Make the PE file consistent when code not changed
参考:http://www.mouseos.com/assembly/06.html
参考:http://www.cnblogs.com/tk091/archive/2012/04/18/2456174.html
typedef struct CV_INFO_PDB70
{
DWORD CvSignature;
GUID Guid;
DWORD Age;
//BYTE PdbFileName[];
char PdbFilePath[MAX_PATH];
} CV_INFO_PDB70_T;
static const DWORD g_dwTimeStamp = 0x52C652E0;
// 一共有3个地方要replace
int _tmain(int argc, _TCHAR* argv[])
{
if (argc < 3 || _tcscmp(argv[1], _T("-m")) != 0)
{
printf("cmdline format err.\n");
return 0;
}
_tprintf(_T("---------------\nprocess file %s.\n"), argv[2]);
FILE *fp;
fp = _tfopen(argv[2], _T("rb+"));
if (!fp)
{
printf("occur error -1,reason:%d\n", errno);
return -1;
}
// IMAGE_NT_HEADER address
LONG e_lfanew;
fseek(fp, 0x3c, SEEK_SET);
fread(&e_lfanew, 4, 1, fp);
// Signature
DWORD sign;
fseek(fp, e_lfanew, SEEK_SET);
fread(&sign, 4, 1, fp);
if (sign != 0x00004550)
{
printf("PE header not matched,sign:%x\n---------------\n", sign);
fclose(fp);
return -2;
}
// IMAGE_FILE_HEADER
IMAGE_FILE_HEADER ifh;
fseek(fp, e_lfanew + 4, SEEK_SET);
fread(&ifh, sizeof(IMAGE_FILE_HEADER), 1, fp);
#ifdef _DEBUG
printf("IMAGE_FILE_HEADER结构:\n");
printf("Machine : %04X\n", ifh.Machine);
printf("NumberOfSections : %04X\n", ifh.NumberOfSections);
printf("TimeDateStamp : %08X\n", ifh.TimeDateStamp);
printf("PointerToSymbolTable : %08X\n", ifh.PointerToSymbolTable);
printf("NumberOfSymbols : %08X\n", ifh.NumberOfSymbols);
printf("SizeOfOptionalHeader : %04X\n", ifh.SizeOfOptionalHeader);
printf("Characteristics : %04X\n", ifh.Characteristics);
printf("\n");
#endif
// replace timestamp
_tprintf(_T("replace %s timestamp,old : %08X, new : %08X.\n"), argv[2], ifh.TimeDateStamp, g_dwTimeStamp);
ifh.TimeDateStamp = g_dwTimeStamp;
fseek(fp, e_lfanew + 4, SEEK_SET);
fwrite((void *)&ifh, sizeof(ifh), 1, fp);
// IMAGE_DIRECTORY_ENTRY_DEBUG
LONG debugEntryAddr = e_lfanew + 4 + sizeof(IMAGE_FILE_HEADER) + ifh.SizeOfOptionalHeader + (-10) * (long)sizeof(IMAGE_DATA_DIRECTORY);
fseek(fp, debugEntryAddr, SEEK_SET);
// IMAGE_DATA_DIRECTORY
IMAGE_DATA_DIRECTORY idd;
fread(&idd, sizeof(IMAGE_DATA_DIRECTORY), 1, fp);
#ifdef _DEBUG
printf("IMAGE_DIRECTORY_ENTRY_DEBUG结构:\n");
printf("VirtualAddress : %08X\n", idd.VirtualAddress);
printf("Size : %08X\n", idd.Size);
printf("IMAGE_DEBUG_DIRECTORY一共有%f个\n", 1.0 * idd.Size / sizeof(IMAGE_DEBUG_DIRECTORY));
printf("\n");
#endif
// check the address valid or not
if (idd.VirtualAddress == 0x00 || idd.Size == 0x00)
{
_tprintf(_T("Debug information not found in file %s, skip modify debug info.\n---------------\n"), argv[2]);
fclose(fp);
return 0;
}
// IMAGE_DEBUG_DIRECTORY
IMAGE_DEBUG_DIRECTORY idd2;
fseek(fp, (WORD)idd.VirtualAddress, SEEK_SET); // need convert virtual address
fread(&idd2, sizeof(IMAGE_DEBUG_DIRECTORY), 1, fp);
#ifdef _DEBUG
printf("IMAGE_DEBUG_DIRECTORY结构:\n");
