PE打补丁技术大全

Downloads

PE Viewer
PE Maker - Step 1 - Add new Section.
PE Maker - Step 2 - Travel towards OEP.
PE Maker - Step 3 - Support Import Table.
PE Maker - Step 4 - Support DLL and OCX.
PE Maker - Step 5 - Final work.
CALC.EXE - test file

PE打补丁技术大全

0 Preface

It might be, you demand to comprehend the ways a virus program injects its procedure in to the interior of a portable executable file and corrupts it, or you are interested in implementing a packer or a protector for your specific intention to encrypt the data of your portable executable (PE) file. This article is committed to represent a brief intuition to realize the performance which is accomplished by EXE tools or some kind of mal-wares.

You can employ the source code of this article to create your custom EXE builder. It could be used to make an EXE protector in the right way, or with a wrong intention, to pullulate a virus. However, my purpose of writing this article has been to gaze on the first application, so I will not be responsible for the immoral usage of these methods.

1 Prerequisite

There are no specific mandatory prerequisites to follow the topics in this article. If you are familiar with debugger and also the portable file format, I suggest you to drop the sections 2 and 3, the whole of these sections have been made for people who don’t have any knowledge regarding the EXE file format and also debuggers.

2 Portable Executable file format

The Portable Executable file format was defined to provide the best way for the Windows Operating System to execute code and also to store the essential data which is needed to run a program, for example constant data, variable data, import library links, and resource data. It consists of MS-DOS file information, Windows NT file information, Section Headers, and Section images, Table 1.

2.1 The MS-DOS data

These data let you remember the first days of developing the Windows Operating System, the days. We were at the beginning of a way to achieve a complete Operating System like Windows NT 3.51 (I mean, Win3.1, Win95,Win98 were not perfect OSs). The MS-DOS data causes that your executable file calls a function inside MS-DOS and the MS-DOS Stub program lets it display: "This program can not be run in MS-DOS mode" or "This program can be run only in Windows mode", or some things like these comments when you try to run a Windows EXE file inside MS-DOS 6.0, where there is no footstep of Windows. Thus, this data is reserved for the code to indicate these comments in the MS-DOS operating system. The most interesting part of the MS-DOS data is "MZ"! Can you believe, it refers to the name of "Mark Zbikowski", one of the first Microsoft programmers?

To me, only the offset of the PE signature in the MS-DOS data is important, so I can use it to find the position of the Windows NT data. I just recommend you to take a look at Table 1, then observe the structure ofIMAGE_DOS_HEADER in the <winnt.h> header in the <Microsoft Visual Studio .net path>\VC7\PlatformSDK\include\ folder or the <Microsoft Visual Studio 6.0 path>\VC98\include\ folder. I do not know why the Microsoft team has forgotten to provide some comment about this structure in the MSDNlibrary!

Hide Copy Code

typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header <FONT color=green>"MZ"</FONT>

    WORD   e_magic;                // Magic number

    WORD   e_cblp;                 // Bytes on last page of file

    WORD   e_cp;                   // Pages in file

    WORD   e_crlc;                 // Relocations

    WORD   e_cparhdr;              // Size of header in paragraphs

    WORD   e_minalloc;             // Minimum extra paragraphs needed

    WORD   e_maxalloc;             // Maximum extra paragraphs needed

    WORD   e_ss;                   // Initial (relative) SS value

    WORD   e_sp;                   // Initial SP value

    WORD   e_csum;                 // Checksum

    WORD   e_ip;                   // Initial IP value

    WORD   e_cs;                   // Initial (relative) CS value

    WORD   e_lfarlc;               // File address of relocation table

    WORD   e_ovno;                 // Overlay number

    WORD   e_res[4];               // Reserved words

    WORD   e_oemid;                // OEM identifier (for e_oeminfo)

    WORD   e_oeminfo;              // OEM information; e_oemid specific

    WORD   e_res2[10];             // Reserved words

    LONG   <FONT color=red>e_lfanew</FONT>;               // File address of the new exe header

  } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

e_lfanew is the offset which refers to the position of the Windows NT data. I have provided a program to obtain the header information from an EXE file and to display it to you. To use the program, just try:

PE Viewer

Download source files - 132 Kb

PE打补丁技术大全

This sample is useful for the whole of this article.

Table 1 - Portable Executable file format structure

MS-DOS information	`IMAGE_DOS_ HEADER`	DOS EXE Signature	Hide Copy Code 00000000 ASCII <FONT color=green>"MZ"</FONT> 00000002 DW 0090 00000004 DW 0003 00000006 DW 0000 00000008 DW 0004 0000000A DW 0000 0000000C DW FFFF 0000000E DW 0000 00000010 DW 00B8 00000012 DW 0000 00000014 DW 0000 00000016 DW 0000 00000018 DW 0040 0000001A DW 0000 0000001C DB 00 … … 0000003B DB 00 0000003C DD <FONT color=red>000000F0</FONT>
		`DOS_PartPag`
		`DOS_PageCnt`
		`DOS_ReloCnt`
		`DOS_HdrSize`
		`DOS_MinMem`
		`DOS_MaxMem`
		`DOS_ReloSS`
		`DOS_ExeSP`
		`DOS_ChkSum`
		`DOS_ExeIPP`
		`DOS_ReloCS`
		`DOS_TablOff`
		`DOS_Overlay`
		`…`Reserved words`…`
		Offset to PE signature
	MS-DOS Stub Program	Hide Copy Code 00000040 º.´.Í!¸\LÍ!<FONT color=green>This program canno</FONT> 00000060 <FONT color=green>t be run in DOS mode.</FONT>...$.......
Windows NT information `IMAGE_ NT_HEADERS`	Signature	PE signature (PE)	Hide Copy Code <FONT color=red>000000F0</FONT> ASCII <FONT color=green>"PE"</FONT>
	`IMAGE_ FILE_HEADER`	`Machine`	Hide Copy Code 000000F4 DW 014C 000000F6 DW 0003 000000F8 DD 3B7D8410 000000FC DD 00000000 00000100 DD 00000000 00000104 DW 00E0 00000106 DW 010F
		`NumberOfSections`
		`TimeDateStamp`
		`PointerToSymbolTable`
		`NumberOfSymbols`
		`SizeOfOptionalHeader`
		`Characteristics`
	`IMAGE_ OPTIONAL_ HEADER32`	`MagicNumber`	Hide Shrink Copy Code 00000108 DW 010B 0000010A DB 07 0000010B DB 00 0000010C DD 00012800 00000110 DD 00009C00 00000114 DD 00000000 00000118 DD 00012475 0000011C DD 00001000 00000120 DD 00014000 00000124 DD 01000000 00000128 DD 00001000 0000012C DD 00000200 00000130 DW 0005 00000132 DW 0001 00000134 DW 0005 00000136 DW 0001 00000138 DW 0004 0000013A DW 0000 0000013C DD 00000000 00000140 DD 0001F000 00000144 DD 00000400 00000148 DD 0001D7FC 0000014C DW 0002 0000014E DW 8000 00000150 DD 00040000 00000154 DD 00001000 00000158 DD 00100000 0000015C DD 00001000 00000160 DD 00000000 00000164 DD 00000010
		`MajorLinkerVersion`
		`MinorLinkerVersion`
		`SizeOfCode`
		`SizeOfInitializedData`
		`SizeOfUninitializedData`
		`AddressOfEntryPoint`
		`BaseOfCode`
		`BaseOfData`
		`ImageBase`
		`SectionAlignment`
		`FileAlignment`
		`MajorOSVersion`
		`MinorOSVersion`
		`MajorImageVersion`
		`MinorImageVersion`
		`MajorSubsystemVersion`
		`MinorSubsystemVersion`
		`Reserved`
		`SizeOfImage`
		`SizeOfHeaders`
		`CheckSum`
		`Subsystem`
		`DLLCharacteristics`
		`SizeOfStackReserve`
		`SizeOfStackCommit`
		`SizeOfHeapReserve`
		`SizeOfHeapCommit`
		`LoaderFlags`
		`NumberOfRvaAndSizes`
		`IMAGE_ DATA_DIRECTORY[16]`	Export Table
			Import Table
			Resource Table
			Exception Table
			Certificate File
			Relocation Table
			Debug Data
			Architecture Data
			Global Ptr
			TLS Table
			Load Config Table
			Bound Import Table
			Import Address Table
			Delay Import Descriptor
			COM+ Runtime Header
			Reserved
Sections information	`IMAGE_ SECTION_ HEADER[0]`	`Name[8]`	Hide Copy Code 000001E8 ASCII<FONT color=green>".text"</FONT> 000001F0 DD 000126B0 000001F4 DD 00001000 000001F8 DD 00012800 000001FC DD 00000400 00000200 DD 00000000 00000204 DD 00000000 00000208 DW 0000 0000020A DW 0000 0000020C DD 60000020 CODE\|EXECUTE\|READ
		`VirtualSize`
		`VirtualAddress`
		`SizeOfRawData`
		`PointerToRawData`
		`PointerToRelocations`
		`PointerToLineNumbers`
		`NumberOfRelocations`
		`NumberOfLineNumbers`
		`Characteristics`
	`… … … IMAGE_ SECTION_ HEADER[n]`	Hide Copy Code 00000210 ASCII<FONT color=green>".data"</FONT>; SECTION 00000218 DD 0000101C ; VirtualSize = 0x101C 0000021C DD 00014000 ; VirtualAddress = 0x14000 00000220 DD 00000A00 ; SizeOfRawData = 0xA00 00000224 DD 00012C00 ; PointerToRawData = 0x12C00 00000228 DD 00000000 ; PointerToRelocations = 0x0 0000022C DD 00000000 ; PointerToLineNumbers = 0x0 00000230 DW 0000 ; NumberOfRelocations = 0x0 00000232 DW 0000 ; NumberOfLineNumbers = 0x0 00000234 DD C0000040 ; Characteristics = INITIALIZED_DATA\|READ\|WRITE 00000238 ASCII<FONT color=green>".rsrc"</FONT>; SECTION 00000240 DD 00008960 ; VirtualSize = 0x8960 00000244 DD 00016000 ; VirtualAddress = 0x16000 00000248 DD 00008A00 ; SizeOfRawData = 0x8A00 0000024C DD 00013600 ; PointerToRawData = 0x13600 00000250 DD 00000000 ; PointerToRelocations = 0x0 00000254 DD 00000000 ; PointerToLineNumbers = 0x0 00000258 DW 0000 ; NumberOfRelocations = 0x0 0000025A DW 0000 ; NumberOfLineNumbers = 0x0 0000025C DD 40000040 ; Characteristics = INITIALIZED_DATA\|READ
	`SECTION[0]`	Hide Copy Code 00000400 EA 22 DD 77 D7 23 DD 77 ê"Ýw×#Ýw 00000408 9A 18 DD 77 00 00 00 00 šÝw.... 00000410 2E 1E C7 77 83 1D C7 77 .ÇwƒÇw 00000418 FF 1E C7 77 00 00 00 00 ÿÇw.... 00000420 93 9F E7 77 D8 05 E8 77 “ŸçwØèw 00000428 FD A5 E7 77 AD A9 E9 77 ý¥çw©éw 00000430 A3 36 E7 77 03 38 E7 77 £6çw>8çw 00000438 41 E3 E6 77 60 8D E7 77 Aãæw`çw 00000440 E6 1B E6 77 2B 2A E7 77 ææw+*çw 00000448 7A 17 E6 77 79 C8 E6 77 zæwyÈæw 00000450 14 1B E7 77 C1 30 E7 77 çwÁ0çw …
	`… … … SECTION[n]`	Hide Copy Code … 0001BF00 63 00 2E 00 63 00 68 00 c...c.h. 0001BF08 6D 00 0A 00 43 00 61 00 m...C.a. 0001BF10 6C 00 63 00 75 00 6C 00 l.c.u.l. 0001BF18 61 00 74 00 6F 00 72 00 a.t.o.r. 0001BF20 11 00 4E 00 6F 00 74 00 .N.o.t. 0001BF28 20 00 45 00 6E 00 6F 00 .E.n.o. 0001BF30 75 00 67 00 68 00 20 00 u.g.h. . 0001BF38 4D 00 65 00 6D 00 6F 00 M.e.m.o. 0001BF40 72 00 79 00 00 00 00 00 r.y..... 0001BF48 00 00 00 00 00 00 00 00 ........ 0001BF50 00 00 00 00 00 00 00 00 ........ 0001BF58 00 00 00 00 00 00 00 00 ........ 0001BF60 00 00 00 00 00 00 00 00 ........ 0001BF68 00 00 00 00 00 00 00 00 ........ 0001BF70 00 00 00 00 00 00 00 00 ........ 0001BF78 00 00 00 00 00 00 00 00 ........

2.2 The Windows NT data

As mentioned in the preceding section, e_lfanew storage in the MS-DOS data structure refers to the location of the Windows NT information. Hence, if you assume that the pMem pointer relates the start point of the memory space for a selected portable executable file, you can retrieve the MS-DOS header and also the Windows NT headers by the following lines, which you also can perceive in the PE viewer sample (pelib.cpp,PEStructure::OpenFileName()):

Hide Copy Code

IMAGE_DOS_HEADER        image_dos_header;

IMAGE_NT_HEADERS        image_nt_headers;

PCHAR pMem;

…

memcpy(&image_dos_header, pMem, 

       sizeof(IMAGE_DOS_HEADER));

memcpy(&image_nt_headers,

       pMem+image_dos_header.e_lfanew, 

       sizeof(IMAGE_NT_HEADERS));

It seems to be very simple, the retrieval of the headers information. I recommend inspecting the MSDN library regarding the IMAGE_NT_HEADERS structure definition. It makes comprehensible to grasp what the image NT header maintains to execute a code inside the Windows NT OS. Now, you are conversant with the Windows NT structure, it consists of the "PE" Signature, the File Header, and the Optional Header. Do not forget to take a glimpse at their comments in the MSDN Library and besides in Table 1.

One the whole, I consider merely, on the most circumstances, the following cells of the IMAGE_NT_HEADERSstructure:

Hide Copy Code

FileHeader->NumberOfSections

OptionalHeader->AddressOfEntryPoint

OptionalHeader->ImageBase

OptionalHeader->SectionAlignment

OptionalHeader->FileAlignment

OptionalHeader->SizeOfImage

OptionalHeader->

  DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]->VirtualAddress

OptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]->Size

You can observe clearly, the main purpose of these values, and their role when the internal virtual memory space allocated for an EXE file by the Windows OS is fully allocated, if you pay attention to their explanations in MSDNlibrary, so I am not going to repeat the MSDN annotations here.

I should mention a brief comment regarding the PE data directories, or OptionalHeader-> DataDirectory[], as I think there are a few aspects of interest concerning them. When you come to survey the Optional header through the Windows NT information, you will find that there are 16 directories at the end of the Optional Header, where you can find the consecutive directories, including their Relative Virtual Address and Size. I just mention here, the notes from <winnt.h> to clarify these information:

Hide Copy Code

#define IMAGE_DIRECTORY_ENTRY_EXPORT          0 // Export Directory #define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory #define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory #define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory #define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory #define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table #define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory #define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data #define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP #define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory #define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory #define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers #define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table #define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors #define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor

The last one (15) was reserved for use in future; I have not yet seen any purpose to use it even in PE64.

