-
-
[旧帖] [原创]命令行PE分析工具VC源碼,求邀請碼 0.00雪花
-
发表于: 2012-9-29 17:49
-
近日無事,把以前塵封的寫過的東西放上來分享下。
程序使用VC6.0編譯
使用了自定義的程序入口EntryPoint
所以鏈接時應指明/ENTRY:EntryPoint才可以
程序的功能:
檢測PE有效性
輸出IMAGE_NT_HEADERS32信息
輸出Section Headers信息
輸出Import Table信息
輸出Export Table信息
用法:PEx <PE filename>
代碼:
程序使用了ntdll,相關頭文件和庫在ntdll附件中。
程序是原創的,證據:
能給個邀請碼么?
程序使用VC6.0編譯
使用了自定義的程序入口EntryPoint
所以鏈接時應指明/ENTRY:EntryPoint才可以
程序的功能:
檢測PE有效性
輸出IMAGE_NT_HEADERS32信息
輸出Section Headers信息
輸出Import Table信息
輸出Export Table信息
用法:PEx <PE filename>
代碼:
#include <windows.h>
#include <ntdll.h>
#ifndef IMAGE_SIZEOF_DOS_HEADER
#define IMAGE_SIZEOF_DOS_HEADER 0x40
#endif
#ifndef IMAGE_SIZEOF_IMPORT_DESCRIPTOR
#define IMAGE_SIZEOF_IMPORT_DESCRIPTOR 0x14
#endif
#ifndef IMAGE_SIZEOF_EXPORT_DIR
#define IMAGE_SIZEOF_EXPORT_DIR 0x28
#endif
#ifndef INVALID_RVA
#define INVALID_RVA 0xFFFFFFFF
#endif
//We Assume that the Maximum Number of Export(s) of Each Dll is 4096
#ifndef MAX_NRTHUNK
#define MAX_NRTHUNK 4096
#endif
#define ConMsg(str,strlength) WriteConsole(hConO,str,strlength,NULL,NULL)
//#define SaveTxt(formatstr,...) sprintf(szTxtBuf,formatstr,VARARGS)
#define DrawTxt(strlength) ConMsg(szTxtBuf,strlength)
//Console
//kernel32,ntdll
/*
void __stdcall DrawTxt(DWORD dwlen)
{
ConMsg(szTxtBuf,dwlen);
}
*/
DWORD RVA2RawPtr(DWORD RVA,IMAGE_SECTION_HEADER *pScnHd,DWORD NumberOfSections)
{
if(RVA<pScnHd[0].VirtualAddress)
return RVA;
else
{
DWORD i;
for(i=0;i<NumberOfSections;++i)
if(RVA>=pScnHd[i].VirtualAddress
&& RVA<pScnHd[i].VirtualAddress+pScnHd[i].Misc.VirtualSize)
return RVA-(pScnHd[i].VirtualAddress-pScnHd[i].PointerToRawData);
return INVALID_RVA;
}
}
void EntryPoint()
{
LPTSTR szArg1=GetCommandLine();
HANDLE hConO=GetStdHandle(STD_OUTPUT_HANDLE);
//DWORD dwTxtWri;
if(*szArg1=='\"')//Strip Quotations of Arg0
{
do
++szArg1;
while(*szArg1=='\"');
szArg1=strchr(szArg1,'\"');
do
++szArg1;
while(*szArg1=='\"');
}
if(szArg1=strchr(szArg1,' '))//szArg1 May Be a Null String before Calling strch
{//First Space Exists
LPSTR szChr=szArg1;
for(;*szChr;++szChr)//Replace Quotations of Arg1 with Space Character
if(*szChr=='\"')
*szChr=' ';
do
++szArg1;
while(*szArg1==' ');
if(!*szArg1)
goto LBL_USAGE;
else//Arg1 Exists
{
//HANDLE hFile;
HFILE hFile;
//if((hFile=CreateFile(szArg1,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL))==INVALID_HANDLE_VALUE)
if((hFile=_lopen(szArg1,OF_READ))==HFILE_ERROR)
