Topic: Working with the PE header (Read 5,221 times)

akrana
Hi, I'm trying to read and modify the PE header of a file from Visual Basic, but I don't know where to start... Can anyone give me a hand?
Regards, akrana.

MCKSys Argentina
Hi!
On Iczelion's site you can find a DLL that lets you handle the PE header.
Regards!

akrana
Hi, I looked at it, but I need to do it without any DLL, in pure Visual Basic... I know it can be done, but I don't know how... Anyway, thanks a lot for the info!
Regards, akrana.

Karcrack
The first thing you have to do is load the file into memory (using APIs or putting it into a byte array) and fill in the PE header by copying from the memory where your file is mapped.... A simple example by E0N:

```vb
Option Explicit

' RtlMoveMemory does the raw copy from the byte array into the header structures
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Dest As Any, Src As Any, ByVal L As Long)

Private Enum ImageSignatureTypes
    IMAGE_DOS_SIGNATURE = &H5A4D        ''\\ MZ
    IMAGE_OS2_SIGNATURE = &H454E        ''\\ NE
    IMAGE_OS2_SIGNATURE_LE = &H454C     ''\\ LE
    IMAGE_VXD_SIGNATURE = &H454C        ''\\ LE
    IMAGE_NT_SIGNATURE = &H4550         ''\\ PE\0\0
End Enum

' MS-DOS file header
Private Type IMAGE_DOS_HEADER
    e_magic As Integer          ' Magic number
    e_cblp As Integer           ' Bytes on last page of file
    e_cp As Integer             ' Pages in file
    e_crlc As Integer           ' Relocations
    e_cparhdr As Integer        ' Size of header in paragraphs
    e_minalloc As Integer       ' Minimum extra paragraphs needed
    e_maxalloc As Integer       ' Maximum extra paragraphs needed
    e_ss As Integer             ' Initial (relative) SS value
    e_sp As Integer             ' Initial SP value
    e_csum As Integer           ' Checksum
    e_ip As Integer             ' Initial IP value
    e_cs As Integer             ' Initial (relative) CS value
    e_lfarlc As Integer         ' File address of relocation table
    e_ovno As Integer           ' Overlay number
    e_res(0 To 3) As Integer    ' Reserved words
    e_oemid As Integer          ' OEM identifier (for e_oeminfo)
    e_oeminfo As Integer        ' OEM information; e_oemid specific
    e_res2(0 To 9) As Integer   ' Reserved words
    e_lfanew As Long            ' File address of new exe header
End Type

' COFF file header
Private Type IMAGE_FILE_HEADER
    Machine As Integer
    NumberOfSections As Integer
    TimeDateStamp As Long
    PointerToSymbolTable As Long
    NumberOfSymbols As Long
    SizeOfOptionalHeader As Integer
    characteristics As Integer
End Type

' Directory format.
Private Type IMAGE_DATA_DIRECTORY
    VirtualAddress As Long
    Size As Long
End Type

' Optional header format (32-bit PE32 layout, Magic = &H10B).
Const IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16

Private Type IMAGE_OPTIONAL_HEADER
    ' Standard fields.
    Magic As Integer
    MajorLinkerVersion As Byte
    MinorLinkerVersion As Byte
    SizeOfCode As Long
    SizeOfInitializedData As Long
    SizeOfUninitializedData As Long
    AddressOfEntryPoint As Long
    BaseOfCode As Long
    BaseOfData As Long
    ' NT additional fields.
    ImageBase As Long
    SectionAlignment As Long
    FileAlignment As Long
    MajorOperatingSystemVersion As Integer
    MinorOperatingSystemVersion As Integer
    MajorImageVersion As Integer
    MinorImageVersion As Integer
    MajorSubsystemVersion As Integer
    MinorSubsystemVersion As Integer
    W32VersionValue As Long
    SizeOfImage As Long
    SizeOfHeaders As Long
    CheckSum As Long
    SubSystem As Integer
    DllCharacteristics As Integer
    SizeOfStackReserve As Long
    SizeOfStackCommit As Long
    SizeOfHeapReserve As Long
    SizeOfHeapCommit As Long
    LoaderFlags As Long
    NumberOfRvaAndSizes As Long
    DataDirectory(0 To IMAGE_NUMBEROF_DIRECTORY_ENTRIES - 1) As IMAGE_DATA_DIRECTORY
End Type

Private Type IMAGE_NT_HEADERS
    Signature As Long
    FileHeader As IMAGE_FILE_HEADER
    OptionalHeader As IMAGE_OPTIONAL_HEADER
End Type

' Section header
Const IMAGE_SIZEOF_SHORT_NAME = 8

Private Type IMAGE_SECTION_HEADER
    SecName As String * IMAGE_SIZEOF_SHORT_NAME
    VirtualSize As Long
    VirtualAddress As Long
    SizeOfRawData As Long
    PointerToRawData As Long
    PointerToRelocations As Long
    PointerToLinenumbers As Long
    NumberOfRelocations As Integer
    NumberOfLinenumbers As Integer
    characteristics As Long
End Type

Public ByteArray() As Byte          ' Byte array holding the file to read
Public TempArray() As Byte          ' Temporary array used to shrink ByteArray
Public Config() As Byte             ' Possible configuration appended to the file read
Public idh As IMAGE_DOS_HEADER      ' Headers
Public inh As IMAGE_NT_HEADERS
Public ish() As IMAGE_SECTION_HEADER

Sub RellenarPE(Ruta As String)
    Open Ruta For Binary As #1
    ReDim ByteArray(LOF(1) - 1)
    Get #1, , ByteArray
    Close #1

    ' Read the MS-DOS stub (the file must at least hold a full DOS header)
    If UBound(ByteArray) + 1 < Len(idh) Then
        MsgBox "Invalid PE format", vbCritical, "Small Crypter"
        Exit Sub
    End If
    CopyMemory idh, ByteArray(0), Len(idh)
    If idh.e_magic <> IMAGE_DOS_SIGNATURE Then
        MsgBox "Invalid PE format", vbCritical, "Small Crypter"
        Exit Sub
    End If

    ' e_lfanew comes straight from the file: check it before using it as an
    ' offset, otherwise CopyMemory reads past the end of ByteArray (VB only
    ' bounds-checks the start index you hand it, not the Len(inh) bytes copied)
    If idh.e_lfanew < Len(idh) Or idh.e_lfanew + Len(inh) > UBound(ByteArray) + 1 Then
        MsgBox "Invalid PE format", vbCritical, "Small Crypter"
        Exit Sub
    End If

    ' Read from PE\0\0 onwards, filling in at the same time:
    ' -> IMAGE_FILE_HEADER (COFF File Header)
    ' -> IMAGE_OPTIONAL_HEADER (Optional Header)
    CopyMemory inh, ByteArray(idh.e_lfanew), Len(inh)
    If inh.Signature <> IMAGE_NT_SIGNATURE Then
        MsgBox "Invalid PE format", vbCritical, "Small Crypter"
        Exit Sub
    End If

    ' Read the section headers. The table starts right after the optional
    ' header, so use SizeOfOptionalHeader from the file rather than assuming
    ' Len(inh); the two only coincide for a standard 224-byte PE32 header.
    Dim i As Integer
    Dim sh As IMAGE_SECTION_HEADER
    Dim SecBase As Long
    SecBase = idh.e_lfanew + 4 + Len(inh.FileHeader) + inh.FileHeader.SizeOfOptionalHeader
    If inh.FileHeader.NumberOfSections < 1 Or _
       SecBase + CLng(inh.FileHeader.NumberOfSections) * Len(sh) > UBound(ByteArray) + 1 Then
        MsgBox "Invalid PE format", vbCritical, "Small Crypter"
        Exit Sub
    End If
    ReDim ish(inh.FileHeader.NumberOfSections - 1)
    For i = 0 To inh.FileHeader.NumberOfSections - 1
        Call CopyMemory(ish(i), ByteArray(SecBase + Len(sh) * i), Len(sh))
    Next i
End Sub
```
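The same parse that the VB6 module above performs, written here as an added Python example so it runs without Windows or VB6; this is my code, not E0N's or anything from the post. It follows the same three steps (MZ check, PE\0\0 check, walk of the section table) but with the bounds checks a parser needs on untrusted input, adds an RVA-to-file-offset mapper, and covers the "modify" half of the question by rewriting AddressOfEntryPoint in place. The input is a constructed minimal PE32 image built inline (a parsing fixture, not a real program); PE32+ (Magic 0x20B) is deliberately rejected; the function names and the `PEFormatError` class are my own.

```python
import struct

# Signatures and fixed layouts from winnt.h, little-endian, PE32 (32-bit) only
IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550         # "PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
DOS_HDR = struct.Struct("<30Hi")               # 64 bytes; e_lfanew is the final LONG
FILE_HDR = struct.Struct("<HHIIIHH")           # 20-byte COFF header
OPT_HDR32 = struct.Struct("<HBB9I6H4I2H6I")    # 96 bytes before the data directories
DATA_DIR = struct.Struct("<II")                # VirtualAddress, Size
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")    # 40 bytes per section
ENTRY_POINT_OFFSET = 16                        # AddressOfEntryPoint within the optional header


class PEFormatError(ValueError):
    """Raised for anything that is not a well-formed PE32 image."""


def parse_pe(data):
    """Parse DOS header, NT headers, data directories and section table.

    Every offset taken from the file is checked against len(data) before it is
    used, so truncated or hostile input raises PEFormatError, not IndexError.
    """
    if len(data) < DOS_HDR.size:
        raise PEFormatError("shorter than IMAGE_DOS_HEADER")
    dos = DOS_HDR.unpack_from(data, 0)
    if dos[0] != IMAGE_DOS_SIGNATURE:
        raise PEFormatError("missing MZ signature")
    e_lfanew = dos[-1]
    opt_off = e_lfanew + 4 + FILE_HDR.size
    if e_lfanew < DOS_HDR.size or opt_off > len(data):
        raise PEFormatError("e_lfanew points outside the file")
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise PEFormatError("missing PE\\0\\0 signature")
    fh = FILE_HDR.unpack_from(data, e_lfanew + 4)
    num_sections, size_of_opt = fh[1], fh[5]
    if size_of_opt < OPT_HDR32.size or opt_off + size_of_opt > len(data):
        raise PEFormatError("optional header truncated")
    opt = OPT_HDR32.unpack_from(data, opt_off)
    if opt[0] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise PEFormatError("only PE32 handled here, Magic=0x%x" % opt[0])
    num_dirs = min(opt[29], 16)  # NumberOfRvaAndSizes, never trusted beyond 16
    if OPT_HDR32.size + num_dirs * DATA_DIR.size > size_of_opt:
        raise PEFormatError("data directories exceed SizeOfOptionalHeader")
    dirs = [DATA_DIR.unpack_from(data, opt_off + OPT_HDR32.size + i * DATA_DIR.size)
            for i in range(num_dirs)]
    sec_off = opt_off + size_of_opt  # section table follows the optional header
    if sec_off + num_sections * SECTION_HDR.size > len(data):
        raise PEFormatError("section table truncated")
    sections = []
    for i in range(num_sections):
        s = SECTION_HDR.unpack_from(data, sec_off + i * SECTION_HDR.size)
        sections.append({"name": s[0].rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": s[1], "virtual_address": s[2],
                         "size_of_raw_data": s[3], "pointer_to_raw_data": s[4],
                         "characteristics": s[9]})
    return {"e_lfanew": e_lfanew, "machine": fh[0], "number_of_sections": num_sections,
            "entry_point": opt[6], "image_base": opt[9], "size_of_image": opt[19],
            "size_of_headers": opt[20], "data_directories": dirs, "sections": sections}


def is_valid_pe(data):
    """True when parse_pe accepts the image; the parser's checks as a predicate."""
    try:
        parse_pe(data)
        return True
    except PEFormatError:
        return False


def rva_to_offset(pe, rva):
    """Map an RVA to a file offset via the section table; None if not file-backed."""
    if rva < pe["size_of_headers"]:
        return rva  # headers are mapped 1:1
    for s in pe["sections"]:
        start = s["virtual_address"]
        if start <= rva < start + max(s["virtual_size"], s["size_of_raw_data"]):
            delta = rva - start
            # beyond SizeOfRawData the loader zero-fills; there are no bytes on disk
            return s["pointer_to_raw_data"] + delta if delta < s["size_of_raw_data"] else None
    return None


def set_entry_point(data, new_rva):
    """Return a copy of data with AddressOfEntryPoint rewritten to new_rva.

    The new RVA must be backed by section data, the same check a packer stub
    or a loader wants before execution is redirected there.
    """
    pe = parse_pe(data)
    if rva_to_offset(pe, new_rva) is None:
        raise PEFormatError("RVA 0x%x is not backed by file data" % new_rva)
    out = bytearray(data)
    struct.pack_into("<I", out, pe["e_lfanew"] + 4 + FILE_HDR.size + ENTRY_POINT_OFFSET, new_rva)
    return bytes(out)


def build_minimal_pe():
    """Constructed sample input: a PE32 image with one .text section.

    Headers fill one 0x200-byte file-alignment unit; .text is at RVA 0x1000 /
    file offset 0x200 with 0x200 bytes of raw data. A parsing fixture, not a
    program meant to be executed.
    """
    dos = DOS_HDR.pack(IMAGE_DOS_SIGNATURE, *([0] * 29), 0x40)   # e_lfanew = 0x40
    file_hdr = FILE_HDR.pack(0x14C, 1, 0, 0, 0, OPT_HDR32.size + 16 * DATA_DIR.size, 0x0102)
    opt = OPT_HDR32.pack(IMAGE_NT_OPTIONAL_HDR32_MAGIC, 14, 0,  # Magic, linker version
                         0x200, 0, 0,                            # SizeOfCode, init, uninit data
                         0x1000, 0x1000, 0x2000,                 # EntryPoint, BaseOfCode, BaseOfData
                         0x400000, 0x1000, 0x200,                # ImageBase, SectionAlignment, FileAlignment
                         4, 0, 0, 0, 4, 0,                       # OS / image / subsystem versions
                         0, 0x2000, 0x200, 0,                    # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                         2, 0,                                   # Subsystem (GUI), DllCharacteristics
                         0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # stack/heap, LoaderFlags, NumberOfRvaAndSizes
    text = SECTION_HDR.pack(b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + file_hdr + opt + DATA_DIR.pack(0, 0) * 16 + text).ljust(0x200, b"\0")
    return headers + b"\xC3".ljust(0x200, b"\xCC")  # ret followed by int3 padding
```

The two places where the VB6 version trusts the file (`e_lfanew` and `NumberOfSections`) are exactly where a crafted input would push a `CopyMemory` past the end of the buffer, so every derived offset is compared with `len(data)` before the read; the same checks apply when you write the header back with `pack_into`, which is why `set_entry_point` re-parses and refuses an RVA that no section backs.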

akrana
Thanks a lot, that's exactly what I meant!! If you can send me some other example code, I'd appreciate it.. Regards, akrana.

Karcrack
Another example? That's not an example, it's a base... build whatever you need from there...