C++ 如何将资源的所有字节嵌入到可执行文件中?
我有一个通过手动映射注入DLL的代码,可以很好地工作(读取磁盘中文件的所有字节),现在我想直接从资源中读取所有这些字节,我已经尝试了以下调整,但直到现在都没有成功 下面是如何直接从磁盘读取文件:C++ 如何将资源的所有字节嵌入到可执行文件中?,c++,visual-c++,visual-studio-2015,embedded-resource,C++,Visual C++,Visual Studio 2015,Embedded Resource,我有一个通过手动映射注入DLL的代码,可以很好地工作(读取磁盘中文件的所有字节),现在我想直接从资源中读取所有这些字节,我已经尝试了以下调整,但直到现在都没有成功 下面是如何直接从磁盘读取文件: bool MapRemoteModule(unsigned long pId, char *module) { IMAGE_DOS_HEADER *dosHd; IMAGE_NT_HEADERS *ntHd; HANDLE hFile = CreateFile(module,
bool MapRemoteModule(unsigned long pId, char *module)
{
IMAGE_DOS_HEADER *dosHd;
IMAGE_NT_HEADERS *ntHd;
HANDLE hFile = CreateFile(module,
GENERIC_READ,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
if(hFile == INVALID_HANDLE_VALUE)
return false;
unsigned int fSize;
if(GetFileAttributes(module) & FILE_ATTRIBUTE_COMPRESSED)
fSize = GetCompressedFileSize(module, NULL);
else
fSize = GetFileSize(hFile, NULL);
unsigned char *dllBin = new unsigned char[fSize];
unsigned int nBytes;
ReadFile(hFile, dllBin, fSize, (LPDWORD)&nBytes, FALSE);
CloseHandle(hFile);
...
// Mapping.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include "resource.h"
#include <windows.h>
#include <tlhelp32.h>
#include <shlwapi.h>
#include <string>
using namespace std;
#pragma comment(lib, "shlwapi.lib")
#define ID_LOADER_DLL MAKEINTRESOURCE(IDR_DLL1)
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5
#define MakePtr( cast, ptr, addValue ) (cast)( (DWORD_PTR)(ptr) + (DWORD_PTR)(addValue))
#define MakeDelta(cast, x, y) (cast) ( (DWORD_PTR)(x) - (DWORD_PTR)(y))
bool MapRemoteModule(unsigned long pId, LPCSTR ResName);
unsigned long GetProcessIdByName(char *);
HMODULE GetRemoteModuleHandle(unsigned long, char *);
FARPROC GetRemoteProcAddress(unsigned long, char *, char *);
bool FixImports(unsigned long, void *, IMAGE_NT_HEADERS *, IMAGE_IMPORT_DESCRIPTOR *);
bool FixRelocs(void *, void *, IMAGE_NT_HEADERS *, IMAGE_BASE_RELOCATION *, unsigned int);
bool MapSections(HANDLE, void *, void *, IMAGE_NT_HEADERS *);
PIMAGE_SECTION_HEADER GetEnclosingSectionHeader(DWORD, PIMAGE_NT_HEADERS);
LPVOID GetPtrFromRVA(DWORD, PIMAGE_NT_HEADERS, PBYTE);
__declspec(naked) void DllCall_stub(HMODULE hMod)
{
_asm
{
push 0
push 1
push [esp+0Ch]
mov eax, 0xDEADBEEF
call eax
ret
}
}
__declspec(naked) void DC_stubend(void) { }
bool MapRemoteModule(unsigned long pId, LPCSTR ResName)
{
IMAGE_DOS_HEADER *dosHd;
IMAGE_NT_HEADERS *ntHd;
HRSRC hResource;
HGLOBAL hResourceLoaded;
LPBYTE lpBuffer;
hResource = FindResource(NULL, ResName, RT_RCDATA);
if (NULL != hResource)
{
hResourceLoaded = LoadResource(NULL, hResource);
if (NULL != hResourceLoaded)