For instance, if you desire to perceive the relative virtual address (RVA) and the size of the resource data, it is enough to retrieve them by:

Hide Copy Code

DWORD dwRVA = image_nt_headers.OptionalHeader->

  DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE]->VirtualAddress;

DWORD dwSize = image_nt_headers.OptionalHeader->

  DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE]->Size;

To comprehend more regarding the significance of data directories, I forward you to section 3.4.3, Microsoft Portable Executable and the Common Object File Format Specification document by Microsoft, and furthermore section 6 of this document, where you discern the various types of sections and their applications. We will discuss the section's advantage subsequently.

2.3 The Section Headers and Sections

We currently observe how the portable executable files declare the location and the size of a section on a disk storage file and inside the virtual memory space allocated for the program with IMAGE_NT_HEADERS->OptionalHeader->SizeOfImage by the Windows task manager, as well the characteristics to demonstrate the type of the section. To understand better the Section header as my previous declaration, I suggest having a short gape on the IMAGE_SECTION_HEADER structure definition in the MSDN library. For an EXE packer developer,VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, and Characteristics cells have significant rules. While developing an EXE packer, you should be clever enough to play with them. There are somethings to be noted while you modify them; you should take care to align the VirtualSize andVirtualAddress according to OptionalHeader->SectionAlignment, as well as SizeOfRawData andPointerToRawData in line with OptionalHeader->FileAlignment. Otherwise, you will corrupt your target EXE file and it will never run. Regarding Characteristics, I pay attention mostly to establish a section byIMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_CNT_INITIALIZED_DATA, I prefer my new section has ability to initialize such data during running process; such as import table; besides, I need it to be able to modify itself by the loader with my settings in the section characteristics to read- and writeable.

Moreover, you should pay attention to the section names, you can know the purpose of each section by its name. I will just forward you to section 6: Microsoft Portable Executable and the Common Object File Format Specification documents. I believe, it represents the totality of sections by their names, Table 2.

Table 2 - Section names

".text"	Code Section
"CODE"	Code Section of file linked by Borland Delphi or Borland Pascal
".data"	Data Section
"DATA"	Data Section of file linked by Borland Delphi or Borland Pascal
".rdata"	Section for Constant Data
".idata"	Import Table
".edata"	Export Table
".tls"	TLS Table
".reloc"	Relocation Information
".rsrc"	Resource Information

To comprehend the section headers and also the sections, you can run the sample PE viewer. By this PE viewer, you only can realize the application of the section headers in a file image, so to observe the main significance in the Virtual Memory, you should try to load a PE file by a debugger, and the next section represents the main idea of using the virtual address and –size in the virtual memory by using a debugger. The last note is aboutIMAGE_NT_HEADERS-> FileHeader-><CODE>NumberOfSections, that provides a number of sections in a PE file, do not forget to adjust it whenever you remove or add some sections to a PE file, I am talking about section injection!

3 Debugger, Disassembler and some Useful Tools

In this part, you will become familiar with the necessary and essential equipments to develop your PE tools.

3.1 Debuggers

The first essential prerequisite, to become a PE tools developer, is to have enough experience with bug tracer tools. Furthermore, you should know most of the assembly instructions. To me, the Intel documents are the best references. You can obtain them from the Intel site for IA-32, and on top of that IA-64; the future belongs to IA-64 CPUs, Windows XP 64-bit, and also PE64!

To trace a PE file, SoftICE by Compuware Corporation, I knew it also as named NuMega when I was at high school, is the best debugger in the world. It implements process tracing by using kernel mode method debugging without applying Windows debugging application programming interface (API) functions. In addition, I am going to introduce one perfect debugger in user mode level. It utilizes the Windows debugging API to trace a PE file and also attaches itself to an active process. These API functions have been provided by Microsoft teams, inside the Windows Kernel32 library, to trace a specific process, by using Microsoft tools, or perhaps, to make your own debugger! Some of those API functions inlude: CreateThread(), CreateProcess(), OpenProcess(),DebugActiveProcess(), GetThreadContext(), SetThreadContext(), ContinueDebugEvent(),DebugBreak(), ReadProcessMemory(), WriteProcessMemory(), SuspendThread(), and ResumeThread().

3.1.1 SoftICE

It was in 1987; Frank Grossman and Jim Moskun decided to establish a company called NuMega Technologies in Nashua, NH, in order to develop some equipments to trace and test the reliability of Microsoft Windows software programs. Now, it is a part of Compuware Corporation and its product has participated to accelerate the reliability in Windows software, and additionally in Windows driver developments. Currently, everyone knows the Compuware DriverStudio which is used to establish an environment for implementing the elaboration of a kernel driver or a system file by aiding the Windows Driver Development Kit (DDK). It bypasses the involvement of DDK to implement a portable executable file of kernel level for a Windows system software developer. For us, only one instrument of DriverStudio is important, SoftICE, this debugger can be used to trace every portable executable file, a PE file for user mode level or a PE file for kernel mode level.

Figure 1 - SoftICE Window

EAX=00000000 EBX=7FFDD000 ECX=0007FFB0 EDX=7C90EB94 ESI=FFFFFFFF
EDI=7C919738 EBP=0007FFF0 ESP=0007FFC4 EIP=010119E0 o d i s z a p c
CS=0008 DS=0023 SS=0010 ES=0023 FS=0030 GS=0000 SS:0007FFC4=87C816D4F

0023:01013000 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0023:01013010 01 00 00 00 20 00 00 00-0A 00 00 00 0A 00 00 00 ................
0023:01013020 20 00 00 00 00 00 00 00-53 63 69 43 61 6C 63 00 ........SciCalc.
0023:01013030 00 00 00 00 00 00 00 00-62 61 63 6B 67 72 6F 75 ........backgrou
0023:01013040 6E 64 00 00 00 00 00 00-2E 00 00 00 00 00 00 00 nd..............

0010:0007FFC4 4F 6D 81 7C 38 07 91 7C-FF FF FF FF 00 90 FD 7F Om |8 ‘| .
0010:0007FFD4 ED A6 54 80 C8 FF 07 00-E8 B4 F5 81 FF FF FF FF T .
0010:0007FFE4 F3 99 83 7C 58 6D 81 7C-00 00 00 00 00 00 00 00 Xm |........
0010:0007FFF4 00 00 00 00 E0 19 01 01-00 00 00 00 00 00 00 00 .... ....

010119E0 PUSH EBP
010119E1 MOV EBP,ESP
010119E3 PUSH -1
010119E5 PUSH 01001570
010119EA PUSH 01011D60
010119EF MOV EAX,DWORD PTR FS:[0]
010119F5 PUSH EAX
010119F6 MOV DWORD PTR FS:[0],ESP
010119FD ADD ESP,-68
01011A00 PUSH EBX
01011A01 PUSH ESI
01011A02 PUSH EDI
01011A03 MOV DWORD PTR SS:[EBP-18],ESP
01011A06 MOV DWORD PTR SS:[EBP-4],0

3.1.2 OllyDbg

It was about 4 years ago, that I first saw this debugger by chance. For me, it was the best choice, I was not so wealthy to purchase SoftICE, and at that time, SoftICE only had good functions for DOS, Windows 98, andWindows 2000. I found that this debugger supported all kinds of Windows versions. Therefore, I started to learn it very fast, and now it is my favorite debugger for the Windows OS. It is a debugger that can be used to trace all kinds of portable executable files except a Common Language Infrastructure (CLI) file format in user mode level, by using the Windows debugging API. Oleh Yuschuk, the author, is one of worthiest software developers I have seen in my life. He is a Ukrainian who now lives in Germany. I should mention here that his debugger is the best choice for hacker and cracker parties around the world! It is a freeware! You can try it from OllyDbg Homepage.

Figure 2 - OllyDbg CPU Window

<!--

Hide Shrink PE打补丁技术大全

Copy Code

<FONT color=gray><FONT color=red>010119E0</FONT>

010119E1

010119E3

010119E5

010119EA

010119EF

010119F5

010119F6

010119FD

01011A00

01011A01

01011A02

01011A03

01011A06

01011A0D

01011A0F

01011A15

01011A18

01011A22

01011A2C

01011A32

01011A38

01011A3A

01011A40

01011A46

01011A48

01011A4D

01011A4F

01011A55

01011A5A

01011A5F

01011A61</FONT>

Hide Shrink PE打补丁技术大全

Copy Code

<FONT color=red>$ 55</FONT>

. 8BEC

. 6A FF

. 68 70150001

. 68 601D0101

. 64:A1 00000000

. 50

. 64:8925 000000

. 83C4 98

. 53

. 56

. 57

. 8965 E8

. C745 FC 0000000

. 6A 02

. FF15 B8100001

. 83C4 04

. C705 783F0101 F

. C705 7C3F0101 F

. FF15 BC100001

. 8B0D 743F0101

. 8908

. FF15 C0100001

. 8B15 703F0101

. 8910

. A1 C4100001

. 8B08

. 890D 803F0101

. E8 F6020000

. A1 F0390101

. 85C0

. 75 0E

Hide Shrink PE打补丁技术大全

Copy Code

<FONT color=red>PUSH EBP</FONT>

MOV EBP,ESP PUSH -1 PUSH CALC.01001570 PUSH JMP.&MSVCRT._except_handler3 MOV EAX,DWORD PTR FS:[0] PUSH EAX MOV DWORD PTR FS:[0],ESP ADD ESP,-68 PUSH EBX PUSH ESI PUSH EDI MOV DWORD PTR SS:[EBP-18],ESP MOV DWORD PTR SS:[EBP-4],0 PUSH 2 CALL DWORD PTR DS:[&MSVCRT.__set_app_ty ADD ESP,4 MOV DWORD PTR DS:[1013F78],-1 MOV DWORD PTR DS:[1013F7C],-1 CALL DWORD PTR DS:[&MSVCRT.__p__fmode] MOV ECX, DWORD PTR DS:[1013F74] MOV DWORD PTR DS:[EAX],ECX CALL DWORD PTR DS:[&MSVCRT.__p__commode MOV EDX, DWORD PTR DS:[1013F70] MOV DWORD PTR DS:[EAX],EDX MOV EAX,DWORD PTR DS:[&MSVCRT._adjust_f MOV ECX,DWORD PTR DS:[EAX] MOV DWORD PTR DS:[1013F80],ECX CALL CALC.01011D50 MOV EAX, DWORD PTR DS:[10139F0] TEST EAX,EAX JNZ SHORT CALC.01011A71

Hide Shrink PE打补丁技术大全

Copy Code

<FONT color=gray>EAX<FONT color=red> 00000000</FONT> 

ECX<FONT color=red> 0007FFB0</FONT>

EDX<FONT color=red> 7C90EB94</FONT> ntdll.KiFastSystemCallRet

EBX 7FFD8000

ESP<FONT color=red> 0007FFC4</FONT>

EBP<FONT color=red> 0007FFF0</FONT>

ESI FFFFFFFF EDI 7C910738 ntdll.7C910738 EIP<FONT color=red> 010119E0</FONT> CALC.ModuleEntryPoint C 0 ES 0023 32bit 0(FFFFFFFF) P <FONT color=red>1</FONT> CS 001B 32bit 0(FFFFFFFF) A 0 SS 0023 32bit 0(FFFFFFFF) Z <FONT color=red>1</FONT> DS 0023 32bit 0(FFFFFFFF) S 0 FS <FONT color=red>003B</FONT> 32bit 7FFDF000(FFF) T 0 GS 0000 NULL D 0 O 0 LastErr <FONT color=red>ERROR_ALREADY_EXISTS (000000B7)</FONT> EFL <FONT color=red>00000246</FONT> (NO,NB,E,BE,NS,PE,GE,LE) ST0 empty -UNORM BBB0 01050104 00000000 ST1 empty 0.0 ST2 empty 0.0 ST3 empty 0.0 ST4 empty 0.0 ST5 empty 0.0 ST6 empty <FONT color=red>1.0000000000000000000</FONT> ST7 empty <FONT color=red>1.0000000000000000000</FONT> 3 2 1 0 E S P U O Z D I FST <FONT color=red>4020</FONT> Cond <FONT color=red>1</FONT> 0 0 0 Err 0 0 <FONT color=red>1</FONT> 0 0 0 0 0 FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1</FONT>

EBP=0007FFF0

Hide Shrink PE打补丁技术大全

Copy Code

<FONT color=gray>01013000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

01013010  01 00 00 00 20 00 00 00 0A 00 00 00 0A 00 00 00  ................

01013020  20 00 00 00 00 00 00 00 53 63 69 43 61 6C 63 00  ........SciCalc.

01013030  00 00 00 00 00 00 00 00 62 61 63 6B 67 72 6F 75  ........backgrou

01013040  6E 64 00 00 00 00 00 00 2E 00 00 00 00 00 00 00  nd..............

01013050  30 00 00 00 FF FF FF FF 01 00 00 00 00 00 00 00  0...     .......

01013060  00 00 57 00 58 00 56 01 5C 02 5D 02 07 03 59 03  ..W.X.V \ ]   Y 

01013070  5E 03 5A 03 5B 03 5F 04 00 00 00 00 FF FF FF FF    Z [ _ ....

01013080  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF                  

01013090  00 00 00 00 00 00 00 00 84 15 00 01 00 00 00 00  ........  . ....

010130A0  2E 4B 00 00 00 00 00 00 00 00 FF 00 50 00 00 00  .K........ .P...

010130B0  FF 00 00 00 51 00 00 00 FF 00 00 00 52 00 00 00   ...Q... ...R...

010130C0  FF 00 00 00 53 00 00 00 00 00 FF 00 54 00 00 00   ...S..... .T...

010130D0  00 00 FF 00 55 00 00 00 FF 00 00 00 56 00 00 00  .. .U... ...V...

010130E0  FF 00 00 00 57 00 00 00 FF 00 00 00 58 00 00 00   ...W... ...X...</FONT>

Hide Copy Code

<FONT color=gray>0007FFC4  7C816D4F  RETURN to kernel32.7C816D4F

0007FFC8  7C910738  ntdll.7C910738

0007FFCC  FFFFFFFF

0007FFD0  7FFD8000

0007FFD4  8054A6ED

0007FFD8  0007FFC8

0007FFDC  82574DA8

0007FFE0  FFFFFFFF  End of SEH chain

0007FFE4  7C8399F3  SE handler

0007FFE8  7C816D58  kernel32.7C816D58

0007FFEC  00000000

0007FFF0  00000000

0007FFF4  00000000

0007FFF8  010119E0  CALC.ModuleEntryPoint

0007FFFC  00000000</FONT>

-->

3.1.3 Which parts are important in a debugger interface?

I have introduced two debuggers without talking about how you can employ them, and also which parts you should pay attention more. Regarding using debuggers, I refer you to their instructions in help documents. However, I want to explain shortly the important parts of a debugger; of course, I am talking about low-level debuggers, or in other words, machine-language debuggers of the x86 CPU families.

All of low-level debuggers consist of the following subdivisions:

Registers viewer.

EAX

ECX

EDX

EBX

ESP

EBP

ESI

EDI

EIP

o d t s z a p c

Disassembler or Code viewer.

Hide Copy Code

010119E0 PUSH EBP 010119E1 MOV EBP,ESP 010119E3 PUSH -1 010119E5 PUSH 01001570 010119EA PUSH 01011D60 010119EF MOV EAX,DWORD PTR FS:[0] 010119F5 PUSH EAX 010119F6 MOV DWORD PTR FS:[0],ESP 010119FD ADD ESP,-68 01011A00 PUSH EBX 01011A01 PUSH ESI 01011A02 PUSH EDI 01011A03 MOV DWORD PTR SS:[EBP-18],ESP 01011A06 MOV DWORD PTR SS:[EBP-4],0

Memory watcher.

