PE文件信息浏览

最新推荐文章于 2022-07-20 11:13:57 发布
最新推荐文章于 2022-07-20 11:13:57 发布
阅读量1.9k 收藏 7
点赞数
分类专栏: C/C++ 文章标签: image descriptor header import file dos
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/agoago_2009/article/details/7171070
版权

首先先看看PE文件大体的样子:


还有几个主要的结构体:

typedef struct _IMAGE_NT_HEADERS {
    DWORD Signature;
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;


typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
    WORD   e_magic;                     // Magic number
    WORD   e_cblp;                      // Bytes on last page of file
    WORD   e_cp;                        // Pages in file
    WORD   e_crlc;                      // Relocations
    WORD   e_cparhdr;                   // Size of header in paragraphs
    WORD   e_minalloc;                  // Minimum extra paragraphs needed
    WORD   e_maxalloc;                  // Maximum extra paragraphs needed
    WORD   e_ss;                        // Initial (relative) SS value
    WORD   e_sp;                        // Initial SP value
    WORD   e_csum;                      // Checksum
    WORD   e_ip;                        // Initial IP value
    WORD   e_cs;                        // Initial (relative) CS value
    WORD   e_lfarlc;                    // File address of relocation table
    WORD   e_ovno;                      // Overlay number
    WORD   e_res[4];                    // Reserved words
    WORD   e_oemid;                     // OEM identifier (for e_oeminfo)
    WORD   e_oeminfo;                   // OEM information; e_oemid specific
    WORD   e_res2[10];                  // Reserved words
    LONG   e_lfanew;                    // File address of new exe header
  } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;


typedef IMAGE_OPTIONAL_HEADER32             IMAGE_OPTIONAL_HEADER;
typedef PIMAGE_OPTIONAL_HEADER32            PIMAGE_OPTIONAL_HEADER;

typedef struct _IMAGE_OPTIONAL_HEADER {
    //
    // Standard fields.
    //

    WORD    Magic;
    BYTE    MajorLinkerVersion;
    BYTE    MinorLinkerVersion;
    DWORD   SizeOfCode;
    DWORD   SizeOfInitializedData;
    DWORD   SizeOfUninitializedData;
    DWORD   AddressOfEntryPoint;
    DWORD   BaseOfCode;
    DWORD   BaseOfData;

    //
    // NT additional fields.
    //

    DWORD   ImageBase;
    DWORD   SectionAlignment;
    DWORD   FileAlignment;
    WORD    MajorOperatingSystemVersion;
    WORD    MinorOperatingSystemVersion;
    WORD    MajorImageVersion;
    WORD    MinorImageVersion;
    WORD    MajorSubsystemVersion;
    WORD    MinorSubsystemVersion;
    DWORD   Win32VersionValue;
    DWORD   SizeOfImage;
    DWORD   SizeOfHeaders;
    DWORD   CheckSum;
    WORD    Subsystem;
    WORD    DllCharacteristics;
    DWORD   SizeOfStackReserve;
    DWORD   SizeOfStackCommit;
    DWORD   SizeOfHeapReserve;
    DWORD   SizeOfHeapCommit;
    DWORD   LoaderFlags;
    DWORD   NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;


typedef struct _IMAGE_IMPORT_DESCRIPTOR {
    union {
        DWORD   Characteristics;            // 0 for terminating null import descriptor
        DWORD   OriginalFirstThunk;         // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
    	};
    DWORD   TimeDateStamp;                  // 0 if not bound,
                                            // -1 if bound, and real date\time stamp
                                            //     in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
                                            // O.W. date/time stamp of DLL bound to (Old BIND)

    DWORD   ForwarderChain;                 // -1 if no forwarders
    DWORD   Name;
    DWORD   FirstThunk;                     // RVA to IAT (if bound this IAT has actual addresses)
} IMAGE_IMPORT_DESCRIPTOR;
typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED *PIMAGE_IMPORT_DESCRIPTOR;

typedef IMAGE_THUNK_DATA32              IMAGE_THUNK_DATA;
typedef struct _IMAGE_THUNK_DATA32 {
    union {
        PBYTE  ForwarderString;
        PDWORD Function;
        DWORD Ordinal;
        PIMAGE_IMPORT_BY_NAME  AddressOfData;
    } u1;
} IMAGE_THUNK_DATA32;
typedef IMAGE_THUNK_DATA32 * PIMAGE_THUNK_DATA32;

