[原创]IDEntity 1.2 source-编程技术-看雪-安全社区|安全招聘|kanxue.com

[原创]IDEntity 1.2 source

2006-6-4 10:08 7178

[原创]IDEntity 1.2 source

moodsky

2006-6-4 10:08

7178

一个模仿PEID的东西，打算有时间全部重新写，所以把代码发上来给大家，代码很简单！

unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, WinSkinData, ExtCtrls, StdCtrls, Menus, ComCtrls;

type
  TForm1 = class(TForm)
SkinData1: TSkinData;
Label1: TLabel;
Button1: TButton;
Edit1: TEdit;
GroupBox1: TGroupBox;
Panel1: TPanel;
Panel2: TPanel;
Panel3: TPanel;
Panel4: TPanel;
Panel5: TPanel;
Panel6: TPanel;
Panel7: TPanel;
Panel8: TPanel;
Label2: TLabel;
Label3: TLabel;
Label4: TLabel;
Label5: TLabel;
Label6: TLabel;
Label7: TLabel;
Label8: TLabel;
Label9: TLabel;
MainMenu1: TMainMenu;
File1: TMenuItem;
Exit1: TMenuItem;
ool1: TMenuItem;
EPSigns1: TMenuItem;
mmPlugins: TMenuItem;
Help1: TMenuItem;
About1: TMenuItem;
GroupBox2: TGroupBox;
OpenDialog1: TOpenDialog;
Button2: TButton;
Edit2: TEdit;
Label10: TLabel;
Panel9: TPanel;
Label11: TLabel;
mmiSkin: TMenuItem;
N1Skin1: TMenuItem;
N2skin1: TMenuItem;
N3Skin1: TMenuItem;
N4Skin1: TMenuItem;
Panel10: TPanel;
Button3: TButton;
Label12: TLabel;
Label13: TLabel;
Label14: TLabel;
Label15: TLabel;
Image1: TImage;
Label16: TLabel;
Label17: TLabel;
Label18: TLabel;
Label19: TLabel;
CheckBox1: TCheckBox;
procedure FormCreate(Sender: TObject);
procedure Button1Click(Sender: TObject);
procedure Exit1Click(Sender: TObject);
procedure EPSigns1Click(Sender: TObject);
procedure Button3Click(Sender: TObject);
procedure About1Click(Sender: TObject);
procedure Button2Click(Sender: TObject);
procedure CheckBox1Click(Sender: TObject);
procedure mmPluginsClick(Sender: TObject);
  private
procedure LoadPlugins;
procedure pluginsMenuItemClick(Sender: TObject);
{ Private declarations }
  public
{ Public declarations }
  end;

type
  Entity = record //定义结构
name: string; //标识
id: string; //特征码
  end;

type
  DLL_RET_MSG = record //Plugins中的结构，应该是DLL返回的信息
szMsgText: PChar;
szMsgHead: PChar;
dRetVal: DWORD;
dRetExVal: DWORD;
dFlags: DWORD;
  end;

const
  ScanByteNum = 800; //检测OEP长度

var
  Form1: TForm1;
  Sing: array of Entity; //Entity载体
  Count: integer; //记载Sing总数

implementation

{$R *.dfm}

function ReadSings(FileName: string): Boolean; //读取外部Sings文件
var
  F: TextFile;
  AllLine: array of string;
  tmp: string;
  i, len, p: integer;
begin
  //showmessage(application.ExeName);
  i := 0; //初值
  tmp := '';
  ReadSings := False;
  AssignFile(F, FileName);
  Reset(F); //至文件头
  while not eof(F) do begin
readln(F, tmp);
inc(i);
  end;
  Count := i; //记总Sing数
  Form1.Panel9.Caption := inttostr(Count);
  Reset(F); //至文件头
  SetLength(AllLine, Count); //分配空间
  i := 0;
  while not eof(F) do begin
readln(F, AllLine[i]);
inc(i);
  end;
  CloseFile(F); //结束后关闭文件

