关闭

仿照windows的loader实现的pe-loader

标签: windowsimageheaderdescriptornullimport
3383人阅读 评论(0) 收藏 举报
分类:

   本人接触pe文件格式不久,参考网上的一些资料写了一个pe loader,主要是通过把需要加载的文件的所所有section加载到相应的RVA上,然后进行重定位处理、导入表和导出表处理、资源段处理。由于本loader.exe会被加载到0x0f400000处,因此可以把0x400000给被加载的文件预留了,这样可以避免重定位所带来的性能损耗。导入表的处理主要是通过调用GetProcAddress获取导入表中函数的地址。导出表一般仅在dll中使用,而此主要是用于load exe文件,所以不用做任何处理。资源段处理资料不多,我这里好像有些问题,加载console程序可以正常执行,但是当加载一部分gui程序则不能成功,而令一些gui程序则会成功。望高手能指教一二。
    下面是源代码部分:

view plaincopy to clipboardprint?
/* 
 *LocalFile是对读文件操作的一个简单封装 
 */ 
//LocalFile.h  
#pragma once  
 
class CLocalFile  
{  
public:  
    CLocalFile(const char * name);  
    ~CLocalFile(void);  
 
    int Read(size_t offset, size_t size, void *ppBuf);  
 
    size_t GetSize() const { return m_size;}  
 
private:  
    HANDLE           m_fd;  
    size_t          m_size;  
};  
 
//LocalFile.cpp  
#include "LocalFile.h"  
 
CLocalFile::CLocalFile(const char * name)  
{  
    assert(NULL != name);  
    assert(0 != name[0]);  
 
    m_fd = CreateFileA(name, GENERIC_READ,  
                        FILE_SHARE_READ, NULL,  
                        OPEN_EXISTING,  
                        FILE_ATTRIBUTE_NORMAL, NULL);  
    if (INVALID_HANDLE_VALUE == m_fd) {  
        printf("Open file %s failed, error: %d!/n",name, GetLastError());  
        return ;  
    }  
 
    m_size = GetFileSize(m_fd, NULL);  
    return;  
}  
 
CLocalFile::~CLocalFile(void)  
{  
    if (NULL != m_fd) {  
        CloseHandle(m_fd);  
    }  
}  
 
int CLocalFile::Read(size_t offset,  
                     size_t size,  
                     void * pBuf)  
{  
    DWORD ret;  
    ULONG rdsize;  
 
    ret = SetFilePointer(m_fd, offset, NULL, FILE_BEGIN);  
    if (INVALID_SET_FILE_POINTER == ret) {  
        ret = GetLastError();  
        printf("Seek file failed, error: %d!/n", ret);  
        return ret;  
    }  
 
    if (!ReadFile(m_fd, pBuf, size, &rdsize, NULL)) {  
        ret = GetLastError();  
        printf("Read file failed, error: %d/n", ret);  
        return ret;  
    }  
 
    return 0;  
}  
 
//loader.cpp  
 
#include "LocalFile.h"  
 
/*把该loader.exe的加载地址设置为0x0f400000,从而可以把0x00400000地址 
 *预留给将要被加载的程序,从而可以避免因地址重定位而带来的性能损耗。 
 */ 
#pragma comment(linker, "/BASE:0x0f400000")  
 
inline int CDECL DebugPrint(const char *fmt,...)  
{  
    int nLength = 0;  
#if defined(_DEBUG)  
    va_list ap;  
    va_start(ap, fmt);  
    nLength = vprintf(fmt, ap);  
    va_end(ap);  
#endif  
    return nLength;  
}  
 
void DumpPeInfo(PeInfo *pInfo)  
{  
    DebugPrint("------------headers info------------/n" /  
               "imageBase:        0x%x. /n" /  
               "entryPoint:       0x%x. /n" /  
               "sections:         0x%x. /n" /  
               "imageSize:        0x%x. /n" /  
               "exportRva:        0x%x. /n" /  
               "exportSize:       0x%x. /n" /  
               "importRva:        0x%x. /n" /  
               "importSize:       0x%x. /n" /  
               "resourceRva:      0x%x. /n" /  
               "resourceSize:     0x%x. /n" /  
               "relocRva:         0x%x. /n" /  
               "relocSize:        0x%x. /n" /  
               "debugRva:         0x%x. /n" /  
               "debugSize:        0x%x. /n" /  
               "offsetSections:   0x%x. /n" /  
               "fileType:         %s. /n",  
                pInfo->imageBase,  
                pInfo->entryPoint,  
                pInfo->sections,  
                pInfo->imageSize,  
                pInfo->exRva,  
                pInfo->exSize,  
                pInfo->imRva,  
                pInfo->imSize,  
                pInfo->resRva,  
                pInfo->resSize,  
                pInfo->relocRva,  
                pInfo->relocSize,  
                pInfo->dbgRva,  
                pInfo->dbgSize,  
                pInfo->offsetSection,  
                pInfo->fileType == 0 ? "exe":"dll");  
}  
 
