Theory:
Self-modifying code (SMC) is a technique that encrypts or otherwise transforms the code or data in an executable file so that reverse-engineering tools cannot analyze the program statically. Only while the program is running are the code and data decrypted, so that the program executes normally and can access its data. This article introduces the technique with a simple example.
The required environment is VC6, and the program is compiled as a release build. In this article we modify the contents of a function in the code segment while the program is running. By default, the code segment produced by the compiler is readable and executable but not writable, so we need the following preprocessor directive:
#pragma comment(linker, "/SECTION:.text,ERW")
It tells the linker to change the attributes of the section named ".text" when it generates the image. The attribute string "ERW" stands for executable, readable and writable. Alternatively, you can add the "/SECTION:.text,ERW" option directly to the linker options instead of using the #pragma comment directive.
#include <windows.h>
#include <string.h>          /* memcpy */

/* Make the .text section writable as well as executable so that a
   function body can be overwritten at run time. */
#pragma comment(linker, "/SECTION:.text,ERW")

char szDlgTitle[] = "SMC example";
char Phony[] = "This is 1st call of proc";
char Replc[] = "This is 2nd call of proc";
char ttl1[]  = "Original Code";
char ttl2[]  = "ReplaceMent Code";

void CalledProc();
void EndCalledProc();
void RepalceMentProc();
void EndRepalceMentProc();

int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
                     LPSTR lpCmdLine, int nCmdShow)
{
    /* First call: runs the original body of CalledProc. */
    CalledProc();

    /* Length of RepalceMentProc, estimated from the address of the empty
       function that follows it in the source. */
    int lnth1 = (char *)EndRepalceMentProc - (char *)RepalceMentProc;

    /* Overwrite the machine code of CalledProc with that of RepalceMentProc. */
    memcpy((char *)CalledProc, (char *)RepalceMentProc, lnth1);

    /* Second call: now executes the replacement code. */
    CalledProc();
    return 0;
}

void CalledProc()         { MessageBox(0, Phony, ttl1, MB_OK); }
void EndCalledProc()      { }
void RepalceMentProc()    { MessageBox(0, Replc, ttl2, MB_OK | MB_ICONEXCLAMATION); }
void EndRepalceMentProc() { }
Analysis:
In this example we first run the CalledProc function, which displays a MessageBox. Then, while the program is running, we use the RepalceMentProc function to modify CalledProc. In C, a function name evaluates to the address of the function's first instruction. To calculate the length of a function body, we define an empty function immediately after it; with the formula below we can then roughly calculate the length of the body. It is only a rough figure because there is still a gap between the two functions.
int lnth1 = (char *)EndRepalceMentProc - (char *)RepalceMentProc;
Because the code section is now writable, we can use the following call
memcpy((char *)CalledProc, (char *)RepalceMentProc, lnth1);
to replace the original machine code of the CalledProc function with the machine code of the RepalceMentProc function.
When CalledProc is called again, the code of the RepalceMentProc function is what actually executes. Note: this example is still a long way from a real application. The length of RepalceMentProc cannot exceed that of CalledProc(); although EndCalledProc is placed between them, that does not leave much room. You also cannot place the modified code on the stack and then change the address of CalledProc.
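As an added example (not part of the original article), here is how the side effect of the /SECTION:.text,ERW switch can be spotted from the outside: a small C program that parses the PE section table and flags any section that is both writable and executable, a property a normal .text section never has. It is run against a constructed minimal PE header rather than a real binary, and the function and buffer names are my own.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Section Characteristics flags from the PE/COFF specification. */
#define SCN_MEM_EXECUTE 0x20000000u
#define SCN_MEM_READ    0x40000000u
#define SCN_MEM_WRITE   0x80000000u

static uint32_t rd32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
/* Walks the section table of a PE image held in memory and returns how many
 * sections are both writable and executable, or -1 if the headers are malformed. */
int count_wx_sections(const uint8_t *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3c);                          /* e_lfanew */
    if (pe > len || len - pe < 24 || memcmp(img + pe, "PE\0\0", 4)) return -1;
    uint16_t nsec = rd16(img + pe + 6), optsz = rd16(img + pe + 20);
    size_t sec = (size_t)pe + 24 + optsz;                    /* first IMAGE_SECTION_HEADER */
    if (sec > len || (len - sec) / 40 < nsec) return -1;
    int wx = 0;
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        uint32_t ch = rd32(img + sec + 36);                  /* Characteristics field */
        if ((ch & SCN_MEM_WRITE) && (ch & SCN_MEM_EXECUTE)) { printf("W+X section: %.8s\n", (const char *)(img + sec)); wx++; }
    }
    return wx;
}

/* Constructed minimal PE header (not a real binary): .text marked E+R+W as
 * /SECTION:.text,ERW produces, .data marked R+W. Returns the image length. */
size_t build_sample_image(uint8_t *buf, size_t cap) {
    size_t need = 0x58 + 2 * 40;                             /* headers + two section entries */
    if (cap < need) return 0;
    memset(buf, 0, need); buf[0] = 'M'; buf[1] = 'Z';
    put32(buf + 0x3c, 0x40);                                 /* e_lfanew -> PE signature */
    memcpy(buf + 0x40, "PE\0\0", 4); buf[0x46] = 2;          /* NumberOfSections; SizeOfOptionalHeader = 0 */
    memcpy(buf + 0x58, ".text\0\0\0", 8);
    put32(buf + 0x58 + 36, SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE);
    memcpy(buf + 0x80, ".data\0\0\0", 8);
    put32(buf + 0x80 + 36, SCN_MEM_READ | SCN_MEM_WRITE);
    return need;
}

int scan_sample(void) {                                      /* build the sample and scan it */
    uint8_t img[256];
    return count_wx_sections(img, build_sample_image(img, sizeof img));
}
```

On the sample image only .text is reported, which is exactly what the pragma above would produce in the real executable; the same check applied to a file's on-disk headers is a cheap triage signal for self-modifying or packed binaries.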