上一篇:
下一篇:

程序的自我修改

April 30th, 2008 | lonkil | 编程开发 | 发表评论 | trackback

本文目的在于向读者说明程序进行自我修改的基本方法,并希望可以起到抛砖引玉的作用。
如果读者有更好的方法或见解,欢迎来信交流E-mail: default_and_default_AT_yahoo.cn

C++代码
  1. /*//////////////////////////////////////////////////////////////////////////////
  2. This program will modify itself at the running time,
  3. These  methods will be very useful in some situations,
  4. Gook Luck!
  5. //////////////////////////////////////////////////////////////////////////////*/
  6. #include<stdio.h>
  7. #include<windows.h>
  9. void main()
  10. {
  11. TCHAR Info001[MAX_PATH]=“Welcome to Big Apple!”;
  12. TCHAR Info002[MAX_PATH]=“Welcome to Washington!”;
  13. char temp=(char)0×90;
  14. WORD temp001=0×9090;
  15. DWORD temp002=0×90909090;
  17. PVOID BaseAddressOne=NULL;
  18. PVOID BaseAddressTwo=NULL;
  20. _asm
  21. {
  22. mov BaseAddressOne,offset LabelOne
  23. mov BaseAddressTwo,offset LabelTwo
  24. }
  26. MessageBox(NULL,Info001,“Information”,MB_OK|MB_ICONINFORMATION);
  28. //a kind of method to modify itself
  29. WriteProcessMemory(GetCurrentProcess(),BaseAddressTwo,&temp001,2,NULL);
  30. WriteProcessMemory(GetCurrentProcess(),BaseAddressOne,&temp001,2,NULL);
  33. /*
  34. //Another method to modify itself,this method needs to modify the code section’s
  35. //characteristics in PE file.
  37. _asm
  38. {
  39. mov ebx,BaseAddressOne
  40. mov ecx,BaseAddressTwo
  41. mov dx,temp001
  43. mov [ebx],dx
  44. mov [ecx],dx
  45. }
  46. */
  48. LabelTwo:
  49. _asm
  50. {
  51. jmp LabelOne
  52. }
  53. _asm
  54. {
  55. nop
  56. nop
  57. nop
  58. }
  60. MessageBox(NULL,Info002,“Information”,MB_OK|MB_ICONINFORMATION);
  61. LabelOne:
  62. _asm
  63. {
  64. jmp Over
  65. }
  66. MessageBox(NULL,Info002,“Information”,MB_OK|MB_ICONINFORMATION);
  67. Over:
  68. return;
  69. }

编译这个程序,我们发现WriteProcessMemory() 成功修改了程序自身代码,程序运行正常。
然后我们屏蔽程序中的WriteProcessMemory()调用,用/*  */之中的代码完成自我修改,
运行后会发现系统抛出异常 Access Violation.这是因为PE 中 代码节的属性默认为 0×60000020,
20 表示代码 20000000表示可执行,40000000表示可读,如果我们在此基础上加上 0×80000000(可写)
操作系统的loader在装载可执行文件时,便会将存放代码节数据的内存标记为可读,可写,可执行。
这样就不会有异常了。
读者可使用下面的程序来修改节属性:

