首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 软件逆向
    3. 发新帖
[原创]MFC 写的一个PEedit
发表于: 2013-12-2 22:48 9351

[原创]MFC 写的一个PEedit

gotmilk 活跃值
2
2013-12-2 22:48
9351
DWORD RVA2Memaddr( DWORD dwVA,DWORD lpiamge,PIMAGE_NT_HEADERS32 pNT32 )
{
    PIMAGE_SECTION_HEADER pSection = IMAGE_FIRST_SECTION(pNT32);
    for ( DWORD i=0; i<=pNT32->FileHeader.NumberOfSections; i++ )
    {
        DWORD dwFileAddr=0;

        if ( dwVA < pSection[i].VirtualAddress )
        {
            DWORD dwAddr= dwVA - pSection[i-1].VirtualAddress-lpiamge;
            dwMemAddr=dwAddr+ pSection[i-1].PointerToRawData;
            return dwMemAddr;
        }
        else  if(dwVA>= pSection[pNT32->FileHeader.NumberOfSections-1].VirtualAddress)
        {
            DWORD dwAddr= dwVA - pSection[pNT32->FileHeader.NumberOfSections-1].VirtualAddress-lpiamge;
            dwMemAddr= dwAddr+ pSection[pNT32->FileHeader.NumberOfSections-1].PointerToRawData;
            return dwMemAddr;
        }
    } 
    return 0;
}
//载入pe文件
PeMisicInfo CPELoad::LoadPEFile(LPCTSTR lpszPath)
{
    DWORD PeFileSize=0;
    LPVOID DumpAddr=nullptr;
    BOOL CanBeRead;
    PIMAGE_NT_HEADERS32 Nt_headers;
    //创建文件映射
    HANDLE hFile=CreateFile(lpszPath,GENERIC_READ|GENERIC_WRITE,FILE_SHARE_WRITE|FILE_SHARE_READ,NULL,OPEN_EXISTING,SECURITY_IMPERSONATION,NULL);
    if(!hFile) goto EndProcess;
    PeFileSize=GetFileSize(hFile,NULL);
    if(PeFileSize==0)goto EndProcess;

    DumpAddr=VirtualAlloc(NULL,PeFileSize,MEM_COMMIT | MEM_RESERVE,PAGE_READWRITE);
    if(!DumpAddr)goto EndProcess;
    DWORD dwRet;

    CanBeRead=ReadFile(hFile,DumpAddr,PeFileSize,&dwRet,NULL);
    int a=GetLastError();
    if(!CanBeRead)goto EndProcess;//判断是不是pe文件
    // 判断是不是pe文件
    BOOL isPeFile=IsPeFile(DumpAddr,PeFileSize,Nt_headers);
    if(!isPeFile) goto EndProcess;
    mypemisc.Dumpaddr=DumpAddr;
    mypemisc.nt_headeras=Nt_headers;
    mypemisc.hFile=hFile;
    mypemisc.lpPath=lpszPath;
    return mypemisc;

EndProcess:
    if(hFile)CloseHandle(hFile);
    ExitProcess(0);


}

void CImportDir::ShowModuleInfo(vector<PIMAGE_SECTION_HEADER> Section)
{
    //删除掉模块栏的所有条目
    m_modulelist.DeleteAllItems();
    //删除所有vector中模块
    mymodulename.clear();
    PeMisicInfo miscinfo=ReturnMiscInfo();
    PIMAGE_NT_HEADERS32 LocalHeaders=miscinfo.nt_headeras;
    DWORD dumpaddr=(DWORD)miscinfo.Dumpaddr;
    m_dumpaddr=dumpaddr;
    WORD optional_header_size=LocalHeaders->FileHeader.SizeOfOptionalHeader;
    PIMAGE_OPTIONAL_HEADER32  Optional_header=&LocalHeaders->OptionalHeader;
    PIMAGE_DATA_DIRECTORY pDataDir = (PIMAGE_DATA_DIRECTORY)Optional_header->DataDirectory;
    //导入表的地址
    DWORD my_export_rva=pDataDir[1].VirtualAddress;
    DWORD Import_Table_Section_ShiftAddr;
    DWORD OA;
   //数据段的RVA
    for(int a=0;a<Section.size();a++)
    {
        if(Section[a]->VirtualAddress>my_export_rva)
        {
            m_OA=OA=Section[a-1]->VirtualAddress-Section[a-1]->PointerToRawData;
            Import_Table_Section_ShiftAddr=my_export_rva-OA;
            break;
        }

    }
    if(Import_Table_Section_ShiftAddr==0xcccccccc)
    {
        MessageBox(L"未初始化",L"错误",MB_OK);
        return;
    }
    //获取输入表信息
    IMAGE_IMPORT_DESCRIPTOR *my_Import_Data=(PIMAGE_IMPORT_DESCRIPTOR)(Import_Table_Section_ShiftAddr+(DWORD)dumpaddr);
  
