int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
//初始化内部堆栈
if(Init() == false)
{
MessageBoxA(0, ERROR_009, "error", MB_ICONERROR);
return 0;
}
//得到当前命令行
ThisCmdLine = lpCmdLine;
//获取当前运行环境
GetModuleFileName(NULL, FileName_Full, 256);
strcpy(FileName_Name, PathFindFileName(FileName_Full));
temp = strlen(FileName_Full) - strlen(FileName_Name);
memcpy(FileName_Path, FileName_Full, temp);
FileName_Path[temp] = 0;
//获取当前进程基址,遍历SectionTable查找易格式原体
DosHeader = (PIMAGE_DOS_HEADER)GetModuleHandle(NULL);
if(DosHeader == NULL)
{
MessageBoxA(0, ERROR_001, "error", MB_ICONERROR);
return 0;
}
NtHeader = (PIMAGE_NT_HEADERS)((UINT32)DosHeader + DosHeader->e_lfanew);
NumberOfSections = NtHeader->FileHeader.NumberOfSections;
SectionHeader = (PIMAGE_SECTION_HEADER)((UINT32)NtHeader + sizeof(IMAGE_NT_HEADERS));
FindOK = false;
for(i = 1; i <= NumberOfSections; i++)
{
memcpy(SectionName, SectionHeader->Name, IMAGE_SIZEOF_SHORT_NAME);
SectionName[IMAGE_SIZEOF_SHORT_NAME + 1] = 0;
//寻找易格式所在节的方法是:简单的比较当前SectionName是否是“.ecode”
if(strcmp(SectionName, ESECTIONNAME) == 0)
{
//找到了易格式所在的节
FindOK = true;
break;
}
SectionHeader++;
}
if(FindOK == false)
{
MessageBoxA(0, ERROR_002, "error", MB_ICONERROR);
return 0;
}
//定位易格式原体,取易格式原体所在节的基址
ESectionVA = (UINT32)DosHeader + (UINT32)SectionHeader->VirtualAddress;
ECodeHeaderInfo = (PAPP_HEADER_INFO)ESectionVA;
if(ECodeHeaderInfo == NULL)
{
MessageBoxA(0, ERROR_003, "error", MB_ICONERROR);
return 0;
}
if(ECodeHeaderInfo->m_dwMark != NEW_E_APP_MARK)
{
MessageBoxA(0, ERROR_004, "error", MB_ICONERROR);
return 0;
}
//获取易格式初始化必需的的数据
//获取各个重要数据段的RVA
pConstSectionOffset = (PSECTION_INFO)((UINT32)ECodeHeaderInfo + ECodeHeaderInfo->m_nConstSectionOffset);
pWinFormSectionOffset = (PSECTION_INFO)((UINT32)ECodeHeaderInfo + ECodeHeaderInfo->m_nWinFormSectionOffset);
pHelpFuncSectionOffset = (PSECTION_INFO)((UINT32)ECodeHeaderInfo + ECodeHeaderInfo->m_nHelpFuncSectionOffset);
pCodeSectionOffset = (PSECTION_INFO)((UINT32)ECodeHeaderInfo + ECodeHeaderInfo->m_nCodeSectionOffset);
pVarSectionOffset = (PSECTION_INFO)((UINT32)ECodeHeaderInfo + ECodeHeaderInfo->m_nVarSectionOffset);
//获取DLL命令信息数组
if(ECodeHeaderInfo->m_nDllCmdCount > 0)
{
DllCmdHead = (PDLLCMD)malloc(sizeof(DLLCMD) * ECodeHeaderInfo->m_nDllCmdCount);
if(DllCmdHead == NULL)
{
MessageBoxA(0, ERROR_007, "error", MB_ICONERROR);
return 0;
}
ThisDllCmd = DllCmdHead;
for(i = 1; i <= (UINT32)ECodeHeaderInfo->m_nDllCmdCount; i++)
{
ThisDllCmd->DllFileName = (char *)((UINT32)ECodeHeaderInfo + pConstSectionOffset->m_nRecordOffset + (*(UINT *)((UINT32)ECodeHeaderInfo + sizeof(APP_HEADER_INFO) + (i - 1) * sizeof(INT))));
ThisDllCmd->DllCmdName = (char *)((UINT32)ECodeHeaderInfo + pConstSectionOffset->m_nRecordOffset + (*(UINT *)((UINT32)ECodeHeaderInfo , ;+ sizeof(APP_HEADER_INFO) + (i + ECodeHeaderInfo->m_nDllCmdCount - 1) * sizeof(INT))));
ThisDllCmd++;
}
}
//获取需要的支持库并加载
LibStringHead = (char *)((UINT32)ECodeHeaderInfo + sizeof(APP_HEADER_INFO) + ECodeHeaderInfo->m_nDllCmdCount * sizeof(INT) * 2);
//统计需要加载的支持库数量
ThisLibString = LibStringHead;
LibCount = 0;
while((* ThisLibString) != NULL)
{
LibCount++;
ThisLibString += (strlen(ThisLibString) + 1);
}
//加载支持库
LibInfoHead = (PLIBINFO)malloc(sizeof(LIBINFO) * LibCount);
ThisLibInfo = LibInfoHead;
ThisLibString = LibStringHead;
while((* ThisLibString) != NULL)
{
temp = 0;
while((* (ThisLibString + temp)) != 0x0d)
{
ThisLibStringInfo.LibName[temp] = (* (ThisLibString + temp));
temp++;
}
ThisLibStringInfo.LibName[temp] = 0;
temp += 1;
while((* (ThisLibString + temp)) != 0x0d)
{
ThisLibStringInfo.ThisGUID[temp - strlen(ThisLibStringInfo.LibName) - 1] = (* (ThisLibString + temp));
temp++;
}
ThisLibStringInfo.ThisGUID[temp] = 0;
ThisLibInfo->ThisLibHandle = NULL;
ThisLibInfo->ThisLibInfo = NULL;
strcpy(ThisLibInfo->ThisLibName, ThisLibStringInfo.LibName);
strcpy(ThisLibFileName, ThisLibStringInfo.LibName);
strcat(ThisLibFileName, ".fne");
FindOK = false;
ThisLibInfo->ThisLibHandle = LoadLibrary(ThisLibFileName);
if(ThisLibInfo->ThisLibHandle == NULL)
{
strcpy(ThisLibFileName, ThisLibStringInfo.LibName);
strcat(ThisLibFileName, ".fnr");
FindOK = false;
ThisLibInfo->ThisLibHandle = LoadLibrary(ThisLibFileName);
if(ThisLibInfo->ThisLibHandle == NULL)
{
//没有加载成功,继续加载下一个支持库
}
else
{
FindOK = true;
}
上一页 1 2 3 4 5 下一页 |
安全中国首页 > 文章中心 > 逆向工程技术