它们之间的联系:



信息看到这么多,开始实现:

#include <stdio.h>
#include <windows.h> 

//   define区 
#define   MakePtr(   cast,   ptr,   addValue   )   (cast)(   (DWORD)(ptr)   +   (addValue)   ) 
#define   MAX_NAME_LEN   256 

//   全局变量区 
FILE   *hFile   =   NULL; 
IMAGE_DOS_HEADER   dos_header; 
IMAGE_NT_HEADERS   nt_header; 
IMAGE_SECTION_HEADER   *psection_header; 

IMAGE_IMPORT_DESCRIPTOR   *pimport_descriptor;   //   输入表描述符 
int         numOfImportDescriptor;   //   输入表项数 


bool   openFile(char   *   filename) 
{ 
	hFile   =   fopen(filename,   "rb "); 
	if(!hFile) 
	{ 
		printf( "open   file   error\n "); 
		return   false; 
	} 
	return   true; 
} 

void   closeFile() 
{ 
	fclose(hFile); 
} 

bool   readDosHeader() 
{ 
	size_t   num   =   fread(&dos_header,   sizeof(dos_header),   1,   hFile); 
	if(num!=1) 
	{ 
		printf( "open   dos   header   error\n "); 
		return   false; 
	} 
	else 
		return   true; 
} 

bool   readNtHeader() 
{ 
	int   offset   =   dos_header.e_lfanew; 
	if(fseek(hFile,   offset,   SEEK_SET)!=0) 
		return   false; 
	size_t   num   =   fread(&nt_header,   sizeof(IMAGE_NT_HEADERS),   1,   hFile); 
	if(num   !=   1) 
	{ 
		printf( "read   nt   header   error\n "); 
		return   false; 
	} 
	return   true; 
	
} 

bool   readSectionHeaders() 
{ 
	//   没有重定位,所以必须在readNtHeader()之后调用 
	int   sectionNum   =   nt_header.FileHeader.NumberOfSections; 
	psection_header   =   new   IMAGE_SECTION_HEADER[sectionNum]; 
	size_t   num   =   fread(psection_header,   sizeof(IMAGE_SECTION_HEADER),   sectionNum,   hFile); 
	if(num   !=   sectionNum) 
	{ 
		printf( "read   section   header   error\n "); 
		return   false; 
	} 
	
	return   true; 
} 

bool   readImportDescriptor() 
{ 
	//   读取输入描述符 
	int   offset   =   nt_header.OptionalHeader.DataDirectory[1].VirtualAddress; 
	int   size   =   nt_header.OptionalHeader.DataDirectory[1].Size; 
	pimport_descriptor   =   (IMAGE_IMPORT_DESCRIPTOR   *)new   char[size]; 
	if(fseek(hFile,   offset,   SEEK_SET)!=0) 
		return   false; 
	size_t   num   =   fread(pimport_descriptor,   size,   1,   hFile); 
	if(num   !=   1) 
	{ 
		printf( "read   import   descriptor   header   error\n "); 
		return   false; 
	} 
	numOfImportDescriptor   =   size/sizeof(IMAGE_IMPORT_DESCRIPTOR)-1; 
	
	return   true; 
} 

void   displayImportFunction(IMAGE_IMPORT_DESCRIPTOR   &import_descriptor) 
{ 
	int   offset   =   import_descriptor.OriginalFirstThunk; 
	if(fseek(hFile,   offset,   SEEK_SET)!=0) 
		return; 
	IMAGE_THUNK_DATA   imageThunkData; 
	for(;;) 
	{ 
		size_t   iRead   =   fread(&imageThunkData,   sizeof(IMAGE_THUNK_DATA),   1,   hFile); 
		if(iRead   !=   1) 
		{ 
			printf( "read   thunk   data   error\n "); 
			return; 
		} 
		if(*((DWORD   *)(&imageThunkData))   ==   0) 
			break; 
		
		//   最高位如果为1,表示函数以序号方式输入 
		if(*((DWORD   *)(&imageThunkData))   &   0x80000000) 
		{ 
			DWORD   ordinal   =   *((DWORD   *)(&imageThunkData))   &   0x7fffffff; 
			printf( "                                 Ordinal     %d\n ",ordinal); 
		} 
		else 
		{ 
			//   最高位不为1,表示函数以字符串方式输入 
			long     current   =   ftell(hFile); 
			
