PE文件查看源代码

最新推荐文章于 2023-07-07 08:42:36 发布

denglin_123

最新推荐文章于 2023-07-07 08:42:36 发布

阅读量293

点赞数

文章标签： image descriptor header import file dos

本文链接：https://blog.csdn.net/denglin_123/article/details/6490488

版权

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <conio.h>

#define addr(rva) (void *)((char *)((char *)pBasePoint+pSectionHead->PointerToRawData)+((DWORD)(rva)-pSectionHead->VirtualAddress))

int main(int argc,char *argv[]){

IMAGE_DOS_HEADER *pDosHead;
IMAGE_NT_HEADERS *pPeHead;
IMAGE_SECTION_HEADER *pSectionHead;
HANDLE hFile, hMapping;
char *pBasePoint;
//Create the File Handle
hFile = ::CreateFile(argv[1], GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
if(hFile == INVALID_HANDLE_VALUE){
  return 0;
}
if(!(hMapping = ::CreateFileMapping(hFile, 0, PAGE_READONLY|SEC_COMMIT, 0, 0, 0))){
  goto end;
  return 0;
}
if(!(pBasePoint = (char *)MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0))){
  goto end;
  return 0;
}
//Check is the File is PE File
pDosHead = (IMAGE_DOS_HEADER *)pBasePoint;
if(pDosHead->e_magic != IMAGE_DOS_SIGNATURE){
  goto end;
}
pPeHead = (IMAGE_NT_HEADERS *)(pBasePoint + pDosHead->e_lfanew);
if(pPeHead->Signature != IMAGE_NT_SIGNATURE){
  goto end;
}
printf("运行平台 : /t");
if(pPeHead->FileHeader.Machine == IMAGE_FILE_MACHINE_I386){
  printf("X86CPU/n");
}else{
  printf("未X86CPU/n");
}
//打印PE文件头中的一些重要信息
printf("节数目：/t%d/n",pPeHead->FileHeader.NumberOfSections);
printf("创建时间：/t%X/n",pPeHead->FileHeader.TimeDateStamp);
printf("PointerToSymbolTable:/t%X/n",pPeHead->FileHeader.PointerToSymbolTable);
printf("NumberOfSymbols:/t%X/n",pPeHead->FileHeader.NumberOfSymbols);
printf("SizeOfOptionalHeader:/t%X/n",pPeHead->FileHeader.SizeOfOptionalHeader);
printf("Characteristics:/t%X/n",pPeHead->FileHeader.Characteristics);
//列出Optional Header信息
printf("进入点：/t%x/n",pPeHead->OptionalHeader.AddressOfEntryPoint);
printf("载入地址：/t%x/n",pPeHead->OptionalHeader.ImageBase);
printf("内存对齐：/t%x/n",pPeHead->OptionalHeader.SectionAlignment);
printf("文件对齐：/t%x/n",pPeHead->OptionalHeader.FileAlignment);
printf("MajorSubsystemVersion：/t%x/n",pPeHead->OptionalHeader.MajorSubsystemVersion);
printf("MinorSubsystemVersion：/t%x/n",pPeHead->OptionalHeader.MinorSubsystemVersion);
printf("映像大小：/t%x/n",pPeHead->OptionalHeader.SizeOfImage);
printf("头大小：/t%x/n",pPeHead->OptionalHeader.SizeOfHeaders);
printf("界面：/t%x/n",pPeHead->OptionalHeader.Subsystem);

printf("节数目 : /t%d/n", pPeHead->FileHeader.NumberOfSections);
printf("创建时间: /t%x/n", pPeHead->FileHeader.TimeDateStamp);
printf("PointerToSymbolTable: /t%x/n", pPeHead->FileHeader.PointerToSymbolTable);
for(int i = 0; i < pPeHead->FileHeader.NumberOfSections; ++i){
  pSectionHead = (IMAGE_SECTION_HEADER *)((char *)pPeHead + sizeof(*pPeHead) + i * sizeof(*pSectionHead));
  printf("/n节名称: /n");
  for(int j = 0; j < sizeof(pSectionHead->Name); ++j){
   if(pSectionHead->Name[j] == 0){
    break;
   }
   putch(pSectionHead->Name[j]);
  }
  printf("/n本节的RVA: /t%x/n", pSectionHead->VirtualAddress);
  printf("映射尺寸: /t%x/n", pSectionHead->SizeOfRawData);
  printf("文件数据偏移: /t%x/n", pSectionHead->PointerToRawData);
  printf("节属性: /t/%x/n", pSectionHead->Characteristics);
}
//导入表//遍历节表查找导入表的位置
for(int i = 0; i < pPeHead->FileHeader.NumberOfSections; ++i){
  IMAGE_DATA_DIRECTORY *pData = &pPeHead->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
  pSectionHead = (IMAGE_SECTION_HEADER *)((char*)pPeHead + sizeof( *pPeHead ) + i * sizeof(*pSectionHead));
  if(pData->VirtualAddress >= pSectionHead->VirtualAddress && pData->VirtualAddress + pData->Size <= pSectionHead->VirtualAddress+pSectionHead->SizeOfRawData);{
   IMAGE_IMPORT_DESCRIPTOR *pImport = (IMAGE_IMPORT_DESCRIPTOR *)addr(pData->VirtualAddress);
   while(pImport->Name){
    IMAGE_THUNK_DATA *imThunk_data = (IMAGE_THUNK_DATA *)addr(pImport->Characteristics);
    printf("/n导入模块: %s/n/n", (char *)addr(pImport->Name));
    while(imThunk_data->u1.Ordinal){
     if(IMAGE_SNAP_BY_ORDINAL(imThunk_data->u1.Ordinal)){
      printf("/t导入ID: /t%d/n", IMAGE_ORDINAL(imThunk_data->u1.Ordinal));
     }else{
      IMAGE_IMPORT_BY_NAME *imImport_Name = (IMAGE_IMPORT_BY_NAME *)addr(imThunk_data->u1.AddressOfData);
      printf("/t导入函数: /t/%s/n", (char *)imImport_Name->Name);
     }
     imThunk_data++;
    }
    pImport++;
   }
   break;
  }
}
end:
if(hFile){
  CloseHandle(hFile);
  hFile = NULL;
}
if(hMapping){
  CloseHandle(hMapping);
  hMapping = NULL;
}
return 0;
}