一、什么是pe文件
PE文件的全称是Portable Executable,意为可移植的可执行的文件,常见的EXE、DLL、OCX、SYS、COM都是PE文件
二、pe文件作用
pe文件结构是表示符合pe文件结构(如:exe、dll)的文件信息 ,更像一个说明二进制文件信息的说明书。
三、Dos头结构IMAGE_DOS_HEA
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
WORD e_magic; // Magic number
WORD e_cblp; // Bytes on last page of file
WORD e_cp; // Pages in file
WORD e_crlc; // Relocations
WORD e_cparhdr; // Size of header in paragraphs
WORD e_minalloc; // Minimum extra paragraphs needed
WORD e_maxalloc; // Maximum extra paragraphs needed
WORD e_ss; // Initial (relative) SS value
WORD e_sp; // Initial SP value
WORD e_csum; // Checksum
WORD e_ip; // Initial IP value
WORD e_cs; // Initial (relative) CS value
WORD e_lfarlc; // File address of relocation table
WORD e_ovno; // Overlay number
WORD e_res[4]; // Reserved words
WORD e_oemid; // OEM identifier (for e_oeminfo)
WORD e_oeminfo; // OEM information; e_oemid specific
WORD e_res2[10]; // Reserved words
LONG e_lfanew; // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
Dos头结构体中比较重要的两个字段:e_magic和e_lfanew,e_magic是一个WWORD类型,用来判断是否是"MZ"标志,当值为IMAGE_DOS_SIGNATURE表示有效,只有是有效的"MZ"标志,e_lfanew偏移才有效.。e_lfanew是一个偏移量,通过这个偏移量我们可以获取到NT头数据.
四、Nt头结构IMAGE_NT_HEADERS
typedef struct _IMAGE_NT_HEADERS64 {
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;typedef struct _IMAGE_NT_HEADERS {
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
可以看出来Nt头是区分32位和64位的,我们可以通过IMAGE_FILE_HEADER结构体中Machine成员区分32位程序和64位程序,Machine等于IMAGE_FILE_MACHINE_I386表示32位程序。
五、内存地址到文件地址映射
由于pe文件无论在磁盘和内存中存放都会进行对齐,但他们的对齐值会不相同。因此读取文件需要进行地址偏移转换。
//内存地址到文件地址映射
int rva2raw(PIMAGE_SECTION_HEADER pSections, int nNumOfSections, int nRva)
{
int ret = 0;
for (int i = 0; i < nNumOfSections; ++i)
{
//这边i+1没有越界因为在最节区末尾会添加一个空的节区
if (pSections[i].VirtualAddress <= static_cast<DWORD>(nRva) && static_cast<DWORD>(nRva) < pSections[i + 1].VirtualAddress )
{
//文件地址 = 内存偏移地址 - 该段起始地址 + 文件起始到该段偏移
ret = nRva - pSections[i].VirtualAddress + pSections[i].PointerToRawData;
break;
}
}
return ret;
}
六、完整代码
main程序
#include <iostream>
#include <fstream>
#include <windows.h>
//内存地址到文件地址映射
int rva2raw(PIMAGE_SECTION_HEADER pSections, int nNumOfSections, int nRva)
{
int ret = 0;
for (int i = 0; i < nNumOfSections; ++i)
{
//这边i+1没有越界因为在最节区末尾会添加一个空的节区
if (pSections[i].VirtualAddress <= static_cast<DWORD>(nRva) && static_cast<DWORD>(nRva) < pSections[i + 1].VirtualAddress )
{
//文件地址 = 内存偏移地址 - 该段起始地址 + 文件起始到该段偏移
ret = nRva - pSections[i].VirtualAddress + pSections[i].PointerToRawData;
break;
}
}
return ret;
}
int printDllSymbols(const std::string& dllPath)
{
if (dllPath.empty())
{
std::cout << "文件路径为空,请传入正确的文件路径!" << std::endl;
return -1;
}
std::ifstream peFile(dllPath, std::ios::binary | std::ios::in);
if (!peFile)
{
std::cout << "dll文件打开失败,ErrorNo=" << GetLastError() << std::endl;
return -1;
}
//读取DOS头信息
IMAGE_DOS_HEADER dosHeader;
peFile.read((char*)&dosHeader, sizeof(IMAGE_DOS_HEADER));
if (dosHeader.e_magic != IMAGE_DOS_SIGNATURE)
{
std::cout << "不是有效的MZ标志" << std::endl;
peFile.close();
return -1;
}
//读取pe标志和File头
DWORD signature;
peFile.seekg(dosHeader.e_lfanew, std::ios::beg);
peFile.read((char*)&signature, sizeof(DWORD));
if (signature != IMAGE_NT_SIGNATURE)
{
std::cout << "不是有效的PE标志" << std::endl;
peFile.close();
return -1;
}
IMAGE_FILE_HEADER fileHeader;
peFile.seekg(dosHeader.e_lfanew + sizeof(DWORD), std::ios::beg);
peFile.read((char*)&fileHeader, sizeof(IMAGE_FILE_HEADER));
WORD numberOfSections = 0;
DWORD virtualAddress = 0;
if (fileHeader.Machine == IMAGE_FILE_MACHINE_I386)
{
