-
-
[旧帖] [原创]命令行PE分析工具VC源碼,求邀請碼 0.00雪花
-
发表于: 2012-9-29 17:49 1449
-
近日無事,把以前塵封的寫過的東西放上來分享下。
程序使用VC6.0編譯
使用了自定義的程序入口EntryPoint
所以鏈接時應指明/ENTRY:EntryPoint才可以
程序的功能:
檢測PE有效性
輸出IMAGE_NT_HEADERS32信息
輸出Section Headers信息
輸出Import Table信息
輸出Export Table信息
用法:PEx <PE filename>
代碼:
程序使用了ntdll,相關頭文件和庫在ntdll附件中。
程序是原創的,證據:
能給個邀請碼么?
程序使用VC6.0編譯
使用了自定義的程序入口EntryPoint
所以鏈接時應指明/ENTRY:EntryPoint才可以
程序的功能:
檢測PE有效性
輸出IMAGE_NT_HEADERS32信息
輸出Section Headers信息
輸出Import Table信息
輸出Export Table信息
用法:PEx <PE filename>
代碼:
#include <windows.h> #include <ntdll.h> #ifndef IMAGE_SIZEOF_DOS_HEADER #define IMAGE_SIZEOF_DOS_HEADER 0x40 #endif #ifndef IMAGE_SIZEOF_IMPORT_DESCRIPTOR #define IMAGE_SIZEOF_IMPORT_DESCRIPTOR 0x14 #endif #ifndef IMAGE_SIZEOF_EXPORT_DIR #define IMAGE_SIZEOF_EXPORT_DIR 0x28 #endif #ifndef INVALID_RVA #define INVALID_RVA 0xFFFFFFFF #endif //We Assume that the Maximum Number of Export(s) of Each Dll is 4096 #ifndef MAX_NRTHUNK #define MAX_NRTHUNK 4096 #endif #define ConMsg(str,strlength) WriteConsole(hConO,str,strlength,NULL,NULL) //#define SaveTxt(formatstr,...) sprintf(szTxtBuf,formatstr,VARARGS) #define DrawTxt(strlength) ConMsg(szTxtBuf,strlength) //Console //kernel32,ntdll /* void __stdcall DrawTxt(DWORD dwlen) { ConMsg(szTxtBuf,dwlen); } */ DWORD RVA2RawPtr(DWORD RVA,IMAGE_SECTION_HEADER *pScnHd,DWORD NumberOfSections) { if(RVA<pScnHd[0].VirtualAddress) return RVA; else { DWORD i; for(i=0;i<NumberOfSections;++i) if(RVA>=pScnHd[i].VirtualAddress && RVA<pScnHd[i].VirtualAddress+pScnHd[i].Misc.VirtualSize) return RVA-(pScnHd[i].VirtualAddress-pScnHd[i].PointerToRawData); return INVALID_RVA; } } void EntryPoint() { LPTSTR szArg1=GetCommandLine(); HANDLE hConO=GetStdHandle(STD_OUTPUT_HANDLE); //DWORD dwTxtWri; if(*szArg1=='\"')//Strip Quotations of Arg0 { do ++szArg1; while(*szArg1=='\"'); szArg1=strchr(szArg1,'\"'); do ++szArg1; while(*szArg1=='\"'); } if(szArg1=strchr(szArg1,' '))//szArg1 May Be a Null String before Calling strch {//First Space Exists LPSTR szChr=szArg1; for(;*szChr;++szChr)//Replace Quotations of Arg1 with Space Character if(*szChr=='\"') *szChr=' '; do ++szArg1; while(*szArg1==' '); if(!*szArg1) goto LBL_USAGE; else//Arg1 Exists { //HANDLE hFile; HFILE hFile; //if((hFile=CreateFile(szArg1,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL))==INVALID_HANDLE_VALUE) if((hFile=_lopen(szArg1,OF_READ))==HFILE_ERROR) ConMsg("Unable to Open File!",20); else { LONG iFileSize=GetFileSize((HANDLE)hFile,NULL); if(!iFileSize || !~iFileSize)//iFileSize==0 || iFileSize==0xFFFFFFFF ConMsg("Invalid Filesize!",17); else//Valid PE File Size {//[Read DOS Header] IMAGE_DOS_HEADER DosHd; //if(!ReadFile(hFile,&DosHd,IMAGE_SIZEOF_DOS_HEADER,&dwTxtWri,NULL)) if(_lread(hFile,&DosHd,IMAGE_SIZEOF_DOS_HEADER)==HFILE_ERROR) ConMsg("Error Reading DOS Header!",25); else if(DosHd.e_magic!