
用Delphi编写Windows PE文件随机区段名器

链接:http://www.unpack.cn/viewthread.php?tid=16931
作者:pathletboy
日期:2007-8-31 23:00

代码:
unit MainFormUnit;
{
Written by pathletboy
2007.08.31
}
interface

uses
   Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
   Dialogs, StdCtrls;

type
   // Main form of the tool: one button selects and validates a file, the other
   // rewrites its section names; both handlers log to Memo1.
   // NOTE(review): the component names presumably have to match the form
   // resource pulled in by the $R *.dfm directive, which is not shown here.
   TForm1 = class(TForm)
Label1: TLabel; // its Caption holds the path of the currently selected file
Button1: TButton; // click: choose a file and run CheckValidPE on it
OpenDialog1: TOpenDialog; // file picker used by Button1Click
Memo1: TMemo; // log output for both handlers
Button2: TButton; // click: run ProcessRandomSectionNames; enabled by Button1Click
procedure Button2Click(Sender: TObject);
procedure Button1Click(Sender: TObject);
   private
{ Private declarations }
   public
{ Public declarations }
   end;

var
   Form1: TForm1;

implementation

{$R *.dfm}

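// Checks whether file F looks like a PE image and classifies it.
// Returns 0 when the file is missing, smaller than $1000 bytes, has a bad
// DOS or NT signature, or cannot be read; 1 for an EXE; 2 for a DLL
// (IMAGE_FILE_DLL set in the file header characteristics).
function CheckValidPE(F: string): Byte;
var
  FS: TFileStream;
  doshead: IMAGE_DOS_HEADER;
  pehead: IMAGE_NT_HEADERS;
begin
  Result := 0;
  if not FileExists(F) then
    Exit;

  // Must be nil before the try: if the constructor raises, the finally block
  // would otherwise call Free on an uninitialised local.
  FS := nil;
  try
    try
      FS := TFileStream.Create(F, fmOpenRead);

      // Files below $1000 bytes are treated as not being a valid PE.
      if FS.Size < $1000 then
        Exit;

      FS.ReadBuffer(doshead, SizeOf(doshead));
      if doshead.e_magic <> IMAGE_DOS_SIGNATURE then
        Exit;

      // _lfanew is read from the file, so bound it before seeking: the NT
      // headers must lie completely inside the file.
      if (doshead._lfanew <= 0) or
         (doshead._lfanew > FS.Size - SizeOf(pehead)) then
        Exit;

      FS.Seek(doshead._lfanew, soFromBeginning);
      FS.ReadBuffer(pehead, SizeOf(pehead));
      if pehead.Signature <> IMAGE_NT_SIGNATURE then
        Exit;

      // Distinguish DLL from EXE by the characteristics flag.
      if (pehead.FileHeader.Characteristics and IMAGE_FILE_DLL) = IMAGE_FILE_DLL then
        Result := 2
      else
        Result := 1;
    except
      // Any open or read failure means "not a usable PE file".
      Result := 0;
    end;
  finally
    FS.Free;
  end;
end;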

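// Builds an 8-character string of random bytes in the range 32 .. Ord('z') - 1
// (space through 'y'). Eight characters matches the number of bytes the caller
// copies into IMAGE_SECTION_HEADER.Name.
// The string and character literals were missing their quotes in the listing
// and are restored here. Randomize is still called on every invocation, as in
// the original.
function GetRandomSectionName: string;
var
  I: Integer;
  B: Byte;
begin
  Result := '';
  Randomize;
  for I := 1 to 8 do
  begin
    B := 32 + Random(Ord('z') - 32);
    Result := Result + Chr(B);
  end;
end;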

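// Overwrites the Name field of every section header of file F, in place, with
// the output of GetRandomSectionName, and logs each step to Memo.
// Returns True when all headers were rewritten, False on any validation or
// I/O failure.
//
// Notes for reviewers:
//  - The file is modified in place with no backup. A failure part-way through
//    the loop leaves earlier sections already renamed.
//  - The section headers are part of the file contents, so any hash taken
//    before the rewrite no longer matches afterwards. An Authenticode
//    signature on the file should also be expected to stop verifying.
//  - Section names are free-form labels, so a detection or triage rule should
//    not depend on them alone.
function ProcessRandomSectionNames(F: string; Memo: TMemo): Boolean;
var
  FS: TFileStream;
  doshead: IMAGE_DOS_HEADER;
  pehead: IMAGE_NT_HEADERS;
  sectionhead: IMAGE_SECTION_HEADER;
  i: Cardinal;
  sectionname: array[0..8] of AnsiChar; // 8 name bytes + terminating #0
  randomname: AnsiString;
begin
  Result := False;
  // nil before the try so FS.Free is safe when the constructor raises.
  FS := nil;
  try
    try
      FS := TFileStream.Create(F, fmOpenReadWrite);

      // ReadBuffer raises on a short read instead of leaving the records
      // partly filled, which the original Read calls did not detect.
      FS.ReadBuffer(doshead, SizeOf(doshead)); // read the DOS header
      if doshead.e_magic <> IMAGE_DOS_SIGNATURE then
        Exit;
      if (doshead._lfanew <= 0) or
         (doshead._lfanew > FS.Size - SizeOf(pehead)) then
        Exit;

      FS.Seek(doshead._lfanew, soFromBeginning);
      FS.ReadBuffer(pehead, SizeOf(pehead)); // read the PE (NT) headers
      if pehead.Signature <> IMAGE_NT_SIGNATURE then
        Exit;

      // The loop below assumes the section table starts directly after the
      // IMAGE_NT_HEADERS record. That only holds when the optional header in
      // the file has exactly the size of the record's OptionalHeader field;
      // otherwise the writes would land on unrelated bytes, so refuse.
      if pehead.FileHeader.SizeOfOptionalHeader <> SizeOf(pehead.OptionalHeader) then
        Exit;

      Memo.Lines.Add(Format('发现%d个区段.',
        [pehead.FileHeader.NumberOfSections]));

      for i := 1 to pehead.FileHeader.NumberOfSections do
      begin
        FS.ReadBuffer(sectionhead, SizeOf(sectionhead));

        // Zero the buffer first: only 8 of its 9 bytes are overwritten, and
        // the last one must be #0 for the %s formatting below.
        FillChar(sectionname, SizeOf(sectionname), 0);
        CopyMemory(@sectionname, @sectionhead.Name, 8);
        Memo.Lines.Add(Format('正在处理第%d个区段,原区段名为[%s]',
          [i, string(PAnsiChar(@sectionname[0]))]));

        randomname := AnsiString(GetRandomSectionName); // random section name
        if Length(randomname) < 8 then
          Exit;
        CopyMemory(@sectionname, @randomname[1], 8);
        CopyMemory(@sectionhead.Name, @randomname[1], 8);

        // Step back over the header just read and write it out again.
        FS.Seek(-SizeOf(sectionhead), soFromCurrent);
        FS.WriteBuffer(sectionhead, SizeOf(sectionhead));
        Memo.Lines.Add(Format('第%d个区段名已被处理为[%s]',
          [i, string(PAnsiChar(@sectionname[0]))]));
      end;
      Result := True;
    except
      Result := False;
    end;
  finally
    FS.Free;
  end;
end;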

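// Lets the user pick a file, classifies it with CheckValidPE and logs the
// verdict. Button2 is enabled only when the file passed the check.
// The string literals were missing their quotes in the listing and are
// restored here.
procedure TForm1.Button1Click(Sender: TObject);
var
  filetype: Byte;
begin
  if not OpenDialog1.Execute then
    Exit;

  // The label caption holds the selected path for Button2Click.
  Label1.Caption := OpenDialog1.FileName;
  filetype := CheckValidPE(Label1.Caption);
  case filetype of
    0: Memo1.Lines.Add(Format('文件%s是非有效的PE文件',
         [Label1.Caption]));
    1: Memo1.Lines.Add(Format('文件%s是有效的PE文件[EXE]',
         [Label1.Caption]));
    2: Memo1.Lines.Add(Format('文件%s是有效的PE文件[DLL]',
         [Label1.Caption]));
  end;
  Button2.Enabled := filetype > 0;
end;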

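// Rewrites the section names of the file whose path is in Label1.Caption and
// logs success or failure.
// The file is checked again first: it may have been replaced or changed since
// Button1Click validated it, and the rewrite happens in place.
// The string literals were missing their quotes in the listing and are
// restored here.
procedure TForm1.Button2Click(Sender: TObject);
begin
  if (CheckValidPE(Label1.Caption) > 0) and
     ProcessRandomSectionNames(Label1.Caption, Memo1) then
    Memo1.Lines.Add('处理完毕!')
  else
    Memo1.Lines.Add('处理失败!');
end;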

end.

函数 CheckValidPE:检测PE文件的有效性,并判断该PE文件是EXE还是DLL
函数 GetRandomSectionName:生成随机区段名
函数 ProcessRandomSectionNames:处理随机区段名


附件为代码及编译好的EXE

下载链接:http://www.unpack.cn/attachment.php?aid=11254

 

 