			DWORD   offset   =   *((DWORD   *)(&imageThunkData)); 
			WORD     Hint; 
			char     FunctionName[MAX_NAME_LEN]; 
			if(fseek(hFile,   offset,   SEEK_SET)!=0) 
				return; 
			fread(&Hint,   sizeof(WORD),   1,   hFile); 
			int   position=0; 
			for(;;) 
			{ 
				int   ch   =   fgetc(hFile); 
				FunctionName[position++]   =   ch; 
				if(!ch) 
					break; 
			} 
			printf( "                                 %8X     %s\n ",   Hint,   FunctionName); 
			
			fseek(hFile,   current,   SEEK_SET); 
		} 
		
	} 
	
} 

void   displayImportDescriptor() 
{ 
	printf( "   Section   contains   the   following   imports:\n\n "); 
	for(int   num   =   0   ;   num   <   numOfImportDescriptor   ;   num   ++) 
	{ 
		//   首先获取输入表名称 
		char   import_descriptor_name[MAX_NAME_LEN]; 
		int   offset   =   pimport_descriptor[num].Name; 
		if(fseek(hFile,   offset,   SEEK_SET)!=0) 
			return; 
		int   position=0; 
		for(;;) 
		{ 
			int   ch   =   fgetc(hFile); 
			import_descriptor_name[position++]   =   ch; 
			if(!ch) 
				break; 
		} 
		printf( "                 %s\n ",import_descriptor_name); 
		printf( "                                 %X   Import   Address   Table\n ",   pimport_descriptor[num].FirstThunk+nt_header.OptionalHeader.ImageBase); 
		printf( "                                 %X   Import   Name   Table\n ",   pimport_descriptor[num].OriginalFirstThunk+nt_header.OptionalHeader.ImageBase); 
		printf( "                                 %X   time   date   stamp\n ",   pimport_descriptor[num].TimeDateStamp); 
		printf( "                                 %X   Index   of   first   forwarder   reference\n ",   pimport_descriptor[num].ForwarderChain); 
		printf( "\n "); 
		displayImportFunction(pimport_descriptor[num]); 
		printf( "\n "); 
	} 
} 

void   displaySectionTable() 
{ 
	printf( "   Summary:\n\n "); 
	for(int   num   =   0   ;   num   <   nt_header.FileHeader.NumberOfSections   ;   num++) 
	{ 
		printf( "                 %6X     %s\n ",   psection_header[num].SizeOfRawData,   psection_header[num].Name); 
	} 
} 

int   main(int   argc,   char*   argv[]) 
{
	printf("请输入文件路径:\n");
	fflush(stdin);
	char buf[200]={0};
	gets(buf);
	if(!openFile(buf))
		//if(!openFile(argv[1])) 
		return   -1; 
	if(!readDosHeader()) 
		return   -1; 
	if(!readNtHeader()) 
		return   -1; 
	if(!readSectionHeaders()) 
		return   -1; 
	if(!readImportDescriptor()) 
		return   -1; 
	
	displayImportDescriptor(); 
	displaySectionTable(); 
	
	
	closeFile(); 
	return   0; 
}

或者另外一种: 

//++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
//++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#include <stdio.h>
#include <windows.h>
#include <iostream>
#include <string>
using namespace std;

LPVOID LpAddr; 
IMAGE_DOS_HEADER  *m_DosHeader;
IMAGE_NT_HEADERS  *m_NT_Header;
IMAGE_FILE_HEADER *m_Image_File_Head;
IMAGE_OPTIONAL_HEADER32 *m_Image_Optional_Header;
int  GetDosHeader(string scFilePath); //得到了DOSHeader的起始地址 m_DosHeader
void OutputDosHeaderInfo();
void Get_Image_NT_Header_Info();

typedef PVOID
(WINAPI *IMAGERVATOVA)(
					   IN PIMAGE_NT_HEADERS NtHeaders,
					   IN PVOID Base,
					   IN ULONG Rva,
					   IN OUT PIMAGE_SECTION_HEADER *LastRvaSection
					   );
IMAGERVATOVA ImageRvaToVa;


