本帖最后由 xuliang 于 2012-8-18 18:01 编辑
学 PE 有段时间了,可一直没时间手动写一个。今天抽空手写了一个 Min PE,并用自己开发的 ShellCode 远控做测试,运行正常。里面的 M.exe 上线地址是 127.0.0.1,没有危险代码,请放心研究。
教程中把一定要填写的字段都加了注释,没有注释的字段直接填零即可!
本人QQ:9**********有问题可联系我
教程下载地址:http://t.cn/zWHFOoL
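// 以下是教程中的结构 (the record layouts used in the tutorial follow)
_IMAGE_DOS_HEADER = record // 64 bytes (0x40); the DOS header at file offset 0
e_magic: Word; //4D 5A ("MZ") — DOS signature, the first two bytes of the file
e_cblp: Word;
e_cp: Word;
e_crlc: Word;
e_cparhdr: Word;
e_minalloc: Word;
e_maxalloc: Word;
e_ss: Word;
e_sp: Word;
e_csum: Word;
e_ip: Word;
e_cs: Word;
e_lfarlc: Word;
e_ovno: Word;
e_res: array [0..3] of Word;
e_oemid: Word;
e_oeminfo: Word;
e_res2: array [0..9] of Word;
e_lfanew: Longint; //40 00 00 00 — file offset of _IMAGE_NT_HEADERS; 0x40 is exactly this record's size, so the NT headers follow immediately and there is no DOS stub
end;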
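_IMAGE_NT_HEADERS = record // 248 bytes = 4 (Signature) + 20 (FileHeader) + 224 (OptionalHeader); located at the file offset given by e_lfanew
Signature: DWORD; //50 45 00 00 ("PE\0\0")
FileHeader: IMAGE_FILE_HEADER; // laid out as _IMAGE_FILE_HEADER below (20 bytes)
OptionalHeader: IMAGE_OPTIONAL_HEADER32; // laid out as _IMAGE_OPTIONAL_HEADER below (224 bytes); FileHeader.SizeOfOptionalHeader must hold this size (0xE0)
end;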
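_IMAGE_FILE_HEADER = record // 20 bytes
Machine: WORD; //4C 01 (0x014C) Intel 386
NumberOfSections: WORD; //01 00 — one section; must equal the number of _IMAGE_SECTION_HEADER entries that follow the optional header
TimeDateStamp: DWORD;
PointerToSymbolTable: DWORD;
NumberOfSymbols: DWORD;
SizeOfOptionalHeader: WORD; //E0 00 (0xE0 = 224) size of OptionalHeader
Characteristics: WORD; //03 01 (0x0103) = bits 0, 1 and 8 of the table below: no relocation info, executable image (EXE), 32-bit machine
end;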
Characteristics:
0:置1表示文件中没有重定位信息 √
1:置1表示文件是可执行文件EXE √
2:置1表示没有行数信息
3:置1表示没有局部符号信息
8:表示希望机器为32位机 √
9:表示没有调试信息
11:置1表示程序不能在网上运行
12:置1表示文件是一个系统文件,例如驱动程序
13:置1表示文件是一个动态链接库DLL
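_IMAGE_OPTIONAL_HEADER = record // 224 bytes (0xE0); must agree with FileHeader.SizeOfOptionalHeader
Magic: Word; //0B 01 (0x010B, PE32) — the first byte is hex 0B, not the letter O
MajorLinkerVersion: Byte;
MinorLinkerVersion: Byte;
SizeOfCode: DWORD;
SizeOfInitializedData: DWORD;
SizeOfUninitializedData: DWORD;
AddressOfEntryPoint: DWORD; //00 10 00 00 — entry point (OEP) RVA 0x1000; equal to the section's VirtualAddress, so execution starts at the first byte of the sole section //########
BaseOfCode: DWORD;
BaseOfData: DWORD;
ImageBase: DWORD; //00 00 40 00 — preferred load address 0x400000; relocations are stripped (file Characteristics bit 0), so there is no relocation data to move the image elsewhere
SectionAlignment: DWORD; //00 10 00 00 — 0x1000, section granularity in memory
FileAlignment: DWORD; //00 02 00 00 — 0x200, section granularity in the file
MajorOperatingSystemVersion: Word;
MinorOperatingSystemVersion: Word;
MajorImageVersion: Word;
MinorImageVersion: Word;
MajorSubsystemVersion: Word; //04 00 — subsystem version 4.0; the author notes that a lower value loses the 3D window style
MinorSubsystemVersion: Word;
Win32VersionValue: DWORD;
SizeOfImage: DWORD; //00 20 00 00 — 0x2000, total size of the mapped image: one section at RVA 0x1000 with VirtualSize 0x1000, rounded to SectionAlignment //########
SizeOfHeaders: DWORD; //00 02 00 00 — 0x200, file size of DOS header + NT headers + section table, rounded to FileAlignment
CheckSum: DWORD;
Subsystem: Word; //02 00 (GUI) or 03 00 (console)
DllCharacteristics: Word;
SizeOfStackReserve: DWORD;
SizeOfStackCommit: DWORD; //00 20 00 00 — 0x2000; the author reports this as the smallest value that worked
SizeOfHeapReserve: DWORD;
SizeOfHeapCommit: DWORD;
LoaderFlags: DWORD;
NumberOfRvaAndSizes: DWORD; //10 00 00 00 — 16 directory entries; per the author it records how many are actually used and may be 0 when none are
DataDirectory: array [0..IMAGE_NUMBEROF_DIRECTORY_ENTRIES - 1] of IMAGE_DATA_DIRECTORY; // indexed by the IMAGE_DIRECTORY_ENTRY_* constants below
end;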
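IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16; // length of OptionalHeader.DataDirectory
// Indices into OptionalHeader.DataDirectory
IMAGE_DIRECTORY_ENTRY_EXPORT = 0;
IMAGE_DIRECTORY_ENTRY_IMPORT = 1;
IMAGE_DIRECTORY_ENTRY_RESOURCE = 2;
IMAGE_DIRECTORY_ENTRY_EXCEPTION = 3;
IMAGE_DIRECTORY_ENTRY_SECURITY = 4;
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5;
IMAGE_DIRECTORY_ENTRY_DEBUG = 6;
IMAGE_DIRECTORY_ENTRY_ARCHITECTURE = 7;
IMAGE_DIRECTORY_ENTRY_GLOBALPTR = 8;
IMAGE_DIRECTORY_ENTRY_TLS = 9;
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10;
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT = 11;
IMAGE_DIRECTORY_ENTRY_IAT = 12;
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT = 13;
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14;
// index 15 is reserved (预留) and has no named constant; leave that entry zero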
_IMAGE_DATA_DIRECTORY = record // 8 bytes; one entry of OptionalHeader.DataDirectory
VirtualAddress: DWORD; //RVA of the table this entry describes; the tutorial leaves unused entries at zero
Size: DWORD; // size of that table in bytes
end;
_IMAGE_SECTION_HEADER = record // one entry per section, directly after the optional header
Name: array [0..IMAGE_SIZEOF_SHORT_NAME - 1] of BYTE; // section name, 8 bytes (IMAGE_SIZEOF_SHORT_NAME)
Misc: TImgSecHdrMisc; // variant record declared below; the VirtualSize member is the one given a value here
VirtualAddress: DWORD; //00 10 00 00 — start RVA 0x1000 of the section; equal to AddressOfEntryPoint in the optional header
SizeOfRawData: DWORD; //00 02 00 00 — 0x200 bytes of section data in the file
PointerToRawData: DWORD; //00 04 00 00 — file offset 0x400 of the section data; SizeOfHeaders is 0x200, so file offsets 0x200..0x3FF are unused padding
PointerToRelocations: DWORD;
PointerToLinenumbers: DWORD;
NumberOfRelocations: WORD;
NumberOfLinenumbers: WORD;
Characteristics: DWORD; //20 00 00 E0 — 0xE0000020 = IMAGE_SCN_CNT_CODE or IMAGE_SCN_MEM_EXECUTE or IMAGE_SCN_MEM_READ or IMAGE_SCN_MEM_WRITE (readable, writable, executable); a section that is both writable and executable is unusual for compiler output and is a common static-scanner heuristic, so expect such a file to be flagged
end;
IMAGE_SIZEOF_SHORT_NAME = 8; // length in bytes of _IMAGE_SECTION_HEADER.Name
TImgSecHdrMisc = record // variant record: both members occupy the same 4 bytes
case Integer of
0: (PhysicalAddress: DWORD);
1: (VirtualSize: DWORD); //00 10 00 00 — 0x1000, size of the section in memory (here equal to SectionAlignment)
end;