Stack viewer.

Command line, command buttons, or shortcut keys to follow the debugging process.

Command	SoftICE	OllyDbg
Run	F5	F9
Step Into	F11	F7
Step Over	F10	F8
Set Break Point	F8	F2

You can compare Figure 1 and Figure 2 to distinguish the difference between SoftICE and OllyDbg. When you want to trace a PE file, you should mostly consider these five subdivisions. Furthermore, every debugger comprises of some other useful parts; you should discover them by yourself.

3.2 Disassembler

We can consider OllyDbg and SoftICE as excellent disassemblers, but I also want to introduce another disassembler tool which is famous in the reverse engineering world.

3.2.1 Proview disassembler

Proview or PVDasm is an admirable disassembler by the Reverse-Engineering-Community; it is still under development and bug fixing. You can find its disassmbler source engine and employ it to create your own disassembler.

3.2.2 W32Dasm

W32DASM can disassemble both 16 and 32 bit executable file formats. In addition to its disassembling ability, you can employ it to analyze import, export and resource data directories data.

3.2.3 IDA Pro

All reverse-engineering experts know that IDA Pro can be used to investigate, not only x86 instructions, but that of various kinds of CPU types like AVR, PIC, and etc. It can illustrate the assembly source of a portable executable file by using colored graphics and tables, and is very useful for any newbie in this area. Furthermore, it has the capability to trace an executable file inside the user mode level in the same way as OllyDbg.

3.3 Some Useful Tools

A good PE tools developer is conversant with the tools which save his time, so I recommend to select some appropriate instruments to investigate the base information under a portable executable file.

3.3.1 LordPE

LordPE by y0da is still the first choice to retrieve PE file information with the possibility to modify them.

PE打补丁技术大全

3.3.2 PEiD

PE iDentifier is valuable to identify the type of compilers, packers, and cryptors of PE files. As of now, it can detect more than 500 different signature types of PE files.

PE打补丁技术大全

3.3.3 Resource Hacker

Resource Hacker can be employed to modify resource directory information; icon, menu, version info, string table, and etc.

PE打补丁技术大全

3.3.4 WinHex

WinHex, it is clear what you can do with this tool.

PE打补丁技术大全

3.3.5 CFF Explorer

Eventually, CFF Explorer by Ntoskrnl is what you wish to have as a PE Utility tool in your dream; it supports PE32/64, PE rebuild included Common Language Infrastructure (CLI) file, in other words, the .NET file, a resource modifier, and much more facilities which can not be found in others, just try and discover every unimaginable option by hand.

PE打补丁技术大全

4 Add new section and Change OEP

We are ready to do the first step of making our project. So I have provided a library to add a new section and rebuild the portable executable file. Before starting, I like you get familiar with the headers of a PE file, by usingOllyDbg. You should first open a PE file, that pops up a menu, View->Executable file, again get a popup menuSpecial->PE header. And you will observe a scene similar to Figure 3. Now, come to Main Menu View->Memory, try to distinguish the sections inside the Memory map window.

Figure 3

Hide Shrink PE打补丁技术大全

Copy Code

Hide Shrink PE打补丁技术大全

Copy Code

Hide Shrink PE打补丁技术大全

Copy Code

 ASCII <FONT color=green>"MZ"</FONT>

 DW 0090

 DW 0003

 DW 0000

 DW 0004

 DW 0000

 DW FFFF

 DW 0000

 DW 00B8

 DW 0000

 DW 0000

 DW 0000

 DW 0040

 DW 0000

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DB 00

 DD <FONT color=red>000000F0</FONT>

Hide Shrink PE打补丁技术大全

Copy Code

 DOS EXE Signature

 DOS_PartPag = 90 (144.)

 DOS_PageCnt = 3

 DOS_ReloCnt = 0

 DOS_HdrSize = 4

 DOS_MinMem = 0

 DOS_MaxMem = FFFF (65535.)

 DOS_ReloSS = 0

 DOS_ExeSP = B8

 DOS_ChkSum = 0

 DOS_ExeIP = 0

 DOS_ReloCS = 0

 DOS_TablOff = 40

 DOS_Overlay = 0

































































 Offset to PE signature

I want to explain how we can plainly change the Offset of Entry Point (OEP) in our sample file, CALC.EXE of Windows XP. First, by using a PE Tool, and also using our PE Viewer, we find OEP, 0x00012475, and Image Base,0x01000000. This value of OEP is the Relative Virtual Address, so the Image Base value is used to convert it to the Virtual Address.

Virtual_Address = Image_Base + Relative_Virtual_Address

Hide Copy Code

DWORD OEP_RVA = image_nt_headers->OptionalHeader.AddressOfEntryPoint ; 

// OEP_RVA = 0x00012475 DWORD OEP_VA = image_nt_headers->OptionalHeader.ImageBase + OEP_RVA ; // OEP_VA = 0x01000000 + 0x00012475 = 0x01012475

PE Maker - Step 1

Download source files - 54.7 Kb

CALC.EXE - test file

Download test PE file - 49.5 Kb

DynLoader(), in loader.cpp, is reserved for the data of the new section, in other words, the Loader.

DynLoader Step 1

Hide Copy Code

__stdcall void DynLoader() { _asm { //---------------------------------- DWORD_TYPE(DYN_LOADER_START_MAGIC) //---------------------------------- MOV EAX,01012475h // << Original OEP JMP EAX //---------------------------------- DWORD_TYPE(DYN_LOADER_END_MAGIC) //---------------------------------- } }

Unfortunately, this source can only be applied for the sample test file. We should complete it by saving the value of the original OEP in the new section, and use it to reach the real OEP. I have accomplished it in Step 2 (Section 5).

4.1 Retrieve and Rebuild PE file

I have made a simple class library to recover PE information and to use it in a new PE file.

CPELibrary Class Step 1

Hide Shrink PE打补丁技术大全

Copy Code

//---------------------------------------------------------------- class CPELibrary { private: //----------------------------------------- PCHAR pMem; DWORD dwFileSize; //----------------------------------------- protected: //----------------------------------------- PIMAGE_DOS_HEADER image_dos_header; PCHAR pDosStub; DWORD dwDosStubSize, dwDosStubOffset; PIMAGE_NT_HEADERS image_nt_headers; PIMAGE_SECTION_HEADER image_section_header[MAX_SECTION_NUM]; PCHAR image_section[MAX_SECTION_NUM]; //----------------------------------------- protected: //----------------------------------------- DWORD PEAlign(DWORD dwTarNum,DWORD dwAlignTo); void AlignmentSections(); //----------------------------------------- DWORD Offset2RVA(DWORD dwRO); DWORD RVA2Offset(DWORD dwRVA); //----------------------------------------- PIMAGE_SECTION_HEADER ImageRVA2Section(DWORD dwRVA); PIMAGE_SECTION_HEADER ImageOffset2Section(DWORD dwRO); //----------------------------------------- DWORD ImageOffset2SectionNum(DWORD dwRVA); PIMAGE_SECTION_HEADER AddNewSection(char* szName,DWORD dwSize); //----------------------------------------- public: //----------------------------------------- CPELibrary(); ~CPELibrary(); //----------------------------------------- void OpenFile(char* FileName); void SaveFile(char* FileName); //----------------------------------------- };

By Table 1, the usage of image_dos_header, pDosStub, image_nt_headers, image_section_header[MAX_SECTION_NUM], and image_section[MAX_SECTION_NUM] is clear. We use OpenFile() and SaveFile()to retrieve and rebuild a PE file. Furthermore, AddNewSection() is employed to create the new section, the important step.

4.2 Create Data for new Section

In pecrypt.cpp, I have represented another class, CPECryptor, to comprise the data of the new section. Nevertheless, the data of the new section is created by DynLoader() in loader.cpp, DynLoader Step 1. We use the CPECryptor class to enter this data in to the new section, and also some other stuff.

CPECryptor Class Step 1

Hide Copy Code

//---------------------------------------------------------------- class CPECryptor: public CPELibrary { private: //---------------------------------------- PCHAR pNewSection; //---------------------------------------- DWORD GetFunctionVA(void* FuncName); void* ReturnToBytePtr(void* FuncName, DWORD findstr); //---------------------------------------- protected: //---------------------------------------- public: //---------------------------------------- void CryptFile(int(__cdecl *callback) (unsigned int, unsigned int)); //---------------------------------------- }; //----------------------------------------------------------------

4.3 Some notes regarding creating a new PE file

Align the VirtualAddress and the VirtualSize of each section by SectionAlignment:

Hide Copy Code

image_section_header[i]->VirtualAddress=

    PEAlign(image_section_header[i]->VirtualAddress,

    image_nt_headers->OptionalHeader.SectionAlignment);



image_section_header[i]->Misc.VirtualSize=

    PEAlign(image_section_header[i]->Misc.VirtualSize,

    image_nt_headers->OptionalHeader.SectionAlignment);

Align the PointerToRawData and the SizeOfRawData of each section by FileAlignment:

Hide Copy Code

image_section_header[i]->PointerToRawData =

    PEAlign(image_section_header[i]->PointerToRawData,

            image_nt_headers->OptionalHeader.FileAlignment);



image_section_header[i]->SizeOfRawData =

    PEAlign(image_section_header[i]->SizeOfRawData,

            image_nt_headers->OptionalHeader.FileAlignment);

Correct the SizeofImage by the virtual size and the virtual address of the last section:

Hide Copy Code

image_nt_headers->OptionalHeader.SizeOfImage = 

          image_section_header[LastSection]->VirtualAddress +

          image_section_header[LastSection]->Misc.VirtualSize;

Set the Bound Import Directory header to zero, as this directory is not very important to execute a PE file:

Hide Copy Code

image_nt_headers->

  OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].

  VirtualAddress = 0;

image_nt_headers->

  OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = 0;

4.4 Some notes regarding linking this VC Project

Set Linker->General->Enable Incremental Linking to No (/INCREMENTAL:NO).

You can comprehend the difference between incremental link and no-incremental link by looking at the following picture:

To acquire the virtual address of DynLoader(), we obtain the virtual address of JMP pemaker.DynLoaderin the incremental link, but by no-incremental link, the real virtual address is gained by the following code:

Hide Copy Code
```
DWORD dwVA= (DWORD) DynLoader;
```
This setting is more critical in the incremental link when you try to find the beginning and ending of theLoader, DynLoader(), by CPECryptor::ReturnToBytePtr():

Hide Copy Code
```
void* CPECryptor::ReturnToBytePtr(void* FuncName, DWORD findstr) { void* tmpd; __asm { mov eax, FuncName jmp df hjg: inc eax df: mov ebx, [eax] cmp ebx, findstr jnz hjg mov tmpd, eax } return tmpd; }
```

5 Store Important Data and Reach Original OEP

Right now, we save the Original OEP and also the Image Base in order to reach to the virtual address of OEP. I have reserved a free space at the end of DynLoader() to store them, DynLoader Step 2.

PE Maker - Step 2

Download source files - 58.3 Kb

DynLoader Step 2

Hide Copy Code

__stdcall void DynLoader() { _asm { //---------------------------------- DWORD_TYPE(DYN_LOADER_START_MAGIC) //---------------------------------- Main_0: PUSHAD // get base ebp CALL Main_1 Main_1: POP EBP SUB EBP,OFFSET Main_1 MOV EAX,DWORD PTR [EBP+_RO_dwImageBase] ADD EAX,DWORD PTR [EBP+_RO_dwOrgEntryPoint] PUSH EAX RETN // >> JMP to Original OEP //---------------------------------- DWORD_TYPE(DYN_LOADER_START_DATA1) //----------------------------------<FONT color=red> _RO_dwImageBase: DWORD_TYPE(0xCCCCCCCC) _RO_dwOrgEntryPoint: DWORD_TYPE(0xCCCCCCCC)</FONT> //---------------------------------- DWORD_TYPE(DYN_LOADER_END_MAGIC) //---------------------------------- } }

The new function, CPECryptor::CopyData1(), will implement the copy of the Image Base value and the Offset of Entry Point value into 8 bytes of free space in the loader.

5.1 Restore the first Registers Context

It is important to recover the Original Context of the thread. We have not yet done it in the DynLoader Step 2source code. We can modify the source of DynLoader() to repossess the first Context.

Hide Shrink PE打补丁技术大全

Copy Code

__stdcall void DynLoader() { _asm { //---------------------------------- DWORD_TYPE(DYN_LOADER_START_MAGIC) //---------------------------------- Main_0: <FONT color=red>PUSHAD// Save the registers context in stack</FONT> CALL Main_1 Main_1: POP EBP// Get Base EBP SUB EBP,OFFSET Main_1 MOV EAX,DWORD PTR [EBP+_RO_dwImageBase] ADD EAX,DWORD PTR [EBP+_RO_dwOrgEntryPoint] MOV DWORD PTR [ESP+1Ch],EAX // pStack.Eax <- EAX <FONT color=red>POPAD // Restore the first registers context from stack</FONT> PUSH EAX XOR EAX, EAX RETN // >> JMP to Original OEP //---------------------------------- DWORD_TYPE(DYN_LOADER_START_DATA1) //---------------------------------- _RO_dwImageBase: DWORD_TYPE(0xCCCCCCCC) _RO_dwOrgEntryPoint: DWORD_TYPE(0xCCCCCCCC) //---------------------------------- DWORD_TYPE(DYN_LOADER_END_MAGIC) //---------------------------------- } }

5.2 Restore the Original Stack

We can also recover the original stack by setting the value of the beginning stack + 0x34 to the Original OEP, but it is not very important. Nevertheless, in the following code, I have accomplished the loader code by a simple trick to reach OEP in addition to redecorating the stack. You can observe the implementation by tracing using OllyDbgor SoftICE.

Hide Shrink PE打补丁技术大全

Copy Code

__stdcall void DynLoader() { _asm { //---------------------------------- DWORD_TYPE(DYN_LOADER_START_MAGIC) //---------------------------------- Main_0: PUSHAD // Save the registers context in stack CALL Main_1 Main_1: POP EBP SUB EBP,OFFSET Main_1 MOV EAX,DWORD PTR [EBP+_RO_dwImageBase] ADD EAX,DWORD PTR [EBP+_RO_dwOrgEntryPoint] MOV DWORD PTR [ESP+54h],EAX // pStack.Eip <- EAX POPAD // Restore the first registers context from stack CALL _OEP_Jump DWORD_TYPE(0xCCCCCCCC) _OEP_Jump: PUSH EBP MOV EBP,ESP MOV EAX,DWORD PTR [ESP+3Ch] // EAX <- pStack.Eip MOV DWORD PTR [ESP+4h],EAX // _OEP_Jump RETURN pointer <- EAX XOR EAX,EAX LEAVE RETN //---------------------------------- DWORD_TYPE(DYN_LOADER_START_DATA1) //---------------------------------- _RO_dwImageBase: DWORD_TYPE(0xCCCCCCCC) _RO_dwOrgEntryPoint: DWORD_TYPE(0xCCCCCCCC) //---------------------------------- DWORD_TYPE(DYN_LOADER_END_MAGIC) //---------------------------------- } }

5.3 Approach OEP by Structured Exception Handling

An exception is generated when a program falls into a fault code execution and an error happens, so in such a special condition, the program immediately jumps to a function called the exception handler from exception handler list of the Thread Information Block.

