EXE加锁器 只是思路

 代码有点乱 但是我不想整理

// AddBoxDlg.cpp : 实现文件
//

#include "stdafx.h"
#include "AddBox.h"
#include "AddBoxDlg.h"
#include "afxdialogex.h"
#include "PEInfo.h"
#include <ImageHlp.h>
#ifdef _DEBUG
#define new DEBUG_NEW
#endif
#define MAX_SECDATA_SIZE 2048
#pragma comment (lib,"Dbghelp.lib")


// 用于应用程序“关于”菜单项的 CAboutDlg 对话框

char szTargetPath[MAX_PATH] = "D:\Target.exe";          //目标文件的路径
char szPatchPath[MAX_PATH] = "D:\helloworld_1.exe";    //补丁文件的路径
char szModifyPEPath[MAX_PATH] = "D:\haha.exe";     //修改后生成新文件的路径

class CAboutDlg : public CDialogEx
{
public:
    CAboutDlg();

// 对话框数据
#ifdef AFX_DESIGN_TIME
    enum { IDD = IDD_ABOUTBOX };
#endif

    protected:
    virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV 支持

// 实现
protected:
    DECLARE_MESSAGE_MAP()
};

CAboutDlg::CAboutDlg() : CDialogEx(IDD_ABOUTBOX)
{
}

void CAboutDlg::DoDataExchange(CDataExchange* pDX)
{
    CDialogEx::DoDataExchange(pDX);
}

BEGIN_MESSAGE_MAP(CAboutDlg, CDialogEx)
END_MESSAGE_MAP()


// CAddBoxDlg 对话框



CAddBoxDlg::CAddBoxDlg(CWnd* pParent /*=NULL*/)
    : CDialogEx(IDD_ADDBOX_DIALOG, pParent)
    , m_strPEFilePath(_T(""))
    , m_strBoxTitle(_T(""))
    , m_strBoxContent(_T(""))
{
    m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
}

void CAddBoxDlg::DoDataExchange(CDataExchange* pDX)
{
    CDialogEx::DoDataExchange(pDX);
    DDX_Text(pDX, IDC_EDIT1, m_strPEFilePath);
    DDX_Text(pDX, IDC_EDIT2, m_strBoxTitle);
    DDX_Text(pDX, IDC_EDIT3, m_strBoxContent);
}

BEGIN_MESSAGE_MAP(CAddBoxDlg, CDialogEx)
    ON_WM_SYSCOMMAND()
    ON_WM_PAINT()
    ON_WM_QUERYDRAGICON()
    ON_BN_CLICKED(IDC_BUTTON_SCAN, &CAddBoxDlg::OnBnClickedButtonScan)
    ON_BN_CLICKED(IDOK, &CAddBoxDlg::OnBnClickedOk)
END_MESSAGE_MAP()


// CAddBoxDlg 消息处理程序

BOOL CAddBoxDlg::OnInitDialog()
{
    CDialogEx::OnInitDialog();

    // 将“关于...”菜单项添加到系统菜单中。

    // IDM_ABOUTBOX 必须在系统命令范围内。
    ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);
    ASSERT(IDM_ABOUTBOX < 0xF000);

    CMenu* pSysMenu = GetSystemMenu(FALSE);
    if (pSysMenu != NULL)
    {
        BOOL bNameValid;
        CString strAboutMenu;
        bNameValid = strAboutMenu.LoadString(IDS_ABOUTBOX);
        ASSERT(bNameValid);
        if (!strAboutMenu.IsEmpty())
        {
            pSysMenu->AppendMenu(MF_SEPARATOR);
            pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu);
        }
    }

    // 设置此对话框的图标。  当应用程序主窗口不是对话框时，框架将自动
    //  执行此操作
    SetIcon(m_hIcon, TRUE);            // 设置大图标
    SetIcon(m_hIcon, FALSE);        // 设置小图标

    // TODO: 在此添加额外的初始化代码

    return TRUE;  // 除非将焦点设置到控件，否则返回 TRUE
}

void CAddBoxDlg::OnSysCommand(UINT nID, LPARAM lParam)
{
    if ((nID & 0xFFF0) == IDM_ABOUTBOX)
    {
        CAboutDlg dlgAbout;
        dlgAbout.DoModal();
    }
    else
    {
        CDialogEx::OnSysCommand(nID, lParam);
    }
}