ConMsg("Unable to Open File!",20);
else
{
LONG iFileSize=GetFileSize((HANDLE)hFile,NULL);
if(!iFileSize || !~iFileSize)//iFileSize==0 || iFileSize==0xFFFFFFFF
ConMsg("Invalid Filesize!",17);
else//Valid PE File Size
{//[Read DOS Header]
IMAGE_DOS_HEADER DosHd;
//if(!ReadFile(hFile,&DosHd,IMAGE_SIZEOF_DOS_HEADER,&dwTxtWri,NULL))
if(_lread(hFile,&DosHd,IMAGE_SIZEOF_DOS_HEADER)==HFILE_ERROR)
ConMsg("Error Reading DOS Header!",25);
else if(DosHd.e_magic!=IMAGE_DOS_SIGNATURE)//0x4D5A='M''Z'
ConMsg("Invalid DOS Signature!",22);
else if(DosHd.e_lfanew<4 || DosHd.e_lfanew>=iFileSize)
ConMsg("Invalid PE Header Address!",26);
else//Valid DOS Header
{//[Read NT Headers]
IMAGE_NT_HEADERS32 NtHds;
//SetFilePointer(hFile,DosHd.e_lfanew,NULL,FILE_BEGIN);
_llseek(hFile,DosHd.e_lfanew,FILE_BEGIN);
//if(!ReadFile(hFile,&NtHds,IMAGE_SIZEOF_NT_OPTIONAL32_HEADER,&dwTxtWri,NULL))
//0x60=IMAGE_SIZEOF_NT_OPTIONAL32_HEADER(0xE0)-8*0x10
if(_lread(hFile,&NtHds,4+IMAGE_SIZEOF_FILE_HEADER)==HFILE_ERROR)
goto LBL_ERRNTHD;
//ConMsg("Error Reading NT Headers!",25);
else if(NtHds.Signature!=IMAGE_NT_SIGNATURE)
ConMsg("Invalid PE Signature!",21);
//else if(IMAGE_SIZEOF_NT_OPTIONAL32_HEADER-(IMAGE_NUMBEROF_DIRECTORY_ENTRIES-NtHds.OptionalHeader.NumberOfRvaAndSizes)*sizeof(IMAGE_DATA_DIRECTORY)!=NtHds.FileHeader.SizeOfOptionalHeader)
//Valid NT Headers 1
//[Read Optional Header]
else if(_lread(hFile,&NtHds.OptionalHeader,IMAGE_SIZEOF_NT_OPTIONAL32_HEADER)==HFILE_ERROR)
LBL_ERRNTHD:
ConMsg("Error Reading NT Headers!",25);
else if(NtHds.OptionalHeader.Magic!=IMAGE_NT_OPTIONAL_HDR32_MAGIC)
ConMsg("Machine Type Not I386!",22);
else//Valid Optional Header
{//[Read Section Headers (Section Table)]
HANDLE hHeap;
IMAGE_SECTION_HEADER *pScnHd;
DWORD dwScnSizeTotal=(NtHds.FileHeader.NumberOfSections<<5)+(NtHds.FileHeader.NumberOfSections<<3);//NtHds.FileHeader.NumberOfSections*IMAGE_SIZEOF_SECTION_HEADER(40)
//NtHds.OptionalHeader.NumberOfRvaAndSizes=(NtHds.FileHeader.SizeOfOptionalHeader-0x60)>>3;
if(!(hHeap=HeapCreate(0,0,0)))
ConMsg("Error Creating Local Heap!",26);
//HeapCreate Success
else
{
if(!(pScnHd=HeapAlloc(hHeap,0,dwScnSizeTotal)))
ConMsg("Error Allocating Heap!",22);
else//HeapAlloc Success
{
//SetFilePointer(hFile,NtHds.FileHeader.SizeOfOptionalHeader-IMAGE_SIZEOF_NT_OPTIONAL32_HEADER,NULL,FILE_CURRENT);//Normally It's the Same with not Moving FilePointer