    PIMAGE_THUNK_DATA32 pInt;
    //判断的条件是因为大多数情况IMAGE_THUNK_DATA 会指向一个IMPORT_BY_NAME 结束的时候会以一个
    //全零的IMAGE_THUNK_DATA结束
    if(pInt=(PIMAGE_THUNK_DATA32)my_Import_Data->OriginalFirstThunk)
    {

        while(my_Import_Data->Name)
        {
            MYIMAGE_IMPORT_DESCRIPTOR my_image_des={0};
            DWORD pszDllName_Addr=my_Import_Data->Name-OA+dumpaddr;
            my_image_des.dllname=pszDllName_Addr;
            my_image_des.my_image_descriptor.FirstThunk=my_Import_Data->FirstThunk;
            my_image_des.my_image_descriptor.OriginalFirstThunk=my_Import_Data->OriginalFirstThunk;
            my_image_des.my_image_descriptor.ForwarderChain=my_Import_Data->ForwarderChain;
            my_image_des.my_image_descriptor.Name=my_Import_Data->Name;
            mymodulename.push_back(my_image_des);
            my_Import_Data++;

        }

        for(int a=0;a<mymodulename.size();a++)
        {
            CString myid;
            myid.Format(L"%d",a);
            char* mychar;
            m_modulelist.InsertItem(LVIF_TEXT | LVIF_STATE,a, myid,(a % 2) == 0 ? LVIS_SELECTED : 0, LVIS_SELECTED,0,0);
            for(int i=1;i<6;i++)
            {
                LPCWCH OutputChar[4]={0};
                CString mymoduleinfo;
                switch (i)
                {
                case 1:
                    MyUtil.ConvertUtf8ToUnicode((char*)mymodulename[a].dllname,*OutputChar);
                    mymoduleinfo.Format(L"%s",*OutputChar);
                    m_modulelist.SetItemText(a,i,mymoduleinfo);
                    break;
                case 2:
mymoduleinfo.Format(L"0x%X",mymodulename[a].my_image_descriptor.OriginalFirstThunk);
                    m_modulelist.SetItemText(a,i,mymoduleinfo);
                    break;
                case 3:
                    mymoduleinfo.Format(L"0x%X",mymodulename[a].my_image_descriptor.ForwarderChain);
                    m_modulelist.SetItemText(a,i,mymoduleinfo);
                    break;
                case 4:
mymoduleinfo.Format(L"0x%X",mymodulename[a].my_image_descriptor.Name);
                    m_modulelist.SetItemText(a,i,mymoduleinfo);
                    break;
                case 5:
mymoduleinfo.Format(L"0x%X",mymodulename[a].my_image_descriptor.FirstThunk);
                    m_modulelist.SetItemText(a,i,mymoduleinfo);
                    break;
                default:
                    break;
                }
            }
        }
    }
}

void CExportDir::GetExportInfo()
{
    LPCWCH outputchar={0};
    LPCWCH outputchar1={0};
    m_exportlistcrl.DeleteAllItems();
    m_vec_myexportinfo.clear();
    PeMisicInfo miscinfo=ReturnMiscInfo();//获取pe基本信息
    PIMAGE_NT_HEADERS32   pNT32    = miscinfo.nt_headeras;
    PIMAGE_DATA_DIRECTORY pDataDir = (PIMAGE_DATA_DIRECTORY)pNT32->OptionalHeader.DataDirectory;
    PIMAGE_DATA_DIRECTORY   pExportDir      = &pDataDir[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if(pExportDir->Size!=0)
    {
    DWORD                   dwExportOfffset = Rva2FileA(pExportDir->VirtualAddress, pNT32);//输出表地文件偏移
    PIMAGE_EXPORT_DIRECTORY pExport         = (PIMAGE_EXPORT_DIRECTORY)((DWORD)miscinfo.Dumpaddr+dwExportOfffset);
    PDWORD pEAT = (PDWORD)((DWORD)miscinfo.Dumpaddr + Rva2FileA(pExport->AddressOfFunctions, pNT32));
    PDWORD pENT = (PDWORD)((DWORD)miscinfo.Dumpaddr + Rva2FileA(pExport->AddressOfNames, pNT32));
    PWORD  pEIT = (PWORD)((DWORD)miscinfo.Dumpaddr  + Rva2FileA(pExport->AddressOfNameOrdinals, pNT32));
    PCHAR exenameaddr=(PCHAR)((DWORD)miscinfo.Dumpaddr + Rva2FileA(pExport->Name, pNT32));  
    mysttring.ConvertUtf8ToUnicode((char*)exenameaddr,outputchar1);
    /////////////////////////////////////////////
    //格式化输出
    m_ExpDirFa.Format(L"0x%X",dwExportOfffset);
    m_funaddr.Format(L"0x%X",pExport->AddressOfFunctions);
    m_funnameaddr.Format(L"0x%X",pExport->AddressOfNames);
    m_funnamenums.Format(L"%d",pExport->NumberOfNames);
    m_char.Format(L"%d",pExport->Characteristics);
    m_exename.Format(L"%s",outputchar1);
    m_funordaddr.Format(L"0x%X",pExport->AddressOfNameOrdinals);
    m_funnums.Format(L"0x%X",pExport->NumberOfFunctions);
    m_baseaddr.Format(L"0x%X",pExport->Base);
    m_namerva.Format(L"0x%X",pExport->Name);
    for ( DWORD dwOrdinal=0; dwOrdinal<pExport->NumberOfFunctions; dwOrdinal++ )
    {
        if ( !pEAT[dwOrdinal] )
            continue;
        for ( DWORD dwIndex=0; dwIndex<pExport->NumberOfFunctions; dwIndex++ )
        {
         EXPORTINFO myexportinfo={0};

