文章作者：Nonsenser
信息来源：邪恶八进制信息安全团队（www.eviloctal.com）
原始连接：http://www.nonsenser.com/blog/article.asp?id=5

复制内容到剪贴板

代码:

.386
.model stdcall,flat
option casemap:none

include windows.inc
include kernel32.inc
includelib kernel32.lib
include user32.inc
includelib user32.lib
include comdlg32.inc
includelib comdlg32.lib

SectionAdd proto lpNTHeader:DWORD,lpSectionTable:DWORD,lpSectionName:DWORD,dwAddSize:DWORD
GetAlignedAddr proto AlignNum:DWORD,lpAddress:DWORD

.data
ofn OPENFILENAME <>
szAppName db "SectionAdd Version 1.0 By:Nonsener 2006",0
FilterString db "Executable Files (*.exe)",0,"*.exe",0
db "All Files (*.*)",0,"*.*",0,0
FileOpenError db "Cannot open the file!",0
FileOpenMappingError db "Cannot open file for memory mapping!",0
FileMappingError db "Cannot mapping the file into memory!",0
FileValidExe db "This file is a valid executable file!",0
FileInvalidExe db "This file is not a valid executable file!",0
OkMessage db "Section added Successfully!",0
szError db "Failed maybe because not enough room in pe header,file format invalid or a bad PE head and so on",0
szRoom db "There is not enough room in pe header",0
szBakEx db ".bak",0
szAdd db "fuck",0,0,0,0
addlen db 4
buffer db 512 dup (0)

.data?
hFile DWORD ?
hFileMapping DWORD ?
pMem DWORD ?
hInst DWORD ?
dwFileSize DWORD ?
dwFinalSize DWORD ?
szBakup db 512 dup (?)

.code
start:
invoke GetModuleHandle,NULL
mov hInst,eax
mov ofn.lStructSize,SIZEOF OPENFILENAME
push hInst
pop ofn.hInstance
mov ofn.lpstrFilter,offset FilterString
mov ofn.lpstrFile,offset buffer
mov ofn.nMaxFile,512
mov ofn.Flags,OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST or OFN_LONGNAMES or OFN_EXPLORER
invoke GetOpenFileName,addr ofn
or eax,eax
jnz _CreateFile
invoke MessageBox,NULL,offset FileOpenError,offset szAppName,MB_OK
xor eax,eax
ret
_CreateFile:
invoke lstrcpy,offset szBakup,offset buffer
invoke lstrcat,offset szBakup,offset szBakEx
invoke CreateFile,offset buffer,\
GENERIC_READ+GENERIC_WRITE,\
FILE_SHARE_READ,NULL,\
OPEN_EXISTING,\
FILE_ATTRIBUTE_NORMAL,\
NULL
cmp eax,INVALID_HANDLE_VALUE
jnz _GlobalAlloc
invoke MessageBox,NULL,offset FileOpenMappingError,offset szAppName,MB_OK
xor eax,eax
ret
_GlobalAlloc:
mov hFile,eax
invoke GetFileSize,hFile,0
mov dwFileSize,eax
add eax,1000h                          ;这里大小合适就行,用于给增加的区段提供内存空间
add eax,2000h
invoke CreateFileMapping,hFile,NULL,PAGE_READWRITE,0,eax,NULL
or eax,eax
jnz _MappingFile
invoke MessageBox,NULL,offset FileMappingError,offset szAppName,MB_OK
invoke CloseHandle,hFile
xor eax,eax
ret
_MappingFile:
mov hFileMapping,eax
invoke MapViewOfFile,hFileMapping,FILE_MAP_ALL_ACCESS,0,0,0
mov pMem,eax
mov edi,pMem
or eax,eax
jnz _CheckExe
jmp _ProgramExit
_CheckExe:                            ;检查文件格式是否合法
cmp WORD ptr [edi],&#39;ZM&#39;
jne _InvalidExe
mov ebx,[edi+3ch]
add edi,ebx ;edi----------->NT_HEADER
mov esi,edi
cmp WORD ptr [edi],&#39;EP&#39;
jne _InvalidExe
xor ecx,ecx
mov cx,WORD ptr [edi+06h] ;Store NumberOfSections in------------>ecx
xor ebx,ebx
mov bx,WORD ptr [edi+14h]
add edi,18h
add edi,ebx ;Now edi---------->SectionTable
;至此  esi指向NT Header
;      edi指向节表开始
;      ecx存储节数
invoke SectionAdd,esi,edi,offset szAdd,100h
or eax,eax
je _Error
_SectionAddedOK:
invoke UnmapViewOfFile,pMem
invoke MessageBox,NULL,offset OkMessage,offset szAppName,MB_OK
jmp _ProgramExit
_InvalidExe:
invoke MessageBox,NULL,offset FileInvalidExe,offset szAppName,MB_OK
jmp _ProgramExit
_Error:
invoke MessageBox,NULL,offset szError,offset szAppName,MB_OK
_ProgramExit:
invoke CloseHandle,hFileMapping
invoke CloseHandle,hFile
invoke ExitProcess,0
ret