{
lpBuffer = (LPBYTE) LockResource(hResourceLoaded);
if (NULL != lpBuffer)
{
unsigned int fSize = 0;
fSize = SizeofResource(NULL, hResource);
if (fSize > 0)
{
unsigned char *dllBin = lpBuffer;
unsigned int nBytes = fSize;
dosHd = MakePtr(IMAGE_DOS_HEADER *, dllBin, 0);
if(dosHd->e_magic != IMAGE_DOS_SIGNATURE)
{
delete dllBin;
return false;
}
ntHd = MakePtr(IMAGE_NT_HEADERS *, dllBin, dosHd->e_lfanew);
if(ntHd->Signature != IMAGE_NT_SIGNATURE)
{
delete dllBin;
return false;
}
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pId);
if(!hProcess)
return false;
void *moduleBase = VirtualAllocEx(hProcess,
NULL,
ntHd->OptionalHeader.SizeOfImage,
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
if(!moduleBase)
return false;
void *stubBase = VirtualAllocEx(hProcess,
NULL,
MakeDelta(SIZE_T, DC_stubend, DllCall_stub),
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
if(!stubBase)
return false;
IMAGE_IMPORT_DESCRIPTOR *impDesc = (IMAGE_IMPORT_DESCRIPTOR *)GetPtrFromRVA(
(DWORD)(ntHd->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress),
ntHd,
(PBYTE)dllBin);
if(ntHd->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size)
{
if(!FixImports(pId,
(unsigned char *)dllBin,
ntHd,
impDesc)) return FALSE;
};
IMAGE_BASE_RELOCATION *reloc = (IMAGE_BASE_RELOCATION *)GetPtrFromRVA(
(DWORD)(ntHd->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress),
ntHd,
(PBYTE)dllBin);
if(ntHd->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size)
{
FixRelocs(dllBin,
moduleBase,
ntHd,
reloc,
ntHd->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size);
}
else
{
return false;
};
WriteProcessMemory(hProcess,
moduleBase,
dllBin,
ntHd->FileHeader.SizeOfOptionalHeader + sizeof(ntHd->FileHeader) + sizeof(ntHd->Signature),
(SIZE_T *)&nBytes);
MapSections(hProcess, moduleBase, dllBin, ntHd);
VirtualProtect((LPVOID)DllCall_stub,
MakeDelta(SIZE_T, DC_stubend, DllCall_stub),
PAGE_EXECUTE_READWRITE,
(DWORD *)&nBytes);
*MakePtr(unsigned long *, DllCall_stub, 9) =
MakePtr(unsigned long, moduleBase, ntHd->OptionalHeader.AddressOfEntryPoint);
WriteProcessMemory(hProcess,
stubBase,
(LPVOID)DllCall_stub,
MakeDelta(SIZE_T, DC_stubend, DllCall_stub),
(SIZE_T *)&nBytes);
CreateRemoteThread(hProcess,
NULL,
0,
(LPTHREAD_START_ROUTINE)stubBase,
moduleBase,
0,
NULL);
delete dllBin;
return true;
}
}
}
}
return false;
}
bool MapSections(HANDLE hProcess, void *moduleBase, void *dllBin, IMAGE_NT_HEADERS *ntHd)
{
IMAGE_SECTION_HEADER *header = IMAGE_FIRST_SECTION(ntHd);
unsigned int nBytes = 0;
unsigned int virtualSize = 0;
unsigned int n = 0;
for(unsigned int i = 0; ntHd->FileHeader.NumberOfSections; i++)
