流沙团
文件加壳实现(二) —— 读取数据并解密
2018-1-11 流沙团


半成品,继续写


// TestShell.cpp : Defines the entry point for the application.
//

#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "PEOperate.h"

/*
以挂起的形式创建进程,
获取Context
*/

#define KEY 0x56

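/*
 * Validate the PE headers of the image at pBase and return a pointer to its
 * last section header.
 *
 * Returns NULL when the DOS/NT signatures are wrong, e_lfanew is not positive,
 * the optional header is not the 32-bit variant, or the image has no sections
 * (the original code computed NumberOfSections-1 without that check, which
 * underflows for a zero-section image).
 *
 * NOTE(review): ReadPEFile() does not report how many bytes it read, so the
 * offsets used here can only be checked for internal consistency, not against
 * the real buffer length — confirm ReadPEFile's contract or extend it to
 * return the size.
 */
static PIMAGE_SECTION_HEADER FindLastSection(BYTE *pBase)
{
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pBase;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE || pDosHeader->e_lfanew <= 0)
    {
        return NULL;
    }

    PIMAGE_NT_HEADERS32 pNTHeader = (PIMAGE_NT_HEADERS32)(pBase + pDosHeader->e_lfanew);
    if (pNTHeader->Signature != IMAGE_NT_SIGNATURE)
    {
        return NULL;
    }

    PIMAGE_FILE_HEADER pPEHeader = &pNTHeader->FileHeader;
    if (pPEHeader->NumberOfSections == 0 ||
        pNTHeader->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    {
        return NULL;
    }

    // First section header follows the optional header; same arithmetic as
    // "optional header + SizeOfOptionalHeader", but via the SDK macro.
    PIMAGE_SECTION_HEADER pFirstSection = IMAGE_FIRST_SECTION(pNTHeader);
    return pFirstSection + (pPEHeader->NumberOfSections - 1);
}

/*
 * Read the packed payload stored in the last section (".enSec") of a PE file
 * and return a decoded copy of it.
 *
 * lpszFile : path of the PE file to read (the stub passes its own path).
 * fileSize : out-parameter; receives the payload size in bytes on success and
 *            0 on failure.
 *
 * Returns a malloc()'d buffer holding the section's raw data XORed with KEY
 * (ownership passes to the caller, who must free() it), or NULL when the file
 * cannot be read, its headers are not a well-formed 32-bit PE, the last
 * section is not ".enSec", the section is empty, or allocation fails.
 *
 * The file image returned by ReadPEFile() is released on every path; the
 * original returned early on the ".enSec" check and leaked it.
 *
 * NOTE: a single-byte XOR with a constant is obfuscation, not encryption —
 * KEY is embedded in this stub, so the payload has no confidentiality against
 * anyone holding the file.
 */
LPVOID GetLastSecData(LPSTR lpszFile, DWORD &fileSize)
{
    fileSize = 0;

    LPVOID pFileBuffer = ReadPEFile(lpszFile);
    if (!pFileBuffer)
    {
        printf("文件读取失败\n");
        return NULL;
    }

    LPVOID pEncryptBuffer = NULL;
    PIMAGE_SECTION_HEADER pSectionHeader_LAST = FindLastSection((BYTE *)pFileBuffer);

    if (!pSectionHeader_LAST)
    {
        printf("PE头无效\n");
    }
    // Section names are IMAGE_SIZEOF_SHORT_NAME (8) bytes and need not be
    // NUL-terminated, so compare within that bound instead of strcmp().
    else if (strncmp((const char *)pSectionHeader_LAST->Name, ".enSec",
                     IMAGE_SIZEOF_SHORT_NAME) != 0)
    {
        MessageBox(0, "没有加壳", "错误", 0);
    }
    else if (pSectionHeader_LAST->SizeOfRawData == 0)
    {
        printf("加壳数据为空\n");
    }
    else
    {
        DWORD sectionSize = pSectionHeader_LAST->SizeOfRawData;
        pEncryptBuffer = malloc(sectionSize);
        if (!pEncryptBuffer)
        {
            printf("内存分配失败\n");
        }
        else
        {
            // PointerToRawData + SizeOfRawData is trusted here; see the note
            // on FindLastSection about the missing buffer-length check.
            const BYTE *pOld = (const BYTE *)pFileBuffer + pSectionHeader_LAST->PointerToRawData;
            BYTE *pNew = (BYTE *)pEncryptBuffer;
            for (DWORD i = 0; i < sectionSize; i++)
            {
                pNew[i] = (BYTE)(pOld[i] ^ KEY);
            }
            fileSize = sectionSize;
        }
    }

    // The raw file image is not needed past this point on any path.
    free(pFileBuffer);
    return pEncryptBuffer;
}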





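/*
 * Entry point of the unpacking stub: find this executable on disk, extract the
 * payload from its ".enSec" section and decode it.  The later steps the author
 * planned (see the notes at the end) are not implemented yet.
 *
 * Returns 0 on every path; failures are reported via MessageBox.
 */
int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR lpCmdLine,
                     int nCmdShow)
{
    UNREFERENCED_PARAMETER(hInstance);
    UNREFERENCED_PARAMETER(hPrevInstance);
    UNREFERENCED_PARAMETER(lpCmdLine);
    UNREFERENCED_PARAMETER(nCmdShow);

    // Path of the running stub. GetModuleFileName returns the number of
    // characters copied: 0 means failure, and a value equal to the buffer
    // size means the path was truncated and must not be used.
    // NOTE(review): shellDirectory is TCHAR but is passed to an LPSTR
    // parameter and narrow MessageBox strings, so this only builds in a
    // non-UNICODE (MBCS) configuration — confirm the project settings.
    TCHAR shellDirectory[MAX_PATH] = {0};
    DWORD pathLen = GetModuleFileName(NULL, shellDirectory, MAX_PATH);
    if (pathLen == 0 || pathLen >= MAX_PATH)
    {
        MessageBox(0, "获取自身路径失败", "失败", 0);
        return 0;
    }
    //MessageBox(0,shellDirectory,0,0);

    DWORD encryptSize = 0;
    LPVOID encryptFileBuffer = GetLastSecData(shellDirectory, encryptSize);

    // Nothing to do without a payload; GetLastSecData has already reported
    // the specific reason.  (The old message said "write failed" although no
    // write had been attempted.)
    if (encryptFileBuffer == NULL)
    {
        MessageBox(0, "读取加壳数据失败", "失败", 0);
        return 0;
    }

    // Success — continue from here.
    //WirteToFile(encryptFileBuffer,encryptSize,"C:\\aaa.exe");
    //MessageBox(0,"结束","写出完成",MB_OK);

    // Create the process in suspended form (not implemented yet).

    // The decoded buffer is owned by this function (see GetLastSecData).
    free(encryptFileBuffer);
    return 0;
}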





 