_llseek(hFile,NtHds.FileHeader.SizeOfOptionalHeader-IMAGE_SIZEOF_NT_OPTIONAL32_HEADER,FILE_CURRENT);//Theoretically It's the Same with not Moving FilePointer
//if(!ReadFile(hFile,pScnHd,dwScnSizeTotal,&dwTxtWri,NULL))
if(_lread(hFile,pScnHd,dwScnSizeTotal)==HFILE_ERROR)
ConMsg("Error Reading Section Headers!",30);
else
{
DWORD i;
//DWORD SectionAlignmentMask;
DWORD FileAlignmentMask;
for(i=0;i<NtHds.FileHeader.NumberOfSections;++i)
if(pScnHd[i].VirtualAddress%NtHds.OptionalHeader.SectionAlignment)
{
ConMsg("Volatile Virtual Address Space!",31);
goto LBL_VVAS;
}
if(1)
{
CHAR szDirStr[16][28]=
{"Export Table:","Import Table:","Resource Table:",
"Exception Table:","Certificate Table:","Base Relocation Table:",
"Debug:","Architecture:","Global Ptr:","TLS Table:",
"Load Config Table:","Bound Import:","IAT:","Delay Import Descriptor:",
"CLR Runtime Header:","Reserved:"};
DWORD dwDirLen[16]={13,13,15,16,18,22,6,13,11,10,18,13,4,24,19,9};
CHAR szTxtBuf[1336];
LPSTR szTxtBuf2=szTxtBuf+668;
DWORD j;
//Print Header Messages
sprintf(szTxtBuf,
"********************IMAGE DOS HEADER********************\n"
"DOS Magic:\t\t\t\t\t%04X\n"
"File Address of New Exe Header:\t\t\t%08X\n\n"
"PE Signature:\t\t\t\t\t%08X\n"
"********************IMAGE FILE HEADER*******************\n"
"Machine:\t\t\t\t\t%04X\n"
"NumberofSections:\t\t\t\t%04X\n"
"Time Date Stamp:\t\t\t\t%08X\n"
"PointertoSymbolTable:\t\t\t\t%08X\n"
"Number of Symbols:\t\t\t\t%08X\n"
"SizeofOptionalHeader:\t\t\t\t%08X\n"
"Characteristics:\t\t\t\t%08X\n\n"
"******************IMAGE OPTIONAL HEADER*****************\n"
"Magic:\t\t\t\t\t\t%04X\n"
"MajorLinkVersion:\t\t\t\t%#-3d\n"
"MinorLinkVersion:\t\t\t\t%#-3d\n"
"SizeofCode:\t\t\t\t\t%08X\n"
"SizeofInitializedData:\t\t\t\t%08X\n"
"SizeofUnData:\t\t\t\t\t%08X\n"
"AddressofEntryPoint:\t\t\t\t%08X\n"
"BaseofCode:\t\t\t\t\t%08X\n"
"BaseofData:\t\t\t\t\t%08X\n\n"
"ImageBase:\t\t\t\t\t%08X\n"
"SectionAlignment:\t\t\t\t%08X\n"
"FileAlignment:\t\t\t\t\t%08X\n"
"MajorOSVersion:\t\t\t\t\t%#-6d\n"
"MinorOSVersion:\t\t\t\t\t%#-6d\n"
"MajorImageVersion:\t\t\t\t%#-6d\n"
"MinorImageVersion:\t\t\t\t%#-6d\n"
"MajorSubsystemVersion:\t\t\t\t%#-6d\n"
"MinorSubsystemVersion:\t\t\t\t%#-6d\n"
"Win32VersionValue:\t\t\t\t%08X\n"
"SizeOfImage:\t\t\t\t\t%08X\n"
"SizeOfHeaders:\t\t\t\t\t%08X\n"
"CheckSum:\t\t\t\t\t%08X\n"
"Subsystem:\t\t\t\t\t%04X\n"