{
if(nBytes >= ntHd->OptionalHeader.SizeOfImage)
break;
WriteProcessMemory(hProcess,
MakePtr(LPVOID, moduleBase, header->VirtualAddress),
MakePtr(LPCVOID, dllBin, header->PointerToRawData),
header->SizeOfRawData,
(LPDWORD)&n);
virtualSize = header->VirtualAddress;
header++;
virtualSize = header->VirtualAddress - virtualSize;
nBytes += virtualSize;
VirtualProtectEx(hProcess,
MakePtr(LPVOID, moduleBase, header->VirtualAddress),
virtualSize,
header->Characteristics & 0x00FFFFFF,
NULL);
}
return true;
}
bool FixImports(unsigned long pId, void *base, IMAGE_NT_HEADERS *ntHd, IMAGE_IMPORT_DESCRIPTOR *impDesc)
{
char *module;
bool retfix=1;
char tempstr[MAX_PATH]="";
while((module = (char *)GetPtrFromRVA((DWORD)(impDesc->Name), ntHd, (PBYTE)base)))
{
if(!GetRemoteModuleHandle(pId, module))
{
retfix=0;
break;
};
IMAGE_THUNK_DATA *itd =
(IMAGE_THUNK_DATA *)GetPtrFromRVA((DWORD)(impDesc->FirstThunk), ntHd, (PBYTE)base);
while(itd->u1.AddressOfData)
{
IMAGE_IMPORT_BY_NAME *iibn;
iibn = (IMAGE_IMPORT_BY_NAME *)GetPtrFromRVA((DWORD)(itd->u1.AddressOfData), ntHd, (PBYTE)base);
itd->u1.Function = MakePtr(DWORD, GetRemoteProcAddress(pId,
module,
(char *)iibn->Name), 0);
itd++;
}
impDesc++;
}
return retfix;
}
bool FixRelocs(void *base, void *rBase, IMAGE_NT_HEADERS *ntHd, IMAGE_BASE_RELOCATION *reloc, unsigned int size)
{
unsigned long ImageBase = ntHd->OptionalHeader.ImageBase;
unsigned int nBytes = 0;
unsigned long delta = MakeDelta(unsigned long, rBase, ImageBase);
while(1)
{
unsigned long *locBase =
(unsigned long *)GetPtrFromRVA((DWORD)(reloc->VirtualAddress), ntHd, (PBYTE)base);
unsigned int numRelocs = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
if(nBytes >= size) break;
unsigned short *locData = MakePtr(unsigned short *, reloc, sizeof(IMAGE_BASE_RELOCATION));
for(unsigned int i = 0; i < numRelocs; i++)
{
if(((*locData >> 12) & IMAGE_REL_BASED_HIGHLOW))
*MakePtr(unsigned long *, locBase, (*locData & 0x0FFF)) += delta;
locData++;
}
nBytes += reloc->SizeOfBlock;
reloc = (IMAGE_BASE_RELOCATION *)locData;
}
return true;
}
FARPROC GetRemoteProcAddress(unsigned long pId, char *module, char *func)
{
HMODULE remoteMod = GetRemoteModuleHandle(pId, module);
HMODULE localMod = GetModuleHandle(module);
unsigned long delta = MakeDelta(unsigned long, remoteMod, localMod);
return MakePtr(FARPROC, GetProcAddress(localMod, func), delta);
}
HMODULE GetRemoteModuleHandle(unsigned long pId, char *module)
{
MODULEENTRY32 modEntry;
HANDLE tlh = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pId);
modEntry.dwSize = sizeof(MODULEENTRY32);
Module32First(tlh, &modEntry);
do
{