  SetLength(Sing, Count);
  for i := 0 to Count - 1 do begin
p := pos('=', AllLine[i]);
len := length(AllLine[i]);
Sing[i].name := copy(AllLine[i], 2, p - 2);
Sing[i].id := copy(AllLine[i], p + 1, len - length(Sing[i].name) - 3);
if Sing[i].name <> '' then
   ReadSings := true;
  end;
  //showmessage(sing[count-1].name) ;
  //showmessage(sing[count-1].id) ;
end;

function IsPeFile(FileName: string): Boolean;
var //检测PE文件
  PEDosHead: TImageDosHeader;
  PENTHead: TImageNtHeaders;
  PeFile: integer;
begin
  IsPeFile := False;
  PeFile := FileOpen(FileName, fmOpenRead or fmShareDenyNone);
  try
FileSeek(PeFile, 0, soFromBeginning);
FileRead(PeFile, PEDosHead, SizeOf(PEDosHead));
FileSeek(PeFile, PEDosHead._lfanew, soFromBeginning);
FileRead(PeFile, PENTHead, SizeOf(PENTHead));

  finally
FileClose(PeFile);
  end;
  if (PENTHead.Signature = IMAGE_NT_SIGNATURE) then begin
IsPeFile := true;
  end;
end;

function RawScan(FileName: string): integer;
var //计算raw
  PEDosHead: TImageDosHeader;
  PENTHead: TImageNtHeaders;
  PESectionHead: array of TImageSectionHeader;

  m_file, i, EpofSection, PVA, RVA, RAW: integer;
begin
  m_file := FileOpen(FileName, fmOpenRead or fmShareDenyNone); //只读和其它任意

  try
FileSeek(m_file, 0, soFromBeginning); //将指针挪至文件头
FileRead(m_file, PEDosHead, SizeOf(PEDosHead)); //读PEDosHead结构
FileSeek(m_file, PEDosHead._lfanew, soFromBeginning); //将指针挪至_lfanew = $003c
FileRead(m_file, PENTHead, SizeOf(PENTHead)); //读PENTHead结构
SetLength(PESectionHead, PENTHead.FileHeader.NumberOfSections); //NumberOfSections区段数

for i := 0 to PENTHead.FileHeader.NumberOfSections - 1 do
   FileRead(m_file, PESectionHead[i], SizeOf(PESectionHead[i])); //读PESectionHead结构

  finally
FileClose(m_file);
  end;

  for i := 0 to PENTHead.FileHeader.NumberOfSections - 1 do begin //检测EP所在段
PVA := PESectionHead[i].VirtualAddress; //段的偏移地址
//showmessage(inttohex(pva,8));
RVA := PENTHead.OptionalHeader.AddressOfEntryPoint; //程序入口Rva
//showmessage(inttohex(PESectionHead[i].PointerToRawData,8));
if (PVA - RVA) > 0 then begin
   EpofSection := i - 1;
   break;
end;
  end;
  //?tmpExeOffSet:=FPEDosHead._lfanew+SizeOf(TImageNTHeaders)-SizeOf(TImageOptionalHeader);
  //?showmessage(inttostr(PEDosHead._lfanew + sizeof(PENTHead) - sizeof(PESectionHead)));
  RAW := PENTHead.OptionalHeader.AddressOfEntryPoint - PESectionHead[EpofSection].VirtualAddress + PESectionHead[EpofSection].PointerToRawData;
  //PESectionHead[EpofSection].VirtualAddress:块rva
  //PESectionHead[EpofSection].PointerToRawData:块基于文件的偏移量
  Form1.Panel1.Caption := inttohex(PENTHead.OptionalHeader.AddressOfEntryPoint, 8);
  Form1.Panel2.Caption := inttohex(RAW, 8);
  Form1.Panel3.Caption := inttohex(PENTHead.OptionalHeader.ImageBase, 8); ;
  Form1.Panel4.Caption := inttohex(PENTHead.OptionalHeader.SizeOfImage, 8); ;
  Form1.Panel5.Caption := inttohex(PENTHead.OptionalHeader.SectionAlignment, 8); ;
  Form1.Panel6.Caption := inttohex(PENTHead.OptionalHeader.FileAlignment, 8); ;
  Form1.Panel7.Caption := inttohex(PENTHead.OptionalHeader.SizeOfHeaders, 8); ;
  Form1.Panel8.Caption := inttohex(PENTHead.OptionalHeader.CheckSum, 8); ;
  RawScan := RAW; //返回文件入口偏移

