C++实现远程下载EXE并执行-C++-IT72.COM

C++实现远程下载EXE并执行

Home / C++ MrLee 5月前 281

vs 2008

010 edit编辑器

目标

网络下载一个exe程序，并且在内存中展开，且运行。不需要写在硬盘上。

我先给全部代码，下面是解释部分

// RunExeThread.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <windows.h>
PIMAGE_DOS_HEADER dosHeader;
PIMAGE_NT_HEADERS ntHeader;
PIMAGE_FILE_HEADER fileHeader;
PIMAGE_EXPORT_DIRECTORY exportDirectory;
PIMAGE_SECTION_HEADER  pSectionHeader;
PIMAGE_IMPORT_DESCRIPTOR importDescriptor;
PIMAGE_THUNK_DATA thunkData;
PIMAGE_IMPORT_BY_NAME ordAndName;
PIMAGE_BASE_RELOCATION baseRelocation;
char file[]="路径\\game.exe"; //这是读取文件的路径
LPBYTE lpBaseAddress;
int _tmain(int argc, _TCHAR* argv[])
{
	//将磁盘文件映射到内存中
	HANDLE hcf = CreateFileA(file,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
	HANDLE hcfm = CreateFileMappingA(hcf,NULL,PAGE_READONLY,0,0,0);
	lpBaseAddress=(LPBYTE)MapViewOfFile(hcfm,FILE_MAP_READ,0,0,0);
	//获取一些基本变量
	dosHeader = (PIMAGE_DOS_HEADER)lpBaseAddress;
	int lfanew = dosHeader->e_lfanew;
	ntHeader = (PIMAGE_NT_HEADERS)(lpBaseAddress+lfanew);
	int sizeOfImage = ntHeader->OptionalHeader.SizeOfImage;
	int sizeOfHeader = ntHeader->OptionalHeader.SizeOfHeaders;
	pSectionHeader = (PIMAGE_SECTION_HEADER)(lpBaseAddress+lfanew+sizeof(IMAGE_NT_HEADERS));
	//创建内存空间
	LPBYTE loca = (LPBYTE)VirtualAlloc(NULL,sizeOfImage,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
	//拷贝内存空间
	LPBYTE virseek = (LPBYTE)loca;
	memcpy(loca,lpBaseAddress,sizeOfHeader);
	if(sizeOfHeader%0x1000!=0)
	{
		virseek+=0x1000;
	}
	virseek += (sizeOfHeader/0x1000)*0x1000;
	LPBYTE sectionStartAddr = lpBaseAddress+sizeOfHeader;
	for(int i=0;i<(ntHeader->FileHeader.NumberOfSections);i++,pSectionHeader++)
	{
		int sectionSize = pSectionHeader->Misc.VirtualSize/0x1000;
		if(pSectionHeader->Misc.VirtualSize%0x1000!=0)
		{
			sectionSize++;
		}
		memcpy(virseek,sectionStartAddr,pSectionHeader->SizeOfRawData);
		sectionStartAddr+=pSectionHeader->SizeOfRawData;
		virseek += sectionSize*0x1000;
	}
	//修复IAT表
	ntHeader = (PIMAGE_NT_HEADERS)(loca+lfanew);
	int vAddr = ntHeader->OptionalHeader.DataDirectory[1].VirtualAddress;
	importDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)(loca + vAddr);
	while(importDescriptor->Name)
	{
		HMODULE moduleHandle = LoadLibraryA((LPCSTR)(loca+importDescriptor->Name));
		thunkData = (PIMAGE_THUNK_DATA)(importDescriptor->FirstThunk+loca);
		DWORD * indexAddr = (DWORD *)(importDescriptor->FirstThunk+loca);
		while(thunkData->u1.AddressOfData)
		{
			if(IMAGE_SNAP_BY_ORDINAL(thunkData->u1.AddressOfData))
			{
				LPCSTR addr = (LPCSTR)thunkData->u1.AddressOfData-0x80000000;
				*indexAddr = (DWORD)GetProcAddress(moduleHandle,addr);
			}else{
				ordAndName = (PIMAGE_IMPORT_BY_NAME)(loca + thunkData->u1.AddressOfData);
				*indexAddr = (DWORD)GetProcAddress(moduleHandle,(LPCSTR)(ordAndName->Name));
			}
			thunkData++;
			indexAddr++;
		}
		importDescriptor++;
	}
	//修复重定位表
	baseRelocation = (PIMAGE_BASE_RELOCATION)(loca + (ntHeader->OptionalHeader.DataDirectory[5].VirtualAddress));
	int num;
	WORD *data;
	while(baseRelocation->VirtualAddress+baseRelocation->SizeOfBlock != 0)
	{
		data = (WORD *)((LPBYTE)baseRelocation+0x8);
		num = (baseRelocation->SizeOfBlock-0x8)/sizeof(WORD);
		for(int i = 0;i<num;i++)
		{
			if((DWORD)(data[i]&0x0000F000)==0x00003000)
			{
				DWORD* addr = (DWORD *)(loca+baseRelocation->VirtualAddress+(data[i]&0x00000FFF));
				*addr +=(DWORD)(loca - ntHeader->OptionalHeader.ImageBase);
			}
		}
		baseRelocation = (PIMAGE_BASE_RELOCATION)((LPBYTE)baseRelocation + baseRelocation->SizeOfBlock);
	}
	HANDLE h =CreateThread(0,0,(LPTHREAD_START_ROUTINE)(loca+ntHeader->OptionalHeader.AddressOfEntryPoint),0,0,0);
	DWORD d = WaitForSingleObject(h,INFINITE);
	VirtualFree(loca,0,MEM_RELEASE);
	CloseHandle(hcfm);
	CloseHandle(hcf);
	return 0;
}

以0x1000粒度拷贝到内存

拷贝过程

1.拷贝各个头部，即节区头以上的部分。（PE结构中在可选头中有SizeOfHeaders指明了大小）

2.各个节区块，如下图