The next example of a try-except statement in C++ clarifies the operation of structured exception handling. Besides the assembly code of this code, it elucidates the structured exception handler installation, the raise of an exception, and the exception handler function.

Hide Shrink PE打补丁技术大全

Copy Code

#include "stdafx.h" #include "windows.h" void RAISE_AN_EXCEPTION() { _asm { INT 3 INT 3 INT 3 INT 3 } } int _tmain(int argc, _TCHAR* argv[]) { __try { __try{ printf("1: Raise an Exception\n"); RAISE_AN_EXCEPTION(); } __finally { printf("2: In Finally\n"); } } __except( printf("3: In Filter\n"), EXCEPTION_EXECUTE_HANDLER ) { printf("4: In Exception Handler\n"); } return 0; }

Hide Shrink PE打补丁技术大全

Copy Code

<FONT color=black>; main()</FONT><FONT color=gray>

00401000: PUSH EBP

00401001: MOV EBP,ESP

00401003: PUSH -1

00401005: PUSH 00407160

<FONT color=black>; __try {</FONT>

<FONT color=green>; the structured exception handler (SEH) installation </FONT><FONT color=blue>

0040100A: PUSH _except_handler3  

0040100F: MOV EAX,DWORD PTR FS:[0]

00401015: PUSH EAX

00401016: MOV DWORD PTR FS:[0],ESP</FONT>

0040101D: SUB ESP,8

00401020: PUSH EBX

00401021: PUSH ESI

00401022: PUSH EDI

00401023: MOV DWORD PTR SS:[EBP-18],ESP

<FONT color=black>;     __try {</FONT>

00401026: XOR ESI,ESI

00401028: MOV DWORD PTR SS:[EBP-4],ESI

0040102B: MOV DWORD PTR SS:[EBP-4],1

00401032: PUSH OFFSET <FONT color=brown>"1: Raise an Exception"</FONT>

00401037: CALL printf

0040103C: ADD ESP,4

<FONT color=green>; the raise a exception, INT 3 exception</FONT>

; RAISE_AN_EXCEPTION()<FONT color=blue>

0040103F: INT3      

00401040: INT3

00401041: INT3

00401042: INT3</FONT>

<FONT color=black>;     } __finally {</FONT>

00401043: MOV DWORD PTR SS:[EBP-4],ESI

00401046: CALL 0040104D

0040104B: JMP 00401080

0040104D: PUSH OFFSET <FONT color=brown>"2: In Finally"</FONT>

00401052: CALL printf

00401057: ADD ESP,4

0040105A: RETN

<FONT color=black>;     }</FONT>

<FONT color=black>; }</FONT>

<FONT color=black>; __except( </FONT>

0040105B: JMP 00401080

0040105D: PUSH OFFSET <FONT color=brown>"3: In Filter"</FONT>

00401062: CALL printf

00401067: ADD ESP,4

0040106A: MOV EAX,1 ; EXCEPTION_EXECUTE_HANDLER = 1

0040106F: RETN

<FONT color=black>;     , EXCEPTION_EXECUTE_HANDLER )</FONT>

<FONT color=black>; {</FONT>

<FONT color=green>; the exception handler funtion</FONT><FONT color=blue>

00401070: MOV ESP,DWORD PTR SS:[EBP-18]

00401073: PUSH OFFSET <FONT color=brown>"4: In Exception Handler"</FONT>

00401078: CALL printf

0040107D: ADD ESP,4</FONT>

<FONT color=black>; }</FONT>

00401080: MOV DWORD PTR SS:[EBP-4],-1

0040108C: XOR EAX,EAX

<FONT color=green>; restore previous SEH</FONT><FONT color=blue>

0040108E: MOV ECX,DWORD PTR SS:[EBP-10]

00401091: MOV DWORD PTR FS:[0],ECX</FONT>

00401098: POP EDI

00401099: POP ESI

0040109A: POP EBX

0040109B: MOV ESP,EBP

0040109D: POP EBP

0040109E: RETN</FONT>

Make a Win32 console project, and link and run the preceding C++ code, to perceive the result:

1: Raise an Exception
3: In Filter
2: In Finally
4: In Exception Handler
_

This program runs the exception expression, printf("3: In Filter\n");, when an exception happens, in this example the INT 3 exception. You can employ other kinds of exception too. In OllyDbg, Debugging options->Exceptions, you can see a short list of different types of exceptions.

PE打补丁技术大全

5.3.1 Implement Exception Handler

We desire to construct a structured exception handler in order to reach OEP. Now, I think you have distinguished the SEH installation, the exception raise, and the exception expression filter, by foregoing the assembly code. To establish our exception handler approach, we need to comprise the following codes:

SEH installation:

Hide Copy Code

<FONT color=gray>    LEA EAX,[EBP+_except_handler1_OEP_Jump] PUSH EAX PUSH DWORD PTR FS:[0] MOV DWORD PTR FS:[0],ESP</FONT>

An Exception Raise:
Hide Copy Code
```
<FONT color=gray>    INT 3</FONT>
```

Exception handler expression filter:

Hide Copy Code

<FONT color=gray>_except_handler1_OEP_Jump:

    PUSH EBP MOV EBP,ESP ... MOV EAX, EXCEPTION_CONTINUE_SEARCH // EXCEPTION_CONTINUE_SEARCH = 0 LEAVE RETN</FONT>

So we yearn for making the ensuing C++ code in assembly language to inaugurate our engine to approach the Offset of Entry Point by SEH.

Hide Copy Code

__try // SEH installation { __asm { INT 3 // An Exception Raise } } __except( ..., EXCEPTION_CONTINUE_SEARCH ){} // Exception handler expression filter

In assembly code...

Hide Copy Code

<FONT color=gray>    <FONT color=green>; ---------------------------------------------------- ; the structured exception handler (SEH) installation <FONT color=black>; __try {</FONT></FONT> LEA EAX,[EBP+_except_handler1_OEP_Jump] PUSH EAX PUSH DWORD PTR FS:[0] MOV DWORD PTR FS:[0],ESP <FONT color=green>; ---------------------------------------------------- ; the raise a INT 3 exception</FONT> INT 3 INT 3 INT 3 INT 3 <FONT color=black>; } ; __except( ... </FONT> <FONT color=green>; ---------------------------------------------------- ; exception handler expression filter</FONT> _except_handler1_OEP_Jump: PUSH EBP MOV EBP,ESP ... MOV EAX, EXCEPTION_CONTINUE_SEARCH ; EXCEPTION_CONTINUE_SEARCH = 0 LEAVE RETN <FONT color=black>; , EXCEPTION_CONTINUE_SEARCH ) { }</FONT></FONT>

The exception value, __except(..., Value), determines how the exception is handled, it can have three values, 1, 0, -1. To understand them, refer to the try-except statement description in the MSDN library. We set it toEXCEPTION_CONTINUE_SEARCH (0), not to run the exception handler function, therefore by this value, the exception is not recognized, is simply ignored, and the thread continues its code-execution.

How the SEH installation is implemented

As you perceived from the illustrated code, the SEH installation is done by the FS segment register. Microsoft Windows 32 bit uses the FS segment register as a pointer to the data block of the main thread. The first 0x1Cbytes comprise the information of the Thread Information Block (TIB). Therefore, FS:[00h] refers toExceptionList of the main thread, Table 3. In our code, we have pushed the pointer to_except_handler1_OEP_Jump in the stack and changed the value of ExceptionList, FS:[00h], to the beginning of the stack, ESP.

Thread Information Block (TIB)

Hide Copy Code

typedef struct _NT_TIB32 { DWORD ExceptionList; DWORD StackBase; DWORD StackLimit; DWORD SubSystemTib; union { DWORD FiberData; DWORD Version; }; DWORD ArbitraryUserPointer; DWORD Self; } NT_TIB32, *PNT_TIB32;

Table 3 - FS segment register and Thread Information Block

DWORD PTR FS:[00h]	ExceptionList
DWORD PTR FS:[04h]	StackBase
DWORD PTR FS:[08h]	StackLimit
DWORD PTR FS:[0Ch]	SubSystemTib
DWORD PTR FS:[10h]	FiberData / Version
DWORD PTR FS:[14h]	ArbitraryUserPointer
DWORD PTR FS:[18h]	Self

5.3.2 Attain OEP by adjusting the Thread Context

In this part, we effectuate our performance by accomplishing the OEP approach. We change the Context of the thread and ignore every simple exception handling, and let the thread continue the execution, but in the original OEP!

When an exception happens, the context of the processor during the time of the exception is saved in the stack. By EXCEPTION_POINTERS, we have access to the pointer of ContextRecord. The ContextRecord has theCONTEXT data structure, Table 4, this is the thread context during the exception time. When we ignore the exception by EXCEPTION_CONTINUE_SEARCH (0), the instruction pointer as well the context will be set toContextRecord in order to return to the previous condition. Therefore, if we change the Eip of the Win32 Thread Context to the Original Offset of Entry Point, it will come clearly into OEP.

Hide Copy Code

    MOV EAX, ContextRecord MOV EDI, dwOEP ; EAX <- dwOEP MOV DWORD PTR DS:[EAX+0B8h], EDI ; pContext.Eip <- EAX

Win32 Thread Context structure

Hide Shrink PE打补丁技术大全

Copy Code

#define MAXIMUM_SUPPORTED_EXTENSION     512 typedef struct _CONTEXT { //----------------------------------------- DWORD ContextFlags; //----------------------------------------- DWORD Dr0; DWORD Dr1; DWORD Dr2; DWORD Dr3; DWORD Dr6; DWORD Dr7; //----------------------------------------- FLOATING_SAVE_AREA FloatSave; //----------------------------------------- DWORD SegGs; DWORD SegFs; DWORD SegEs; DWORD SegDs; //----------------------------------------- DWORD Edi; DWORD Esi; DWORD Ebx; DWORD Edx; DWORD Ecx; DWORD Eax; //----------------------------------------- DWORD Ebp; DWORD Eip; DWORD SegCs; DWORD EFlags; DWORD Esp; DWORD SegSs; //----------------------------------------- BYTE ExtendedRegisters[MAXIMUM_SUPPORTED_EXTENSION]; //---------------------------------------- } CONTEXT, *LPCONTEXT;

Table 4 - CONTEXT

Context Flags	0x00000000	`ContextFlags`
Context Debug Registers	0x00000004	`Dr0`
	0x00000008	`Dr1`
	0x0000000C	`Dr2`
	0x00000010	`Dr3`
	0x00000014	`Dr6`
	0x00000018	`Dr7`
Context Floating Point	0x0000001C	`FloatSave`	`StatusWord`
	0x00000020		`StatusWord`
	0x00000024		`TagWord`
	0x00000028		`ErrorOffset`
	0x0000002C		`ErrorSelector`
	0x00000030		`DataOffset`
	0x00000034		`DataSelector`
	0x00000038 ... 0x00000087		`RegisterArea`[0x50]
	0x00000088		`Cr0NpxState`
Context Segments	0x0000008C	`SegGs`
	0x00000090	`SegFs`
	0x00000094	`SegEs`
	0x00000098	`SegDs`
Context Integer	0x0000009C	`Edi`
	0x000000A0	`Esi`
	0x000000A4	`Ebx`
	0x000000A8	`Edx`
	0x000000AC	`Ecx`
	0x000000B0	`Eax`
Context Control	0x000000B4	`Ebp`
	0x000000B8	`Eip`
	0x000000BC	`SegCs`
	0x000000C0	`EFlags`
	0x000000C4	`Esp`
	0x000000C8	`SegSs`
Context Extended Registers	0x000000CC ... 0x000002CB	`ExtendedRegisters`[0x200]

By the following code, we have accomplished the main purpose of coming to OEP by the structured exception handler:

Hide Shrink PE打补丁技术大全

Copy Code

__stdcall void DynLoader() { _asm { //---------------------------------- DWORD_TYPE(DYN_LOADER_START_MAGIC) //---------------------------------- Main_0: PUSHAD // Save the registers context in stack CALL Main_1 Main_1: POP EBP SUB EBP,OFFSET Main_1 // Get Base EBP MOV EAX,DWORD PTR [EBP+_RO_dwImageBase] ADD EAX,DWORD PTR [EBP+_RO_dwOrgEntryPoint] MOV DWORD PTR [ESP+10h],EAX // pStack.Ebx <- EAX LEA EAX,[EBP+_except_handler1_OEP_Jump] MOV DWORD PTR [ESP+1Ch],EAX // pStack.Eax <- EAX POPAD // Restore the first registers context from stack //---------------------------------------------------- // the structured exception handler (SEH) installation PUSH EAX XOR EAX, EAX PUSH DWORD PTR FS:[0] // NT_TIB32.ExceptionList MOV DWORD PTR FS:[0],ESP // NT_TIB32.ExceptionList <-ESP //---------------------------------------------------- // the raise a INT 3 exception DWORD_TYPE(0xCCCCCCCC) //-------------------------------------------------------- // -------- exception handler expression filter ---------- _except_handler1_OEP_Jump: PUSH EBP MOV EBP,ESP //------------------------------ MOV EAX,DWORD PTR SS:[EBP+010h] // PCONTEXT: pContext <- EAX //============================== PUSH EDI // restore original SEH MOV EDI,DWORD PTR DS:[EAX+0C4h] // pContext.Esp PUSH DWORD PTR DS:[EDI] POP DWORD PTR FS:[0] ADD DWORD PTR DS:[EAX+0C4h],8 // pContext.Esp //------------------------------ // set the Eip to the OEP MOV EDI,DWORD PTR DS:[EAX+0A4h] // EAX <- pContext.Ebx MOV DWORD PTR DS:[EAX+0B8h],EDI // pContext.Eip <- EAX //------------------------------ POP EDI //============================== MOV EAX, EXCEPTION_CONTINUE_SEARCH LEAVE RETN //---------------------------------- DWORD_TYPE(DYN_LOADER_START_DATA1) //---------------------------------- _RO_dwImageBase: DWORD_TYPE(0xCCCCCCCC) _RO_dwOrgEntryPoint: DWORD_TYPE(0xCCCCCCCC) //---------------------------------- DWORD_TYPE(DYN_LOADER_END_MAGIC) //---------------------------------- } }

6 Build an Import Table and Reconstruct the Original Import Table

To use the Windows dynamic link library (DLL) in Windows application programming, there are two ways:

Using Windows libraries by additional dependencies:

Using Windows dynamic link libraries in run-time:

Hide Copy Code

// DLL function signature typedef HGLOBAL (*importFunction_GlobalAlloc)(UINT, SIZE_T); ... importFunction_GlobalAlloc __GlobalAlloc; // Load DLL file HINSTANCE hinstLib = LoadLibrary("Kernel32.dll"); if (hinstLib == NULL) { // Error - unable to load DLL } // Get function pointer __GlobalAlloc = (importFunction_GlobalAlloc)GetProcAddress(hinstLib, "GlobalAlloc"); if (addNumbers == NULL) { // Error - unable to find DLL function } FreeLibrary(hinstLib);

When you make a Windows application project, the linker includes at least kernel32.dll in the base dependencies of your project. Without LoadLibrary() and GetProcAddress() of Kernel32.dll, we can not load a DLL in run-time. The dependencies information is stored in the import table section. By Dependency Walker, it is not so difficult to observe the DLL module and the functions which are imported into a PE file.

PE打补丁技术大全

We attempt to establish our custom import table to conduct our project. Furthermore, we have to fix up the original import table at the end in order to run the real code of the program.

