使用 ZwUnmapViewOfSection 或者 NtUnmapViewOfSection 卸载外壳：壳文件加载在随机地址（比如 0xdd0000）时，源文件贴在 0x400000，卸载壳文件加载的位置后会无法运行。打开源文件随机基址后，壳文件随机加载（比如 0xdd0000），同样卸载壳文件加载位置，将源文件贴在 0xdd0000 这个位置并修复重定位表却可以运行。试了很多种方法，发现只有壳文件卸载后源文件贴在壳文件原来的地址才能运行，不然只要卸载壳文件就运行不起来。这是为什么？卸载壳文件加载的位置后用 VirtualAlloc 重新申请该位置内存后也跑不起来，求解答。
// ShellCode.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
#include <iostream>
#include<windows.h>
#pragma comment(lib, "WindowsApp.lib")
// Function-pointer type for the native NtUnmapViewOfSection(ProcessHandle, BaseAddress)
// routine; the part of WinMain that resolves it is not in the visible portion of the file.
typedef ULONG(WINAPI* PFNNtUnmapViewOfSection) (HANDLE ProcessHandle, PVOID BaseAddress);
// Same routine with both arguments flattened to unsigned long. This only matches
// HANDLE/PVOID on a 32-bit build; on x64 both arguments would be truncated.
typedef unsigned long(__stdcall* pfZwUnmapViewOfSection)(unsigned long, unsigned long);
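// Translate a relative virtual address (RVA) of a PE image that is held as a raw
// file buffer into the matching file offset (FOA).
//
// pFileBuffer: start of the on-disk image (DOS header first); must be a valid PE.
// RVA:         address relative to the image base, as found in headers and tables.
// Returns the file offset. RVAs below the first section (header data, which the
// loader does not expand) map 1:1. As in the original, an RVA past the last
// section's VirtualAddress is still mapped through the last section; the result
// is only meaningful if the RVA lies inside that section's raw data, so callers
// working on an untrusted file should bound-check the returned offset against
// the buffer length (unknown here).
DWORD RVATOFOA(LPVOID pFileBuffer, DWORD RVA) {
    BYTE* base = (BYTE*)pFileBuffer;
    _IMAGE_DOS_HEADER* dos = (_IMAGE_DOS_HEADER*)base;
    _IMAGE_NT_HEADERS* nt = (_IMAGE_NT_HEADERS*)(base + dos->e_lfanew);
    // Section table follows Signature + IMAGE_FILE_HEADER + the optional header.
    _IMAGE_SECTION_HEADER* sections = (_IMAGE_SECTION_HEADER*)(
        (BYTE*)nt + sizeof(nt->Signature) + sizeof(_IMAGE_FILE_HEADER)
        + nt->FileHeader.SizeOfOptionalHeader);
    WORD numSections = nt->FileHeader.NumberOfSections;

    // Fix: with zero sections the original read a section header that does not
    // exist and then fell off the end of a non-void function (undefined
    // behaviour). Everything is header data in that case, so map 1:1.
    if (numSections == 0 || RVA < sections[0].VirtualAddress) {
        return RVA;
    }

    for (WORD i = 0; i < numSections; i++) {
        BOOL isLast = (i == numSections - 1);
        // sections[i + 1] is only read when a next section exists.
        if (isLast || (RVA >= sections[i].VirtualAddress
                       && RVA < sections[i + 1].VirtualAddress)) {
            return RVA - sections[i].VirtualAddress + sections[i].PointerToRawData;
        }
    }
    return RVA; // not reachable: the last iteration always returns
}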
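// Rebase a 32-bit (PE32) image held as a raw file buffer: add the delta between
// the header's ImageBase and the requested one to every IMAGE_REL_BASED_HIGHLOW
// fix-up listed in the relocation directory, then record the new ImageBase.
//
// pFileBuffer: start of the on-disk image; patched in place.
// ImageBase:   new preferred load address.
//
// If the image has no relocation directory it cannot be rebased, so the buffer
// (ImageBase included) is left untouched. Blocks are walked only inside the
// directory's declared Size, and a block shorter than its own header ends the
// walk, so a malformed table can no longer loop forever or produce a negative
// entry count. The buffer length is not known here, so a fix-up RVA that maps
// outside the buffer is still not caught; validate images before calling.
void ChangeImageBase(LPVOID pFileBuffer, DWORD ImageBase) {
    BYTE* base = (BYTE*)pFileBuffer;
    _IMAGE_DOS_HEADER* dos = (_IMAGE_DOS_HEADER*)base;
    _IMAGE_NT_HEADERS* nt = (_IMAGE_NT_HEADERS*)(base + dos->e_lfanew);
    const _IMAGE_DATA_DIRECTORY* relocDir =
        &nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];

    // Fix: the original mapped RVA 0 through RVATOFOA when no .reloc directory
    // existed and then parsed the DOS header as relocation blocks.
    if (relocDir->VirtualAddress == 0 || relocDir->Size == 0) {
        return;
    }

    DWORD delta = ImageBase - nt->OptionalHeader.ImageBase; // wraps on purpose
    BYTE* cursor = base + RVATOFOA(pFileBuffer, relocDir->VirtualAddress);
    BYTE* end = cursor + relocDir->Size;

    while ((size_t)(end - cursor) >= sizeof(_IMAGE_BASE_RELOCATION)) {
        _IMAGE_BASE_RELOCATION* block = (_IMAGE_BASE_RELOCATION*)cursor;
        size_t remaining = (size_t)(end - cursor);
        // A zero SizeOfBlock never advanced the cursor in the original (infinite
        // loop); a truncated block would read past the directory. Both end the walk.
        if (block->SizeOfBlock < sizeof(_IMAGE_BASE_RELOCATION)
            || block->SizeOfBlock > remaining) {
            break;
        }

        WORD* entries = (WORD*)(cursor + sizeof(_IMAGE_BASE_RELOCATION));
        DWORD count = (block->SizeOfBlock - sizeof(_IMAGE_BASE_RELOCATION)) / sizeof(WORD);
        for (DWORD i = 0; i < count; i++) {
            WORD type = entries[i] >> 12;
            WORD pageOffset = entries[i] & 0x0FFF;
            // Only HIGHLOW (type 3) carries a 32-bit absolute address; ABSOLUTE
            // padding entries and other types are skipped, as before.
            if (type != IMAGE_REL_BASED_HIGHLOW) {
                continue;
            }
            DWORD foa = RVATOFOA(pFileBuffer, block->VirtualAddress + pageOffset);
            *(DWORD*)(base + foa) += delta;
        }
        cursor += block->SizeOfBlock;
    }

    nt->OptionalHeader.ImageBase = ImageBase;
}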
int APIENTRY WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nShowCmd)
_IMAGE_DOS_HEADER* DOS_HEADER = (_IMAGE_DOS_HEADER*)hInstance;
_IMAGE_NT_HEADERS* NT_HEADERS = (_IMAGE_NT_HEADERS*)((DWORD)hInstance + DOS_HEADER->e_lfanew);
_IMAGE_SECTION_HEADER* SECTION_HEADER = (_IMAGE_SECTION_HEADER*)((DWORD)hInstance + DOS_HEADER->e_lfanew + 0x4 + sizeof(_IMAGE_FILE_HEADER) + NT_HEADERS->FileHeader.SizeOfOptionalHeader);
DWORD SECTION_OFFSET = -1;
wsprintf(Buffer, L"%08x", hIn
...(已截断)
---
来源: 看雪论坛
原文链接: https://bbs.kanxue.com/thread-288142.htm
[求助]滴水逆向三期的加壳作业求助
去网上找，有一个博主发过帖子的，好像叫小新。