk_begin_count = 0;
  int sdk_end_count = 0;
  int protect_begin_address = 0;
  int protect_end_address = 0;
  int section_count = section.GetSectionCount();
  for (int index = 0;index <  section_count;index++)
  {
      DWORD section_size;
      BYTE * ptr_section_data = section.GetSectionData(index,&section_size);
      printf("\nSection No.%02d Size 0x%04X Flags 0x%8X IsExecute: %s\n",index,section_size,section.GetCharacteristics(index),(section.GetCharacteristics(index) & 0x20000000)?"true":"false");
      if (! (section.GetCharacteristics(index) & 0x20000000))
      {
          continue;
      }
      for (int offset = 0;offset < section_size;offset++)
      {
          if (ptr_section_data[offset] == 0xeb
                  && sdk_begin_count==0
                  && sdk_end_count==0
                  && offset + max(strlen(sz_sdk_begin_name)+1,strlen(sz_sdk_end_name)+1) < section_size
                  )
          {
              sdk_begin_count++;
              sdk_end_count++;
              if (ptr_section_data[offset + sdk_begin_count] == strlen(sz_sdk_begin_name) + 1
                  && sdk_begin_count == 1)
              {
                  sdk_begin_count++;
                  sdk_end_count = 0;
                  continue;
              }
              else
              {
                  sdk_begin_count = 0;
              }
              if (ptr_section_data[offset + sdk_end_count] == strlen(sz_sdk_end_name) + 1
                  && sdk_end_count == 1)
              {
                  sdk_end_count++;
                  continue;
              }
              else
              {
                  sdk_end_count = 0;
              }

          }
          if (sdk_begin_count > 1)
          {
              if (ptr_section_data[offset + 1] == sz_sdk_begin_name[sdk_begin_count-2])
              {
                  sdk_begin_count++;
              }
              else
              {
                  sdk_begin_count = 0;
                  offset--;
                  continue;
              }

          }
          if (sdk_end_count > 1)
          {
              if (ptr_section_data[offset + 1] == sz_sdk_end_name[sdk_end_count-2])
              {
                  sdk_end_count++;
              }
              else
              {
                  sdk_end_count = 0;
                  offset--;
                  continue;
              }
          }
          if (sdk_begin_count == strlen(sz_sdk_begin_name) + 3)
          {
              int sdk_begin_str_size = strlen(sz_sdk_begin_name) + 1;
              printf("Found WProtect Begin offset:%08X, va:%08X\n",
                     offset - sdk_begin_str_size,
                     section.GetSectionVa(index,offset - sdk_begin_str_size));
              protect_begin_address = section.GetSectionVa(index,offset - sdk_begin_str_size);
              memset((void*)section.GetSectionPtr(index,offset - sdk_begin_str_size),0x90,sdk_begin_count);
              sdk_begin_count = 0;

              //__asm__("int3");
          }
          if (sdk_end_count == strlen(sz_sdk_end_name) + 3)
          {
              printf("Found WProtect End   offset:%08X\n",offset - strlen(sz_sdk_end_name) - 1);
              int sdk_end_str_size = strlen(sz_sdk_end_name) + 1;
              protect_end_address = section.GetSectionVa(index,offset - sdk_end_str_size);
              if (protect_begin_address == 0 )
              {
                  printf("%08X Can not find a mathing WProtect Begin\n",protect_end_address);
              }
              else
              {
                  build_piece piece;
                  piece.build_exec_addr = protect_begin_address;
                  piece.build_exec_size = protect_end_address - protect_begin_address + sdk_end_str_size + 2;
                  printf("Protect Address: %08X - %08X\n",piece.build_exec_addr,piece.build_exec_addr+piece.build_exec_size);
                  build_info.push_back(piece);
              }
              protect_begin_address = 0;
              protect_end_address = 0;
              memset((void*)section.GetSectionPtr(index,offset - sdk_end_str_size),0x90,sdk_end_count);

              sdk_end_count = 0;
          }

          //printf("%x\n",offset);
          //printf("%x ",ptr_section_data[offset]);
          //if ((offset)%16==0)
          //{
          //    printf("\n");
          //}
      }
   }
  //throw;

}