printf("AddressOfRawData : %08X\n", idd2.AddressOfRawData);
printf("Characteristics : %08X\n", idd2.Characteristics);
printf("MajorVersion : %08X\n", idd2.MajorVersion);
printf("MinorVersion : %08X\n", idd2.MinorVersion);
printf("PointerToRawData : %08X\n", idd2.PointerToRawData);
printf("SizeOfData : %08X\n", idd2.SizeOfData);
printf("TimeDateStamp : %08X\n", idd2.TimeDateStamp);
printf("Type : %08X\n", idd2.Type);
printf("\n");
#endif
// replace timestamp
_tprintf(_T("replace pdb timestamp, old : %08X, new : %08X.\n"), idd2.TimeDateStamp, g_dwTimeStamp);
idd2.TimeDateStamp = g_dwTimeStamp;
fseek(fp, (WORD)idd.VirtualAddress, SEEK_SET); // need convert virtual address
fwrite((void *)&idd2, sizeof(idd2), 1, fp);
// CV_INFO_PDB70
CV_INFO_PDB70_T cvInfo;
fseek(fp, idd2.PointerToRawData, SEEK_SET);
fread(&cvInfo, sizeof(CV_INFO_PDB70_T), 1, fp);
#ifdef _DEBUG
printf("CV_INFO_PDB70结构:\n");
printf("Age : %04X\n", cvInfo.Age);
printf("CvSignature : %04X\n", cvInfo.CvSignature);
printf("PdbFileName : %s\n", cvInfo.PdbFilePath);
printf("Guid : %08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X\n",
cvInfo.Guid.Data1, cvInfo.Guid.Data2, cvInfo.Guid.Data3,
cvInfo.Guid.Data4[0], cvInfo.Guid.Data4[1], cvInfo.Guid.Data4[2],
cvInfo.Guid.Data4[3], cvInfo.Guid.Data4[4], cvInfo.Guid.Data4[5],
cvInfo.Guid.Data4[6], cvInfo.Guid.Data4[7]);
printf("\n");
#endif
if (cvInfo.CvSignature != 0x53445352) //RSDS
{
printf("pdb signature not matched, CvSignature:%x\n---------------\n", cvInfo.CvSignature);
fclose(fp);
return -2;
}
// replace guid
printf("replace pdb guid,old : %08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X\n",
cvInfo.Guid.Data1, cvInfo.Guid.Data2, cvInfo.Guid.Data3, cvInfo.Guid.Data4[0],
cvInfo.Guid.Data4[1], cvInfo.Guid.Data4[2], cvInfo.Guid.Data4[3], cvInfo.Guid.Data4[4],
cvInfo.Guid.Data4[5], cvInfo.Guid.Data4[6], cvInfo.Guid.Data4[7]);
//_tprintf(_T("replace pdb guid,old : %08X-%04X-%04X-%llX\n"), cvInfo.Guid.Data1, cvInfo.Guid.Data2, cvInfo.Guid.Data3, (__int64)cvInfo.Guid.Data4);
__int64 tmp = 0xdc38466dca416db1;
cvInfo.Guid.Data1 = 0xf363bf77;
cvInfo.Guid.Data2 = 0xb00b;
cvInfo.Guid.Data3 = 0x4fb0;
memcpy(&cvInfo.Guid.Data4, &tmp, 8);
//_tprintf(_T("replace pdb guid,new : %08X-%04X-%04X-%llX\n"), cvInfo.Guid.Data1, cvInfo.Guid.Data2, cvInfo.Guid.Data3, tmp);
printf("replace pdb guid,new : %08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X\n",
cvInfo.Guid.Data1, cvInfo.Guid.Data2, cvInfo.Guid.Data3, cvInfo.Guid.Data4[0],
cvInfo.Guid.Data4[1], cvInfo.Guid.Data4[2], cvInfo.Guid.Data4[3], cvInfo.Guid.Data4[4],
cvInfo.Guid.Data4[5], cvInfo.Guid.Data4[6], cvInfo.Guid.Data4[7]);
fseek(fp, idd2.PointerToRawData, SEEK_SET);
fwrite((void *)&cvInfo, sizeof(cvInfo), 1, fp);
fclose(fp);
printf("---------------\n");
//system("pause");
getchar();
return 0;
}
Make the PE file consistent when code not changed的更多相关文章
- PE File.