if(!_stricmp(modEntry.szModule, module))
return modEntry.hModule;
modEntry.dwSize = sizeof(MODULEENTRY32);
}
while(Module32Next(tlh, &modEntry));
return NULL;
}
PIMAGE_SECTION_HEADER GetEnclosingSectionHeader(DWORD rva, PIMAGE_NT_HEADERS pNTHeader)
{
PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(pNTHeader);
unsigned int i;
for ( i = 0; i < pNTHeader->FileHeader.NumberOfSections; i++, section++ )
{
DWORD size = section->Misc.VirtualSize;
if ( 0 == size )
size = section->SizeOfRawData;
if ( (rva >= section->VirtualAddress) &&
(rva < (section->VirtualAddress + size)))
return section;
}
return 0;
}
LPVOID GetPtrFromRVA( DWORD rva, IMAGE_NT_HEADERS *pNTHeader, PBYTE imageBase )
{
PIMAGE_SECTION_HEADER pSectionHdr;
INT delta;
pSectionHdr = GetEnclosingSectionHeader( rva, pNTHeader );
if ( !pSectionHdr )
return 0;
delta = (INT)(pSectionHdr->VirtualAddress-pSectionHdr->PointerToRawData);
return (PVOID) ( imageBase + rva - delta );
}
int _tmain(int argc, _TCHAR* argv[])
{
ULONG rc;
STARTUPINFO StartupInfo;
PROCESS_INFORMATION ProcessInfo;
memset(&StartupInfo, 0, sizeof(StartupInfo));
StartupInfo.cb = sizeof(STARTUPINFO);
StartupInfo.dwFlags = STARTF_USESHOWWINDOW;
StartupInfo.wShowWindow = SW_HIDE;
if (!CreateProcess( NULL, "c:\\windows\\system32\\notepad.exe", NULL, NULL, FALSE,
CREATE_NEW_CONSOLE,
NULL,
NULL,
&StartupInfo,
&ProcessInfo))
{
return 0;
}
WaitForSingleObject(ProcessInfo.hProcess, 5000);
if(!GetExitCodeProcess(ProcessInfo.hProcess, &rc))
rc = 0;
CloseHandle(ProcessInfo.hThread);
CloseHandle(ProcessInfo.hProcess);
MapRemoteModule(ProcessInfo.dwProcessId, ID_LOADER_DLL);
return 0;
}
//Mapping.cpp:定义控制台应用程序的入口点。
//
#包括“stdafx.h”
#包括“resource.h”
#包括
#包括
#包括
#包括
使用名称空间std;
#pragma注释(lib,“shlwapi.lib”)
#定义ID\u加载程序\u DLL MAKEINTRESOURCE(IDR\u DLL1)
#定义图像\u目录\u条目\u导入1
#定义图像\u目录\u条目\u BASERELOC 5
#定义MakePtr(cast,ptr,addValue)(cast)((DWORD_ptr)(ptr)+(DWORD_ptr)(addValue))
#定义MakeDelta(cast,x,y)(cast)((DWORD_PTR)(x)-(DWORD_PTR)(y))
布尔MapRemoteModule(无符号长pId,LPCSTR重新命名);
无符号长getProcessIDyname(char*);
HMODULE GetRemoteModuleHandle(无符号长,字符*);
FARPROC GetRemoteProcAddress(无符号长,字符*,字符*);
bool FixImports(无符号长、无效*、图像\u NT\u标题*、图像\u导入\u描述符*);
bool FixRelocs(void*、void*、图像头*、图像基重定位*、无符号整数);
布尔映射节(句柄、void*、void*、图像标题*);
PIMAGE_SECTION_HEADER GetEnclosuringSECTIONHEADER(DWORD、PIMAGE_NT_HEADER);
LPVOID GetPtrFromRVA(DWORD、PIMAGE\u NT\u头、PBYTE);
__declspec(裸)空DllCall_存根(HMODULE hMod)
{
_asm
{
推0
推1
按[esp+0Ch]
mov-eax,0xDEADBEEF
呼叫eax
ret
}
}
__declspec(裸)void DC_stubend(void){}
布尔MapRemoteModule(无符号长pId,LPCSTR重新命名)
{
图像_DOS_头*dosHd;
图像\u NT\u标题*ntHd;
HRSRC-hResource;
HGLOBAL-hresourceload;