std::cout << "有效的32位程序!" << std::endl;
IMAGE_NT_HEADERS32 ntHeader;
peFile.seekg(dosHeader.e_lfanew, std::ios::beg);
peFile.read((char*)&ntHeader, sizeof(IMAGE_NT_HEADERS32));
numberOfSections = ntHeader.FileHeader.NumberOfSections;
virtualAddress = ntHeader.OptionalHeader.DataDirectory[0].VirtualAddress;
}
else
{
std::cout << "有效的64位程序!" << std::endl;
IMAGE_NT_HEADERS64 ntHeader;
peFile.seekg(dosHeader.e_lfanew, std::ios::beg);
peFile.read((char*)&ntHeader, sizeof(IMAGE_NT_HEADERS64));
numberOfSections = ntHeader.FileHeader.NumberOfSections;
virtualAddress = ntHeader.OptionalHeader.DataDirectory[0].VirtualAddress;
}
if (!virtualAddress)
{
std::cout << "文件没有导出符号" << std::endl;
peFile.close();
return -1;
}
//读取节区头
PIMAGE_SECTION_HEADER pSecHeader = new IMAGE_SECTION_HEADER[numberOfSections];
peFile.read((char*)pSecHeader,sizeof(IMAGE_SECTION_HEADER)* numberOfSections);
//计算导出表的RAW
int nExportOfSet = rva2raw(pSecHeader, numberOfSections, virtualAddress);
if (!nExportOfSet)
{
std::cout << "计算导出表RAW错误" << std::endl;
peFile.close();
delete[] pSecHeader;
return -1;
}
//读取导出表
IMAGE_EXPORT_DIRECTORY exportDic;
peFile.seekg(nExportOfSet,std::ios::beg);
peFile.read((char*)&exportDic,sizeof(IMAGE_EXPORT_DIRECTORY));
int nAddressNum = exportDic.NumberOfFunctions;
//获取导出函数名称
int* pFuncName = new int[nAddressNum];
peFile.seekg(rva2raw(pSecHeader,numberOfSections,exportDic.AddressOfNames),std::ios::beg);
peFile.read((char*)pFuncName,nAddressNum*sizeof(int));
//获取导出函数序号
short* pFuncOrder = new short[nAddressNum];
peFile.seekg(rva2raw(pSecHeader, numberOfSections, exportDic.AddressOfNameOrdinals), std::ios::beg);
peFile.read((char*)pFuncOrder, nAddressNum*sizeof(short));
//获取导出函数地址
int* pFuncAddress = new int[nAddressNum];
peFile.seekg(rva2raw(pSecHeader, numberOfSections, exportDic.AddressOfFunctions), std::ios::beg);
peFile.read((char*)pFuncAddress, nAddressNum * sizeof(int));
//遍历导出函数
char functionName[MAX_PATH];
std::cout << "index\t" << "|" << "id\t" << "|" << "RVA\t" << "|" << "Name\t" << "|" << std::endl;
for (int i = 0; i < nAddressNum; ++i)
{
memset(functionName,0, MAX_PATH);
peFile.seekg(rva2raw(pSecHeader,numberOfSections,pFuncName[i]),std::ios::beg);
peFile.read(functionName,MAX_PATH);
std::cout << std::dec << i << "\t|";
std::cout << std::hex << pFuncOrder[i] << "\t|";
std::cout << pFuncAddress[i] << "\t|";
std::cout << functionName << "\t|";
std::cout << std::endl;
}
peFile.close();
delete[] pSecHeader;
delete[] pFuncName;
delete[] pFuncOrder;
delete[] pFuncAddress;
return 0;
}
int main(int argc, char** argv)
{
std::string dllPath = "D:\\algorithmDll.dll";
if (argc >= 2)
{
dllPath = argv[1];
}
std::cout << "dllPath = "<< dllPath << std::endl;
int ret = printDllSymbols(dllPath);
system("pause");
return ret;
}
dll程序:
algorithm.h
#ifndef __ALGORITHM__H_
#define __ALGORITHM__H_
extern "C" {
//加法
__declspec(dllexport) int __stdcall add(int a,int b);
//减法
__declspec(dllexport) int __stdcall sub(int a, int b);
//乘法
__declspec(dllexport) int __stdcall mul(int a, int b);
//除法
__declspec(dllexport) int __stdcall div(int a, int b);
}
#endif
algorithm.cpp
#include "algorithom.h"
//加法
__declspec(dllexport) int __stdcall add(int a, int b)
{
return a + b;
}
//减法
__declspec(dllexport) int __stdcall sub(int a, int b)
{
return a - b;
}
//乘法
__declspec(dllexport) int __stdcall mul(int a, int b)
{
return a * b;
}
//除法
__declspec(dllexport) int __stdcall div(int a, int b)
{
if (b == 0)
{
return 0;
}
return a / b;
}
七、输出结果
dependency查看结果
欢迎关注微信公众号:
交流QQ群:936367534