//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
int main(int argc, char *argv[])
{
	HMODULE hMod = LoadLibrary("imagehlp.dll");
	ImageRvaToVa = (IMAGERVATOVA)GetProcAddress(hMod,"ImageRvaToVa");

	char strPath[260]="test.exe";
	gets(strPath);
	GetDosHeader(strPath);
	OutputDosHeaderInfo();
	Get_Image_NT_Header_Info();
	return 1;
}

//++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
int GetDosHeader(string scFilePath)
{
	HANDLE m_Handle = CreateFile(scFilePath.c_str(),GENERIC_READ,0,0,OPEN_EXISTING,0,0);
	if (m_Handle==INVALID_HANDLE_VALUE)
	{
		MessageBox(NULL,"ERROR:","CreateFile Error !",0);
		CloseHandle(m_Handle);
		return 0;
	}
	HANDLE m_hMmap = CreateFileMapping(m_Handle,0,PAGE_READONLY,0,0,NULL);
	if(m_hMmap==NULL)
	{
		string err="CreateFileMapping ERROR!";
		
		MessageBox(NULL,"ERROR:",err.c_str(),0);
		CloseHandle(m_Handle);
		CloseHandle(m_hMmap);
		return 0;
	}
	LpAddr = MapViewOfFile(m_hMmap,FILE_MAP_READ,0,0,0); 
	if (LpAddr==NULL) //映像基址
	{
		MessageBox(NULL,"ERROR:","MapViewOfFile Error !",0);
		CloseHandle(m_Handle);
		CloseHandle(m_hMmap);
		return 0;
	}
	CloseHandle(m_Handle);
	CloseHandle(m_hMmap);
	m_DosHeader = (IMAGE_DOS_HEADER *)LpAddr;
	return 1;
}

//++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
void OutputDosHeaderInfo()
{
	cout<<"==========================================================================\n";
	cout<<"Dos Header:\n\n";
	cout<<"Magic number :"<<(char *)&m_DosHeader->e_magic<<endl;
	cout<<"Magic number :--------------------"<<hex<<m_DosHeader->e_magic<<endl;					// Magic number
    cout<<"Bytes on last page of file:-------"<<hex<<m_DosHeader->e_cblp<<endl;   // Bytes on last page of file
    cout<<"Pages in file: -------------------"<<hex<<m_DosHeader->e_cp<<endl;                       // Pages in file
    cout<<"Relocations: ---------------------"<<hex<<m_DosHeader->e_crlc<<endl;                     // Relocations
    cout<<"Size of header in paragraphs: ----"<<hex<<m_DosHeader->e_cparhdr<<endl;                  // Size of header in paragraphs
    cout<<"Minimum extra paragraphs needed: -"<<hex<<m_DosHeader->e_minalloc<<endl;                 // Minimum extra paragraphs needed
    cout<<" Maximum extra paragraphs needed: "<<hex<<m_DosHeader->e_maxalloc<<endl;                 // Maximum extra paragraphs needed
    cout<<"Initial (relative) SS value: -----"<<hex<<m_DosHeader->e_ss<<endl;                       // Initial (relative) SS value
    cout<<"Initial SP value: ----------------"<<hex<<m_DosHeader->e_sp<<endl;                        // Initial SP value
    cout<<"Checksum: ------------------------"<<hex<<m_DosHeader->e_csum<<endl;                      // Checksum
    cout<<"Initial IP value: ----------------"<<hex<<m_DosHeader->e_ip<<endl;                        // Initial IP value
    cout<<"Initial (relative) CS value: -----"<<hex<<m_DosHeader->e_cs<<endl;                        // Initial (relative) CS value
    cout<<"File address of relocation table: "<<hex<<m_DosHeader->e_lfarlc<<endl;                   // File address of relocation table
    cout<<"Overlay number: ------------------"<<hex<<m_DosHeader->e_ovno<<endl;                      // Overlay number
    cout<<"Reserved words: ------------------"<<hex<<m_DosHeader->e_res[4]<<endl;                   // Reserved words
    cout<<"OEM identifier (for e_oeminfo):---"<<hex<<m_DosHeader->e_oemid<<endl;                     // OEM identifier (for e_oeminfo)
    cout<<"OEM information e_oemid specific: "<<hex<<m_DosHeader->e_oeminfo<<endl;                   // OEM information; e_oemid specific
    cout<<"Reserved words: ------------------"<<hex<<m_DosHeader->e_res2[10]<<endl;                  // Reserved words
    cout<<"File address of new exe header: --"<<hex<<m_DosHeader->e_lfanew<<endl;                    // File address of new exe header
}