=IMAGE_DOS_SIGNATURE)//0x4D5A='M''Z' ConMsg("Invalid DOS Signature!",22); else if(DosHd.e_lfanew<4 || DosHd.e_lfanew>=iFileSize) ConMsg("Invalid PE Header Address!",26); else//Valid DOS Header {//[Read NT Headers] IMAGE_NT_HEADERS32 NtHds; //SetFilePointer(hFile,DosHd.e_lfanew,NULL,FILE_BEGIN); _llseek(hFile,DosHd.e_lfanew,FILE_BEGIN); //if(!ReadFile(hFile,&NtHds,IMAGE_SIZEOF_NT_OPTIONAL32_HEADER,&dwTxtWri,NULL)) //0x60=IMAGE_SIZEOF_NT_OPTIONAL32_HEADER(0xE0)-8*0x10 if(_lread(hFile,&NtHds,4+IMAGE_SIZEOF_FILE_HEADER)==HFILE_ERROR) goto LBL_ERRNTHD; //ConMsg("Error Reading NT Headers!",25); else if(NtHds.Signature!=IMAGE_NT_SIGNATURE) ConMsg("Invalid PE Signature!",21); //else if(IMAGE_SIZEOF_NT_OPTIONAL32_HEADER-(IMAGE_NUMBEROF_DIRECTORY_ENTRIES-NtHds.OptionalHeader.NumberOfRvaAndSizes)*sizeof(IMAGE_DATA_DIRECTORY)!=NtHds.FileHeader.SizeOfOptionalHeader) //Valid NT Headers 1 //[Read Optional Header] else if(_lread(hFile,&NtHds.OptionalHeader,IMAGE_SIZEOF_NT_OPTIONAL32_HEADER)==HFILE_ERROR) LBL_ERRNTHD: ConMsg("Error Reading NT Headers!",25); else if(NtHds.OptionalHeader.Magic!=IMAGE_NT_OPTIONAL_HDR32_MAGIC) ConMsg("Machine Type Not I386!",22); else//Valid Optional Header {//[Read Section Headers (Section Table)] HANDLE hHeap; IMAGE_SECTION_HEADER *pScnHd; DWORD dwScnSizeTotal=(NtHds.FileHeader.NumberOfSections<<5)+(NtHds.FileHeader.NumberOfSections<<3);//NtHds.FileHeader.NumberOfSections*IMAGE_SIZEOF_SECTION_HEADER(40) //NtHds.OptionalHeader.NumberOfRvaAndSizes=(NtHds.FileHeader.SizeOfOptionalHeader-0x60)>>3; if(!(hHeap=HeapCreate(0,0,0))) ConMsg("Error Creating Local Heap!",26); //HeapCreate Success else { if(!(pScnHd=HeapAlloc(hHeap,0,dwScnSizeTotal))) ConMsg("Error Allocating Heap!",22); else//HeapAlloc Success { //SetFilePointer(hFile,NtHds.FileHeader.SizeOfOptionalHeader-IMAGE_SIZEOF_NT_OPTIONAL32_HEADER,NULL,FILE_CURRENT);//Normally It's the Same with not Moving FilePointer _llseek(hFile,NtHds.FileHeader.SizeOfOptionalHeader-IMAGE_SIZEOF_NT_OPTIONAL32_HEADER,FILE_CURRENT);//Theoretically It's the Same with not Moving FilePointer //if(!ReadFile(hFile,pScnHd,dwScnSizeTotal,&dwTxtWri,NULL)) if(_lread(hFile,pScnHd,dwScnSizeTotal)==HFILE_ERROR) ConMsg("Error Reading Section Headers!",30); else { DWORD i; //DWORD SectionAlignmentMask; DWORD FileAlignmentMask; for(i=0;i<NtHds.FileHeader.NumberOfSections;++i) if(pScnHd[i].VirtualAddress%NtHds.OptionalHeader.SectionAlignment) { ConMsg("Volatile Virtual Address Space!",31); goto LBL_VVAS; } if(1) { CHAR szDirStr[16][28]= {"Export Table:","Import Table:","Resource Table:", "Exception Table:","Certificate Table:","Base Relocation Table:", "Debug:","Architecture:","Global Ptr:","TLS Table:", "Load Config Table:","Bound Import:","IAT:","Delay