Using a program to modify a PE file so that it displays a message box

Source: Internet
Author: User

The program takes the file name from the command line or, if none is given, shows a dialog box for selecting one; the file must be a valid PE executable. If the selected program uses the MessageBoxA function from the dynamic-link library USER32.dll, new instructions are added to it so that it displays a message box first; if that function is not used, the file is left unmodified. Because my understanding of the PE format documentation is only superficial, the program may not be perfect. It is intended as a reference for beginners; experts who read it are welcome to suggest improvements.

This program modifies its own code section at run time (the two MustModify cells inside FirstRun); for the assembly and link options that allow this, see "Series 11: Writing data to code segments".

This program does not increase the size of the target program (the new code is placed in the unused space at the end of its code section), and it is not suited to operations that process PE files by hand.

----------------------------------------------------------------------
; File name: 19.asm
; The code in this article was colour-formatted with Old Luo's code colouring tool; thanks to Old Luo!
        .386
        .model flat,stdcall
        option casemap:none
include Windows.inc
include Kernel32.inc
include User32.inc
include Comdlg32.inc
includelib Kernel32.lib
includelib User32.lib
includelib Comdlg32.lib

        .data
ofn             OPENFILENAME <0>        ; structure used by the Open File dialog box
FileName        db 256 dup (0)
Caption         db 'GetCommandLine',0
FilterString    db 'Executable file (*.exe)',0,'*.exe',0,0 ; file filter string
DialogTitle     db 'Please select the file to open',0
MessageTitle    db 'Your chosen file',0
NoFileError     db 'No file was selected, cannot continue!',0
ErrorTitle      db 'Warning',0
ErrorPEFormat   db 'Invalid PE format file',0
RightPEFormat   db 'Valid PE format file',0
szDll           db 'USER32.dll',0
szFunction      db 'MessageBoxA',0
ErrorMessage    db 'The MessageBoxA function is not used in the selected file!',0
CannotModify    db 'The original code section has no room for the new code!',0
OkModify        db 'The selected program has been modified successfully!',0

        .data?
hFile           dd ?
hMap            dd ?
pMapAddr        dd ?
pText           dd ?
pRdata          dd ?
MsgBoxA         dd ?

GetFileNameFromCommandLine proto :LPSTR
ModifyFile      proto :LPSTR

        .code
start:
        call    GetFileName
        .if eax==NULL                   ; no file name
                invoke MessageBox,NULL,addr NoFileError,addr ErrorTitle,MB_ICONEXCLAMATION
        .else
                call    WinMain         ; modify the file
        .endif
        invoke ExitProcess,NULL

WinMain proc
        invoke CreateFile,\             ; open the file; the parameters mean:
                addr FileName,\         ; points to the name of the file to open
                GENERIC_READ or GENERIC_WRITE,\ ; open with read and write access
                FILE_SHARE_READ or FILE_SHARE_WRITE,\ ; others may read and write this file
                NULL,\                  ; not used on Windows 95
                OPEN_EXISTING,\         ; the file to open must exist
                FILE_ATTRIBUTE_NORMAL,\ ; file attributes
                NULL                    ; must be NULL on Windows 95
        .if eax!=INVALID_HANDLE_VALUE   ; check that the file opened properly
                mov     hFile,eax       ; save the file handle
                invoke CreateFileMapping,\ ; create a file-mapping object
                        hFile,\         ; the file from which to create the mapping object
                        NULL,\          ; ignored
                        PAGE_READWRITE,\ ; access
                        0,\             ; high-order bits of the maximum size
                        0,\             ; low-order bits of the maximum size
                        NULL            ; the mapping object is created without a name
                .if eax!=NULL
                        mov     hMap,eax ; the return value is a handle to the file-mapping object
                        invoke MapViewOfFile,hMap,FILE_MAP_WRITE,0,0,NULL ; map the file into memory
                        .if eax!=NULL
                                mov     pMapAddr,eax    ; save the base address of the returned memory block
                                invoke ModifyFile,pMapAddr ; modify the contents of the memory block
                                invoke UnmapViewOfFile,pMapAddr ; release the file mapping
                        .endif
                        invoke CloseHandle,hMap ; close the memory-mapped file
                .endif
                invoke CloseHandle,hFile ; close the file
        .endif
        ret
WinMain endp

; Get the name of the file to process
; Return: eax=NULL means no file name was provided for processing,
;         otherwise eax points to the file name
GetFileName proc
        invoke GetFileNameFromCommandLine,addr FileName
        .if eax==NULL
                call    GetFileNameFromDialog
        .endif
        ret
GetFileName endp

; eax=NULL means the name of the file to process could not be extracted from the command line
GetFileNameFromCommandLine proc uses esi edi,lpString:LPSTR
        mov     edi,lpString
        invoke GetCommandLine           ; fetch the command line
        mov     esi,eax
        xor     eax,eax
        cld
G1:
        lodsb
        cmp     al,'"'                  ; does the program name item start with a double quote?
        jnz     G3
G2:
        lodsb
        cmp     al,'"'                  ; a double quote marks the end of the program name item
        jnz     G2
G3:
        lodsb
        cmp     al,' '                  ; there is always a space after the program name item
        jnz     G3
G4:
        lodsb
        cmp     al,0                    ; no parameters, leave
        jz      G7
        cmp     al,' '                  ; skip separators, which may be spaces or tabs
        jz      G4
        cmp     al,9
        jz      G4
        cmp     al,'"'                  ; does the file name item also start with a double quote?
        jnz     G5
        stosb
G4P:
        lodsb
        stosb
        cmp     al,'"'                  ; a double quote marks the end of the file name item
        jnz     G4P
        jmp     G6
G5:
        stosb
        lodsb
        cmp     al,0
        jz      G6
        cmp     al,' '                  ; without double quotes, a space, tab or 0 ends the file name item
        jz      G6
        cmp     al,9
        jnz     G5
G6:
        xor     al,al                   ; terminate with ASCII code 0
        stosb
        mov     eax,lpString
G7:
        ret
GetFileNameFromCommandLine endp

; Show the Open dialog box and ask the user to select the file to process
GetFileNameFromDialog proc
        mov     ofn.lStructSize,sizeof ofn          ; size of the structure
        mov     ofn.lpstrFilter,offset FilterString ; file filter
        mov     ofn.lpstrFile,offset FileName       ; where the file name is stored
        mov     ofn.nMaxFile,256                    ; maximum length of the file name
        mov     ofn.Flags,OFN_FILEMUSTEXIST or OFN_HIDEREADONLY or OFN_LONGNAMES
        mov     ofn.lpstrTitle,offset DialogTitle   ; title of the Open dialog box
        invoke GetOpenFileName,addr ofn             ; show the Open dialog box
        .if eax!=NULL
                lea     eax,FileName
        .endif
        ret
GetFileNameFromDialog endp

; Modifying the contents of the memory block is equivalent to modifying the contents of the file
ModifyFile proc uses ebx esi edi,lpBufferAddress:LPSTR
        mov     edi,lpBufferAddress     ; address of the memory block
        call    CheckPEValid
        .if eax==NULL
                invoke MessageBox,NULL,addr ErrorPEFormat,addr ErrorTitle,MB_ICONEXCLAMATION
        .else
                ; a valid PE: edi now holds the address of the PE header
                invoke MessageBox,NULL,addr RightPEFormat,addr MessageTitle,MB_ICONINFORMATION
                call    IniData         ; locate the .text and .rdata section headers
                call    HaveMessageBox
                .if eax!=0
                        call    AddCode
                        .if eax==0
                                invoke MessageBox,NULL,addr CannotModify,addr ErrorTitle,MB_ICONEXCLAMATION
                        .else
                                invoke MessageBox,NULL,addr OkModify,addr MessageTitle,MB_ICONINFORMATION
                        .endif
                .else
                        invoke MessageBox,NULL,addr ErrorMessage,addr ErrorTitle,MB_ICONEXCLAMATION
                .endif
        .endif
        ret
ModifyFile endp

; Check the PE file tags to determine validity
; If valid, eax (and edi) point to the PE header,
; otherwise eax=0
CheckPEValid proc
        xor     eax,eax
        assume edi:ptr IMAGE_DOS_HEADER
        .if [edi].e_magic==IMAGE_DOS_SIGNATURE      ; is the DOS header tag present?
                add     edi,[edi].e_lfanew
                assume edi:ptr IMAGE_NT_HEADERS
                .if [edi].Signature==IMAGE_NT_SIGNATURE ; is the PE header tag present?
                        mov     eax,edi             ; eax points to the PE header
                .endif
        .endif
        ret
CheckPEValid endp

; Check whether the program uses the MessageBoxA function
; Return: not used, eax=NULL;
;         otherwise eax holds the address of the cell containing the function entry
HaveMessageBox proc
        mov     esi,pRdata              ; esi points to the .rdata entry in the section table
        assume esi:ptr IMAGE_SECTION_HEADER
        mov     eax,[esi].PointerToRawData ; absolute offset of .rdata in the file
        mov     ebx,[esi].VirtualAddress ; RVA of .rdata in memory
        sub     eax,ebx
        add     eax,pMapAddr            ; plus the start of the file in memory
        mov     ecx,eax                 ; ecx converts an RVA inside .rdata to a memory address
        assume edi:ptr IMAGE_NT_HEADERS
        add     eax,[edi].OptionalHeader.DataDirectory.VirtualAddress \
                +sizeof IMAGE_DATA_DIRECTORY ; plus the RVA of the import table (assumed to be in .rdata)
        mov     esi,eax                 ; esi points to the import descriptors in .rdata
        assume esi:ptr IMAGE_IMPORT_DESCRIPTOR
Have1:
        mov     eax,[esi].Name1
        or      eax,eax
        jz      End2                    ; end of the import table, leave
        add     eax,ecx                 ; address of the DLL name in the file memory block
        push    ecx
        invoke lstrcmp,eax,addr szDll   ; is the USER32.dll library referenced?
        pop     ecx
        or      eax,eax
        jz      Have3                   ; referenced, go check the function
        add     esi,sizeof IMAGE_IMPORT_DESCRIPTOR
        jmp     Have1                   ; continue with the next descriptor
Have3:
        call    CheckFunction
End2:                                   ; done; eax=0 here means USER32.dll is not referenced
        ret
HaveMessageBox endp

; esi points to an IMAGE_IMPORT_DESCRIPTOR structure
; If the MessageBoxA function is present, eax holds the address of the cell (which holds the function entry),
; otherwise eax=0
CheckFunction proc
        assume esi:ptr IMAGE_IMPORT_DESCRIPTOR
        mov     edx,[esi].FirstThunk    ; RVA of the cell that holds the function entry
        mov     ebx,[esi].OriginalFirstThunk
        add     ebx,ecx                 ; ebx points to the IMAGE_THUNK_DATA array in the memory block
Check1:
        mov     eax,[ebx]
        or      eax,eax
        jz      Check3
        add     eax,ecx                 ; eax points to the function name entry in the memory block
        push    ecx
        push    edx
        invoke lstrcmp,eax,addr szFunction ; is it MessageBoxA?
        pop     edx
        pop     ecx
        or      eax,eax
        jz      Check2
        add     ebx,4
        add     edx,4
        jmp     Check1
Check2:
        mov     eax,edx
Check3:
        ret
CheckFunction endp

; edi points to the PE header
IniData proc
        assume edi:ptr IMAGE_NT_HEADERS
        mov     ebx,[edi].OptionalHeader.NumberOfRvaAndSizes
        lea     esi,[edi+8*ebx].OptionalHeader.DataDirectory.VirtualAddress
                                        ; esi now points to the section table
IniData1:
        mov     eax,dword ptr [esi]
        cmp     eax,7865742eh           ; is it ".tex"(t)?
        jnz     IniData2
        mov     pText,esi
        jmp     IniData3
IniData2:
        cmp     eax,6164722eh           ; is it ".rda"(ta)?
        jz      IniData4
IniData3:
        add     esi,sizeof IMAGE_SECTION_HEADER
        jmp     IniData1
IniData4:
        mov     pRdata,esi
        ret
IniData endp

; Add the new code to the original program
AddCode proc
        mov     esi,pText
        assume esi:ptr IMAGE_SECTION_HEADER
        call    ModifyCode              ; patch the new instructions
        assume edi:ptr IMAGE_NT_HEADERS
        mov     eax,[esi].Misc.VirtualSize ; length of the original code
        mov     ebx,[esi].PointerToRawData ; absolute position of the code in the file
        add     ebx,eax                 ; points just past the original code
        add     ebx,pMapAddr            ; the same position in memory
        add     eax,FirstRunLen         ; plus the length of the new code
        cmp     eax,[esi].SizeOfRawData ; compare with the aligned section length
        ja      AddCode1                ; not enough room, cannot add
        push    eax
        mov     eax,[edi].OptionalHeader.BaseOfCode ; start of the original code
        add     eax,[esi].Misc.VirtualSize ; points to the new entry
        mov     [edi].OptionalHeader.AddressOfEntryPoint,eax ; redirect the entry point to our code
        pop     eax
        mov     [esi].Misc.VirtualSize,eax ; set the new code section length
        mov     ecx,FirstRunLen         ; length of the new code
        cld
        mov     esi,offset FirstRun     ; points to the new instructions
        mov     edi,ebx                 ; destination address in the file memory block
        rep     movsb                   ; append the new instructions to the original code
        ret
AddCode1:
        xor     eax,eax                 ; failed to modify the original program, return eax=0
        ret
AddCode endp

; eax holds the RVA of the cell containing the MessageBoxA entry
ModifyCode proc
        assume edi:ptr IMAGE_NT_HEADERS
        add     eax,[edi].OptionalHeader.ImageBase ; convert to a virtual address
        mov     MustModify1,eax         ; set the MessageBoxA entry address
        mov     eax,[edi].OptionalHeader.AddressOfEntryPoint ; RVA of the original entry point
        mov     edx,[edi].OptionalHeader.BaseOfCode ; RVA of the first byte after the new code:
        add     edx,[esi].Misc.VirtualSize
        add     edx,FirstRunLen
        sub     eax,edx                 ; relative displacement within the section
        mov     MustModify2,eax         ; the jump then continues at the original code
        ret
ModifyCode endp

; This is the part that is added to the other program and executed first
FirstRun proc
        push    MB_ICONINFORMATION      ; icon of the message box
        call    FirstRun1               ; pushes the address of the title of the message box
        db      'Sweet welcome',0
FirstRun1:
        call    FirstRun2               ; pushes the address of the text of the message box
        db      'This is the information that is displayed first after the program has been modified!',0
FirstRun2:
        push    NULL
MustModify1 equ this dword+2            ; patched here so that the call reaches MessageBoxA
        call    MsgBoxA
MustModify2 equ this dword+1            ; patched here so that the jump goes to the original program
        jmp     start
FirstRun endp
FirstRunLen equ $-FirstRun              ; length of the new code
        end start
------------------------------------------------------------------------------
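The following Python script is an added example, not the article's code: it repeats the checks that 19.asm performs (CheckPEValid, IniData, HaveMessageBox/CheckFunction, the room test in AddCode and the displacement arithmetic in ModifyCode) in read-only form, so a defender can verify what the assembly does or inspect a file for the marks this kind of patch leaves. It goes beyond the article in two places: RVAs are translated through the whole section table rather than assuming the import table lies in .rdata, and an entry-point heuristic is included. The minimal PE32 image built by build_sample_pe and the 64-byte window of the heuristic are assumptions constructed for the example.

```python
# Added example, not 19.asm's code: read-only PE checks mirroring the article's procedures.
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550   # 'PE\0\0'
IMPORT_DIR_INDEX = 1              # second DataDirectory entry, the one 19.asm reads

def cstr(data, off):
    """NUL-terminated ASCII string at file offset off."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_pe(data):
    """CheckPEValid + IniData: check MZ/PE tags, read the PE32 headers and section table; None if invalid."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        return None
    nt = struct.unpack_from("<I", data, 0x3C)[0]                    # e_lfanew
    if len(data) < nt + 24 or struct.unpack_from("<I", data, nt)[0] != IMAGE_NT_SIGNATURE:
        return None
    num_sections = struct.unpack_from("<H", data, nt + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]
    opt = nt + 24                                                   # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:             # PE32 only, like the article
        return None
    entry, base_of_code = struct.unpack_from("<II", data, opt + 16)
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    import_rva = struct.unpack_from("<I", data, opt + 96 + 8 * IMPORT_DIR_INDEX)[0]
    sections = []
    for i in range(num_sections):                                   # section table follows the optional header
        off = opt + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return {"entry": entry, "base_of_code": base_of_code, "image_base": image_base,
            "import_rva": import_rva, "sections": sections}

def rva_to_offset(pe, rva):
    """General RVA -> file offset via the section table (19.asm assumes the imports live in .rdata)."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    return None

def find_import(data, pe, dll, func):
    """HaveMessageBox + CheckFunction: RVA of the IAT slot (FirstThunk cell) for dll!func, else None."""
    desc = rva_to_offset(pe, pe["import_rva"]) if pe["import_rva"] else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:                                           # null descriptor ends the table
            return None
        if cstr(data, rva_to_offset(pe, name_rva)).lower() == dll.lower():
            thunks = rva_to_offset(pe, oft or ft)                   # OriginalFirstThunk, or the IAT if absent
            for idx in range(4096):                                 # bounded walk of the thunk array
                thunk = struct.unpack_from("<I", data, thunks + 4 * idx)[0]
                if thunk == 0:
                    break
                if not thunk & 0x80000000 and cstr(data, rva_to_offset(pe, thunk) + 2) == func:
                    return ft + 4 * idx                             # +2 skips the hint before the name
        desc += 20                                                  # sizeof IMAGE_IMPORT_DESCRIPTOR
    return None

def plan_append(pe, new_code_len):
    """AddCode/ModifyCode arithmetic: room in .text, landing offset, new entry and the closing JMP rel32."""
    text = next((s for s in pe["sections"] if s["name"] == ".text"), None)
    if text is None or text["vsize"] + new_code_len > text["rawsize"]:
        return None                                                 # the CannotModify case
    new_entry = pe["base_of_code"] + text["vsize"]
    return {"slack": text["rawsize"] - text["vsize"], "file_offset": text["rawptr"] + text["vsize"],
            "new_entry": new_entry, "jmp_rel32": (pe["entry"] - (new_entry + new_code_len)) & 0xFFFFFFFF}

def entry_point_near_end_of_code(pe, window=64):
    """Defender heuristic (assumed window): after such a patch the entry point sits at the old end of .text."""
    for s in pe["sections"]:
        if s["va"] <= pe["entry"] < s["va"] + s["vsize"]:
            return s["va"] + s["vsize"] - pe["entry"] <= window
    return False

def build_sample_pe():
    """Constructed minimal PE32 image (not a runnable program) importing only USER32.dll!MessageBoxA."""
    hdr = bytearray(0x200)
    struct.pack_into("<H", hdr, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                  # e_lfanew
    struct.pack_into("<IHHIIIHH", hdr, 0x40, IMAGE_NT_SIGNATURE, 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = 0x40 + 24
    struct.pack_into("<H", hdr, opt, 0x10B)                                  # PE32 magic
    struct.pack_into("<IIII", hdr, opt + 16, 0x1000, 0x1000, 0x2000, 0x400000)  # EP, BaseOfCode, BaseOfData, ImageBase
    struct.pack_into("<I", hdr, opt + 92, 16)                                # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96 + 8 * IMPORT_DIR_INDEX, 0x2000, 40)
    sect = opt + 224
    struct.pack_into("<8sIIII", hdr, sect, b".text", 0x100, 0x1000, 0x200, 0x200)
    struct.pack_into("<8sIIII", hdr, sect + 40, b".rdata", 0x100, 0x2000, 0x200, 0x400)
    rdata = bytearray(0x200)
    struct.pack_into("<IIIII", rdata, 0, 0x2030, 0, 0, 0x2050, 0x2040)       # descriptor; the next one is null
    struct.pack_into("<I", rdata, 0x30, 0x2060)                              # OriginalFirstThunk -> hint/name
    struct.pack_into("<I", rdata, 0x40, 0x2060)                              # FirstThunk (the IAT slot)
    rdata[0x50:0x5B] = b"USER32.dll\0"
    rdata[0x60:0x6E] = b"\0\0MessageBoxA\0"
    return bytes(hdr) + bytes(0x200) + bytes(rdata)
```

On the constructed image, find_import returns 0x2040, the RVA that HaveMessageBox/CheckFunction would leave in eax before ModifyCode adds ImageBase, and plan_append(pe, 0x40) reports 0x100 bytes of slack, a new entry point of 0x1100 and a rel32 of 0xFFFFFEC0 for the final jmp, which is exactly the value ModifyCode writes into MustModify2. A patched file shows the opposite picture: its entry point lies within the last few bytes of .text's VirtualSize, which entry_point_near_end_of_code flags.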

Postscript:

Writing this program made my girlfriend so angry she cried; she ignored me for several days and said I have no room for her in my heart. It is hard being a man!
