PE伪装器[花指令添加器] ---by fi7ke
这个是修改PE头骗过PEID的小工具。也就是大家通常所说的给程序添加花指令。原理非常简单,就是给EXE文件加一个PE头,然后写我们的“花指令”。如果你读懂过jingtao的“谈Delphi编程中流的应用”那篇文章的话。相信对这段代码不会陌生,因为这基本原理是一样的。只是代码中有几个数据结构可能是平时极少用到的,都是用来存放PE结构的变量。大家可以参考PE结构方面的资料。(其实看名字应该也能猜出个十有八九)注释我懒得写了,有问题直接跟贴。
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, ExtCtrls, StdCtrls;
type
TForm1 = class(TForm)
Label1: TLabel;
Edit1: TEdit;
Button1: TButton;
Bevel1: TBevel;
Button3: TButton;
OpenDialog1: TOpenDialog;
procedure FormCreate(Sender: TObject);
procedure Button1Click(Sender: TObject);
procedure Button3Click(Sender: TObject);
procedure obtain;
private
{ Private declarations }
FImageBase: DWORD;
public
{ Public declarations }
end;
THEAD = array[0..63] of byte;
var
Form1: TForm1;
const
MYSECTION = 'Fi7ke'; //添加的节名,自定义
JMPOFF = 43; //花指令的机器码,Ollydbg加载后随便取
OEPCODE: THEAD = ($55, $8B, $EC, $6A, $FF, $68, $2A, $2C, $0A, $00, $68, $38,
$90, $0D, $00, $64, $A1, $00, $00, $00, $00, $50, $64, $89,
$25, $00, $00, $00, $00, $58, $64, $A3, $00, $00, $00, $00,
$58, $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF,
$E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00);
procedure AddSection(FName: string);
implementation
{$R *.dfm}
procedure AddSection(FName: string);
var
DOSHEADER: IMAGE_DOS_HEADER;
PEHEADER: IMAGE_NT_HEADERS;
SectionHeader: IMAGE_SECTION_HEADER;
MySectionHeader: IMAGE_SECTION_HEADER;
fs: TFileStream;
AddressOfEntryPoint: DWORD;
begin
fs := TFileStream.Create(FName, fmOpenReadWrite +
fmShareDenyWrite);
try
fs.Seek(0, soFromBeginning);
fs.Read(DOSHEADER, sizeof(DOSHEADER));
fs.Seek(DOSHEADER._lfanew, soFromBeginning);
fs.Read(PEHEADER, sizeOf(PEHEADER));
fs.Seek(sizeOf(SectionHeader) *
(PEHEADER.FileHeader.NumberOfSections - 1), soFromCurrent);
fs.Read(SectionHeader, sizeof(IMAGE_SECTION_HEADER));
MySectionHeader.Name[0] := ord('F');
MySectionHeader.Name[1] := ord('i');
MySectionHeader.Name[2] := ord('7');
MySectionHeader.Name[3] := ord('k');
MySectionHeader.Name[4] := ord('e');
MySectionHeader.Name[5] := 0;
MySectionHeader.Name[6] := 0;
MySectionHeader.Name[7] := 0;
MySectionHeader.VirtualAddress := PEHEADER.OptionalHeader.SizeOfImage;
MySectionHeader.Misc.VirtualSize := $200;
MySectionHeader.SizeOfRawData := (MySectionHeader.VirtualAddress div
PEHEADER.OptionalHeader.FileAlignment + 1) * PEHEADER.OptionalHeader.FileAlignment -
PEHEADER.OptionalHeader.SizeOfImage;
MySectionHeader.PointerToRawData :=
SectionHeader.SizeOfRawData + SectionHeader.PointerToRawData;
MySectionHeader.Characteristics := $E0000020;
Inc(PEHEADER.FileHeader.NumberOfSections);
fs.Write(MySectionHeader, sizeOf(MySectionHeader));
fs.Seek(DOSHEADER._lfanew, soFromBeginning);
AddressOfEntryPoint := PEHEADER.OptionalHeader.AddressOfEntryPoint;
PEHEADER.OptionalHeader.AddressOfEntryPoint :=
MySectionHeader.VirtualAddress;
PEHEADER.OptionalHeader.MajorLinkerVersion := 7;
PEHEADER.OptionalHeader.MinorLinkerVersion := 0;
AddressOfEntryPoint := AddressOfEntryPoint +
PEHEADER.OptionalHeader.ImageBase;
asm //这里说明一下,这是嵌入的汇编代码,寄存器—CPU暂时储存数据的东西,比内存更快,以提高效率
PUSHAD
LEA eax, OEPCODE //将OEPCODE的地址交给寄存器
ADD eax, JMPOFF 添加JMPOFF值给寄存器
MOV edx, AddressOfEntryPoint //转移指令,相当于付值语句,左边给右边
MOV DWORD ptr [eax], edx //同上
POPAD
end;
PEHEADER.OptionalHeader.SizeOfImage :=
PEHEADER.OptionalHeader.SizeOfImage + MySectionHeader.Misc.VirtualSize;
fs.Write(PEHEADER, sizeof(PEHEADER));
fs.Seek(fs.Size, soFromBeginning);
fs.Write(OEPCODE, MySectionHeader.Misc.VirtualSize)
finally
fs.Free;
end;
end;
procedure TForm1.FormCreate(Sender: TObject);
begin
Edit1.Clear;
end;
procedure TForm1.Button1Click(Sender: TObject);
begin
if OpenDialog1.Execute then
Edit1.Text := OpenDialog1.FileName;
end;
procedure TForm1.obtain;
var
DOSHEADER: IMAGE_DOS_HEADER;
PEHEADER: IMAGE_NT_HEADERS;
fs: TFileStream;
begin
fs := TFileStream.Create(Edit1.Text, fmOpenReadWrite +
fmShareDenyWrite);
try
fs.Seek(0, soFromBeginning);
fs.Read(DOSHEADER, sizeof(DOSHEADER));
fs.Seek(DOSHEADER._lfanew, soFromBeginning);
fs.Read(PEHEADER, sizeOf(PEHEADER));
FImageBase := PEHEADER.OptionalHeader.ImageBase;
finally
fs.Free;
end;
end;
procedure TForm1.Button3Click(Sender: TObject);
begin
if trim(Edit1.Text) = '' then
begin
Messagebox(Handle, '请选择你要伪装的程序!', '提示', MB_OK + MB_ICONSTOP);
Exit;
end;
AddSection(Edit1.Text);
Messagebox(Handle, '伪装成功!', '提示', MB_OK + MB_ICONINFORMATION);
end;
end.