Import Descriptor:", "CLR Runtime Header:","Reserved:"}; DWORD dwDirLen[16]={13,13,15,16,18,22,6,13,11,10,18,13,4,24,19,9}; CHAR szTxtBuf[1336]; LPSTR szTxtBuf2=szTxtBuf+668; DWORD j; //Print Header Messages sprintf(szTxtBuf, "********************IMAGE DOS HEADER********************\n" "DOS Magic:\t\t\t\t\t%04X\n" "File Address of New Exe Header:\t\t\t%08X\n\n" "PE Signature:\t\t\t\t\t%08X\n" "********************IMAGE FILE HEADER*******************\n" "Machine:\t\t\t\t\t%04X\n" "NumberofSections:\t\t\t\t%04X\n" "Time Date Stamp:\t\t\t\t%08X\n" "PointertoSymbolTable:\t\t\t\t%08X\n" "Number of Symbols:\t\t\t\t%08X\n" "SizeofOptionalHeader:\t\t\t\t%08X\n" "Characteristics:\t\t\t\t%08X\n\n" "******************IMAGE OPTIONAL HEADER*****************\n" "Magic:\t\t\t\t\t\t%04X\n" "MajorLinkVersion:\t\t\t\t%#-3d\n" "MinorLinkVersion:\t\t\t\t%#-3d\n" "SizeofCode:\t\t\t\t\t%08X\n" "SizeofInitializedData:\t\t\t\t%08X\n" "SizeofUnData:\t\t\t\t\t%08X\n" "AddressofEntryPoint:\t\t\t\t%08X\n" "BaseofCode:\t\t\t\t\t%08X\n" "BaseofData:\t\t\t\t\t%08X\n\n" "ImageBase:\t\t\t\t\t%08X\n" "SectionAlignment:\t\t\t\t%08X\n" "FileAlignment:\t\t\t\t\t%08X\n" "MajorOSVersion:\t\t\t\t\t%#-6d\n" "MinorOSVersion:\t\t\t\t\t%#-6d\n" "MajorImageVersion:\t\t\t\t%#-6d\n" "MinorImageVersion:\t\t\t\t%#-6d\n" "MajorSubsystemVersion:\t\t\t\t%#-6d\n" "MinorSubsystemVersion:\t\t\t\t%#-6d\n" "Win32VersionValue:\t\t\t\t%08X\n" "SizeOfImage:\t\t\t\t\t%08X\n" "SizeOfHeaders:\t\t\t\t\t%08X\n" "CheckSum:\t\t\t\t\t%08X\n" "Subsystem:\t\t\t\t\t%04X\n" "DllCharacteristics:\t\t\t\t%04X\n" "SizeofStackReserve:\t\t\t\t%08X\n" "SizeofStackCommit:\t\t\t\t%08X\n" "SizeofHeapReserve:\t\t\t\t%08X\n" "SizeofHeapCommit:\t\t\t\t%08X\n" "LoaderFlags:\t\t\t\t\t%08X\n" "NumberOfRvaAndSizes:\t\t\t\t%08X\n\n" "<-----IMAGE DATA DIRECTORY----->\n", DosHd.e_magic, DosHd.e_lfanew, NtHds.Signature, NtHds.FileHeader.Machine, NtHds.FileHeader.NumberOfSections, NtHds.FileHeader.TimeDateStamp, NtHds.FileHeader.PointerToSymbolTable, NtHds.FileHeader.NumberOfSymbols, NtHds.FileHeader.SizeOfOptionalHeader, NtHds.FileHeader.Characteristics, NtHds.OptionalHeader.Magic, NtHds.OptionalHeader.MajorLinkerVersion, NtHds.OptionalHeader.MinorLinkerVersion, NtHds.OptionalHeader.SizeOfCode, NtHds.OptionalHeader.SizeOfInitializedData, NtHds.OptionalHeader.SizeOfUninitializedData, NtHds.OptionalHeader.AddressOfEntryPoint, NtHds.OptionalHeader.BaseOfCode, NtHds.OptionalHeader.BaseOfData, NtHds.OptionalHeader.ImageBase, NtHds.OptionalHeader.SectionAlignment, NtHds.OptionalHeader.FileAlignment, NtHds.OptionalHeader.MajorOperatingSystemVersion, NtHds.OptionalHeader.MinorOperatingSystemVersion, NtHds.OptionalHeader.MajorImageVersion, NtHds.OptionalHeader.MinorImageVersion, NtHds.OptionalHeader.MajorSubsystemVersion