end;

function PeScan(FileName: string; RAW: integer): string;
var //查壳
  Buffer: array[1..ScanByteNum] of byte;
  PeFile, iBytesRead, i, j: integer;
  TempId: array[1..2] of string;
begin
  iBytesRead := 0;
  PeFile := FileOpen(FileName, fmOpenRead or fmShareDenyNone);
  FileSeek(PeFile, RAW, soFromBeginning);
  iBytesRead := FileRead(PeFile, Buffer, ScanByteNum);

  for i := 1 to ScanByteNum do {//连接16进制字串}  begin
TempId[1] := TempId[1] + inttohex(integer(Buffer[i]), 2);
Application.ProcessMessages;

  end;

  for i := 1 to Count - 1 do begin
TempId[2] := TempId[1];
for j := 1 to length(Sing[i].id) do begin
   if Sing[i].id[j] = ':' then
      TempId[2][j] := ':';
end;

if pos(Sing[i].id, TempId[2]) > 0 then begin
   PeScan := Sing[i].name;
   break;
end
else
   PeScan := 'Nothing detected ...';

  end;
  FileClose(PeFile);
end;

procedure TForm1.FormCreate(Sender: TObject);
var
  dllHandle: Thandle;
  Stream: TResourceStream;
  GetSkin: function(const ASkinName: PChar; var Stream: TResourceStream): Boolean;
begin
  Count := 0;
  SetLength(Sing, 0);
  dllHandle := loadlibrary(PChar(ExtractFilePath(ParamStr(0)) + 'DllSkin.dll'));
  if dllHandle = 0 then
exit;
  @GetSkin := GetprocAddress(dllHandle, 'GetSkin');
  if not (@GetSkin = nil) then begin
try
   GetSkin(PChar('skin1'), Stream);
   SkinData1.LoadFromStream(Stream);
   SkinData1.Active := true;
finally
   Stream.Free;
end;
  end;
  //else
//raiselastwin32error;
  ReadSings(ExtractFilePath(Application.ExeName) + 'EPSigns.txt');
  LoadPlugins;
end;

procedure TForm1.LoadPlugins;
var
  searchResult: TSearchRec;
  dllHandle: Thandle;
  Item: TMenuItem;
  pluginsname: string;
  LoadDll: function(): PChar; stdcall;
  //label fileerr;
begin
  SetCurrentDir(ExtractFilePath(ParamStr(0)) + 'Plugins\');
  if FindFirst('*.dll', faAnyFile, searchResult) = 0 then begin
repeat
   //if searchResult.Name ='ImpREC.dll' then
      //goto fileerr;
   dllHandle := loadlibrary(PChar(ExtractFilePath(ParamStr(0)) + '\Plugins\' + searchResult.name));
   //showmessage(searchResult.name);
   if dllHandle = 0 then
      exit;
   @LoadDll := GetprocAddress(dllHandle, 'LoadDll');
   if not (@LoadDll = nil) then begin
      try
      pluginsname := LoadDll;
      //showmessage(pluginsname);
      Item := TMenuItem.Create(mmPlugins);
      Item.OnClick := pluginsMenuItemClick;
      Item.Caption := pluginsname;
      mmPlugins.Add(Item);
      finally
      end;
   end;
   //else
   //raiselastwin32error;
   //ShowMessage(PChar(ExtractFilePath(ParamStr(0))+ 'Plugins\' + searchResult.Name));
   //ShowMessage('File name = '+searchResult.Name);
   //ShowMessage('File size = '+IntToStr(searchResult.Size));
until FindNext(searchResult) <> 0;

