
基于VC++实现PE的修改编程(四)
2014-11-23 19:38:17 】 浏览:596
Tags:基于 实现 修改 编程

dwAddress=dwMessageBoxAadaddress-(dwProgRAV+dwNewEntryAddress+nTotLen-5);
strAddress1=StrOfDWord(dwAddress);

// 计算返回地址.
dwAddress=0-(dwNewEntryAddress-dwOldEntryAddress+nTotLen);
strAddress2=StrOfDWord(dwAddress);

// 对话框头代码(固定).
unsigned char cHeader[2]={0x6a,0x40};

// 标题定义.
unsigned char cDesCap[5]={0xe8,nLenCap1,0x00,0x00,0x00};

// 内容定义.
unsigned char cDesTxt[5]={0xe8,nLenTxt1,0x00,0x00,0x00};

// 对话框后部分的代码段.
unsigned char cFix[12]
={0x6a,0x00,0xe8,0x00,0x00,0x00,0x00,0xe9,0x00,0x00,0x00,0x00};

// 修改对话框后部分的代码段.
for(int i=0;i<4;i++)
cFix[3+i]=strAddress1.GetAt(i);

for(i=0;i<4;i++)
cFix[8+i]=strAddress2.GetAt(i);

char* cMessageBox=new char[nTotLen];
char* cMsg;

// 生成对话框命令字符串.
memcpy((cMsg = cMessageBox),(char*)cHeader,2);
memcpy((cMsg += 2),cDesCap,5);
memcpy((cMsg += 5),strCap,nLenCap1);
memcpy((cMsg += nLenCap1),cDesTxt,5);
memcpy((cMsg += 5),strTxt,nLenTxt1);
memcpy((cMsg += nLenTxt1),cFix,12);

// 向应用程序写入对话框代码.
CString strErrMsg;
long retf;
retf=_lseek(ret,(long)dwEntryWrite,SEEK_SET);
if(retf==-1)
{
delete[] cMessageBox;
AfxMessageBox("Error seek.");
return FALSE;
}

retf=_write(ret,cMessageBox,nTotLen);
if(retf==-1)
{
delete[] cMessageBox;
strErrMsg.Format("error write: %d",GetLastError());
AfxMessageBox(strErrMsg);
return FALSE;
}
delete[] cMessageBox;

return TRUE;
}

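// Patches the file strFileName in place: stores dwNewEntryAddress in the
// entry-point field (offset 40 from the PE header at dwPeAddress) and then
// writes the message-box stub, built from the caption "Test" and strMsg,
// at file offset dwEntryWrite.
//
// Failures are reported through AfxMessageBox by this function or by the
// helpers; nothing is returned to the caller.
//
// NOTE(review): changing any byte of a signed image invalidates its
// Authenticode signature, and nothing visible here recomputes the
// optional-header CheckSum - confirm whether WriteNewEntry does.
void CPe::WriteFile(CString strFileName,CString strMsg)
{
    int ret;

    // NOTE(review): _O_CREAT makes _open create an empty file when
    // strFileName does not exist, so the writes below would then produce a
    // file that is not a valid PE image. Kept for compatibility - confirm
    // that callers always pass an existing file.
    ret=_open(strFileName,_O_RDWR | _O_CREAT | _O_BINARY,_S_IREAD | _S_IWRITE);

    // _open signals failure with -1. Descriptor 0 is a valid handle, so the
    // previous "if(!ret)" test never detected a failed open.
    if(ret==-1)
    {
        AfxMessageBox("Error open.");
        return;
    }

    // Write the new entry address first; the program's entry address lives
    // 40 bytes past the start of the PE header. Only when that succeeds is
    // the dialog code written into the application.
    if(WriteNewEntry(ret,(long)(dwPeAddress+40),dwNewEntryAddress))
    {
        WriteMessageBox(ret,(long)dwEntryWrite,"Test",strMsg);
    }

    // Close the descriptor on every path; the early returns used to leak it
    // whenever one of the two writes failed.
    _close(ret);
}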


下面我们实现编程修改OEP
[cpp]
#include <windows.h>
#include <stdio.h>

// Forward declarations for the two OEP (original entry point) readers
// called from main().

// NOTE(review): the definition is not visible here; presumably it reads the
// OEP of szFileName through an in-memory view of the file - confirm.
BOOL ReadOEPbyMemory(LPCSTR szFileName);

// Reads the OEP of szFileName with plain file I/O: the DOS header first,
// then the DWORD at e_lfanew+40. Returns FALSE when the file cannot be
// opened or a read fails.
BOOL ReadOEPbyFile(LPCSTR szFileName);

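// Demo driver: reads the entry point of ..\calc.exe once through file I/O
// and once through the memory-based reader, then waits for a key press so
// the console output stays visible.
//
// Returns 0 when both readers succeed and 1 otherwise. "void main" is not
// valid standard C++, so the entry point is declared as int.
int main()
{
    int nFailed=0;

    if(!ReadOEPbyFile("..\\calc.exe"))
        nFailed=1;

    if(!ReadOEPbyMemory("..\\calc.exe"))
        nFailed=1;

    getchar();
    return nFailed;
}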

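// 通过文件读取OEP值.
// 注意: 下面的实现没有校验 e_magic 和 e_lfanew, 也没有检查 ReadFile 实际读到的
// 字节数(cbRead)以及 SetFilePointer 的返回值; 解析来源不可信的文件时应先补上这些检查.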
BOOL ReadOEPbyFile(LPCSTR szFileName)
{
HANDLE hFile;

// 打开文件.
if ((hFile = CreateFile(szFileName, GENERIC_READ,
FILE_SHARE_READ, 0, OPEN_EXISTING,
FILE_FLAG_SEQUENTIAL_SCAN, 0)) == INVALID_HANDLE_VALUE)
{
printf("can't not open file.\n");
return FALSE;
}

DWORD dwOEP,cbRead;
IMAGE_DOS_HEADER dos_head[sizeof(IMAGE_DOS_HEADER)];
if (!ReadFile(hFile, dos_head, sizeof(IMAGE_DOS_HEADER), &cbRead, NULL)){
printf("read image_dos_header failed.\n");
CloseHandle(hFile);
return FALSE;
}

int nEntryPos=dos_head->e_lfanew+40;
SetFilePointer(hFile, nEntryPos, NULL, FILE_BEGIN);

if (!ReadFile(hFile, &dwOEP, sizeof(dwOEP), &cbRead, NULL)){
printf("read OEP failed.\n");
CloseHandle(hFile);
return FA
