!!很高的手才可以进的,一个从内存中加载并启动一个exe的问题?
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <tlhelp32.h>
//#include <psapi.h>
struct PE_Header
{
unsigned long signature;
unsigned short machine;
unsigned short numSections;
unsigned long timeDateStamp;
unsigned long pointerToSymbolTable;
unsigned long numOfSymbols;
unsigned short sizeOfOptionHeader;
unsigned short characteristics;
};
struct PE_ExtHeader
{
unsigned short magic;
unsigned char majorLinkerVersion;
unsigned char minorLinkerVersion;
unsigned long sizeOfCode;
unsigned long sizeOfInitializedData;
unsigned long sizeOfUninitializedData;
unsigned long addressOfEntryPoint;
unsigned long baseOfCode;
unsigned long baseOfData;
unsigned long imageBase;
unsigned long sectionAlignment;
unsigned long fileAlignment;
unsigned short majorOSVersion;
unsigned short minorOSVersion;
unsigned short majorImageVersion;
unsigned short minorImageVersion;
unsigned short majorSubsystemVersion;
unsigned short minorSubsystemVersion;
unsigned long reserved1;
unsigned long sizeOfImage;
unsigned long sizeOfHeaders;
unsigned long checksum;
unsigned short subsystem;
unsigned short DLLCharacteristics;
unsigned long sizeOfStackReserve;
unsigned long sizeOfStackCommit;
unsigned long sizeOfHeapReserve;
unsigned long sizeOfHeapCommit;
unsigned long loaderFlags;
unsigned long numberOfRVAAndSizes;
unsigned long exportTableAddress;
unsigned long exportTableSize;
unsigned long importTableAddress;
unsigned long importTableSize;
unsigned long resourceTableAddress;
unsigned long resourceTableSize;
unsigned long exceptionTableAddress;
unsigned long exceptionTableSize;
unsigned long certFilePointer;
unsigned long certTableSize;
unsigned long relocationTableAddress;
unsigned long relocationTableSize;
unsigned long debugDataAddress;
unsigned long debugDataSize;
unsigned long archDataAddress;
unsigned long archDataSize;
unsigned long globalPtrAddress;
unsigned long globalPtrSize;
unsigned long TLSTableAddress;
unsigned long TLSTableSize;
unsigned long loadConfigTableAddress;
unsigned long loadConfigTableSize;
unsigned long boundImportTableAddress;
unsigned long boundImportTableSize;
unsigned long importAddressTableAddress;
unsigned long importAddressTableSize;
unsigned long delayImportDescAddress;
unsigned long delayImportDescSize;
unsigned long COMHeaderAddress;
unsigned long COMHeaderSize;
unsigned long reserved2;
unsigned long reserved3;
};
struct SectionHeader
{
unsigned char sectionName[8];
unsigned long virtualSize;
unsigned long virtualAddress;
unsigned long sizeOfRawData;
unsigned long pointerToRawData;
unsigned long pointerToRelocations;
unsigned long pointerToLineNumbers;
unsigned short numberOfRelocations;
unsigned short numberOfLineNumbers;
unsigned long characteristics;
};
struct MZHeader
{
unsigned short signature;
unsigned short partPag;
unsigned short pageCnt;
unsigned short reloCnt;
unsigned short hdrSize;
unsigned short minMem;
unsigned short maxMem;
unsigned short reloSS;
unsigned short exeSP;
unsigned short chksum;
unsigned short exeIP;
unsigned short reloCS;
unsigned short tablOff;
unsigned short overlay;
unsigned char reserved[32];
unsigned long offsetToPE;
