//拉伸文件
void FileBuffer_To_ImageBuffer(void* pFileBuffer,void** pImageBuffer)
{
PIMAGE_DOS_HEADER pDosHeader = NULL;
PIMAGE_NT_HEADERS pNTHeader = NULL;
PIMAGE_FILE_HEADER pPEHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 pOptionHeader = NULL;
PIMAGE_SECTION_HEADER pSectionHeader = NULL;
pDosHeader=(PIMAGE_DOS_HEADER)pFileBuffer;
pNTHeader=(PIMAGE_NT_HEADERS)((DWORD*)pFileBuffer+pDosHeader->e_lfanew);
pPEHeader=(PIMAGE_FILE_HEADER)((BYTE*)pNTHeader+sizeof(DWORD));
pOptionHeader=(PIMAGE_OPTIONAL_HEADER32)((BYTE*)pPEHeader+IMAGE_SIZEOF_FILE_HEADER);
pSectionHeader=(PIMAGE_SECTION_HEADER)((BYTE*)pOptionHeader+pPEHeader->SizeOfOptionalHeader);
void* pTempFileBuffer=NULL;
//判断是否含有有效MZ和PE标志
if (*(PWORD)pFileBuffer != IMAGE_DOS_SIGNATURE)
{
printf("无有效的MZ标志\n");
}
if (*(PDWORD)((DWORD)pFileBuffer + pDosHeader->e_lfanew) != IMAGE_NT_SIGNATURE)
{
printf("无有效的PE标志\n");
}
//开辟空间
pTempFileBuffer=malloc(pOptionHeader->SizeOfImage);
if (!pTempFileBuffer)
{
printf("pTempFileBuffer空间申请失败...");
}
//移动头和节表
memset(pTempFileBuffer,0,pOptionHeader->SizeOfImage);
memcpy(pTempFileBuffer,pFileBuffer,pOptionHeader->SizeOfHeaders);//由src指向地址为起始地址的连续n个字节的数据复制到以destin指向地址为起始地址的空间内。函数返回一个指向dest的指针。
//节区循环拷贝
for(int i=0;i<pPEHeader->NumberOfSections;i++)
{
memcpy((PVOID)((DWORD)pTempFileBuffer+pSectionHeader[i].Misc.VirtualSize),(PVOID)((DWORD)pFileBuffer+pSectionHeader[i].PointerToRawData),pSectionHeader[i].SizeOfRawData);
}
*pImageBuffer = pTempFileBuffer;
pTempFileBuffer=NULL;
}
PE解析器中的拉伸文件函数
最新推荐文章于 2024-05-18 16:18:30 发布