Programming board (digest area)
From: pzc (呆呆地发呆), Board: Programming
Subject: Create PE Dynamically
Posted on: 哈工大紫丁香 (Saturday, 2002-04-20 14:36:28), local post
Demonstrates how to create a PE file dynamically from inside a program.
The program creates an executable named Win32XJS.exe in the current directory.
That file does nothing but pop up a MsgBox.
Its size is 1K.
It has one imported function, MessageBoxA, which is not actually used; its real purpose is to get User32.dll loaded.
Arbitrary code can be inserted between the labels VStart and VImports to produce a genuinely useful PE!
But that code must be relocated before it will work.
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
@ EQU 1000h - offset VStart ; adding @ to any label between VStart and VEnd yields its RVA inside the new PE
VIMPORT_SIZE EQU offset VEnd - offset VImports
VRAW_SIZE EQU 200h ; one FileAlignment unit holds the whole section
.data
szFileName db 'Win32XJS.exe',0
ByteWrite dd 0
hFile dd 0
.code
MainStart:
push NULL
push FILE_ATTRIBUTE_NORMAL
push CREATE_ALWAYS
push NULL
push FILE_SHARE_READ+FILE_SHARE_WRITE
push GENERIC_READ+GENERIC_WRITE
push offset szFileName
call CreateFile
mov hFile , eax
push 0
push offset ByteWrite
push 200h ; the headers fit in under 200h and FileAlignment = 200h
push offset MDosStub
push eax
call WriteFile ; write DOS stub, NT headers and section header
push 0
push offset ByteWrite
push VRAW_SIZE
push offset VStart
push hFile
call WriteFile ; write code and import table
push hFile
call CloseHandle
Invoke MessageBox,NULL,0,0,0
invoke ExitProcess,0 ; stop here so the generator itself never falls through into VStart
VStart: ; the new PE starts here :)
push 0
push 0
push 0
push 0
mov eax,77e23d68h ; absolute address of MessageBoxA on Win2K (not resolved through the IAT)
call eax
ret
VImports: ; the new PE's IMAGE_IMPORT_DESCRIPTOR starts here
dd offset Kernel32_Pointers + @ ; OriginalFirstThunk: RVA of the import lookup table
dd -1,-1 ; TimeDateStamp, ForwarderChain
dd offset Kernel32_Name + @ ; Name: RVA of the DLL name string
VIAT:
dd offset Kernel32_Relocated + @ ; FirstThunk: RVA of the IAT, which the loader overwrites with addresses
dd 5 dup (0) ; all-zero descriptor (20 bytes) terminates the import list
Kernel32_Pointers dd offset Kernel32_Beep + @ , 0 ; import lookup table: one hint/name entry, then 0
Kernel32_Relocated dd offset Kernel32_Beep + @ , 0 ; IAT: identical on disk, patched at load time
Kernel32_Beep db 0,0,'MessageBoxA',0 ; IMAGE_IMPORT_BY_NAME: 2-byte hint, then the function name
Kernel32_Name db 'User32.dll',0 ; DLL name, including the .dll extension
VEnd:
MDosStub: ; no DOS stub program, only the minimal 64-byte MZ header
db 4Dh,5Ah,90h,00,03,00, 00, 00, 04, 00, 00,00,0FFh,0FFh,00,00
db 0B8h, 00, 00, 00, 00, 00, 00, 00,40h, 00, 00, 00, 00, 00,00,00
db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 40h, 00, 00, 00
db 50h,45h,00,00
MFileHeader:
Machine dw 14Ch
NumberOfSections dw 1
TimeDateStamp dd 3cbe5cc2h
PointerToSymbolTable dd 0
NumberOfSymbols dd 0
SizeOfOptionalHeader dw 0e0h
Characteristics dw 10fh
MIMAGE_OPTIONAL_HEADER32:
Magic dw 10bh
MajorLinkerVersion db 5
MinorLinkerVersion db 12
SizeOfCode dd VRAW_SIZE
SizeOfInitializedData dd 0
SizeOfUninitializedData dd 0
AddressOfEntryPoint dd 1000h
BaseOfCode dd 1000h
BaseOfData dd 2000h
ImageBase dd 400000h
SectionAlignment dd 1000h
FileAlignment dd 200h
MajorOperatingSystemVersion dw 4
MinorOperatingSystemVersion dw 0
MajorImageVersion dw 0
MinorImageVersion dw 0
MajorSubsystemVersion dw 4
MinorSubsystemVersion dw 0
Win32VersionValue dd 0
SizeOfImage dd 2000h ; headers page + one section page; must grow if the section grows
SizeOfHeaders dd 200h
CheckSum dd 0
Subsystem dw 2 ;(Windows GUI)
DllCharacteristics dw 0
SizeOfStackReserve dd 100000h
SizeOfStackCommit dd 1000h
SizeOfHeapReserve dd 100000h
SizeOfHeapCommit dd 1000h
LoaderFlags dd 0
NumberOfRvaAndSizes dd 10h
DataDirectory dd 0,0
dd offset VImports+@,VIMPORT_SIZE
dd 14h dup(0)
dd offset VIAT + @,8
dd 0,0,0,0,0,0
MIMAGE_SECTION_HEADER:
Name1 db '.xjs',0,0,0,0
VirtualSize dd offset VEnd - offset VStart
VirtualAddress dd 1000h
SizeOfRawData dd VRAW_SIZE
PointerToRawData dd 200h
PointerToRelocations dd 0
PointerToLinenumbers dd 0
NumberOfRelocations dw 0
NumberOfLinenumbers dw 0
Characteristic dd 60000020h ; IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
end MainStart
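An added example (my own code, not from the post or any library): the header layout the post assembles by hand, rebuilt in Python with struct and then re-read by a small hand-written import-table walker of the kind used when inspecting a suspicious minimal PE. The names build_minimal_pe and parse_imports are mine; code is any bytes to place at the entry point (the post's Win2K-specific absolute-address stub is not reproduced), and the import and IAT directory sizes are 40 and 8 rather than spanning the whole section as the post's do.

```python
import struct

SECTION_RVA, FILE_ALIGN, IMAGE_BASE = 0x1000, 0x200, 0x400000

def build_minimal_pe(code: bytes, dll: bytes, func: bytes) -> bytes:
    """Constructed image in the post's layout: headers in the first 200h bytes, then one '.xjs'
    section (raw 200h, RVA 1000h) holding code, import descriptor, ILT, IAT and name strings."""
    r, imp = SECTION_RVA, len(code)                     # section RVA; descriptor follows the code
    ilt, iat, hint = imp + 40, imp + 48, imp + 56       # after descriptor + null descriptor
    sec = code + struct.pack('<5I', r + ilt, 0, 0, r + hint + len(func) + 3, r + iat) + bytes(20)
    sec += struct.pack('<2I', r + hint, 0) * 2          # ILT and IAT are identical on disk
    sec += bytes(2) + func + b'\0' + dll + b'\0'        # hint/name entry, then the DLL name
    vsize, sec = len(sec), sec.ljust(FILE_ALIGN, b'\0')
    dos = b'MZ' + bytes(58) + struct.pack('<I', 0x40)   # no DOS program; e_lfanew = 40h
    fh = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, 0xE0, 0x10F)
    opt = struct.pack('<HBB9I6H4I2H6I', 0x10B, 5, 12, len(sec), 0, 0, r, r, 0x2000, IMAGE_BASE,
                      SECTION_RVA, FILE_ALIGN, 4, 0, 0, 0, 4, 0, 0, 0x2000, FILE_ALIGN, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = {1: (r + imp, 40), 12: (r + iat, 8)}          # import directory, IAT directory
    opt += b''.join(struct.pack('<II', *dirs.get(i, (0, 0))) for i in range(16))
    sh = struct.pack('<8s6I2HI', b'.xjs', vsize, r, len(sec), FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    return (dos + b'PE\0\0' + fh + opt + sh).ljust(FILE_ALIGN, b'\0') + sec

def parse_imports(pe: bytes):
    """Walk the headers by hand and return [(dll, [func, ...]), ...]; raises on a malformed image."""
    e_lfanew, = struct.unpack_from('<I', pe, 0x3C)
    if pe[:2] != b'MZ' or pe[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('not a PE image')
    _, nsec, _, _, _, opt_size = struct.unpack_from('<HHIIIH', pe, e_lfanew + 4)
    opt = e_lfanew + 24                                 # IMAGE_OPTIONAL_HEADER32
    ndirs, _, _, imp_rva = struct.unpack_from('<4I', pe, opt + 92)  # NumberOfRvaAndSizes, export dir, import RVA
    secs = [struct.unpack_from('<8s4I', pe, opt + opt_size + 40 * i) for i in range(nsec)]
    def off(rva):                                       # RVA -> file offset via the section table
        hit = [raw + rva - va for _, vs, va, rs, raw in secs if va <= rva < va + max(vs, rs)]
        if not hit: raise ValueError(f'RVA {rva:#x} lies outside every section')
        return hit[0]
    def cstr(rva):                                      # NUL-terminated ASCII name at an RVA
        return pe[off(rva):].split(b'\0', 1)[0].decode('ascii')
    result, d = [], off(imp_rva) if ndirs > 1 and imp_rva else -1
    while d >= 0:
        ilt, _, _, name_rva, iat = struct.unpack_from('<5I', pe, d)
        if name_rva == 0 or iat == 0:                   # null descriptor: the loader stops here too
            break
        funcs, t = [], off(ilt or iat)
        while (entry := struct.unpack_from('<I', pe, t)[0]) != 0:
            funcs.append(f'#{entry & 0xFFFF}' if entry >> 31 else cstr(entry + 2))
            t += 4
        result.append((cstr(name_rva), funcs))
        d += 20
    return result
```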
--
※ Source: ·哈工大紫丁香 bbs.hit.edu.cn·[FROM: 202.118.236.138]
※ Edited: ·pzc edited this post on 04-20 20:21:22·[FROM: 202.118.236.138]