BOOL IsPEFile(CLocalFile& lf)  
{  
    IMAGE_DOS_HEADER dh;  
    IMAGE_NT_HEADERS nh;  
 
    lf.Read(0, sizeof(IMAGE_DOS_HEADER), &dh);  
    if (IMAGE_DOS_SIGNATURE != dh.e_magic) {  
        return FALSE;  
    }  
 
    lf.Read(dh.e_lfanew, sizeof(IMAGE_NT_HEADERS), &nh);  
    if (IMAGE_NT_SIGNATURE != nh.Signature) {  
        return FALSE;  
    }  
 
    return TRUE;  
}  
 
BOOL ParseNTHeader(CLocalFile &lf, PeInfo &pe)  
{  
    IMAGE_DOS_HEADER dh;  
    IMAGE_NT_HEADERS nh;  
    PIMAGE_FILE_HEADER pfh;  
    PIMAGE_OPTIONAL_HEADER32 poh;  
 
    lf.Read(0, sizeof(IMAGE_DOS_HEADER), &dh);  
    pe.offsetSection = dh.e_lfanew + sizeof(IMAGE_NT_HEADERS);  
    lf.Read(dh.e_lfanew, sizeof(IMAGE_NT_HEADERS), &nh);  
 
    pfh = &nh.FileHeader;  
    poh = &nh.OptionalHeader;  
 
    assert(IMAGE_FILE_MACHINE_I386 == pfh->Machine);  
    assert(pfh->SizeOfOptionalHeader == sizeof(IMAGE_OPTIONAL_HEADER32));  
 
    pe.sections = pfh->NumberOfSections;  
    pe.imageBase = poh->ImageBase;  
    pe.entryPoint = poh->AddressOfEntryPoint;  
    pe.imageSize = poh->SizeOfImage;  
 
    pe.exRva = poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;  
    pe.exSize = poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;  
    pe.imRva = poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;  
    pe.imSize = poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size;  
    pe.resRva = poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress;  
    pe.resSize = poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size;  
    pe.relocRva = poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress;  
    pe.relocSize = poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;  
    pe.dbgRva = poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].VirtualAddress;  
    pe.dbgSize = poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].Size;  
 
    pe.fileType = pfh->Characteristics == IMAGE_FILE_DLL ? IMAGE_FILE_DLL : 0;  
 
    DumpPeInfo(&pe);  
 
    return TRUE;  
}  
 
BOOL LoadSections(CLocalFile &lf, PeInfo &pe, MODULEINFO &mi)  
{  
    PIMAGE_SECTION_HEADER psh, ptmp;  
    DWORD protect = 0, oldProtect = 0;  
    char name[9] = "/0";  
 
    psh = (PIMAGE_SECTION_HEADER)_alloca(pe.sections * sizeof(IMAGE_SECTION_HEADER));  
    if (NULL == psh) {  
        printf("Memory not enough!/n");  
        return FALSE;  
    }  
    lf.Read(pe.offsetSection, pe.sections * sizeof(IMAGE_SECTION_HEADER), psh);  
    ptmp = psh;  
 
    DebugPrint("/n/n------------sections info------------/n" /  
               "name/tVA/tSOD/tPTR/tPTR/tPTL/tNOR/tNOL/tCrt/n");  
 
    /* 循环从被加载的文件中读取各个section内容,并存放在该section所指定的 
     * VirtualAddress地址空间中。 
     */ 
    for (int i = 0; i < pe.sections; ++i, ptmp++) {  
        memcpy(name, ptmp->Name, 8);  
 
        if (NULL != ptmp->PointerToRawData && 0 != ptmp->SizeOfRawData) {  
            lf.Read(ptmp->PointerToRawData,  
                        ptmp->SizeOfRawData,  
                        (void *)((DWORD)mi.lpBaseOfDll + ptmp->VirtualAddress));  
        }  
 
