[VB6]ReAlign PE Header

  • So ich bring mal Schwung in die VB Section
    Hier ein Source um den PE-Header sozusagen aktualisieren, hilft z.b. um nicht als Dropper erkannt zu werden.


    Modul:

    Code
    1. Public Declare Sub CopyMemory Lib &quot;kernel32&quot; Alias &quot;RtlMoveMemory&quot; (Dest As Any, Src As Any, ByVal L As Long)Public Type IMAGE_DOS_HEADER e_magic As Integer ' Magic number e_cblp As Integer ' Bytes on last page of file e_cp As Integer ' Pages in file e_crlc As Integer ' Relocations e_cparhdr As Integer ' Size of header in paragraphs e_minalloc As Integer ' Minimum extra paragraphs needed e_maxalloc As Integer ' Maximum extra paragraphs needed e_ss As Integer ' Initial (relative) SS value e_sp As Integer ' Initial SP value e_csum As Integer ' Checksum e_ip As Integer ' Initial IP value e_cs As Integer ' Initial (relative) CS value e_lfarlc As Integer ' File address of relocation table e_ovno As Integer ' Overlay number e_res(0 To 3) As Integer ' Reserved words e_oemid As Integer ' OEM identifier (for e_oeminfo) e_oeminfo As Integer ' OEM information; e_oemid specific e_res2(0 To 9) As Integer ' Reserved words e_lfanew As Long ' File address of new exe headerEnd TypePublic Type IMAGE_FILE_HEADER Machine As Integer NumberOfSections As Integer TimeDateStamp As Long PointerToSymbolTable As Long NumberOfSymbols As Long SizeOfOptionalHeader As Integer characteristics As IntegerEnd TypePublic Type IMAGE_DATA_DIRECTORY VirtualAddress As Long Size As LongEnd TypePublic Type IMAGE_OPTIONAL_HEADER Magic As Integer MajorLinkerVersion As Byte MinorLinkerVersion As Byte SizeOfCode As Long SizeOfInitializedData As Long SizeOfUnitializedData As Long AddressOfEntryPoint As Long BaseOfCode As Long BaseOfData As Long ImageBase As Long SectionAlignment As Long FileAlignment As Long MajorOperatingSystemVersion As Integer MinorOperatingSystemVersion As Integer MajorImageVersion As Integer MinorImageVersion As Integer MajorSubsystemVersion As Integer MinorSubsystemVersion As Integer W32VersionValue As Long SizeOfImage As Long SizeOfHeaders As Long CheckSum As Long SubSystem As Integer DllCharacteristics As Integer SizeOfStackReserve As Long SizeOfStackCommit As Long SizeOfHeapReserve As Long SizeOfHeapCommit As Long LoaderFlags As Long NumberOfRvaAndSizes As Long DataDirectory(0 To 15) As IMAGE_DATA_DIRECTORYEnd TypePublic Type IMAGE_NT_HEADERS Signature As Long FileHeader As IMAGE_FILE_HEADER OptionalHeader As IMAGE_OPTIONAL_HEADEREnd TypePublic Type IMAGE_SECTION_HEADER SecName As String * 8 VirtualSize As Long VirtualAddress As Long SizeOfRawData As Long PointerToRawData As Long PointerToRelocations As Long PointerToLinenumbers As Long NumberOfRelocations As Integer NumberOfLinenumbers As Integer characteristics As LongEnd TypePublic Sub PatchEOF(strFile As String) Dim idh As IMAGE_DOS_HEADER Dim inh As IMAGE_NT_HEADERS Dim ish As IMAGE_SECTION_HEADER Dim FileData As String Dim ExeData() As Byte Dim ExeLen As Long Dim strpath As String 'Get binary data to file and convert to byte array FileData = GetFileData(strFile) ExeData = StrConv(FileData, vbFromUnicode) 'Copy ExeData into IMAGE_DOS_HEADER and check if it's valid CopyMemory idh, ExeData(0), 64 If idh.e_magic <> &amp;amp;amp;amp;amp;H5A4D Then Debug.Print &quot;Not Valid EXE!&quot; Exit Sub End If 'Copy ExeData into IMAGE_NT_HEADER and check if it's valid CopyMemory inh, ExeData(idh.e_lfanew), 248 If inh.Signature <> &amp;amp;amp;amp;amp;H4550 Then Debug.Print &quot;Not Valid EXE!&quot; Exit Sub End If 'Copy the last secion into IMAGE_SECTION_HEADER CopyMemory ish, ExeData(idh.e_lfanew + 248 + (inh.FileHeader.NumberOfSections - 1) * 40), 40 'Get length of EXE from headers ExeLen = ish.PointerToRawData + ish.SizeOfRawData 'Set SizeOfRawData to cover EOF data ish.SizeOfRawData = ish.SizeOfRawData + (Len(FileData) - ExeLen + 2) 'Copy IMAGE_SECTION_HEADER back into ExeData CopyMemory ExeData(idh.e_lfanew + 248 + (inh.FileHeader.NumberOfSections - 1) * 40), ish, 40 'Convert from byte array to string, and save file FileData = StrConv(ExeData(), vbUnicode) SaveFileData strFile, FileDataEnd SubPublic Function GetFileData(strFile As String) As StringDim strData As StringOpen strFile For Binary Access Read Lock Write As #1 strData = String$(LOF(1), Chr$(0)) Get #1, , strDataClose #1GetFileData = strDataEnd FunctionPublic Sub SaveFileData(strFile As String, strData As String)Open strFile For Output As #1 Print #1, strDataClose #1End Sub


    Und aufrufen tut ihr es so:

    Code
    1. PatchEOF("C:\Server.exe")


    Mfg
    Slay2oo7


    P.S: Credit liegt bei TheRouge

  • An alle die das Benutzen..
    Es wird die EOF-Daten Bifrost "zerst?ren" am Besten ihr Buildet schreibt EOF-Daten rein und dann ReAlignt PE-Header!




    Du sagst, du spürst die Ohnmacht, denn der Feind ist ach so stark
    Und er will dich niederhalten mit Geschrei durch Bein und Mark
    Mit Verboten und Zensur kann er zwar den Kampf erschweren
    Doch niemals wird ein Richterspruch den freien Geist bekehren.


    Fürchte lieber Deutschlands Untergang als die Reden der Vasallen
    Derer, die der Lüge dienen, denn schon bald werden sie fallen.