
[原创]IDEntity 1.2 source

2006-6-4 10:08

一个模仿 PEiD 的小工具，打算有时间全部重写，所以先把代码发上来给大家参考，代码很简单！

unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, WinSkinData, ExtCtrls, StdCtrls, Menus, ComCtrls;

type
  // Main form of IDEntity. The component fields are IDE-managed (see the .dfm);
  // the event handlers are implemented in the implementation section below.
  TForm1 = class(TForm)
    SkinData1: TSkinData; // skin engine; fed from DllSkin.dll in FormCreate
    Label1: TLabel;
    Button1: TButton; // file picker: runs IsPeFile -> RawScan -> PeScan
    Edit1: TEdit; // path of the selected file; also handed to plugins
    GroupBox1: TGroupBox;
    Panel1: TPanel; // AddressOfEntryPoint (RVA), set by RawScan
    Panel2: TPanel; // entry point as a file offset, set by RawScan
    Panel3: TPanel; // ImageBase
    Panel4: TPanel; // SizeOfImage
    Panel5: TPanel; // SectionAlignment
    Panel6: TPanel; // FileAlignment
    Panel7: TPanel; // SizeOfHeaders
    Panel8: TPanel; // CheckSum
    Label2: TLabel;
    Label3: TLabel;
    Label4: TLabel;
    Label5: TLabel;
    Label6: TLabel;
    Label7: TLabel;
    Label8: TLabel;
    Label9: TLabel;
    MainMenu1: TMainMenu;
    File1: TMenuItem;
    Exit1: TMenuItem;
    ool1: TMenuItem;
    EPSigns1: TMenuItem; // opens EPSigns.txt in Notepad
    mmPlugins: TMenuItem; // sub-items are created at run time by LoadPlugins
    Help1: TMenuItem;
    About1: TMenuItem;
    GroupBox2: TGroupBox;
    OpenDialog1: TOpenDialog;
    Button2: TButton;
    Edit2: TEdit; // detection result returned by PeScan
    Label10: TLabel;
    Panel9: TPanel; // number of signatures loaded by ReadSings
    Label11: TLabel;
    mmiSkin: TMenuItem;
    N1Skin1: TMenuItem;
    N2skin1: TMenuItem;
    N3Skin1: TMenuItem;
    N4Skin1: TMenuItem;
    Panel10: TPanel; // "About" panel, shown by About1Click, hidden by Button3Click
    Button3: TButton;
    Label12: TLabel;
    Label13: TLabel;
    Label14: TLabel;
    Label15: TLabel;
    Image1: TImage;
    Label16: TLabel;
    Label17: TLabel;
    Label18: TLabel;
    Label19: TLabel;
    CheckBox1: TCheckBox; // toggles HWND_TOPMOST for the form
    procedure FormCreate(Sender: TObject);
    procedure Button1Click(Sender: TObject);
    procedure Exit1Click(Sender: TObject);
    procedure EPSigns1Click(Sender: TObject);
    procedure Button3Click(Sender: TObject);
    procedure About1Click(Sender: TObject);
    procedure Button2Click(Sender: TObject);
    procedure CheckBox1Click(Sender: TObject);
    procedure mmPluginsClick(Sender: TObject);
  private
    // Scans Plugins\*.dll and adds one menu item per plugin under mmPlugins.
    procedure LoadPlugins;
    // Shared OnClick for the items created by LoadPlugins.
    procedure pluginsMenuItemClick(Sender: TObject);
    { Private declarations }
  public
    { Public declarations }
  end;

type
  // One parsed line of EPSigns.txt: a label and the hex signature it is
  // matched with (filled by ReadSings, consumed by PeScan).
  Entity = record
    name: string; // label reported to the user when the signature matches
    id: string; // upper-case hex string; ':' marks a wildcard position in PeScan
  end;

type
  // Result block exchanged with plugin DLLs (see DoMyJob in pluginsMenuItemClick).
  // The original author's note describes it as "probably the information the
  // DLL returns". If that is right the plugin needs a pointer to it, whereas
  // DoMyJob is currently declared to take it by value — TODO confirm against
  // the plugin ABI.
  DLL_RET_MSG = record
    szMsgText: PChar;
    szMsgHead: PChar;
    dRetVal: DWORD;
    dRetExVal: DWORD;
    dFlags: DWORD;
  end;

const
  ScanByteNum = 800; // number of bytes read at the entry point and matched against signatures

var
  Form1: TForm1;
  Sing: array of Entity; // signature table, filled by ReadSings
  Count: integer; // number of entries in Sing (one per line of the signature file)

implementation

{$R *.dfm}

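// Loads the external signature database into the global Sing array and sets
// Count to the number of lines read; Panel9 shows that count.
//
// Line format, as parsed here: one leading marker character, the name, '=',
// the hex signature, and one trailing marker character (three non-payload
// characters per line). A line without '=' yields an empty entry, which
// PeScan never matches.
//
// Returns True when at least one entry has a non-empty name, False when the
// file is missing or cannot be opened (previously an EInOutError escaped
// from FormCreate) or no line parsed to a name. The file handle is closed
// even if a read fails.
//
// NOTE(review): the database is loaded from the program directory and
// trusted as-is; whoever can write there controls what this tool reports.
function ReadSings(FileName: string): Boolean; // read the external signature file
var
  F: TextFile;
  AllLine: array of string;
  tmp: string;
  i, len, p: integer;
begin
  Result := False;
  Count := 0;
  SetLength(Sing, 0);

  if not FileExists(FileName) then begin
    Form1.Panel9.Caption := IntToStr(Count);
    Exit;
  end;

  AssignFile(F, FileName);
  {$I-}
  Reset(F);
  {$I+}
  if IOResult <> 0 then begin
    Form1.Panel9.Caption := IntToStr(Count);
    Exit;
  end;

  try
    // First pass: count the lines so the arrays are sized once.
    i := 0;
    while not Eof(F) do begin
      ReadLn(F, tmp);
      Inc(i);
    end;
    Count := i;
    SetLength(AllLine, Count);

    // Second pass: keep every line verbatim.
    Reset(F);
    i := 0;
    while (not Eof(F)) and (i < Count) do begin
      ReadLn(F, AllLine[i]);
      Inc(i);
    end;
  finally
    CloseFile(F);
  end;
  Form1.Panel9.Caption := IntToStr(Count);

  SetLength(Sing, Count);
  for i := 0 to Count - 1 do begin
    p := Pos('=', AllLine[i]);
    len := Length(AllLine[i]);
    if p = 0 then begin
      // No separator: leave the entry empty instead of storing part of the
      // raw line as a signature.
      Sing[i].name := '';
      Sing[i].id := '';
      Continue;
    end;
    // Name: everything between the first character and the '='.
    Sing[i].name := Copy(AllLine[i], 2, p - 2);
    // Signature: what follows the '=', minus the single trailing character.
    Sing[i].id := Copy(AllLine[i], p + 1, len - Length(Sing[i].name) - 3);
    if Sing[i].name <> '' then
      Result := True;
  end;
end;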

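// Returns True when FileName starts with an 'MZ' DOS header whose e_lfanew
// points at a fully readable NT header carrying the 'PE\0\0' signature.
//
// Every value taken from the file is untrusted: an unopenable file, a short
// read or a negative e_lfanew yields False. Previously the read results were
// ignored, so the signature test could run on an uninitialized header.
// Overlapping headers (small e_lfanew) are accepted, as in the original.
function IsPeFile(FileName: string): Boolean;
var // PE file detection
  PEDosHead: TImageDosHeader;
  PENTHead: TImageNtHeaders;
  PeFile: integer;
begin
  Result := False;
  PeFile := FileOpen(FileName, fmOpenRead or fmShareDenyNone);
  if PeFile < 0 then
    Exit; // FileOpen signals failure with a negative handle
  try
    if FileRead(PeFile, PEDosHead, SizeOf(PEDosHead)) <> SizeOf(PEDosHead) then
      Exit;
    if PEDosHead.e_magic <> IMAGE_DOS_SIGNATURE then
      Exit;
    // e_lfanew is a signed 32-bit value read from the file.
    if PEDosHead._lfanew < 0 then
      Exit;
    if FileSeek(PeFile, PEDosHead._lfanew, soFromBeginning) <> PEDosHead._lfanew then
      Exit;
    if FileRead(PeFile, PENTHead, SizeOf(PENTHead)) <> SizeOf(PENTHead) then
      Exit;
    Result := PENTHead.Signature = IMAGE_NT_SIGNATURE;
  finally
    FileClose(PeFile);
  end;
end;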

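// Reads the PE headers of FileName, finds the section that contains the
// entry point and converts AddressOfEntryPoint (an RVA) to a file offset:
//   RAW = EP - Section.VirtualAddress + Section.PointerToRawData
// The header fields are also displayed in Panel1..Panel8.
//
// Returns the entry point's file offset, or -1 when the file cannot be opened,
// the headers or section table are truncated, or no section contains the
// entry point. Previously the section index stayed uninitialized whenever the
// entry point was in the last section (or below the first one) and was then
// used to index PESectionHead.
//
// The section table is located with FileHeader.SizeOfOptionalHeader rather
// than assuming SizeOf(TImageOptionalHeader). The optional-header fields are
// still read through the PE32 layout of TImageNtHeaders; on a PE32+ image the
// ImageBase shown would be wrong — TODO confirm whether PE32+ input matters.
function RawScan(FileName: string): integer;
var // compute the entry point's raw file offset
  PEDosHead: TImageDosHeader;
  PENTHead: TImageNtHeaders;
  PESectionHead: array of TImageSectionHeader;
  m_file, i, EpofSection, SectionTableOfs, RAW: integer;
  EP, SecVA: DWORD;
begin
  Result := -1;
  EpofSection := -1;
  RAW := -1;

  m_file := FileOpen(FileName, fmOpenRead or fmShareDenyNone); // read-only, any sharing
  if m_file < 0 then
    Exit;
  try
    if FileRead(m_file, PEDosHead, SizeOf(PEDosHead)) <> SizeOf(PEDosHead) then
      Exit;
    if PEDosHead._lfanew < 0 then
      Exit;
    if FileSeek(m_file, PEDosHead._lfanew, soFromBeginning) <> PEDosHead._lfanew then
      Exit;
    if FileRead(m_file, PENTHead, SizeOf(PENTHead)) <> SizeOf(PENTHead) then
      Exit;
    if PENTHead.Signature <> IMAGE_NT_SIGNATURE then
      Exit;

    // Section headers follow Signature + FileHeader + the optional header,
    // whose real length is SizeOfOptionalHeader.
    SectionTableOfs := PEDosHead._lfanew + SizeOf(DWORD) + SizeOf(TImageFileHeader)
      + PENTHead.FileHeader.SizeOfOptionalHeader;
    if FileSeek(m_file, SectionTableOfs, soFromBeginning) <> SectionTableOfs then
      Exit;
    SetLength(PESectionHead, PENTHead.FileHeader.NumberOfSections);
    for i := 0 to High(PESectionHead) do
      if FileRead(m_file, PESectionHead[i], SizeOf(PESectionHead[i])) <> SizeOf(PESectionHead[i]) then
        Exit; // truncated section table
  finally
    FileClose(m_file);
  end;

  // The entry point's section is the one with the largest VirtualAddress not
  // above EP. This does not depend on the sections being sorted and works
  // when EP lies in the last section.
  EP := PENTHead.OptionalHeader.AddressOfEntryPoint;
  for i := 0 to High(PESectionHead) do begin
    SecVA := PESectionHead[i].VirtualAddress;
    if (SecVA <= EP) and
       ((EpofSection < 0) or (SecVA > PESectionHead[EpofSection].VirtualAddress)) then
      EpofSection := i;
  end;

  if EpofSection >= 0 then
    // VirtualAddress: section RVA; PointerToRawData: section file offset.
    RAW := Integer(EP - PESectionHead[EpofSection].VirtualAddress
      + PESectionHead[EpofSection].PointerToRawData)
  else if EP < PENTHead.OptionalHeader.SizeOfHeaders then
    RAW := Integer(EP); // entry point inside the headers: RVA equals file offset

  Form1.Panel1.Caption := IntToHex(PENTHead.OptionalHeader.AddressOfEntryPoint, 8);
  if RAW >= 0 then
    Form1.Panel2.Caption := IntToHex(RAW, 8)
  else
    Form1.Panel2.Caption := 'N/A';
  Form1.Panel3.Caption := IntToHex(PENTHead.OptionalHeader.ImageBase, 8);
  Form1.Panel4.Caption := IntToHex(PENTHead.OptionalHeader.SizeOfImage, 8);
  Form1.Panel5.Caption := IntToHex(PENTHead.OptionalHeader.SectionAlignment, 8);
  Form1.Panel6.Caption := IntToHex(PENTHead.OptionalHeader.FileAlignment, 8);
  Form1.Panel7.Caption := IntToHex(PENTHead.OptionalHeader.SizeOfHeaders, 8);
  Form1.Panel8.Caption := IntToHex(PENTHead.OptionalHeader.CheckSum, 8);

  Result := RAW; // file offset of the entry point, or -1
end;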

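// Matches the bytes at file offset RAW (the entry point, see RawScan) against
// the loaded signatures and returns the first matching name, otherwise
// 'Nothing detected ...'.
//
// Matching: the bytes read are rendered as one upper-case hex string. For
// each signature, a copy of that string gets ':' written at every position
// where the signature holds ':', then Pos() searches for the signature. The
// mask is applied at absolute positions, so wildcards only line up when the
// signature matches at the entry point itself.
//
// Fixes: only the bytes actually read are rendered (the original rendered all
// ScanByteNum bytes, including uninitialized stack after a short read); mask
// indices are bounded by the string length (a signature longer than the hex
// string used to write past the end of the copy); an unopenable file, a
// failed seek or a negative RAW returns the default instead of scanning from
// offset 0; Application.ProcessMessages was removed from the inner loop,
// which allowed the UI to re-enter a scan in progress.
//
// NOTE(review): the signature loop starts at index 1, skipping Sing[0]; kept
// as-is in case the first line of EPSigns.txt is a header — TODO confirm.
function PeScan(FileName: string; RAW: integer): string;
var // packer/compiler detection
  Buffer: array[1..ScanByteNum] of byte;
  PeFile, iBytesRead, i, j: integer;
  HexAll, Masked: string;
begin
  Result := 'Nothing detected ...';
  if RAW < 0 then
    Exit;

  iBytesRead := 0;
  PeFile := FileOpen(FileName, fmOpenRead or fmShareDenyNone);
  if PeFile < 0 then
    Exit;
  try
    if FileSeek(PeFile, RAW, soFromBeginning) <> RAW then
      Exit;
    iBytesRead := FileRead(PeFile, Buffer, ScanByteNum);
  finally
    FileClose(PeFile);
  end;
  if iBytesRead <= 0 then
    Exit;

  // Render only the bytes that were read, two hex digits each.
  HexAll := '';
  for i := 1 to iBytesRead do
    HexAll := HexAll + IntToHex(Buffer[i], 2);

  for i := 1 to Count - 1 do begin
    if Sing[i].id = '' then
      Continue; // Pos('') never matches; skip the copy
    Masked := HexAll;
    // Apply the wildcard mask without writing beyond the rendered string.
    for j := 1 to Length(Sing[i].id) do begin
      if j > Length(Masked) then
        Break;
      if Sing[i].id[j] = ':' then
        Masked[j] := ':';
    end;
    if Pos(Sing[i].id, Masked) > 0 then begin
      Result := Sing[i].name;
      Break;
    end;
  end;
end;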

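// Form start-up: apply the optional skin from DllSkin.dll, load the signature
// database and populate the Plugins menu.
//
// Fix: a missing DllSkin.dll used to Exit before ReadSings and LoadPlugins
// ran, leaving the tool with no signatures and no plugins. Skinning is now
// best-effort. Stream is freed only when GetSkin succeeded; the original freed
// it uninitialized on failure.
//
// DllSkin.dll is loaded by absolute path next to the executable, so the DLL
// search order does not apply to it. The module handle is not freed, as in
// the original. NOTE(review): GetSkin is declared without a calling
// convention (Delphi default); if the DLL exports it as stdcall the prototype
// is wrong — TODO confirm.
procedure TForm1.FormCreate(Sender: TObject);
var
  dllHandle: THandle;
  Stream: TResourceStream;
  GetSkin: function(const ASkinName: PChar; var Stream: TResourceStream): Boolean;
begin
  Count := 0;
  SetLength(Sing, 0);

  Stream := nil;
  dllHandle := LoadLibrary(PChar(ExtractFilePath(ParamStr(0)) + 'DllSkin.dll'));
  if dllHandle <> 0 then begin
    @GetSkin := GetProcAddress(dllHandle, 'GetSkin');
    if @GetSkin <> nil then begin
      try
        if GetSkin(PChar('skin1'), Stream) and (Stream <> nil) then begin
          SkinData1.LoadFromStream(Stream);
          SkinData1.Active := True;
        end;
      finally
        Stream.Free; // no-op when GetSkin left it nil
      end;
    end;
  end;

  ReadSings(ExtractFilePath(Application.ExeName) + 'EPSigns.txt');
  LoadPlugins;
end;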

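// Enumerates Plugins\*.dll next to the executable, loads each DLL and adds a
// menu item under mmPlugins captioned with the string its LoadDll() export
// returns. DLLs without that export, or that fail to load, are skipped.
//
// Fixes: one unloadable DLL no longer aborts the whole enumeration (and no
// longer leaks the search handle); FindClose is guaranteed by try/finally;
// directories matching *.dll are skipped; the empty try/finally is gone.
//
// Security: every DLL in that directory runs inside this process (DllMain and
// LoadDll), so the directory must be as trusted as the executable itself.
// The process working directory is switched to the Plugins directory as the
// original did; plugins presumably rely on it — TODO confirm before removing.
// Module handles are not freed: pluginsMenuItemClick loads them again later.
procedure TForm1.LoadPlugins;
var
  searchResult: TSearchRec;
  dllHandle: THandle;
  Item: TMenuItem;
  pluginsname, PluginDir: string;
  LoadDll: function(): PChar; stdcall;
begin
  PluginDir := ExtractFilePath(ParamStr(0)) + 'Plugins\';
  SetCurrentDir(PluginDir);
  if FindFirst(PluginDir + '*.dll', faAnyFile, searchResult) <> 0 then
    Exit;
  try
    repeat
      if (searchResult.Attr and faDirectory) <> 0 then
        Continue; // faAnyFile also yields directories
      dllHandle := LoadLibrary(PChar(PluginDir + searchResult.Name));
      if dllHandle = 0 then
        Continue; // skip this DLL, keep enumerating
      @LoadDll := GetProcAddress(dllHandle, 'LoadDll');
      if @LoadDll = nil then
        Continue; // not a plugin with the expected export
      pluginsname := LoadDll;
      Item := TMenuItem.Create(mmPlugins);
      Item.OnClick := pluginsMenuItemClick;
      Item.Caption := pluginsname;
      mmPlugins.Add(Item);
    until FindNext(searchResult) <> 0;
  finally
    FindClose(searchResult); // release the search handle on every path
  end;
end;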

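// OnClick for the items created by LoadPlugins. Re-enumerates Plugins\*.dll,
// finds the DLL whose LoadDll() name equals the clicked item's caption and
// calls its DoMyJob export with the currently selected file (Edit1.Text).
//
// Fixes: when no file is selected the handler returns before loading any DLL
// (the original exited from inside the loop, skipping FindClose); a zero
// LoadLibrary handle is skipped instead of being passed to GetProcAddress;
// FindClose is guaranteed; dllmsg is zeroed before the call; the unused
// locals are gone; enumeration stops once the matching plugin has run.
//
// NOTE(review): DoMyJob is declared to take DRM by value, while DLL_RET_MSG
// is described at its declaration as information the DLL returns, which
// would need `var DRM: DLL_RET_MSG`. The $459734 passed as lpReserved is
// unexplained. Both are left unchanged pending a check against the plugin
// ABI — a mismatch here corrupts the caller's stack under stdcall.
procedure TForm1.pluginsMenuItemClick(Sender: TObject);
var
  searchResult: TSearchRec;
  dllHandle: THandle;
  pluginsname, FileName, PluginDir: string;
  dllmsg: DLL_RET_MSG;
  LoadDll: function(): PChar; stdcall;
  DoMyJob: function(hMainDlg: HWND; szFname: PChar; lpReserved: DWORD; DRM: DLL_RET_MSG): DWORD; stdcall;
begin
  FileName := Edit1.Text;
  if FileName = '' then
    Exit; // nothing to hand to the plugin
  if not (Sender is TMenuItem) then
    Exit;
  FillChar(dllmsg, SizeOf(dllmsg), 0);

  PluginDir := ExtractFilePath(ParamStr(0)) + 'Plugins\';
  SetCurrentDir(PluginDir);
  if FindFirst(PluginDir + '*.dll', faAnyFile, searchResult) <> 0 then
    Exit;
  try
    repeat
      dllHandle := LoadLibrary(PChar(PluginDir + searchResult.Name));
      if dllHandle = 0 then
        Continue;
      @LoadDll := GetProcAddress(dllHandle, 'LoadDll');
      if @LoadDll = nil then
        Continue;
      pluginsname := LoadDll;
      if TMenuItem(Sender).Caption <> pluginsname then
        Continue; // not the plugin that was clicked
      @DoMyJob := GetProcAddress(dllHandle, 'DoMyJob');
      if @DoMyJob <> nil then
        DoMyJob(Application.Handle, PChar(FileName), $459734, dllmsg);
      Break;
    until FindNext(searchResult) <> 0;
  finally
    FindClose(searchResult);
  end;
end;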

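// File picker: shows the chosen path in Edit1 and, for a PE file, fills the
// header panels (RawScan) and the detection result (PeScan) into Edit2.
//
// Fixes: unused locals removed; a non-PE selection, or a file whose entry
// point cannot be mapped to a file offset, is now reported in Edit2 instead
// of leaving the previous file's result on screen.
procedure TForm1.Button1Click(Sender: TObject);
var
  EpOffset: integer;
begin
  if not OpenDialog1.Execute then
    Exit;
  Edit1.Text := OpenDialog1.FileName;
  if not IsPeFile(OpenDialog1.FileName) then begin
    Edit2.Text := 'Not a PE file';
    Exit;
  end;
  EpOffset := RawScan(OpenDialog1.FileName);
  if EpOffset < 0 then begin
    Edit2.Text := 'Entry point not in any section';
    Exit;
  end;
  Edit2.Text := PeScan(OpenDialog1.FileName, EpOffset);
end;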

// File > Exit: closes the form.
procedure TForm1.Exit1Click(Sender: TObject);
begin
  Self.Close;
end;

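// Opens EPSigns.txt (next to the executable) in Notepad for editing. Edits
// take effect on the next start, since ReadSings runs only from FormCreate.
//
// Fix: the file is passed by its full, quoted path, so the handler no longer
// changes the process working directory as a side effect.
procedure TForm1.EPSigns1Click(Sender: TObject);
var
  SigFile: string;
begin
  SigFile := ExtractFilePath(ParamStr(0)) + 'EPSigns.txt';
  WinExec(PChar('NOTEPAD.EXE "' + SigFile + '"'), SW_SHOWDEFAULT);
end;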

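// Hides the About panel (Panel10) and restores the header caption on
// GroupBox1; the inverse of About1Click.
//
// Fix: corrected the misspelt caption ("infomation").
procedure TForm1.Button3Click(Sender: TObject);
begin
  Panel10.Left := 272;
  Panel10.Visible := False;
  GroupBox1.Caption := ' HEADER information:';
end;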

// Help > About: moves Panel10 into view and retitles GroupBox1; Button3Click
// reverses this.
procedure TForm1.About1Click(Sender: TObject);
begin
  with Panel10 do begin
    Left := 8;
    Visible := True;
  end;
  GroupBox1.Caption := ' About IDEntity 1.2:';
end;

// Exit button: closes the form (same effect as Exit1Click).
procedure TForm1.Button2Click(Sender: TObject);
begin
  Self.Close;
end;

// "Always on top" toggle: places the form in the topmost band when checked,
// back among normal windows when unchecked, without moving, resizing or
// activating it.
procedure TForm1.CheckBox1Click(Sender: TObject);
const
  Flags = SWP_NOACTIVATE or SWP_SHOWWINDOW or SWP_NOMOVE or SWP_NOSIZE;
var
  InsertAfter: HWND;
begin
  if CheckBox1.Checked then
    InsertAfter := HWND_TOPMOST
  else
    InsertAfter := HWND_NOTOPMOST;
  SetWindowPos(Handle, InsertAfter, 0, 0, 0, 0, Flags);
end;

// Intentionally empty: the Plugins menu itself does nothing on click; its
// sub-items are created by LoadPlugins and handled by pluginsMenuItemClick.
procedure TForm1.mmPluginsClick(Sender: TObject);
begin

end;

end.


最新回复 (6)
谢谢源码共享
这个版块很冷清,终于有些新东西了。;)
2006-6-4 10:11
多谢楼主提供源码学习。
2006-6-7 20:11
改成VC的就好了
2006-6-9 13:09
楼主辛苦了
2006-6-13 23:59
不错!!!!
2006-6-15 08:32
早就想了解下关于PeiD的查壳的原理、代码,今天终于看到了,不错,还是Delphi,还基本上看得懂,谢了。
2006-6-18 03:11