PE Maker - Step 3

Download source files - 65.4 Kb

6.1 Construct the Client Import Table

I strongly advise you to read the section 6.4 of the Microsoft Portable Executable and the Common Object File Format Specification document. This section contains the principal information to comprehend the import table performance.

The import table data is accessible by a second data directory of the optional header from PE headers, so you can access it by using the following code:

Hide Copy Code

DWORD dwVirtualAddress = image_nt_headers->

  OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;

DWORD dwSize = image_nt_headers->

  OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size;

The VirtualAddress refers to structures by IMAGE_IMPORT_DESCRIPTOR. This structure contains the pointer to the imported DLL name and the relative virtual address of the first thunk.

Hide Copy Code

typedef struct _IMAGE_IMPORT_DESCRIPTOR { union { DWORD Characteristics; DWORD OriginalFirstThunk; }; DWORD TimeDateStamp; DWORD ForwarderChain; DWORD <FONT color=red>Name</FONT>; // the imported DLL name DWORD <FONT color=red>FirstThunk</FONT>; // the relative virtual address of the first thunk } IMAGE_IMPORT_DESCRIPTOR, *PIMAGE_IMPORT_DESCRIPTOR;

When a program is running, the Windows task manager sets the thunks by the virtual address of the function. The virtual address is found by the name of the function. At first, the thunks hold the relative virtual address of the function name, Table 5; during execution, they are fixed up by the virtual address of the functions, Table 6.

Table 5 - The Import Table in file image

`IMAGE_IMPORT_ DESCRIPTOR[0]`	`OriginalFirstThunk`
	`TimeDateStamp`
	`ForwarderChain`
	`Name_RVA`	------>	"kernel32.dll",0
	`FirstThunk_RVA`	------>	`proc_1_name_RVA`	------>	0,0,"LoadLibraryA",0
			`proc_2_name_RVA`	------>	0,0,"GetProcAddress",0
			`proc_3_name_RVA`	------>	0,0,"GetModuleHandleA",0
			...
`IMAGE_IMPORT_ DESCRIPTOR[1]`
`...`
`IMAGE_IMPORT_ DESCRIPTOR[n]`

Table 6 - The Import Table in virtual memory

`IMAGE_IMPORT_DESCRIPTOR[0]`	`OriginalFirstThunk`
	`TimeDateStamp`
	`ForwarderChain`
	`Name_RVA`	`------>`	"kernel32.dll",0
	`FirstThunk_RVA`	`------>`	`proc_1_VA`
			`proc_2_VA`
			`proc_3_VA`
			`...`
`IMAGE_IMPORT_DESCRIPTOR[1]`
`...`
`IMAGE_IMPORT_DESCRIPTOR[n]`

We want to make a simple import table to import LoadLibrary(), and GetProcAddress() from Kernel32.dll. We need these two essential API functions to cover other API functions in run-time. The following assembly code shows how easily we can reach our solution:

Hide Copy Code

<FONT color=gray>0101F000: 

<FONT color=blue>00000000</FONT> ; OriginalFirstThunk

0101F004: <FONT color=blue>00000000</FONT> ; TimeDateStamp

0101F008: <FONT color=blue>00000000</FONT> ; ForwarderChain

0101F00C: <FONT color=blue>0001F034</FONT> ; Name;       ImageBase + 0001F034 -> 0101F034 -> "Kernel32.dll",0

0101F010: <FONT color=blue>0001F028</FONT> ; FirstThunk; ImageBase + 0001F028 -> 0101F028

0101F014: <FONT color=blue>00000000</FONT>

0101F018: <FONT color=blue>00000000</FONT>

0101F01C: <FONT color=blue>00000000</FONT>

0101F020: <FONT color=blue>00000000</FONT>

0101F024: <FONT color=blue>00000000</FONT>

0101F028: <FONT color=blue>0001F041</FONT> ; ImageBase + 0001F041 -> 0101F041 -> 0,0,"LoadLibraryA",0

0101F02C: <FONT color=blue>0001F050</FONT> ; ImageBase + 0001F050 -> 0101F050 -> 0,0,"GetProcAddress",0

0101F030: <FONT color=blue>00000000</FONT>

0101F034: <FONT color=brown>'K' 'e' 'r' 'n' 'e' 'l' '3' '2' '.' 'd' 'l' 'l' </FONT><FONT color=blue>00</FONT>

0001F041: <FONT color=blue>00 00</FONT> <FONT color=brown>'L' 'o' 'a' 'd' 'L' 'i' 'b' 'r' 'a' 'r' 'y' 'A'</FONT> 

<FONT color=blue>00</FONT>

0001F050: <FONT color=blue>00 00</FONT> <FONT color=brown>'G' 'e' 't' 'P' 'r' 'o' 'c' 'A' 'd' 'd' 'r' 'e' 's' 's'

</FONT> <FONT color=blue>00</FONT></FONT>

After running...

Hide Copy Code

<FONT color=gray>0101F000: 

<FONT color=blue>00000000</FONT> ; OriginalFirstThunk

0101F004: <FONT color=blue>00000000</FONT> ; TimeDateStamp

0101F008: <FONT color=blue>00000000</FONT> ; ForwarderChain

0101F00C: <FONT color=blue>0001F034</FONT> ; Name;       ImageBase + 0001F034 -> 0101F034 -> "Kernel32.dll",0

0101F010: <FONT color=blue>0001F028</FONT> ; FirstThunk; ImageBase + 0001F028 -> 0101F028

0101F014: <FONT color=blue>00000000</FONT>

0101F018: <FONT color=blue>00000000</FONT>

0101F01C: <FONT color=blue>00000000</FONT>

0101F020: <FONT color=blue>00000000</FONT>

0101F024: <FONT color=blue>00000000</FONT>

0101F028: <FONT color=red>7C801D77</FONT> ; -> Kernel32.LoadLibrary()

0101F02C: <FONT color=red>7C80AC28</FONT> ; -> Kernel32.GetProcAddress()

0101F030: <FONT color=blue>00000000</FONT>

0101F034: <FONT color=brown>'K' 'e' 'r' 'n' 'e' 'l' '3' '2' '.' 'd' 'l' 'l' </FONT>

<FONT color=blue>00</FONT>

0001F041: <FONT color=blue>00 00</FONT> <FONT color=brown>'L' 'o' 'a' 'd' 'L' 'i' 'b' 'r' 'a' 'r' 'y' 'A'

</FONT> <FONT color=blue>00</FONT>

0001F050: <FONT color=blue>00 00</FONT> <FONT color=brown>'G' 'e' 't' 'P' 'r' 'o' 'c' 'A' 'd' 'd' 'r' 'e' 's' 's'

</FONT> <FONT color=blue>00</FONT></FONT>

I have prepared a class library to make every import table by using a client string table. The CITMaker class library in itmaker.h, it will build an import table by sz_IT_EXE_strings and also the relative virtual address of the import table.

Hide Copy Code

static const char *sz_IT_EXE_strings[]= { "Kernel32.dll", "LoadLibraryA", "GetProcAddress", 0,, 0, };

We subsequently employ this class library to establish an import table to support DLLs and OCXs, so this is a general library to present all possible import tables easily. The next step is clarified in the following code.

Hide Copy Code

CITMaker *<FONT color=red>ImportTableMaker</FONT> = new CITMaker( IMPORT_TABLE_EXE );

...

pimage_section_header=AddNewSection( ".xxx", dwNewSectionSize ); // build import table by the current virtual address <FONT color=red>ImportTableMaker</FONT>-><FONT color=green>Build</FONT> ( <FONT color=blue>pimage_section_header->VirtualAddress</FONT> ); memcpy( pNewSection, <FONT color=red>ImportTableMaker</FONT>-><FONT color=green>pMem</FONT>, <FONT color=red>ImportTableMaker</FONT>-><FONT color=green>dwSize</FONT> ); ... memcpy( image_section[image_nt_headers->FileHeader.NumberOfSections-1], pNewSection, dwNewSectionSize ); ... image_nt_headers->OptionalHeader. DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = <FONT color=blue>pimage_section_header->VirtualAddress</FONT>; image_nt_headers->OptionalHeader. DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = <FONT color=red>ImportTableMaker</FONT>-><FONT color=green>dwSize</FONT>; ... delete <FONT color=red>ImportTableMaker</FONT>;

The import table is copied at the beginning of the new section, and the relevant data directory is adjusted to the relative virtual address of the new section and the size of the new import table

6.2 Using other API functions in run-time

At this time, we can load other DLLs and find the process address of other functions by using LoadLibrary()and GetProcAddress():

Hide Copy Code

<FONT color=gray>lea edi, <FONT color=red>@</FONT><FONT color=brown>"Kernel32.dll"</FONT>

//-------------------

<FONT color=blue>push edi

mov eax,offset _p_LoadLibrary

call [ebp+eax] //LoadLibrary(lpLibFileName);</FONT>

//-------------------

mov esi,eax    // esi -> hModule

lea edi, <FONT color=red>@</FONT><FONT color=brown>"GetModuleHandleA"</FONT>

//-------------------

<FONT color=blue>push edi

push esi

mov eax,offset _p_GetProcAddress

call [ebp+eax] //GetModuleHandle=GetProcAddress(hModule, lpProcName);</FONT>

//--------------------</FONT>

I want to have a complete imported function table similar in performance done in a real EXE file. If you look inside a PE file, you will discover that an API call is done by an indirection jump through the virtual address of the API function:

JMP DWORD PTR [XXXXXXXX]

Hide Copy Code

<FONT color=gray>...

0101F028: <FONT color=red>7C801D77</FONT>      ; Virtual Address of kernel32.LoadLibrary()

...

0101F120: JMP DWORD PTR [<FONT color=red>0101F028</FONT>]

...

0101F230: CALL <FONT color=red>0101F120</FONT> ;  JMP to kernel32.LoadLibrary

...</FONT>

It makes it easy to expand the other part of our project by this performance, so we construct two data tables: first for API virtual addresses, and the second for the JMP [XXXXXXXX].

Hide Copy Code

#define __jmp_api               byte_type(0xFF) byte_type(0x25)

__asm { ... //---------------------------------------------------------------- _p_GetModuleHandle: dword_type(0xCCCCCCCC) _p_VirtualProtect: dword_type(0xCCCCCCCC) _p_GetModuleFileName: dword_type(0xCCCCCCCC) _p_CreateFile: dword_type(0xCCCCCCCC) _p_GlobalAlloc: dword_type(0xCCCCCCCC) //---------------------------------------------------------------- _jmp_GetModuleHandle: __jmp_api dword_type(0xCCCCCCCC) _jmp_VirtualProtect: __jmp_api dword_type(0xCCCCCCCC) _jmp_GetModuleFileName: __jmp_api dword_type(0xCCCCCCCC) _jmp_CreateFile: __jmp_api dword_type(0xCCCCCCCC) _jmp_GlobalAlloc: __jmp_api dword_type(0xCCCCCCCC) //---------------------------------------------------------------- ... }

In the succeeding code, we has concluded our ambition to install a custom internal import table! (We can not call it import table.)

Hide Shrink PE打补丁技术大全

Copy Code

<FONT color=gray>    ...

    lea edi,[ebp+_p_szKernel32]

    lea ebx,[ebp+_p_GetModuleHandle]

    lea ecx,[ebp+_jmp_GetModuleHandle]

    add ecx,02h

_api_get_lib_address_loop:

        push ecx

        <FONT color=blue>push edi

        mov eax,offset _p_LoadLibrary

        call [ebp+eax]    //LoadLibrary(lpLibFileName);</FONT>

        pop ecx

        mov esi,eax       // esi -> hModule

        push edi

        call __strlen

        add esp,04h

        add edi,eax

_api_get_proc_address_loop:

            push ecx

            <FONT color=blue>push edi

            push esi

            mov eax,offset _p_GetProcAddress

            call [ebp+eax]//GetModuleHandle=GetProcAddress(hModule, lpProcName);</FONT>

            pop ecx

            <FONT color=green>mov [ebx],eax

            mov [ecx],ebx // JMP DWORD PTR [XXXXXXXX] </FONT>

            add ebx,04h

            add ecx,06h

            push edi

            call __strlen

            add esp,04h

            add edi,eax

            mov al,byte ptr [edi]

        test al,al

        jnz _api_get_proc_address_loop

        inc edi

        mov al,byte ptr [edi]

    test al,al

    jnz _api_get_lib_address_loop

    ...</FONT>

6.3 Fix up the Original Import Table

In order to run the program again, we should fix up the thunks of the actual import table, otherwise we have a corrupted target PE file. Our code must correct all of the thunks the same as Table 5 to Table 6. Once more,LoadLibrary() and GetProcAddress() aid us in our effort to reach our intention.

Hide Shrink PE打补丁技术大全

Copy Code

<FONT color=gray>    ...

    mov ebx,[ebp+<FONT color=red>_p_dwImportVirtualAddress</FONT>]

    test ebx,ebx

    jz _it_fixup_end

    mov esi,[ebp+<FONT color=red>_p_dwImageBase</FONT>]

    add ebx,esi                   // dwImageBase + dwImportVirtualAddress

_it_fixup_get_lib_address_loop:

        mov eax,[ebx+00Ch]        // image_import_descriptor.Name

        test eax,eax

        jz _it_fixup_end

        

        mov ecx,[ebx+010h]        // image_import_descriptor.FirstThunk

        add ecx,esi

        mov [ebp+<FONT color=red>_p_dwThunk</FONT>],ecx // dwThunk

        mov ecx,[ebx]             // image_import_descriptor.Characteristics

        test ecx,ecx

        jnz _it_fixup_table

            mov ecx,[ebx+010h]

_it_fixup_table:

        add ecx,esi

        mov [ebp+<FONT color=red>_p_dwHintName</FONT>],ecx // dwHintName

        add eax,esi  // image_import_descriptor.Name + dwImageBase = ModuleName

        <FONT color=blue>push eax  // lpLibFileName

        mov eax,offset _p_LoadLibrary

        call [ebp+eax]             // LoadLibrary(lpLibFileName);</FONT>



        test eax,eax

        jz _it_fixup_end

        mov edi,eax

_it_fixup_get_proc_address_loop:

            mov ecx,[ebp+<FONT color=red>_p_dwHintName</FONT>] // dwHintName

            mov edx,[ecx]            // image_thunk_data.Ordinal

            test edx,edx

            jz _it_fixup_next_module

            test edx,080000000h      // .IF( import by ordinal )

            jz _it_fixup_by_name

                and edx,07FFFFFFFh   // get ordinal

                jmp _it_fixup_get_addr

_it_fixup_by_name:

            add edx,esi  // image_thunk_data.Ordinal + dwImageBase = OrdinalName

            inc edx

            inc edx                  // OrdinalName.Name

_it_fixup_get_addr:

            <FONT color=blue>push edx //lpProcName

            push edi                 // hModule                        

            mov eax,offset _p_GetProcAddress

            call [ebp+eax] // GetProcAddress(hModule, lpProcName);</FONT>



            <FONT color=green>mov ecx,[ebp+<FONT color=red>_p_dwThunk</FONT>] // dwThunk

            mov [ecx],eax  // correction the thunk</FONT>

            // dwThunk => next dwThunk

            add dword ptr [ebp+<FONT color=red>_p_dwThunk</FONT>], <FONT color=blue>004h</FONT>

            // dwHintName => next dwHintName

            add dword ptr [ebp+<FONT color=red>_p_dwHintName</FONT>],<FONT color=blue>004h</FONT>

        jmp _it_fixup_get_proc_address_loop

_it_fixup_next_module:

        add ebx,014h      // sizeof(IMAGE_IMPORT_DESCRIPTOR)

    jmp _it_fixup_get_lib_address_loop

_it_fixup_end:

    ...</FONT>

7 Support DLL and OCX

Now, we intend to include the dynamic link library (DLL) and OLE-ActiveX Control in our PE builder project. Supporting them is very easy if we pay attention to the two time arrival into the Offset of Entry Point, the relocation table implementation, and the client import table.

