Windows PE 重定位表编程(枚举重定位地址)
2023-09-11 14:14:00 时间
原理之前单独总结过,在这里:
http://blog.csdn.net/u013761036/article/details/54051347
下面是枚举重定位信息的代码:
// ReLocationX86.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <string>
#include <windows.h>
#include <shlwapi.h>
#include <Dbghelp.h> //ImageRvaToVa
#pragma comment(lib, "Dbghelp.lib")
#pragma comment(lib, "shlwapi.lib")
using namespace std;
#pragma warning(disable : 4996)
unsigned char bMemory[1024*1024*5] = {0};
DWORD dwLoadPE2Memory(string strPePath){
FILE *fpLoadDll;
char cCache[1024];
if((fpLoadDll = fopen(strPePath.c_str(),"rb")) == NULL) {
return 0;
}
DWORD dwNowReadId = 0;
while (1) {
ZeroMemory(cCache ,sizeof(cCache));
DWORD dwReadSize = fread(cCache,1,1024 ,fpLoadDll);
DWORD dwErrorCode = GetLastError();
if(dwReadSize == 0){
break;
}
for(int i = 1 ;i <= dwReadSize ;i ++){
bMemory[dwNowReadId++] = cCache[i-1];
}
}
fclose(fpLoadDll);
return dwNowReadId;
}
void DoReLocation( void * pBaseAddress){
PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pBaseAddress;
PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)((PBYTE)pBaseAddress + pDosHeader->e_lfanew);
//PIMAGE_BASE_RELOCATION pNowPageAddress = (PIMAGE_BASE_RELOCATION)((unsigned long)pBaseAddress + pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
if(pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress == 0){
return ;
}
PIMAGE_BASE_RELOCATION pNowPageAddress = (PIMAGE_BASE_RELOCATION)ImageRvaToVa(
pNtHeaders, pBaseAddress,
pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress,
NULL);
while ((pNowPageAddress->VirtualAddress + pNowPageAddress->SizeOfBlock) != 0) {
WORD *pLocalListAddress = (WORD *)((PBYTE)pNowPageAddress + sizeof(IMAGE_BASE_RELOCATION));
int nNumberOfReloc = (pNowPageAddress->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION))/sizeof(WORD);
for ( int i=0 ; i < nNumberOfReloc; i++){
if ((DWORD)(pLocalListAddress[i] & 0x0000F000) == 0x00003000){
DWORD* pNeedReLocationAddress = (DWORD *)((PBYTE)pBaseAddress + pNowPageAddress->VirtualAddress + (pLocalListAddress[i] & 0x0FFF));
DWORD dwDelta = (DWORD)pBaseAddress - pNtHeaders->OptionalHeader.ImageBase;
*pLocalListAddress += dwDelta;
DWORD dwSorAddress ,dwNewAddress ,dwImageBaseAddress ,dwVirtualBaseAddress;
dwSorAddress = *pLocalListAddress - dwDelta;
dwNewAddress = *pLocalListAddress;
dwImageBaseAddress = pNtHeaders->OptionalHeader.ImageBase;
dwVirtualBaseAddress = (DWORD)pBaseAddress;
printf("ImageBasAd:%X ,VirtualBasAd:%X ,SorAd:%X ,NewAd:%X\n" ,dwImageBaseAddress ,dwVirtualBaseAddress ,dwSorAddress ,dwNewAddress);
}
}
pNowPageAddress = (PIMAGE_BASE_RELOCATION)((PBYTE)pNowPageAddress + pNowPageAddress->SizeOfBlock);
}
}
int _tmain(int argc, _TCHAR* argv[])
{
//HMODULE hModule = GetModuleHandle(NULL);
if(dwLoadPE2Memory("C:\\TTT.exe")){
DoReLocation(bMemory);
}
return 0;
}
相关文章
- Windows PE第6章 栈与重定位表
- Windows Server系统加固
- [windows菜鸟]Windows API函数大全(完整)
- [windows菜鸟]C#中调用Windows API参考工具
- 在windows环境下实现开机延迟启动tomcat
- windows找不到文件cmd怎么办?
- windows消息机制-4(MFC)
- Windows安装MongoDB(图文解说详细版)
- Windows下安装Scala
- windows Redis绑定ip无效,Redis设置密码无效,Windows Redis 配置不生效, Windows Redis requirepass不生效
- windows clone 迁移数据库
- Windows 10 Redstone将允许在云端保存账户密码与菜单布局
- 【Linux】Windows下,CentOS7安装图文详细教程
- Windows PowerShell 中启动 Nginx 报错解决方案
- 在Windows Server 2012 中安装 .NET 3.5 Framework
- 计算机网络课程实验2——WINDOWS 环境下用 SMTP 实现 EMAIL 客户端