LPBYTE-lpBuffer;
hResource=FindResource(NULL,ResName,RT_RCDATA);
if(NULL!=hResource)
{
hResourceLoaded=LoadResource(NULL,hResource);
如果(NULL!=hResourceLoaded)
{
lpBuffer=(LPBYTE)锁资源(hResourceLoaded);
if(NULL!=lpBuffer)
{
无符号整数fSize=0;
fSize=SizeofResource(NULL,hResource);
如果(fSize>0)
{
无符号字符*dllBin=lpBuffer;
无符号整数n字节=fSize;
dosHd=MakePtr(图像头*,dllBin,0);
如果(dosHd->e_magic!=图像\u DOS\u签名)
{
删除dllBin;
返回false;
}
ntHd=MakePtr(图像头*,dllBin,dosHd->e\u lfanew);
如果(第n个->签名!=图像\u NT\u签名)
{
删除dllBin;
返回false;
}
HANDLE hProcess=OpenProcess(PROCESS\u ALL\u ACCESS,FALSE,pId);
如果(!hProcess)
返回false;
void*moduleBase=VirtualAllocEx(hProcess,
无效的
ntHd->OptionalHeader.SizeOfImage,
记住承诺,记住保留,
页面(执行、读写);
if(!moduleBase)
返回false;
void*stubBase=VirtualAllocEx(hProcess,
无效的
MakedDelta(尺寸、DC存根、DllCall存根),
记住承诺,记住保留,
页面(执行、读写);
如果(!stubBase)
返回false;
图像导入描述符*impDesc=(图像导入描述符*)GetPtrFromRVA(
(DWORD)(ntHd->OptionalHeader.DataDirectory[IMAGE\u DIRECTORY\u ENTRY\u IMPORT].VirtualAddress),
第n天,
(PBYTE)dllBin);
if(ntHd->OptionalHeader.DataDirectory[IMAGE\u DIRECTORY\u ENTRY\u IMPORT].Size)
{
如果(!FixImports(pId,
(未签名字符*)dllBin,
第n天,
impDesc)返回FALSE;
};
IMAGE\u BASE\u RELOCATION*reloc=(IMAGE\u BASE\u RELOCATION*)GetPtrFromRVA(
(DWORD)(ntHd->OptionalHeader.DataDirectory[IMAGE\u DIRECTORY\u ENTRY\u BASERELOC].VirtualAddress),
第n天,
(PBYTE)dllBin);
if(ntHd->OptionalHeader.DataDirectory[IMAGE\u DIRECTORY\u ENTRY\u BASERELOC].Size)
{
FixRelocs(dllBin,
模块基,
第n天,
雷洛克,
ntHd->OptionalHeader.DataDirectory[IMAGE\u DIRECTORY\u ENTRY\u BASERELOC].Size);
}
其他的
{
返回false;
};
WriteProcessMemory(hProcess,
模块基,
德尔宾,
ntHd->FileHeader.SizeOfOptionalHeader+sizeof(ntHd->FileHeader)+sizeof(ntHd->Signature),
(大小*)&N字节);
映射部分(HPProcess、moduleBase、dllBin、ntHd);
虚拟保护((LPVOID)DllCall_存根,
MakedDelta(尺寸、DC存根、DllCall存根),
页面_执行_读写,
(DWORD*)和N字节);
*MakePtr(无符号长*,DllCall_存根,9)=
MakePtr(无符号长,模块基,第n个->可选标头。入口点地址);
WriteProcessMemory(hProcess,
斯塔贝斯,
(LPVOID)DllCall_存根,
MakedDelta(尺寸、DC存根、DllCall存根),
(大小*)&N字节);
CreateRemoteThread(HPProcess,
无效的
0,
(LPTHREAD_START_例程)stubBase,
模块基,
0,
无效);
删除dllBin;
返回true;
}
}
}
}
返回false;
}
bool映射节(句柄hProcess、void*moduleBase、void*dllBin、图像头*ntHd)
{
图像\u节\u头*头=图像\u第一节(ntHd);
无符号整数n字节=0;
无符号int-virtualSize=0;
无符号整数n=0;
对于(unsigned int i=0;ntHd->FileHeader.NumberOfSections;i++)
{
如果(n字节>=nTD->OptionalHeader.SizeOfImage)
打破
WriteProcessMemory(hProcess,
MakePtr(LPVOID、moduleBase、header->VirtualAddress),
MakePtr(LPCVOID、dllBin、header->pointer或wdata),
标题->SizeOfRawData,
(德沃德港)及北区;
virtualSize=标题->VirtualAddress;
header++;
virtualSize=标题->VirtualAddress-virtualSize;
n字节+=虚拟化;
VirtualProtectEx(hProcess,
MakePtr(LPVOID,