一、PE文件简介
PE文件的全称是Portable Executable,意为可移植的可执行的文件,常见的EXE、DLL、OCX、SYS、COM都是PE文件,PE文件是微软Windows操作系统上的程序文件(可能是间接被执行,如DLL)(百度百科)
PE文件对于底层研究的重要性不言而喻,这里只做简单记录,以供自己学习之用,后面提供了一个山寨版本的PE文件解析器,话不多说,上图:
二、PE文件重要结构体
1、IMAGE_DOS_HEADER
/*
 * Legacy MS-DOS header; the parser on this page casts the start of the mapped
 * file to this type and reads only e_magic and e_lfanew from it.
 * Every field is read straight from the file and must be treated as untrusted.
 */
typedef struct _IMAGE_DOS_HEADER
{ // DOS .EXE header
USHORT e_magic; // Magic number (compared against IMAGE_DOS_SIGNATURE, "MZ")
USHORT e_cblp; // Bytes on last page of file
USHORT e_cp; // Pages in file
USHORT e_crlc; // Number of relocation entries
USHORT e_cparhdr; // Size of header, in paragraphs
USHORT e_minalloc; // Minimum extra paragraphs needed
USHORT e_maxalloc; // Maximum extra paragraphs needed
USHORT e_ss; // Initial SS value (relative)
USHORT e_sp; // Initial SP value
USHORT e_csum; // Checksum
USHORT e_ip; // Initial IP value
USHORT e_cs; // Initial CS value (relative)
USHORT e_lfarlc; // File address of the relocation table
USHORT e_ovno; // Overlay number
USHORT e_res[4]; // Reserved words
USHORT e_oemid; // OEM identifier (for e_oeminfo)
USHORT e_oeminfo; // OEM information
USHORT e_res2[10]; // Reserved words
LONG e_lfanew; // File offset of the new (PE) header; signed and file-controlled, so range-check it against the file size before adding it to a pointer
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
2、IMAGE_FILE_HEADER
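/*
 * NT headers, located at file offset IMAGE_DOS_HEADER.e_lfanew.
 * Written here as valid C (the listing previously mixed in assembler-style
 * "dd?" / "<>" notation and misspelled the name as IMAGE_NT_HERDERS).
 */
typedef struct _IMAGE_NT_HEADERS
{
    ULONG Signature;                      // Compared against IMAGE_NT_SIGNATURE by the parser on this page
    IMAGE_FILE_HEADER FileHeader;         // COFF file header
    IMAGE_OPTIONAL_HEADER OptionalHeader; // The IMAGE_OPTIONAL_HEADER structure shown in section 3
} IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;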
/*
 * COFF file header: the FileHeader member of the NT headers.
 * All values come from the file being parsed.
 */
typedef struct _IMAGE_FILE_HEADER {
USHORT Machine; // Target machine type
USHORT NumberOfSections; // Count of IMAGE_SECTION_HEADER entries; the section loop on this page trusts it, so bound it against the file size for untrusted input
ULONG TimeDateStamp; // Timestamp written into the file; not authenticated
ULONG PointerToSymbolTable; // File offset of the COFF symbol table
ULONG NumberOfSymbols; // Number of COFF symbols
USHORT SizeOfOptionalHeader; // Size in bytes of the optional header that follows
USHORT Characteristics; // Attribute flags of the image
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
3、IMAGE_OPTIONAL_HEADER
/*
 * Optional header in its 32-bit form: BaseOfData is present and ImageBase is
 * a 32-bit value. A PE32+ (64-bit) image uses a different layout, so Magic
 * should be checked before these offsets are trusted.
 */
typedef struct _IMAGE_OPTIONAL_HEADER {
//
// Standard fields
//
USHORT Magic; // Identifies the optional-header format
UCHAR MajorLinkerVersion; // One byte: cast to an integer before streaming, or it prints as a character
UCHAR MinorLinkerVersion; // One byte, same caveat as above
ULONG SizeOfCode;
ULONG SizeOfInitializedData;
ULONG SizeOfUninitializedData;
ULONG AddressOfEntryPoint; // RVA of the entry point
ULONG BaseOfCode; // RVA of the start of the code
ULONG BaseOfData; // RVA of the start of the data
//
// NT additional fields
//
ULONG ImageBase; // Preferred load address
ULONG SectionAlignment; // Alignment of sections in memory
ULONG FileAlignment; // Alignment of section raw data in the file
USHORT MajorOperatingSystemVersion;
USHORT MinorOperatingSystemVersion;
USHORT MajorImageVersion;
USHORT MinorImageVersion;
USHORT MajorSubsystemVersion;
USHORT MinorSubsystemVersion;
ULONG Reserved1;
ULONG SizeOfImage; // Size of the image once loaded
ULONG SizeOfHeaders; // Combined size of all headers
ULONG CheckSum;
USHORT Subsystem;
USHORT DllCharacteristics; // Flag word; carries the exploit-mitigation opt-ins such as IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and IMAGE_DLLCHARACTERISTICS_NX_COMPAT
ULONG SizeOfStackReserve;
ULONG SizeOfStackCommit;
ULONG SizeOfHeapReserve;
ULONG SizeOfHeapCommit;
ULONG LoaderFlags;
ULONG NumberOfRvaAndSizes; // Number of DataDirectory entries the file declares; file-controlled, so clamp it to IMAGE_NUMBEROF_DIRECTORY_ENTRIES before indexing
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; // Index 0 = export table, 1 = import table, 2 = resource table (as printed by ShowDataDirInfo)
} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;
4、IMAGE_SECTION_HEADER
/*
 * One entry of the section table; FileHeader.NumberOfSections of these are
 * walked by the section loop on this page.
 */
typedef struct _IMAGE_SECTION_HEADER {
UCHAR Name[IMAGE_SIZEOF_SHORT_NAME]; // Fixed-size name field; not guaranteed to be NUL-terminated when every byte is used, so never print it as a C string directly
union {
ULONG PhysicalAddress;
ULONG VirtualSize; // Size of the section in memory
} Misc;
ULONG VirtualAddress; // RVA of the section in memory
ULONG SizeOfRawData; // Size of the section data in the file
ULONG PointerToRawData; // File offset of the section data; file-controlled, may point outside the file in a malformed image
ULONG PointerToRelocations;
ULONG PointerToLinenumbers;
USHORT NumberOfRelocations;
USHORT NumberOfLinenumbers;
ULONG Characteristics; // Section attribute flags
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
5、IMAGE_RESOURCE_DIRECTORY
/*
 * Header of one level of the resource tree. The parser on this page only
 * prints the resource table's RVA and size and does not walk this structure.
 */
typedef struct _IMAGE_RESOURCE_DIRECTORY {
ULONG Characteristics;
ULONG TimeDateStamp;
USHORT MajorVersion;
USHORT MinorVersion;
USHORT NumberOfNamedEntries; // Count of entries identified by name
USHORT NumberOfIdEntries; // Count of entries identified by integer ID
} IMAGE_RESOURCE_DIRECTORY, *PIMAGE_RESOURCE_DIRECTORY;
6、IMAGE_DATA_DIRECTORY
AND IMAGE_EXPORT_DIRECTORY
IMAGE_DATA_DIRECTORY为一个结构体数组,当数组下标为0时,指向EXPORT_DIRECTORY(导出表)
/* One entry of OptionalHeader.DataDirectory; entry 0 describes the export table. */
typedef struct _IMAGE_DATA_DIRECTORY {
DWORD VirtualAddress;// RVA (relative virtual address) of the table; for entry 0, the export table. 0 means the table is absent
DWORD Size; // Size of the table in bytes, as declared by the file
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
// Export directory table (the structure that DataDirectory[0] points to)
typedef struct _IMAGE_EXPORT_DIRECTORY
{
DWORD Characteristics;
DWORD TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
DWORD Name; // RVA of the module name string
DWORD Base; // Starting ordinal number
DWORD NumberOfFunctions; // Entry count of the AddressOfFunctions array; file-controlled
DWORD NumberOfNames; // Entry count of the AddressOfNames / AddressOfNameOrdinals arrays; file-controlled
DWORD AddressOfFunctions; // RVA of the array of function RVAs
DWORD AddressOfNames; // RVA of the array of function-name RVAs
DWORD AddressOfNameOrdinals; // RVA of the array of function index numbers (WORD entries, parallel to AddressOfNames)
}IMAGE_EXPORT_DIRECTORY,*PIMAGE_EXPORT_DIRECTORY;
7、IMAGE_DATA_DIRECTORY
AND IMAGE_IMPORT_DIRECTORY
IID结构体
IMAGE_DATA_DIRECTORY为一个结构体数组,当数组下标为1时,指向IMPORT_DIRECTORY(导入表)
/* One entry of OptionalHeader.DataDirectory; entry 1 describes the import table. */
typedef struct _IMAGE_DATA_DIRECTORY {
DWORD VirtualAddress;// RVA (relative virtual address) of the table; for entry 1, the import descriptor array. 0 means the table is absent
DWORD Size; // Size of the table in bytes, as declared by the file
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
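/*
 * Import descriptor (IID): one per imported DLL. The parser on this page walks
 * the array until it reaches an entry whose FirstThunk is 0.
 * The stray "(PIMAGE_THUNK_DATA)" and "(new BIND)" fragments in the earlier
 * listing were comment text that had lost its comment markers; they are
 * comments again here so the definition is valid C.
 */
typedef struct _IMAGE_IMPORT_DESCRIPTOR
{
    union
    {
        DWORD Characteristics;
        DWORD OriginalFirstThunk; // RVA of the import name table, INT (PIMAGE_THUNK_DATA)
    };
    DWORD TimeDateStamp;  // Bind timestamp (see "new BIND" in the SDK header comments)
    DWORD ForwarderChain;
    DWORD Name;           // RVA of the imported DLL's name string
    DWORD FirstThunk;     // RVA of the import address table, IAT
} IMAGE_IMPORT_DESCRIPTOR;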
三、PE文件解析工具源代码
之所以叫山寨版,是因为主要源代码参考了《加密与解密(第三版)》书中的内容,我把它改装成了命令行程序,并简化了一些编程步骤,供学习之用时看起来更简单一点。需要注意:代码按32位PE结构解析,并且没有对从文件中读出的偏移和RVA做越界检查,因此不适合直接用来解析不可信的样本。OK,上代码:
// PEStudy.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include<windows.h>
#include<imageHlp.h>
#include<CommCtrl.h>
#include <iostream>
using namespace std;
#pragma comment(lib,"imageHlp.lib")
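// Picks the RVA of the thunk array to walk for one import descriptor:
// OriginalFirstThunk when it is non-zero, otherwise FirstThunk.
// The argument is parenthesised so any pointer expression can be passed, and
// the former detour through a PIMAGE_IMPORT_DESCRIPTOR cast is gone: both
// fields are already DWORD RVAs, so no pointer conversion is needed.
// Note: the argument is evaluated more than once; pass a side-effect-free expression.
#define GETTHUNK(pImportDesc) ((DWORD) \
    ((pImportDesc)->OriginalFirstThunk ? \
     (pImportDesc)->OriginalFirstThunk : (pImportDesc)->FirstThunk))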
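// Appends one NUL-terminated string, followed by CRLF, to the named file
// (the file is created when it does not exist).
//
//   Data      string to append; NULL is rejected. The callers on this page pass
//             pointers into a mapped, untrusted PE file, and strlen() reads
//             until the first NUL byte, so the caller is responsible for the
//             string being terminated inside the mapped view.
//   FileName  wide-character path of the output file.
//
// Returns TRUE when both writes succeed, FALSE otherwise.
//
// Changes from the earlier version: the handle is closed on every path (it
// leaked when WriteFile failed), the wide path is passed to CreateFileW
// explicitly, the write starts exactly at end-of-file instead of 3 bytes past
// it (which left a gap between entries), and the line break the author had
// been trying to add is written as "\r\n".
BOOL WriteDataToFile(LPCSTR Data,LPCWSTR FileName)
{
    static const char szLineEnd[] = "\r\n";
    HANDLE hFile;
    DWORD dwBytesWritten = 0;
    BOOL fSuccess = FALSE;

    if (!Data || !FileName)
        return FALSE;

    hFile = CreateFileW(FileName,             // file name
        GENERIC_READ | GENERIC_WRITE,         // read/write access
        0,                                    // do not share
        NULL,                                 // default security
        OPEN_ALWAYS,                          // open, or create if missing
        FILE_ATTRIBUTE_NORMAL,                // normal file
        NULL);                                // no template
    if (hFile == INVALID_HANDLE_VALUE)
    {
        printf("CreateFile failed with error %lu.\n",
            (unsigned long)GetLastError());
        return FALSE;
    }

    // Append: position the file pointer at the current end of the file.
    if (SetFilePointer(hFile, 0, NULL, FILE_END) != INVALID_SET_FILE_POINTER)
    {
        fSuccess = WriteFile(hFile, Data, (DWORD)strlen(Data), &dwBytesWritten, NULL)
            && WriteFile(hFile, szLineEnd, (DWORD)(sizeof szLineEnd - 1), &dwBytesWritten, NULL);
    }

    if (!fSuccess)
    {
        // Report before CloseHandle so the error code is still the write/seek error.
        printf("WriteFile failed with error %lu.\n",
            (unsigned long)GetLastError());
    }
    CloseHandle(hFile);
    return fSuccess;
}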
// Base address of the read-only view of the file being inspected. IsPEFile()
// stores the MapViewOfFile() result here and _tmain passes it to every Show*
// routine. Note that it is declared HANDLE although it holds a view address.
HANDLE ImageBase;
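// Maps the file read-only and reports whether it starts with a DOS header
// ("MZ") whose e_lfanew leads to an NT signature.
//
//   lpFilePath  path of the file to inspect.
//
// Returns TRUE for a PE file; the view then stays mapped and its base address
// is left in the global ImageBase for the Show* routines. Returns FALSE
// otherwise, with the view unmapped and ImageBase reset to NULL.
//
// Fixes over the earlier version:
//  - CreateFile reports failure with INVALID_HANDLE_VALUE, not NULL.
//  - The file is untrusted input: its size is checked before the DOS header is
//    read, and e_lfanew must leave room for a whole IMAGE_NT_HEADERS inside
//    the file before the NT signature is dereferenced.
//  - The header address is computed with byte-pointer arithmetic rather than a
//    (DWORD) cast, which truncates pointers in a 64-bit build.
//  - The file and mapping handles are closed on every path (the view itself
//    keeps the mapping alive), and the view is released when the file is not PE.
//
// NOTE(review): only the headers are validated here. Section headers, data
// directories and every RVA used later are still file-controlled values.
// The optional header is interpreted with the layout of this build's
// IMAGE_NT_HEADERS; OptionalHeader.Magic is not checked.
BOOL IsPEFile(LPTSTR lpFilePath)
{
    HANDLE hFile;
    HANDLE hMapping;
    LARGE_INTEGER liSize;
    ULONGLONG cbFile;
    PIMAGE_DOS_HEADER pDH = NULL;
    PIMAGE_NT_HEADERS pNTH = NULL;
    BOOL fIsPE = FALSE;

    if (!lpFilePath)
        return FALSE;

    hFile = CreateFile(lpFilePath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
        return FALSE;

    if (!GetFileSizeEx(hFile, &liSize))
    {
        CloseHandle(hFile);
        return FALSE;
    }
    cbFile = (ULONGLONG)liSize.QuadPart;

    hMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
    if (!hMapping)
    {
        CloseHandle(hFile);
        return FALSE;
    }

    // Get ImageBase. The handles are no longer needed once the view exists.
    ImageBase = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);
    CloseHandle(hMapping);
    CloseHandle(hFile);
    if (!ImageBase)
        return FALSE;

    // Judge PE file: every offset is checked against the file size first.
    if (cbFile >= sizeof(IMAGE_DOS_HEADER) && cbFile >= sizeof(IMAGE_NT_HEADERS))
    {
        pDH = (PIMAGE_DOS_HEADER)ImageBase;
        if (pDH->e_magic == IMAGE_DOS_SIGNATURE
            && pDH->e_lfanew >= 0
            && (ULONGLONG)pDH->e_lfanew <= cbFile - sizeof(IMAGE_NT_HEADERS))
        {
            pNTH = (PIMAGE_NT_HEADERS)((BYTE *)pDH + pDH->e_lfanew);
            fIsPE = (pNTH->Signature == IMAGE_NT_SIGNATURE);
        }
    }

    if (!fIsPE)
    {
        UnmapViewOfFile(ImageBase);
        ImageBase = NULL;
    }
    return fIsPE;
}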
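// Prints selected IMAGE_FILE_HEADER fields of a mapped PE file in hex.
//
//   LocalImageBase  base address of the mapped file view; NULL is ignored.
//
// The headers are dereferenced without any bounds check here, so the caller
// must already have confirmed that e_lfanew and the NT headers lie inside the
// mapped view. The NT header address is computed with byte-pointer arithmetic;
// the earlier (DWORD) cast truncated the pointer in a 64-bit build.
void ShowFileHeaderInfo(LPVOID LocalImageBase)
{
    if (!LocalImageBase)
        return;

    PIMAGE_DOS_HEADER pDH = (PIMAGE_DOS_HEADER)LocalImageBase;
    PIMAGE_NT_HEADERS pNTH = (PIMAGE_NT_HEADERS)((BYTE *)pDH + pDH->e_lfanew);
    PIMAGE_FILE_HEADER pFH = &pNTH->FileHeader;

    cout << " Machine:" << hex << pFH->Machine << endl;
    cout << " NumberOfSections:" << hex << pFH->NumberOfSections << endl;
    cout << " TimeDateStamp:" << hex << pFH->TimeDateStamp << endl;
    cout << " Characteristics:" << hex << pFH->Characteristics << endl;
}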
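// Prints selected IMAGE_OPTIONAL_HEADER fields of a mapped PE file in hex.
//
//   LocalImageBase  base address of the mapped file view; NULL is ignored.
//
// Fixes over the earlier version:
//  - MajorLinkerVersion / MinorLinkerVersion are single bytes; streaming them
//    directly printed a character instead of a number, so they are widened to
//    unsigned int first.
//  - The NT header address is computed with byte-pointer arithmetic; the
//    (DWORD) cast truncated the pointer in a 64-bit build.
//
// The caller must have validated that the NT headers lie inside the view.
void ShowOptionalHeaderInfo(LPVOID LocalImageBase)
{
    if (!LocalImageBase)
        return;

    PIMAGE_DOS_HEADER pDH = (PIMAGE_DOS_HEADER)LocalImageBase;
    PIMAGE_NT_HEADERS pNTH = (PIMAGE_NT_HEADERS)((BYTE *)pDH + pDH->e_lfanew);
    PIMAGE_OPTIONAL_HEADER pOH = &pNTH->OptionalHeader;

    cout << " AddressOfEntryPoint:" << hex << pOH->AddressOfEntryPoint << endl;
    cout << " BaseOfCode:" << hex << pOH->BaseOfCode << endl;
    cout << " BaseOfData:" << hex << pOH->BaseOfData << endl;
    cout << " ImageBase:" << hex << pOH->ImageBase << endl;
    cout << " MajorOperatingSystemVersion:" << hex << pOH->MajorOperatingSystemVersion << endl;
    cout << " MinorOperatingSystemVersion:" << hex << pOH->MinorOperatingSystemVersion << endl;
    cout << " MajorLinkerVersion:" << hex << (unsigned int)pOH->MajorLinkerVersion << endl;
    cout << " MinorLinkerVersion:" << hex << (unsigned int)pOH->MinorLinkerVersion << endl;
    cout << " NumberOfRvaAndSizes:" << hex << pOH->NumberOfRvaAndSizes << endl;
}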
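// Prints the RVA and size of the export, import and resource data
// directories of a mapped PE file in hex.
//
//   LocalImageBase  base address of the mapped file view; NULL is ignored.
//
// The directory indices are spelled with the SDK constants instead of 0/1/2,
// and the NT header address uses byte-pointer arithmetic (the (DWORD) cast
// truncated the pointer in a 64-bit build).
//
// NOTE(review): NumberOfRvaAndSizes is not consulted, so for a file that
// declares fewer than three directories the values printed are whatever bytes
// follow in the file. The caller must have validated the NT headers.
void ShowDataDirInfo(LPVOID LocalImageBase)
{
    if (!LocalImageBase)
        return;

    PIMAGE_DOS_HEADER pDH = (PIMAGE_DOS_HEADER)LocalImageBase;
    PIMAGE_NT_HEADERS pNTH = (PIMAGE_NT_HEADERS)((BYTE *)pDH + pDH->e_lfanew);
    const IMAGE_DATA_DIRECTORY *pDirs = pNTH->OptionalHeader.DataDirectory;

    cout << " Export table Rva:" << hex << pDirs[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress << endl;
    cout << " Export table Size:" << hex << pDirs[IMAGE_DIRECTORY_ENTRY_EXPORT].Size << endl;
    cout << " Import table Rva:" << hex << pDirs[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress << endl;
    cout << " Import table Size:" << hex << pDirs[IMAGE_DIRECTORY_ENTRY_IMPORT].Size << endl;
    cout << " Resourse table Rva:" << hex << pDirs[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress << endl;
    cout << " Resourse table Size:" << hex << pDirs[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size << endl;
}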
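// Returns a pointer to the first IMAGE_SECTION_HEADER of a mapped PE file,
// as located by the SDK macro IMAGE_FIRST_SECTION.
//
//   LocalImageBase  base address of the mapped file view.
//
// Returns NULL when LocalImageBase is NULL. The NT header address is computed
// with byte-pointer arithmetic; the earlier (DWORD) cast truncated the pointer
// in a 64-bit build. The caller must have validated that the NT headers lie
// inside the view; whether the section table itself fits in the file is not
// checked here.
PIMAGE_SECTION_HEADER GetFirstSectionHeader(LPVOID LocalImageBase)
{
    if (!LocalImageBase)
        return NULL;

    PIMAGE_DOS_HEADER pDH = (PIMAGE_DOS_HEADER)LocalImageBase;
    PIMAGE_NT_HEADERS pNTH = (PIMAGE_NT_HEADERS)((BYTE *)pDH + pDH->e_lfanew);
    return IMAGE_FIRST_SECTION(pNTH);
}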
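// Prints name, addresses, sizes and flags of every section header of a mapped
// PE file.
//
//   LocalImageBase  base address of the mapped file view; NULL is ignored.
//
// Fixes over the earlier version:
//  - The section name is a fixed-size byte array that need not be
//    NUL-terminated; it is copied into a terminated buffer before printing
//    instead of being streamed as a C string (which could read past the field).
//  - The section table is looked up from LocalImageBase, not from the global
//    ImageBase, so the function honours its own parameter.
//  - The always-true check on the address of FileHeader is removed, and the
//    header address uses byte-pointer arithmetic instead of a (DWORD) cast.
//
// NOTE(review): NumberOfSections comes from the file and is not bounded
// against the size of the mapping here; the caller must only pass images whose
// section table is known to fit.
void ShowSectionHeaderInfo(LPVOID LocalImageBase)
{
    if (!LocalImageBase)
        return;

    PIMAGE_DOS_HEADER pDH = (PIMAGE_DOS_HEADER)LocalImageBase;
    PIMAGE_NT_HEADERS pNTH = (PIMAGE_NT_HEADERS)((BYTE *)pDH + pDH->e_lfanew);
    PIMAGE_FILE_HEADER pFH = &pNTH->FileHeader;
    PIMAGE_SECTION_HEADER pSH = GetFirstSectionHeader(LocalImageBase);
    if (!pSH)
        return;

    for (WORD i = 0; i < pFH->NumberOfSections; i++, ++pSH)
    {
        // Terminated copy of the fixed-size name field.
        char szName[IMAGE_SIZEOF_SHORT_NAME + 1] = {0};
        for (int c = 0; c < IMAGE_SIZEOF_SHORT_NAME; c++)
            szName[c] = (char)pSH->Name[c];

        cout << " Section Name:" << szName << endl;
        cout << " VirtualAddress:" << hex << pSH->VirtualAddress << endl;
        cout << " SizeOfRawData:" << hex << pSH->SizeOfRawData << endl;
        cout << " PointerToRelocations:" << hex << pSH->PointerToRelocations << endl;
        cout << " NumberOfLinenumbers:" << hex << pSH->NumberOfLinenumbers << endl;
        cout << " Characteristics:" << hex << pSH->Characteristics << endl;
    }
}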
// Translates an RVA into a pointer inside the mapped file by delegating to
// ImageRvaToVa (imagehlp).
//
//   pNtH       NT headers of the mapped image
//   ImageBase  base address of the mapped view (shadows the global of the same name)
//   dwRVA      relative virtual address to translate
//
// Returns whatever ImageRvaToVa returns; callers on this page treat NULL as
// "could not translate".
// NOTE(review): the translation relies on the file's own section headers and
// this wrapper is not told the size of the mapping, so for a malformed image
// the result presumably may point outside the view — confirm before
// dereferencing data from untrusted files.
LPVOID RvaToPtr(PIMAGE_NT_HEADERS pNtH,LPVOID ImageBase,DWORD dwRVA)
{
    LPVOID pMapped = ImageRvaToVa(pNtH, ImageBase, dwRVA, NULL);
    return pMapped;
}
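// Locates the export directory of a mapped PE file.
//
//   LocalImageBase  base address of the mapped file view.
//
// Returns a pointer to the IMAGE_EXPORT_DIRECTORY inside the view, or NULL
// when LocalImageBase is NULL, the export data directory has RVA 0 (no export
// table), or the RVA cannot be translated.
//
// Changes: an RVA of 0 is answered directly instead of being handed to the
// translator, the redundant NULL re-check before the return is gone, and the
// NT header address uses byte-pointer arithmetic (the (DWORD) cast truncated
// the pointer in a 64-bit build). The caller must have validated the NT headers.
PIMAGE_EXPORT_DIRECTORY GetExportDirectory(LPVOID LocalImageBase)
{
    if (!LocalImageBase)
        return NULL;

    PIMAGE_DOS_HEADER pDH = (PIMAGE_DOS_HEADER)LocalImageBase;
    PIMAGE_NT_HEADERS pNTH = (PIMAGE_NT_HEADERS)((BYTE *)pDH + pDH->e_lfanew);
    DWORD dwExportRva =
        pNTH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;

    if (dwExportRva == 0)
        return NULL;

    // The RVA must be turned into a pointer inside the mapped view.
    return (PIMAGE_EXPORT_DIRECTORY)RvaToPtr(pNTH, LocalImageBase, dwExportRva);
}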
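// Prints the fields of the export directory of a mapped PE file in hex,
// followed by the module name string it refers to.
//
//   LocalImageBase  base address of the mapped file view; NULL is ignored.
//
// Fixes over the earlier version:
//  - "No export table" is decided from the data directory RVA being 0 rather
//    than from GetLastError(), which could still hold a stale code from an
//    unrelated earlier call.
//  - The module name pointer is checked before it is streamed; the translation
//    can return NULL for a bad RVA, which is the case the old comment
//    ("Sometime the string of name will be error here") was hitting.
//  - The header address uses byte-pointer arithmetic instead of a (DWORD) cast.
//
// NOTE(review): the name is still printed up to its first NUL byte; for an
// untrusted file nothing guarantees that terminator lies inside the mapping.
void ShowExportDirInfo(LPVOID LocalImageBase)
{
    if (!LocalImageBase)
        return;

    PIMAGE_DOS_HEADER pDH = (PIMAGE_DOS_HEADER)LocalImageBase;
    PIMAGE_NT_HEADERS pNTH = (PIMAGE_NT_HEADERS)((BYTE *)pDH + pDH->e_lfanew);
    PIMAGE_OPTIONAL_HEADER pOH = &pNTH->OptionalHeader;

    if (pOH->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress == 0)
    {
        cout << "This File is not include Export Table !" << endl;
        return;
    }

    PIMAGE_EXPORT_DIRECTORY pExportDir = GetExportDirectory(LocalImageBase);
    if (!pExportDir)
    {
        int error = GetLastError();
        cout << "Can't get Export Directory:( ,error code:" << error << endl;
        return;
    }

    cout << " AddressOfFunctions: " << hex << pExportDir->AddressOfFunctions << endl;
    cout << " AddressOfNameOrdinals: " << hex << pExportDir->AddressOfNameOrdinals << endl;
    cout << " AddressOfNames: " << hex << pExportDir->AddressOfNames << endl;
    cout << " Base: " << hex << pExportDir->Base << endl;
    cout << " MajorVersion: " << hex << pExportDir->MajorVersion << endl;
    cout << " MinorVersion: " << hex << pExportDir->MinorVersion << endl;
    cout << " Characteristics: " << hex << pExportDir->Characteristics << endl;
    cout << " Name: " << hex << pExportDir->Name << endl;
    cout << " NumberOfFunctions: " << hex << pExportDir->NumberOfFunctions << endl;
    cout << " NumberOfNames: " << hex << pExportDir->NumberOfNames << endl;
    cout << " TimeDateStamp: " << hex << pExportDir->TimeDateStamp << endl;

    // Streaming a NULL char* would put cout into a failed state, so guard it.
    const char *szModuleName =
        (const char *)ImageRvaToVa(pNTH, LocalImageBase, pExportDir->Name, NULL);
    cout << " pExportDir->Name: " << (szModuleName ? szModuleName : "(invalid RVA)") << endl;
}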
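// Writes the name of every named export of a mapped PE file to
// NameOfExportFuncs.txt, in export-address-table order.
//
//   LocalImageBase  base address of the mapped file view; NULL is ignored.
//
// For each non-zero entry i of the function RVA array, the ordinal array is
// searched for i and the matching name is written out.
//
// Fixes over the earlier version:
//  - The ordinal and name arrays are checked for NULL before they are indexed,
//    and a name whose RVA cannot be translated is skipped instead of being
//    passed on as a NULL string.
//  - The export directory is fetched once (it was fetched twice), the
//    always-true check on pNTH and the unused locals are gone, and the header
//    address uses byte-pointer arithmetic instead of a (DWORD) cast.
//
// NOTE(review): NumberOfFunctions and NumberOfNames are file-controlled and
// are not bounded against the size of the mapping here, and each name is read
// up to its first NUL byte. Validate these against the file size before using
// this on untrusted images.
void ShowExportFuncsInfo(LPVOID LocalImageBase)
{
    if (!LocalImageBase)
        return;

    PIMAGE_DOS_HEADER pDH = (PIMAGE_DOS_HEADER)LocalImageBase;
    PIMAGE_NT_HEADERS pNTH = (PIMAGE_NT_HEADERS)((BYTE *)pDH + pDH->e_lfanew);

    PIMAGE_EXPORT_DIRECTORY pExportDir = GetExportDirectory(LocalImageBase);
    if (!pExportDir)
        return;

    PWORD pwOrds = (PWORD)RvaToPtr(pNTH, LocalImageBase, pExportDir->AddressOfNameOrdinals);
    PDWORD pdwRvas = (PDWORD)RvaToPtr(pNTH, LocalImageBase, pExportDir->AddressOfFunctions);
    PDWORD pdwNames = (PDWORD)RvaToPtr(pNTH, LocalImageBase, pExportDir->AddressOfNames);
    if (!pdwRvas)
        return;

    // Without both parallel arrays there are no names to look up.
    UINT iNumOfName = (pwOrds && pdwNames) ? pExportDir->NumberOfNames : 0;

    for (UINT i = 0; i < pExportDir->NumberOfFunctions; i++)
    {
        if (pdwRvas[i] == 0)
            continue; // unused slot in the export address table

        for (UINT j = 0; j < iNumOfName; j++)
        {
            if (pwOrds[j] != i)
                continue;

            const char *szFuncName =
                (const char *)RvaToPtr(pNTH, LocalImageBase, pdwNames[j]);
            if (szFuncName)
            {
                // WriteExportFuncsNameToTxtFile
                WriteDataToFile(szFuncName, L"NameOfExportFuncs.txt");
            }
        }
    }
}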
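// Prints every import descriptor of a mapped PE file in hex, together with
// the DLL name each one refers to. The descriptor array is walked until an
// entry with FirstThunk == 0.
//
//   LocalImageBase  base address of the mapped file view; NULL is ignored.
//
// Fixes over the earlier version:
//  - The import table is translated relative to LocalImageBase; the old code
//    used the global ImageBase for that one call and the parameter for the rest.
//  - An import directory RVA of 0 is reported as "no import table" directly,
//    without depending on a possibly stale GetLastError() value.
//  - The DLL name pointer is checked before it is streamed (the translation
//    can return NULL for a bad RVA).
//  - The header address uses byte-pointer arithmetic instead of a (DWORD) cast.
//
// NOTE(review): the loop relies on the file containing a terminating
// descriptor and each name on containing a NUL byte; neither is bounded
// against the size of the mapping, so a malformed file can make this read
// past the view.
void ShowImportDirInfo(LPVOID LocalImageBase)
{
    if (!LocalImageBase)
        return;

    PIMAGE_DOS_HEADER pDH = (PIMAGE_DOS_HEADER)LocalImageBase;
    PIMAGE_NT_HEADERS pNTH = (PIMAGE_NT_HEADERS)((BYTE *)pDH + pDH->e_lfanew);
    PIMAGE_OPTIONAL_HEADER pOH = &pNTH->OptionalHeader;

    DWORD dwDataStartRVA = pOH->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (dwDataStartRVA == 0)
    {
        cout << "This File is not include Import Table !" << endl;
        return;
    }

    PIMAGE_IMPORT_DESCRIPTOR pImportDir =
        (PIMAGE_IMPORT_DESCRIPTOR)RvaToPtr(pNTH, LocalImageBase, dwDataStartRVA);
    if (!pImportDir)
    {
        int error = GetLastError();
        if (error == 0)
            cout << "This File is not include Import Table !" << endl;
        else
            cout << "Can't get Import Directory:( ,error code:" << error << endl;
        return;
    }

    for (; pImportDir->FirstThunk; ++pImportDir)
    {
        cout << " Characteristics: " << hex << pImportDir->Characteristics << endl;
        cout << " FirstThunk(IAT): " << hex << pImportDir->FirstThunk << endl;
        cout << " ForwarderChain: " << hex << pImportDir->ForwarderChain << endl;
        cout << " TimeDateStamp: " << hex << pImportDir->TimeDateStamp << endl;
        cout << " Name: " << hex << pImportDir->Name << endl;
        cout << " OriginalFirstThunk(INT): " << hex << pImportDir->OriginalFirstThunk << endl;

        // Streaming a NULL char* would put cout into a failed state, so guard it.
        const char *szDllName =
            (const char *)ImageRvaToVa(pNTH, LocalImageBase, pImportDir->Name, NULL);
        cout << " pImportDir->Name: " << (szDllName ? szDllName : "(invalid RVA)") << endl;
    }
}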
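// Writes the names of the functions imported by name through the FIRST import
// descriptor of a mapped PE file to NameOfImportFuncs.txt. Despite its name
// the function takes no DLL index; later descriptors are not visited.
//
//   LocalImageBase  base address of the mapped file view; NULL is ignored.
//
// Fixes over the earlier version:
//  - The import descriptor pointer is checked before GETTHUNK dereferences it;
//    a file without an import table used to crash here.
//  - All translations use LocalImageBase instead of the global ImageBase.
//  - Import-by-ordinal entries are recognised by the IMAGE_ORDINAL_FLAG32 bit
//    rather than by comparing the whole high word with 0x8000.
//  - The unused counter is gone and the header address uses byte-pointer
//    arithmetic instead of a (DWORD) cast.
//
// NOTE(review): thunks are read as 32-bit values, which matches PE32 images
// only. The thunk array and each name are read up to their zero terminators
// without being bounded against the size of the mapping.
void ShowImportFuncsByDllIndex(LPVOID LocalImageBase)
{
    if (!LocalImageBase)
        return;

    PIMAGE_DOS_HEADER pDH = (PIMAGE_DOS_HEADER)LocalImageBase;
    PIMAGE_NT_HEADERS pNTH = (PIMAGE_NT_HEADERS)((BYTE *)pDH + pDH->e_lfanew);
    PIMAGE_OPTIONAL_HEADER pOH = &pNTH->OptionalHeader;

    // Get the import table address.
    DWORD dwDataStartRVA = pOH->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    PIMAGE_IMPORT_DESCRIPTOR pImportDir =
        (PIMAGE_IMPORT_DESCRIPTOR)RvaToPtr(pNTH, LocalImageBase, dwDataStartRVA);
    if (!pImportDir)
        return; // no import table, or its RVA could not be translated

    DWORD dwThunk = GETTHUNK(pImportDir);
    DWORD *pdwThunk = (DWORD *)RvaToPtr(pNTH, LocalImageBase, dwThunk);
    if (!pdwThunk)
        return;

    for (; *pdwThunk; ++pdwThunk)
    {
        if (*pdwThunk & IMAGE_ORDINAL_FLAG32)
            continue; // imported by ordinal: there is no name to record

        PIMAGE_IMPORT_BY_NAME pByName =
            (PIMAGE_IMPORT_BY_NAME)RvaToPtr(pNTH, LocalImageBase, (DWORD)(*pdwThunk));
        if (!pByName)
            continue;

        // WriteDataToFile
        if (!WriteDataToFile((LPCSTR)pByName->Name, L"NameOfImportFuncs.txt"))
            printf("WriteDataToFile Failed!");
    }
}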
// Entry point: takes the path of the file to inspect as the first command-line
// argument, checks it with IsPEFile() and, for a PE file, runs each report
// routine in turn against the mapped view held in the global ImageBase.
// Always waits for a key press ("pause") and returns 0.
int _tmain(int argc,_TCHAR* argv[] )
{
    // One report step: the banner printed before it and the routine producing it.
    struct ReportStep
    {
        const char *banner;
        void (*run)(LPVOID);
    };
    static const ReportStep steps[] = {
        { "-----------------------ShowFileHeaderInfo(HEX Value)-----------------", ShowFileHeaderInfo },
        { "-----------------------ShowOptionalHeaderInfo(HEX Value)-------------", ShowOptionalHeaderInfo },
        { "-----------------------ShowDataDirInfo(HEX Value)--------------------", ShowDataDirInfo },
        { "-----------------------ShowSectionHeaderInfo(HEX Value)--------------", ShowSectionHeaderInfo },
        { "-----------------------ShowExportDirInfo(HEX Value)------------------", ShowExportDirInfo },
        { "-----------------------WriteExportFuncsNameToTxtFile-----------------", ShowExportFuncsInfo },
        { "-----------------------ShowImportDirInfo(HEX Value)--- --------------", ShowImportDirInfo },
        { "-----------------------WriteImportFuncsNameToTxtFile-----------------", ShowImportFuncsByDllIndex },
    };

    LPTSTR lpFilePath = argv[1];

    if (argc == 1)
    {
        // No path given on the command line.
        cout << "cout :argc=" << argc << " please scanf file path" << endl;
    }
    else if (!IsPEFile(lpFilePath))
    {
        cout << "it's not a PE File" << endl;
    }
    else
    {
        cout << "-----------------------it is a PE File-------------------------------" << endl;
        for (size_t s = 0; s < sizeof steps / sizeof steps[0]; s++)
        {
            cout << steps[s].banner << endl;
            steps[s].run(ImageBase);
        }
    }

    system("pause");
    return 0;
}
运行效果:
写的太粗糙,后面再来完善,未完待续…