PE Maker - Step 4

Download source files - 68.6 Kb

7.1 Twice OEP approach

The Offset of Entry Point of a DLL file or an OCX file is touched by the main program atleast twice:

Constructor:
When a DLL is loaded by LoadLibrary(), or an OCX is registered by using LoadLibrary() andGetProcAddress() through calling DllRegisterServer(), the first of the OEP arrival is done.

Hide Copy Code
```
hinstDLL = LoadLibrary( "test1.dll" );
```
Hide Copy Code
```
hinstOCX = LoadLibrary( "test1.ocx" ); _DllRegisterServer = GetProcAddress( hinstOCX, "DllRegisterServer" ); _DllRegisterServer(); // ocx register
```
Destructor:
When the main program frees the library usage by FreeLibrary(), the second OEP arrival happens.

Hide Copy Code
```
FreeLibrary( hinstDLL );
```
Hide Copy Code
```
FreeLibrary( hinstOCX );
```

To perform this, I have employed a trick, that causes in the second time again, the instruction pointer (EIP) traveling towards the original OEP by the structured exception handler.

Hide Copy Code

<FONT color=gray><FONT color=black>_main_0:

    pushad  // save the registers context in stack

    call _main_1

_main_1:    

    pop ebp

    sub ebp,offset _main_1 // get base ebp

    //---------------- support dll, ocx  -----------------

_support_dll_0:</FONT> 

    jmp _support_dll_1 // <FONT color=red>nop; nop; // << trick</FONT> // in the second time OEP

    <FONT color=black>jmp _support_dll_2</FONT>

_support_dll_1:

    //----------------------------------------------------

    

    ...

    

    //---------------- support dll, ocx  1 ---------------

    mov edi,[ebp+_p_dwImageBase]

    add edi,[edi+03Ch]// edi -> IMAGE_NT_HEADERS

    mov ax,word ptr [edi+016h]// edi -> image_nt_headers->FileHeader.Characteristics

    test ax,<FONT color=green>IMAGE_FILE_DLL</FONT>

    jz _support_dll_2

        mov ax, <FONT color=red>9090h // << trick</FONT>

        mov word ptr [ebp+_support_dll_0],ax</FONT>

<FONT color=black>_support_dll_2:

    //----------------------------------------------------

    ...

    into OEP by SEH ...</FONT>

I hope you have caught the trick in the preceding code, but this is not all of it, we have problem in ImageBase, when the library has been loaded in different image bases by the main program. We should write some code to find the real image base and store it to use forward.

Hide Copy Code

    <FONT color=gray>mov eax,<FONT color=green>[esp+24h]</FONT> // the real imagebase

    mov ebx,<FONT color=green>[esp+30h]</FONT> // oep

    cmp eax,ebx

    ja _no_dll_pe_file_0

        cmp word ptr [eax],IMAGE_DOS_SIGNATURE

        jne _no_dll_pe_file_0

            mov [ebp+_p_dwImageBase],eax

_no_dll_pe_file_0:</FONT>

This code finds the real image base by investigating the stack information. By using the real image base and the formal image base, we should correct all memory calls inside the image program!! Don't be afraid, it will be done simply by the relocating the table information.

7.2 Implement Relocation Table

To understand the relocation table better, you can take a look at the section 6.6 of Microsoft Portable Executable and Common Object File Format Specification document. The relocation table contains many packages to relocate the information related to the virtual address inside the virtual memory image. Each package comprise of a 8 bytes header to exhibit the base virtual address and the number of data, demonstrated by theIMAGE_BASE_RELOCATION data structure.

Hide Copy Code

typedef struct _IMAGE_BASE_RELOCATION { DWORD VirtualAddress; DWORD SizeOfBlock; } IMAGE_BASE_RELOCATION, *PIMAGE_BASE_RELOCATION;

Table 7 - The Relocation Table

Block[1]	VirtualAddress
	SizeOfBlock
	type:4	offset:12	type:4	offset:12
	type:4	offset:12	type:4	offset:12
	type:4	offset:12	type:4	offset:12
	...	...	...	...
	type:4	offset:12	00	00
Block[2]	VirtualAddress
	SizeOfBlock
	type:4	offset:12	type:4	offset:12
	type:4	offset:12	type:4	offset:12
	type:4	offset:12	type:4	offset:12
	...	...	...	...
	type:4	offset:12	00	00
...	...
Block[n]	VirtualAddress
	SizeOfBlock
	type:4	offset:12	type:4	offset:12
	type:4	offset:12	type:4	offset:12
	type:4	offset:12	type:4	offset:12
	...	...	...	...
	type:4	offset:12	00	00

Table 7 illustrates the main idea of the relocation table. Furthermore, you can upload a DLL or an OCX file inOllyDbg to observe the relocation table, the ".reloc" section through Memory map window. By the way, we find the position of the relocation table by using the following code in our project:

Hide Copy Code

DWORD dwVirtualAddress = image_nt_headers->

  OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].

  VirtualAddress;

DWORD dwSize = image_nt_headers->

  OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;

By OllyDbg, we have the same as the following for the ".reloc" section, by using the Long Hex viewer mode. In this example, the base virtual address is 0x1000 and the size of the block is 0x184.

Hide Copy Code

008E1000 : 00001000  00000184  30163000  30403028

008E1010 : 30683054  308C3080  30AC309C  30D830CC

008E1020 : 30E030DC  30E830E4  30F030EC  310030F4

008E1030 : 3120310D  315F3150  31A431A0  31C031A8

008E1040 : 31D031CC  31F431EC  31FC31F8  32043200

008E1050 : 320C3208  32143210  324C322C  32583254

008E1060 : 3260325C  32683264  3270326C  32B03274

It relocates the data in the subsequent virtual addresses:

Hide Copy Code

0x1000 + 0x0000 = 0x1000

0x1000 + 0x0016 = 0x1016

0x1000 + 0x0028 = 0x1028

0x1000 + 0x0040 = 0x1040

0x1000 + 0x0054 = 0x1054

...

Each package performs the relocation by using consecutive 4 bytes form its internal information. The first byte refers to the type of relocation and the next three bytes are the offset which must be used with the base virtual address and the image base to correct the image information.

type	offset
03	00	00	00

What is the type

The type can be one of the following values:

IMAGE_REL_BASED_ABSOLUTE (0): no effect.
IMAGE_REL_BASED_HIGH (1): relocate by the high 16 bytes of the base virtual address and the offset.
IMAGE_REL_BASED_LOW (2): relocate by the low 16 bytes of the base virtual address and the offset.
IMAGE_REL_BASED_HIGHLOW (3): relocate by the base virtual address and the offset.

What is done in the relocation?

By relocation, some values inside the virtual memory are corrected according to the current image base by the".reloc" section packages.

delta_ImageBase = current_ImageBase - image_nt_headers->OptionalHeader.ImageBase

Hide Copy Code

mem[ current_ImageBase + 0x1000 ] = 

   mem[ current_ImageBase + 0x1000 ] + delta_ImageBase ;

mem[ current_ImageBase + 0x1016 ] = 

   mem[ current_ImageBase + 0x1016 ] + delta_ImageBase ;

mem[ current_ImageBase + 0x1028 ] = 

   mem[ current_ImageBase + 0x1028 ] + delta_ImageBase ;

mem[ current_ImageBase + 0x1040 ] = 

   mem[ current_ImageBase + 0x1040 ] + delta_ImageBase ;

mem[ current_ImageBase + 0x1054 ] = 

  mem[ current_ImageBase + 0x1054 ] + delta_ImageBase ;

...

I have employed the following code from Morphine packer to implement the relocation.

Hide Shrink PE打补丁技术大全

Copy Code

    <FONT color=gray>...

_reloc_fixup:

    mov eax,[ebp+_p_dwImageBase]

    mov edx,eax

    mov ebx,eax

    add ebx,[ebx+3Ch] // edi -> IMAGE_NT_HEADERS

    mov ebx,[ebx+034h]// edx ->image_nt_headers->OptionalHeader.ImageBase

    <FONT color=red>sub edx,ebx // edx -> reloc_correction // delta_ImageBase</FONT>

    je _reloc_fixup_end

    mov ebx,[ebp+_p_dwRelocationVirtualAddress]

    test ebx,ebx

    jz _reloc_fixup_end

    add ebx,eax

_reloc_fixup_block:

    mov eax,[ebx+004h]          //ImageBaseRelocation.SizeOfBlock

    test eax,eax

    jz _reloc_fixup_end

    lea ecx,[eax-008h]

    shr ecx,001h

    lea edi,[ebx+008h]

_reloc_fixup_do_entry:

        movzx eax,word ptr [edi]//Entry

        push edx

        mov edx,eax

        shr eax,00Ch            //Type = Entry >> 12

        mov esi,[ebp+_p_dwImageBase]//ImageBase

        and dx,00FFFh

        add esi,[ebx]

        add esi,edx

        pop edx

_reloc_fixup_HIGH:              // IMAGE_REL_BASED_HIGH  

        dec eax

        jnz _reloc_fixup_LOW

            mov eax,edx

            shr eax,010h        //HIWORD(Delta)

            jmp _reloc_fixup_LOW_fixup        

_reloc_fixup_LOW:               // IMAGE_REL_BASED_LOW 

            dec eax

        jnz _reloc_fixup_HIGHLOW

        movzx eax,dx            //LOWORD(Delta)

_reloc_fixup_LOW_fixup:

            <FONT color=red>add word ptr [esi],ax// mem[x] = mem[x] + delta_ImageBase</FONT>

        jmp _reloc_fixup_next_entry

_reloc_fixup_HIGHLOW:           // IMAGE_REL_BASED_HIGHLOW

            dec eax

        jnz _reloc_fixup_next_entry

        <FONT color=red>add [esi],edx           // mem[x] = mem[x] + delta_ImageBase</FONT>

_reloc_fixup_next_entry:

        inc edi

        inc edi                 //Entry++

        loop _reloc_fixup_do_entry

_reloc_fixup_next_base:

    add ebx,[ebx+004h]

    jmp _reloc_fixup_block

_reloc_fixup_end:

    ...</FONT>

7.3 Build a Special Import table

In order to support the OLE-ActiveX Control registration, we should present an appropriate import table to our target OCX and DLL file.

Therefore, I have established an import table by the following string:

Hide Shrink PE打补丁技术大全

Copy Code

const char *sz_IT_OCX_strings[]= { "Kernel32.dll", "LoadLibraryA", "GetProcAddress", "GetModuleHandleA", 0, "User32.dll", "GetKeyboardType", "WindowFromPoint", 0, "AdvApi32.dll", "RegQueryValueExA", "RegSetValueExA", "StartServiceA", 0, "Oleaut32.dll", "SysFreeString", "CreateErrorInfo", "SafeArrayPtrOfIndex", 0, "Gdi32.dll", "UnrealizeObject", 0, "Ole32.dll", "CreateStreamOnHGlobal", "IsEqualGUID", 0, "ComCtl32.dll", "ImageList_SetIconSize", 0, 0, };

Without these API functions, the library can not be loaded, and moreover the DllregisterServer() andDllUregisterServer() will not operate. In CPECryptor::CryptFile, I have distinguished between EXE files and DLL files in the initialization of the new import table object during creation:

Hide Copy Code

if(( image_nt_headers->FileHeader.Characteristics 

             & IMAGE_FILE_DLL ) == IMAGE_FILE_DLL )

{

    ImportTableMaker = new CITMaker( IMPORT_TABLE_OCX ); } else { ImportTableMaker = new CITMaker( IMPORT_TABLE_EXE ); }

8 Preserve the Thread Local Storage

By using Thread Local Storage (TLS), a program is able to execute a multithreaded process, this performance mostly is used by Borland linkers: Delphi and C++ Builder. When you pack a PE file, you should take care to keep clean the TLS, otherwise, your packer will not support Borland Delphi and C++ Builder linked EXE files. To comprehend TLS, I refer you to section 6.7 of the Microsoft Portable Executable and Common Object File Format Specification document, you can observe the TLS structure by IMAGE_TLS_DIRECTORY32 in winnt.h.

Hide Copy Code

typedef struct _IMAGE_TLS_DIRECTORY32 { DWORD StartAddressOfRawData; DWORD EndAddressOfRawData; DWORD AddressOfIndex; DWORD AddressOfCallBacks; DWORD SizeOfZeroFill; DWORD Characteristics; } IMAGE_TLS_DIRECTORY32, * PIMAGE_TLS_DIRECTORY32;

To keep safe the TLS directory, I have copied it in a special place inside the loader:

Hide Copy Code

<FONT color=gray>...

_tls_dwStartAddressOfRawData:   dword_type(0xCCCCCCCC)

_tls_dwEndAddressOfRawData:     dword_type(0xCCCCCCCC)

_tls_dwAddressOfIndex:          dword_type(0xCCCCCCCC)

_tls_dwAddressOfCallBacks:      dword_type(0xCCCCCCCC)

_tls_dwSizeOfZeroFill:          dword_type(0xCCCCCCCC)

_tls_dwCharacteristics:         dword_type(0xCCCCCCCC)

...</FONT>

It is necessary to correct the TLS directory entry in the Optional Header:

Hide Copy Code

if(image_nt_headers->

  OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].

  VirtualAddress!=0)

{

    memcpy(&pDataTable->image_tls_directory,

           image_tls_directory,

           sizeof(IMAGE_TLS_DIRECTORY32)); dwOffset=DWORD(pData1)-DWORD(pNewSection); dwOffset+=sizeof(t_DATA_1)-sizeof(IMAGE_TLS_DIRECTORY32); image_nt_headers-> OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS]. VirtualAddress=dwVirtualAddress + dwOffset; }

9 Inject your code

We are ready to place our code inside the new section. Our code is a "Hello World!" message by MessageBox()from user32.dll.

