关于堆已损坏,求帮助
#pragma once#define _CRT_SECURE_NO_WARNINGS
#include<Windows.h>
#include<iostream>
#define FILE_ADDRESS "F:\\ipmsg_new.exe"
#define FILE_name "E:\\ipmsg.exe"
#define MessageBox1 0x7475FDE6
#define SHELL_CODESIZE 0x12
BYTE SHELL_CODE[] = {
0x6A,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,
0xE8,0x00,0x00,0x00,0x00,
0xE9,0x00,0x00,0x00,0x00
};
using namespace std;
int FILE_SIZE=0;
static DWORD FILE_open(LPSTR FILE_lujing, LPVOID *FILE_BUFFER)
{
FILE *NAME = NULL;
LPVOID TEP_FILEBUFFER = NULL;
NAME=fopen(FILE_lujing, "rb");
if (!NAME)
{
cout << "打开文件失败" << endl;
return 0;
}
fseek(NAME, 0, SEEK_END);//设置指针
FILE_SIZE = ftell(NAME);
fseek(NAME, 0, SEEK_SET);//设置指针
TEP_FILEBUFFER = malloc(FILE_SIZE);
if (!TEP_FILEBUFFER)
{
cout << "分配内存空间失败" << endl;
fclose(NAME);
return 0;
}
size_t n=fread(TEP_FILEBUFFER, 1, FILE_SIZE, NAME);
if (!n)
{
cout << "文件读入失败" << endl;
free(TEP_FILEBUFFER);
fclose(NAME);
return 0;
}
*FILE_BUFFER = TEP_FILEBUFFER;
TEP_FILEBUFFER = NULL;
fclose(NAME);
return FILE_SIZE;
}
static DWORD FILE_IMAGE_BUFFER(LPVOID FILE_BUFFER, LPVOID *IMAGE_BUFFER)//修改为加节状态
{
PIMAGE_DOS_HEADER PDOS_header = NULL;
PIMAGE_NT_HEADERS NT_header = NULL;
PIMAGE_FILE_HEADER PE_HEADER = NULL;
PIMAGE_OPTIONAL_HEADER32 P_OPTIONAL_HEADER = NULL;
PIMAGE_SECTION_HEADER PSECTION_HEADER = NULL;
LPVOID TEPIMAGEBUFFER = NULL;
if (FILE_BUFFER == NULL)
{
cout << "文件指针无效" << endl;
return 0;
}
if (*((PWORD)FILE_BUFFER) != IMAGE_DOS_SIGNATURE)
{
cout << "这个文件不是有效的MZ标志" << endl;
return 0;
}
PDOS_header = (PIMAGE_DOS_HEADER)FILE_BUFFER;
if (*((PDWORD)((DWORD)FILE_BUFFER +PDOS_header->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
cout << "不是有效的PE标志" << endl;
return 0;
}
NT_header = (PIMAGE_NT_HEADERS)(PDWORD)((DWORD)FILE_BUFFER + PDOS_header->e_lfanew);
PE_HEADER = (PIMAGE_FILE_HEADER)(((DWORD)NT_header) + 4);
P_OPTIONAL_HEADER = (PIMAGE_OPTIONAL_HEADER32)((DWORD)PE_HEADER + IMAGE_SIZEOF_FILE_HEADER);
PSECTION_HEADER = (PIMAGE_SECTION_HEADER)((DWORD)P_OPTIONAL_HEADER + PE_HEADER->SizeOfOptionalHeader);
TEPIMAGEBUFFER = malloc(P_OPTIONAL_HEADER->SizeOfImage);
if (!TEPIMAGEBUFFER)
{
cout << "分配空间失败" << endl;
return 0;
}
memset(TEPIMAGEBUFFER, 0, P_OPTIONAL_HEADER->SizeOfImage);
memcpy(TEPIMAGEBUFFER, PDOS_header, P_OPTIONAL_HEADER->SizeOfHeaders);
PIMAGE_SECTION_HEADER TempPSECTION_HEADER = PSECTION_HEADER;
for (int i = 0; i < PE_HEADER->NumberOfSections; i++, TempPSECTION_HEADER++)
{
memcpy((void*)((DWORD)TEPIMAGEBUFFER + TempPSECTION_HEADER->VirtualAddress), (void*)((DWORD)PDOS_header + TempPSECTION_HEADER->PointerToRawData), TempPSECTION_HEADER->SizeOfRawData);
}
*IMAGE_BUFFER = TEPIMAGEBUFFER;
TEPIMAGEBUFFER = NULL;
return P_OPTIONAL_HEADER->SizeOfImage;