;下面是添加区段的具体实现代码
;参数 lpNTHeader指向NT Header,lpSectionTable指向节表,lpSectionName指向要添加的节名,dwAddSize要添加节的大小.
;返回值:返回非0表示添加成功,返回0表示失败
SectionAdd proc lpNTHeader:DWORD,lpSectionTable:DWORD,lpSectionName:DWORD,dwAddSize:DWORD

LOCAL dwVirtualSize:DWORD
LOCAL lpVirtualAddr:DWORD
LOCAL dwSizeofRaw:DWORD
LOCAL lpPointToRaw:DWORD

pushad
mov esi,lpNTHeader
mov eax,dwAddSize
mov dwVirtualSize,eax
mov edi,lpSectionTable

cmp DWORD ptr [esi+38h],0
je _OnError
cmp DWORD ptr [esi+3ch],0
je _OnError
_MoveTo:
add edi,28h
loop _MoveTo ;Move to the last section table item
mov ecx,0ah
mov edx,28h
_CheckRoom:
cmp DWORD ptr [edx+edi],0
jne _RoomNotEnough
add edx,4
loop _CheckRoom

push edi
push esi

xor ecx,ecx
mov cl,8
mov esi,lpSectionName
rep movsb

pop esi
pop edi

sub edi,28h
mov eax,DWORD ptr [edi+0ch]
add eax,DWORD ptr [edi+08h]
mov ebx,DWORD ptr [esi+38h] ;ebx---------->Section Alignment
push eax
push ebx
call GetAlignedAddr
mov lpVirtualAddr,eax

mov eax,DWORD ptr [edi+14h]
add eax,DWORD ptr [edi+10h]
mov ebx,DWORD ptr [esi+3ch] ;ebx---------->File Alignment
push eax
push ebx
call GetAlignedAddr
mov lpPointToRaw,eax

mov eax,dwVirtualSize
mov ebx,DWORD ptr [esi+3ch]
push eax
push ebx
call GetAlignedAddr
mov dwVirtualSize,eax

mov ebx,DWORD ptr [esi+3ch]
push eax
push ebx
call GetAlignedAddr
mov dwSizeofRaw,eax

mov ebx,lpVirtualAddr
add ebx,eax ;Modify the ImageSize field
mov dwFinalSize,ebx
mov DWORD ptr [esi+50h],ebx
inc WORD ptr [esi+06h] ;Modify the NumberofSections

add edi,28h　　　　　　　　　　　　　　;填充所添加节的节表项
mov eax,dwVirtualSize
mov DWORD ptr [edi+08h],eax
mov eax,lpVirtualAddr
mov DWORD ptr [edi+0ch],eax
mov eax,dwSizeofRaw
mov DWORD ptr [edi+10h],eax
mov eax,lpPointToRaw
mov DWORD ptr [edi+14h],eax
mov DWORD ptr [edi+24h],0E0000020h　　　　　　;修改节属性（可以按自己的意愿修改）
popad
jmp _AddedSuccessful
_RoomNotEnough:
invoke MessageBox,0,offset szRoom,offset szAppName,0
_OnError:
xor eax,eax
ret
_AddedSuccessful:
mov eax,1
ret
SectionAdd endp

;GetAlignedAddr　计算经过文件对齐或者节对齐后的地址
;AlignNum　　　　文件或者节按次大小对齐
;lpAddress　　　　欲对其进行对齐处理的地址
;返回值：　　　　　直接返回对齐后的地址
GetAlignedAddr proc uses ebx,AlignNum:DWORD,lpAddress:DWORD
mov eax,lpAddress
mov ebx,AlignNum
xor edx,edx
_ThisLoop:
push eax
div ebx
pop eax
test edx,edx
je _GetIt
inc eax
jmp _ThisLoop
_GetIt:
ret
GetAlignedAddr endp
end start

不是吧..用汇编写的啊~~..你牛B了..

作者的代码写的十分规范，严谨，条理清晰，编程功力可见一斑，值得学习。但是加区段修改入口点感染PE文件，卡巴斯基会报New Virus。期待作者更好的作品。

写得不错，但是给你一个建议：适当使用@@标号,好象更方便些。不然的话，起标号名和起变量名一样令人伤脑筋。