放下代码 PE文件变形之初步 移动PE头
.386
.model flat,stdcall
option casemap:none

; Win32 (stdcall) tool: copies the NT header block of a fixed target image
; to a different file offset inside a header snapshot and patches e_lfanew.
include windows.inc
include user32.inc
include kernel32.inc
include gdi32.inc
includelib gdi32.lib
includelib user32.lib
includelib kernel32.lib

; Local procedure prototypes (all stdcall).
Message   proto :DWORD                     ; text to show
movfile   proto :DWORD,:DWORD,:DWORD       ; dst, src, byte count
IsPeFile  proto :DWORD                     ; header buffer
MovPeHead proto :DWORD,:DWORD,:DWORD       ; header buffer, new offset, current e_lfanew

.data
     szFileName  db "E:\stu1\stu2\bin\Debug\main.exe",0   ; hard-coded target image
     szEorro     db "file open fail",0
     szCaption   db "PEêμÑé",0             ; NOTE(review): text looks mis-encoded in this copy; kept byte-for-byte
     szsuccesful db "successful!",0         ; not referenced anywhere in this file
     szpe        db "this is a pe file",0
     szPeMovNo   db "Îļt2»Dèòaòƶˉ",0        ; NOTE(review): text looks mis-encoded in this copy; kept byte-for-byte
     szNoPe      db "this is not PE file",0

.data?
     hFileHanld  dword ?                    ; handle of the open target image
     szbuff      dword 4096 dup (?)         ; header snapshot (16 KiB; 'start' reads 400h bytes into it)
     szreadnum   dword ?                    ; byte count filled in by ReadFile
     szbuff1     IMAGE_DOS_HEADER <>        ; not referenced anywhere in this file
     dwPeRav     dword ?                    ; e_lfanew as returned by IsPeFile

.code
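     start:
            ; Entry point. Opens the hard-coded target image, snapshots its
            ; first 400h bytes, relocates the NT headers inside the snapshot
            ; and writes the snapshot back. Never returns (ExitProcess).
            ;
            ; OPEN_EXISTING instead of OPEN_ALWAYS: a missing path is an
            ; error for a patch tool, not a reason to create an empty file.
            invoke CreateFile,offset szFileName,GENERIC_READ or GENERIC_WRITE,NULL,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL
            .IF eax==INVALID_HANDLE_VALUE
                invoke MessageBox,NULL,offset szEorro,offset szCaption,MB_OK
                invoke ExitProcess,NULL
            .endif
            mov hFileHanld,eax

            ; Read the header snapshot. A failed read leaves szbuff undefined,
            ; so do not parse it.
            invoke ReadFile,hFileHanld,offset szbuff,0400h,offset szreadnum,NULL
            .if eax==0
                invoke MessageBox,NULL,offset szEorro,offset szCaption,MB_OK
                jmp over
            .endif

            ; IsPeFile returns e_lfanew (offset of the NT headers) or 0.
            invoke IsPeFile,offset szbuff
            .if eax==0
                ; 'offset' was missing here: the first four text bytes were
                ; being passed as the string pointer.
                invoke MessageBox,NULL,offset szNoPe,NULL,MB_OK
                jmp over
            .endif
            mov dwPeRav,eax

            ; Relocate the NT headers to offset 0Ch inside the snapshot.
            invoke MovPeHead,offset szbuff,0ch,dwPeRav

            ; Write back exactly the bytes that were read: a fixed 400h would
            ; pad a shorter file with stale buffer contents. WriteFile needs a
            ; non-NULL lpNumberOfBytesWritten when lpOverlapped is NULL;
            ; szreadnum is reused because the read count is no longer needed
            ; once it has been pushed as the byte count.
            invoke SetFilePointer,hFileHanld,0,0,FILE_BEGIN
            invoke WriteFile,hFileHanld,offset szbuff,szreadnum,offset szreadnum,NULL

         over:
            invoke CloseHandle,hFileHanld
            invoke ExitProcess,NULL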
           Message proc lpstring:dword
               ; void Message(LPCSTR lpstring)
               ; Shows lpstring in a modal OK box captioned szCaption.
               ; Out:   eax = MessageBox result
               ; Clobb: ecx, edx, flags (Win32 volatile set)
               ; Explicit stdcall push sequence (right-to-left), same as the
               ; 'invoke' expansion.
               push MB_OK                   ; uType
               push offset szCaption        ; lpCaption
               push lpstring                ; lpText
               push NULL                    ; hWnd
               call MessageBox
               ret
           Message endp
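          movfile proc uses esi edi dst:dword,src:dword,sizelen:dword
              ; void movfile(BYTE *dst, const BYTE *src, DWORD sizelen)
              ; Copies sizelen bytes from src to dst one byte at a time and
              ; zeroes each source byte right after it has been copied, so the
              ; old location ends up wiped. Because the wipe happens while the
              ; copy is still running, this is only correct when dst lies below
              ; src or the two ranges do not overlap; with dst above src an
              ; overlapping source byte can be read after it was overwritten.
              ; Clobb: ecx, flags. esi/edi are callee-saved on Win32 and are
              ; now preserved (the original clobbered them).
              mov edi,dst
              mov esi,src
              mov ecx,sizelen
              jecxz done                   ; 'loop' with ecx = 0 would run 4G iterations
              cld                          ; movsb must walk forward; DF is not guaranteed clear
          next:
              movsb                        ; [edi++] = [esi++]
              mov byte ptr [esi-1],0       ; erase the byte that was just moved
              dec ecx
              jnz next
          done:
              ret
          movfile endp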
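          IsPeFile proc uses esi lpbuff:dword
              ; DWORD IsPeFile(const BYTE *lpbuff)
              ; lpbuff: in-memory copy of the file's first 400h bytes (that is
              ;         what the caller in 'start' reads).
              ; Out:    eax = e_lfanew (offset of IMAGE_NT_HEADERS from lpbuff)
              ;         when the buffer starts with an MZ header whose e_lfanew
              ;         points at a full "PE\0\0" signature inside the snapshot;
              ;         eax = 0 otherwise.
              ; Side effect: shows szpe in a message box on success (as before).
              ; Clobb: ecx, edx, flags. esi is preserved (callee-saved on Win32).
              xor eax,eax
              mov esi,lpbuff
              assume esi:ptr IMAGE_DOS_HEADER
              .if [esi].e_magic==IMAGE_DOS_SIGNATURE            ; "MZ"
                  mov ecx,[esi].e_lfanew
                  ; e_lfanew comes straight from the file: bound it before
                  ; dereferencing so a crafted/oversized value cannot read past
                  ; the 400h-byte snapshot (4 bytes of signature must fit too).
                  ; The original compared only the two "PE" bytes; the real
                  ; signature is four bytes, so compare the whole dword.
                  .if ecx<=(0400h-4)
                      .if dword ptr [esi+ecx]==IMAGE_NT_SIGNATURE   ; "PE\0\0"
                          push ecx                             ; ecx is volatile across the call
                          invoke Message,offset szpe
                          pop eax                              ; eax = e_lfanew
                      .endif
                  .endif
              .endif
              assume esi:nothing
              ret
          IsPeFile endp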
          
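         MovPeHead proc uses ebx esi lpDosHead:dword,dwPosition:DWORD,dwPeRav1:dword
             ; DWORD MovPeHead(BYTE *lpDosHead, DWORD dwPosition, DWORD dwPeRav1)
             ; Moves IMAGE_NT_HEADERS plus the section table from offset
             ; dwPeRav1 (the current e_lfanew) to offset dwPosition inside the
             ; header snapshot at lpDosHead, wipes the old copy (movfile does
             ; that) and rewrites e_lfanew to point at the new location.
             ; Assumes lpDosHead holds 400h bytes (what 'start' reads) and that
             ; IsPeFile already validated the MZ/PE signatures.
             ; Out:   eax = dwPosition when the move was done, 0 when refused.
             ; Clobb: ecx, edx, flags. ebx/esi are callee-saved on Win32 and are
             ;        now preserved (the original clobbered ebx).

             ; movfile copies forward and zeroes each source byte as it goes,
             ; which is only correct when the destination lies below the
             ; source; dwPosition >= e_lfanew is therefore refused (equality is
             ; the original "nothing to move" case and keeps its message).
             mov eax,dwPeRav1
             .if dwPosition>=eax
                 invoke MessageBox,NULL,offset szPeMovNo,NULL,MB_OK
                 xor eax,eax
                 ret
             .endif

             ; The NT headers themselves must fit in the snapshot before any
             ; field of them is read.
             .if eax>(0400h-sizeof(IMAGE_NT_HEADERS))
                 xor eax,eax
                 ret
             .endif
             mov esi,lpDosHead
             add esi,eax                              ; esi -> IMAGE_NT_HEADERS
             assume esi:ptr IMAGE_NT_HEADERS
             movzx edx,word ptr [esi].FileHeader.NumberOfSections   ; no 16-bit partial write
             assume esi:nothing
             imul eax,edx,sizeof(IMAGE_SECTION_HEADER)
             add eax,sizeof(IMAGE_NT_HEADERS)         ; eax = bytes to move

             ; NumberOfSections is file-controlled: both the source and the
             ; destination range must still end inside the snapshot. No wrap is
             ; possible here because dwPosition < dwPeRav1 <= 400h at this point.
             mov ecx,eax
             add ecx,dwPeRav1                         ; end of source range
             .if ecx>0400h
                 xor eax,eax
                 ret
             .endif
             mov ecx,eax
             add ecx,dwPosition                       ; end of destination range
             .if ecx>0400h
                 xor eax,eax
                 ret
             .endif

             mov ebx,lpDosHead
             add ebx,dwPosition                       ; ebx -> new header location
             invoke movfile,ebx,esi,eax

             ; Point e_lfanew at the new location. NOTE(review): e_lfanew lives
             ; at offset 3Ch of the DOS header, so with dwPosition at or below
             ; 3Ch (the caller uses 0Ch) the moved block covers that field and
             ; this store lands inside the relocated optional header; confirm
             ; the field it overwrites is one the loader does not use.
             mov esi,lpDosHead                        ; reload: movfile may have changed esi
             assume esi:ptr IMAGE_DOS_HEADER
             mov eax,dwPosition
             mov [esi].e_lfanew,eax
             assume esi:nothing
             ret
         MovPeHead endp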
     end start



 
											





 
	    

 
	