// 如果向对话框添加最小化按钮，则需要下面的代码
//  来绘制该图标。  对于使用文档/视图模型的 MFC 应用程序，
//  这将由框架自动完成。

void CAddBoxDlg::OnPaint()
{
    if (IsIconic())
    {
        CPaintDC dc(this); // 用于绘制的设备上下文

        SendMessage(WM_ICONERASEBKGND, reinterpret_cast<WPARAM>(dc.GetSafeHdc()), 0);

        // 使图标在工作区矩形中居中
        int cxIcon = GetSystemMetrics(SM_CXICON);
        int cyIcon = GetSystemMetrics(SM_CYICON);
        CRect rect;
        GetClientRect(&rect);
        int x = (rect.Width() - cxIcon + 1) / 2;
        int y = (rect.Height() - cyIcon + 1) / 2;

        // 绘制图标
        dc.DrawIcon(x, y, m_hIcon);
    }
    else
    {
        CDialogEx::OnPaint();
    }
}

//当用户拖动最小化窗口时系统调用此函数取得光标
//显示。
HCURSOR CAddBoxDlg::OnQueryDragIcon()
{
    return static_cast<HCURSOR>(m_hIcon);
}



void CAddBoxDlg::OnBnClickedButtonScan()
{
    // TODO: 在此添加控件通知处理程序代码
    static const TCHAR* szFileFilter = TEXT("PE File(*.exe)|*.exe||");
    CFileDialog filedlg(TRUE, 0, 0, 4 | 2, szFileFilter);
    if (IDOK == filedlg.DoModal())
    {
        m_strPEFilePath = filedlg.GetPathName();
        this->UpdateData(FALSE);
    }
}


void CAddBoxDlg::OnBnClickedOk()
{
    // TODO: 在此添加控件通知处理程序代码
    UpdateData(TRUE);
    //验证用户输入的合法性
    //if (m_strPEFilePath.IsEmpty())
    //{
    //    MessageBox(TEXT("请选择目标PE文件路径"));
    //    return;
    //}

    //if (m_strBoxTitle.IsEmpty())
    //{
    //    MessageBox(TEXT("请输入目标PE弹出对话框标题"));
    //    return;
    //}

    //if (m_strBoxContent.IsEmpty())
    //{
    //    MessageBox(TEXT("请输入目标PE弹出对话框内容"));
    //    return;
    //}

    ////加载并链接到用户所选择PE文件的映像
    //FILEMAPITEM OldFileMap = { 0 }, NewFileMap = { 0 };
    //if (!PEInfo.CreateFileMap(m_strPEFilePath.GetBuffer(0), &OldFileMap))
    //{
    //    MessageBox(TEXT("创建目标PE文件映像失败!"));
    //    return;
    //}

    ////将OldFileMap基本信息保存到PEInfo中
    //PEInfo.GetBaseInfo(&OldFileMap);

    ////初始化新区块头
    //PEInfo.InitNewSectionHeader();

    //TCHAR szNewFilePathName[MAX_PATH] = { 0 };
    //BYTE pSectionData[MAX_SECDATA_SIZE] = { 0 };

    ////生成新区块数据并修正新区块头
    //DWORD dwSecDataSize = GenSecData(pSectionData, OldFileMap.ImageBase);
    //if (dwSecDataSize > PEInfo.NewSectionHeader.SizeOfRawData)
    //{
    //    PEInfo.NewSectionHeader.SizeOfRawData = dwSecDataSize;
    //    PEInfo.AdjustSectionSize();
    //}

    ////得到要建立的PE_Box.exe路径
    //CString strTempPath = m_strPEFilePath;
    //strTempPath.SetAt(strTempPath.GetLength() - 4, 0);
    //wsprintf(szNewFilePathName, TEXT("%s%s"), strTempPath, TEXT("_box.exe"));

    ////创建一个新的映像
    //DWORD dwNewFileSize = PEInfo.NewSectionHeader.PointerToRawData + PEInfo.NewSectionHeader.SizeOfRawData;
    //if (!PEInfo.CreateNewFileMap(szNewFilePathName, dwNewFileSize, &NewFileMap))
    //{
    //    MessageBox(TEXT("创建新的映像文件失败!"));
    //    DeleteFile(szNewFilePathName);
    //    return;
    //}