, NtHds.OptionalHeader.MinorSubsystemVersion, NtHds.OptionalHeader.Win32VersionValue, NtHds.OptionalHeader.SizeOfImage, NtHds.OptionalHeader.SizeOfHeaders, NtHds.OptionalHeader.CheckSum, NtHds.OptionalHeader.Subsystem, NtHds.OptionalHeader.DllCharacteristics, NtHds.OptionalHeader.SizeOfStackReserve, NtHds.OptionalHeader.SizeOfStackCommit, NtHds.OptionalHeader.SizeOfHeapReserve, NtHds.OptionalHeader.SizeOfHeapCommit, NtHds.OptionalHeader.LoaderFlags, NtHds.OptionalHeader.NumberOfRvaAndSizes); DrawTxt(1335); for(i=0;i<NtHds.OptionalHeader.NumberOfRvaAndSizes;++i) { sprintf(szTxtBuf, "%X#:\n" "%s\n" "--------------------------------\n" "RVA:\t\t\t%08X\n" "Size:\t\t\t%08X\n\n", i, szDirStr[i], NtHds.OptionalHeader.DataDirectory[i].VirtualAddress, NtHds.OptionalHeader.DataDirectory[i].Size); DrawTxt(dwDirLen[i]+72); } ConMsg("******************IMAGE SECTION HEADERS*****************\n",57); for(i=0;i<NtHds.FileHeader.NumberOfSections;++i) { sprintf(szTxtBuf, "%X#:\n" "Name:\t\t\t\t\t\t%#-8s\t\n" "VirtualSize:\t\t\t\t\t%08X\n" "RVA:\t\t\t\t\t\t%08X\n" "SizeofRawData:\t\t\t\t\t%08X\n" "PointerToRawData:\t\t\t\t%08X\n" "PointerToRelocations:\t\t\t\t%08X\n" "PointerToLinenumbers:\t\t\t\t%08X\n" "NumberOfRelocations:\t\t\t\t%04X\n" "NumberOfLinenumbers:\t\t\t\t%04X\n" "Characteristics:\t\t\t\t%08X\n\n", i, pScnHd[i].Name, pScnHd[i].Misc.VirtualSize, pScnHd[i].VirtualAddress, pScnHd[i].SizeOfRawData, pScnHd[i].PointerToRawData, pScnHd[i].PointerToRelocations, pScnHd[i].PointerToLinenumbers, pScnHd[i].NumberOfRelocations, pScnHd[i].NumberOfLinenumbers, pScnHd[i].Characteristics); DrawTxt(284); } //SectionAlignmentMask=NtHds.OptionalHeader.SectionAlignment-1; FileAlignmentMask=NtHds.OptionalHeader.FileAlignment-1; //[Fix SizeOfRawData and PointerToRawData] for(i=0;i<NtHds.FileHeader.NumberOfSections;++i) { if(pScnHd[i].SizeOfRawData && (pScnHd[i].VirtualAddress%NtHds.OptionalHeader.SectionAlignment)) { pScnHd[i].SizeOfRawData=(pScnHd[i].SizeOfRawData+FileAlignmentMask) & (0xFFFFFFFF^FileAlignmentMask); pScnHd[i].PointerToRawData=pScnHd[i].PointerToRawData & (0xFFFFFFFF^FileAlignmentMask); } } //[Read Import Table] //if(NtHds.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size % IMAGE_SIZEOF_IMPORT_DESCRIPTOR) // ConMsg("Invalid Sizeof Import Descriptors!",34); //else if(NtHds.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress) { if((i=RVA2RawPtr(NtHds.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress,pScnHd,NtHds.FileHeader.NumberOfSections))==INVALID_RVA) ConMsg("Error Searching Import Descriptors!",35); else { IMAGE_IMPORT_DESCRIPTOR **pImpD; IMAGE_THUNK_DATA32 **pThunk; DWORD *pdwNrFn; DWORD dwNrImpD=NtHds.