;********************************************************************
; (Part 3)加入一个新的节,并修正一些PE头部的内容
;********************************************************************
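;--------------------------------------------------------------------
; Part 3: fill in one new IMAGE_SECTION_HEADER and patch the PE headers
; so the loader accepts the appended section.
;
; Register roles (set up before this fragment; assumed from usage here,
; confirm against the surrounding code):
;   esi = IMAGE_NT_HEADERS used as the source of the alignment values
;   edi = IMAGE_NT_HEADERS being patched (FileHeader / OptionalHeader)
;   edx = IMAGE_SECTION_HEADER of the current last section
;   ebx = IMAGE_SECTION_HEADER slot for the new section
;   _Align(value, alignment) -> eax   presumably rounds value up to a
;                                     multiple of alignment (body not shown)
; The appended block spans APPEND_CODE..APPEND_CODE_END, so its length is
; the assemble-time constant (offset APPEND_CODE_END - offset APPEND_CODE),
; used three times below.
;
; NOTE(review): as written in the original listing the Characteristics
; `mov` was fused onto the end of the VirtualSize line, which does not
; assemble; the two instructions are separated here. NOTE(review): the
; OllyDbg dump further down shows 328h for the two _Align arguments but
; 26Ah for VirtualSize, whereas this source uses one expression for all
; three - that suggests the dumped binary was not built from exactly this
; source (unverified).
;--------------------------------------------------------------------
        inc     [edi].FileHeader.NumberOfSections        ; one more header is now valid

        ; Raw data of the new section starts right after the last section's raw data.
        mov     eax,[edx].PointerToRawData
        add     eax,[edx].SizeOfRawData
        mov     [ebx].PointerToRawData,eax

        ; SizeOfRawData = appended length rounded up to FileAlignment.
        invoke  _Align,offset APPEND_CODE_END-offset APPEND_CODE,[esi].OptionalHeader.FileAlignment
        mov     [ebx].SizeOfRawData,eax

        ; In-memory footprint = appended length rounded up to SectionAlignment;
        ; grow SizeOfCode and SizeOfImage by that amount.
        ; NOTE(review): the PE spec defines SizeOfCode as a sum of raw
        ; (file-aligned) code sizes, so using the section-aligned value
        ; here over-counts by the difference between the two alignments.
        invoke  _Align,offset APPEND_CODE_END-offset APPEND_CODE,[esi].OptionalHeader.SectionAlignment
        add     [edi].OptionalHeader.SizeOfCode,eax      ; fix SizeOfCode
        add     [edi].OptionalHeader.SizeOfImage,eax     ; fix SizeOfImage

        ; VirtualAddress = last section's VA + its VirtualSize rounded up to SectionAlignment.
        invoke  _Align,[edx].Misc.VirtualSize,[esi].OptionalHeader.SectionAlignment
        add     eax,[edx].VirtualAddress
        mov     [ebx].VirtualAddress,eax

        mov     [ebx].Misc.VirtualSize,offset APPEND_CODE_END-offset APPEND_CODE

        ; code | execute | read | write = 0E0000020h (matches the dump below).
        ; A section that is both writable and executable is atypical for
        ; compiler-emitted sections and is a common heuristic hit for PE scanners.
        mov     [ebx].Characteristics,IMAGE_SCN_CNT_CODE or IMAGE_SCN_MEM_EXECUTE or IMAGE_SCN_MEM_READ or IMAGE_SCN_MEM_WRITE

        ; Section name (8 bytes, Name1 field) copied from szMySection.
        invoke  lstrcpy,addr [ebx].Name1,addr szMySection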
offset APPEND_CODE_END-offset APPEND_CODE 这个表达式在程序中出现了三处
用 OD 载入时反汇编如下:
004013AC |. FF76 3C push dword ptr [esi+3C]
004013AF |. 68 28030000 push 328
004013B4 |. E8 F9FEFFFF call 004012B2
004013B9 |. 8943 10 mov dword ptr [ebx+10], eax
004013BC |. FF76 38 push dword ptr [esi+38]
004013BF |. 68 28030000 push 328
004013C4 |. E8 E9FEFFFF call 004012B2
004013C9 |. 0147 1C add dword ptr [edi+1C], eax
004013CC |. 0147 50 add dword ptr [edi+50], eax
004013CF |. FF76 38 push dword ptr [esi+38]
004013D2 |. FF72 08 push dword ptr [edx+8]
004013D5 |. E8 D8FEFFFF call 004012B2
004013DA |. 0342 0C add eax, dword ptr [edx+C]
004013DD |. 8943 0C mov dword ptr [ebx+C], eax
004013E0 |. C743 08 6A020>mov dword ptr [ebx+8], 26A
004013E7 |. C743 24 20000>mov dword ptr [ebx+24], E0000020
004013EE |. 68 19214000 push 00402119 ; /String2 = ".adata"
为什么在 OD 里前两处是 328, 而第三处是 26A? 想不明白, 请大家解惑!