C++代码
  1. /**************************************************************************************/
  2. //The following code is used to modify characteristics of sections
  4. #include<windows.h>
  5. #include<stdio.h>
  6. BOOL ModifyCharacteristicsOfSections (LPCTSTR FileName)
  7. {
  8. DWORD i=0;
  9. HANDLE hDestinationFile=NULL;
  10. TCHAR DestinationPEFile[MAX_PATH];
  11. DWORD NumberOfBytesRead=0; //Number of bytes read
  12. DWORD NumberOfBytesWritten=0; //Number of bytes written
  14. DWORD ImageNtSignature=0; //PE signature
  15. DWORD OffsetOfNewHeader=0;
  16. DWORD NumberOfSections=0;
  17. DWORD SizeOfSectionTable=0; //size of section table
  19. HANDLE hGlobalAllocatedMemory=NULL; //use GlobalAlloc();
  21. PIMAGE_SECTION_HEADER pImageSectionHeader=NULL; //a pointer to IMAGE_SECTION_TABLE
  23. IMAGE_DOS_HEADER ImageDosHeader;
  24. IMAGE_NT_HEADERS ImageNTHeaders;
  25. IMAGE_FILE_HEADER ImageFileHeader;
  27. IMAGE_OPTIONAL_HEADER ImageOptionalHeader;
  28. IMAGE_SECTION_HEADER ImageSectionHeader;
  29. DWORD dwFileSize=0;
  31. RtlZeroMemory(&ImageDosHeader,sizeof(IMAGE_DOS_HEADER));
  32. RtlZeroMemory(&ImageNTHeaders,sizeof(IMAGE_NT_HEADERS));
  33. RtlZeroMemory(&ImageFileHeader,sizeof(IMAGE_FILE_HEADER));
  35. RtlZeroMemory(&ImageOptionalHeader,sizeof(IMAGE_OPTIONAL_HEADER));
  36. RtlZeroMemory(&ImageSectionHeader,sizeof(IMAGE_SECTION_HEADER));
  38. strcpy(DestinationPEFile,FileName);
  40. hDestinationFile=CreateFile(DestinationPEFile,
  41. FILE_WRITE_DATA|FILE_READ_DATA,
  42. FILE_SHARE_WRITE,NULL,OPEN_ALWAYS,FILE_ATTRIBUTE_ARCHIVE,NULL);
  44. if(hDestinationFile==INVALID_HANDLE_VALUE)
  45. {
  46. //    printf(“\nCreateFile() fails!Can’t open file. Please try again!\n”);
  47. //    CloseHandle(hDestinationFile);
  48. return TRUE;
  49. }
  50. else
  51. {
  52. dwFileSize=GetFileSize(hDestinationFile,NULL);
  53. }
  55. SetFilePointer(hDestinationFile,0,NULL,FILE_BEGIN); //Revert the file pointer,this is very important.
  57. ReadFile(hDestinationFile,&ImageDosHeader,
  58. sizeof(IMAGE_DOS_HEADER),&NumberOfBytesRead,NULL);
  59. if(NumberOfBytesRead!=sizeof(IMAGE_DOS_HEADER))
  60. {
  61. //    printf(“\nReadFile() fails! Can’t get IMAGE_DOS_HEADER.\n”);
  62. CloseHandle(hDestinationFile);
  63. return FALSE;
  64. }
  66. OffsetOfNewHeader=ImageDosHeader.e_lfanew; //File address of new exe header
  68. SetFilePointer(hDestinationFile,(LONG)OffsetOfNewHeader,NULL,FILE_BEGIN);
  70. ReadFile(hDestinationFile,&ImageNTHeaders,
  71. sizeof(IMAGE_NT_HEADERS),&NumberOfBytesRead,NULL); //Retrieve IMAGE_NT_HEADERS
  72. if(NumberOfBytesRead!=sizeof(IMAGE_NT_HEADERS))
  73. {
  74. CloseHandle(hDestinationFile);
  75. return FALSE;
  76. }
  78. if(ImageNTHeaders.Signature!=0×00004550)
  79. {
  80. //    printf(“Error.\nPE signature is invalid!\n”);
  81. CloseHandle(hDestinationFile);
  82. return FALSE;
  83. }
  86. SetFilePointer(hDestinationFile,OffsetOfNewHeader+4,NULL,FILE_BEGIN);  //Set the file pointer to point to IMAGE_FILE_HEADER
  87. ReadFile(hDestinationFile,&ImageFileHeader,
  88. sizeof(IMAGE_FILE_HEADER),&NumberOfBytesRead,NULL); //Retrieve IMAGE_FILE_HEADER
  89. if(NumberOfBytesRead!=sizeof(IMAGE_FILE_HEADER))
  90. {
  91. //    printf(“\nReadFile() fails! Can’t get IMAGE_FILE_HEADER.\n”);
  92. CloseHandle(hDestinationFile);
  93. return FALSE;
  94. }
  97. if(ImageFileHeader.NumberOfSections<1)
  98. {
  99. CloseHandle(hDestinationFile);
  100. return FALSE;
  101. }
  103. if(dwFileSize<(sizeof(IMAGE_DOS_HEADER)+sizeof(IMAGE_NT_HEADERS)+sizeof(IMAGE_SECTION_HEADER)*ImageFileHeader.NumberOfSections))
  104. {
  105. CloseHandle(hDestinationFile);
  106. return FALSE;
  107. }
  111. ReadFile(hDestinationFile,&ImageOptionalHeader,
  112. sizeof(IMAGE_OPTIONAL_HEADER),&NumberOfBytesRead,NULL); //Retrieve IMAGE_OPTIONAL_HEADER
  114. if(NumberOfBytesRead!=sizeof(IMAGE_OPTIONAL_HEADER))
  115. {
  116. //    printf(“\nReadFile() fails! Can’t get IMAGE_OPTIONAL_HEADER.\n”);
  117. CloseHandle(hDestinationFile);
  118. return FALSE;
  119. }
  120. if(ImageOptionalHeader.SectionAlignment<ImageOptionalHeader.FileAlignment)
  121. {
  122. CloseHandle(hDestinationFile);
  123. return FALSE;
  124. }
  127. NumberOfSections=ImageFileHeader.NumberOfSections; //Number of sections
  128. SizeOfSectionTable=sizeof(IMAGE_SECTION_HEADER)*NumberOfSections; //Get the size of Section Table
  130. hGlobalAllocatedMemory=GlobalAlloc(GPTR,SizeOfSectionTable);      //Allocate memory and initialize with zero
  131. if(hGlobalAllocatedMemory==NULL)
  132. {
  133. //    printf(“\nGlobalAlloc() failed! Please try again.\n”); //if failed,return
  134. CloseHandle(hDestinationFile);
  135. return FALSE;
  136. }
  139. pImageSectionHeader=(PIMAGE_SECTION_HEADER)hGlobalAllocatedMemory; //Convert a handle to a pointer to IMAGE_SECTION_HEADER
  141. for(i=0;i<NumberOfSections;i++) //Retrieve the Section Table
  142. {
  143. ReadFile(hDestinationFile,pImageSectionHeader+i,
  144. sizeof(IMAGE_SECTION_HEADER),&NumberOfBytesRead,NULL);
  145. if(NumberOfBytesRead!=sizeof(IMAGE_SECTION_HEADER))
  146. {
  147. //      printf(“Error.Can’t get IMAGE_SECTION_HEADER.\n”);
  148. CloseHandle(hDestinationFile);
  149. return FALSE;
  150. }
  151. }
  153. for(i=0;i<NumberOfSections;i++)
  154. {
  155. DWORD dwTempCharacteristics=0;
  157. if((*(pImageSectionHeader+i)).PointerToRawData+(*(pImageSectionHeader+i)).SizeOfRawData>dwFileSize)
  158. {
  159. CloseHandle(hDestinationFile);
  160. return FALSE;
  161. }
  162. if((*(pImageSectionHeader+i)).PointerToRawData % ImageOptionalHeader.FileAlignment!=0)
  163. {
  164. CloseHandle(hDestinationFile);
  165. return FALSE;
  166. }
  167. printf(“\nThe name of the section%d: ”,i);
  168. printf(“%s\n”,(*(pImageSectionHeader+i)).Name);
  170. printf(“Characteristics: %#x\n”,(*(pImageSectionHeader+i)).Characteristics);
  171. printf(“\nPlease input the new characteristics of the section.\n”);
  172. printf(“If you enter 0,the characteristics of the section will not be modified.\n”);
  173. scanf(“%x”,&dwTempCharacteristics);
  175. if(dwTempCharacteristics!=0)
  176. (*(pImageSectionHeader+i)).Characteristics=dwTempCharacteristics;
  177. printf(“——————————————————”);
  178. }
  180. SetFilePointer(hDestinationFile,-((long)SizeOfSectionTable),NULL,FILE_CURRENT); //Set the file poiner
  182. WriteFile(hDestinationFile,pImageSectionHeader,SizeOfSectionTable,&NumberOfBytesWritten,NULL);
  183. if(NumberOfBytesWritten==SizeOfSectionTable)
  184. {
  185. printf(“\nComplete successfully!\n”);
  186. }
  187. else
  188. {
  189. printf(“\nWriteFile() failed!\n”);
  190. }
  191. GlobalFree(hGlobalAllocatedMemory); //Free memory
  193. CloseHandle(hDestinationFile);
  195. return TRUE;
  196. }
  198. void main(int argc,char *argv[])
  199. {
  200. if(argc!=2)
  201. {
  202. printf(“Error\nUsage:ModifyCharacteristicsOfSections CompleteDestinationFileName\n”);
  203. return;
  204. }
  205. if(!ModifyCharacteristicsOfSections(argv[1]))
  206. {
  207. printf(“\nError.This usually means that this file is not a valid PE file or\n”);
  208. printf(“that this PE file has been modified by another program,for example,shell programm.\n”);
  209. }
  210. }