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size / IMAGE_SIZEOF_IMPORT_DESCRIPTOR; pImpD=HeapAlloc(hHeap,0,dwNrImpD<<2); //sprintf(szTxtBuf,"%08X\n",i); //DrawTxt(9); _llseek(hFile,i,FILE_BEGIN); for(i=0;i<dwNrImpD;++i) { pImpD[i]=HeapAlloc(hHeap,0,IMAGE_SIZEOF_IMPORT_DESCRIPTOR); _lread(hFile,pImpD[i],IMAGE_SIZEOF_IMPORT_DESCRIPTOR); if(pImpD[i]->OriginalFirstThunk==0 && pImpD[i]->TimeDateStamp==0 && pImpD[i]->ForwarderChain==0 && pImpD[i]->Name==0 && pImpD[i]->FirstThunk==0) break; } dwNrImpD=i; pThunk=HeapAlloc(hHeap,0,dwNrImpD<<2); pdwNrFn=HeapAlloc(hHeap,0,dwNrImpD<<2); //We Try OriginalFirstThunk and then FirstThunk for(i=0;i<dwNrImpD;++i) { pThunk[i]=HeapAlloc(hHeap,0,MAX_NRTHUNK<<2); if(!(j=pImpD[i]->OriginalFirstThunk)) j=pImpD[i]->FirstThunk;//Use FirstThunk if OriginalFirstThunk==NULL _llseek(hFile,RVA2RawPtr(j,pScnHd,NtHds.FileHeader.NumberOfSections),FILE_BEGIN); for(j=0;j<MAX_NRTHUNK;++j) { _lread(hFile,&pThunk[i][j],4); if(pThunk[i][j].u1.AddressOfData==NULL)// { pdwNrFn[i]=j; break; } } } //Print Import Messages ConMsg("****************IMAGE IMPORT DESCRIPTORS****************\n",57); for(i=0;i<dwNrImpD;++i) { sprintf(szTxtBuf, "OriginalFirstThunkRVA:\t\t\t\t%08X\n" "TimeDateStamp:\t\t\t\t\t%08X\n" "ForwarderChain:\t\t\t\t\t%08X\n" "NameRVA:\t\t\t\t\t%08X", pImpD[i]->OriginalFirstThunk, pImpD[i]->TimeDateStamp, pImpD[i]->ForwarderChain, pImpD[i]->Name); DrawTxt(113); _llseek(hFile,RVA2RawPtr(pImpD[i]->Name,pScnHd,NtHds.FileHeader.NumberOfSections),FILE_BEGIN); _lread(hFile,szTxtBuf2,MAX_PATH); //j=sprintf(szTxtBuf,"\t%s\n",szTxtBuf2); DrawTxt(sprintf(szTxtBuf,"\t%s\n",szTxtBuf2)); sprintf(szTxtBuf, "FirstThunkRVA:\t\t\t\t\t%08X\n", pImpD[i]->FirstThunk); DrawTxt(28); for(j=0;j<pdwNrFn[i];++j) { if(IMAGE_SNAP_BY_ORDINAL32(pThunk[i][j].u1.Ordinal)) { sprintf(szTxtBuf,"Ordinal: %04X\n",IMAGE_ORDINAL32(pThunk[i][j].u1.Ordinal)); DrawTxt(14); } else { sprintf(szTxtBuf,"Thunk: %08X",pThunk[i][j].u1.Ordinal); DrawTxt(15); _llseek(hFile,RVA2RawPtr(pThunk[i][j].u1.Ordinal,pScnHd,NtHds.FileHeader.NumberOfSections),FILE_BEGIN); _lread(hFile,szTxtBuf,2); sprintf(szTxtBuf,"\t\tHint: %04X",*(WORD *)szTxtBuf); DrawTxt(12); _lread(hFile,szTxtBuf2,MAX_PATH); DrawTxt(sprintf(szTxtBuf,"\tName: %s\n",szTxtBuf2)); } } } } } //[Read Export Table] if(NtHds.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress) { if((i=RVA2RawPtr(NtHds.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress,pScnHd,NtHds.FileHeader.NumberOfSections))==INVALID_RVA) ConMsg("\nError Searching Export Directory!",33); else { DWORD k; IMAGE_EXPORT_DIRECTORY *pExpD=HeapAlloc(hHeap,0,IMAGE_SIZEOF_EXPORT_DIR); WORD *pdwIdxNm; DWORD *pdwExpNm; LPSTR *lppExpNm; DWORD *pdwExpFn; DWORD *pdwRIdxFn; _llseek(hFile,i,FILE_BEGIN); _lread(hFile,pExpD,IMAGE_SIZEOF_EXPORT_DIR); //sprintf(szTxtBuf,"%08X",i); //DrawTxt(8); ConMsg("\n\n*****************IMAGE EXPORT DIRECTORY*****************",58); sprintf(szTxtBuf, "\nCharacteristics:\t\t\t\t%08X\n" "TimeDateStamp:\t\t\t\t\t%08X\n" "MajorVersion:\t\t\t\t\t%04X\n" "MinorVersion:\t\t\t\t\t%04X\n" "NameRVA:\t\t\t\t\t%08X\t", pExpD->Characteristics, pExpD->TimeDateStamp, pExpD->MajorVersion, pExpD->MinorVersion, pExpD->Name); DrawTxt(126); if((i=RVA2RawPtr(pExpD->Name,pScnHd,NtHds.FileHeader.NumberOfSections))!