// Must free up resources used by these successful finds
FindClose(searchResult);
  end;
end;

procedure TForm1.pluginsMenuItemClick(Sender: TObject);
var
  searchResult: TSearchRec;
  dllHandle: Thandle;
  pluginsname, FileName: string;
  Item: TMenuItem;
  dllmsg: DLL_RET_MSG;
  Reserved: DWORD;
  LoadDll: function(): PChar; stdcall;
  DoMyJob: function(hMainDlg: HWND; szFname: PChar; lpReserved: DWORD; DRM: DLL_RET_MSG): DWORD; stdcall;
  //DoMyJob: function(DRM: DLL_RET_MSG; lpReserved: DWORD; szFname: Pchar; hMainDlg: HWND): DWORD;stdcall;
begin
  SetCurrentDir(ExtractFilePath(ParamStr(0)) + 'Plugins\');
  if FindFirst('*.dll', faAnyFile, searchResult) = 0 then begin
repeat
   dllHandle := loadlibrary(PChar(ExtractFilePath(ParamStr(0)) + 'Plugins\' + searchResult.name));
   //showmessage(PChar(ExtractFilePath(ParamStr(0)) + 'Plugins\' + searchResult.name));
   @LoadDll := GetprocAddress(dllHandle, 'LoadDll');
   if not (@LoadDll = nil) then begin
      try
      pluginsname := LoadDll;
      //showmessage(pluginsname);
      if (Sender as TMenuItem).Caption = pluginsname then begin
         @DoMyJob := GetprocAddress(dllHandle, PChar('DoMyJob'));
         if not (@DoMyJob = nil) then begin
            FileName := Edit1.Text;
            if FileName = '' then
            exit;
            DoMyJob(Application.Handle, PChar(FileName), $459734, dllmsg);
            //DoMyJob(dllmsg, Reserved, Pchar(filename), application.Handle);
         end;
      end;
      finally
      end;
   end;
until FindNext(searchResult) <> 0;
FindClose(searchResult);
  end;
end;

procedure TForm1.Button1Click(Sender: TObject);
var
  PEDosHead: TImageDosHeader;
  PENTHead: TImageNtHeaders;
  PeFile, i, EpofSection, RAW: integer;
begin
  if OpenDialog1.Execute then begin
Edit1.Text := OpenDialog1.FileName;
if IsPeFile(OpenDialog1.FileName) then begin
   i := RawScan(OpenDialog1.FileName);
   Edit2.Text := PeScan(OpenDialog1.FileName, i);
end;
  end;

end;

procedure TForm1.Exit1Click(Sender: TObject);
begin
  close;
end;

procedure TForm1.EPSigns1Click(Sender: TObject);
begin
  SetCurrentDir(ExtractFilePath(ParamStr(0)));
  winexec('NOTEPAD.EXE EPSigns.txt', 10);
end;

procedure TForm1.Button3Click(Sender: TObject);
begin
  Panel10.Left := 272;
  Panel10.Visible := False;
  GroupBox1.Caption := ' HEADER infomation:';
end;

procedure TForm1.About1Click(Sender: TObject);
begin
  Panel10.Left := 8;
  Panel10.Visible := true;
  GroupBox1.Caption := ' About IDEntity 1.2:';

end;

procedure TForm1.Button2Click(Sender: TObject);
begin
  close;

end;

procedure TForm1.CheckBox1Click(Sender: TObject);
begin
  if CheckBox1.Checked = True then begin
SetWindowPos(Handle, HWND_TOPMOST, 0, 0, 0, 0, SWP_NOACTIVATE or SWP_SHOWWINDOW or SWP_NOMOVE or SWP_NOSIZE);
  end
  else
SetWindowPos(Handle, HWND_NOTOPMOST, 0, 0, 0, 0, SWP_NOACTIVATE or SWP_SHOWWINDOW or SWP_NOMOVE or SWP_NOSIZE);

end;

procedure TForm1.mmPluginsClick(Sender: TObject);
begin

end;

end.

