|
|
|---|---|
|
|
|
|
|
|
|
|
 新年祝福
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
呵呵,代码虽然很多,但是我相信大家还是看得懂吧,这个本来想写个反汇编工具的,由于反汇编引擎和编译器不兼容,所以把其他代码都删了,这里就懒得删了,我还有点浮躁
|
|
|
PE菜鸟第二篇,希望大家不了解PE格式的一起学习,代码很乱,多谢拍砖,具体参考看雪精华10和加密解密第3本,自己搜索下和看下书,
#define WIN32_LEAN_AND_MEAN
[ATTACH]53940[/ATTACH]
#include <windows.h>
#include <commdlg.h>
#include "1.h"
PIMAGE_FILE_HEADER pFileHeadera = NULL;
PIMAGE_OPTIONAL_HEADER pOptionHeader = NULL;
BOOL IsPeFile(LPVOID ImageBase) //判断是否是PE文件结构
{
PIMAGE_DOS_HEADER pDosHeader = NULL; //定义IMAGE_DOS_HEADER结构变量
PIMAGE_NT_HEADERS pNtHeader = NULL; //定义IMAGE_NT_HEADERS结构变量
if(!ImageBase) //判断映像基址,映像基址由下面的MapViewOfFile函数传入进来
return FALSE;
pDosHeader = (PIMAGE_DOS_HEADER) ImageBase; //转换ImageBase为PIMAGE_DOS_HEADER结构变量类型
if(pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) //指向IMAGE_DOS_HEADER结构变量中的e_magic成员,e_magic是0x5A4D,名为IMAGE_DOS_SIGNATURE
return FALSE;
pNtHeader = (PIMAGE_NT_HEADERS32)((DWORD)pDosHeader+pDosHeader->e_lfanew); //从IMAGE_DOS_HEADER结构变量中找到e_lfanew成员里面的起始偏移量和加上映像基址得到PE文件头的指针
if(pNtHeader->Signature != IMAGE_NT_SIGNATURE ) //指向IMAGE_NT_HEADERS结构变量中的Signature成员,Signature是0x4550,名为IMAGE_NT_SIGNATURE
return FALSE;
return TRUE;
}
PIMAGE_NT_HEADERS GetNtHeader(LPVOID ImageBase) //PE头由3部分组成,IMAGE_NT_HEADERS,IMAGE_FILE_HEADER和IMAGE_OPTIONAL_HEADER组成。
{
PIMAGE_DOS_HEADER pDosHeader = NULL;
PIMAGE_NT_HEADERS pNtHeader = NULL;
if(!IsPeFile(ImageBase))
return NULL;
pDosHeader = (PIMAGE_DOS_HEADER)ImageBase; //上面有注释,自己观看
pNtHeader = (PIMAGE_NT_HEADERS32)((DWORD)pDosHeader+pDosHeader->e_lfanew); //上面有注释,自己观看
return pNtHeader;
}
PIMAGE_FILE_HEADER WINAPI GetFileHeader(LPVOID Imagebase)
{
PIMAGE_FILE_HEADER pFileHeader; //PIMAGE_FILE_HEADER类型同下面注释的IMAGE_FILE_HEADER结构类型
PIMAGE_NT_HEADERS pNtHeader = NULL;
pNtHeader = GetNtHeader(Imagebase);
if(!pNtHeader)
return NULL;
pFileHeader = & pNtHeader->FileHeader;
return pFileHeader;
}
//参见这个结构
// typedef struct _IMAGE_NT_HEADERS {
// DWORD Signature;
// IMAGE_FILE_HEADER FileHeader;
// IMAGE_OPTIONAL_HEADER32 OptionalHeader;
// } IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;这两个FileHeader和OptionalHeader成员都被定义了类型,所以返回的类型为就是这个定义的类型
PIMAGE_OPTIONAL_HEADER GetOptionalHeader(LPVOID ImageBase)
{
PIMAGE_OPTIONAL_HEADER pOptionHeader = NULL; // PIMAGE_OPTIONAL_HEADER32 类型同上面注释中的类型,这里名字不一样是因为有一个typedef,typedef PIMAGE_OPTIONAL_HEADER32 PIMAGE_OPTIONAL_HEADER;
PIMAGE_NT_HEADERS pNtHeader = NULL;
pNtHeader = GetNtHeader(ImageBase);
if(!pNtHeader)
return NULL;
pOptionHeader = & pNtHeader->OptionalHeader;
return pOptionHeader;
}
void OpenFileA(HWND hwnd)
{ HANDLE hFile;
HANDLE hMapping;
LPVOID ImageBase;
char szFileName[MAX_PATH] = {0};
TCHAR Buff[100];
