// NOTE(review): this is the tail of a method (presumably CPe::WriteMessageBox) whose
// signature and earlier statements are outside the visible text; `ret`, `nTotLen`,
// `nLenCap1`, `nLenTxt1`, `strCap`, `strTxt`, `strAddress1/2`, `dwAddress` and the
// dw* members are declared there.
//
// It assembles a small x86 stub that calls MessageBoxA and then jumps back to the
// original entry point, and writes that stub into the target file at `dwEntryWrite`.
// Nothing visible here checks that `dwEntryWrite` maps into an executable section or
// that the stub fits in the available slack space — presumably the caller's job; verify.
//
// rel32 of the `call MessageBoxA`: relative to the end of the CALL instruction, which
// is 5 bytes before the end of the stub (the trailing JMP), i.e. new entry + nTotLen - 5.
dwAddress=dwMessageBoxAadaddress-(dwProgRAV+dwNewEntryAddress+nTotLen-5);
strAddress1=StrOfDWord(dwAddress);
// rel32 of the final `jmp` back to the original entry point: the JMP ends at
// dwNewEntryAddress + nTotLen, so rel32 = dwOldEntryAddress - (dwNewEntryAddress + nTotLen).
dwAddress=0-(dwNewEntryAddress-dwOldEntryAddress+nTotLen);
strAddress2=StrOfDWord(dwAddress);
// Fixed stub prologue: `push 0x40` — the uType argument (MB_ICONINFORMATION), pushed
// first because stdcall arguments are pushed right to left.
unsigned char cHeader[2]={0x6a,0x40};
// Caption: `call +nLenCap1` immediately followed by the caption bytes. The CALL skips
// over the string, and the return address it pushes is the string's own address, which
// serves as the lpCaption argument.
// NOTE(review): only the low byte of the rel32 is filled in, so a caption of 256 bytes
// or more (or a negative length) produces a wrong displacement and a crashing stub;
// the length should be rejected when it does not fit in one byte.
unsigned char cDesCap[5]={0xe8,nLenCap1,0x00,0x00,0x00};
// Text: the same trick for the lpText argument (same single-byte length limit).
unsigned char cDesTxt[5]={0xe8,nLenTxt1,0x00,0x00,0x00};
// Stub epilogue: `push 0` (hWnd), `call <MessageBoxA>` (rel32 in bytes 3..6) and
// `jmp <original entry>` (rel32 in bytes 8..11). Both rel32 fields are patched below.
unsigned char cFix[12] ={0x6a,0x00,0xe8,0x00,0x00,0x00,0x00,0xe9,0x00,0x00,0x00,0x00};
// Patch the two displacements, byte by byte, from the StrOfDWord() encodings.
// NOTE(review): the second loop reuses `i` declared in the first loop's init-statement;
// this only compiles under the old MSVC for-scope rule.
for(int i=0;i<4;i++) cFix[3+i]=strAddress1.GetAt(i);
for(i=0;i<4;i++) cFix[8+i]=strAddress2.GetAt(i);
// Assemble the stub in a heap buffer of exactly nTotLen bytes.
// NOTE(review): this assumes nTotLen == 2 + 5 + nLenCap1 + 5 + nLenTxt1 + 12; nTotLen
// is computed outside the visible code, and a mismatch would overrun this buffer.
char* cMessageBox=new char[nTotLen];
char* cMsg;
memcpy((cMsg = cMessageBox),(char*)cHeader,2);
memcpy((cMsg += 2),cDesCap,5);
memcpy((cMsg += 5),strCap,nLenCap1);
memcpy((cMsg += nLenCap1),cDesTxt,5);
memcpy((cMsg += 5),strTxt,nLenTxt1);
memcpy((cMsg += nLenTxt1),cFix,12);
// Write the stub into the target file at file offset dwEntryWrite.
CString strErrMsg;
long retf;
retf=_lseek(ret,(long)dwEntryWrite,SEEK_SET);
if(retf==-1)
{
    delete[] cMessageBox;
    AfxMessageBox("Error seek.");
    return FALSE;
}
retf=_write(ret,cMessageBox,nTotLen);
// NOTE(review): a short write (0 <= retf < nTotLen) is reported as success here.
if(retf==-1)
{
    delete[] cMessageBox;
    strErrMsg.Format("error write: %d",GetLastError());
    AfxMessageBox(strErrMsg);
    return FALSE;
}
delete[] cMessageBox;
return TRUE;
}