//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
void Get_Image_NT_Header_Info()
{
	cout<<"==========================================================================\n";
	cout<<"Image_NT_Header:\n";

	//m_NT_Header = (IMAGE_NT_HEADERS *)(m_DosHeader+m_DosHeader->e_lfanew);
	m_NT_Header = (IMAGE_NT_HEADERS *)((BYTE *)LpAddr+m_DosHeader->e_lfanew);

	printf("Signature: %s\n",(char *)&m_NT_Header->Signature);
	
	//m_Image_File_Head = (IMAGE_FILE_HEADER *)&(m_NT_Header->FileHeader);
	//m_Image_Optional_Header = (IMAGE_OPTIONAL_HEADER32 *)&(m_NT_Header->OptionalHeader);
	m_Image_File_Head = (IMAGE_FILE_HEADER *)((BYTE *)LpAddr+m_DosHeader->e_lfanew + 4);
	m_Image_Optional_Header = (IMAGE_OPTIONAL_HEADER32 *)((BYTE *)LpAddr+m_DosHeader->e_lfanew + 4 + 20);

	cout<<"==========================================================================\n";
	cout<<"IMAGE_FILE_HEADER:\n"<<endl;
	printf("Machine: %X\t",m_Image_File_Head->Machine);	
	if (m_Image_File_Head->Machine == IMAGE_FILE_MACHINE_I386)
	{
		printf("Machine: Intel 386\n");
	}

	cout<<"NumberOfSections: ----- "<<hex<<m_Image_File_Head->NumberOfSections<<endl;
	cout<<"TimeDateStamp: -------- "<<hex<<m_Image_File_Head->TimeDateStamp<<endl;
	cout<<"PointerToSymbolTable:-- "<<hex<<m_Image_File_Head->PointerToSymbolTable<<endl;
	cout<<"NumberOfSymbols: ------ "<<hex<<m_Image_File_Head->NumberOfSymbols<<endl;
	cout<<"SizeOfOptionalHeader:---"<<hex<<m_Image_File_Head->SizeOfOptionalHeader<<endl;
	cout<<"Characteristics: ------ "<<hex<<m_Image_File_Head->Characteristics<<endl;

	cout<<"==========================================================================\n";
	cout<<"IMAGE_OPTIONAL_HEADER :\n"<<endl;
	printf("Magic: %X\n",m_Image_Optional_Header->Magic); // = IMAGE_NT_OPTIONAL_HDR_MAGIC
	printf("ImageBase: %X\n",m_Image_Optional_Header->ImageBase);
	printf("MajorLinkerVersion: %X\n",m_Image_Optional_Header->MajorLinkerVersion);
	printf("MinorLinkerVersion: %X\n",m_Image_Optional_Header->MinorLinkerVersion);
	printf("SizeOfCode: %X\n",m_Image_Optional_Header->SizeOfCode);
	printf("SizeOfInitializedData: %X\n",m_Image_Optional_Header->SizeOfInitializedData);
	printf("SizeOfUninitializedData: %X\n",m_Image_Optional_Header->SizeOfUninitializedData);
	printf("AddressOfEntryPoint: %X\n",m_Image_Optional_Header->AddressOfEntryPoint);
	printf("BaseOfCode: %X\n",m_Image_Optional_Header->BaseOfCode);
	printf("BaseOfData: %X\n",m_Image_Optional_Header->BaseOfData);
	printf("ImageBase: %X\n",m_Image_Optional_Header->ImageBase);
	printf("SectionAlignment: %X\n",m_Image_Optional_Header->SectionAlignment);
	printf("FileAlignment: %X\n",m_Image_Optional_Header->FileAlignment);
	printf("MajorOperatingSystemVersion: %X\n",m_Image_Optional_Header->MajorOperatingSystemVersion);
	printf("MinorImageVersion: %X\n",m_Image_Optional_Header->MinorImageVersion);
	printf("MajorSubsystemVersion: %X\n",m_Image_Optional_Header->MajorSubsystemVersion);
	printf("MinorSubsystemVersion: %X\n",m_Image_Optional_Header->MinorSubsystemVersion);
	printf("Win32VersionValue: %X\n",m_Image_Optional_Header->Win32VersionValue);
	printf("SizeOfImage: %X\n",m_Image_Optional_Header->SizeOfImage);
	printf("SizeOfHeaders: %X\n",m_Image_Optional_Header->SizeOfHeaders);
	printf("CheckSum: %X\n",m_Image_Optional_Header->CheckSum);
	printf("Subsystem: %X-----",m_Image_Optional_Header->Subsystem);
	if (IMAGE_SUBSYSTEM_WINDOWS_GUI ==m_Image_Optional_Header->Subsystem)
	{
		printf("WINDOWS_GUI APP \n");
	}
	if (IMAGE_SUBSYSTEM_WINDOWS_CUI ==m_Image_Optional_Header->Subsystem)
	{
		printf("WINDOWS_CUI APP \n");
	}