 
        /* 此处代码主要功能是根据各个区段的Characteristics值, 
         * 来设置其所在内存的页属性,但因在RelocPeModule机制重定位时还需要对相关内存 
         * 进行写入,因此此处的代码应该在RelocPeModule函数调用之后才能执行。 
         */ 
#if 0   
        if (ptmp->Characteristics & IMAGE_SCN_MEM_READ) {  
            protect = PAGE_READONLY;  
        }  
        if (ptmp->Characteristics & IMAGE_SCN_MEM_WRITE) {  
            protect = PAGE_READWRITE;  
        }  
        if (ptmp->Characteristics & IMAGE_SCN_MEM_EXECUTE) {  
            if (protect & PAGE_READONLY) {  
                protect = PAGE_EXECUTE_READ;  
            }  
            else if (protect & PAGE_READWRITE) {  
                protect = PAGE_EXECUTE_READWRITE;  
            }  
            else {  
                protect = PAGE_EXECUTE;  
            }  
        }  
 
        if (!VirtualProtect((LPVOID)(ptmp->VirtualAddress + (DWORD)mi.lpBaseOfDll),  
                            ptmp->SizeOfRawData, protect, &oldProtect)) {  
            printf("Set memory protection failed, error: %d/n", GetLastError());  
            return FALSE;  
        }  
#endif  
        DebugPrint("%-8s" /  
                   "0x%x/t" /  
                   "0x%x/t" /  
                   "0x%x/t" /  
                   "0x%x/t" /  
                   "0x%x/t" /  
                   "0x%x/t" /  
                   "0x%x/t" /  
                   "0x%x/n",  
                   name,  
                   ptmp->VirtualAddress,  
                   ptmp->SizeOfRawData,  
                   ptmp->PointerToRawData,  
                   ptmp->PointerToRelocations,  
                   ptmp->PointerToLinenumbers,  
                   ptmp->NumberOfRelocations,  
                   ptmp->NumberOfLinenumbers,  
                   ptmp->Characteristics);  
    }  
 
    return TRUE;  
}  
 
BOOL FixupResource(PIMAGE_RESOURCE_DIRECTORY pRes, DWORD imagebase, int offsetRlc)  
{  
    PIMAGE_RESOURCE_DIRECTORY_ENTRY pEntry;  
    DWORD nEntries;  
 
    nEntries = pRes->NumberOfIdEntries + pRes->NumberOfNamedEntries;  
 
    pEntry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((DWORD)pRes + sizeof(IMAGE_RESOURCE_DIRECTORY));  
 
    for (DWORD i = 0; i < nEntries; ++i, ++pEntry) {  
 
        if (IMAGE_RESOURCE_DATA_IS_DIRECTORY & pEntry->OffsetToData) {  
            PIMAGE_RESOURCE_DIRECTORY pRes2;  
            PIMAGE_RESOURCE_DIRECTORY_ENTRY pEntry2;  
            DWORD nEntries2;  
 
            pRes2 = (PIMAGE_RESOURCE_DIRECTORY)((DWORD)pRes  
                        + (~IMAGE_RESOURCE_DATA_IS_DIRECTORY & pEntry->OffsetToData));  
            nEntries2 = pRes2->NumberOfIdEntries + pRes2->NumberOfNamedEntries;  
            pEntry2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((DWORD)pRes2 + sizeof(IMAGE_RESOURCE_DIRECTORY));  
              
            for (DWORD j = 0; j < nEntries2; ++j, ++pEntry2) {  
                if (IMAGE_RESOURCE_NAME_IS_STRING & pEntry2->Name) {  
                    PIMAGE_RESOURCE_DIR_STRING_U pDirStr;  
                    pDirStr = (PIMAGE_RESOURCE_DIR_STRING_U)((DWORD)pRes  
                                + (~IMAGE_RESOURCE_NAME_IS_STRING & pEntry2->Name));  
                }  
                if (IMAGE_RESOURCE_DATA_IS_DIRECTORY & pEntry2->OffsetToData) {  
                    PIMAGE_RESOURCE_DIRECTORY pRes3;  
                    PIMAGE_RESOURCE_DIRECTORY_ENTRY pEntry3;  
                    DWORD nEntries3;  
 
                    pRes3 = (PIMAGE_RESOURCE_DIRECTORY)((DWORD)pRes  
                                + (~IMAGE_RESOURCE_DATA_IS_DIRECTORY & pEntry2->OffsetToData));  
                    nEntries3 = pRes3->NumberOfIdEntries + pRes3->NumberOfNamedEntries;  
                    pEntry3 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((DWORD)pRes3 + sizeof(IMAGE_RESOURCE_DIRECTORY));  
 
                    for (DWORD k = 0; k < nEntries3; ++k) {  
                        PIMAGE_RESOURCE_DATA_ENTRY pData;  
 