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

上传的附件：

identity 1.2 source.rar （480.11kb，175次下载）

收藏・0

点赞・7

打赏

最新回复 (6)
kanxue 雪币： 29414 活跃值： (18695) 能力值： (RANK：350 ) 在线值：发帖 1827 回帖 15214 粉丝 487 关注私信	kanxue 8 2006-6-4 10:11 2 楼 0 谢谢源码共享这个版块很冷清，终于有些新东西了。;)
cd37ycs 雪币： 110 活跃值： (1225) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 409 粉丝 0 关注私信	cd37ycs 2006-6-7 20:11 3 楼 0 多谢楼主提供源码学习。
fengercn 雪币： 214 活跃值： (70) 能力值： ( LV3，RANK：20 ) 在线值：发帖 20 回帖 241 粉丝 0 关注私信	fengercn 2006-6-9 13:09 4 楼 0 改成VC的就好了
damen 雪币： 227 活跃值： (164) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 59 粉丝 1 关注私信	damen 2006-6-13 23:59 5 楼 0 楼主辛苦了
恨哥哥雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 20 粉丝 0 关注私信	恨哥哥 2006-6-15 08:32 6 楼 0 不错！！！！
mfkfpb 雪币： 1041 活跃值： (19) 能力值： ( LV3，RANK：20 ) 在线值：发帖 1 回帖 65 粉丝 0 关注私信	mfkfpb 2006-6-18 03:11 7 楼 0 早就想了解下关于PeiD的查壳的原理、代码，今天终于看到了，不错，还是Delphi，还基本上看得懂，谢了。
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复

moodsky

发帖

238

回帖

330

RANK

关注

私信

他的文章

[求助]谁有做过HTC G3获取ROOT权限的经验？

[分享]Visual Basic Application 6.4

[分享]delphi2007 update3 lite

[转帖]在VB下使用的汇编类

[求助]子程序中ReadProcessMemory返回值问题

关于我们

联系我们

企业服务

看雪公众号

最新回复 (6)
kanxue 雪币： 29414 活跃值： (18695) 能力值： (RANK：350 ) 在线值：发帖 1827 回帖 15214 粉丝 487 关注私信	kanxue 8 2006-6-4 10:11 2 楼 0 谢谢源码共享这个版块很冷清，终于有些新东西了。;)
cd37ycs 雪币： 110 活跃值： (1225) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 409 粉丝 0 关注私信	cd37ycs 2006-6-7 20:11 3 楼 0 多谢楼主提供源码学习。
fengercn 雪币： 214 活跃值： (70) 能力值： ( LV3，RANK：20 ) 在线值：发帖 20 回帖 241 粉丝 0 关注私信	fengercn 2006-6-9 13:09 4 楼 0 改成VC的就好了
damen 雪币： 227 活跃值： (164) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 59 粉丝 1 关注私信	damen 2006-6-13 23:59 5 楼 0 楼主辛苦了
恨哥哥雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 20 粉丝 0 关注私信	恨哥哥 2006-6-15 08:32 6 楼 0 不错！！！！
mfkfpb 雪币： 1041 活跃值： (19) 能力值： ( LV3，RANK：20 ) 在线值：发帖 1 回帖 65 粉丝 0 关注私信	mfkfpb 2006-6-18 03:11 7 楼 0 早就想了解下关于PeiD的查壳的原理、代码，今天终于看到了，不错，还是Delphi，还基本上看得懂，谢了。
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复