标题:用Delphi编写Windows PE文件随机区段名器
链接:http://www.unpack.cn/viewthread.php?tid=16931
作者:pathletboy
日期:2007-8-31 23:00代码:
unit MainFormUnit;
{
Written by pathletboy
2007.08.31
}
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls;
type
TForm1 = class(TForm)
Label1: TLabel;
Button1: TButton;
OpenDialog1: TOpenDialog;
Memo1: TMemo;
Button2: TButton;
procedure Button2Click(Sender: TObject);
procedure Button1Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
var
Form1: TForm1;
implementation
{$R *.dfm}
function CheckValidPE(F: string): Byte; //检查PE文件有效性
var
FS: TFileStream;
doshead: IMAGE_DOS_HEADER;
pehead: IMAGE_NT_HEADERS;
begin
if not (FileExists(F)) then
begin //判断文件是否存在
result := 0;
exit;
end;
try
try
FS := TFileStream.Create(F, fmOpenRead);
if FS.Size < $1000 then
begin //判断文件大小,小于0x1000的判定为非有效PE
result := 0;
exit;
end;
FS.ReadBuffer(doshead, sizeof(IMAGE_DOS_HEADER));
if doshead.e_magic <> IMAGE_DOS_SIGNATURE then
begin //判断Dos头
result := 0;
exit;
end;
FS.Seek(doshead._lfanew, SoFromBeginning);
FS.ReadBuffer(pehead, sizeof(IMAGE_NT_HEADERS));
if pehead.Signature <> IMAGE_NT_SIGNATURE then
begin //判断PE头
result := 0;
exit;
end;
if pehead.FileHeader.Characteristics and IMAGE_FILE_DLL = IMAGE_FILE_DLL
{//判断是EXE还是DLL}then
result := 2
else
result := 1;
except
result := 0;
end
finally
FS.Free;
end;
end;
function GetRandomSectionName: string;
var
I: Integer;
B: Byte;
begin
Result := '';
randomize;
for I := 1 to 8 do
begin
B := 32 + Random(Ord('z') - 32);
Result := Result + Chr(B);
end;
end;
function ProcessRandomSectionNames(F: string; Mem TMemo): Boolean; //处理随机区段名
var
FS: TFileStream;
doshead: IMAGE_DOS_HEADER;
pehead: IMAGE_NT_HEADERS;
sectionhead: IMAGE_SECTION_HEADER;
i: Cardinal;
sectionname: array[0..8] of char;
randomname: string;
begin
try
try
FS := TFileStream.Create(F, fmOpenReadWrite);
FS.Read(doshead, sizeof(IMAGE_DOS_HEADER)); //读取DOS头
FS.Seek(doshead._lfanew, SoFromBeginning);
FS.Read(pehead, sizeof(IMAGE_NT_HEADERS)); //读取PE头
Memo.Lines.Add(format('发现%d个区段.',
[pehead.FileHeader.NumberOfSections]));
for i := 1 to pehead.FileHeader.NumberOfSections do
begin
FS.Read(sectionhead, sizeof(IMAGE_SECTION_HEADER));
copymemory(@sectionname, @sectionhead.Name, 8);
Memo.Lines.Add(format('正在处理第%d个区段,原区段名为[%s]',
[i, sectionname]));
randomname := GetRandomSectionName; //随机区段名
copymemory(@sectionname, @randomname[1], 8);
copymemory(@sectionhead.Name, @randomname[1], 8);
FS.Seek(-sizeof(IMAGE_SECTION_HEADER), soFromCurrent);
FS.Write(sectionhead, sizeof(IMAGE_SECTION_HEADER));
Memo.Lines.Add(format('第%d个区段名已被处理为[%s]', [i,
sectionname]));
end;
result := true;
except
result := false;
end
finally
FS.Free;
end;
end;
procedure TForm1.Button1Click(Sender: TObject);
var
filetype: byte;
begin
if OpenDialog1.Execute then
begin
Label1.Caption := OpenDialog1.FileName;
filetype := CheckValidPE(Label1.Caption);
case filetype of
0: Memo1.Lines.Add(format('文件%s是非有效的PE文件',
[Label1.Caption]));
1: Memo1.Lines.Add(format('文件%s是有效的PE文件[EXE]',
[Label1.Caption]));
2: Memo1.Lines.Add(format('文件%s是有效的PE文件[DLL]',
[Label1.Caption]));
end;
if filetype > 0 then
Button2.Enabled := True
else
Button2.Enabled := False;
end;
end;
procedure TForm1.Button2Click(Sender: TObject);
begin
if ProcessRandomSectionNames(Label1.Caption, Memo1) then
Memo1.Lines.Add('处理完毕!')
else
Memo1.Lines.Add('处理失败!');
end;
end.函数CheckValidPE 检测PE有效性,及判断PE文件为EXE或DLL
函数GetRandomSectionName 生成随机区段名
函数ProcessRandomSectionNames 处理随机区段名
附件为代码及编译好的EXE
下载链接:http://www.unpack.cn/attachment.php?aid=11254
减小字体
增大字体