	printf("DllCharacteristics: %X\n",m_Image_Optional_Header->DllCharacteristics);
	printf("SizeOfStackReserve: %X\n",m_Image_Optional_Header->SizeOfStackReserve);
	printf("SizeOfStackCommit: %X\n",m_Image_Optional_Header->SizeOfStackCommit);
	printf("SizeOfHeapReserve: %X\n",m_Image_Optional_Header->SizeOfHeapReserve);
	printf("SizeOfHeapCommit: %X\n",m_Image_Optional_Header->SizeOfHeapCommit);
	printf("LoaderFlags: %X\n",m_Image_Optional_Header->LoaderFlags);
	printf("NumberOfRvaAndSizes: %X\n",m_Image_Optional_Header->NumberOfRvaAndSizes);
	cout<<"==========================================================================\n";


	printf("IMPORT: \n");
	IMAGE_IMPORT_DESCRIPTOR *m_PImport = (IMAGE_IMPORT_DESCRIPTOR *)
		 ( (BYTE *)LpAddr + m_Image_Optional_Header->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress );

	while(m_PImport&&m_PImport->FirstThunk&&m_PImport->OriginalFirstThunk) 
	{		
		CHAR *P = (char *)((BYTE*)LpAddr + m_PImport->Name);
		printf("=========================================\nimported DLL's name : %s\n", P);
		
		//IMAGE_THUNK_DATA* pThunk = (IMAGE_THUNK_DATA*)((DWORD)LpAddr + m_PImport->FirstThunk);
		//IMAGE_THUNK_DATA* pThunk = (IMAGE_THUNK_DATA*)((DWORD)LpAddr + m_PImport->FirstThunk);
        IMAGE_THUNK_DATA* pThunk = (IMAGE_THUNK_DATA*)ImageRvaToVa(m_NT_Header,LpAddr,(ULONG)m_PImport->FirstThunk,NULL);
		

		while(pThunk->u1.AddressOfData)   // pThunk->u1.AddressOfData  Function
		{
		 
			//char* name = (char *)((DWORD)LpAddr + pThunk  + 2);
			//char* name = (char *)(*(DWORD*)pThunk + (DWORD)LpAddr + 2);
			//printf("%s\n",name);	
			PVOID pName = ImageRvaToVa(m_NT_Header,LpAddr,(ULONG)pThunk->u1.AddressOfData->Name,NULL);
			printf("%s\n",pName);
			pThunk++;
		}
	
		m_PImport++;
		
	}

	cout<<"==========================================================================\n\n";
	
	printf("EXPORT: \n");
	//IMAGE_EXPORT_DIRECTORY *m_PExport = (IMAGE_EXPORT_DIRECTORY *)
	//	( (BYTE *)LpAddr + m_Image_Optional_Header->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress );
	PIMAGE_EXPORT_DIRECTORY m_PExport = (PIMAGE_EXPORT_DIRECTORY)ImageRvaToVa
		(m_NT_Header,LpAddr,m_NT_Header->OptionalHeader.DataDirectory[0].VirtualAddress,NULL);
	
		CHAR *P = (char *)((BYTE*)LpAddr + m_PExport->Name);
		printf("exported DLL's name : %s\n", P);