}
static DWORD CopyIMAGEtoNEWBUFFER(LPVOID INMAGEBUFFER, LPVOID* NEWBUFFER)//已修改MOLLOC值
{
PIMAGE_DOS_HEADER PDOS_header = NULL;
PIMAGE_NT_HEADERS NT_header = NULL;
PIMAGE_FILE_HEADER PE_HEADER = NULL;
PIMAGE_OPTIONAL_HEADER32 P_OPTIONAL_HEADER = NULL;
PIMAGE_SECTION_HEADER PSECTION_HEADER = NULL;
LPVOID TEMPNEWBUFFER = NULL;
DWORD NUMBEROFSECTION = 0;
if (!INMAGEBUFFER)
{
cout << "缓冲区指针无效" << endl;
return 0;
}
if (*((PWORD)INMAGEBUFFER) != IMAGE_DOS_SIGNATURE)
{
cout << "这个文件不是有效的MZ标志" << endl;
return 0;
}
PDOS_header = (PIMAGE_DOS_HEADER)INMAGEBUFFER;
if (*((PDWORD)((DWORD)INMAGEBUFFER+ PDOS_header->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
cout << "不是有效的PE标志" << endl;
return 0;
}
NT_header = (PIMAGE_NT_HEADERS)(PDWORD)((DWORD)INMAGEBUFFER + PDOS_header->e_lfanew);
PE_HEADER = (PIMAGE_FILE_HEADER)(((DWORD)NT_header) + 4);
P_OPTIONAL_HEADER = (PIMAGE_OPTIONAL_HEADER32)((DWORD)PE_HEADER + IMAGE_SIZEOF_FILE_HEADER);
PSECTION_HEADER = (PIMAGE_SECTION_HEADER)((DWORD)P_OPTIONAL_HEADER + PE_HEADER->SizeOfOptionalHeader);
TEMPNEWBUFFER = malloc(FILE_SIZE+4096);
memset(TEMPNEWBUFFER, 0, FILE_SIZE + 4096);
memcpy(TEMPNEWBUFFER, PDOS_header, P_OPTIONAL_HEADER->SizeOfHeaders);
PIMAGE_SECTION_HEADER TEPPSECTION_HEADER = PSECTION_HEADER;
for (int i = 0; i < PE_HEADER->NumberOfSections; i++, TEPPSECTION_HEADER++)
{
memcpy((void*)((DWORD)TEMPNEWBUFFER + TEPPSECTION_HEADER->PointerToRawData), (void*)((DWORD)PDOS_header + TEPPSECTION_HEADER->VirtualAddress), TEPPSECTION_HEADER->SizeOfRawData);
}
*NEWBUFFER = TEMPNEWBUFFER;
TEMPNEWBUFFER = NULL;
TEPPSECTION_HEADER = NULL;
return 1;
}
static DWORD WRITEFILETOPATCH(LPSTR ADDRESS, LPVOID *NEWBUFFER)
{
if (!*NEWBUFFER)
{
cout << "内存地址无效" << endl;
return 0;
}
FILE* FILE_NEW = fopen(ADDRESS, "wb");
fwrite(*NEWBUFFER, 1, FILE_SIZE, FILE_NEW);
fclose(FILE_NEW);
return 1;
}
static DWORD AddMessageBoxA()
{
PIMAGE_DOS_HEADER PDOS_header = NULL;
PIMAGE_NT_HEADERS NT_header = NULL;
PIMAGE_FILE_HEADER PE_HEADER = NULL;
PIMAGE_OPTIONAL_HEADER32 P_OPTIONAL_HEADER = NULL;
PIMAGE_SECTION_HEADER PSECTION_HEADER = NULL;
LPVOID FILE_BUFFER=NULL;
LPVOID IMAGE_BUFFER = NULL;
LPVOID NEWBUFFER = NULL;
PBYTE CODEBEGIN=NULL;
FILE_open(FILE_name, &FILE_BUFFER);
if (!FILE_BUFFER)
{
cout << "分配空间失败" << endl;
return 0;
}
FILE_IMAGE_BUFFER(FILE_BUFFER, &IMAGE_BUFFER);
PDOS_header = (PIMAGE_DOS_HEADER)IMAGE_BUFFER;
NT_header = (PIMAGE_NT_HEADERS)(PDWORD)((DWORD)IMAGE_BUFFER + PDOS_header->e_lfanew);
PE_HEADER = (PIMAGE_FILE_HEADER)(((DWORD)NT_header) + 4);
P_OPTIONAL_HEADER = (PIMAGE_OPTIONAL_HEADER32)((DWORD)PE_HEADER + IMAGE_SIZEOF_FILE_HEADER);
PSECTION_HEADER = (PIMAGE_SECTION_HEADER)((DWORD)P_OPTIONAL_HEADER + PE_HEADER->SizeOfOptionalHeader);