                        assert(~IMAGE_RESOURCE_DATA_IS_DIRECTORY & pEntry3->OffsetToData);  
 
                        pData = (PIMAGE_RESOURCE_DATA_ENTRY)((DWORD)pRes + pEntry3->OffsetToData);  
                        pData->OffsetToData += (DWORD)imagebase;  
                    }  
                }  
            }  
 
        }  
    }  
 
    return TRUE;  
}  
 
BOOL RelocPeModule(PIMAGE_BASE_RELOCATION pBlc, DWORD imagebase, int offsetRlc)  
{  
    DWORD vaddr, count, offset, type;  
    WORD *items = NULL;  
 
    while (NULL != pBlc->VirtualAddress) {  
        vaddr = imagebase + pBlc->VirtualAddress;  
 
        count = (pBlc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) >> 1;  
        items = (WORD *)((char *)pBlc + sizeof(IMAGE_BASE_RELOCATION));  
 
        for (DWORD i = 0; i < count; ++i) {  
            offset = items[i] & 0x0fff;  
            type = items[i] >> 12;  
 
            if (type == 3) {  
                *(DWORD *)(vaddr + offset) += offsetRlc;  
            }  
        }  
        pBlc = (PIMAGE_BASE_RELOCATION)(items + count);  
    }  
 
    return TRUE;  
}  
 
BOOL FixupExport(PIMAGE_EXPORT_DIRECTORY pExp, DWORD imagebase)  
{  
    return TRUE;  
}  
 
BOOL FixupImport(PIMAGE_IMPORT_DESCRIPTOR pImp, DWORD imagebase)  
{  
    PIMAGE_THUNK_DATA pOrgThunk, pFirstThunk;  
    PIMAGE_IMPORT_BY_NAME pImportName;  
 
    DebugPrint("/n/n------------import table info------------/n");  
 
    while (NULL != pImp->OriginalFirstThunk) {  
        pImp->Name += imagebase;  
 
        DebugPrint("DLL: %s/n", pImp->Name);  
 
        FARPROC fpFun;  
        HINSTANCE hInstance = LoadLibraryA((LPCSTR)pImp->Name);  
        if (NULL == hInstance) {  
            printf("Load library %s failed, error: %d/n", pImp->Name, GetLastError());  
            return FALSE;  
        }  
 
        pOrgThunk = (PIMAGE_THUNK_DATA)(imagebase + pImp->OriginalFirstThunk);  
        pFirstThunk = (PIMAGE_THUNK_DATA)(imagebase + pImp->FirstThunk);  
 
        while (NULL != *(DWORD *)pOrgThunk) {  
            if (pOrgThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG32) {  
                fpFun = GetProcAddress(hInstance, (LPCSTR)(pOrgThunk->u1.Ordinal & 0x0000ffff));  
 
                //DebugPrint("/t0x%x/n", pOrgThunk->u1.Ordinal);  
            }  
            else {  
                pImportName = (PIMAGE_IMPORT_BY_NAME)(imagebase + pOrgThunk->u1.AddressOfData);  
                fpFun = GetProcAddress(hInstance, (LPCSTR)pImportName->Name);  
 
                //DebugPrint("/t%s/n", pImportName->Name);  
            }  
 
            //DebugPrint("/t/t0x%x/n", fpFun);  
 
            pFirstThunk->u1.Ordinal = (LONG)fpFun;  
              
            ++pFirstThunk;  
            ++pOrgThunk;  
        }  
        FreeLibrary(hInstance);  
 
        ++pImp;  
    }  
 
    return TRUE;  
}  
 
int LoadPeModule(const char * name, int argc, _TCHAR* argv[])  
{  
    CLocalFile lf(name);  
    LPVOID addr;  
    PeInfo pe;  
    MODULEINFO mi;  
 