Figure 1 - PE File The CLR header stores information to indicate that the PE file is a .NET executab ...
- Delphi : Analyze PE file headers?
Analyze PE file headers? { You'll need a OpenDialog to open a Exe-File and a Memo to show the file i ...
- Inject shellcode into PE file
先声明这是不免杀的,只是演示. 哔哩哔哩视频 新增节 一般能实现特定功能的shellcode的长度都比较长,可以分到几个节上的空白区,但是这样麻烦啊,或者把最后一个节扩大,但是最后一个节一般没有执行的 ...
- 《Peering Inside the PE: A Tour of the Win32 Portable Executable File Format》阅读笔记二
Common Sections The .text section is where all general-purpose code emitted by the compiler or assem ...
- dnSpy PE format ( Portable Executable File Format)
Portable Executable File Format PE Format 微软官方的 What is a .PE file in the .NET framework? [closed] ...
- PE Header and Export Table for Delphi
Malware Analysis Tutorial 8: PE Header and Export Table 2. Background Information of PE HeaderAny bi ...
- Reverse Core 第二部分 - 13章 - PE文件格式
@date: 2016/11/24 @author: dlive PE (portable executable) ,它是微软在Unix平台的COFF(Common Object File For ...
- 利用PE数据目录的导入表获取函数名及其地址
PE文件是以64字节的DOS文件头开始的(IMAGE_DOS_HEADER),接着是一段小DOS程序,然后是248字节的 NT文件头(IMAGE_NT_HEADERS),NT的文件头位置由IMAGE_ ...
- Load PE from memory(反取证)(未完)
Article 1:Loading Win32/64 DLLs "manually" without LoadLibrary() The most important step ...
随机推荐
- requests库GET
文档地址:http://docs.python-requests.org/zh_CN/latest/index.html import requests res = requests.get('htt ...
- 02-07Android学习进度报告七
今天主要学习了关于Android开发的Date和Time组件部分内容. 首先看TextClock: 可以通过调用:TextClock提供的is24HourModeEnabled()方法来查看,系统是否 ...
- USN日志
转载:https://www.iteye.com/blog/univasity-805234 https://blog.51cto.com/velika/1440105 源码:https://f ...
- Atcoder Beginning Contest 134E(二分查找(upper_bound),思维)
#include<bits/stdc++.h>using namespace std;int a[100007],f[100007],ans,n;int main(){ cin>&g ...
- 【PAT甲级】1005 Spell It Right (20 分)
题意: 给出一个非零整数N(<=10^100),计算每位之和并用英文输出. AAAAAccepted code: #include<bits/stdc++.h> using name ...
- 使用myeclipse搭建简单的maven工程
请点击或者复制以下链接 http://opiece.me/2016/03/17/maven-and-ssmframework/
- 怎么样运行jar
一.制作jar文件 在制作.jar 文件之前你必须先编译好你的.java文件.假设我们的文件目录是c:javamyJavahelloHello.java 现在假设Hello.java的文件内容为: / ...
- 数字对象NSNumber的使用
先简述下关于NSNumber的信息 NSNumber的存在就相当于java中的装箱与拆箱.只不过java中的装箱拆箱过程,使用的是对应的类型,比如基本数据类型是int.double类型,装箱时就得对应 ...
- 对简易网页版注册系统的制作(连接MySQL数据库)
一.基本需求 二.设计思路: 1.首先创建一个与数据库数据属性对应的类User,并添加get和set方法. 2.之后建立另一个类UserDao用于生成一条完整的数据对象. 3.再建立一个类DButil ...
- redis之string数据类型常用方法总结
目录 redis 字符串(string)[需要掌握] 特点 语法 redis 字符串(string)[需要掌握] 特点 一个键能存储512MB数据 string类型是二进制安全的,可以存储任何数据,比 ...