=INVALID_RVA) { _llseek(hFile,i,FILE_BEGIN); _lread(hFile,szTxtBuf2,MAX_PATH); //j=; DrawTxt(sprintf(szTxtBuf,"%s",szTxtBuf2)); } sprintf(szTxtBuf, "\nBase:\t\t\t\t\t\t%08X\n" "NumberOfFunctions:\t\t\t\t%08X\n" "NumberOfNames:\t\t\t\t\t%08X\n" "AddressOfFunctions:\t\t\t\t%08X\n" "AddressOfNames:\t\t\t\t\t%08X\n" "AddressOfNameOrdinals:\t\t\t\t%08X\n", pExpD->Base, pExpD->NumberOfFunctions, pExpD->NumberOfNames, pExpD->AddressOfFunctions, pExpD->AddressOfNames, pExpD->AddressOfNameOrdinals); DrawTxt(176); //[Construct NameOrdinals Array] pdwIdxNm=HeapAlloc(hHeap,0,pExpD->NumberOfNames<<1); _llseek(hFile,RVA2RawPtr(pExpD->AddressOfNameOrdinals,pScnHd,NtHds.FileHeader.NumberOfSections),FILE_BEGIN); _lread(hFile,pdwIdxNm,pExpD->NumberOfNames<<1); //[Construct NameRVA Array] pdwExpNm=HeapAlloc(hHeap,0,pExpD->NumberOfNames<<2); _llseek(hFile,RVA2RawPtr(pExpD->AddressOfNames,pScnHd,NtHds.FileHeader.NumberOfSections),FILE_BEGIN); _lread(hFile,pdwExpNm,pExpD->NumberOfNames<<2); //[Construct Name Array] lppExpNm=HeapAlloc(hHeap,0,pExpD->NumberOfNames<<2); for(i=0;i<pExpD->NumberOfNames;++i) { lppExpNm[i]=HeapAlloc(hHeap,0,MAX_PATH); _llseek(hFile,RVA2RawPtr(pdwExpNm[i],pScnHd,NtHds.FileHeader.NumberOfSections),FILE_BEGIN); _lread(hFile,lppExpNm[i],MAX_PATH); } //[Construct Function Array] pdwExpFn=HeapAlloc(hHeap,0,pExpD->NumberOfFunctions<<2); _llseek(hFile,RVA2RawPtr(pExpD->AddressOfFunctions,pScnHd,NtHds.FileHeader.NumberOfSections),FILE_BEGIN); _lread(hFile,pdwExpFn,pExpD->NumberOfFunctions<<2); //[Construct Reverse Index] pdwRIdxFn=HeapAlloc(hHeap,0,pExpD->NumberOfFunctions<<2); for(i=j=0;i<pExpD->NumberOfFunctions;++i) { pdwRIdxFn[i]=-1; for(k=j;k<pExpD->NumberOfNames;++k) { if(pdwIdxNm[k]==i) { pdwRIdxFn[i]=k; ++j; break; } } } for(i=0;i<pExpD->NumberOfFunctions;++i) { sprintf(szTxtBuf, "\nOrdinal: %04X\t" "RVA: %08X", i+pExpD->Base, pdwExpFn[i]); DrawTxt(28); if(pdwRIdxFn[i]!=-1) { //j=sprintf(szTxtBuf,"\tName: %s",lppExpNm[pdwRIdxFn[i]]); DrawTxt(sprintf(szTxtBuf,"\tName: %s",lppExpNm[pdwRIdxFn[i]])); } } } } } LBL_VVAS: if(0) {} } } HeapDestroy(hHeap); } } } } //CloseHandle(hFile); _lclose(hFile); } } } else LBL_USAGE: ConMsg("PEx PEfilename",14); }
程序使用了ntdll,相關頭文件和庫在ntdll附件中。
程序是原創的,證據:
能給個邀請碼么?
赞赏
他的文章
- [求助]请问这个Keygen用的是什么壳,怎么脱? 4490
- [求助]Windows API 如何截取文件 4254
- [求助]如何获取外存储设备的设备名 3480
- [求助]CloseHandle一句是否有必要? 5875
看原图
赞赏
雪币:
留言: