能力值:
( LV4,RANK:50 )
|
-
-
2 楼
// PeHeaders.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <windows.h>
#include <time.h>
#include <imagehlp.h>
#pragma comment (lib, "imagehlp.lib")
int _tmain(int argc, _TCHAR* argv[])
{
while (TRUE) {
WCHAR cFile[256] = {0};
printf("Please enter the file name and path:");
wscanf(L"%s",cFile);
HANDLE hFile = NULL;
hFile = ::CreateFile((LPCWSTR)cFile,GENERIC_READ,0,NULL,OPEN_EXISTING,NULL,NULL);
if (hFile == INVALID_HANDLE_VALUE){
printf("Create file failed! (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//创建文件映射
HANDLE hMap = NULL;
hMap = ::CreateFileMapping(hFile,NULL,PAGE_READONLY,0,0,0);
if (!hMap){
printf("Create file mapping failed! (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//映射进自己的进程空间
LPVOID pMap = NULL;
pMap = ::MapViewOfFile(hMap,FILE_MAP_READ,0,0,0);
if (!pMap){
printf("Mapping file failed (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//获得DOS头文件指针
PIMAGE_DOS_HEADER pDosHeader = NULL;//DOS头文件
pDosHeader = (PIMAGE_DOS_HEADER)pMap;
//判断DOS头标志 IMAGE_DOS_SIGNATURE 0x5A4D MZ
if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE){
printf("Not DOS Header! (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//获得PE头文件指针
PIMAGE_NT_HEADERS pPeHeaders = NULL;//PE头文件
pPeHeaders = (PIMAGE_NT_HEADERS)((LONG)pMap + pDosHeader->e_lfanew);
//判断PE头标志 IMAGE_NT_SIGNATURE 0x00004550 PE00
if (pPeHeaders->Signature != IMAGE_NT_SIGNATURE){
printf("Not PE Header! (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//打印是否PE32还是PE32+或者ROM
if (pPeHeaders->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC){
printf("PE32\n");
}
else if(pPeHeaders->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC){
printf("PE32+\n");
}
else if(pPeHeaders->OptionalHeader.Magic == IMAGE_ROM_OPTIONAL_HDR_MAGIC){
printf("ROM\n");
}
else{
printf("Unknow!\n\n");
}
//打印可执行文件的目标CPU类型
switch (pPeHeaders->FileHeader.Machine) {
case IMAGE_FILE_MACHINE_I386:
printf("CUP Type: Intel 386\n\n");
break;
case IMAGE_FILE_MACHINE_R3000:
printf("CUP Type: MIPS little-endian, 0x160 big-endian\n\n");
break;
case IMAGE_FILE_MACHINE_R4000:
printf("CUP Type: MIPS little-endian\n\n");
break;
case IMAGE_FILE_MACHINE_R10000:
printf("CUP Type: MIPS little-endian\n\n");
break;
case IMAGE_FILE_MACHINE_WCEMIPSV2:
printf("CUP Type: MIPS little-endian WCE v2\n\n");
break;
case IMAGE_FILE_MACHINE_ALPHA:
printf("CUP Type: Alpha_AXP\n\n");
break;
case IMAGE_FILE_MACHINE_SH3:
printf("CUP Type: SH3 little-endian\n\n");
break;
case IMAGE_FILE_MACHINE_SH3DSP:
printf("CUP Type: SH3E little-endian\n\n");
break;
case IMAGE_FILE_MACHINE_SH3E:
printf("CUP Type: Intel 386\n\n");
break;
case IMAGE_FILE_MACHINE_SH4:
printf("CUP Type: SH4 little-endian\n\n");
break;
case IMAGE_FILE_MACHINE_SH5:
printf("CUP Type: SH5\n\n");
break;
case IMAGE_FILE_MACHINE_ARM:
printf("CUP Type: ARM Little-Endian\n\n");
break;
case IMAGE_FILE_MACHINE_THUMB:
printf("CUP Type: THUMB\n\n");
break;
case IMAGE_FILE_MACHINE_AM33:
printf("CUP Type: AM33\n\n");
break;
case IMAGE_FILE_MACHINE_POWERPC:
printf("CUP Type: IBM PowerPC Little-Endian\n\n");
break;
case IMAGE_FILE_MACHINE_POWERPCFP:
printf("CUP Type: POWERPCFP\n\n");
break;
case IMAGE_FILE_MACHINE_IA64:
printf("CUP Type: Intel 64\n\n");
break;
case IMAGE_FILE_MACHINE_MIPS16:
printf("CUP Type: MIPS16\n\n");
break;
case IMAGE_FILE_MACHINE_ALPHA64:
printf("CUP Type: ALPHA64\n\n");
break;
case IMAGE_FILE_MACHINE_MIPSFPU:
printf("CUP Type: MIPSFPU\n\n");
break;
/*case IMAGE_FILE_MACHINE_AXP64:
printf("CUP Type: AXP64\n\n");
break;*/
case IMAGE_FILE_MACHINE_TRICORE:
printf("CUP Type: TRICORE\n\n");
break;
case IMAGE_FILE_MACHINE_CEF:
printf("CUP Type: CEF\n\n");
break;
case IMAGE_FILE_MACHINE_EBC:
printf("CUP Type: EFI Byte Code\n\n");
break;
case IMAGE_FILE_MACHINE_AMD64:
printf("CUP Type: AMD64 (K8)\n\n");
break;
case IMAGE_FILE_MACHINE_M32R:
printf("CUP Type: M32R little-endian\n\n");
break;
case IMAGE_FILE_MACHINE_CEE:
printf("CUP Type: CEE\n\n");
break;
default:
printf("CUP Type: UNKNOWN\n\n");
break;
}
//打印PE头信息IMAGE_NT_HEADERS
printf("|--PE HEADERS\n"
"\t|--DWORD\tpPeHeaders.Signature:\t0x%08x\t(%s)\n" \
//pPeHeaders.FileHeader
"\t|--STRUCT\tpPeHeaders.FileHeader\n" \
"\t\t|--WORD\t\tMachine:\t\t0x%08x\n" \
"\t\t|--WORD\t\tNumberOfSections:\t0x%08x\n" \
"\t\t|--DWORD\tTimeDateStamp:\t\t0x%08x\n" \
"\t\t|--DWORD\tPointerToSymbolTable:\t0x%08x\n" \
"\t\t|--DWORD\tNumberOfSymbols:\t0x%08x\n" \
"\t\t|--WORD\t\tSizeOfOptionalHeader:\t0x%08x\n" \
"\t\t|--WORD\t\tCharacteristics:\t0x%08x\n" \
//pPeHeaders.OptionalHeader
"\t|--STRUCT\tpPeHeaders.OptionalHeader\n" \
"\t\t|--WORD\t\tMagic:\t\t\t\t0x%08x\n" \
"\t\t|--WORD\t\tMajorLinkerVersion:\t\t0x%08x\n" \
"\t\t|--DWORD\tMinorLinkerVersion:\t\t0x%08x\n" \
"\t\t|--DWORD\tSizeOfCode:\t\t\t0x%08x\n" \
"\t\t|--DWORD\tSizeOfInitializedData:\t\t0x%08x\n" \
"\t\t|--WORD\t\tSizeOfUninitializedData:\t0x%08x\n" \
"\t\t|--WORD\t\tAddressOfEntryPoint:\t\t0x%08x\n" \
"\t\t|--WORD\t\tBaseOfCode:\t\t\t0x%08x\n" \
"\t\t|--WORD\t\tBaseOfData:\t\t\t0x%08x\n" \
"\t\t|--DWORD\tImageBase:\t\t\t0x%08x\n" \
"\t\t|--DWORD\tSectionAlignment:\t\t0x%08x\n" \
"\t\t|--DWORD\tFileAlignment:\t\t\t0x%08x\n" \
"\t\t|--WORD\t\tMajorOperatingSystemVersion:\t0x%08x\n" \
"\t\t|--WORD\t\tMinorOperatingSystemVersion:\t0x%08x\n" \
"\t\t|--WORD\t\tMajorImageVersion:\t\t0x%08x\n" \
"\t\t|--WORD\t\tMinorImageVersion:\t\t0x%08x\n" \
"\t\t|--DWORD\tMajorSubsystemVersion:\t\t0x%08x\n" \
"\t\t|--DWORD\tMinorSubsystemVersion:\t\t0x%08x\n" \
"\t\t|--DWORD\tWin32VersionValue:\t\t0x%08x\n" \
"\t\t|--WORD\t\tSizeOfImage:\t\t\t0x%08x\n" \
"\t\t|--WORD\t\tSizeOfHeaders:\t\t\t0x%08x\n" \
"\t\t|--WORD\t\tCheckSum:\t\t\t0x%08x\n" \
"\t\t|--WORD\t\tSubsystem:\t\t\t0x%08x\n" \
"\t\t|--DWORD\tDllCharacteristics:\t\t0x%08x\n" \
"\t\t|--DWORD\tSizeOfStackReserve:\t\t0x%08x\n" \
"\t\t|--DWORD\tSizeOfStackCommit:\t\t0x%08x\n" \
"\t\t|--WORD\t\tSizeOfHeapReserve:\t\t0x%08x\n" \
"\t\t|--WORD\t\tSizeOfHeapCommit:\t\t0x%08x\n" \
"\t\t|--WORD\t\tLoaderFlags:\t\t\t0x%08x\n" \
"\t\t|--WORD\t\tNumberOfRvaAndSizes:\t\t0x%08x\n",
//pPeHeaders.Signature
pPeHeaders->Signature,&pPeHeaders->Signature, // PE,0,0
//pPeHeaders.FileHeader
pPeHeaders->FileHeader.Machine, // 文件运行所要求的CPU平台
pPeHeaders->FileHeader.NumberOfSections, // 文件的节数目
pPeHeaders->FileHeader.TimeDateStamp, // 文件创建日期和时间
pPeHeaders->FileHeader.PointerToSymbolTable, // 用于调试
pPeHeaders->FileHeader.NumberOfSymbols, // 用于调试
pPeHeaders->FileHeader.SizeOfOptionalHeader, // 指示紧随本结构之后的OptionalHeader结构大小,必须为有效值
pPeHeaders->FileHeader.Characteristics, // 文件信息标志
//pPeHeaders.OptionalHeader
pPeHeaders->OptionalHeader.Magic, // 标记
pPeHeaders->OptionalHeader.MajorLinkerVersion, // 链接器的主版本号
pPeHeaders->OptionalHeader.MinorLinkerVersion, // 链接器的次版本号
pPeHeaders->OptionalHeader.SizeOfCode, // 可执行代码的长度
pPeHeaders->OptionalHeader.SizeOfInitializedData, // 初始化数据的长度(数据段)
pPeHeaders->OptionalHeader.SizeOfUninitializedData, // 未初始化数据的长度(bss段)
pPeHeaders->OptionalHeader.AddressOfEntryPoint, // 代码的入口RVA地址,程序从这儿开始执行
pPeHeaders->OptionalHeader.BaseOfCode, // 可执行代码起始位置
pPeHeaders->OptionalHeader.BaseOfData, // 初始化数据起始位置
pPeHeaders->OptionalHeader.ImageBase, // 载入程序首选的VA地址
pPeHeaders->OptionalHeader.SectionAlignment, // 段加载后在内存中的对齐方式
pPeHeaders->OptionalHeader.FileAlignment, // 段在文件中的对齐方式
pPeHeaders->OptionalHeader.MajorOperatingSystemVersion, // 操作系统主版本号
pPeHeaders->OptionalHeader.MinorOperatingSystemVersion, // 操作系统次版本号
pPeHeaders->OptionalHeader.MajorImageVersion, // 程序主版本号
pPeHeaders->OptionalHeader.MinorImageVersion, // 程序次版本号
pPeHeaders->OptionalHeader.MajorSubsystemVersion, // 子系统主版本号
pPeHeaders->OptionalHeader.MinorSubsystemVersion, // 子系统次版本号
pPeHeaders->OptionalHeader.Win32VersionValue, // 目前都为0
pPeHeaders->OptionalHeader.SizeOfImage, // 程序调入后占用内存大小(字节),等于所有段的长度之和
pPeHeaders->OptionalHeader.SizeOfHeaders, // 所有文件头的长度之和(从文件开始到第一个段之间的大小)
pPeHeaders->OptionalHeader.CheckSum, // 校验和
pPeHeaders->OptionalHeader.Subsystem, // NT子系统
pPeHeaders->OptionalHeader.DllCharacteristics, // Dll状态
pPeHeaders->OptionalHeader.SizeOfStackReserve, // 保留堆栈大小
pPeHeaders->OptionalHeader.SizeOfStackCommit, // 启动后实际申请的堆栈数,可随实际情况变大
pPeHeaders->OptionalHeader.SizeOfHeapReserve, // 保留堆大小
pPeHeaders->OptionalHeader.SizeOfHeapCommit, // 实际堆大小
pPeHeaders->OptionalHeader.LoaderFlags, // 装载标志
pPeHeaders->OptionalHeader.NumberOfRvaAndSizes); // 下面的目录表入口个数
//打印IMAGE_DATA_DIRECTORY结构
printf("\t\t|--STRUCT\tpPeHeaders.OptionalHeader.DataDirectory\n");
for (int i=0;i<IMAGE_NUMBEROF_DIRECTORY_ENTRIES;i++){
printf("\t\t\t|--STRUCT\tDataDirectory[%d]\n" \
"\t\t\t\t|--WORD\tVirtualAddress:\t0x%08x\n" \
"\t\t\t\t|--WORD\tSize:\t\t0x%08x\n" ,
i,
pPeHeaders->OptionalHeader.DataDirectory[i].VirtualAddress,
pPeHeaders->OptionalHeader.DataDirectory[i].Size);
}
printf("\n");
//关闭打开的句柄,释放资源
::UnmapViewOfFile(pMap);
::CloseHandle(hMap);
::CloseHandle(hFile);
}
system("pause");
return 0;
}
|
能力值:
( LV4,RANK:50 )
|
-
-
3 楼
// PESectionHeaders.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <windows.h>
#include <time.h>
#include <imagehlp.h>
#pragma comment (lib, "imagehlp.lib")
int _tmain(int argc, _TCHAR* argv[])
{
while (TRUE) {
WCHAR cFile[256] = {0};
printf("Please enter the file name and path:");
wscanf(L"%s",cFile);
HANDLE hFile = NULL;
hFile = ::CreateFile((LPCWSTR)cFile,GENERIC_READ,0,NULL,OPEN_EXISTING,NULL,NULL);
if (hFile == INVALID_HANDLE_VALUE){
printf("Create file failed! (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//创建文件映射
HANDLE hMap = NULL;
hMap = ::CreateFileMapping(hFile,NULL,PAGE_READONLY,0,0,0);
if (!hMap){
printf("Create file mapping failed! (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//映射要自己进程的空间
LPVOID pMap = NULL;
pMap = ::MapViewOfFile(hMap,FILE_MAP_READ,0,0,0);
if (!pMap){
printf("Mapping file failed (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//获得DOS头文件指针
PIMAGE_DOS_HEADER pDosHeader = NULL;//DOS头文件
pDosHeader = (PIMAGE_DOS_HEADER)pMap;
//判断DOS头标志 IMAGE_DOS_SIGNATURE 0x5A4D MZ
if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE){
printf("Not DOS Header! (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//获得PE头文件指针
PIMAGE_NT_HEADERS pPeHeaders = NULL;//PE头文件
pPeHeaders = (PIMAGE_NT_HEADERS)((LONG)pMap + pDosHeader->e_lfanew);
//判断PE头标志 IMAGE_NT_SIGNATURE 0x00004550 PE00
if (pPeHeaders->Signature != IMAGE_NT_SIGNATURE){
printf("Not PE Header! (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//获得Section头文件指针
PIMAGE_SECTION_HEADER pSectionHeaders = NULL;//Section节区
pSectionHeaders = (PIMAGE_SECTION_HEADER)((LONG)pPeHeaders + sizeof(pPeHeaders->Signature) + sizeof(pPeHeaders->FileHeader) + pPeHeaders->FileHeader.SizeOfOptionalHeader);
//打印节的名称
printf("Section Infomation: (%d)\n",pPeHeaders->FileHeader.NumberOfSections);
printf("---------------------------------------------------------------------------------------------------------------------------------\n");
printf("|Name \t|VirtualAddress\t\t|Misc.VirtualSize\t|SizeOfRawData\t\t|PointerToRawData\t|Characteristics\n");
printf("---------------------------------------------------------------------------------------------------------------------------------\n");
for (int i = 0;i < pPeHeaders->FileHeader.NumberOfSections; i++){
printf("|%s \t|0x%08x\t\t|0x%08x\t\t|0x%08x\t\t|0x%08x\t\t\t|0x%08x\n",
pSectionHeaders->Name,
pSectionHeaders->VirtualAddress,
pSectionHeaders->Misc.VirtualSize,
pSectionHeaders->PointerToRawData,
pSectionHeaders->SizeOfRawData,
pSectionHeaders->Characteristics);
printf("---------------------------------------------------------------------------------------------------------------------------------\n");
pSectionHeaders++;
}
printf("\n");
//关闭打开的句柄,释放资源
::UnmapViewOfFile(pMap);
::CloseHandle(hMap);
::CloseHandle(hFile);
}
system("pause");
return 0;
}
|
能力值:
( LV4,RANK:50 )
|
-
-
4 楼
// PEImportTable.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <windows.h>
#include <time.h>
#include <imagehlp.h>
#pragma comment (lib, "imagehlp.lib")
int _tmain(int argc, _TCHAR* argv[])
{
while (TRUE) {
WCHAR cFile[256] = {0};
printf("Please enter the file name and path:");
wscanf(L"%s",cFile);
HANDLE hFile = NULL;
hFile = ::CreateFile((LPCWSTR)cFile,GENERIC_READ,0,NULL,OPEN_EXISTING,NULL,NULL);
if (hFile == INVALID_HANDLE_VALUE){
printf("Create file failed! (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//创建文件映射
HANDLE hMap = NULL;
hMap = ::CreateFileMapping(hFile,NULL,PAGE_READONLY,0,0,0);
if (!hMap){
printf("Create file mapping failed! (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//映射要自己进程的空间
LPVOID pMap = NULL;
pMap = ::MapViewOfFile(hMap,FILE_MAP_READ,0,0,0);
if (!pMap){
printf("Mapping file failed (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//后面计算文件偏移的时候要用到的
ULONG dwImageBase = (ULONG)pMap;
//获得DOS头文件指针
PIMAGE_DOS_HEADER pDosHeader = NULL;//DOS头文件
pDosHeader = (PIMAGE_DOS_HEADER)pMap;
//判断DOS头标志 IMAGE_DOS_SIGNATURE 0x5A4D MZ
if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE){
printf("Not DOS Header! (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//获得PE头文件指针
PIMAGE_NT_HEADERS pPeHeaders = NULL;//PE头文件
pPeHeaders = (PIMAGE_NT_HEADERS)((LONG)pMap + pDosHeader->e_lfanew);
//判断PE头标志 IMAGE_NT_SIGNATURE 0x00004550 PE00
if (pPeHeaders->Signature != IMAGE_NT_SIGNATURE){
printf("Not PE Header! (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//获得输入表指针
//这个函数返回的是内存映像中的文件偏移量
PIMAGE_IMPORT_DESCRIPTOR pImportTable = (PIMAGE_IMPORT_DESCRIPTOR)::ImageRvaToVa(pPeHeaders, pMap, pPeHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress, NULL);
//tm *pTime; //时间结构,用于返回一个格林威治时间
//如果没有输入表就打印信息并返回
if (pImportTable == NULL) {
printf("Can't find import table!\n\n");
system("pause");
return 0;
}
//打印输入表
printf("Image import table infomation:\n");
printf("-------------------------------------------------------------------\n");
for (int i = 0; pImportTable->Name != NULL; i++){
//pTime = gmtime((time_t *)::ImageRvaToVa(pPeHeaders, pMap, pImportTable->TimeDateStamp, NULL)); //把时间戳转换为字符串
//打印IMAGE_IMPORT_DESCRIPTOR结构的一些信息
printf("%d. IMAGE_IMPORT_DESCRIPTOR\n\tOriginalFirstThunk:\t0x%08x\tOffset:0x%08x\n\tTimeDateStamp:\t\t0x%08x\t%s\n\tForwarderChain:\t\t0x%08x\n\tName:\t\t\t0x%08x\tOffset:0x%08x\t%s\n\tFirstThunk:\t\t0x%08x\tOffset:0x%08x\n\n",
i + 1,
pImportTable->OriginalFirstThunk, (ULONG)::ImageRvaToVa(pPeHeaders, pMap, pImportTable->OriginalFirstThunk, NULL) - dwImageBase, //减去起始地址才是在文件中的偏移量
pImportTable->TimeDateStamp, "GMT",
pImportTable->ForwarderChain,
pImportTable->Name, (ULONG)::ImageRvaToVa(pPeHeaders, pMap, pImportTable->Name, NULL) - dwImageBase, //RVA & Offset
::ImageRvaToVa(pPeHeaders, pMap, pImportTable->Name, NULL), //字符串
pImportTable->FirstThunk, (ULONG)::ImageRvaToVa(pPeHeaders, pMap, pImportTable->FirstThunk, NULL) - dwImageBase); //减去起始地址才是在文件中的偏移量
//打印输出函数列表
//注意有的时候pImportTable->OriginalFirstThunk会是NULL值,这个时候pImageThunkData就要取pImportTable->OriginalFirstThunk
PIMAGE_THUNK_DATA pImageThunkData = (PIMAGE_THUNK_DATA)::ImageRvaToVa(pPeHeaders, pMap, pImportTable->OriginalFirstThunk, NULL) != NULL ? (IMAGE_THUNK_DATA *)::ImageRvaToVa(pPeHeaders, pMap, pImportTable->OriginalFirstThunk, NULL) : pImageThunkData = (IMAGE_THUNK_DATA *)::ImageRvaToVa(pPeHeaders, pMap, pImportTable->FirstThunk, NULL);
PIMAGE_IMPORT_BY_NAME pImageImportByName = NULL;
printf("\tHint\t\tAPI Name\n");
printf("\t-----------------------------------------------------------\n");
for (int j = 0; pImageThunkData->u1.AddressOfData != NULL ; j++){
if (!(pImageThunkData->u1.AddressOfData & IMAGE_ORDINAL_FLAG)) { //IMAGE_THUNK_DATA如果最高位为0,名字
pImageImportByName = (PIMAGE_IMPORT_BY_NAME)::ImageRvaToVa(pPeHeaders, pMap, pImageThunkData->u1.AddressOfData, NULL);
printf("\t0x%08x\t%s\n", pImageImportByName->Hint, pImageImportByName->Name);
}
else { //IMAGE_THUNK_DATA如果最高位为1,序号--pImageThunkData->u1.AddressOfData的低16位就是序号
printf("\t0x%08x\n", (pImageThunkData->u1.AddressOfData) & 0xffff);
}
pImageThunkData++;
}
printf("\n");
pImportTable++;
}
//关闭打开的句柄,释放资源
::UnmapViewOfFile(pMap);
::CloseHandle(hMap);
::CloseHandle(hFile);
}
system("pause");
return 0;
}
|
能力值:
( LV2,RANK:10 )
|
-
-
5 楼
顶一个,感谢LZ分享!
|
能力值:
( LV2,RANK:10 )
|
-
-
6 楼
感觉分享 
|
能力值:
( LV4,RANK:50 )
|
-
-
7 楼
// PEExportTable.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <windows.h>
#include <time.h>
#include <imagehlp.h>
#pragma comment (lib, "imagehlp.lib")
int _tmain(int argc, _TCHAR* argv[])
{
while (1) {
WCHAR cFile[256] = {0};
printf("Please enter the file name and path:");
wscanf(L"%s",cFile);
HANDLE hFile = NULL;
hFile = ::CreateFile((LPCWSTR)cFile,GENERIC_READ,0,NULL,OPEN_EXISTING,NULL,NULL);
if (hFile == INVALID_HANDLE_VALUE){
printf("Create file failed! (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//创建文件映射
HANDLE hMap = NULL;
hMap = ::CreateFileMapping(hFile,NULL,PAGE_READONLY,0,0,0);
if (!hMap){
printf("Create file mapping failed! (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//映射要自己进程的空间
LPVOID pMap = NULL;
pMap = ::MapViewOfFile(hMap,FILE_MAP_READ,0,0,0);
if (!pMap){
printf("Mapping file failed (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//后面计算文件偏移的时候要用到的
ULONG dwImageBase = (ULONG)pMap;
//获得DOS头文件指针
PIMAGE_DOS_HEADER pDosHeader = NULL;//DOS头文件
pDosHeader = (PIMAGE_DOS_HEADER)pMap;
//判断DOS头标志 IMAGE_DOS_SIGNATURE 0x5A4D MZ
if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE){
printf("Not DOS Header! (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//获得PE头文件指针
PIMAGE_NT_HEADERS pPeHeaders = NULL;//PE头文件
pPeHeaders = (PIMAGE_NT_HEADERS)((LONG)pMap + pDosHeader->e_lfanew);
//判断PE头标志 IMAGE_NT_SIGNATURE 0x00004550 PE00
if (pPeHeaders->Signature != IMAGE_NT_SIGNATURE){
printf("Not PE Header! (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//打印输出表
//获得输出表指针
if (!pPeHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress) {
printf("Can't find export table!\n\n");
system("pause");
return 0;
}
PIMAGE_EXPORT_DIRECTORY pExportTable = (PIMAGE_EXPORT_DIRECTORY)::ImageRvaToVa(pPeHeaders, pMap, pPeHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress, NULL);
//打印IMAGE_EXPORT_DIRECTORY各个域的值
printf("Image export table infomation:\n");
printf("-------------------------------------------------------------------\n");
printf("IMAGE_EXPORT_DESCRIPTOR\n\tCharacteristics:\t0x%08x\n\tTimeDateStamp:\t\t0x%08x\n\tMajorVersion:\t\t0x%08x\n\tMinorVersion:\t\t0x%08x\n\tName:\t\t\t0x%08x\tOffset:0x%08x\t%s\n\tBase:\t\t\t0x%08x\n\tNumberOfFunctions:\t0x%08x\t%d\n\tNumberOfNames:\t\t0x%08x\t%d\n\tAddressOfFunctions:\t0x%08x\tOffset:0x%08x\n\tAddressOfNames:\t\t0x%08x\tOffset:0x%08x\n\tAddressOfNameOrdinals:\t0x%08x\tOffset:0x%08x\n\n",
pExportTable->Characteristics,
pExportTable->TimeDateStamp,
pExportTable->MajorVersion,
pExportTable->MinorVersion,
pExportTable->Name, (ULONG)::ImageRvaToVa(pPeHeaders, pMap, pExportTable->Name, NULL) - dwImageBase, //RVA & Offset
::ImageRvaToVa(pPeHeaders, pMap, pExportTable->Name, NULL), //字符串
pExportTable->Base,
pExportTable->NumberOfFunctions,
pExportTable->NumberOfFunctions, //函数个数
pExportTable->NumberOfNames,
pExportTable->NumberOfNames, //有符号名称的函数个数
pExportTable->AddressOfFunctions, (ULONG)::ImageRvaToVa(pPeHeaders, pMap, pExportTable->AddressOfFunctions, NULL) - dwImageBase, //函数的地址表 RVA & Offset
pExportTable->AddressOfNames, (ULONG)::ImageRvaToVa(pPeHeaders, pMap, pExportTable->AddressOfNames, NULL) - dwImageBase, //函数的名称表 RVA & Offset
pExportTable->AddressOfNameOrdinals, (ULONG)::ImageRvaToVa(pPeHeaders, pMap, pExportTable->AddressOfNameOrdinals, NULL) - dwImageBase); //函数的序号表 RVA & Offset
//打印输出函数序号、偏移、符号名称
printf("\tOrdinal\t\t\tRVA(Offset)\t\tSymbol Name\n");
printf("\t-----------------------------------------------------------\n");
//一般情况下这样处理是没问题的,但是如果序号不是连贯的就有问题了
PDWORD pdwSymbolName = NULL;
PDWORD pdwFunction = NULL;
PWORD pdwOrdinal = NULL;
pdwOrdinal = (PWORD)::ImageRvaToVa(pPeHeaders,pMap,(ULONG)pExportTable->AddressOfNameOrdinals, NULL);
pdwFunction = (PDWORD)::ImageRvaToVa(pPeHeaders,pMap,(ULONG)pExportTable->AddressOfFunctions, NULL);
pdwSymbolName = (PDWORD)::ImageRvaToVa(pPeHeaders,pMap,(ULONG)pExportTable->AddressOfNames, NULL);
//打印出按名字导出的函数
for (UINT m = 0; m < (ULONG)pExportTable->AddressOfFunctions; m++) {
for (UINT n = 0; n < (ULONG)pExportTable->NumberOfNames; n++) {
if (m == pdwOrdinal[n]) {
printf("\t(%d)\t0x%08x\t0x%08x(0x%08x)\t0x%08x:(0x%08x)%s\n",
pdwOrdinal[n] + pExportTable->Base, //序号十进制
pdwOrdinal[n] + pExportTable->Base, //序号十六进制
pdwFunction[m], //函数入口地址(RVA)
(ULONG)::ImageRvaToVa(pPeHeaders, pMap, (ULONG)pdwFunction[m], NULL) - dwImageBase, //函数入口地址Offset)减去起始地址才是在文件中的偏移量
pdwSymbolName[n], //名字(RVA)
(ULONG)::ImageRvaToVa(pPeHeaders, pMap, (ULONG)pdwSymbolName[n], NULL) - dwImageBase, //名字(Offset)减去起始地址才是在文件中的偏移量
::ImageRvaToVa(pPeHeaders, pMap, (ULONG)pdwSymbolName[n], NULL));
}
}
}
//关闭打开的句柄,释放资源
::UnmapViewOfFile(pMap);
::CloseHandle(hMap);
::CloseHandle(hFile);
}
system("pause");
return 0;
}
|
能力值:
( LV4,RANK:50 )
|
-
-
8 楼
// PERelocationTable.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <windows.h>
#include <time.h>
#include <imagehlp.h>
#pragma comment (lib, "imagehlp.lib")
int _tmain(int argc, _TCHAR* argv[])
{
while (TRUE) {
WCHAR cFile[256] = {0};
printf("Please enter the file name and path:");
wscanf(L"%s",cFile);
HANDLE hFile = NULL;
hFile = ::CreateFile((LPCWSTR)cFile,GENERIC_READ,0,NULL,OPEN_EXISTING,NULL,NULL);
if (hFile == INVALID_HANDLE_VALUE){
printf("Create file failed! (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//创建文件映射
HANDLE hMap = NULL;
hMap = ::CreateFileMapping(hFile,NULL,PAGE_READONLY,0,0,0);
if (!hMap){
printf("Create file mapping failed! (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//映射要自己进程的空间
LPVOID pMap = NULL;
pMap = ::MapViewOfFile(hMap,FILE_MAP_READ,0,0,0);
if (!pMap){
printf("Mapping file failed (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//后面计算文件偏移的时候要用到的
ULONG dwImageBase = (ULONG)pMap;
//获得DOS头文件指针
PIMAGE_DOS_HEADER pDosHeader = NULL;//DOS头文件
pDosHeader = (PIMAGE_DOS_HEADER)pMap;
//判断DOS头标志 IMAGE_DOS_SIGNATURE 0x5A4D MZ
if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE){
printf("Not DOS Header! (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//获得PE头文件指针
PIMAGE_NT_HEADERS pPeHeaders = NULL;//PE头文件
pPeHeaders = (PIMAGE_NT_HEADERS)((LONG)pMap + pDosHeader->e_lfanew);
//判断PE头标志 IMAGE_NT_SIGNATURE 0x00004550 PE00
if (pPeHeaders->Signature != IMAGE_NT_SIGNATURE){
printf("Not PE Header! (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//重定位信息 - dwImageBase
PIMAGE_BASE_RELOCATION pRelocation = (PIMAGE_BASE_RELOCATION)::ImageRvaToVa(pPeHeaders, pMap, pPeHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress, NULL);
int i = 0;
DWORD dwSize = 0; //用来累计每个块的大小,当块的累计大小和pPeHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size相等时说明块已经到了末尾
PWORD pTypeOffset = NULL; //TypeOffset的指针
do {
dwSize += (DWORD)pRelocation->SizeOfBlock;
printf("%d.Relocation Block:\n", ++i);
printf("---------------------------------------------------------------------------\n");
printf("\tVirtualAddress:\t0x%08x\tOffset:0x%08x\n\tSizeOfBlock:\t0x%08x\n\n",
(pRelocation->VirtualAddress), //
(ULONG)(&(pRelocation->VirtualAddress)) - dwImageBase, //VirtualAddress在文件中的偏移量,也就是VA值存放在文件中的那个位置
pRelocation->SizeOfBlock);
printf("\tType\t\t\t\tRVA\t\tOffset\n");
printf("\t-------------------------------------------------------------------\n");
pTypeOffset = (PWORD)pRelocation + (sizeof(pRelocation->VirtualAddress) + sizeof(pRelocation->SizeOfBlock))/sizeof(WORD); //其实就是4
for (UINT j = 0; j < (UINT)((pRelocation->SizeOfBlock - sizeof(pRelocation->VirtualAddress) - sizeof(pRelocation->SizeOfBlock))/sizeof(WORD));j++) {
switch ((*pTypeOffset & 0xf000) >> 12) { //右移12位
case 0:
printf("\t(%d)IMAGE_REL_BASED_ABSOLUTE\t0x%08x\t0x%08x\n",
(*pTypeOffset & 0xf000) >> 12,
(*pTypeOffset & 0x0fff) + (pRelocation->VirtualAddress),
(ULONG)::ImageRvaToVa(pPeHeaders, pMap, (*pTypeOffset & 0x0fff) + (pRelocation->VirtualAddress), NULL) - dwImageBase);
break;
case 1:
printf("\t(%d)IMAGE_REL_BASED_HIGH\t0x%08x\t0x%08x\n",
(*pTypeOffset & 0xf000) >> 12,
(*pTypeOffset & 0x0fff) + (pRelocation->VirtualAddress),
(ULONG)::ImageRvaToVa(pPeHeaders, pMap, (*pTypeOffset & 0x0fff) + (pRelocation->VirtualAddress), NULL) - dwImageBase);
break;
case 2:
printf("\t(%d)IMAGE_REL_BASED_LOW\t0x%08x\t0x%08x\n",
(*pTypeOffset & 0xf000) >> 12,
(*pTypeOffset & 0x0fff) + (pRelocation->VirtualAddress),
(ULONG)::ImageRvaToVa(pPeHeaders, pMap, (*pTypeOffset & 0x0fff) + (pRelocation->VirtualAddress), NULL) - dwImageBase);
break;
case 3:
printf("\t(%d)IMAGE_REL_BASED_HIGHLOW\t0x%08x\t0x%08x\n",
(*pTypeOffset & 0xf000) >> 12,
(*pTypeOffset & 0x0fff) + (pRelocation->VirtualAddress),
(ULONG)::ImageRvaToVa(pPeHeaders, pMap, (*pTypeOffset & 0x0fff) + (pRelocation->VirtualAddress), NULL) - dwImageBase);
break;
case 4:
printf("\t(%d)IMAGE_REL_BASED_HIGHADJ\t0x%08x\t0x%08x\n",
(*pTypeOffset & 0xf000) >> 12,
(*pTypeOffset & 0x0fff) + (pRelocation->VirtualAddress),
(ULONG)::ImageRvaToVa(pPeHeaders, pMap, (*pTypeOffset & 0x0fff) + (pRelocation->VirtualAddress), NULL) - dwImageBase);
break;
case 5:
printf("\t(%d)IMAGE_REL_BASED_MIPS_JMPADDR\t0x%08x\t0x%08x\n",
(*pTypeOffset & 0xf000) >> 12,
(*pTypeOffset & 0x0fff) + (pRelocation->VirtualAddress),
(ULONG)::ImageRvaToVa(pPeHeaders, pMap, (*pTypeOffset & 0x0fff) + (pRelocation->VirtualAddress), NULL) - dwImageBase);
break;
case 9:
printf("\t(%d)IMAGE_REL_BASED_MIPS_JMPADDR16\t0x%08x\t0x%08x\n",
(*pTypeOffset & 0xf000) >> 12,
(*pTypeOffset & 0x0fff) + (pRelocation->VirtualAddress),
(ULONG)::ImageRvaToVa(pPeHeaders, pMap, (*pTypeOffset & 0x0fff) + (pRelocation->VirtualAddress), NULL) - dwImageBase);
//printf("\tIMAGE_REL_BASED_IA64_IMM64\t%d\t\t0x%x\n", (*pTypeOffset & 0xf000) >> 12, (ULONG)((*pTypeOffset & 0x0fff) + (pRelocation->VirtualAddress)));
break;
case 10:
printf("\t(%d)IMAGE_REL_BASED_DIR64\t0x%08x\t0x%08x\n",
(*pTypeOffset & 0xf000) >> 12,
(*pTypeOffset & 0x0fff) + (pRelocation->VirtualAddress),
(ULONG)::ImageRvaToVa(pPeHeaders, pMap, (*pTypeOffset & 0x0fff) + (pRelocation->VirtualAddress), NULL) - dwImageBase);
break;
default:
break;
}
pTypeOffset++;
}
printf("\n");
pRelocation = (PIMAGE_BASE_RELOCATION)((ULONG)pRelocation + (ULONG)pRelocation->SizeOfBlock); //一定要强制转换为无符号数进行运算,然后再强制转换为指针
} while ((DWORD)pPeHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size != dwSize); //根据块的总大小判断是否结束
//关闭打开的句柄,释放资源
::UnmapViewOfFile(pMap);
::CloseHandle(hMap);
::CloseHandle(hFile);
}
system("pause");
return 0;
}
|
能力值:
( LV2,RANK:10 )
|
-
-
9 楼
it is good to learn this topic.
thanks a lot
it will take some time to get familiar with it
|
能力值:
( LV12,RANK:440 )
|
-
-
10 楼
感谢楼主分享,主题合并方便大家学习。
|
能力值:
( LV2,RANK:10 )
|
-
-
11 楼
学以致用。。。
|
能力值:
( LV2,RANK:10 )
|
-
-
12 楼
向你学习.....
|
能力值:
( LV2,RANK:10 )
|
-
-
13 楼
楼主比那个模板软件算法注册机的哥们,更有时间..更有耐心......我更加膜拜你....
大概看了看...真的..晕了....
|
能力值:
( LV6,RANK:90 )
|
-
-
14 楼
正是因为有楼主这样的人才让菜鸟们进步得更快,感谢楼主。
|
能力值:
( LV2,RANK:10 )
|
-
-
15 楼
楼主人才,多多向楼主学习
|
能力值:
( LV2,RANK:10 )
|
-
-
16 楼
好伟大的一个 printf 函数 
|
能力值:
( LV2,RANK:10 )
|
-
-
17 楼
学习。刚来的,就需要好好学习呀。
|
能力值:
( LV2,RANK:10 )
|
-
-
18 楼
感谢楼主~~~
|
能力值:
( LV2,RANK:10 )
|
-
-
19 楼
多谢分享 
|
能力值:
( LV2,RANK:10 )
|
-
-
20 楼
我在写一样的东西,lz的代码让我明白了一些问题。
|
能力值:
( LV2,RANK:10 )
|
-
-
21 楼
LZ相当有才
|
能力值:
( LV2,RANK:10 )
|
-
-
22 楼
作为菜鸟。向楼主多多学习 
|
能力值:
( LV2,RANK:10 )
|
-
-
23 楼
确实要支持一下的...嘿嘿
|
能力值:
( LV2,RANK:10 )
|
-
-
24 楼
路过看看,留下个记号
|
能力值:
( LV2,RANK:10 )
|
-
-
25 楼
感谢 分享
、
我 菜鸟1个
|
|
|
|