    ////拷贝原PE数据
    //memcpy(NewFileMap.ImageBase, OldFileMap.ImageBase, this->PEInfo.NewSectionHeader.PointerToRawData);
    ////将及新区块头拷贝到新文件映像
    //PEInfo.AddNewSectionHeader(&OldFileMap, &NewFileMap, dwNewFileSize);
    ////将新区块内容拷贝到新文件映像
    //LPVOID pvNewSec = (LPVOID)((DWORD)(NewFileMap.ImageBase) + PEInfo.NewSectionHeader.PointerToRawData);
    //memcpy(pvNewSec, pSectionData, this->PEInfo.NewSectionHeader.SizeOfRawData);

    //PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)NewFileMap.ImageBase;
    //PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)((DWORD)NewFileMap.ImageBase + pDosHeader->e_lfanew);
    //PIMAGE_OPTIONAL_HEADER pOptionalHeader = (PIMAGE_OPTIONAL_HEADER)(&pNtHeader->OptionalHeader);

    ////修改输入表大小和位置
    //pOptionalHeader->DataDirectory[1].Size += 0x14;
    //pOptionalHeader->DataDirectory[1].VirtualAddress = PEInfo.NewSectionHeader.VirtualAddress;

    ////清除绑定输入表
    //pOptionalHeader->DataDirectory[11].Size = 0;
    //pOptionalHeader->DataDirectory[11].VirtualAddress = 0;

    ////修改程序入口
    //pOptionalHeader->AddressOfEntryPoint = PEInfo.NewSectionHeader.VirtualAddress + this->dwNewEntryOff;

    ////刷新映像缓冲 并卸载两个文件映像
    //FlushViewOfFile(NewFileMap.ImageBase, dwNewFileSize);
    //PEInfo.DeleteMap(&OldFileMap);
    //PEInfo.DeleteMap(&NewFileMap);

    //MessageBox(TEXT("添加PE _Box成功! 请到目标PE文件所在路径查看"));


    PVOID lpPatchMemory = NULL;
    PVOID lpTargetMemory = NULL;
    ULONG ulPatchSize = 0;
    ULONG ulTargetSize = 0;

    lpTargetMemory = GetFileBaseAddressAndSize(szTargetPath, &ulTargetSize);
    lpPatchMemory = GetFileBaseAddressAndSize(szPatchPath, &ulPatchSize);        //patch 补丁

    InsertPatchFileToTargetFile(lpTargetMemory, lpPatchMemory, ulTargetSize);

    CDialogEx::OnOK();
}


BOOL CAddBoxDlg::InsertPatchFileToTargetFile(PVOID lpTargetMemory, PVOID lpPatchMemory, ULONG ulTargetSize)
{
    DWORD dwFileAlignPatchCodeSize = 0;
    DWORD dwRealPatchCodeSize = 0;
    ULONG ulPathCodeSectionRVA = 0;
    ULONG ULNewFileOEP = 0;
    ULONG ulOldOEP = 0;
    ULONG ulFileAlignment = 0;


    dwRealPatchCodeSize = GetFileInfo(lpPatchMemory, RealSectionSize);        //获得Patch文件未对齐时的大小
    ulPathCodeSectionRVA = GetFileInfo(lpPatchMemory, SectionRVA);              //获得Patch文件所要加载节的RVA
    ulOldOEP = GetFileInfo(lpTargetMemory, AddressOfEntryPoint);
    ulFileAlignment = GetFileInfo(lpTargetMemory, FileAlignment);
    ULNewFileOEP = GetNewFileOEP(lpTargetMemory);
    dwFileAlignPatchCodeSize = Align(dwRealPatchCodeSize, ulFileAlignment);            //align 对齐 返回需要申请的个数

    PVOID NewFileBaseAddress = malloc(ulTargetSize + dwFileAlignPatchCodeSize);
    memset(NewFileBaseAddress, 0, ulTargetSize + dwFileAlignPatchCodeSize);

    memcpy(NewFileBaseAddress, lpTargetMemory, ulTargetSize);
    memcpy((PVOID)((ULONG_PTR)NewFileBaseAddress + ulTargetSize), (PVOID)((ULONG_PTR)lpPatchMemory + ulPathCodeSectionRVA), dwRealPatchCodeSize);


    ModifyPatchCodeJumpAddress(NewFileBaseAddress, ulTargetSize + dwRealPatchCodeSize, ULNewFileOEP, ulOldOEP, dwRealPatchCodeSize);   //修改PatchCode结尾E9跳转地址