"DllCharacteristics:\t\t\t\t%04X\n"
"SizeofStackReserve:\t\t\t\t%08X\n"
"SizeofStackCommit:\t\t\t\t%08X\n"
"SizeofHeapReserve:\t\t\t\t%08X\n"
"SizeofHeapCommit:\t\t\t\t%08X\n"
"LoaderFlags:\t\t\t\t\t%08X\n"
"NumberOfRvaAndSizes:\t\t\t\t%08X\n\n"
"<-----IMAGE DATA DIRECTORY----->\n",
DosHd.e_magic,
DosHd.e_lfanew,
NtHds.Signature,
NtHds.FileHeader.Machine,
NtHds.FileHeader.NumberOfSections,
NtHds.FileHeader.TimeDateStamp,
NtHds.FileHeader.PointerToSymbolTable,
NtHds.FileHeader.NumberOfSymbols,
NtHds.FileHeader.SizeOfOptionalHeader,
NtHds.FileHeader.Characteristics,
NtHds.OptionalHeader.Magic,
NtHds.OptionalHeader.MajorLinkerVersion,
NtHds.OptionalHeader.MinorLinkerVersion,
NtHds.OptionalHeader.SizeOfCode,
NtHds.OptionalHeader.SizeOfInitializedData,
NtHds.OptionalHeader.SizeOfUninitializedData,
NtHds.OptionalHeader.AddressOfEntryPoint,
NtHds.OptionalHeader.BaseOfCode,
NtHds.OptionalHeader.BaseOfData,
NtHds.OptionalHeader.ImageBase,
NtHds.OptionalHeader.SectionAlignment,
NtHds.OptionalHeader.FileAlignment,
NtHds.OptionalHeader.MajorOperatingSystemVersion,
NtHds.OptionalHeader.MinorOperatingSystemVersion,
NtHds.OptionalHeader.MajorImageVersion,
NtHds.OptionalHeader.MinorImageVersion,
NtHds.OptionalHeader.MajorSubsystemVersion,
NtHds.OptionalHeader.MinorSubsystemVersion,
NtHds.OptionalHeader.Win32VersionValue,
NtHds.OptionalHeader.SizeOfImage,
NtHds.OptionalHeader.SizeOfHeaders,
NtHds.OptionalHeader.CheckSum,
NtHds.OptionalHeader.Subsystem,
NtHds.OptionalHeader.DllCharacteristics,
NtHds.OptionalHeader.SizeOfStackReserve,
NtHds.OptionalHeader.SizeOfStackCommit,
NtHds.OptionalHeader.SizeOfHeapReserve,
NtHds.OptionalHeader.SizeOfHeapCommit,
NtHds.OptionalHeader.LoaderFlags,
NtHds.OptionalHeader.NumberOfRvaAndSizes);
DrawTxt(1335);
for(i=0;i<NtHds.OptionalHeader.NumberOfRvaAndSizes;++i)
{
sprintf(szTxtBuf,
"%X#:\n"
"%s\n"
"--------------------------------\n"
"RVA:\t\t\t%08X\n"
"Size:\t\t\t%08X\n\n",
i,
szDirStr[i],
NtHds.OptionalHeader.DataDirectory[i].VirtualAddress,
NtHds.OptionalHeader.DataDirectory[i].Size);
DrawTxt(dwDirLen[i]+72);
}
ConMsg("******************IMAGE SECTION HEADERS*****************\n",57);
for(i=0;i<NtHds.FileHeader.NumberOfSections;++i)
{
sprintf(szTxtBuf,
"%X#:\n"
"Name:\t\t\t\t\t\t%#-8s\t\n"
"VirtualSize:\t\t\t\t\t%08X\n"
"RVA:\t\t\t\t\t\t%08X\n"
"SizeofRawData:\t\t\t\t\t%08X\n"
"PointerToRawData:\t\t\t\t%08X\n"
