I am using IDA Pro and have copied "C:\Windows\System32\notepad.exe" to "D:\notepad.exe" for code testing.
Below is the content of the "IDA View-A" tab:
.text:0000000140001000 ; File Name : D:\notepad.exe
.text:0000000140001000 ; Format : Portable executable for AMD64 (PE)
.text:0000000140001000 ; Imagebase : 140000000
.text:0000000140001000 ; Hash : BDD4ADCD
.text:0000000140001000 ; Section 1. (virtual address 00001000)
.text:0000000140001000 ; Virtual size : 000247FF ( 149503.)
.text:0000000140001000 ; Section size in file : 00024800 ( 149504.)
.text:0000000140001000 ; Offset to raw data for section: 00000400
.text:0000000140001000 ; Flags 60000020: Text Executable Readable
.text:0000000140001000 ; Alignment : default
.text:0000000140001000 ; ===========================================================================
.text:0000000140001000
.text:0000000140001000 ; Segment type: Pure code
.text:0000000140001000 ; Segment permissions: Read/Execute
.text:0000000140001000 _text segment para public 'CODE' use64
.text:0000000140001000 assume cs:_text
.text:0000000140001000 ;org 140001000h
.text:0000000140001000 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
.text:0000000140001000 byte_140001000 db 8 dup(0CCh) ; DATA XREF: HEADER:000000014000012C↑o
.text:0000000140001000 ; HEADER:0000000140000214↑o
.text:0000000140001008
.text:0000000140001008 ; =============== S U B R O U T I N E =======================================
.text:0000000140001008
.text:0000000140001008
.text:0000000140001008 sub_140001008 proc near ; CODE XREF: sub_14001FDD0+6D↓p
.text:0000000140001008 ; sub_14001FEDC+6D↓p ...
.text:0000000140001008
.text:0000000140001008 var_68 = dword ptr -68h
.text:0000000140001008 var_30 = dword ptr -30h
.text:0000000140001008 var_2C = dword ptr -2Ch
.text:0000000140001008 var_20 = dword ptr -20h
.text:0000000140001008 var_1C = dword ptr -1Ch
.text:0000000140001008 var_18 = qword ptr -18h
.text:0000000140001008 arg_20 = qword ptr 28h
.text:0000000140001008 arg_28 = qword ptr 30h
.text:0000000140001008
.text:0000000140001008 ; __unwind { // __GSHandlerCheck
.text:0000000140001008 mov r11, rsp
.text:000000014000100B sub rsp, 88h
.text:0000000140001012 mov rax, cs:__security_cookie
.text:0000000140001019 xor rax, rsp
Below is the content of the "Hex View-1" tab:
0000000140001000 CC CC CC CC CC CC CC CC 4C 8B DC 48 81 EC 88 00 ÌÌÌÌÌÌÌÌL‹ÜH.ìˆ.
0000000140001010 00 00 48 8B 05 57 F4 02 00 48 33 C4 48 89 44 24 ..H‹.Wô..H3ÄH‰D$
0000000140001020 70 48 8B 84 24 B8 00 00 00 45 33 C9 49 89 43 D8 pH‹„$¸...E3ÉI‰CØ
I want to replace
.text:0000000140001012 mov rax, cs:__security_cookie
with
.text:0000000140001012 retn
Here is the PowerShell code:
$bytes = [System.IO.File]::ReadAllBytes("D:\notepad.exe")
$offset = 0x0001012
$bytes[$offset] = 0xC3
[System.IO.File]::WriteAllBytes("D:\notepad.exe", $bytes)
But it does not work as expected. What is wrong with the PowerShell code above?
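The script above indexes the file with the relative virtual address (0x1012), but the IDA listing shows the .text section loaded at virtual address 0x1000 while its raw data starts at file offset 0x400, so the instruction lives at file offset 0x412, not 0x1012. The following is an added example, not code from the original post: it parses the PE section table to convert the virtual address into a file offset, checks that the bytes there match the instruction IDA showed (48 8B 05 ...), and writes the result to a separate file. The paths $inPath and $outPath and the choice to pad with int3 are assumptions.

```powershell
# Added example (not from the original post). Converts an IDA virtual address to a
# file offset via the PE section table, verifies the original bytes, patches a copy.
$inPath  = 'D:\notepad.exe'           # assumption: the copy used in the question
$outPath = 'D:\notepad.patched.exe'   # assumption: keep the original file untouched
$va      = 0x140001012                # VA of "mov rax, cs:__security_cookie" in the listing

$bytes = [System.IO.File]::ReadAllBytes($inPath)

# DOS header: e_lfanew at 0x3C points to the "PE\0\0" signature
$peOff = [BitConverter]::ToInt32($bytes, 0x3C)
if ($bytes[$peOff] -ne 0x50 -or $bytes[$peOff + 1] -ne 0x45) { throw 'Not a PE file' }

# COFF file header follows the 4-byte signature
$numSections = [BitConverter]::ToUInt16($bytes, $peOff + 6)
$optHdrSize  = [BitConverter]::ToUInt16($bytes, $peOff + 20)
$optHdr      = $peOff + 24
$magic       = [BitConverter]::ToUInt16($bytes, $optHdr)
if ($magic -ne 0x20B) { throw 'Expected a PE32+ (64-bit) image' }
# PE32+: ImageBase is at offset 24 of the optional header
$imageBase = [int64][BitConverter]::ToUInt64($bytes, $optHdr + 24)

$rva = [int64]$va - $imageBase

# Section table: 40-byte entries immediately after the optional header
$secTable = $optHdr + $optHdrSize
$fileOff  = $null
for ($i = 0; $i -lt $numSections; $i++) {
    $s        = $secTable + 40 * $i
    $virtSize = [BitConverter]::ToUInt32($bytes, $s + 8)
    $virtAddr = [BitConverter]::ToUInt32($bytes, $s + 12)
    $rawSize  = [BitConverter]::ToUInt32($bytes, $s + 16)
    $rawPtr   = [BitConverter]::ToUInt32($bytes, $s + 20)
    $span     = [Math]::Max($virtSize, $rawSize)
    if ($rva -ge $virtAddr -and $rva -lt ($virtAddr + $span)) {
        # file offset = RVA - section VirtualAddress + PointerToRawData
        $fileOff = [int]($rva - $virtAddr + $rawPtr)
        break
    }
}
if ($null -eq $fileOff) { throw ('VA 0x{0:X} is not inside any section' -f $va) }

# Safety check: the bytes at the computed offset must be the opcode IDA showed
# (48 8B 05 = mov rax, [rip+disp32]); otherwise the offset calculation is wrong.
$expected = 0x48, 0x8B, 0x05
for ($j = 0; $j -lt $expected.Length; $j++) {
    if ($bytes[$fileOff + $j] -ne $expected[$j]) {
        throw ('Unexpected bytes at file offset 0x{0:X}' -f $fileOff)
    }
}

# The original instruction is 7 bytes; write retn (C3) and pad the remaining six
# bytes with int3 (CC) so nothing after the patch decodes as a stray instruction.
$patch = @(0xC3) + (@(0xCC) * 6)
[Array]::Copy([byte[]]$patch, 0, $bytes, $fileOff, $patch.Length)
[System.IO.File]::WriteAllBytes($outPath, $bytes)
'Patched VA 0x{0:X} -> file offset 0x{1:X}, wrote {2}' -f $va, $fileOff, $outPath
```

For the listing in the question, the loop resolves the address to file offset 0x412 (0x1012 - 0x1000 + 0x400), which is also where the "Hex View" bytes 48 8B 05 57 F4 02 00 appear in the file. The byte check before writing is the part worth keeping in any patching script: it turns a silent wrong-offset write into an immediate error.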