    ModifyParameter(NewFileBaseAddress, ulTargetSize, dwFileAlignPatchCodeSize, dwRealPatchCodeSize, ULNewFileOEP);                  //修改最后一节和PE头的参数


    HANDLE hNewFile = CreateFileA(szModifyPEPath, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_ARCHIVE, NULL);
    if (hNewFile == INVALID_HANDLE_VALUE)
    {
        printf("CreateFileA Failed！
");
        return FALSE;
    }
    DWORD dwRet = 0;
    if (WriteFile(hNewFile, NewFileBaseAddress, ulTargetSize + dwFileAlignPatchCodeSize, &dwRet, NULL) == 0)
    {
        printf("WriteFile Failed！
");
        return FALSE;
    }
    else
    {
        printf("Succeed！
");
    }

    return TRUE;


}
VOID CAddBoxDlg::ModifyParameter(PVOID FileBaseAddress, ULONG ulTargetSize, ULONG ulFlieAlignPatchCodeSize, ULONG ulRealPatchCodeSize, ULONG ulNewOEP)
{
    PIMAGE_DOS_HEADER DosHead = (PIMAGE_DOS_HEADER)FileBaseAddress;
    PIMAGE_NT_HEADERS NTHead = (PIMAGE_NT_HEADERS)((ULONG_PTR)DosHead + DosHead->e_lfanew);
    PIMAGE_SECTION_HEADER SectionHead = (PIMAGE_SECTION_HEADER)((ULONG_PTR)NTHead + sizeof(IMAGE_NT_HEADERS));

    ULONG MemoryAlignment = NTHead->OptionalHeader.SectionAlignment;
    ULONG ulNumberOfSection = NTHead->FileHeader.NumberOfSections;

    SectionHead[ulNumberOfSection - 1].Characteristics = 0x60000020;
    SectionHead[ulNumberOfSection - 1].Misc.VirtualSize = SectionHead[ulNumberOfSection - 1].SizeOfRawData + ulRealPatchCodeSize;
    SectionHead[ulNumberOfSection - 1].SizeOfRawData += ulFlieAlignPatchCodeSize;


    NTHead->OptionalHeader.SizeOfImage = Align(SectionHead[ulNumberOfSection - 1].VirtualAddress + SectionHead[ulNumberOfSection - 1].SizeOfRawData, MemoryAlignment);
    NTHead->OptionalHeader.AddressOfEntryPoint = ulNewOEP;
}

VOID CAddBoxDlg::ModifyPatchCodeJumpAddress(PVOID lpNewFileBaseAddress, ULONG NewFileSize, ULONG ULNewFileOEP, ULONG ulOldOEP, ULONG ulRealPatchCodeSize)
{
    UCHAR JmpCode[] = "x00x00x00x00";
    *(int*)JmpCode = (ulOldOEP + 1) - (ULNewFileOEP + ulRealPatchCodeSize);                        //+1越过E9
    memcpy((PVOID)((UCHAR*)lpNewFileBaseAddress + NewFileSize - 5), JmpCode, strlen((char*)JmpCode));    //看内存  E9后有5个非0字节，所以不是-4

}

ULONG CAddBoxDlg::Align(ULONG FileSize, ULONG ulAlignment)
{
    if (FileSize%ulAlignment != 0)
    {
        int Temp = FileSize / ulAlignment;
        return ulAlignment*(Temp + 1);
    }
    else
    {
        return FileSize;
    }
}

ULONG CAddBoxDlg::GetNewFileOEP(PVOID lpTargetMemory)
{
    PIMAGE_DOS_HEADER DosHead = (PIMAGE_DOS_HEADER)lpTargetMemory;
    PIMAGE_NT_HEADERS NTHead = (PIMAGE_NT_HEADERS)((ULONG_PTR)DosHead + DosHead->e_lfanew);
    PIMAGE_SECTION_HEADER SectionHead = (PIMAGE_SECTION_HEADER)((ULONG_PTR)NTHead + sizeof(IMAGE_NT_HEADERS));