CODEBEGIN = (PBYTE)((DWORD)IMAGE_BUFFER + (PSECTION_HEADER->VirtualAddress + PSECTION_HEADER->Misc.VirtualSize));
memcpy(CODEBEGIN, SHELL_CODE, SHELL_CODESIZE);
DWORD CALLADD = MessageBox1 - ((DWORD)P_OPTIONAL_HEADER->ImageBase + ((DWORD)(CODEBEGIN + 0xD)- (DWORD)IMAGE_BUFFER));
*(PDWORD)(CODEBEGIN + 9) = CALLADD;
DWORD JMPADD = (((DWORD)P_OPTIONAL_HEADER->ImageBase + P_OPTIONAL_HEADER->AddressOfEntryPoint)- (P_OPTIONAL_HEADER->ImageBase+((DWORD)(CODEBEGIN + 0x12) - (DWORD)IMAGE_BUFFER)));
*(PDWORD)(CODEBEGIN + 0xE) = JMPADD;
P_OPTIONAL_HEADER->AddressOfEntryPoint = (DWORD)CODEBEGIN - (DWORD)IMAGE_BUFFER;
CopyIMAGEtoNEWBUFFER(IMAGE_BUFFER, &NEWBUFFER);
WRITEFILETOPATCH(FILE_ADDRESS, &NEWBUFFER);
return 1;
}
static DWORD ADDSECTION_ADDCODE()
{
BYTE NAME[8] = {'t','t','t','t',0};
LPVOID FILE_BUFFER = NULL;
LPVOID IMAGE_BUFFER = NULL;
LPVOID NEWIMAGEBUFFER = NULL;
LPVOID NEWBEFFER = NULL;
PIMAGE_DOS_HEADER PDOS_header = NULL;
PIMAGE_NT_HEADERS NT_header = NULL;
PIMAGE_FILE_HEADER PE_HEADER = NULL;
PIMAGE_OPTIONAL_HEADER32 P_OPTIONAL_HEADER = NULL;
PIMAGE_SECTION_HEADER PSECTION_HEADER = NULL;
FILE_open(FILE_name, &FILE_BUFFER);
FILE_IMAGE_BUFFER(FILE_BUFFER, &IMAGE_BUFFER);
PDOS_header = (PIMAGE_DOS_HEADER)IMAGE_BUFFER;
NT_header = (PIMAGE_NT_HEADERS)(PDWORD)((DWORD)IMAGE_BUFFER + PDOS_header->e_lfanew);
PE_HEADER = (PIMAGE_FILE_HEADER)(((DWORD)NT_header) + 4);
P_OPTIONAL_HEADER = (PIMAGE_OPTIONAL_HEADER32)((DWORD)PE_HEADER + IMAGE_SIZEOF_FILE_HEADER);
PSECTION_HEADER = (PIMAGE_SECTION_HEADER)((DWORD)P_OPTIONAL_HEADER + PE_HEADER->SizeOfOptionalHeader);
PE_HEADER->NumberOfSections = PE_HEADER->NumberOfSections + 1;
P_OPTIONAL_HEADER->SizeOfImage = P_OPTIONAL_HEADER->SizeOfImage + 0x1000;
*(PSECTION_HEADER + 4)->Name = (BYTE)NAME;
(PSECTION_HEADER + 4)->Characteristics = PSECTION_HEADER->Characteristics;
(PSECTION_HEADER + 4)->Misc.VirtualSize = 0x1000;
(PSECTION_HEADER + 4)->VirtualAddress = (PSECTION_HEADER + 3)->VirtualAddress + (PSECTION_HEADER + 3)->Misc.VirtualSize+ (1000-(PSECTION_HEADER + 3)->Misc.VirtualSize%1000);
(PSECTION_HEADER + 4)->SizeOfRawData = 0x1000;
(PSECTION_HEADER + 4)->PointerToRawData = (PSECTION_HEADER + 3)->PointerToRawData + (PSECTION_HEADER + 3)->SizeOfRawData + (1000 - (PSECTION_HEADER + 3)->SizeOfRawData % 1000);
NEWIMAGEBUFFER = malloc(P_OPTIONAL_HEADER->SizeOfImage);
memset(NEWIMAGEBUFFER, 0, P_OPTIONAL_HEADER->SizeOfImage);
memcpy(NEWIMAGEBUFFER, PDOS_header, P_OPTIONAL_HEADER->SizeOfImage);
free(IMAGE_BUFFER);
CopyIMAGEtoNEWBUFFER(NEWIMAGEBUFFER, &NEWBEFFER);
free(NEWIMAGEBUFFER);
WRITEFILETOPATCH(FILE_ADDRESS, &NEWBEFFER);
return 1;
}调试时出现 0xc0000374 堆已损坏 求大神帮忙看一下哪里的问题
