1. Теперь за форумную активность начисляются биткоины и другие криптоденьги. Подробнее.
    Скрыть объявление
  2. Появилась архивная версия форума arhiv.xaker.name, где собраны темы с 2007 по 2012 год.
    Скрыть объявление

[NODE.JS] Сниппет, добавляющий секцию к PE EXE x86

Тема в разделе "Разное", создана пользователем covetous.eyes, 7 фев 2013.

  1. covetous.eyes
    covetous.eyes Новичок
    Симпатии:
    1
    Я люблю Node JS и ревеср инженеринг, поэтому я создал код объединяющий эти вещи. Этот сниппет NODE.JS добавляет секцию к PE EXE x86. Код может содержать ошибки,но он находиться в активной разработке.

    Код:
    var fs = require('fs');
    
    const PE_DosHeader = 0, PE_NtHeaders = 1, PE_FileHeader = 2, PE_OptionalHeader = 3, PE_SectionHeaders = 4, PE_DataDirectories = 5,
    PE_ExportDirectory = 6, PE_ImportDirectory = 7, PE_ResourceDirectory = 8, PE_ExceptionDirectory = 9, PE_SecurityDirectory = 0xa,
    PE_RelocationDirectory = 0xb, PE_DebugDirectory = 0xc, PE_TLSDirectory = 0xd, PE_ConfigurationDirectory = 0xe,
    PE_BoundImportDirectory = 0xf, PE_ImportAddressTableDirectory = 0x10, PE_DelayImportDirectory = 0x11, PE_DotNETDirectory = 0x12;
    
    String.prototype.rtrim = function() {return this.replace(/\0+$/,"");}
    
    function toSectionNameBuf(s) {
      var buf = new Buffer(8);
      buf.fill(0);
      if (s.length > 8) s = s.slice(0, 8);
      buf.write(s, 0, s.length, 'ascii');
      return(buf);};
    
    function alignBy(v, by) {
     return((v%by)?(1+Math.floor(v/by))*by:v)};
    
    function PEFile(){
      this.buf;
      this.peStrucTable;}
                                                                                                                                 
    PEFile.prototype.OpenPE = function(file) {
      this.buf = fs.readFileSync(file);
      var sig = this.buf.toString('ascii', 0, 2)
      if (sig != 'MZ') return(false);                                                            
      var pHeaderPE = this.buf.readUInt16LE(0x3c);
      if (this.buf.readUInt16LE(pHeaderPE) !== 0x4550) return(false);
      var pDataDirectories = pHeaderPE+0x78;
      this.peStrucTable = [0, pHeaderPE, pHeaderPE+0x4, pHeaderPE+44, pHeaderPE+0xf8, pDataDirectories, pDataDirectories,
        pDataDirectories+0x8, pDataDirectories+0x10, pDataDirectories+0x18, pDataDirectories+0x20, pDataDirectories+0x28,
        pDataDirectories+0x30, pDataDirectories+0x48, pDataDirectories+0x50, pDataDirectories+0x58, pDataDirectories+0x60, 
        pDataDirectories+0x68, pDataDirectories+0x70]; 
      return(true);};                                                  
    
    PEFile.prototype.Save = function(name){
      fs.writeFileSync(name, this.buf);};
    
    PEFile.prototype.readByte = function(ofs) {
      return(this.buf[ofs]);}
    
    PEFile.prototype.readWord = function (ofs) {
      return(this.buf.readUInt16LE(ofs));}
    
    PEFile.prototype.readDWord = function (ofs) {
      return(this.buf.readUInt32LE(ofs));}
    
    PEFile.prototype.readQWord = function (ofs) {
      return(this.buf.readDoubleLE(ofs));}
    
    PEFile.prototype.writeByte = function(ofs, val) {
      this.buf[ofs] = val;}
    
    PEFile.prototype.writeWord = function (ofs, val) {
      this.buf.writeUInt16LE(val, ofs);}
    
    PEFile.prototype.writeDWord = function (ofs, val) {
      this.buf.writeUInt32LE(val, ofs);}
    
    PEFile.prototype.writeQWord = function (ofs, val) {
      this.buf.writeDoubleLE(val, ofs);}
      
    PEFile.prototype.getNumberOfSections = function(n){
      return(this.readWord(this.getOffset(PE_FileHeader)+0x2));};
    
    PEFile.prototype.getOffset = function(n){
      return(this.peStrucTable[n % 0x13]);};  
    
    PEFile.prototype.enumSections = function(fEnumProc, lParam){
      var iSections = this.getNumberOfSections();
      for(var i = 0; i < iSections; i++){
        var pSection = this.getOffset(PE_SectionHeaders) + i*0x28;
        var sName = this.buf.toString('ascii', pSection, pSection+8).rtrim();
        fEnumProc.call(this, i, pSection, sName, lParam);};
      return(true);};
    
    PEFile.prototype.findSection = function(sName){
      var pSection = null;
      this.enumSections( function(i, p, s, name) { if (s == name) {pSection = p;} }, sName);
      return(pSection);}
    
