一晚上光搞这个了...................
/**
导入表注入DLL
*******注意 导入的DLL中要导出对应的函数。
*/
/*
 * Relocate the PE import directory into the last section and append one
 * extra import descriptor that references `dallname` and a single function
 * named "abc" (hard-coded below).
 *
 * fileBuffer : in-memory image of the original PE file (file layout, not
 *              mapped layout); it is read, not modified.
 * dallname   : NUL-terminated name of the DLL to add. Must not be NULL -
 *              strlen() is called on it without a check.
 * Returns the buffer produced by addSection(), which now carries the
 * relocated import directory. Ownership of that buffer is presumably the
 * caller's (addSection's contract is not visible here) - TODO confirm.
 *
 * Review notes:
 *  - Pointers are round-tripped through `int` throughout; this only holds
 *    on a 32-bit build (uintptr_t would be the portable choice).
 *  - Nothing checks that the last section's raw size can hold the copied
 *    descriptors plus the new descriptor, terminator, strings and thunks;
 *    every write below is unbounded - TODO confirm addSection() reserves
 *    enough space.
 *  - All of the trailing bytes that serve as terminators are assumed to be
 *    zero already, i.e. the new section is assumed zero-filled.
 *  - For a defender, the observable artefact is an import directory whose
 *    RVA points into the last section instead of the original data section.
 */
void* importTableInject(BYTE* fileBuffer,char* dallname){
// Append a section to hold the relocated import table; the new entry is
// added after the copied descriptors.
void* newBuffer = addSection(fileBuffer);
PE pe = resolvePE(newBuffer);
// Locate the existing import descriptors in the ORIGINAL buffer
// (fileBuffer), using the directory RVA parsed from the new buffer.
// dataDir[1] is the import directory entry; VA2FA is presumed to convert
// the RVA to a file offset. This assumes both buffers share the same
// header/section layout up to the original sections - TODO confirm.
_IMAGE_IMPORT_DESCRIPTOR* pImportTable = (_IMAGE_IMPORT_DESCRIPTOR*)(VA2FA(fileBuffer, pe.dataDir[1].value) + (int)fileBuffer);
// Remember where the original descriptor array starts.
_IMAGE_IMPORT_DESCRIPTOR* pImportTableStart = pImportTable;
// Count the descriptors up to (excluding) the all-zero terminator; the
// loop stops on the first descriptor whose Name RVA is 0.
int importTableNum = 0;
while (pImportTable->Name != NULL)
{
importTableNum++;
pImportTable++;
}
// Byte size of the populated descriptors (terminator not included).
int len = sizeof(_IMAGE_IMPORT_DESCRIPTOR) * importTableNum;
// Write cursor at the start of the last section's raw data in newBuffer,
// plus the matching RVA so both file offset and RVA advance together.
BYTE* cursor = (BYTE*)((int)newBuffer + pe.sectionTable[pe.NumberOfSections.value - 1].PointerToRawData.value);
int cursorVRA = (int)(pe.sectionTable[pe.NumberOfSections.value - 1].VirtualAddress.value);
// Copy the existing descriptors to the new location.
memcpy((void*)cursor, (void*)pImportTableStart,len);
// Patch the import data-directory entry: dataDir[1].address is presumed to
// be the file offset of that entry. The first DWORD (RVA) now points at the
// relocated table; the second DWORD (Size, at +4) grows by one descriptor.
int* tmp = (int*)((int)newBuffer + pe.dataDir[1].address);
*tmp = cursorVRA;
*(int*)((int)tmp + 4) = *(int*)((int)tmp + 4) + sizeof(_IMAGE_IMPORT_DESCRIPTOR);
// Advance past the copied descriptors; the new descriptor goes here.
cursor += len;
cursorVRA += len ;
_IMAGE_IMPORT_DESCRIPTOR* newDll_DESCRIPTOR = (_IMAGE_IMPORT_DESCRIPTOR*)cursor;
// Seed the new descriptor from the first original one; Name, FirstThunk
// and OriginalFirstThunk are overwritten below, the other fields are kept.
*newDll_DESCRIPTOR = *pImportTableStart;
// Skip two descriptor slots: one for the new entry, one left untouched to
// act as the all-zero terminator (relies on the section being zero-filled).
cursor += 2*sizeof(_IMAGE_IMPORT_DESCRIPTOR);
cursorVRA += 2*sizeof(_IMAGE_IMPORT_DESCRIPTOR);
// Store the DLL name (with its NUL) and point the descriptor's Name at it.
memcpy((void*)cursor, (void*)dallname, strlen(dallname)+1);
newDll_DESCRIPTOR->Name = cursorVRA;
cursor += strlen(dallname) + 1;
cursorVRA += strlen(dallname) + 1;
// Reserve 16 bytes for two 32-bit thunk arrays of one entry plus a zero
// terminator each: IAT (FirstThunk) at cursorVRA, INT (OriginalFirstThunk)
// at cursorVRA + 8. The zero terminators are again assumed pre-zeroed.
newDll_DESCRIPTOR->FirstThunk = cursorVRA;
newDll_DESCRIPTOR->OriginalFirstThunk = cursorVRA + 8;
cursor += 16;
cursorVRA += 16;
// Both thunk entries (INT at cursor-8, IAT at cursor-16) are set to the RVA
// of the IMAGE_IMPORT_BY_NAME record written next.
*(int*)(cursor - 8) = cursorVRA;
*(int*)(cursor - 16) = cursorVRA;
// IMAGE_IMPORT_BY_NAME.Hint; the value is arbitrary here.
*(WORD*)cursor = 0x0263;
// Step over the 2-byte Hint to reach the Name field.
cursor += 2;
cursorVRA += 2;
// IMAGE_IMPORT_BY_NAME.Name: the imported function is hard-coded as "abc",
// so the DLL named by dallname must export a function with that name.
memcpy((void*)cursor, "abc", strlen("abc")+1);
return newBuffer;
}