Hide Copy Code

    <FONT color=gray>...

    push MB_OK | MB_ICONINFORMATION

    lea eax,[ebp+_p_szCaption] push eax lea eax,[ebp+_p_szText] push eax push NULL call _jmp_MessageBox // MessageBox(NULL, szText, szCaption, MB_OK | MB_ICONINFORMATION) ; ...</FONT>

PE Maker - Step 5

Download source files - 71.7 Kb

你可能感兴趣的:(技术)

移动端城市区县二级联动选择功能实现包 good2know
本文还有配套的精品资源，点击获取简介：本项目是一套为移动端设计的jQuery实现方案，用于简化用户在选择城市和区县时的流程。它包括所有必需文件：HTML、JavaScript、CSS及图片资源。通过动态更新下拉菜单选项，实现城市到区县的联动效果，支持数据异步加载。开发者可以轻松集成此功能到移动网站或应用，并可基于需求进行扩展和优化。1.jQuery移动端解决方案概述jQuery技术简介jQuery
Git 与 GitHub 的对比与使用指南一念& 其它 git github
Git与GitHub的对比与使用指南在软件开发中，Git和GitHub是两个密切相关但本质不同的工具。下面我将逐步解释它们的定义、区别、核心概念以及如何协同使用，确保内容真实可靠，基于广泛的技术实践。1.什么是Git？Git是一个分布式版本控制系统，由LinusTorvalds于2005年创建。它的核心功能是跟踪代码文件的变化，帮助开发者管理项目历史记录、协作和回滚错误。Git是开源的，可以在本地
英伟达靠什么支撑起了4万亿？AI泡沫还能撑多久？
英伟达市值突破4万亿美元，既是AI算力需求爆发的直接体现，也暗含市场对未来的狂热预期。其支撑逻辑与潜在风险并存，而AI泡沫的可持续性则取决于技术、商业与地缘政治的复杂博弈。⚙️一、英伟达4万亿市值的核心支撑因素技术垄断与生态壁垒硬件优势：英伟达GPU在AI训练市场占有率超87%，H100芯片的FP16算力达1979TFLOPS，领先竞品3-5倍。CUDA生态：400万开发者构建的软件护城河，成为A
Flowable 实战落地核心：选型决策与坑点破解练习时长两年半的程序员小胡 Flowable 流程引擎实战指南低代码 BPMN 流程引擎 flowable 后端 java
在企业级流程引擎的落地过程中，选型的准确性和坑点的预见性直接决定项目成败。本文聚焦Flowable实战中最关键的“选型决策”与“常见坑点”，结合真实项目经验，提供可落地的解决方案。一、流程引擎选型：从业务本质出发1.1选型的三大核心维度企业在选择流程引擎时，需避免陷入“技术崇拜”，应回归业务本质。评估Flowable是否适用，可从三个维度判断：业务复杂度若流程涉及动态审批链（如按金额自动升级审批）
企业级区块链平台Hyperchain核心原理剖析 boyedu 区块链区块链企业级区块链平台 Hyperchain
Hyperchain作为国产自主可控的企业级联盟区块链平台，其核心原理围绕高性能共识、隐私保护、智能合约引擎及可扩展架构展开，通过多模块协同实现企业级区块链网络的高效部署与安全运行。以下从核心架构、关键技术、性能优化、安全机制、应用场景五个维度展开剖析：一、核心架构：分层解耦与模块化设计Hyperchain采用分层架构，将区块链功能解耦为独立模块，支持灵活组合与扩展：P2P网络层由验证节点（VP）
Aop +反射实现方法版本动态切换
需求分析在做技术选型的时候一直存在着两个声音，mongo作为数据库比较mysql好，mysql做为该数据比mongo好。当然不同数据库都有有着自己的优势，我们在做技术选型的时候无非就是做到对数据库的扬长避短。mysql最大的优势就是支持事务，事务的五大特性保证的业务可靠性，随之而来的就是事务会产生的问题：脏读、幻读、不可重复度，当然我们也会使用不同的隔离级别来解决。（最典型的业务问题：银行存取钱）
最新阿里四面面试真题46道：面试技巧+核心问题+面试心得风平浪静如码
前言做技术的有一种资历，叫做通过了阿里的面试。这些阿里Java相关问题，都是之前通过不断优秀人才的铺垫总结的，先自己弄懂了再去阿里面试，不然就是去丢脸，被虐。希望对大家帮助，祝面试成功，有个更好的职业规划。一，阿里常见技术面1、微信红包怎么实现。2、海量数据分析。3、测试职位问的线程安全和非线程安全。4、HTTP2.0、thrift。5、面试电话沟通可能先让自我介绍。6、分布式事务一致性。7、ni
深入理解汇编语言子程序设计与系统调用网安spinage 汇编语言开发语言汇编算法
本文将全面解析汇编语言中子程序设计的核心技术以及系统调用的实现方法，涵盖参数传递的多种方式、堆栈管理、API调用等关键知识点，并提供实际案例演示。一、子程序设计：参数传递的艺术1.寄存器传参：高效简洁.386.modelflat,stdcalloptioncasemap:none.dataxdd5;定义变量ydd6sumdd?.code;函数定义：addxy1addxy1procpushebpmo
编程算法：技术创新的引擎与业务增长的核心驱动力
在数字经济时代，算法已成为推动技术创新与业务增长的隐形引擎。从存内计算突破冯·诺依曼瓶颈，到动态规划优化万亿级金融交易，编程算法正在重塑产业竞争格局。一、存内计算：突破冯·诺依曼瓶颈的算法革命1.1存内计算的基本原理传统计算架构中90%的能耗消耗在数据搬运上。存内计算（Processing-in-Memory）通过直接在存储单元执行计算，实现能效10-100倍提升：#传统计算vs存内计算能耗模型i
基于redis的Zset实现作者的轻量级排名周童學 Java redis 数据库缓存
基于redis的Zset实现轻量级作者排名系统在今天的技术架构中，Redis是一种广泛使用的内存数据存储系统，尤其在需要高效检索和排序的场景中表现优异。在本篇博客中，我们将深入探讨如何使用Redis的有序集合（ZSet）构建一个高效的笔记排行榜系统，并提供相关代码示例和详细的解析。1.功能背景与需求假设我们有一个笔记分享平台，用户可以发布各种笔记，系统需要根据用户发布的笔记数量来生成一个实时更新的
【焦点咨询的“无为”】邹庆会，持续分享第690天，2020年1月23日邹庆会
焦点课堂上，刘老师强调，焦点咨询师要“无为”，当时我就很困惑：我们“无为”，我们什么都不做，那来访者找我们做什么呢？那我们又怎么样来引领来访者呢？又怎么样让来访者在咨询当中有更多的收获呢？带着这个困惑，我逐渐在咨询中，包括在陪伴儿子的过程中，试着慢慢地放下期待、忘掉技术，寻找“无为”的感觉，寻找“无为”的痕迹，以及“无为”之后的一些效果的呈现。也慢慢的悟出一些自己的感受和体会。就像《道德经》中所说
5G基站信号加速器！AD8021ARZ-REEL7亚德诺超低噪声高速电压放大器专利失真消除技术! 深圳市尚想信息技术有限公司 5G通信高速运放 ADI黑科技 8K视频医疗超声
AD8021ARZ-REEL7ADI：重新定义高速放大器的性能极限！一、产品简介AD8021ARZ-REEL7是ADI（亚德诺半导体）推出的超低噪声高速电压反馈放大器，采用XFCB工艺和专利失真消除技术，专为4K/8K视频处理、医疗成像、5G通信等超高频应用设计。以1.8GHz带宽和0.1nV/√Hz超低噪声，成为高速信号调理的终极解决方案！二、五大颠覆性优势军工级信号保真度1.8GHz-3dB带
北斗短报文兜底、5G-A增强：AORO P1100三防平板构建应急通信网络
公网中断的灾区现场，泥石流阻断了最后一条光缆。一支救援队却在废墟间有序穿行，队长手中的三防平板正闪烁着北斗卫星信号，定位坐标与伤亡信息化作一行行短报文，穿透通信孤岛直达指挥中心。这是AOROP1100三防平板搭载的北斗短报文功能在应急救援中的真实场景，更代表了工业移动终端在极端环境下的能力跃迁。AOROP1100三防平板作为遨游通讯2025年推出的旗舰三防设备，AOROP1100三防平板的技术基底
猎板 PCB 控深槽工艺：5G 基站散热模块的关键支撑猎板PCB黄浩 5G 运维数据库
PCB控深槽工艺在5G基站散热模块中的关键作用：猎板PCB的技术突破在5G基站的密集高频信号与高功率运行环境下，散热性能直接决定了设备的稳定性和寿命。猎板PCB通过创新性的控深槽工艺（控深锣/控深铣），结合材料科学与结构优化，为5G基站散热模块提供了高精度、高可靠性的解决方案，有效攻克了高热负荷下的技术瓶颈。一、5G基站散热的核心挑战热负荷激增：5G基站的射频功放（PA）、电源管理模块等器件功耗显
元宇宙中的视觉技术：虚拟化身与场景生成 xcLeigh 计算机视觉CV 元宇宙虚拟化身场景生成 AIGC 数字孪生
元宇宙中的视觉技术：虚拟化身与场景生成前言一、元宇宙与视觉技术的深度关联1.1元宇宙概念深度剖析1.2视觉技术：元宇宙的“灵魂之窗”二、虚拟化身：数字世界的“第二自我”2.1虚拟化身技术的深度解析2.1.1核心技术构成2.1.2技术实现原理与流程2.2虚拟化身的应用领域及案例展示2.2.1游戏娱乐领域2.2.2教育培训领域三、场景生成：构建元宇宙的虚拟天地3.1场景生成技术全景透视3.1.1关键技
处于停机等非正常状态_设备非正常停机管理指导办法
设备非正常停机管理指导办法一、设备非正常停机的范围：1、维护、维修不良：未遵守设备维护及维修规程，导致维护、维修质量无法满足设备运行的技术、环境要求而造成的设备停机，例如：未按维护保养计划保养、维护质量不到位、违章检修，故障维修不彻底，润滑缺油或变质等。2、违章操作：未按照设备操作规程及作业文件等操作而造成的设备停机。3、设备点检缺失：是指设备操作者及维修人员未严格按照点检标准有效地对设备各部位进
DPDK 技术详解：榨干网络性能的“瑞士军刀”
你是否曾感觉，即使拥有顶级的服务器和万兆网卡，你的网络应用也总是“喂不饱”硬件，性能总差那么一口气？传统的网络处理方式，就像在高速公路上设置了太多的收费站和检查点，限制了数据包的“奔跑”速度。今天，我们要深入探讨一个能够打破这些瓶颈，让你的网络应用快到飞起的“黑科技”——DPDK(DataPlaneDevelopmentKit，数据平面开发套件)。这不仅仅是一个工具包，更是一种全新的网络处理哲学。
【Coze搞钱实战】3. 避坑指南：对话流设计中的6个致命错误（真实案例） AI_DL_CODE Coze平台对话流设计客服Bot避坑用户流失封号风险智能客服配置故障修复指南
摘要：对话流设计是智能客服Bot能否落地的核心环节，直接影响用户体验与业务安全。本文基于50+企业Bot部署故障分析，聚焦导致用户流失、投诉甚至封号的6大致命错误：无限循环追问、人工移交超时、敏感词过滤缺失、知识库冲突、未处理否定意图、跨平台适配失败。通过真实案例拆解每个错误的表现形式、技术根因及工业级解决方案，提供可直接复用的Coze配置代码、工作流模板和检测工具。文中包含对话流健康度检测工具使
Deepseek技术深化：驱动大数据时代颠覆性变革的未来引擎荣华富贵8 spring boot 搜索引擎后端缓存 redis
在大数据时代，信息爆炸和数据驱动的决策逐渐重塑各行各业。作为一项前沿技术，Deepseek正在引领新一轮技术革新，颠覆传统数据处理与分析方式。本文将从理论原理、应用场景和前沿代码实践三个层面，深入剖析Deepseek技术如何为大数据时代提供颠覆性变革的解决方案。一、技术背景与核心思想1.1大数据挑战与机遇在数据量呈指数级增长的背景下，传统数据处理方法面临数据存储、计算效率和信息提取精度的诸多挑战。
大模型量化终极对决：FP8 vs AWQ INT4，谁才是性能与精度的王者？曦紫沐大模型人工智能大模型量化 FP8 AWQ_INT4
摘要在大模型部署与优化中，量化技术是突破性能瓶颈的关键。FP8量化与AWQINT4量化作为当前主流方案，分别以“高精度”和“极致压缩”为核心优势。本文通过表格对比二者的数据格式、精度损失、硬件依赖及适用场景，助您在不同需求下精准选择最优方案。一、数据格式：浮点与整数的底层差异FP8量化采用浮点数（FP8），包含E4M3（4位阶码+3位尾数）和E5M2（5位阶码+2位尾数）两种格式，保留动态范围；而
分布式链路追踪系统架构设计：从理论到企业级实践 ma451152002 java 分布式系统架构
分布式链路追踪系统架构设计：从理论到企业级实践本文深入探讨分布式链路追踪系统的架构设计原理、关键技术实现和企业级应用实践，为P7架构师提供完整的技术方案参考。目录引言：分布式链路追踪的重要性核心概念与技术原理系统架构设计数据模型与协议标准核心组件架构设计性能优化与扩展性设计企业级实施策略技术选型与对比分析监控与运维体系未来发展趋势P7架构师面试要点引言：分布式链路追踪的重要性微服务架构下的挑战在现
中原焦点团队党秀丽分享276天，约练268次，5月29日，周五润物无声dang
第十二次课，答疑解惑。1.咨询约练过程中遇到来访者上来就说想处理情绪，可是聊的过程中他又不想具体聊他的情绪怎么产生的，多久了，就是希望用外化技术处理他的情绪，我除了好奇是什么让他希望用外化呢，也用阳谋告诉他，外化前也是需要具体的聊聊这个情绪的，还可以怎么做呢？给他安全感这一块大概怎么做呢？不想具体说有他的道理，聊聊情绪大概是什么事儿？专业的认识，专业度的认可。不带功利心，转介几次的不太好，信任程度
Android 媒体播放开发完全指南安卓开发者 Android Jetpack android 媒体 python
引言在当今移动应用生态中，媒体播放功能已成为许多应用的核心组成部分。无论是音乐流媒体应用、视频平台、播客客户端还是游戏应用，都需要强大的媒体播放能力。Android平台提供了丰富的API来支持各种媒体播放场景。本文将全面介绍Android媒体播放的开发技术，从基础到高级功能实现。一、Android媒体播放基础1.1支持的媒体格式Android原生支持多种媒体格式：音频：MP3、AAC、FLAC、W
Android Slices：让应用功能在系统级交互中触手可及安卓开发者 Android Jetpack android 交互 gitee
引言在当今移动应用生态中，用户每天要面对数十个甚至上百个应用的选择，如何让自己的应用在关键时刻触达用户，成为开发者面临的重要挑战。Google在Android9Pie中引入的Slices技术，正是为了解决这一痛点而生。本文将全面介绍AndroidSlices的概念、实现方法、应用场景以及最佳实践，帮助开发者掌握这一提升用户参与度的强大工具。什么是AndroidSlices？AndroidSlice
从振动信号到精准预警：AI 如何重塑工业设备健康管理？缘华工业智维人工智能计算机视觉边缘计算信息与通信
在智能制造浪潮席卷全球的当下，工业生产正经历着从传统模式向智能化、数字化转型的深刻变革。在这场变革中，AI驱动的振动分析技术犹如一颗璀璨新星，成为工业设备可靠运行的“健康卫士”。它通过在设备关键部位部署振动传感器，如同医生为患者听诊般实时采集设备运行时的振动信号，再借助强大的人工智能算法对这些“工业脉搏”进行深度解析，从而实现对工业设备从故障预警到寿命预测的全周期精准守护。一、AI振动分析：设备状
基于DeepSeek的下一代大型游戏开发革命：架构、核心技术与项目管理实践 Liudef06小白特殊专栏人工智能 AIGC 架构人工智能 deepseek
基于DeepSeek的下一代大型游戏开发革命：架构、核心技术与项目管理实践DeepSeek大模型正重塑游戏开发范式，本文将深入解析如何利用这一革命性技术构建下一代大型游戏，涵盖从架构设计到项目管理的全流程实践。目录DeepSeek游戏引擎核心架构1.1神经符号系统融合架构1.2动态世界生成引擎智能NPC与剧情系统2.1角色人格建模技术2.2动态叙事生成算法大型项目管理体系3.1敏捷-AI混合开发流
魔搭平台实战：手把手教你训练SDXL模型，解锁AI绘画新纪元 Liudef06小白特殊专栏 AIGC 人工智能 AI作画人工智能 AIGC
魔搭平台实战：手把手教你训练SDXL模型，解锁AI绘画新纪元随着多模态AI技术的爆发式发展，StableDiffusionXL（SDXL）等文生图模型正在彻底重塑创意产业工作流。本文将深入解析如何在魔搭平台高效训练SDXL模型，并探讨AI绘画技术对设计行业的革命性影响。一、SDXL模型架构解析1.1双文本编码器设计SDXL采用双文本编码器架构，显著提升提示词理解能力：#SDXL文本编码器结构示意c
量子计算解决气候变化：科学家找到了新方法大力出奇迹985 量子计算
气候变化已成为全球面临的严峻挑战，传统计算方法在应对与之相关的复杂问题时存在诸多局限。而量子计算作为新兴技术，为解决气候变化难题带来曙光。本文深入剖析科学家利用量子计算应对气候变化的新方法。量子计算凭借独特的量子比特与量子特性，在加速气候模型计算、优化模型参数、预测极端天气事件等方面展现出巨大优势。同时，在可再生能源整合、电网管理、碳捕获等实际应用场景中也发挥着重要作用。尽管目前面临硬件和算法等方
AI 生成虚拟宠物：24 小时陪你聊天解闷大力出奇迹985 人工智能宠物
本文围绕AI生成虚拟宠物展开，介绍这类依托人工智能技术诞生的虚拟伙伴，能实现24小时不间断陪伴聊天，为人们解闷。文中详细阐述其技术基础，包括自然语言处理、机器学习等；分析多样功能，如个性化互动、情绪回应等；探讨在独居人群、压力大者等不同群体中的应用场景，最后总结其为人们生活带来的积极影响及未来发展潜力，展现AI虚拟宠物在陪伴领域的独特价值。一、AI生成虚拟宠物的诞生背景与技术基石在快节奏的现代社会
java实习生40多天有感别拿爱情当饭吃
从5月15日开始，我开始第一步步入社会，我今年大三，在一家上市互联网公司做一名实习生，主要做java后端开发。开始的时候，觉得公司的环境挺不错的，不过因为公司在CBD，所以隔壁的午饭和晚饭都要20+RMB，而且还吃不饱，这让我感觉挺郁闷的。一到下午，我就会犯困（因为饿）。因此，我又不得不买一些干粮在公司屯着。关于技术，有一个比较大的项目在需求调研当中，我们做实习生，就是辅助项目经理，测试功能，并且
springmvc 下 freemarker页面枚举的遍历输出杨白白 enum freemarker
spring mvc freemarker 中遍历枚举 1枚举类型有一个本地方法叫values（），这个方法可以直接返回枚举数组。所以可以利用这个遍历。 enum public enum BooleanEnum { TRUE(Boolean.TRUE, "是"), FALSE(Boolean.FALSE, "否");
实习简要总结 byalias 工作
来白虹不知不觉中已经一个多月了，因为项目还在需求分析及项目架构阶段，自己在这段时间都是在学习相关技术知识，现在对这段时间的工作及学习情况做一个总结：（1）工作技能方面大体分为两个阶段，Java Web 基础阶段和Java EE阶段 1）Java Web阶段在这个阶段，自己主要着重学习了 JSP, Servlet, JDBC, MySQL，这些知识的核心点都过了一遍，也
Quartz——DateIntervalTrigger触发器 eksliang quartz
转载请出自出处：http://eksliang.iteye.com/blog/2208559 一.概述 simpleTrigger 内部实现机制是通过计算间隔时间来计算下次的执行时间，这就导致他有不适合调度的定时任务。例如我们想每天的 1：00AM 执行任务，如果使用 SimpleTrigger，间隔时间就是一天。注意这里就会有一个问题，即当有 misfired 的任务并且恢复执行时，该执行时间
Unix快捷键 18289753290 unix Unix；快捷键;
复制，删除，粘贴： dd:删除光标所在的行 &nbs
获取Android设备屏幕的相关参数酷的飞上天空 android
包含屏幕的分辨率以及屏幕宽度的最大dp 高度最大dp TextView text = (TextView)findViewById(R.id.text); DisplayMetrics dm = new DisplayMetrics(); text.append("getResources().ge
要做物联网？先保护好你的数据蓝儿唯美数据
根据Beecham Research的说法，那些在行业中希望利用物联网的关键领域需要提供更好的安全性。在Beecham的物联网安全威胁图谱上，展示了那些可能产生内外部攻击并且需要通过快速发展的物联网行业加以解决的关键领域。 Beecham Research的技术主管Jon Howes说：“之所以我们目前还没有看到与物联网相关的严重安全事件，是因为目前还没有在大型客户和企业应用中进行部署，也就
Java取模（求余）运算随便小屋 java
整数之间的取模求余运算很好求，但几乎没有遇到过对负数进行取模求余，直接看下面代码： /** * * @author Logic * */ public class Test { public static void main(String[] args) { // TODO A
SQL注入介绍 aijuans sql注入
二、SQL注入范例这里我们根据用户登录页面 <form action="" > 用户名：<input type="text" name="username"><br/> 密码：<input type="password" name="passwor
优雅代码风格 aoyouzi 代码
总结了几点关于优雅代码风格的描述：代码简单：不隐藏设计者的意图，抽象干净利落，控制语句直截了当。接口清晰：类型接口表现力直白，字面表达含义，API 相互呼应以增强可测试性。依赖项少：依赖关系越少越好，依赖少证明内聚程度高，低耦合利于自动测试，便于重构。没有重复：重复代码意味着某些概念或想法没有在代码中良好的体现，及时重构消除重复。战术分层：代码分层清晰，隔离明确，
布尔数组百合不是茶 java 布尔数组
androi中提到了布尔数组; 布尔数组默认的是false, 并且只会打印false或者是true 布尔数组的例子; 根据字符数组创建布尔数组 char[] c = {'p','u','b','l','i','c'}; //根据字符数组的长度创建布尔数组的个数 boolean[] b = new bool
web.xml之welcome-file-list、error-page bijian1013 java web.xml servlet error-page
welcome-file-list 1.定义： <welcome-file-list> <welcome-file>login.jsp</welcome> </welcome-file-list> 2.作用：用来指定WEB应用首页名称。 error-page1.定义： <error-page&g
richfaces 4 fileUpload组件删除上传的文件 sunjing clear Richfaces 4 fileupload
页面代码 <h:form id="fileForm"> <rich:
技术文章备忘 bit1129 技术文章
Zookeeper http://wenku.baidu.com/view/bab171ffaef8941ea76e05b8.html http://wenku.baidu.com/link?url=8thAIwFTnPh2KL2b0p1V7XSgmF9ZEFgw4V_MkIpA9j8BX2rDQMPgK5l3wcs9oBTxeekOnm5P3BK8c6K2DWynq9nfUCkRlTt9uV
org.hibernate.hql.ast.QuerySyntaxException: unexpected token: on near line 1解决方案白糖_ Hibernate
文章摘自：http://blog.csdn.net/yangwawa19870921/article/details/7553181 在编写HQL时，可能会出现这种代码： select a.name,b.age from TableA a left join TableB b on a.id=b.id 如果这是HQL，那么这段代码就是错误的，因为HQL不支持
sqlserver按照字段内容进行排序 bozch 按照内容排序
在做项目的时候，遇到了这样的一个需求：从数据库中取出的数据集，首先要将某个数据或者多个数据按照地段内容放到前面显示，例如:从学生表中取出姓李的放到数据集的前面； select * fro
编程珠玑-第一章-位图排序 bylijinnan java 编程珠玑
import java.io.BufferedWriter; import java.io.File; import java.io.FileWriter; import java.io.IOException; import java.io.Writer; import java.util.Random; public class BitMapSearch {
Java关于==和equals chenbowen00 java
关于==和equals概念其实很简单，一个是比较内存地址是否相同，一个比较的是值内容是否相同。虽然理解上不难，但是有时存在一些理解误区，如下情况： 1、 String a = "aaa"; a=="aaa"; ==> true 2、 new String("aaa")==new String("aaa
[IT与资本]软件行业需对外界投资热情保持警惕 comsci it
我还是那个看法,软件行业需要增强内生动力,尽量依靠自有资金和营业收入来进行经营,避免在资本市场上经受各种不同类型的风险,为企业自主研发核心技术和产品提供稳定,温和的外部环境... 如果我们在自己尚未掌握核心技术之前,企图依靠上市来筹集资金,然后使劲往某个领域砸钱,然
oracle 数据块结构 daizj oracle 块数据块块结构行目录
oracle 数据块是数据库存储的最小单位，一般为操作系统块的N倍。其结构为：块头－－〉空行－－〉数据，其实际为纵行结构。块的标准大小由初始化参数DB_BLOCK_SIZE指定。具有标准大小的块称为标准块（Standard Block）。块的大小和标准块的大小不同的块叫非标准块（Nonstandard Block）。同一数据库中，Oracle9i及以上版本支持同一数据库中同时使用标
github上一些觉得对自己工作有用的项目收集 dengkane github
github上一些觉得对自己工作有用的项目收集技能类 markdown语法中文说明回到顶部全文检索 elasticsearch bigdesk elasticsearch管理插件回到顶部 nosql mapdb 支持亿级别map, list, 支持事务. 可考虑做为缓存使用 C
初二上学期难记单词二 dcj3sjt126com english word
dangerous 危险的 panda 熊猫 lion 狮子 elephant 象 monkey 猴子 tiger 老虎 deer 鹿 snake 蛇 rabbit 兔子 duck 鸭 horse 马 forest 森林 fall 跌倒；落下 climb 爬；攀登 finish 完成；结束 cinema 电影院；电影 seafood 海鲜；海产食品 bank 银行
8、mysql外键(FOREIGN KEY)的简单使用 dcj3sjt126com mysql
一、基本概念 1、MySQL中“键”和“索引”的定义相同，所以外键和主键一样也是索引的一种。不同的是MySQL会自动为所有表的主键进行索引，但是外键字段必须由用户进行明确的索引。用于外键关系的字段必须在所有的参照表中进行明确地索引，InnoDB不能自动地创建索引。 2、外键可以是一对一的，一个表的记录只能与另一个表的一条记录连接，或者是一对多的，一个表的记录与另一个表的多条记录连接。 3、如
java循环标签 Foreach shuizhaosi888 标签 java循环 foreach
1. 简单的for循环 public static void main(String[] args) { for (int i = 1, y = i + 10; i < 5 && y < 12; i++, y = i * 2) { System.err.println("i=" + i + " y="
Spring Security（05）——异常信息本地化 234390216 exception Spring Security 异常信息本地化
异常信息本地化 Spring Security支持将展现给终端用户看的异常信息本地化，这些信息包括认证失败、访问被拒绝等。而对于展现给开发者看的异常信息和日志信息（如配置错误）则是不能够进行本地化的，它们是以英文硬编码在Spring Security的代码中的。在Spring-Security-core-x
DUBBO架构服务端告警Failed to send message Response javamingtingzhao 架构 DUBBO
废话不多说，警告日志如下，不知道有哪位遇到过，此异常在服务端抛出(服务器启动第一次运行会有这个警告)，后续运行没问题，找了好久真心不知道哪里错了。 WARN 2015-07-18 22:31:15,272 com.alibaba.dubbo.remoting.transport.dispatcher.ChannelEventRunnable.run(84)
JS中Date对象中几个用法 leeqq JavaScript Date 最后一天
近来工作中遇到这样的两个需求 1. 给个Date对象，找出该时间所在月的第一天和最后一天 2. 给个Date对象，找出该时间所在周的第一天和最后一天需求1中的找月第一天很简单，我记得api中有setDate方法可以使用使用setDate方法前，先看看getDate var date = new Date(); console.log(date); // Sat J
MFC中使用ado技术操作数据库你不认识的休道人 sql mfc
1.在stdafx.h中导入ado动态链接库 #import"C:\Program Files\Common Files\System\ado\msado15.dll" no_namespace rename("EOF","end")2.在CTestApp文件的InitInstance()函数中domodal之前写::CoIniti
Android Studio加速 rensanning android studio
Android Studio慢、吃内存！启动时后会立即通过Gradle来sync & build工程。（1）设置Android Studio a) 禁用插件 File -> Settings... Plugins 去掉一些没有用的插件。比如：Git Integration、GitHub、Google Cloud Testing、Google Cloud
各数据库的批量Update操作 tomcat_oracle java oracle sql mysql sqlite
MyBatis的update元素的用法与insert元素基本相同，因此本篇不打算重复了。本篇仅记录批量update操作的 sql语句，懂得SQL语句，那么MyBatis部分的操作就简单了。　　注意：下列批量更新语句都是作为一个事务整体执行，要不全部成功，要不全部回滚。 MSSQL的SQL语句　WITH R AS（　　SELECT 'John' as name, 18 as
html禁止清除input文本输入缓存 xp9802 input
多数浏览器默认会缓存input的值，只有使用ctl+F5强制刷新的才可以清除缓存记录。如果不想让浏览器缓存input的值，有2种方法：方法一：在不想使用缓存的input中添加 autocomplete="off"; eg: <input type="text" autocomplete="off" name