		ULONG num=0;
		PULONG pName=NULL;
		PULONG *pAddr=NULL;
		do
		{
			pAddr = (PULONG *)ImageRvaToVa(m_NT_Header,LpAddr,(ULONG)m_PExport->AddressOfFunctions + num*sizeof(num),NULL);
			pName = (PULONG )ImageRvaToVa(m_NT_Header,LpAddr,(ULONG)*pAddr,NULL);
			printf("%s\n",pName);	
			num++;
		}while(pName);

}



Gloveing
关注
  • 0
    点赞
  • 7
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
PE文件浏览器_PE资源浏览
11-07
程序员的好帮手,用于提取和更换EXE和DLL文件中的图标、图形和文字,可以用它来汉化软件。还可以查看PE文件的API函数导入和导出。 本软件发布人主页:http://hi.baidu.com/herbill/ QQ:995600943 欢迎加入我们的QQ群:83827264
PE文件详解
wuwuliuliu0524的博客
12-14 1294
(1)MZ头:长度 40H,即4行乘16位,最前面的5A4D显示是MZ,是EXE标识,最后4个字节000000F0是el_fanew 字段,指向PE文件头地址,即PE文件头指向000000F0处。(2)PE文件头:PE标识往后20字节,PE文件头前2个字节014C是设备型号,之后2个字节0003是是节表数目,表示有3个节表。3、节表:每个节表40字节,节表数目在PE文件头中查看,总共是节表数目×40字节。(2)DOS存根:从MZ头到PE头之间的部分,显示提示字符。(3)PE可选文件头:PE文件头。
PE文件结构详解
神棍之路
07-20 8974
Windows程序的各种界面称为资源,包括加速键(Accelerator)、位图(Bitmap)、光标(Cursor)、对话框(DialogBox)、图标(Icon)、菜单(Menu)、串表(StringTable)、工具栏(Toolbar)和版本信息(VersionInformation)等。执行PE文件前,加载程序在进行重定位的时候,会用PE文件在内存中的实际映像地址减PE文件所要求的映像地址,根据重定位类型的不同将差值添加到相应的地址数据中。...
语义分析代码实现_PE头分析详解和VC++代码实现
weixin_39914825的博客
11-26 166
本文为看雪论坛优秀文章看雪论坛作者ID:菜鸟m号软件安全这课快到期末了,我把之前写的山寨一个PE解析器代码整理复习一下,奈何菜鸟我不太会MFC编程,所以下面的程序主要是在命令行完成。代码最后全部打包压缩上传。PE结构百度图一堆一堆。首先打开文件函数,设置完参数可以让它选择DLL或者EXE文件://取得文件路径部分TCHAR szFilePath[MAX_PATH];OPE...
delphi获取dll的函数列表
youthon
06-15 481
找了几个,终于找到一个好用的 function GetDLLFileExports( szFileName: PChar; mStrings: TStrings ): Boolean; var hFile: THANDLE; hFileMapping: THANDLE; lpFileBase: Pointer; pImg_DOS_Header: PImageDosHe...
Windows PE文件详解
06-04
Windows PE文件结构格式,意义,详细描述PE文件
TIB打开浏览工具
01-07
因为平时只是用下PE版的trueimage备份或恢复,不想在Windows下安装此软件,因为软件太大了,但有时需要从备份中提取部分文件,觉得重新进入PE又有些麻烦,所以特需要一个TIB文件浏览软件,装在windows下,方便随时...
PE Explorer 1.99 R5
08-02
另外,还具备有 W32DASM 软件的反编译能力和PEditor 软件的 PE 文件头编辑功能,可以更容易的分析源代码,修复损坏了的资源,可以处理 PE 格式的文件如:EXE、DLL、DRV、BPL、DPL、SYS、CPL、OCX、SCR 等 32 位可...
Pepper:基于libpePE(x86)和PE +(x64)文件查看器
04-02
PE +数据结构,标头和布局MSDOS标头«丰富»标题NT /文件/可选标题数据目录栏目出口表导入表资源表例外表安全表搬迁表调试表TLS表加载配置目录绑定导入表延迟导入表COM表资源查看器多个二进制文件可以同时浏览通过...
exe文件检查工具(ExEinfo PE)0.0.3.2 中文绿色完美版
08-04
 2、将需要查壳的exe或是dll文件拖到软件里面,当然也可以使用浏览的形式,不过里好像有点小bug,一开始好慢,好像点用了什么资源。  3、有一个选项,可以让你选择快速扫描,或是其它方式,一般我们无需去设置,...