            if ( pEIT[dwIndex] == dwOrdinal )
            {
                PCHAR pszFunName = (PCHAR)((DWORD)miscinfo.Dumpaddr+Rva2FileA(pENT[dwIndex], pNT32));
                myexportinfo.Ordinal=pExport->Base+dwOrdinal;
                myexportinfo.FuncRva=pEAT[dwOrdinal];
                mysttring.ConvertUtf8ToUnicode(pszFunName,outputchar);
                myexportinfo.funcname=outputchar;
                m_vec_myexportinfo.push_back(myexportinfo);
                break;
            }
            else if ( dwIndex == pExport->NumberOfFunctions-1 )
            {
                myexportinfo.Ordinal=pExport->Base+dwOrdinal;
                myexportinfo.FuncRva=pEAT[dwOrdinal];
                myexportinfo.funcname=(LPCWCH) L"(Null)" ;
                m_vec_myexportinfo.push_back(myexportinfo);
                break;
            }
          /// free(myexportinfo); 
           
        }

    }
    ///////////////////////////////////./////
    //显示信息
    ////////////////////////////////////////
    UpdateData(FALSE);
    Showinfo();
    }
    else
    {
        MessageBox(L"没有导出表!",L"错误",MB_OK|MB_ICONSTOP);
    }
}

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

上传的附件:
收藏
免费 6
支持
分享
最新回复 (8)
friendanx
雪    币: 7861
活跃值: (2264)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
2
支持楼主来了,不骄不躁,再接再励,勇往直前。
2013-12-2 22:58
0
asdli
雪    币: 81
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
3
支持楼主
2013-12-3 00:16
0
诶一
雪    币: 10
活跃值: (231)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
私信
4
图文的真是够详细的, 支持下lz。
  话说刚一看才发现15pd的学员竟然 一下子都来发MyLoadpe了..
    继续努力
2013-12-3 02:01
0
kanxue
雪    币: 47147
活跃值: (20425)
能力值: (RANK:350 )
在线值:
发帖
回帖
粉丝
私信
5
帖图的方式不对,建议楼主再编辑一下帖子。
参考这帖教学:http://bbs.pediy.com/showpost.php?postid=292659

最后,文章中图片是以这个形式存在
[ ATTACH ] xxxx [ /ATTACH ]
2013-12-3 09:18
0
小调调
雪    币: 3263
活跃值: (3306)
能力值: ( LV4,RANK:40 )
在线值:
发帖
回帖
粉丝
私信
6
代码写的蛮工整的~
2013-12-3 09:28
0
shmac
雪    币: 505
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
7
不错,支持一下 15PB培训的小伙子们加油
2013-12-3 11:33
0
gotmilk
雪    币: 144
活跃值: (46)
能力值: ( LV6,RANK:90 )
在线值:
发帖
回帖
粉丝
私信
8
[QUOTE=kanxue;1244072]帖图的方式不对,建议楼主再编辑一下帖子。
参考这帖教学:http://bbs.pediy.com/showpost.php?postid=292659

最后,文章中图片是以这个形式存在
[ ATTACH ] xxxx [ /ATTACH ][/QUOTE]
谢谢坛主,已修改
2013-12-3 23:15
0
anywhere杨
雪    币: 110
活跃值: (527)
能力值: ( LV4,RANK:40 )
在线值:
发帖
回帖
粉丝
私信
9
放的图片,第一张就看不清楚。我下载下来还是看不清。这是多大的分辩率的?
2013-12-6 10:37
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//