"PointerToRelocations:\t\t\t\t%08X\n"
"PointerToLinenumbers:\t\t\t\t%08X\n"
"NumberOfRelocations:\t\t\t\t%04X\n"
"NumberOfLinenumbers:\t\t\t\t%04X\n"
"Characteristics:\t\t\t\t%08X\n\n",
i,
pScnHd[i].Name,
pScnHd[i].Misc.VirtualSize,
pScnHd[i].VirtualAddress,
pScnHd[i].SizeOfRawData,
pScnHd[i].PointerToRawData,
pScnHd[i].PointerToRelocations,
pScnHd[i].PointerToLinenumbers,
pScnHd[i].NumberOfRelocations,
pScnHd[i].NumberOfLinenumbers,
pScnHd[i].Characteristics);
DrawTxt(284);
}
//SectionAlignmentMask=NtHds.OptionalHeader.SectionAlignment-1;
FileAlignmentMask=NtHds.OptionalHeader.FileAlignment-1;
//[Fix SizeOfRawData and PointerToRawData]
for(i=0;i<NtHds.FileHeader.NumberOfSections;++i)
{
if(pScnHd[i].SizeOfRawData && (pScnHd[i].VirtualAddress%NtHds.OptionalHeader.SectionAlignment))
{
pScnHd[i].SizeOfRawData=(pScnHd[i].SizeOfRawData+FileAlignmentMask) & (0xFFFFFFFF^FileAlignmentMask);
pScnHd[i].PointerToRawData=pScnHd[i].PointerToRawData & (0xFFFFFFFF^FileAlignmentMask);
}
}
//[Read Import Table]
//if(NtHds.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size % IMAGE_SIZEOF_IMPORT_DESCRIPTOR)
// ConMsg("Invalid Sizeof Import Descriptors!",34);
//else
if(NtHds.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress)
{
if((i=RVA2RawPtr(NtHds.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress,pScnHd,NtHds.FileHeader.NumberOfSections))==INVALID_RVA)
ConMsg("Error Searching Import Descriptors!",35);
else
{
IMAGE_IMPORT_DESCRIPTOR **pImpD;
IMAGE_THUNK_DATA32 **pThunk;
DWORD *pdwNrFn;
DWORD dwNrImpD=NtHds.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size / IMAGE_SIZEOF_IMPORT_DESCRIPTOR;
pImpD=HeapAlloc(hHeap,0,dwNrImpD<<2);
//sprintf(szTxtBuf,"%08X\n",i);
//DrawTxt(9);
_llseek(hFile,i,FILE_BEGIN);
for(i=0;i<dwNrImpD;++i)
{
pImpD[i]=HeapAlloc(hHeap,0,IMAGE_SIZEOF_IMPORT_DESCRIPTOR);
_lread(hFile,pImpD[i],IMAGE_SIZEOF_IMPORT_DESCRIPTOR);
if(pImpD[i]->OriginalFirstThunk==0 && pImpD[i]->TimeDateStamp==0
&& pImpD[i]->ForwarderChain==0 && pImpD[i]->Name==0 && pImpD[i]->FirstThunk==0)
break;
}
dwNrImpD=i;
pThunk=HeapAlloc(hHeap,0,dwNrImpD<<2);
pdwNrFn=HeapAlloc(hHeap,0,dwNrImpD<<2);
//We Try OriginalFirstThunk and then FirstThunk
for(i=0;i<dwNrImpD;++i)
{
pThunk[i]=HeapAlloc(hHeap,0,MAX_NRTHUNK<<2);
if(!(j=pImpD[i]->OriginalFirstThunk))
j=pImpD[i]->FirstThunk;//Use FirstThunk if OriginalFirstThunk==NULL
_llseek(hFile,RVA2RawPtr(j,pScnHd,NtHds.FileHeader.NumberOfSections),FILE_BEGIN);
for(j=0;j<MAX_NRTHUNK;++j)
{
_lread(hFile,&pThunk[i][j],4);
if(pThunk[i][j].u1.AddressOfData==NULL)//
{
pdwNrFn[i]=j;
break;
}
}
}
//Print Import Messages
ConMsg("****************IMAGE IMPORT DESCRIPTORS****************\n",57);
for(i=0;i<dwNrImpD;++i)
{
sprintf(szTxtBuf,
"OriginalFirstThunkRVA:\t\t\t\t%08X\n"
"TimeDateStamp:\t\t\t\t\t%08X\n"
"ForwarderChain:\t\t\t\t\t%08X\n"
"NameRVA:\t\t\t\t\t%08X",
pImpD[i]->OriginalFirstThunk,
pImpD[i]->TimeDateStamp,
pImpD[i]->ForwarderChain,
pImpD[i]->Name);
DrawTxt(113);
_llseek(hFile,RVA2RawPtr(pImpD[i]->Name,pScnHd,NtHds.FileHeader.NumberOfSections),FILE_BEGIN);
_lread(hFile,szTxtBuf2,MAX_PATH);
//j=sprintf(szTxtBuf,"\t%s\n",szTxtBuf2);
DrawTxt(sprintf(szTxtBuf,"\t%s\n",szTxtBuf2));
sprintf(szTxtBuf,
"FirstThunkRVA:\t\t\t\t\t%08X\n",
pImpD[i]->FirstThunk);
DrawTxt(28);
for(j=0;j<pdwNrFn[i];++j)
{
if(IMAGE_SNAP_BY_ORDINAL32(pThunk[i][j].u1.Ordinal))
{
sprintf(szTxtBuf,"Ordinal: %04X\n",IMAGE_ORDINAL32(pThunk[i][j].u1.Ordinal));
DrawTxt(14);
}
else
{
sprintf(szTxtBuf,"Thunk: %08X",pThunk[i][j].u1.Ordinal);
DrawTxt(15);
_llseek(hFile,RVA2RawPtr(pThunk[i][j].u1.Ordinal,pScnHd,NtHds.FileHeader.NumberOfSections),FILE_BEGIN);
_lread(hFile,szTxtBuf,2);
sprintf(szTxtBuf,"\t\tHint: %04X",*(WORD *)szTxtBuf);
DrawTxt(12);
_lread(hFile,szTxtBuf2,MAX_PATH);
DrawTxt(sprintf(szTxtBuf,"\tName: %s\n",szTxtBuf2));
}
}
}
}
}
//[Read Export Table]
if(NtHds.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress)
{
if((i=RVA2RawPtr(NtHds.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress,pScnHd,NtHds.FileHeader.NumberOfSections))==INVALID_RVA)
ConMsg("\nError Searching Export Directory!",33);
else
{
DWORD k;
IMAGE_EXPORT_DIRECTORY *pExpD=HeapAlloc(hHeap,0,IMAGE_SIZEOF_EXPORT_DIR);
WORD *pdwIdxNm;
DWORD *pdwExpNm;
LPSTR *lppExpNm;
DWORD *pdwExpFn;
DWORD *pdwRIdxFn;
_llseek(hFile,i,FILE_BEGIN);
_lread(hFile,pExpD,IMAGE_SIZEOF_EXPORT_DIR);
//sprintf(szTxtBuf,"%08X",i);
//DrawTxt(8);
ConMsg("\n\n*****************IMAGE EXPORT DIRECTORY*****************",58);
sprintf(szTxtBuf,
"\nCharacteristics:\t\t\t\t%08X\n"
"TimeDateStamp:\t\t\t\t\t%08X\n"
"MajorVersion:\t\t\t\t\t%04X\n"
"MinorVersion:\t\t\t\t\t%04X\n"
"NameRVA:\t\t\t\t\t%08X\t",
pExpD->Characteristics,
pExpD->TimeDateStamp,
pExpD->MajorVersion,
pExpD->MinorVersion,
pExpD->Name);
DrawTxt(126);
if((i=RVA2RawPtr(pExpD->Name,pScnHd,NtHds.FileHeader.NumberOfSections))!=INVALID_RVA)
{
_llseek(hFile,i,FILE_BEGIN);
_lread(hFile,szTxtBuf2,MAX_PATH);
//j=;
DrawTxt(sprintf(szTxtBuf,"%s",szTxtBuf2));
}
sprintf(szTxtBuf,
"\nBase:\t\t\t\t\t\t%08X\n"
"NumberOfFunctions:\t\t\t\t%08X\n"
"NumberOfNames:\t\t\t\t\t%08X\n"
"AddressOfFunctions:\t\t\t\t%08X\n"
"AddressOfNames:\t\t\t\t\t%08X\n"
"AddressOfNameOrdinals:\t\t\t\t%08X\n",
pExpD->Base,
pExpD->NumberOfFunctions,
pExpD->NumberOfNames,
pExpD->AddressOfFunctions,
pExpD->AddressOfNames,
pExpD->AddressOfNameOrdinals);
DrawTxt(176);
//[Construct NameOrdinals Array]
pdwIdxNm=HeapAlloc(hHeap,0,pExpD->NumberOfNames<<1);
_llseek(hFile,RVA2RawPtr(pExpD->AddressOfNameOrdinals,pScnHd,NtHds.FileHeader.NumberOfSections),FILE_BEGIN);
_lread(hFile,pdwIdxNm,pExpD->NumberOfNames<<1);
//[Construct NameRVA Array]
pdwExpNm=HeapAlloc(hHeap,0,pExpD->NumberOfNames<<2);
_llseek(hFile,RVA2RawPtr(pExpD->AddressOfNames,pScnHd,NtHds.FileHeader.NumberOfSections),FILE_BEGIN);
_lread(hFile,pdwExpNm,pExpD->NumberOfNames<<2);
//[Construct Name Array]
lppExpNm=HeapAlloc(hHeap,0,pExpD->NumberOfNames<<2);
for(i=0;i<pExpD->NumberOfNames;++i)
{
lppExpNm[i]=HeapAlloc(hHeap,0,MAX_PATH);
_llseek(hFile,RVA2RawPtr(pdwExpNm[i],pScnHd,NtHds.FileHeader.NumberOfSections),FILE_BEGIN);
_lread(hFile,lppExpNm[i],MAX_PATH);
}
//[Construct Function Array]
pdwExpFn=HeapAlloc(hHeap,0,pExpD->NumberOfFunctions<<2);
_llseek(hFile,RVA2RawPtr(pExpD->AddressOfFunctions,pScnHd,NtHds.FileHeader.NumberOfSections),FILE_BEGIN);
_lread(hFile,pdwExpFn,pExpD->NumberOfFunctions<<2);
//[Construct Reverse Index]
pdwRIdxFn=HeapAlloc(hHeap,0,pExpD->NumberOfFunctions<<2);
for(i=j=0;i<pExpD->NumberOfFunctions;++i)
{
pdwRIdxFn[i]=-1;
for(k=j;k<pExpD->NumberOfNames;++k)
{
if(pdwIdxNm[k]==i)
{
pdwRIdxFn[i]=k;
++j;
break;
}
}
}
for(i=0;i<pExpD->NumberOfFunctions;++i)
{
sprintf(szTxtBuf,
"\nOrdinal: %04X\t"
"RVA: %08X",
i+pExpD->Base,
pdwExpFn[i]);
DrawTxt(28);
if(pdwRIdxFn[i]!=-1)
{
//j=sprintf(szTxtBuf,"\tName: %s",lppExpNm[pdwRIdxFn[i]]);
DrawTxt(sprintf(szTxtBuf,"\tName: %s",lppExpNm[pdwRIdxFn[i]]));
}
}
}
}
}
LBL_VVAS:
if(0) {}
}
}
HeapDestroy(hHeap);
}
}
}
}
//CloseHandle(hFile);
_lclose(hFile);
}
}
}
else
LBL_USAGE:
ConMsg("PEx PEfilename",14);
}程序使用了ntdll,相關頭文件和庫在ntdll附件中。
程序是原創的,證據:
能給個邀請碼么?
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