修改文件版本信息PE文件版本信息、资源Version)
tiewen的专栏
04-14 1万+
修改PE文件版本信息(简单演示)
pe文件解析:读取pe信息获取文件资源
热门推荐
天道酬勤
03-01 1万+
查看过关于pe文件分析的文章: (1)http://www.vckbase.com/document/viewdoc/?id=1334 (2)http://www.vckbase.com/document/viewdoc/?id=1335 (3)http://www.cppblog.com/aurain/archive/2009/06/29/88771.html (4)http
Android如何分析native代码,Android 分析Native库的加载过程及x86系统运行arm库的原理...
weixin_28707739的博客
05-26 379
本文主要讲述Android 加载动态链接库的过程,为了分析工作中遇到的一个问题 x86的系统是如何运行arm的动态链接库的。参考博客:https://pqpo.me/2017/05/31/system-loadlibrary/ 深入理解 System.loadLibraryhttps://www.jianshu.com/p/bf8b4a90f825 Android Native库的加载及动态链接h...
获取PE文件信息的封装
Welcome Friends~
11-06 1923
  工作之余,闲来无事,研究了一下PE文件的格式;虽然PE这方面的工具多如牛毛,用起来也非常直观,但是为了自己加深巩固理解,倒不如自己写一个小东东来一探PE究竟。代码如下【具体操纵可以参考注释】:  首先是PEFile.h//--------------------------------------------------------------------// Name:
PE文件解析-资源中的版本信息结构
zhyulo的博客
02-23 2354
一、概述     想要获取一个可执行文件(PE文件)里包含的资源文件,首先要解析可执行文件,得到资源存储的地址及大小,可参考 https://blog.csdn.net/zhyulo/article/details/85717711 。然后,根据资源存储方式,得到各资源的数据内容及其大小,可参考 https://blog.csdn.net/zhyulo/article/details/85930...
PE文件和COFF文件格式分析——节信息
方亮的专栏
09-06 3002
        在《PE文件和COFF文件格式分析——签名、COFF文件头和可选文件头3》中,我们看到一些区块的信息都有偏移指向。而我们本文讨论的节信息是没有任何偏移指向的,所以它是紧跟在可选文件头后面的。(转载请注明来源于breaksoftware的csdn博客)于是该节的起始位置要如此计算 size_t unDwordSize = sizeof(DWORD); // PE\0\0 size...
Android SO库文件头分析
云守护的专栏
07-03 9143
转自:https://blog.micblo.com/2018/02/10/Android-SO%E5%BA%93%E6%96%87%E4%BB%B6%E5%A4%B4%E5%88%86%E6%9E%90/因为项目的需要,我对Android系统加载.so文件有一些些研究,把最近看过的一些大牛的分析和现状结合一下,写篇东西做一下笔记。.so 文件是什么.so 文件是 Shared Object 文件...
PE文件详解------PE文件结构剖析
bobopeng
11-19 4612
一.PE文件结构纵览 PE文件的结构如上图所示,由低地址到高地址分别为:Dos头,PE头,块表,块,调试信息。其中真正的PE文件头是位于Dos头的后面的部分。 上图为利用PE工具打开的一个可执行文件在磁盘中的映射,这就是PE文件的内部信息。 可以看到这个文件的钱两个字节为”4D 5A”,表示的就是Dos头的第一个字段的额信息,标示Dos的头部。在Dos头结构的最后
逆向工程——查看PE文件
sinat_42424364的博客
09-19 4605
dumpbin和objdump工具的使用 1.打开vs2010-&amp;amp;amp;gt;tools-&amp;amp;amp;gt;visual studio prompt vs2017 在帮助文档下使用dumpbin工具查看PE文件的头部信息、节、节表信息 2.在linux系统中装objdump工具并使用(ubuntu系统可以使用apt-get进行安装) 3.使用二进制编辑器winhex,查看实验所用到的二进制程序(exe)...
u盘启动pe还原tib映像文件
最新发布
07-27
10.在Acronis True Image界面中,选择“还原”功能,并浏览到U盘的根目录找到需要还原的TIB映像文件。 11.选择恢复选项,如目标磁盘、目标分区等。 12.点击“开始”按钮开始还原操作。请谨慎选择还原目标,以免...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值