"); return; } CloseHandle(hFile); }

/// Reads the DOS and PE headers of an image mapped at `base` and, when the
/// first section header is named ".text", fills in the CPe members that the
/// later write steps use (dwVirtSize, dwPhysAddress, dwPhysSize, dwPeAddress,
/// dwSpace, dwProgRAV, dwCodeOffset, dwEntryWrite, dwOldEntryAddress,
/// dwNewEntryAddress). Header problems are reported with AfxMessageBox and
/// the function returns without touching any member.
/// @param base start of the file image in memory (must point at the DOS header).
void CPe::CalcAddress(const void *base)
{
    IMAGE_DOS_HEADER * dos_head =(IMAGE_DOS_HEADER *)base;
    if (dos_head->e_magic != IMAGE_DOS_SIGNATURE)
    {
        AfxMessageBox("Unknown type of file.");
        return;
    }
    peHeader * header;
    // Get the PE file header.
    // NOTE(review): e_lfanew comes from the file unchecked; an offset beyond the
    // mapping is only caught by the IsBadReadPtr probe below, which Microsoft
    // documents as obsolete and unreliable (it can race with other threads and
    // masks genuine access violations).
    header = (peHeader *)((char *)dos_head + dos_head->e_lfanew);
    if(IsBadReadPtr(header, sizeof(*header)))
    {
        AfxMessageBox("No PE header, probably DOS executable.");
        return;
    }
    DWORD mods;
    char tmpstr[4]={0}; // unused in this function
    // NOTE(review): IMAGE_SECTION_HEADER::Name is 8 bytes and need not be
    // NUL-terminated, so strstr() can read past it for an 8-character name.
    if(strstr((const char *)header->section_header[0].Name,".text")!=NULL)
    {
        // Real (virtual) length of this section.
        dwVirtSize=header->section_header[0].Misc.VirtualSize;
        // Physical (file) offset of this section.
        dwPhysAddress=header->section_header[0].PointerToRawData;
        // Physical (file) length of this section.
        dwPhysSize=header->section_header[0].SizeOfRawData;
        // Starting offset of the PE file header.
        dwPeAddress=dos_head->e_lfanew;
        // Free space in the code section, used to decide whether our code can be written in;
        // obtained by subtracting the real length of the section from its physical length.
        // NOTE(review): if these members are DWORD as the prefix suggests, a VirtualSize
        // larger than SizeOfRawData wraps this to a huge value instead of zero.
        dwSpace=dwPhysSize-dwVirtSize;
        // Load address of the program, usually 0x400000.
        dwProgRAV=header->opt_head.ImageBase;
        // Code offset: the RVA at which the code section starts minus its physical offset.
        // The program entry is a relative offset, so the formula is:
        // write address of the code + dwCodeOffset.
        dwCodeOffset=header->opt_head.BaseOfCode-dwPhysAddress;
        // Physical offset at which code is written.
        dwEntryWrite=header->section_header[0].PointerToRawData+header->section_header[0].Misc.VirtualSize;
        // Align to a 16-byte boundary.
        mods=dwEntryWrite%16;
        if(mods!=0)
        {
            dwEntryWrite+=(16-mods);
        }
        // Save the old program entry address.
        dwOldEntryAddress=header->opt_head.AddressOfEntryPoint;
        // Compute the new program entry address.
        dwNewEntryAddress=dwEntryWrite+dwCodeOffset;
        return;
    }
}

/// Packs the 32-bit value `dwAddress` into four little-endian bytes and returns
/// them wrapped in a CString.
/// NOTE(review): `waddress` carries no NUL terminator, so the CString
/// constructor stops at the first zero byte of the value (the result is then
/// shorter than four bytes) and otherwise reads past the end of the array.
/// Any caller that copies four bytes out of the result inherits this.
/// @param dwAddress value to serialise.
/// @return CString holding the bytes, least significant byte first.
CString CPe::StrOfDWord(DWORD dwAddress)
{
    unsigned char waddress[4]={0};
    // The (char) cast binds tighter than &: each line casts the shifted value
    // first, then masks the promoted int result.
    waddress[3]=(char)(dwAddress>>24)&0xFF;
    waddress[2]=(char)(dwAddress>>16)&0xFF;
    waddress[1]=(char)(dwAddress>>8 )&0xFF;
    waddress[0]=(char)(dwAddress   )&0xFF;
    return waddress;
}

/// Seeks the CRT file descriptor `ret` to `offset` and writes `dwAddress`
/// there as four little-endian bytes. Failures are reported with AfxMessageBox.
/// @param ret CRT file descriptor (presumably from _open — confirm at the caller).
/// @param offset absolute file position to write at.
/// @param dwAddress value to write.
/// @return TRUE on success, FALSE if _lseek or _write returned -1.
BOOL CPe::WriteNewEntry(int ret,long offset, DWORD dwAddress)
{
    CString strErrMsg;
    long retf;
    unsigned char waddress[4]={0};
    retf=_lseek(ret,offset,SEEK_SET);
    if(retf==-1)
    {
        AfxMessageBox("Error seek.");
        return FALSE;
    }
    // NOTE(review): StrOfDWord builds its CString from a non-terminated 4-byte
    // buffer; when the value contains a zero byte the string is shorter than
    // four bytes and this memcpy reads its terminator and whatever follows.
    memcpy(waddress,StrOfDWord(dwAddress),4);
    retf=_write(ret,waddress,4);
    // NOTE(review): only -1 counts as failure; a short write (retf < 4) is
    // reported as success. _write reports its error through errno, so
    // GetLastError() below presumably does not reflect the CRT failure.
    if(retf==-1)
    {
        strErrMsg.Format("error write: %d",GetLastError());
        AfxMessageBox(strErrMsg);
        return FALSE;
    }
    return TRUE;
}

BOOL CPe::WriteMessageBox(int ret,long offset,CString strCap,CString strTxt)
{
    CString strAddress1,strAddress2;
    unsigned char waddress[4]={0};
    DWORD dwAddress;
    // Get the address of MessageBox in memory.
    HINSTANCE gLibMsg=LoadLibrary("user32.dll");
    dwMessageBoxAadaddress=(DWORD)GetProcAddress(gLibMsg,"MessageBoxA");
    // Compute the check value.
    int nLenCap1 =strCap.GetLength()+1; // Plus the terminator after the string.
    int nLenTxt1 =strTxt.GetLength()+1; // Plus the terminator after the string.
    int nTotLen=nLenCap1+nLenTxt1+24;
    // Recompute the address of the MessageBox function. |