    ULONG ulNumberOfSection = NTHead->FileHeader.NumberOfSections;
    ULONG ulNewFileOEP = SectionHead[ulNumberOfSection - 1].VirtualAddress + 
        SectionHead[ulNumberOfSection - 1].SizeOfRawData;
    return ulNewFileOEP;
}
DWORD CAddBoxDlg::GetFileInfo(PVOID FileBaseAddress, PATCH_FILE_INFO Type)
{
    PIMAGE_DOS_HEADER DosHead = (PIMAGE_DOS_HEADER)FileBaseAddress;
    PIMAGE_NT_HEADERS NTHead = (PIMAGE_NT_HEADERS)((ULONG_PTR)DosHead + DosHead->e_lfanew);
    PIMAGE_SECTION_HEADER SectionHead = (PIMAGE_SECTION_HEADER)((ULONG_PTR)NTHead + sizeof(IMAGE_NT_HEADERS));

    DWORD dwEntryPoint = NTHead->OptionalHeader.AddressOfEntryPoint;
    DWORD dwRet = 0;
    if (Type == AddressOfEntryPoint)
    {
        dwRet = dwEntryPoint;
    }
    if (Type == FileAlignment)
    {
        dwRet = NTHead->OptionalHeader.FileAlignment;
    }

    for (int i = 0;i<NTHead->FileHeader.NumberOfSections;i++)
    {
        if (dwEntryPoint >= SectionHead[i].VirtualAddress && dwEntryPoint<SectionHead[i].VirtualAddress + SectionHead[i].SizeOfRawData)
        {

            if (Type == RealSectionSize)
            {
                dwRet = SectionHead[i].Misc.VirtualSize;
            }
            if (Type == SectionRVA)
            {
                dwRet = SectionHead[i].PointerToRawData;
            }

        }

    }

    if (dwRet == NULL)
    {
        printf("GetFileInfo Failed！
");
    }

    return dwRet;

}
PVOID CAddBoxDlg:: GetFileBaseAddressAndSize(char* szFilePath, PULONG ulFileSize)
{
    HANDLE hFile = CreateFileA(szFilePath,
        GENERIC_READ | GENERIC_WRITE, FILE_SHARE_WRITE | FILE_SHARE_WRITE, NULL,
        OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    int a = GetLastError();
    if (hFile == INVALID_HANDLE_VALUE)
    {
        printf("CreateFile Failed！
");
        return NULL;
    }
    *ulFileSize = GetFileSize(hFile, NULL);

    if (!(*ulFileSize))
    {
        printf("GetFileSize Failed！
");
        CloseHandle(hFile);
        return NULL;
    }
    HANDLE hMapFile = CreateFileMapping(
        hFile,
        NULL,
        PAGE_READWRITE,
        0,
        0,
        NULL);

    if (hMapFile == INVALID_HANDLE_VALUE)
    {
        printf("CreateFileMapping Failed！
");
        CloseHandle(hFile);
        return NULL;
    }

    PVOID FileBaseAddress = MapViewOfFile(hMapFile, FILE_MAP_ALL_ACCESS, NULL, NULL, NULL);
    if (FileBaseAddress == NULL)
    {
        CloseHandle(hFile);
        CloseHandle(hMapFile);
        printf("MapViewOfFile Failed！
");
        return NULL;
    }

    return FileBaseAddress;
}


DWORD CAddBoxDlg::GenSecData(PBYTE pData, LPVOID ImageBase)
{
    //相关首部
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)ImageBase;
    PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)((DWORD)ImageBase + pDosHeader->e_lfanew);
    PIMAGE_OPTIONAL_HEADER pOptionalHeader = (PIMAGE_OPTIONAL_HEADER)&pNtHeader->OptionalHeader;

    //得到输入表数据
    PIMAGE_DATA_DIRECTORY pImportData = (PIMAGE_DATA_DIRECTORY)(&(pOptionalHeader->DataDirectory[1]));
    PIMAGE_IMPORT_DESCRIPTOR pIID = (PIMAGE_IMPORT_DESCRIPTOR)ImageRvaToVa(pNtHeader,
        ImageBase, pImportData->VirtualAddress, NULL);

    //统计IID数量 用于后面添加新的IID
    this->dwIIDNum = 0;
    while (pIID[this->dwIIDNum].FirstThunk)
    {
        this->dwIIDNum++;
    }
        

    const char szDllName[] = "USER32.dll";
    const char szFunName[] = "MessageBoxA";

