新学脱壳,还在大门外转悠,写了这个小东东让大家乐乐。
IDFooler,用于欺骗文件检测工具,目前仅能伪装成VC和DELPHI。VC那个还行,DELPHI这个能骗过FI,骗不过PEID。以前坛子里有大大写过,我这个感觉更“傻瓜”一些。
在98下运行没问题,请各位在不同系统中测试。注意:工具会直接改写目标文件,改写前先复制一份同名的 .bak 备份(再次运行会覆盖这份备份),建议先在副本上试。如果哪位有各种壳和编译器的特征码请赐教。
关键部分的源码:
代码:
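// Round `value` up to the next multiple of `align` (align must be non-zero).
// Equivalent to the original "while (x < end) x += align;" loops, including
// value == 0 -> 0.
static DWORD IdfRoundUp(DWORD value, DWORD align)
{
    return (value + align - 1) / align * align;
}

// OnApply: disguise the PE file named by m_filename as a VC or Delphi build
// (selected by the `type` member) so that signature scanners keying on the
// bytes at the entry point misidentify the compiler.
//
// How: a new section "RoBa" is appended holding a fake compiler prologue
// followed by `jmp <original entry point>`; AddressOfEntryPoint, the linker
// version fields and SizeOfImage are updated to match. A copy of the untouched
// file is kept as "<m_filename>.bak".
//
// Fixes over the first version:
//   - `type` outside TYPE_VC/TYPE_DELPHI no longer uses an uninitialised
//     stub length; it is rejected up front.
//   - PE32+ images (optional-header magic != 0x10B) are rejected instead of
//     being patched through the PE32 header layout.
//   - The section table is located via SizeOfOptionalHeader, and the new
//     header is only added if there is room for it before SizeOfHeaders and
//     before the first section's raw data (NumberOfSections used to be bumped
//     and written without that check).
//   - Alignment comes from SectionAlignment/FileAlignment instead of a fixed
//     0x1000/0x200.
//   - The new section is placed after the real end of file, so data past the
//     last section (an overlay) is preserved instead of truncated by SetLength.
//   - Every header read is length-checked and all checks run before the first
//     write, so a rejected file is left unchanged. Headers are written last.
//
// As in the original, MFC CFile I/O errors are not caught here.
void CPEDlg::OnApply()
{
    // Fake prologues. The VC stub decodes to a push/SEH-install sequence that
    // pops everything back and restores fs:[0] and ebp before falling through
    // to the jmp. The Delphi stub (push ebp; mov ebp,esp; add esp,-0Ch;
    // add esp,0Ch; push eax) leaves its two pushes on the stack when the real
    // entry point is reached.
    // NOTE(review): that only works if the original entry point does not
    // depend on the incoming stack layout - verify per target.
    static const BYTE kVcStub[53] = {
        0x55,0x8b,0xec,0x6a,0xff,0x68,0x00,0x00,
        0x00,0x00,0x68,0x00,0x00,0x00,0x00,0x64,
        0xa1,0x00,0x00,0x00,0x00,0x50,0x64,0x89,
        0x25,0x00,0x00,0x00,0x00,0x83,0xec,0x68,
        0x53,0x56,0x57,0x58,0x58,0x58,0x83,0xc4,
        0x68,0x58,0x67,0x64,0xa3,0x00,0x00,0x58,
        0x58,0x58,0x58,0x8b,0xe8
    };
    static const BYTE kDelphiStub[10] = {
        0x55,0x8b,0xec,0x83,0xc4,0xf4,0x83,0xc4,
        0x0c,0x50
    };
    const DWORD kJmpLen = 5;   // E9 rel32

    // Pick the stub before touching anything on disk.
    const BYTE *stub = NULL;
    DWORD stubLen = 0;
    switch (type) {
    case TYPE_VC:
        stub = kVcStub;
        stubLen = sizeof(kVcStub);
        break;
    case TYPE_DELPHI:
        stub = kDelphiStub;
        stubLen = sizeof(kDelphiStub);
        break;
    default:
        AfxMessageBox("未知的伪装类型!",0,0);
        return;
    }

    // Keep a pristine copy, and refuse to patch without one. An existing .bak
    // is overwritten (bFailIfExists == FALSE), so a second run on the same file
    // replaces the original backup with the once-patched version.
    // Done before Open(): the handle below is opened without a share mode, so
    // a CopyFile issued afterwards could be refused.
    CString bakName = m_filename + ".bak";
    if (!::CopyFile((LPCTSTR)m_filename, (LPCTSTR)bakName, FALSE)) {
        AfxMessageBox("无法创建备份文件!",0,0);
        return;
    }

    CFile myFile;
    if (!myFile.Open((LPCTSTR)m_filename, CFile::modeReadWrite|CFile::typeBinary, NULL))
        return;
    const DWORD fileLen = static_cast<DWORD>(myFile.GetLength());

    // DOS header.
    _IMAGE_DOS_HEADER dos;
    if (myFile.Read(&dos, sizeof(dos)) != sizeof(dos) || dos.e_magic != IMAGE_DOS_SIGNATURE) {
        AfxMessageBox("不是有效的MZ文件!",0,0);
        return;
    }

    // e_lfanew is a signed offset taken from the file: the whole NT header
    // must lie inside the file before we seek to it.
    _IMAGE_NT_HEADERS nt;
    if (dos.e_lfanew < 0
        || fileLen < sizeof(nt)
        || static_cast<DWORD>(dos.e_lfanew) > fileLen - sizeof(nt)) {
        AfxMessageBox("不是有效的PE文件!",0,0);
        return;
    }
    myFile.Seek(dos.e_lfanew, CFile::begin);
    if (myFile.Read(&nt, sizeof(nt)) != sizeof(nt) || nt.Signature != IMAGE_NT_SIGNATURE) {
        AfxMessageBox("不是有效的PE文件!",0,0);
        return;
    }
    // Only PE32 (optional-header magic 0x10B): PE32+ has a different optional
    // header layout, so patching it through _IMAGE_NT_HEADERS would corrupt it.
    if (nt.OptionalHeader.Magic != 0x10B) {
        AfxMessageBox("仅支持32位PE文件!",0,0);
        return;
    }

    const DWORD sectAlign = nt.OptionalHeader.SectionAlignment;
    const DWORD fileAlign = nt.OptionalHeader.FileAlignment;
    const DWORD nSections = nt.FileHeader.NumberOfSections;
    if (sectAlign == 0 || fileAlign == 0 || nSections == 0) {
        AfxMessageBox("不是有效的PE文件!",0,0);
        return;
    }

    // The section table starts right after the optional header, whose real
    // length is SizeOfOptionalHeader (not necessarily sizeof(OptionalHeader)).
    const DWORD hdrSize      = sizeof(_IMAGE_SECTION_HEADER);
    const DWORD sectTableOff = static_cast<DWORD>(dos.e_lfanew)
                             + sizeof(nt.Signature) + sizeof(nt.FileHeader)
                             + nt.FileHeader.SizeOfOptionalHeader;
    const DWORD newHdrOff    = sectTableOff + nSections * hdrSize;

    // Scan the existing sections for the highest virtual and raw end offsets
    // (over all sections, not just the one with the highest start) and the
    // lowest raw start, which bounds the room left for one more header.
    DWORD vEnd     = nt.OptionalHeader.SizeOfImage;
    DWORD rEnd     = 0;
    DWORD firstRaw = fileLen;
    myFile.Seek(sectTableOff, CFile::begin);
    for (DWORD s = 0; s < nSections; ++s) {
        _IMAGE_SECTION_HEADER sh;
        if (myFile.Read(&sh, sizeof(sh)) != sizeof(sh)) {
            AfxMessageBox("不是有效的PE文件!",0,0);
            return;
        }
        // A zero VirtualSize is allowed by the PE format; SizeOfRawData is
        // the size that counts then.
        const DWORD vSize = sh.Misc.VirtualSize ? sh.Misc.VirtualSize : sh.SizeOfRawData;
        if (sh.VirtualAddress + vSize > vEnd)
            vEnd = sh.VirtualAddress + vSize;
        if (sh.SizeOfRawData != 0) {
            if (sh.PointerToRawData + sh.SizeOfRawData > rEnd)
                rEnd = sh.PointerToRawData + sh.SizeOfRawData;
            if (sh.PointerToRawData < firstRaw)
                firstRaw = sh.PointerToRawData;
        }
    }

    // Room for one more header: inside the header area and clear of the first
    // section's raw data, otherwise the write would overwrite section bytes.
    if (newHdrOff + hdrSize > nt.OptionalHeader.SizeOfHeaders
        || newHdrOff + hdrSize > firstRaw) {
        AfxMessageBox("节表没有空间添加新节!",0,0);
        return;
    }

    // Geometry of the new section, aligned per the image itself. With the
    // usual 0x200/0x1000 alignments this is one 0x200-byte raw block mapped
    // into one 0x1000-byte page, exactly as before.
    const DWORD rawSize  = IdfRoundUp(stubLen + kJmpLen, fileAlign);
    const DWORD virtSize = IdfRoundUp(rawSize, sectAlign);
    const DWORD newRaw   = IdfRoundUp(rEnd > fileLen ? rEnd : fileLen, fileAlign);
    const DWORD newVA    = IdfRoundUp(vEnd, sectAlign);

    _IMAGE_SECTION_HEADER newSec = {0};
    memcpy(newSec.Name, "RoBa", 4);
    newSec.Misc.VirtualSize = virtSize;
    newSec.VirtualAddress   = newVA;
    newSec.SizeOfRawData    = rawSize;
    newSec.PointerToRawData = newRaw;
    newSec.Characteristics  = 0xE0000020;   // CODE | EXECUTE | READ | WRITE

    const DWORD oldEP = nt.OptionalHeader.AddressOfEntryPoint;
    nt.OptionalHeader.AddressOfEntryPoint = newVA;
    nt.OptionalHeader.MajorLinkerVersion  = 6;   // applied for both disguises, as before
    nt.OptionalHeader.MinorLinkerVersion  = 0;
    nt.OptionalHeader.SizeOfImage         = newVA + virtSize;
    nt.FileHeader.NumberOfSections       += 1;

    // 1. Section body: zero padding from the current end of file to the end of
    //    the new section (explicit zeros rather than SetLength, so the padding
    //    is deterministic), then the stub and the jump.
    BYTE zeros[0x200] = {0};
    myFile.Seek(fileLen, CFile::begin);
    for (DWORD left = newRaw + rawSize - fileLen; left > 0; ) {
        const DWORD chunk = left < sizeof(zeros) ? left : sizeof(zeros);
        myFile.Write(zeros, chunk);
        left -= chunk;
    }
    myFile.Seek(newRaw, CFile::begin);
    myFile.Write(stub, stubLen);
    // E9 rel32: displacement relative to the end of the 5-byte instruction;
    // unsigned wrap-around yields the correct rel32 for a backward jump.
    const BYTE  jmpOp = 0xE9;
    const DWORD rel   = oldEP - (newVA + stubLen + kJmpLen);
    myFile.Write(&jmpOp, 1);
    myFile.Write(&rel, sizeof(rel));

    // 2. Headers last, so a failed body write leaves the old headers intact.
    myFile.Seek(newHdrOff, CFile::begin);
    myFile.Write(&newSec, sizeof(newSec));
    myFile.Seek(dos.e_lfanew, CFile::begin);
    myFile.Write(&nt, sizeof(nt));
    myFile.Close();

    AfxMessageBox("Success!",MB_OK|MB_ICONINFORMATION,0);
}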
呵呵,没什么技术含量,贻笑大方了