/**********************************************************************************************/
以下是上面程序的输出信息:

The name of the section0: .text
Characteristics: 0×60000020

Please input the new characteristics of the section.
If you enter 0,the characteristics of the section will not be modified.
e0000020
——————————————————
The name of the section1: .rdata
Characteristics: 0×40000040

Please input the new characteristics of the section.
If you enter 0,the characteristics of the section will not be modified.
0
——————————————————
The name of the section2: .data
Characteristics: 0xc0000040

Please input the new characteristics of the section.
If you enter 0,the characteristics of the section will not be modified.
0
——————————————————
The name of the section3: .idata
Characteristics: 0xc0000040

Please input the new characteristics of the section.
If you enter 0,the characteristics of the section will not be modified.
0
——————————————————
The name of the section4: .reloc
Characteristics: 0×42000040

Please input the new characteristics of the section.
If you enter 0,the characteristics of the section will not be modified.
0
——————————————————
Complete successfully!

////////////////////////////////////////////////////////////////////////////

The name of the section0: .text
Characteristics: 0xe0000020

Please input the new characteristics of the section.
If you enter 0,the characteristics of the section will not be modified.
0
——————————————————
The name of the section1: .rdata
Characteristics: 0×40000040

Please input the new characteristics of the section.
If you enter 0,the characteristics of the section will not be modified.
0
——————————————————
The name of the section2: .data
Characteristics: 0xc0000040

Please input the new characteristics of the section.
If you enter 0,the characteristics of the section will not be modified.
0
——————————————————
The name of the section3: .idata
Characteristics: 0xc0000040

Please input the new characteristics of the section.
If you enter 0,the characteristics of the section will not be modified.
0
——————————————————
The name of the section4: .reloc
Characteristics: 0×42000040

Please input the new characteristics of the section.
If you enter 0,the characteristics of the section will not be modified.
0
——————————————————
Complete successfully!

原文:http://bbs.pediy.com/showthread.php?t=64033

标签: ,

发表评论





XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>