【目的】意在理解pe文件结构及其读取方式
; PE header dumper (MASM32, Win32 stdcall). Reads a file named on the
; console and prints selected IMAGE_DOS_HEADER / IMAGE_NT_HEADERS fields
; as hex. All output goes through the masm32 StdOut/dw2hex helpers.
.386
.model flat,stdcall
option casemap :none
include \masm32\include\windows.inc
include \masm32\include\masm32.inc
include \masm32\macros\macros.asm
include \masm32\include\kernel32.inc
includelib \masm32\lib\masm32.lib
includelib \masm32\lib\kernel32.lib
.data
hi BYTE "Please input a PE file:",0;prompt shown before the file name is read
filename BYTE 20 DUP(0);file name typed by the user (StdIn is given at most 20 bytes)
hfile DWORD 0;file handle returned by CreateFile
buf3 DWORD 4000 dup(?);raw bytes read from the file; dup(?) = NOT zero-initialised, so anything past the bytes actually read is garbage
buf4 DWORD 4000 dup(0);dw2hex output: 8 hex characters followed by a terminating 0
buf5 word 4000 dup(0);two-character scratch string: one word is stored at buf5, the zero word after it terminates the string
;label text printed in front of each value
IDH BYTE "IMAGE_DOS_HEADER",0
em BYTE " e_magic: ",0
el BYTE " e_lfanew: ",0
INH BYTE "IMAGE_NT_HEADERS",0
sig BYTE " Signature: ",0
IFH BYTE "IMAGE_FILE_HEADERS",0
nos BYTE " NumberOfSections: ",0
tds BYTE " TimeDateStamp: ",0
chc BYTE " Characteics: ",0;the misspelling of "Characteristics" is part of the printed text
IOH BYTE "IMAGE_OPTIONAL_HEADER",0
aop BYTE " AddressOfEntryPoint: ",0
ib BYTE " ImageBase: ",0
sa BYTE " SectionAligment: ",0
fa BYTE " FILEAligment: ",0
endl BYTE 0Ah,0Dh,0;line break (LF then CR, in that order)
.code
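;-----------------------------------------------------------------------
; main - print selected IMAGE_DOS_HEADER / IMAGE_NT_HEADERS fields of the
;        PE file whose name is typed on the console.
; ABI:   Win32 stdcall; this is the program entry point (END main).
; In:    file name from stdin (at most SIZEOF filename bytes)
; Out:   header fields on stdout; the process ends via ExitProcess
; Regs:  esi = base of the bytes read (buf3), later base of the NT headers
;        eax/ecx/edx are scratch; nothing is preserved (no caller)
; The offsets below are those of PE32 (optional-header Magic 10Bh). For
; PE32+ ImageBase is an 8-byte field at optional-header offset 18h, so the
; "ImageBase" line would show the high dword of it.
;-----------------------------------------------------------------------
main PROC

        ; Storage private to this routine. Switching .data/.code inside a
        ; PROC is the same mechanism the masm32 chr$ macro uses.
        .data
        nread     DWORD 0                       ; bytes ReadFile actually stored in buf3
        errOpen   BYTE  "Cannot open file",0
        errRead   BYTE  "Cannot read file, or it is shorter than an IMAGE_DOS_HEADER",0
        errLfanew BYTE  "e_lfanew points past the data read; NT headers not parsed",0
        .code

; Field offsets (the same positions the original walked with add esi,...).
DOS_HDR_SIZE      equ 40h   ; sizeof IMAGE_DOS_HEADER; e_lfanew is its last dword
E_LFANEW_OFS      equ 3Ch   ; IMAGE_DOS_HEADER.e_lfanew
NT_BYTES_USED     equ 40h   ; Signature .. OptionalHeader.FileAlignment (PE32)
NT_NUMSECS_OFS    equ 06h   ; FileHeader.NumberOfSections   (word)
NT_TIMESTAMP_OFS  equ 08h   ; FileHeader.TimeDateStamp      (dword)
NT_CHARACT_OFS    equ 16h   ; FileHeader.Characteristics    (word)
NT_ENTRY_OFS      equ 28h   ; OptionalHeader.AddressOfEntryPoint
NT_IMAGEBASE_OFS  equ 34h   ; OptionalHeader.ImageBase (PE32)
NT_SECALIGN_OFS   equ 38h   ; OptionalHeader.SectionAlignment
NT_FILEALIGN_OFS  equ 3Ch   ; OptionalHeader.FileAlignment

        invoke  StdOut, addr hi
        ; NOTE(review): relies on masm32 StdIn removing the trailing CR/LF
        ; before the name reaches CreateFile - confirm. A path of
        ; SIZEOF filename characters or more is truncated.
        invoke  StdIn, addr filename, sizeof filename

        invoke  CreateFile, addr filename,\
                GENERIC_READ,\
                FILE_SHARE_READ,\
                0,\
                OPEN_EXISTING,\
                FILE_ATTRIBUTE_ARCHIVE,\
                0
        cmp     eax, INVALID_HANDLE_VALUE       ; CreateFile signals failure with -1, not 0
        je      open_failed
        mov     hfile, eax

        invoke  SetFilePointer, hfile, 0, 0, FILE_BEGIN   ; start of file (already true for a fresh handle)

        ; ReadFile needs a non-NULL lpNumberOfBytesRead when lpOverlapped is
        ; NULL; the count is also what bounds every offset taken from the file.
        invoke  ReadFile, hfile, addr buf3, sizeof buf3, addr nread, 0
        test    eax, eax
        jz      read_failed
        cmp     nread, DOS_HDR_SIZE             ; e_lfanew is the last dword of the DOS header
        jb      read_failed

        mov     esi, offset buf3                ; esi = file offset 0 (IMAGE_DOS_HEADER)

        ; ---- IMAGE_DOS_HEADER ----
        invoke  StdOut, addr IDH
        invoke  StdOut, addr endl
        invoke  StdOut, addr em
        mov     eax, dword PTR [esi]            ; low word = e_magic, high word = e_cblp
        invoke  dw2hex, eax, addr buf4
        invoke  StdOut, offset buf4+4           ; last four hex digits = e_magic ("5A4D")
        invoke  StdOut, addr endl
        invoke  StdOut, addr el
        mov     eax, dword PTR [esi + E_LFANEW_OFS]
        invoke  dw2hex, eax, addr buf4
        invoke  StdOut, addr buf4
        invoke  StdOut, addr endl
        invoke  StdOut, addr endl

        ; e_lfanew comes from the file. Bound it before using it as an
        ; offset, otherwise a crafted header makes the reads below leave buf3.
        mov     edx, dword PTR [esi + E_LFANEW_OFS]
        mov     ecx, nread
        sub     ecx, NT_BYTES_USED              ; cannot wrap: nread >= DOS_HDR_SIZE = NT_BYTES_USED
        cmp     edx, ecx                        ; unsigned compare also rejects "negative" values
        ja      lfanew_bad
        add     esi, edx                        ; esi = IMAGE_NT_HEADERS

        ; ---- IMAGE_NT_HEADERS ----
        invoke  StdOut, addr INH
        invoke  StdOut, addr endl
        invoke  StdOut, addr sig
        mov     eax, dword PTR [esi]            ; Signature ("PE\0\0" = 00004550h)
        invoke  dw2hex, eax, addr buf4
        invoke  StdOut, addr buf4
        invoke  StdOut, addr endl
        invoke  StdOut, addr endl

        ; ---- IMAGE_FILE_HEADER ----
        invoke  StdOut, addr IFH
        invoke  StdOut, addr endl
        invoke  StdOut, addr nos
        mov     eax, dword PTR [esi + NT_NUMSECS_OFS]   ; low word = NumberOfSections
        invoke  dw2hex, eax, addr buf4
        invoke  StdOut, offset buf4+4
        invoke  StdOut, addr endl
        invoke  StdOut, addr tds
        mov     eax, dword PTR [esi + NT_TIMESTAMP_OFS]
        invoke  dw2hex, eax, addr buf4
        invoke  StdOut, addr buf4
        invoke  StdOut, addr endl
        invoke  StdOut, addr chc
        mov     eax, dword PTR [esi + NT_CHARACT_OFS]   ; low word = Characteristics
        invoke  dw2hex, eax, addr buf4
        invoke  StdOut, offset buf4+4
        invoke  StdOut, addr endl
        invoke  StdOut, addr endl

        ; ---- IMAGE_OPTIONAL_HEADER (PE32 offsets) ----
        invoke  StdOut, addr IOH
        invoke  StdOut, addr endl
        invoke  StdOut, addr aop
        mov     eax, dword PTR [esi + NT_ENTRY_OFS]
        invoke  dw2hex, eax, addr buf4
        invoke  StdOut, addr buf4
        invoke  StdOut, addr endl
        invoke  StdOut, addr ib
        mov     eax, dword PTR [esi + NT_IMAGEBASE_OFS]
        invoke  dw2hex, eax, addr buf4
        invoke  StdOut, addr buf4
        invoke  StdOut, addr endl
        invoke  StdOut, addr sa
        mov     eax, dword PTR [esi + NT_SECALIGN_OFS]
        invoke  dw2hex, eax, addr buf4
        invoke  StdOut, addr buf4
        invoke  StdOut, addr endl
        invoke  StdOut, addr fa
        mov     eax, dword PTR [esi + NT_FILEALIGN_OFS]
        invoke  dw2hex, eax, addr buf4
        invoke  StdOut, addr buf4
        invoke  StdOut, addr endl

close_file:
        invoke  CloseHandle, hfile
        jmp     done

open_failed:
        invoke  StdOut, addr errOpen
        invoke  StdOut, addr endl
        jmp     done

read_failed:
        invoke  StdOut, addr errRead
        invoke  StdOut, addr endl
        jmp     close_file

lfanew_bad:
        invoke  StdOut, addr errLfanew
        invoke  StdOut, addr endl
        jmp     close_file

done:
        ; The original fell off the end of main with no ret; an entry point
        ; has to terminate the process explicitly.
        invoke  ExitProcess, 0
main ENDP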
END main
【流程图】