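/*
 * Looks up a section header by name in the module mapped at hMod.
 *
 * hMod:         module base (the PE headers start here)
 * section_name: name to match against IMAGE_SECTION_HEADER.Name. Only the
 *               first 8 bytes are compared, because an on-disk section name
 *               is not necessarily NUL-terminated.
 *
 * Returns the first matching header, or NULL when an argument is NULL, the
 * NT header can't be located, the section table isn't readable, or nothing
 * matches.
 */
PIMAGE_SECTION_HEADER GetSectionHeader(HMODULE hMod, const char *section_name)
{
	PIMAGE_NT_HEADERS pNTH;
	PIMAGE_SECTION_HEADER pSH;
	WORD c;

	if(!hMod || !section_name) {
		return NULL;
	}
	pNTH = GetNtHeader(hMod);
	if(!pNTH) {
		return NULL;
	}
	// The section table starts right after the optional header. Do the
	// arithmetic on a byte pointer: rounding through DWORD truncates the
	// pointer on a 64-bit build.
	pSH = (PIMAGE_SECTION_HEADER)(
		(unsigned char *)&pNTH->OptionalHeader + pNTH->FileHeader.SizeOfOptionalHeader
	);

	// NumberOfSections comes from the file itself; make sure the whole
	// table is actually readable before walking it.
	if(!VirtualCheckRegion(pSH, sizeof(IMAGE_SECTION_HEADER) * pNTH->FileHeader.NumberOfSections)) {
		return NULL;
	}
	for(c = 0; c < pNTH->FileHeader.NumberOfSections; c++) {
		if(strncmp((const char *)pSH->Name, section_name, 8) == 0) {
			return pSH;
		}
		++pSH;
	}
	return NULL;
}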
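/*
 * Parameters:
 *	pMem:               file mapping of the target program being protected
 *	pRecord:            protection record (procedures, key procedures,
 *	                    instruction lists and per-procedure instruction counts)
 *	pEncryptProcedures: pointer to the first encrypted-procedure structure
 *
 * Description:
 *	Invoked when the OK button is pressed; protects every selected procedure
 *	in pRecord in turn. The image base is taken from the NT header of pMem.
 *	Does nothing when pMem carries no valid NT header.
 */
__void __API__ PowerProtectAthGo(__memory pMem, PPOWER_PROTECTER_PROCEDURE pRecord, PPOWER_PROTECTER_ENCRYPT_PROCEDURE pEncryptProcedures) {
	__integer i = 0;
	__integer iCount = 0;
	__integer iEncryptInstCount = 0;
	__address addrImageBase = 0;
	PPOWER_PROTECTER_INSTRUCTION pInstructions = NULL;
	PPOWER_PROTECTER_PROCEDURE_RECORD pProcedure = NULL;
	PPOWER_PROTECTER_WATCH_RECORD pKeyProcedure = NULL;
	PPOWER_PROTECTER_ENCRYPT_PROCEDURE pCurrEncryptProcedure = NULL;
	PIMAGE_NT_HEADERS pNtHdr = NULL;

	// Locate the NT header; without it there is no image base to work from,
	// so bail out rather than dereference NULL below.
	pNtHdr = GetNtHeader(pMem);
	if (pNtHdr == NULL)
		return;

	addrImageBase = pNtHdr->OptionalHeader.ImageBase;

	// Number of procedures recorded for protection
	iCount = pRecord->iCount;

	// Resolve the file offset of every recorded procedure
	PowerProtecterSetFileAddress(pMem, addrImageBase, pRecord);

	// Each call returns where the next encrypted-procedure structure goes,
	// so the output structures are chained through pCurrEncryptProcedure.
	pCurrEncryptProcedure = pEncryptProcedures;
	for (i = 0; i < iCount; i++) {
		pProcedure = &(pRecord->Procedure[i]);
		pKeyProcedure = &(pRecord->KeyProcedure[i]);
		pInstructions = (PPOWER_PROTECTER_INSTRUCTION)&(pRecord->Instructions[i]);
		iEncryptInstCount = pRecord->iInstructionCount[i];
		pCurrEncryptProcedure = PowerProtectThisProcedure(i, pMem, pProcedure, pKeyProcedure, pInstructions, iEncryptInstCount, pCurrEncryptProcedure);
	}
}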
// Returns the first IMAGE_SECTION_HEADER of the mapped file, or NULL when
// no NT header is available.
PIMAGE_SECTION_HEADER CPEFile::GetFirstSectionHeader()  // done!
{
    PIMAGE_NT_HEADERS32 ntHeaders = GetNtHeader();
    if (!ntHeaders)
        return NULL;
    // The winnt.h macro steps past the optional header by SizeOfOptionalHeader.
    return IMAGE_FIRST_SECTION(ntHeaders);
}
// Returns the IMAGE_FILE_HEADER embedded in the NT headers, or NULL when
// GetNtHeader() finds none.
PIMAGE_FILE_HEADER CPEFile::GetNtFileHeader()  // done!
{
    PIMAGE_NT_HEADERS32 ntHeaders = GetNtHeader();
    if (!ntHeaders)
        return NULL;
    // FileHeader is embedded by value; hand back its address.
    return &ntHeaders->FileHeader;
}
// Returns the 32-bit optional header embedded in the NT headers, or NULL
// when GetNtHeader() finds none.
PIMAGE_OPTIONAL_HEADER32 CPEFile::GetNtOptionalHeader()  // done!
{
    PIMAGE_NT_HEADERS32 ntHeaders = GetNtHeader();
    if (!ntHeaders)
        return NULL;
    return &ntHeaders->OptionalHeader;
}
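// Checks that the mapped file carries both the DOS ("MZ") and the NT
// ("PE\0\0") signature. Returns false when either header is unavailable,
// so a short or non-PE mapping is rejected instead of dereferencing NULL
// (the sibling accessors already test the header pointers; this one didn't).
bool CPEFile::IsPEFile()  // done!
{
    PIMAGE_DOS_HEADER pDosHeader = GetDosHeader();
    if (!pDosHeader || pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return false;

    PIMAGE_NT_HEADERS32 pNtHeader = GetNtHeader();
    if (!pNtHeader)
        return false;
    // NOTE(review): this relies on GetNtHeader() having verified that
    // e_lfanew points inside the mapping; e_lfanew is file-controlled, confirm.
    return pNtHeader->Signature == IMAGE_NT_SIGNATURE;
}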
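/*
 * Returns a pointer to data directory [directory] of the loaded module hMod,
 * or NULL when the module has no NT header, the index is out of range, or
 * the directory is absent (VirtualAddress == 0).
 *
 * directory: one of the IMAGE_DIRECTORY_ENTRY_* indices.
 */
void *GetNtDataDirectory(HMODULE hMod, BYTE directory)
{
	PIMAGE_NT_HEADERS pNTH;

	assert(directory <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR);

	pNTH = GetNtHeader(hMod);
	if(pNTH) {
		// The assert above disappears in release builds, and an image may
		// declare fewer than 16 directories (NumberOfRvaAndSizes). Either
		// way, indexing DataDirectory[] past the end reads outside the
		// optional header.
		if(directory > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
		|| directory >= pNTH->OptionalHeader.NumberOfRvaAndSizes) {
			return NULL;
		}
		DWORD DirVA = pNTH->OptionalHeader.DataDirectory[directory].VirtualAddress;
		// An RVA at or beyond SizeOfImage can't point into the mapped module.
		if(DirVA && DirVA < pNTH->OptionalHeader.SizeOfImage) {
			return (BYTE*)hMod + DirVA;
		}
	}
	return NULL;
}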
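/*
 *
 * Parameters:
 *	pMem:    memory mapping of the program being protected
 *	pRecord: record of the procedures to protect
 *
 * Description:
 *	Computes the total number of bytes needed for the encrypted-procedure
 *	structures of every procedure in pRecord: per procedure, the procedure
 *	body + one POWER_PROTECTER_ENCRYPT_PROCEDURE + one
 *	POWER_PROTECTER_ENCRYPT_INSTRUCTION per flow instruction and per
 *	recorded instruction, rounded up to __POWER_PROTECT_ENCRYPT_PROCEDURE_ALIGN__.
 *	Returns 0 when pMem has no valid NT header.
 */
__integer __API__ PowerProtecterAthCountAllEncryptProceduresSize(__memory pMem, PPOWER_PROTECTER_PROCEDURE pRecord) {
	__integer iTotalSize = 0;
	__integer i = 0;
	__integer iCount = 0;
	__integer iEncryptInstSize = 0;
	__integer iSize = 0;
	__address addrImageBase = 0;
	PIMAGE_NT_HEADERS pNtHdr = NULL;
	ud_t ud_obj = {0};

	// No NT header means no image base, so no offsets can be resolved.
	pNtHdr = GetNtHeader(pMem);
	if (pNtHdr == NULL)
		return 0;
	addrImageBase = pNtHdr->OptionalHeader.ImageBase;
	iCount = pRecord->iCount;

	for (i = 0; i < iCount; i++) {
		__memory pProcFileAddress = NULL;
		__integer iProcSize = 0;
		__address addrProcMemAddress = 0;
		// Flow-instruction count for THIS procedure only. It previously
		// lived outside the loop and was never reset, so every procedure
		// after the first was also charged for its predecessors' flow
		// instructions, inflating the total.
		// NOTE(review): the consumer (PowerProtectThisProcedure) must size
		// each structure with the same per-procedure formula — confirm.
		__integer iFlowCount = 0;

		addrProcMemAddress = pRecord->Procedure[i].addrMemAddress;
		pProcFileAddress = pMem + Rva2Raw(pMem, addrProcMemAddress - addrImageBase);
		iProcSize = pRecord->Procedure[i].iSize;

		// Disassemble the procedure and count its flow instructions
		ud_init(&ud_obj);
		ud_set_input_buffer(&ud_obj, pProcFileAddress, iProcSize);
		ud_set_mode(&ud_obj, 32);
		ud_set_syntax(&ud_obj, UD_SYN_INTEL);
		while (ud_disassemble(&ud_obj)) {
			POWER_PROTECTER_FLOW_TYPE Type = PPFT_NONE;
			Type = IsFlowInstructionByOffset(&ud_obj);
			if (Type != PPFT_NONE)
				iFlowCount++;
		}

		// Total size of the encrypted-instruction records
		iEncryptInstSize = (iFlowCount + pRecord->iInstructionCount[i]) * sizeof(POWER_PROTECTER_ENCRYPT_INSTRUCTION);
		// encrypted body + procedure structure + instruction records
		iSize = pRecord->Procedure[i].iSize + sizeof(POWER_PROTECTER_ENCRYPT_PROCEDURE) + iEncryptInstSize;
		iSize = Alig(iSize, __POWER_PROTECT_ENCRYPT_PROCEDURE_ALIGN__, TRUE);
		iTotalSize += iSize;
	}

	return iTotalSize;
}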
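// Resolves data directory DirectoryEntry to a pointer inside the mapping.
// Returns NULL when there is no NT header, the index is beyond the number
// of directories the image declares, the directory entry can't be fetched,
// the directory is empty (VirtualAddress == 0), or its RVA doesn't map.
void * CPEFile::GetDirectoryEntryToData(unsigned short DirectoryEntry)
{
    PIMAGE_NT_HEADERS32 pNth = GetNtHeader();
    if (!pNth)
        return NULL;
    // DataDirectory[] has at most NumberOfRvaAndSizes valid entries; a
    // larger index reads past the end of the optional header.
    if (DirectoryEntry >= pNth->OptionalHeader.NumberOfRvaAndSizes)
        return NULL;

    PIMAGE_DATA_DIRECTORY pDir = GetDataDirectory(DirectoryEntry);
    if (!pDir)
        return NULL;
    DWORD dwDataStartRVA = pDir->VirtualAddress;
    if (!dwDataStartRVA)
        return NULL;

    // RvaToPtr returns NULL itself when the RVA maps to no section.
    return RvaToPtr(dwDataStartRVA);
}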
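// Converts an absolute virtual address (as it appears in the image) into a
// pointer inside the mapping. Returns NULL when the NT or optional header is
// missing, or when dwVA lies below ImageBase (the RVA subtraction would wrap
// to a huge offset).
void * CPEFile::VaToPtr(DWORD dwVA)
{
    PIMAGE_NT_HEADERS32 pNth = GetNtHeader();
    PIMAGE_OPTIONAL_HEADER32 pOh = GetNtOptionalHeader();
    if (!pNth || !pOh)
        return NULL;
    if (dwVA < pOh->ImageBase)
        return NULL;
    DWORD dwRVA = dwVA - pOh->ImageBase;
    // dbghelp's ImageRvaToVa walks the section table and yields NULL for an
    // RVA that no section maps.
    return ImageRvaToVa(pNth, m_pFile->ImageBase, dwRVA, NULL);
}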
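// Converts a relative virtual address into a pointer inside the mapping.
// Returns NULL when no NT header is available (ImageRvaToVa must not be
// handed a NULL header) or when no section maps dwRVA.
void * CPEFile::RvaToPtr(DWORD dwRVA)
{
    PIMAGE_NT_HEADERS32 pNth = GetNtHeader();
    if (!pNth)
        return NULL;
    return ImageRvaToVa(pNth, m_pFile->ImageBase, dwRVA, NULL);
}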