};
struct ImportDirEntry
{
DWORD importLookupTable;
DWORD timeDateStamp;
DWORD fowarderChain;
DWORD nameRVA;
DWORD importAddressTable;
};
/
WINBASEAPI
LPVOID
WINAPI
VirtualAllocEx(
HANDLE hProcess,
LPVOID lpAddress,
SIZE_T dwSize,
DWORD flAllocationType,
DWORD flProtect
);
[解决办法]
咕~~(╯﹏╰)b
我就是来接分的。。。
[解决办法]
struct MZHeader mzH;
struct PE_Header peH;
struct PE_ExtHeader peXH;
struct SectionHeader *secHdr;
//从文件取得Exe信息(MZ,PE,PEEXT,Sections)
if(readPEInfo(fp, &mzH, &peH, &peXH, &secHdr))
{
//按exe头的信息计算所需空间
int imageSize = calcTotalImageSize(&mzH, &peH, &peXH, secHdr);
//printf("Image Size = %X\n", imageSize);
LPVOID ptrLoc = VirtualAlloc(NULL, imageSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);//分配空间
if(ptrLoc)
{
//printf("Memory allocated at %X\n", ptrLoc);
loadPE(fp, &mzH, &peH, &peXH, secHdr, ptrLoc);//装载exe文件数据到分配空间
doFork(&mzH, &peH, &peXH, secHdr, ptrLoc, imageSize);//模拟目标Exe运行环境跑Exe代码
[解决办法]
各个函数基本都注释了,需要的知识点比较多,尤其是PE格式是一定要熟悉的,没什么好说的,lz还是要自己加强学习。
BOOL readPEInfo(FILE *fp, struct MZHeader *outMZ, struct PE_Header *outPE, struct PE_ExtHeader *outpeXH, struct SectionHeader **outSecHdr){ //获取要执行的exe文件的长度 fseek(fp, 0, SEEK_END); long fileSize = ftell(fp); fseek(fp, 0, SEEK_SET); //判断长度是否小于PE文件中DOS Stub的大小,如果小于,则说明不是合法的PE格式文件 if(fileSize < sizeof(struct MZHeader)) { printf("File size too small\n"); return FALSE; } //读取DOS Stub到mzH // read MZ Header struct MZHeader mzH; fread(&mzH, sizeof(struct MZHeader), 1, fp); //判断DOS Stub的标志是否是"MZ",如果不是则说明不是合法的PE格式文件 if(mzH.signature != 0x5a4d) // MZ { printf("File does not have MZ header\n"); return FALSE; } //printf("Offset to PE Header = %X\n", mzH.offsetToPE); //检查文件的大小是否小于PE文件头中指明的大小。如果小于,则说明不是合法的PE格式文件 //通常这两个值应该相等,但是实际上fileSize大于后面的和是有可能的,呵呵。 if((unsigned long)fileSize < mzH.offsetToPE + sizeof(struct PE_Header)) { printf("File size too small\n"); return FALSE; } //接下来是读取PE头,PE头的起始位置在DOS Stub中会指明,通常不是和Dos Stub连在一块的, //所以这里需要先SEEK一下文件指针的位置,然后读取 // read PE Header fseek(fp, mzH.offsetToPE, SEEK_SET); struct PE_Header peH; fread(&peH, sizeof(struct PE_Header), 1, fp); //printf("Size of option header = %d\n", peH.sizeOfOptionHeader); //printf("Number of sections = %d\n", peH.numSections); //又是一个判断,检查文件中的可选头的大小和实际大小一致 if(peH.sizeOfOptionHeader != sizeof(struct PE_ExtHeader)) { printf("Unexpected option header size.\n"); return FALSE; } //接着读取PE的可选头 // read PE Ext Header //struct PE_ExtHeader peXH; struct PE_ExtHeader peXH; fread(&peXH, sizeof(struct PE_ExtHeader), 1, fp); //printf("Import table address = %X\n", peXH.importTableAddress); //printf("Import table size = %X\n", peXH.importTableSize); //printf("Import address table address = %X\n", peXH.importAddressTableAddress); //printf("Import address table size = %X\n", peXH.importAddressTableSize); // read the sections //SectionHeader *secHdr = new SectionHeader[peH.numSections]; // VC++ //根据PE头中指明的section个数来分配内存,记录所有的section数据 struct SectionHeader *secHdr = (struct SectionHeader*)malloc(sizeof(struct SectionHeader) * peH.numSections); fread(secHdr, sizeof(struct SectionHeader) * peH.numSections, 1, fp); *outMZ = mzH; *outPE = peH; *outpeXH = peXH; *outSecHdr = secHdr; return TRUE;}
[解决办法]