PE打补丁技术大全

Downloads

Contents

0 Preface

1 Prerequisite

2 Portable Executable file format

2.1 The MS-DOS data

PE Viewer

Table 1 - Portable Executable file format structure

2.2 The Windows NT data

2.3 The Section Headers and Sections

Table 2 - Section names

3 Debugger, Disassembler and some Useful Tools

3.1 Debuggers

3.1.1 SoftICE

Figure 1 - SoftICE Window

3.1.2 OllyDbg

Figure 2 - OllyDbg CPU Window

3.1.3 Which parts are important in a debugger interface?

3.2 Disassembler

3.2.1 Proview disassembler

3.2.2 W32Dasm

3.2.3 IDA Pro

3.3 Some Useful Tools

3.3.1 LordPE

3.3.2 PEiD

3.3.3 Resource Hacker

3.3.4 WinHex

3.3.5 CFF Explorer

4 Add new section and Change OEP

Figure 3

PE Maker - Step 1

CALC.EXE - test file

DynLoader Step 1

4.1 Retrieve and Rebuild PE file

CPELibrary Class Step 1

4.2 Create Data for new Section

CPECryptor Class Step 1

4.3 Some notes regarding creating a new PE file

4.4 Some notes regarding linking this VC Project

5 Store Important Data and Reach Original OEP

PE Maker - Step 2

DynLoader Step 2

5.1 Restore the first Registers Context

5.2 Restore the Original Stack

5.3 Approach OEP by Structured Exception Handling

5.3.1 Implement Exception Handler

How the SEH installation is implemented

Thread Information Block (TIB)

Table 3 - FS segment register and Thread Information Block

5.3.2 Attain OEP by adjusting the Thread Context

Win32 Thread Context structure

Table 4 - CONTEXT

6 Build an Import Table and Reconstruct the Original Import Table

PE Maker - Step 3

6.1 Construct the Client Import Table

Table 5 - The Import Table in file image

Table 6 - The Import Table in virtual memory

6.2 Using other API functions in run-time

JMP DWORD PTR [XXXXXXXX]

6.3 Fix up the Original Import Table

7 Support DLL and OCX

PE Maker - Step 4

7.1 Twice OEP approach

7.2 Implement Relocation Table

Table 7 - The Relocation Table

What is the type

What is done in the relocation?

7.3 Build a Special Import table

8 Preserve the Thread Local Storage

9 Inject your code

PE Maker - Step 5

你可能感兴趣的:(技术)