    PEFile.prototype.dumpSection = function(sName) {
      var dwVirtualSize, dwRawSize, dwRawAddr, bufSection, bufSectionHeader = new Buffer(0x28), pSection = this.findSection(sName);
      if (!pSection) return(null);
      this.buf.copy(bufSectionHeader, 0, pSection, pSection+0x28);
      dwRawSize = bufSectionHeader.readUInt32LE(0x10);
      dwVirtualSize = bufSectionHeader.readUInt32LE(0x8);
      dwRawAddr = bufSectionHeader.readUInt32LE(0x14);
      if (dwRawSize < dwVirtualSize) dwVirtualSize = dwRawSize;
      bufSection = new Buffer(dwVirtualSize);
      this.buf.copy(bufSection, 0, dwRawAddr, dwRawAddr+dwVirtualSize);
      return(bufSection);};
    
    PEFile.prototype.addSectionHeader = function(name) {
      var pSectionHeaders = this.getOffset(PE_SectionHeaders), pHeaderOffset = 0x28*this.getNumberOfSections()+pSectionHeaders,
      pFirstSectionData = this.readDWord(pSectionHeaders+0x14);
      if (pFirstSectionData <= pHeaderOffset) return(false);
      this.buf.fill(0, pHeaderOffset, pHeaderOffset+0x28);
      toSectionNameBuf(name).copy(this.buf, pHeaderOffset);
      this.writeDWord(pHeaderOffset+0x24, 0xC0000000);          	
      var pSecNum = this.getOffset(PE_FileHeader)+0x2;
      this.writeWord(pSecNum, this.readWord(pSecNum)+1);
      return(true);};
    
    PEFile.prototype.addSectionEmpty = function(name, size, ch){
      if (!this.addSectionHeader(name)) return false;
      var pSectionHeaders = this.getOffset(PE_SectionHeaders), iSect = this.getNumberOfSections(),
      dwSectionAligment = this.readDWord(this.getOffset(PE_FileHeader)+0x34), 
      dwFileAligment = this.readDWord(this.getOffset(PE_FileHeader)+0x38);
      var pLastSectionHdr = pSectionHeaders+(iSect-2)*0x28;
      var pVA = alignBy(this.readDWord(pLastSectionHdr+0x8), dwSectionAligment)+this.readDWord(pLastSectionHdr+0xC);
      var pRA = alignBy(this.readDWord(pLastSectionHdr+0x10), dwFileAligment)+this.readDWord(pLastSectionHdr+0x14);
      var dwSizeRaw = alignBy(size, dwFileAligment);
      var pNewSectionHdr = pSectionHeaders+(iSect-1)*0x28;
      this.writeDWord(pNewSectionHdr+0x8, size);
      this.writeDWord(pNewSectionHdr+0xC, pVA);
      this.writeDWord(pNewSectionHdr+0x10, dwSizeRaw);
      this.writeDWord(pNewSectionHdr+0x14, pRA);
      var b = new Buffer(dwSizeRaw);
      b.fill(0);
      this.buf = Buffer.concat([this.buf, b]);
      return(true)};
    
    PEFile.prototype.addSection = function(name, buf, ch) {
      this.addSectionEmpty(name, buf.length, ch);
      var pLastSecHdr = this.getOffset(PE_SectionHeaders) + (this.getNumberOfSections()-1)*0x28; 
      buf.copy(this.buf, this.readDWord(pLastSecHdr+0x14));};  
    
    PEFile.prototype.sectionFromRVA = function (rva) {
      var result = null;
      this.enumSections( function(i, p, s, rva){
        var dwVirtualSize = this.readWord(p+0x8), dwVirtualAddress =  this.readWord(p+0xC);
        if (rva >= dwVirtualAddress && rva  < dwVirtualAddress+dwVirtualSize) result = i;}, rva);
      return(result);};
    
    PEFile.prototype.rebuildImageSize = function (){
      var  dwSectionAligment = this.readDWord(this.getOffset(PE_FileHeader)+0x34), 
      pLastSecHdr = this.getOffset(PE_SectionHeaders) + (this.getNumberOfSections()-1)*0x28;
      var dwSizeImage = alignBy(this.readDWord(pLastSecHdr+0x8), dwSectionAligment)+this.readDWord(pLastSecHdr+0xC);
      this.writeDWord(this.getOffset(PE_FileHeader)+0x4C, dwSizeImage);
      return(true)};
    
    var bufX = new Buffer('I LOVE NODE.JS ! \n(c) CovetousEyes', 'ascii');
    var pef = new PEFile();
    pef.OpenPE('test.EXE');
    pef.addSection('.FUNNY', bufX);
    pef.rebuildImageSize();
    pef.Save('testCracked.exe');
    
     

    Вложения:

    • pedemo.rar
      Размер файла:
      2,8 КБ
      Просмотров:
      57
    7 фев 2013

Поделиться этой страницей

Загрузка...