// Patch the target PE on disk: redirect its entry point to the injected stub, then
// write the stub itself. Relies on the members dwPeAddress (file offset of the PE
// header), dwNewEntryAddress (entry-point RVA of the stub) and dwEntryWrite (file
// offset where the stub is written), all computed elsewhere in the class.
//   strFileName - path of the executable to modify
//   strMsg      - text displayed by the injected MessageBox
// Errors are reported with AfxMessageBox; there is no return value.
void CPe::WriteFile(CString strFileName,CString strMsg)
{
    CString strAddress1,strAddress2;
    int ret;
    unsigned char waddress[4]={0};   // unused
    // NOTE(review): _O_CREAT creates an empty file when the target does not exist, and
    // the header offsets below are then written into that empty file; for patching an
    // existing binary, _O_RDWR | _O_BINARY alone would surface the error instead.
    ret=_open(strFileName,_O_RDWR | _O_CREAT | _O_BINARY,_S_IREAD | _S_IWRITE);
    // NOTE(review): _open returns -1 on failure, not 0, so this check never fires and
    // the invalid descriptor is handed to the write helpers; it should be `ret==-1`.
    if(!ret)
    {
        AfxMessageBox("Error open.");
        return;
    }
    // Overwrite AddressOfEntryPoint, which sits 40 (0x28) bytes past the PE signature:
    // 4 (signature) + 20 (IMAGE_FILE_HEADER) + 16 into IMAGE_OPTIONAL_HEADER.
    // NOTE(review): both early returns below leak the descriptor — _close(ret) is only
    // reached on the success path.
    if(!WriteNewEntry(ret,(long)(dwPeAddress+40),dwNewEntryAddress)) return;
    // Write the MessageBox stub with the fixed caption "Test" and the caller's text.
    if(!WriteMessageBox(ret,(long)dwEntryWrite,"Test",strMsg)) return;
    _close(ret);
}
下面我们实现编程修改OEP [cpp]
#include <windows.h>
// NOTE(review): the second header name was lost in extraction; the printf/getchar
// calls below need <stdio.h>.
#include
BOOL ReadOEPbyMemory(LPCSTR szFileName);
BOOL ReadOEPbyFile(LPCSTR szFileName);

// Demo driver: read calc.exe's OEP first from the file on disk, then from memory
// (ReadOEPbyMemory is declared above but defined outside the visible text).
// NOTE(review): `void main` is non-standard (MSVC tolerates it); it should be `int main()`.
void main()
{
    ReadOEPbyFile("..\\calc.exe");
    ReadOEPbyMemory("..\\calc.exe");
    getchar();   // keep the console window open until a key is pressed
}

// Read the OEP (IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint) directly from the file.
// NOTE(review): the definition is cut off at the end of this page; only the visible
// part is commented here.
BOOL ReadOEPbyFile(LPCSTR szFileName)
{
    HANDLE hFile;
    // Open the file read-only, allowing concurrent readers.
    if ((hFile = CreateFile(szFileName, GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, 0)) == INVALID_HANDLE_VALUE)
    {
        printf("can't not open file.\n");
        return FALSE;
    }
    DWORD dwOEP,cbRead;
    // NOTE(review): this declares an array of sizeof(IMAGE_DOS_HEADER) headers (64 of
    // them); only the first element is read and used, a single header would do.
    IMAGE_DOS_HEADER dos_head[sizeof(IMAGE_DOS_HEADER)];
    if (!ReadFile(hFile, dos_head, sizeof(IMAGE_DOS_HEADER), &cbRead, NULL)){
        printf("read image_dos_header failed.\n");
        CloseHandle(hFile);
        return FALSE;
    }
    // AddressOfEntryPoint is 40 bytes past the PE signature that e_lfanew points to
    // (4 signature + 20 IMAGE_FILE_HEADER + 16 into IMAGE_OPTIONAL_HEADER).
    // NOTE(review): e_lfanew is untrusted input taken straight from the file: no MZ or
    // PE signature check, no bounds check, and cbRead is never compared against the
    // header size, so a short read leaves dos_head partly uninitialised. The
    // SetFilePointer result is not checked either; only the following ReadFile is.
    int nEntryPos=dos_head->e_lfanew+40;
    SetFilePointer(hFile, nEntryPos, NULL, FILE_BEGIN);
    if (!ReadFile(hFile, &dwOEP, sizeof(dwOEP), &cbRead, NULL)){
        printf("read OEP failed.\n");
        CloseHandle(hFile);
        return FA |