
所有新增节的代码实现


#include "openfile.h"
#include <stdio.h>
#include <malloc.h>
#include <memory.h>
#include <Windows.h>

// Absolute address the injected stub calls. The name suggests MessageBoxA in
// the author's own user32.dll build; an absolute address is only valid for that
// one build at that one load address, so the patched program faults at entry
// anywhere else. Nothing in this file derives it from the image.
#define MASSAGEBOXAADDR 0x757A7E60
// Size of IMAGE_DOS_HEADER in bytes.
#define IMAGE_SIZEOF_DOS_HEADER 0x40

// Stub copied into the target image by the functions below.
// NOTE(review): as listed here the array is 6 bytes long, yet the callers store
// a DWORD at shellCode + 0x9 and at shellCode + 0xe. Those stores run past the
// end of this global — undefined behaviour that silently corrupts whatever is
// laid out after it in .data. Either the listing is truncated or the offsets
// are wrong; confirm against the real source before trusting any of the
// displacement arithmetic.
BYTE shellCode[] = {
0x6A,0x00,0x6A,
0xE8,
0xE9,0x00
};

// Name given to the section appended by AddNewSection: ".t" plus the NUL
// terminator (sizeof(SectionName) == 3 bytes are copied into the 8-byte Name
// field; the remaining bytes keep whatever the buffer held).
BYTE SectionName[] = { 0x2e,0x74,0 };

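// Reads the whole file at lpszFole into a malloc'd buffer and returns it.
//
// Returns NULL (after printing a message) when the file cannot be opened,
// cannot be sized, is empty, cannot be allocated, or is not read completely.
// The caller owns the returned buffer and must free() it.
//
// NOTE(review): the file size is not returned to the caller, so the PE walkers
// below have no way to bound-check offsets taken from the file against it.
// Callers that need it should size the file themselves or extend this contract.
LPVOID ReadPEFile(LPSTR lpszFole)
{
	FILE *pFile = fopen(lpszFole, "rb");
	if (!pFile)
	{
		printf("打开EXE文件失败\n");
		return NULL;
	}

	// Size the file by seeking to its end; ftell() reports -1L on failure and
	// an empty file gives 0, neither of which is a usable allocation size.
	if (fseek(pFile, 0, SEEK_END) != 0)
	{
		printf("文件读取失败\n");
		fclose(pFile);
		return NULL;
	}
	long fileLength = ftell(pFile);
	if (fileLength <= 0)
	{
		printf("文件读取失败\n");
		fclose(pFile);
		return NULL;
	}
	rewind(pFile);

	DWORD fileSize = (DWORD)fileLength;
	LPVOID pFileBuffer = malloc(fileSize);
	if (!pFileBuffer)
	{
		printf("分配空间失败\n");
		fclose(pFile); // the original returned here without closing the handle
		return NULL;
	}

	// Require the full length: a short read would hand back a buffer whose
	// tail is uninitialised but which callers index by header-derived offsets.
	size_t n = fread(pFileBuffer, 1, fileSize, pFile);
	fclose(pFile);
	if (n != fileSize)
	{
		printf("文件读取失败\n");
		free(pFileBuffer);
		return NULL;
	}
	return pFileBuffer;
}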

// Loads the file at lpszFole (ReadPEFile) and lays it out the way the Windows
// loader would: the headers first, then every section copied to its
// VirtualAddress inside a buffer of SizeOfImage bytes. Returns the image
// buffer (caller frees) or NULL after printing a message.
//
// NOTE(review): header fields that come straight from the input file —
// e_lfanew, SizeOfHeaders, SizeOfImage, NumberOfSections and each section's
// VirtualAddress / SizeOfRawData / PointerToRawData — are used without any
// bounds check, so a malformed file makes the memcpy calls read past the file
// buffer or write past the image buffer (heap overflow). ReadPEFile does not
// return the file size, so the raw-data reads cannot be checked here at all.
// Pointers are routed through (DWORD) casts throughout, which truncates on a
// 64-bit build: this only works as 32-bit code. The listed memset call is
// missing its fill-value argument and does not compile as shown.
LPVOID CopyFileBufferToImageBuffer(LPSTR lpszFole)
{
LPVOID pFileBuffer = NULL;
LPVOID pImageBuffer = NULL;
PIMAGE_DOS_HEADER pe_dos_header = NULL;
PIMAGE_FILE_HEADER pe_file_header = NULL;
PIMAGE_OPTIONAL_HEADER32 pe_option_header_32 = NULL;
PIMAGE_NT_HEADERS pe_nt_header = NULL;
PIMAGE_SECTION_HEADER pe_section_header = NULL;
pFileBuffer = ReadPEFile(lpszFole);
if (!pFileBuffer)
{
printf("打开文件失败n");
return NULL;
}
// "MZ" check on the first WORD of the file.
if (*((PWORD)pFileBuffer)!=IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标记n");
free(pFileBuffer);
return NULL;
}
pe_dos_header = (PIMAGE_DOS_HEADER)pFileBuffer;
// (debug dumps of the DOS header fields removed)

// "PE\0\0" check at e_lfanew — e_lfanew itself is not range-checked against
// the file size before it is dereferenced.
if (*((PDWORD)((DWORD)pFileBuffer+pe_dos_header->e_lfanew))!=IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志n");
free(pFileBuffer);
return NULL;
}
pe_nt_header = (PIMAGE_NT_HEADERS)((DWORD)pFileBuffer + pe_dos_header->e_lfanew);
// FILE header follows the 4-byte signature; the optional header follows the
// FILE header (IMAGE_SIZEOF_FILE_HEADER bytes).
pe_file_header = (PIMAGE_FILE_HEADER)((DWORD)pe_nt_header + 4);
// (debug dumps of the FILE header fields removed)
pe_option_header_32 = (PIMAGE_OPTIONAL_HEADER32)((DWORD)pe_file_header + IMAGE_SIZEOF_FILE_HEADER);
// (debug dumps of the optional header fields removed)
// Image buffer sized from the file's own SizeOfImage — unvalidated.
pImageBuffer = malloc(pe_option_header_32->SizeOfImage);
if (!pImageBuffer)
{
printf("分配空间失败n");
free(pFileBuffer);
return NULL;
}
// As listed, memset lacks its fill-value argument.
memset(pImageBuffer,pe_option_header_32->SizeOfImage);
memcpy(pImageBuffer,pFileBuffer,pe_option_header_32->SizeOfHeaders);
// The section table starts right after the optional header.
pe_section_header = (PIMAGE_SECTION_HEADER)((DWORD)pe_option_header_32 + pe_file_header->SizeOfOptionalHeader);
for (size_t i = 0; i < pe_file_header->NumberOfSections; i++)
{
// Copy SizeOfRawData bytes from the file offset to the RVA. Neither the source
// range (against the file size) nor the destination range (against
// SizeOfImage) is checked.
memcpy(((CHAR*)(DWORD)pImageBuffer) + pe_section_header->VirtualAddress,
((CHAR*)(DWORD)pFileBuffer) + pe_section_header->PointerToRawData,
pe_section_header->SizeOfRawData);
pe_section_header = (PIMAGE_SECTION_HEADER)((DWORD)pe_section_header + IMAGE_SIZEOF_SECTION_HEADER);
}

free(pFileBuffer);
return pImageBuffer;
}

// Maps the file, then writes the shellCode stub into the slack space after the
// used part of section number NumberOfSection (hard-coded to 4), ORs the first
// section's Characteristics into that section and repoints
// AddressOfEntryPoint at the stub. Returns the modified image buffer (caller
// frees) or NULL after printing a message.
//
// NOTE(review) defects visible here:
//  - the DWORD stores to shellCode + 0x9 and + 0xe run past the 6-byte array
//    as listed (undefined behaviour, see the definition of shellCode).
//  - NumberOfSection is a fixed 4; the only guard is that the file has at
//    least that many sections, nothing is checked about the section itself.
//  - the slack test (SizeOfRawData - VirtualSize) is done in unsigned
//    arithmetic before VirtualSize > SizeOfRawData is ruled out, so it wraps
//    and passes in that case; only the second test catches it.
//  - the patched section gains the first section's flags and the entry point
//    moves outside the original code section — exactly the header anomalies
//    static PE scanners look for.
//  - every header field is trusted as read from the file (no bounds checks).
LPVOID AddImageBufferShellCode(LPSTR lpszFole)
{
LPVOID pImageBuffer = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTHeader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader32 = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
// 1-based index of the section that receives the stub.
DWORD NumberOfSection = 4;
DWORD SizeOfSection = 0;
pImageBuffer = CopyFileBufferToImageBuffer(lpszFole);
if (!pImageBuffer)
{
printf("分配空间失败n");
free(pImageBuffer); // no-op: pImageBuffer is NULL here
return NULL;
}
// The MZ/PE checks below repeat those already done by the callee.
if (*(PWORD((DWORD)pImageBuffer))!=IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标记n");
free(pImageBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)((DWORD)pImageBuffer);
if (*(PDWORD)((DWORD)pImageBuffer + ImageDosHeader->e_lfanew) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标记n");
free(pImageBuffer);
return NULL;
}
ImageNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pImageBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTHeader + 4);
ImageOptionalHeader32 = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
// First entry of the section table (assumed to be the code section).
PIMAGE_SECTION_HEADER ImageSectionHeader_text = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader32 + ImageFileHeader->SizeOfOptionalHeader);

// Remember the first section's Characteristics to OR into the target section.
DWORD executableCharacteristics = ImageSectionHeader_text->Characteristics;
if (NumberOfSection > ImageFileHeader->NumberOfSections)
{
printf("超出节的数量n");
free(pImageBuffer);
return NULL;
}
// Byte offset from the first section header to the target one.
if (NumberOfSection > 1)
{
SizeOfSection = IMAGE_SIZEOF_SECTION_HEADER * (NumberOfSection - 1);
}
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader_text + SizeOfSection);
// Unsigned subtraction: wraps when VirtualSize > SizeOfRawData, so this test
// only works together with the next one.
if ((DWORD)(ImageSectionHeader->SizeOfRawData- ImageSectionHeader->Misc.VirtualSize) < sizeof(shellCode))
{
printf("剩余的节区空间不足n");
free(pImageBuffer);
return NULL;
}
if (ImageSectionHeader->Misc.VirtualSize > ImageSectionHeader->SizeOfRawData)
{
printf("VirtualSize超出SizeOfRawData最大范围不能写入n");
free(pImageBuffer);
return NULL;
}

// Patch the two 32-bit displacements inside the stub (each relative to the
// byte after its branch: stub + 0xD and stub + 0x12). Both stores are out of
// bounds for the 6-byte shellCode as listed.
*((PDWORD)(shellCode + 0x9)) = (DWORD)MASSAGEBOXAADDR - (DWORD)(ImageOptionalHeader32->ImageBase + (ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize + 0xD));
*((PDWORD)(shellCode + 0xe)) = (DWORD)(ImageOptionalHeader32->ImageBase + ImageOptionalHeader32->AddressOfEntryPoint) - (DWORD)(ImageOptionalHeader32->ImageBase + (ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize + 0x12));
ImageSectionHeader->Characteristics = (ImageSectionHeader->Characteristics | executableCharacteristics);
// Stub goes at the end of the section's used bytes (VirtualAddress + VirtualSize).
DWORD addTheAddressOfTheCode = (DWORD)pImageBuffer + ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize;
memcpy((CHAR*)addTheAddressOfTheCode,&shellCode,sizeof(shellCode));
ImageOptionalHeader32->AddressOfEntryPoint = ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize;
return pImageBuffer;

}


// Intended to turn a memory offset into an RVA by finding the section that
// contains it. Returns the computed value, or 0 (written as NULL) when no
// section matched or on any error — the caller cannot tell the two apart.
//
// NOTE(review): the conversion is broken as written. pImageBuffer is a heap
// allocation made inside this function, so 'offset - (DWORD)pImageBuffer'
// subtracts an address the caller could never have known; the section copy
// in the loop is also pointless because the image buffer is freed before
// return. The listed memcpy is missing its source argument and memset its
// fill value (and memset is sized by SizeOfHeaders, not SizeOfImage). DWORD
// locals are initialised with NULL, a pointer constant. The range test uses
// '>' where '>=' is needed, so an offset at the very start of a section is
// never matched. Header fields are trusted unchecked, as everywhere in this file.
DWORD GetdwRVA(LPSTR lpszFole,DWORD offset)
{
LPVOID pFileBuffer = NULL;
LPVOID pImageBuffer = NULL;
DWORD TrueLocation = NULL;
DWORD dwRVA = NULL;
PIMAGE_DOS_HEADER pe_dos_header = NULL;
PIMAGE_FILE_HEADER pe_file_header = NULL;
PIMAGE_OPTIONAL_HEADER32 pe_option_header_32 = NULL;
PIMAGE_NT_HEADERS pe_nt_header = NULL;
PIMAGE_SECTION_HEADER pe_section_header = NULL;
pFileBuffer = ReadPEFile(lpszFole);
if (!pFileBuffer)
{
printf("打开文件失败n");
return NULL;
}
if (*((PWORD)pFileBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标记n");
free(pFileBuffer);
return NULL;
}
pe_dos_header = (PIMAGE_DOS_HEADER)pFileBuffer;

if (*((PDWORD)((DWORD)pFileBuffer + pe_dos_header->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志n");
free(pFileBuffer);
return NULL;
}
pe_nt_header = (PIMAGE_NT_HEADERS)((DWORD)pFileBuffer + pe_dos_header->e_lfanew);

pe_file_header = (PIMAGE_FILE_HEADER)((DWORD)pe_nt_header + 4);

pe_option_header_32 = (PIMAGE_OPTIONAL_HEADER32)((DWORD)pe_file_header + IMAGE_SIZEOF_FILE_HEADER);

// Allocated only to be subtracted from 'offset' below and freed again.
pImageBuffer = malloc(pe_option_header_32->SizeOfImage);
if (!pImageBuffer)
{
printf("分配空间失败n");
free(pFileBuffer);
return NULL;
}
// As listed, memset lacks its fill-value argument; it also clears only
// SizeOfHeaders bytes of a SizeOfImage-byte buffer.
memset(pImageBuffer,pe_option_header_32->SizeOfHeaders);
pe_section_header = (PIMAGE_SECTION_HEADER)((DWORD)pe_option_header_32 + pe_file_header->SizeOfOptionalHeader);
// Subtracting a heap address from a caller-supplied offset yields garbage
// unless the caller somehow passed an address inside this very buffer.
TrueLocation = offset - (DWORD)pImageBuffer;
for (size_t i = 0; i < pe_file_header->NumberOfSections; i++)
{

// As listed, this memcpy has no source argument.
memcpy(((CHAR*)(DWORD)pImageBuffer) + pe_section_header->VirtualAddress,
pe_section_header->SizeOfRawData);
// '>' excludes an offset exactly at VirtualAddress.
if (TrueLocation > pe_section_header->VirtualAddress && TrueLocation < (pe_section_header->VirtualAddress + pe_section_header->Misc.VirtualSize))
{
dwRVA = TrueLocation - pe_section_header->VirtualAddress;
}
pe_section_header = (PIMAGE_SECTION_HEADER)((DWORD)pe_section_header + IMAGE_SIZEOF_SECTION_HEADER);
}

free(pFileBuffer);
free(pImageBuffer);
return dwRVA;
}


// Converts an RVA of srcFile into a file offset (FOA) by locating the section
// that contains it. Returns the FOA, or 0 (written as NULL) when not found or
// on error — indistinguishable to the caller.
//
// NOTE(review):
//  - pImageBuffer from CopyFileBufferToImageBuffer is never NULL-checked and
//    is leaked on every early-return path; its only use is the broken
//    'dwRva - (DWORD)pImageBuffer' subtraction (a heap address the caller
//    cannot know), so TrueLocation is not an RVA at all.
//  - the loop starts at i = 1 while ImageSectionHeader points at section 0,
//    so the last section is never examined (off by one), and the range test
//    uses '>' where '>=' is needed for an RVA at a section start.
//  - RVAs inside the headers (below the first section) are not handled.
//  - a debug printf of TrueLocation is left in; DWORDs are initialised with NULL.
DWORD GetdwFoa(LPSTR srcFile,DWORD dwRva)
{
LPVOID pFileBuffer = NULL;
LPVOID pImageBuffer = NULL;
DWORD FOA = NULL;
DWORD TrueLocation = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader32 = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
// Result not checked and never freed on the error paths below.
pImageBuffer = CopyFileBufferToImageBuffer(srcFile);
pFileBuffer = ReadPEFile(srcFile);
if (!pFileBuffer)
{
printf("打开文件失败n");
return NULL;
}
if (*((PWORD)pFileBuffer)!=IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标记n");
free(pFileBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer;

if (*((PDWORD)((DWORD)pFileBuffer + ImageDosHeader->e_lfanew))!=IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志n");
free(pFileBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)pFileBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader32 = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader32 + ImageFileHeader->SizeOfOptionalHeader);
// Heap address subtracted from an RVA — see the note above.
TrueLocation = dwRva - (DWORD)pImageBuffer;
printf("%xn",TrueLocation);
// Starts at 1 but the header pointer starts at section 0: the last section is skipped.
for (size_t i = 1; i < ImageFileHeader->NumberOfSections; i++)
{
if (TrueLocation > ImageSectionHeader->VirtualAddress && TrueLocation < (ImageSectionHeader->VirtualAddress + ImageSectionHeader->Misc.VirtualSize))
{
TrueLocation = TrueLocation - ImageSectionHeader->VirtualAddress;
FOA = ImageSectionHeader->PointerToRawData + TrueLocation;
}
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + IMAGE_SIZEOF_SECTION_HEADER);
}
free(pFileBuffer);
free(pImageBuffer);
return FOA;

}

// Maps srcFile into memory (CopyFileBufferToImageBuffer) and copies the image
// into a fresh buffer that has 0x1000 extra bytes of slack at the end — room
// for one page of new data. Returns the new buffer (caller frees) or NULL
// after printing a message.
//
// NOTE(review): ImageBuffer is leaked on the success path (only the
// allocation-failure path frees it). The listed memset is missing its
// fill-value argument. The MZ/PE checks repeat those already done by the
// callee. Nothing records the 0x1000 slack for the callers, which rely on it
// being there.
LPVOID CopyImageBufferToNewImageBuffer(LPSTR srcFile)
{
LPVOID ImageBuffer = NULL;
LPVOID NewImageBuffer = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
ImageBuffer = CopyFileBufferToImageBuffer(srcFile);
if (!ImageBuffer)
{
printf("分配空间失败n");
return NULL;
}
if (*((PWORD)(DWORD)ImageBuffer)!=IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志n");
free(ImageBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)ImageBuffer;
if (*((PDWORD)((DWORD)ImageBuffer + ImageDosHeader->e_lfanew))!=IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(ImageBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)ImageBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
// One page of slack beyond SizeOfImage.
NewImageBuffer = malloc(ImageOptionalHeader->SizeOfImage + 0x1000);

if (!NewImageBuffer)
{
printf("NewImageBuffer分配空间失败n");
free(ImageBuffer);
return NULL;
}
// As listed, memset lacks its fill-value argument.
memset(NewImageBuffer,ImageOptionalHeader->SizeOfImage + 0x1000);
memcpy(NewImageBuffer,ImageBuffer,ImageOptionalHeader->SizeOfImage);

// ImageBuffer is not freed here.
return NewImageBuffer;

}

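// Rounds currentNumber up to the next multiple of Alignment (used for
// SectionAlignment and FileAlignment rounding of PE offsets and sizes).
//
// Returns currentNumber unchanged when it is already aligned or when Alignment
// is 0 (the original evaluated 'x % 0', undefined behaviour). When the rounded
// value does not fit in a DWORD the result wraps to 0, which is also the value
// the original's byte-at-a-time increment eventually reached.
//
// The original recursed once per byte — up to Alignment - 1 frames deep, i.e.
// thousands of frames for a page-sized alignment — so this uses the closed
// form instead.
DWORD GetSectionAlignmentOrFileAlignment(DWORD currentNumber,DWORD Alignment)
{
	if (Alignment == 0)
	{
		return currentNumber;
	}
	DWORD remainder = currentNumber % Alignment;
	if (remainder == 0)
	{
		return currentNumber;
	}
	return currentNumber + (Alignment - remainder);
}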

// Collapses every section of srcFile into the first one: the first header's
// VirtualSize and SizeOfRawData are set to span from the section-aligned end
// of the headers to the end of the last section, the sections' Characteristics
// are ORed together, and NumberOfSections is set to 1. Returns the modified
// image buffer (caller frees) or NULL after printing a message.
//
// NOTE(review):
//  - the loop never advances ImageSectionHeader, so NextImageSectionHeader is
//    always section 1: the Characteristics of sections 2..N-1 are dropped.
//  - the span arithmetic assumes the first section starts at the
//    section-aligned end of the headers; it is not verified.
//  - NumberOfSections == 0 makes 'NumberOfSections - 1' negative and
//    LastImageSectionHeader points far outside the buffer.
//  - the result is a single section carrying the union of all flags (usually
//    readable, writable and executable at once), the classic packer/tamper
//    heuristic that scanners flag.
//  - the MZ/PE checks repeat those already done by the callee.
LPVOID MergeSection(LPSTR srcFile)
{
LPVOID NewImageBuffer = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER NextImageSectionHeader = NULL;
NewImageBuffer = CopyImageBufferToNewImageBuffer(srcFile);
if (!NewImageBuffer)
{
printf("分配空间失败n");
return NULL;
}
if (*((PWORD)(DWORD)NewImageBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志n");
free(NewImageBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)NewImageBuffer;
if (*((PDWORD)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(NewImageBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
// Underflows when NumberOfSections is 0.
LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((DWORD)(ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER));
// Larger of the last section's raw and virtual size: its true extent in memory.
DWORD MAX = LastImageSectionHeader->SizeOfRawData > LastImageSectionHeader->Misc.VirtualSize ? LastImageSectionHeader->SizeOfRawData : LastImageSectionHeader->Misc.VirtualSize;
// New extent of section 0 = end of last section - aligned end of headers.
ImageSectionHeader->Misc.VirtualSize = ImageSectionHeader->SizeOfRawData = (MAX + LastImageSectionHeader->VirtualAddress) - GetSectionAlignmentOrFileAlignment(ImageOptionalHeader->SizeOfHeaders,ImageOptionalHeader->SectionAlignment);
// ImageSectionHeader is never advanced, so every iteration reads section 1.
for (INT i = 0; i < (ImageFileHeader->NumberOfSections - 1); i++)
{
NextImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + IMAGE_SIZEOF_SECTION_HEADER);
ImageSectionHeader->Characteristics = ImageSectionHeader->Characteristics | NextImageSectionHeader->Characteristics;
}
ImageFileHeader->NumberOfSections = 1;
return NewImageBuffer;
}

// Moves the NT headers and the section table up so that they directly follow
// the DOS header (offset IMAGE_SIZEOF_DOS_HEADER), overwriting the DOS stub,
// then sets e_lfanew to match. Returns the modified image buffer (caller
// frees) or NULL after printing a message.
//
// NOTE(review): source and destination overlap whenever the DOS stub is
// shorter than the block being moved (e_lfanew - 0x40 < size), and memcpy on
// overlapping regions is undefined behaviour — memmove is the right call.
// There is no check that e_lfanew is larger than IMAGE_SIZEOF_DOS_HEADER, and
// the stale copy left behind at the old e_lfanew is not cleared.
// LastImageSectionHeader is computed but unused; the MZ/PE checks repeat
// those already done by the callee.
LPVOID LiftHeaderInfo(LPSTR srcFile)
{
LPVOID NewImageBuffer = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER NewImageSectionHeader = NULL;
NewImageBuffer = CopyImageBufferToNewImageBuffer(srcFile);
if (!NewImageBuffer)
{
printf("分配空间失败n");
return NULL;
}
if (*((PWORD)(DWORD)NewImageBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志n");
free(NewImageBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)NewImageBuffer;
if (*((PDWORD)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(NewImageBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((DWORD)(ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER));
// Move signature + FILE header + optional header + section table to offset
// 0x40. Overlapping ranges are possible here; memcpy does not tolerate them.
memcpy((PNZCH)((DWORD)NewImageBuffer + IMAGE_SIZEOF_DOS_HEADER),(PNZCH)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew),(4 + IMAGE_SIZEOF_FILE_HEADER + ImageFileHeader->SizeOfOptionalHeader + (ImageFileHeader->NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER)));
ImageDosHeader->e_lfanew = IMAGE_SIZEOF_DOS_HEADER;
return NewImageBuffer;
}

// Appends one 0x1000-byte section (named from SectionName, Characteristics
// 0x60000020 = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
// after the existing ones of the merged image produced by MergeSection,
// writes the shellCode stub at its start, and redirects AddressOfEntryPoint
// to it. Returns the modified image buffer (caller frees) or NULL after
// printing a message.
//
// NOTE(review) defects visible here:
//  - 'SizeOfHeaders - SizeOfImageDosHeaderToImageSectionHeader' is unsigned;
//    if the table already extends past SizeOfHeaders it wraps and the '< 0x50'
//    guard passes instead of failing.
//  - the DWORD stores to shellCode + 0x9 / + 0xe run past the 6-byte array as
//    listed.
//  - the memset after the new header is missing its fill value and the memcpy
//    of the stub is missing its source argument (the listing does not compile).
//  - nothing checks that EntryPoint + 0x1000 fits the buffer, which
//    CopyImageBufferToNewImageBuffer sized at SizeOfImage + 0x1000 only.
//  - PointerToRelocations/PointerToLinenumbers and their counts are copied
//    from the first section rather than zeroed.
//  - a new executable section with the entry point in it and a 2-byte name
//    is exactly the header pattern static PE scanners flag.
LPVOID AddNewSection(LPSTR srcFile)
{
LPVOID NewImageBuffer = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER LastSectionHeader = NULL;
PIMAGE_SECTION_HEADER NewSectionHeader = NULL;
DWORD EntryPoint = 0;
DWORD PointerToRawData = 0;

// Input has already been collapsed to a single section by MergeSection.
NewImageBuffer = MergeSection(srcFile);
if (!NewImageBuffer)
{
printf("分配空间失败n");
return NULL;
}
if (*((PWORD)(DWORD)NewImageBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志n");
free(NewImageBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)NewImageBuffer;
if (*((PDWORD)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(NewImageBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
// Offset of the end of the section table; the 0x40 terms cancel, so this is
// e_lfanew + 4 + IMAGE_SIZEOF_FILE_HEADER + SizeOfOptionalHeader + N * 40.
DWORD SizeOfImageDosHeaderToImageSectionHeader = ((DWORD)IMAGE_SIZEOF_DOS_HEADER + (ImageDosHeader->e_lfanew - ((DWORD)IMAGE_SIZEOF_DOS_HEADER) + 4 + IMAGE_SIZEOF_FILE_HEADER
+ ImageFileHeader->SizeOfOptionalHeader + (ImageFileHeader->NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER)));
// Need room for two section headers (2 * 40 = 0x50 bytes): one new entry plus
// the zeroed terminator written below. Unsigned: wraps if already exceeded.
if ((ImageOptionalHeader->SizeOfHeaders - SizeOfImageDosHeaderToImageSectionHeader) < 0x50)
{
printf("剩余的节表空白区小于80个字节n");
free(NewImageBuffer);
return NULL;
}

LastSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER));
// New section starts at the aligned end of the last section, using whichever
// of VirtualSize / SizeOfRawData is larger.
if (LastSectionHeader->Misc.VirtualSize > LastSectionHeader->SizeOfRawData)
{
EntryPoint = GetSectionAlignmentOrFileAlignment(LastSectionHeader->VirtualAddress + LastSectionHeader->Misc.VirtualSize,ImageOptionalHeader->SectionAlignment);
PointerToRawData = GetSectionAlignmentOrFileAlignment(LastSectionHeader->PointerToRawData + LastSectionHeader->Misc.VirtualSize,ImageOptionalHeader->FileAlignment);
}
else
{
EntryPoint = GetSectionAlignmentOrFileAlignment(LastSectionHeader->VirtualAddress + LastSectionHeader->SizeOfRawData,ImageOptionalHeader->SectionAlignment);
PointerToRawData = GetSectionAlignmentOrFileAlignment(LastSectionHeader->PointerToRawData + LastSectionHeader->SizeOfRawData,ImageOptionalHeader->FileAlignment);
}

// Fill in the new section header right after the last one.
NewSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)LastSectionHeader + IMAGE_SIZEOF_SECTION_HEADER);

memcpy((PNZCH)(NewSectionHeader->Name),&SectionName,sizeof(SectionName));

NewSectionHeader->Misc.VirtualSize = 0x1000;
NewSectionHeader->VirtualAddress = EntryPoint;
NewSectionHeader->SizeOfRawData = 0x1000;
NewSectionHeader->PointerToRawData = PointerToRawData;
NewSectionHeader->PointerToRelocations = ImageSectionHeader->PointerToRelocations;
NewSectionHeader->PointerToLinenumbers = ImageSectionHeader->PointerToLinenumbers;
NewSectionHeader->NumberOfRelocations = ImageSectionHeader->NumberOfRelocations;
NewSectionHeader->NumberOfLinenumbers = ImageSectionHeader->NumberOfLinenumbers;
NewSectionHeader->Characteristics = 0x60000020;
// Zero the header slot after the new one. As listed, memset lacks its
// fill-value argument.
memset((PIMAGE_SECTION_HEADER)((DWORD)NewSectionHeader + IMAGE_SIZEOF_SECTION_HEADER),IMAGE_SIZEOF_SECTION_HEADER);
// Displacement patches into the stub — out of bounds for the 6-byte
// shellCode as listed.
*(PDWORD)(shellCode + 0x9) = (DWORD)MASSAGEBOXAADDR - (DWORD)(ImageOptionalHeader->ImageBase + (NewSectionHeader->VirtualAddress + 0xd));
*(PDWORD)(shellCode + 0xe) = ((DWORD)(ImageOptionalHeader->ImageBase + ImageOptionalHeader->AddressOfEntryPoint) - (DWORD)(ImageOptionalHeader->ImageBase + (NewSectionHeader->VirtualAddress + 0x12)));
// As listed, this memcpy has no source argument.
memcpy(((CHAR*)NewImageBuffer + NewSectionHeader->VirtualAddress),sizeof(shellCode));
// Bump the section count.
ImageFileHeader->NumberOfSections = ImageFileHeader->NumberOfSections + 1;
// Entry point now lands in the new section.
ImageOptionalHeader->AddressOfEntryPoint = EntryPoint;
// Grow SizeOfImage by the one page added.
ImageOptionalHeader->SizeOfImage = ImageOptionalHeader->SizeOfImage + 0x1000;

return NewImageBuffer;
}

// Grows the last section of srcFile by 0x1000 bytes (VirtualSize, SizeOfRawData
// and SizeOfImage), writes the shellCode stub at the section-aligned end of the
// section's current contents, ORs the first section's Characteristics into
// it and points AddressOfEntryPoint at the stub. Returns the modified image
// buffer (caller frees) or NULL after printing a message.
//
// NOTE(review):
//  - the DWORD stores to shellCode + 0x9 / + 0xe run past the 6-byte array as
//    listed; both memcpy calls are missing their source argument.
//  - the stub is placed at the aligned end but the sizes grow by a flat
//    0x1000, so for a raw size just above a page boundary the stub can end
//    past the new SizeOfRawData and be truncated when written to disk.
//  - nothing checks that the write lands inside the SizeOfImage + 0x1000
//    buffer, and only the last section can be grown in place — the code
//    relies on this without checking it.
//  - the MZ/PE checks repeat those already done by the callee.
LPVOID AmplifySection(LPSTR srcFile)
{
LPVOID NewImageBuffer = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL;
NewImageBuffer = CopyImageBufferToNewImageBuffer(srcFile);
if (!NewImageBuffer)
{
printf("分配空间失败n");
return NULL;
}
if (*((PWORD)(DWORD)NewImageBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志n");
free(NewImageBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)NewImageBuffer;
if (*((PDWORD)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志");
free(NewImageBuffer);
return NULL;
}
ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewImageBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader);
LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER));
// Two mirror-image branches: the stub goes after whichever of VirtualSize /
// SizeOfRawData is larger, rounded up to SectionAlignment.
if (LastImageSectionHeader->Misc.VirtualSize > LastImageSectionHeader->SizeOfRawData)
{
DWORD VirtualSize = GetSectionAlignmentOrFileAlignment(LastImageSectionHeader->Misc.VirtualSize,ImageOptionalHeader->SectionAlignment);
// Out-of-bounds stores into the 6-byte shellCode as listed.
*(PDWORD)(shellCode + 0x9) = (MASSAGEBOXAADDR - ((DWORD)ImageOptionalHeader->ImageBase + LastImageSectionHeader->VirtualAddress + VirtualSize + 0xd));
*(PDWORD)(shellCode + 0xe) = (((DWORD)ImageOptionalHeader->ImageBase + ImageOptionalHeader->AddressOfEntryPoint) - ((DWORD)ImageOptionalHeader->ImageBase + LastImageSectionHeader->VirtualAddress + VirtualSize + 0x12));
// As listed, this memcpy has no source argument.
memcpy((PNZCH)((DWORD)NewImageBuffer + LastImageSectionHeader->VirtualAddress + VirtualSize),sizeof(shellCode));
ImageOptionalHeader->AddressOfEntryPoint = (DWORD)(LastImageSectionHeader->VirtualAddress + VirtualSize);

}
else
{
DWORD SizeOfRawData = GetSectionAlignmentOrFileAlignment(LastImageSectionHeader->SizeOfRawData,ImageOptionalHeader->SectionAlignment);
// Out-of-bounds stores into the 6-byte shellCode as listed.
*(PDWORD)(shellCode + 0x9) = (MASSAGEBOXAADDR - ((DWORD)ImageOptionalHeader->ImageBase + LastImageSectionHeader->VirtualAddress + SizeOfRawData + 0xd));
*(PDWORD)(shellCode + 0xe) = (((DWORD)ImageOptionalHeader->ImageBase + ImageOptionalHeader->AddressOfEntryPoint) - ((DWORD)ImageOptionalHeader->ImageBase + LastImageSectionHeader->VirtualAddress + SizeOfRawData + 0x12));
// As listed, this memcpy has no source argument.
memcpy((PNZCH)((DWORD)NewImageBuffer + LastImageSectionHeader->VirtualAddress + SizeOfRawData),sizeof(shellCode));
ImageOptionalHeader->AddressOfEntryPoint = (DWORD)(LastImageSectionHeader->VirtualAddress + SizeOfRawData);
}
// Grow the last section and the image by one page; inherit the first
// section's flags (a data section thereby becomes executable).
LastImageSectionHeader->Misc.VirtualSize = LastImageSectionHeader->Misc.VirtualSize + 0x1000;
LastImageSectionHeader->SizeOfRawData = LastImageSectionHeader->SizeOfRawData + 0x1000;
ImageOptionalHeader->SizeOfImage = ImageOptionalHeader->SizeOfImage + 0x1000;
LastImageSectionHeader->Characteristics = (LastImageSectionHeader->Characteristics | ImageSectionHeader->Characteristics);

return NewImageBuffer;
}


// Converts the image produced by AddNewSection back to file layout: headers
// first, then each section copied from its VirtualAddress to its
// PointerToRawData. Returns the new file buffer (caller frees) or NULL after
// printing a message.
//
// NOTE(review): the buffer is sized as LastSection.VirtualAddress +
// SizeOfRawData, but the writes go to PointerToRawData + SizeOfRawData; the
// two differ for any image whose raw and virtual layouts differ, so the copy
// can overrun the allocation (heap overflow) or leave a tail uninitialised.
// The writer recomputes the size from PointerToRawData, so the two can also
// disagree about how many bytes to emit. The listed memset is missing its
// fill value, free(pImageBuffer) on the NULL path is a no-op, two debug
// printf calls are left in, and the MZ/PE checks repeat those of the callee.
LPVOID CopyImageBufferToNewBuffer(LPSTR lpszFole)
{
LPVOID pNewBuffer = NULL;
LPVOID pImageBuffer = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader32 = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER LastImageSectionHeader = NULL;
pImageBuffer = AddNewSection(lpszFole);
if (!pImageBuffer)
{
printf("空间分配失败n");
free(pImageBuffer); // no-op: pImageBuffer is NULL here
return NULL;
}
if (*((PWORD)pImageBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标记n");
free(pImageBuffer);
return NULL;
}
ImageDosHeader = (PIMAGE_DOS_HEADER)pImageBuffer;
if (*((PDWORD)((DWORD)pImageBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志n");
free(pImageBuffer);
return NULL;
}

ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)pImageBuffer + ImageDosHeader->e_lfanew);
ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4);
ImageOptionalHeader32 = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER);

ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader32 + ImageFileHeader->SizeOfOptionalHeader);
LastImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER));
// Sized by the virtual end of the last section, yet filled by raw offsets.
pNewBuffer = malloc(LastImageSectionHeader->VirtualAddress + LastImageSectionHeader->SizeOfRawData);
if (!pNewBuffer)
{
printf("分配空间失败n");
free(pImageBuffer);
return NULL;
}
memcpy(pNewBuffer,pImageBuffer,ImageOptionalHeader32->SizeOfHeaders);
printf("%xn",LastImageSectionHeader->VirtualAddress);
printf("%xn",LastImageSectionHeader->SizeOfRawData);
for (size_t i = 0; i < ImageFileHeader->NumberOfSections; i++)
{
// As listed, memset lacks its fill-value argument. Neither write is checked
// against the allocation size.
memset((PNZCH)((DWORD)pNewBuffer + ImageSectionHeader->PointerToRawData),ImageSectionHeader->SizeOfRawData);
memcpy((PNZCH)((DWORD)pNewBuffer + ImageSectionHeader->PointerToRawData),(PNZCH)((DWORD)pImageBuffer + ImageSectionHeader->VirtualAddress),ImageSectionHeader->SizeOfRawData);
ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + IMAGE_SIZEOF_SECTION_HEADER);
}

free(pImageBuffer);
return pNewBuffer;
}

// Writes the rebuilt file for srcFile to destFile: the first
// LastSection.PointerToRawData + SizeOfRawData bytes of the buffer returned
// by CopyImageBufferToNewBuffer. Prints a message on every outcome.
//
// NOTE(review): destFile is opened before anything is validated, so every
// early 'return' below leaks the FILE handle and leaves an empty destFile
// behind; the success path never calls fclose either, so buffered output is
// only flushed at process exit and a write error there is never reported.
// The byte count written here is derived from PointerToRawData while the
// buffer was allocated from VirtualAddress (see CopyImageBufferToNewBuffer),
// so fwrite can read past the end of NewFileBuffer. The MZ/PE checks repeat
// those already done by the callee. The body is collapsed onto one line in
// this listing.
VOID CopyNewImageBufferToNewFile(LPSTR destFile,LPSTR srcFile)
{
FILE* NewFile = NULL;
LPVOID NewFileBuffer = NULL;
PIMAGE_DOS_HEADER ImageDosHeader = NULL;
PIMAGE_NT_HEADERS ImageNTheader = NULL;
PIMAGE_FILE_HEADER ImageFileHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 ImageOptionalHeader = NULL;
PIMAGE_SECTION_HEADER ImageSectionHeader = NULL;
PIMAGE_SECTION_HEADER LastSectionHeader = NULL;

// NewFile is never closed on the success path, nor on the error returns after it is opened.
NewFile = fopen(destFile,"wb"); if (!NewFile) { printf("打开文件失败n"); return; } NewFileBuffer = CopyImageBufferToNewBuffer(srcFile); if (!NewFileBuffer) { printf("分配空间失败n"); return; } if (*((PWORD)(DWORD)NewFileBuffer) != IMAGE_DOS_SIGNATURE) { printf("不是有效的MZ标志n"); free(NewFileBuffer); return; } ImageDosHeader = (PIMAGE_DOS_HEADER)NewFileBuffer; if (*((PDWORD)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE) { printf("不是有效的PE标志"); free(NewFileBuffer); return; } ImageNTheader = (PIMAGE_NT_HEADERS)((DWORD)NewFileBuffer + ImageDosHeader->e_lfanew); ImageFileHeader = (PIMAGE_FILE_HEADER)((DWORD)ImageNTheader + 4); ImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)ImageFileHeader + IMAGE_SIZEOF_FILE_HEADER); ImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageOptionalHeader + ImageFileHeader->SizeOfOptionalHeader); LastSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)ImageSectionHeader + ((ImageFileHeader->NumberOfSections - 1) * IMAGE_SIZEOF_SECTION_HEADER)); DWORD result = fwrite(NewFileBuffer,sizeof(char),(LastSectionHeader->PointerToRawData + LastSectionHeader->SizeOfRawData),NewFile); if (result < (DWORD)(LastSectionHeader->PointerToRawData + LastSectionHeader->SizeOfRawData)) { printf("文件写入失败n"); free(NewFileBuffer); fclose(NewFile); return; } free(NewFileBuffer); printf("文件写入完成n");}
