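/*
 * Find a section header by name in a mapped PE image.
 *
 * hMod         - base of the mapped module.
 * section_name - name to look for. Only the first 8 bytes take part in the
 *                comparison (the size of IMAGE_SECTION_HEADER::Name), so a
 *                longer string matches on its 8-byte prefix.
 *
 * Returns the first header whose Name matches, or NULL when an argument is
 * NULL, GetNtHeader() yields no NT headers, VirtualCheckRegion() rejects the
 * section table, or no section matches.
 */
PIMAGE_SECTION_HEADER GetSectionHeader(HMODULE hMod, const char *section_name)
{
    PIMAGE_NT_HEADERS pNTH;
    PIMAGE_SECTION_HEADER pSH;
    WORD c;

    if(!hMod || !section_name) {
        return NULL;
    }

    pNTH = GetNtHeader(hMod);
    if(!pNTH) {
        return NULL;
    }

    // OptionalHeader position + SizeOfOptionalHeader = Section headers.
    // The sum is done on a byte pointer: casting the address to DWORD would
    // discard the upper half of the pointer in a 64-bit build.
    pSH = (PIMAGE_SECTION_HEADER)((BYTE *)&pNTH->OptionalHeader + pNTH->FileHeader.SizeOfOptionalHeader);

    // NumberOfSections comes from the image itself, so the whole table is
    // checked before it is walked. VirtualCheckRegion is defined elsewhere;
    // presumably it confirms the range is readable - confirm.
    if(!VirtualCheckRegion(pSH, sizeof(IMAGE_SECTION_HEADER) * pNTH->FileHeader.NumberOfSections)) {
        return NULL;
    }

    // Search
    for(c = 0; c < pNTH->FileHeader.NumberOfSections; c++) {
        // Name is a BYTE[8] that need not be NUL-terminated, hence the
        // explicit cast and the 8-byte bound.
        if(strncmp((const char *)pSH->Name, section_name, 8) == 0) {
            return pSH;
        }
        ++pSH;
    }
    return NULL;
}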
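/*
 * Parameters:
 *   pMem:               pointer to the file mapping of the target program being protected
 *   pRecord:            protection-information record structure
 *   pEncryptProcedures: pointer to the encrypt-procedure structures
 *
 * Description:
 *   Runs when the OK button is pressed and protects the selected functions.
 *   The image base is not a parameter; it is read from the NT headers of pMem.
 *   Returns without doing anything when GetNtHeader() yields NULL.
 */
__void __API__ PowerProtectAthGo(__memory pMem, PPOWER_PROTECTER_PROCEDURE pRecord, PPOWER_PROTECTER_ENCRYPT_PROCEDURE pEncryptProcedures) {
    __integer i = 0;
    __integer iCount = 0;
    __integer iEncryptInstCount = 0;
    __address addrImageBase = 0;
    PPOWER_PROTECTER_INSTRUCTION pInstructions = NULL;
    PPOWER_PROTECTER_PROCEDURE_RECORD pProcedure = NULL;
    PPOWER_PROTECTER_WATCH_RECORD pKeyProcedure = NULL;
    PPOWER_PROTECTER_ENCRYPT_PROCEDURE pCurrEncryptProcedure = NULL;
    PIMAGE_NT_HEADERS pNtHdr = NULL;

    // Get the NT headers
    pNtHdr = GetNtHeader(pMem);
    // GetNtHeader is defined elsewhere; if it reports a bad image with NULL,
    // stop here instead of dereferencing it.
    if (pNtHdr == NULL)
        return;

    // Get the image base
    addrImageBase = pNtHdr->OptionalHeader.ImageBase;

    // Total number of records
    // NOTE(review): iCount indexes four arrays of pRecord below; their
    // capacity is not visible here - confirm iCount is bounded by the producer.
    iCount = pRecord->iCount;

    // Set the file-address pointer of every function
    PowerProtecterSetFileAddress(pMem, addrImageBase, pRecord);

    pCurrEncryptProcedure = pEncryptProcedures; // points at the first encrypt-procedure structure
    for (i = 0; i < iCount; i++) {
        pProcedure = &(pRecord->Procedure[i]);
        pKeyProcedure = &(pRecord->KeyProcedure[i]);
        pInstructions = (PPOWER_PROTECTER_INSTRUCTION)&(pRecord->Instructions[i]);
        iEncryptInstCount = pRecord->iInstructionCount[i];
        // Each call hands back the structure pointer that the next iteration passes in.
        pCurrEncryptProcedure = PowerProtectThisProcedure(i, pMem, pProcedure, pKeyProcedure, pInstructions, iEncryptInstCount, pCurrEncryptProcedure);
    }
}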
// Returns the first section header of the image, or NULL when GetNtHeader()
// yields no NT headers.
PIMAGE_SECTION_HEADER CPEFile::GetFirstSectionHeader()
{
    PIMAGE_NT_HEADERS32 pNtHeaders = GetNtHeader();
    if (pNtHeaders == NULL)
        return NULL;

    // IMAGE_FIRST_SECTION is the winnt.h macro that steps past the optional
    // header to reach the section table.
    return IMAGE_FIRST_SECTION(pNtHeaders);
}
// Returns a pointer to the FileHeader member of the NT headers, or NULL when
// GetNtHeader() yields no NT headers.
PIMAGE_FILE_HEADER CPEFile::GetNtFileHeader()
{
    PIMAGE_NT_HEADERS32 pNtHeaders = GetNtHeader();
    if (pNtHeaders == NULL)
        return NULL;

    return (PIMAGE_FILE_HEADER)&pNtHeaders->FileHeader;
}
// Returns a pointer to the OptionalHeader member of the NT headers, viewed as
// the 32-bit layout, or NULL when GetNtHeader() yields no NT headers.
PIMAGE_OPTIONAL_HEADER32 CPEFile::GetNtOptionalHeader()
{
    PIMAGE_NT_HEADERS32 pNtHeaders = GetNtHeader();
    if (pNtHeaders == NULL)
        return NULL;

    return (PIMAGE_OPTIONAL_HEADER32)&pNtHeaders->OptionalHeader;
}
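// Reports whether the file carries both the DOS ("MZ") and the NT ("PE\0\0")
// signature.
//
// Returns false when either header pointer is missing: the other accessors of
// this class treat GetNtHeader() as able to return NULL, so this one does too
// instead of dereferencing it.
//
// NOTE(review): IMAGE_NT_SIGNATURE is the same for PE32 and PE32+ images and
// OptionalHeader.Magic is not examined here, while the headers are read through
// the 32-bit layout (PIMAGE_NT_HEADERS32) - confirm that 64-bit images are
// rejected somewhere before the 32-bit fields are trusted.
// NOTE(review): whether GetNtHeader() bounds e_lfanew against the size of the
// file is not visible here - confirm before using this on untrusted input.
bool CPEFile::IsPEFile()
{
    PIMAGE_DOS_HEADER pDosHeader = GetDosHeader();
    if (!pDosHeader || pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return false;

    PIMAGE_NT_HEADERS32 pNtHeader = GetNtHeader();
    if (!pNtHeader)
        return false;

    return pNtHeader->Signature == IMAGE_NT_SIGNATURE;
}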
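/*
 * Resolve one data-directory entry of a mapped module to a pointer.
 *
 * hMod      - base of the mapped module; the directory's VirtualAddress is
 *             added to it.
 * directory - IMAGE_DIRECTORY_ENTRY_* index, at most
 *             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR.
 *
 * Returns hMod + VirtualAddress, or NULL when the index is out of range, the
 * image declares fewer directories than the index needs, GetNtHeader() yields
 * no NT headers, or the entry's VirtualAddress is 0.
 */
void *GetNtDataDirectory(HMODULE hMod, BYTE directory)
{
    PIMAGE_NT_HEADERS pNTH;
    DWORD DirVA;

    assert(directory <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR);
    // assert() disappears under NDEBUG, so the bound is enforced again at run
    // time; otherwise a release build would index past DataDirectory[].
    if(directory > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) {
        return NULL;
    }

    pNTH = GetNtHeader(hMod);
    if(!pNTH) {
        return NULL;
    }

    // Entries at or beyond NumberOfRvaAndSizes are not part of this image's
    // directory table; the bytes found there belong to whatever follows it.
    if(directory >= pNTH->OptionalHeader.NumberOfRvaAndSizes) {
        return NULL;
    }

    DirVA = pNTH->OptionalHeader.DataDirectory[directory].VirtualAddress;
    if(!DirVA) {
        return NULL;
    }

    // NOTE(review): DirVA is not compared with SizeOfImage here; callers that
    // handle images they did not load themselves should range-check the result.
    return (BYTE*)hMod + DirVA;
}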
/*
 * Parameters:
 *   pMem:    pointer to the mapped memory of the program being protected
 *   pRecord: record of what is to be protected
 *
 * Description:
 *   Adds up the length of all encrypt-procedure structures and returns the total.
 */
__integer __API__ PowerProtecterAthCountAllEncryptProceduresSize(__memory pMem, PPOWER_PROTECTER_PROCEDURE pRecord) {
    ud_t ud_obj = {0};
    __integer iFlowCount = 0;
    __integer iTotalSize = 0;
    __integer iEncryptInstSize = 0;
    __integer iSize = 0;
    __integer i = 0;
    // NOTE(review): the result of GetNtHeader() is dereferenced unchecked;
    // confirm it cannot be NULL for the images this is called on.
    __address addrImageBase = GetNtHeader(pMem)->OptionalHeader.ImageBase;
    __integer iCount = pRecord->iCount;

    for (i = 0; i < iCount; i++) {
        __address addrProcMemAddress = pRecord->Procedure[i].addrMemAddress;
        // NOTE(review): neither the Rva2Raw() result nor iProcSize is checked
        // against the size of the mapping before the bytes are disassembled.
        __memory pProcFileAddress = pMem + Rva2Raw(pMem, addrProcMemAddress - addrImageBase);
        __integer iProcSize = pRecord->Procedure[i].iSize;

        // Count the flow instructions of this function (32-bit mode, Intel syntax)
        ud_init(&ud_obj);
        ud_set_input_buffer(&ud_obj, pProcFileAddress, iProcSize);
        ud_set_mode(&ud_obj, 32);
        ud_set_syntax(&ud_obj, UD_SYN_INTEL);
        while (ud_disassemble(&ud_obj)) {
            if (IsFlowInstructionByOffset(&ud_obj) != PPFT_NONE)
                iFlowCount++;
        }

        // Work out the sizes finally required.
        // NOTE(review): iFlowCount is not reset between procedures, so each
        // procedure's figure also includes the flow instructions of every
        // earlier one. The total feeds a size calculation; confirm whether the
        // consumer relies on this before changing it.
        iEncryptInstSize = (iFlowCount + pRecord->iInstructionCount[i]) * sizeof(POWER_PROTECTER_ENCRYPT_INSTRUCTION); // total length of the encrypt instructions

        // length of the encrypted function + length of the function's encrypt
        // structure + total length of the decrypt-instruction structures
        iSize = pRecord->Procedure[i].iSize + sizeof(POWER_PROTECTER_ENCRYPT_PROCEDURE) + iEncryptInstSize;
        iSize = Alig(iSize, __POWER_PROTECT_ENCRYPT_PROCEDURE_ALIGN__, TRUE);
        iTotalSize = iTotalSize + iSize;
    }

    return iTotalSize;
}
// Maps a data-directory index to a pointer to that directory's data.
//
// Returns NULL when GetNtHeader() yields no NT headers, when the entry's
// VirtualAddress is 0, or when RvaToPtr() cannot resolve the RVA.
void * CPEFile::GetDirectoryEntryToData(unsigned short DirectoryEntry)
{
    if (!GetNtHeader())
        return NULL;

    // NOTE(review): the result of GetDataDirectory() is dereferenced unchecked;
    // confirm it cannot return NULL for an out-of-range DirectoryEntry.
    DWORD dwDataStartRVA = GetDataDirectory(DirectoryEntry)->VirtualAddress;
    if (!dwDataStartRVA)
        return NULL;

    // RvaToPtr() already returns NULL for an RVA it cannot resolve.
    return RvaToPtr(dwDataStartRVA);
}
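// Converts a virtual address (relative to the image's preferred ImageBase)
// into a pointer inside the mapped file.
//
// Returns NULL when GetNtHeader() yields no NT headers, when dwVA lies below
// ImageBase, or when ImageRvaToVa() fails to resolve the resulting RVA.
void * CPEFile::VaToPtr(DWORD dwVA)
{
    PIMAGE_NT_HEADERS32 pNth = GetNtHeader();
    // Without NT headers there is no optional header to read ImageBase from.
    if (!pNth)
        return NULL;

    DWORD dwImageBase = pNth->OptionalHeader.ImageBase;
    // A VA below the image base would wrap around to a huge RVA in the
    // unsigned subtraction, which a malformed section table could then match.
    if (dwVA < dwImageBase)
        return NULL;

    // m_pFile is assumed valid whenever GetNtHeader() succeeds - TODO confirm.
    return ImageRvaToVa(pNth, m_pFile->ImageBase, dwVA - dwImageBase, NULL);
}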
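// Converts a relative virtual address into a pointer inside the mapped file.
//
// Returns NULL when GetNtHeader() yields no NT headers or when ImageRvaToVa()
// fails to resolve dwRVA.
void * CPEFile::RvaToPtr(DWORD dwRVA)
{
    PIMAGE_NT_HEADERS32 pNth = GetNtHeader();
    // The other accessors of this class treat GetNtHeader() as able to return
    // NULL; do the same here instead of handing NULL to ImageRvaToVa().
    if (!pNth)
        return NULL;

    // m_pFile is assumed valid whenever GetNtHeader() succeeds - TODO confirm.
    return ImageRvaToVa(pNth, m_pFile->ImageBase, dwRVA, NULL);
}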