OPENFILENAME ofn;
ZeroMemory(&ofn, sizeof(OPENFILENAME));
ofn.lStructSize = sizeof(OPENFILENAME);
ofn.lpstrFile = szFileName;
ofn.nMaxFile = MAX_PATH;
ofn.lpstrFilter = "Exe Files(*.exe)\0*.exe\0All Files(*.*)\0*.*\0\0";
ofn.nFilterIndex = 1;
if( !GetOpenFileName(&ofn) )
{
Sleep(1000);
}
wsprintf(Buff,"%s",ofn.lpstrFile);
SetDlgItemText(hwnd,IDE_Edit,Buff);
hFile=CreateFile(szFileName,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);//创建文件
if (!hFile){;}
hMapping=CreateFileMapping(hFile,NULL,PAGE_READONLY,0,0,NULL); //创建文件映像
if(!hMapping)
{
CloseHandle(hFile);
}
ImageBase=MapViewOfFile(hMapping,FILE_MAP_READ,0,0,0); //映射文件基址
if(!ImageBase)
{
CloseHandle(hMapping);
CloseHandle(hFile);
}
if(!IsPeFile(ImageBase))
{
MessageBox(hwnd,"不是PE文件!","提示信息",MB_ICONERROR);
return ;
}
else
pFileHeadera = GetFileHeader(ImageBase);
pOptionHeader = GetOptionalHeader(ImageBase);
if(!(pFileHeadera&&pOptionHeader))
{
MessageBox(hwnd,"获取文件头失败","PEINFO",MB_ICONERROR);
return ;
}
wsprintf(Buff,"%08lX",pFileHeadera->Machine); //IMAGE_FILE_HEADER结构内容读取,下面一样,具体观看http://bbs.pediy.com/showthread.php?t=100823
SetDlgItemText(hwnd,IDE_Machine,Buff);
wsprintf(Buff,"%08lX",pFileHeadera->NumberOfSections);
SetDlgItemText(hwnd,IDE_NumberOfSections,Buff);
wsprintf(Buff,"%08lX",pFileHeadera->TimeDateStamp);
SetDlgItemText(hwnd,IDE_TimeDateStamp,Buff);
wsprintf(Buff,"%08lX",pFileHeadera->PointerToSymbolTable);
SetDlgItemText(hwnd,IDE_PointerToSymbolTable,Buff);
wsprintf(Buff,"%08lX",pFileHeadera->NumberOfSymbols);
SetDlgItemText(hwnd,IDE_NumberOfSymbols,Buff);
wsprintf(Buff,"%08lX",pFileHeadera->SizeOfOptionalHeader);
SetDlgItemText(hwnd,IDE_SizeOfOptionalHeader,Buff);
wsprintf(Buff,"%08lX",pFileHeadera->Characteristics);
SetDlgItemText(hwnd,IDE_Characteristics,Buff);
}
BOOL CALLBACK DialogProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
switch(uMsg)
{
case WM_INITDIALOG:
return TRUE;
case WM_CLOSE:
DestroyWindow(hwndDlg);
return TRUE;
case WM_COMMAND:
switch(LOWORD(wParam))
{
case 4003:
OpenFileA(hwndDlg);
return FALSE;
case 4005:
return FALSE;
}
}
return FALSE;
}
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
WNDCLASSEX wcx;
wcx.cbSize = sizeof(wcx);
wcx.hInstance = hInstance;
wcx.hIcon = LoadIcon(hInstance, MAKEINTRESOURCE(IDI_ICON));
wcx.hIconSm = LoadIcon(hInstance, MAKEINTRESOURCE(IDI_ICON));
// The user interface is a modal dialog box
return DialogBox(hInstance, MAKEINTRESOURCE(1001), NULL, DialogProc);
} |
|
|
|
|
|
|
|
|
 临渊羡渔,不如退而结网,慢慢来,送你一句话:路再长,一步一步也能走完,路再短,不迈开脚步永远无法达到,坚持走自己的路,一步一步慢慢来就行了~~加油,希望你能坚持下去~~
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
哈哈
 ,只是看到IsPEFile这种奇怪函数名字的好奇心而已,然后google了一下。。。
|
|
|
|
|
|
|
|
|
|