    /* 验证是否为合法的pe文件 */ 
    assert(IsPEFile(lf));  
 
    /* 处理nt header,获取pe文件的相关信息 */ 
    ParseNTHeader(lf, pe);  
 
    /*为image按照imageBase优先原则分配空间地址。 
     *如该空间地址已被reserved或commit,则重新分配一个可用的空间地址, 
     *但此种情况下需要做基址重定位处理。*/ 
    addr = VirtualAlloc((LPVOID)(pe.imageBase),  
                                pe.imageSize,  
                                MEM_RESERVE | MEM_COMMIT,  
                                PAGE_EXECUTE_READWRITE);  
    if (NULL == addr) {  
        printf("VirtualAlloc failed, error: %d/n", GetLastError());  
        addr = VirtualAlloc(NULL, pe.imageSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);  
        if (NULL == addr) {  
            printf("VirtualAlloc failed, error: %d/n", GetLastError());  
            return -1;  
        }  
    }  
    memset((void *)addr, 0, pe.imageSize);  
 
    mi.EntryPoint = (LPVOID)pe.entryPoint;  
    mi.lpBaseOfDll = (LPVOID)addr;  
    mi.SizeOfImage = pe.imageSize;  
 
    /* 把sections加载到内存 */ 
    LoadSections(lf, pe, mi);  
 
    /* 如果实际分配的空间地址和pe文件的基址不一样,则需要做基址重定位处理 */ 
    if ((int)mi.lpBaseOfDll != pe.imageBase) {  
        if (0 == pe.relocSize) {  
            printf("Cannot reloc address!/n");  
            return -1;  
        }  
        PIMAGE_BASE_RELOCATION pBrlc = (PIMAGE_BASE_RELOCATION)((DWORD)mi.lpBaseOfDll + pe.relocRva);  
        RelocPeModule(pBrlc, (DWORD)mi.lpBaseOfDll, (DWORD)mi.lpBaseOfDll - pe.imageBase);  
    }  
 
    /* 如果该pe文件有导出表,则处理导出表区段 */ 
    if (0 != pe.exSize) {  
        PIMAGE_EXPORT_DIRECTORY pExp = (PIMAGE_EXPORT_DIRECTORY)((DWORD)mi.lpBaseOfDll + pe.exRva);  
        FixupExport(pExp, (DWORD)mi.lpBaseOfDll);  
    }  
 
    /* 如果pe文件有资源文件,则需要处理资源区段 */ 
    if (0 != pe.resSize) {  
        PIMAGE_RESOURCE_DIRECTORY pRes = (PIMAGE_RESOURCE_DIRECTORY)((DWORD)mi.lpBaseOfDll + pe.resRva);  
        FixupResource(pRes, (DWORD)mi.lpBaseOfDll, (DWORD)mi.lpBaseOfDll - pe.imageBase);  
    }  
 
    /* 如果pe文件有导入表,则需要处理导入表区段 */ 
    if (0 != pe.imSize) {  
        PIMAGE_IMPORT_DESCRIPTOR pImp = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)mi.lpBaseOfDll + pe.imRva);  
        FixupImport(pImp, (DWORD)mi.lpBaseOfDll);  
    }  
 
    DebugPrint("/n/nentry: 0x%x/n/n", (DWORD)mi.EntryPoint + (DWORD)mi.lpBaseOfDll);  
 
    /* 进入该pe文件的entry pointer,执行该pe文件 */ 
    __asm {  
        push argc;  
        push argv;  
        mov eax, mi.EntryPoint;  
        add eax, mi.lpBaseOfDll;  
        call eax;  
    }  
}  
 
int _tmain(int argc, _TCHAR* argv[])  
{  
    //LoadPeModule("HelloWorld.exe", argc - 1, argv + 1);  
    LoadPeModule("btnlook.exe", argc - 1, argv + 1);  
 
    return 0;  

 

本文来自CSDN博客,转载请标明出处:http://blog.csdn.net/lf8289/archive/2010/02/09/5301269.aspx

0
0

查看评论
* 以上用户言论只代表其个人观点,不代表CSDN网站的观点或立场
    个人资料
    • 访问:1331693次
    • 积分:13431
    • 等级:
    • 排名:第959名
    • 原创:72篇
    • 转载:463篇
    • 译文:0篇
    • 评论:163条
    文章分类
    最新评论