    //计算各项数据的摆放偏移
    this->dwDllNameOff = pImportData->Size + 0x14;
    this->dwFunNameOff = this->dwDllNameOff + sizeof(szDllName) + 0x3;
    this->dwIATOff = this->dwFunNameOff + sizeof(szFunName) + 0x4;
    this->dwBoxTitleOff = this->dwIATOff + 12;
    char pTitle[128] = { 0 };
    char pContent[512] = { 0 };
    GetDlgItemTextA(this->GetSafeHwnd(), IDC_EDIT2, pTitle, 128);
    GetDlgItemTextA(this->GetSafeHwnd(), IDC_EDIT3, pContent, 512);
    this->dwBoxContentOff = this->dwBoxTitleOff + strlen(pTitle) + 1;
    this->dwNewEntryOff = this->dwBoxContentOff + strlen(pContent) + 1;

    //写入数据
    //拷贝输入表数据
    memcpy(pData, (LPVOID)pIID, pImportData->Size);

    //写入新输入表条目数据
    //这里新IID的起始地址用dwIIDNum*0x14计算 而不用DataDirectory[1].size(可能有对齐问题，前者偏移140 后者160)
    PIMAGE_IMPORT_DESCRIPTOR pNewIID = PIMAGE_IMPORT_DESCRIPTOR(pData + this->dwIIDNum * 0x14);
    pNewIID->FirstThunk = this->dwIATOff + this->PEInfo.NewSectionHeader.PointerToRawData;
    pNewIID->OriginalFirstThunk = pNewIID->FirstThunk;
    pNewIID->ForwarderChain = 0xFFFFFFFF;
    pNewIID->TimeDateStamp = 0xFFFFFFFF;
    pNewIID->Name = this->PEInfo.NewSectionHeader.PointerToRawData + this->dwDllNameOff;
    //将IAT指向函数名
    *((DWORD*)(pData + this->dwIATOff))
        = this->PEInfo.NewSectionHeader.VirtualAddress + this->dwFunNameOff;
    //写入字符串数据
    memcpy(pData + this->dwDllNameOff, szDllName, sizeof(szDllName));        //DllName
    memcpy(pData + this->dwFunNameOff + 2, szFunName, sizeof(szFunName));    //FunName(前面留两个字节作序号)
    memcpy(pData + this->dwBoxTitleOff, pTitle, strlen(pTitle) + 1);        //BoxTitle
    memcpy(pData + this->dwBoxContentOff, pContent, strlen(pContent) + 1);    //BoxContent



//代码数据(程序入口)
/**********************************
/    pushad
/    push    0
/    push    0x11111111    //指向消息框标题 需修正
/    push    0x11111111    //指向消息框内容 需修正
/    push    0
/    call dword ptr MessageBoxA
/    popad
/    jmp        0x11111111    //指向原始入口     需修正
*/
//写入入口代码
    BYTE pbCode[] = { 0x60, 0x6A, 0x00, 0x68, 0x11, 0x11, 0x11, 0x11,
        0x68, 0x11, 0x11, 0x11, 0x11, 0x6A, 0x00, 0xFF, 0x15, 0xBC, 0xF2, 0x42,
        0x00, 0x61, 0xE9, 0x11, 0x11, 0x11, 0x11 };

    memcpy(pData + this->dwNewEntryOff, pbCode, sizeof(pbCode));

    //计算JMP跳转值
    DWORD dwOldEntryRVA = pOptionalHeader->AddressOfEntryPoint;
    DWORD dwNewEntryRVA = this->PEInfo.NewSectionHeader.VirtualAddress + this->dwNewEntryOff + 22;
    DWORD dwJmpDist = dwOldEntryRVA - dwNewEntryRVA - 5;

    //修正代码块中三个0x11111111待修改操作数
    //修正BoxTitle VA
    *((DWORD*)(pData + this->dwNewEntryOff + 4)) = pOptionalHeader->ImageBase + 
        this->PEInfo.NewSectionHeader.VirtualAddress + this->dwBoxTitleOff;
    //修正BoxContent VA
    *((DWORD*)(pData + this->dwNewEntryOff + 9)) = pOptionalHeader->ImageBase + 
        this->PEInfo.NewSectionHeader.VirtualAddress + this->dwBoxContentOff;
    //修正IAT VA(call ****)
    *((DWORD*)(pData + this->dwNewEntryOff + 17)) = pOptionalHeader->ImageBase + 
        this->PEInfo.NewSectionHeader.VirtualAddress + this->dwIATOff;
    //修正jmp操作数
    *((DWORD*)(pData + this->dwNewEntryOff + 23)) = dwJmpDist;

    return this->dwNewEntryOff + sizeof(pbCode) + 0x10;
}