从PE结构取调试信息 代码

最新推荐文章于 2021-05-21 21:20:40 发布
最新推荐文章于 2021-05-21 21:20:40 发布
阅读量1.8k 收藏 4
点赞数 1
分类专栏: 从PE结构取调试信息 代码 文章标签: 从PE结构取调试信息 代码

不解释 直接上代码


///
//
// DebugDir.cpp 
//
// DebugDir example source code 
// 
// Author: Oleg Starodumov (www.debuginfo.com)
//
//


///
// Include files 
//

#include <windows.h>
#include <tchar.h>

#include <crtdbg.h>
#include <stdio.h>
#include <limits.h>


///
// Helper macros 
//

// Thanks to Matt Pietrek 
#define MakePtr( cast, ptr, addValue ) (cast)( (DWORD_PTR)(ptr) + (DWORD_PTR)(addValue))


///
// CodeView debug information structures 
//

#define CV_SIGNATURE_NB10   '01BN'
#define CV_SIGNATURE_RSDS   'SDSR'

// CodeView header 
struct CV_HEADER 
{
	DWORD CvSignature; // NBxx
	LONG  Offset;      // Always 0 for NB10
};

// CodeView NB10 debug information 
// (used when debug information is stored in a PDB 2.00 file) 
struct CV_INFO_PDB20 
{
	CV_HEADER  Header; 
	DWORD      Signature;       // seconds since 01.01.1970
	DWORD      Age;             // an always-incrementing value 
	BYTE       PdbFileName[1];  // zero terminated string with the name of the PDB file 
};

// CodeView RSDS debug information 
// (used when debug information is stored in a PDB 7.00 file) 
struct CV_INFO_PDB70 
{
	DWORD      CvSignature; 
	GUID       Signature;       // unique identifier 
	DWORD      Age;             // an always-incrementing value 
	BYTE       PdbFileName[1];  // zero terminated string with the name of the PDB file 
};


///
// Function declarations 
//

LPCTSTR ProcessCmdLine( int argc, TCHAR* argv[] ); 
bool CheckDosHeader( PIMAGE_DOS_HEADER pDosHeader ); 
bool CheckNtHeaders( PIMAGE_NT_HEADERS pNtHeaders ); 
bool CheckSectionHeaders( PIMAGE_NT_HEADERS pNtHeaders ); 
bool CheckDebugDirectory( PIMAGE_DEBUG_DIRECTORY pDebugDir, DWORD DebugDirSize ); 
bool IsPE32Plus( PIMAGE_OPTIONAL_HEADER pOptionalHeader, bool& bPE32Plus ); 
bool GetDebugDirectoryRVA( PIMAGE_OPTIONAL_HEADER pOptionalHeader, DWORD& DebugDirRva, DWORD& DebugDirSize );
bool GetFileOffsetFromRVA( PIMAGE_NT_HEADERS pNtHeaders, DWORD Rva, DWORD& FileOffset ); 
void DumpDebugDirectoryEntries( LPBYTE pImageBase, PIMAGE_DEBUG_DIRECTORY pDebugDir, DWORD DebugDirSize ); 
void DumpDebugDirectoryEntry( LPBYTE pImageBase, PIMAGE_DEBUG_DIRECTORY pDebugDir ); 
void DumpCodeViewDebugInfo( LPBYTE pDebugInfo, DWORD DebugInfoSize ); 
void DumpMiscDebugInfo( LPBYTE pDebugInfo, DWORD DebugInfoSize ); 
LPCTSTR DebugTypeToStr( DWORD DebugType ); 
void DumpGuid( GUID& Guid ); 


///
// main 
//

int main(  ) 
{
	// Process the command line and obtain the file name 

	LPCTSTR FileName = L"C:\\Windows\\Sysnative\\bootvid.dll"; 

	if( FileName == 0 ) 
		return 0; 

	_tprintf( _T("File: %s \n"), FileName ); 


	// Process the file 

	HANDLE hFile      = NULL; 
	HANDLE hFileMap   = NULL; 
	LPVOID lpFileMem  = 0; 

	do 
	{
		// Open the file and map it into memory 

		hFile = CreateFile( FileName, GENERIC_READ, FILE_SHARE_READ, NULL, 
			OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL ); 

		if( ( hFile == INVALID_HANDLE_VALUE ) || ( hFile == NULL ) ) 
		{
			_tprintf( _T("Error: Cannot open the file. Error code: %u \n"), GetLastError() ); 
			break; 
		}

		hFileMap = CreateFileMapping( hFile, NULL, PAGE_READONLY, 0, 0, NULL ); 

		if( hFileMap == NULL ) 
		{
			_tprintf( _T("Error: Cannot open the file mapping object. Error code: %u \n"), GetLastError() ); 
			break; 
		}

		lpFileMem = MapViewOfFile( hFileMap, FILE_MAP_READ, 0, 0, 0 ); 

		if( lpFileMem == 0 ) 
		{
			_tprintf( _T("Error: Cannot map the file. Error code: %u \n"), GetLastError() ); 
			break; 
		}


		// Is it a valid PE executable ? 

		PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)lpFileMem; 

		if( !CheckDosHeader( pDosHeader ) )
		{
			_tprintf( _T("Error: File is not a PE executable.\n") ); 
			break; 
		}

		PIMAGE_NT_HEADERS pNtHeaders = MakePtr( PIMAGE_NT_HEADERS, pDosHeader, pDosHeader->e_lfanew );

		if( !CheckNtHeaders( pNtHeaders ) ) 
		{
			_tprintf( _T("Error: File is not a PE executable.\n") ); 
			break; 
		}

		if( !CheckSectionHeaders( pNtHeaders ) ) 
		{
			_tprintf( _T("Error: File is not a PE executable.\n") ); 
			break; 
		}


		// Look up the debug directory 

		DWORD DebugDirRva   = 0; 
		DWORD DebugDirSize  = 0; 

		if( !GetDebugDirectoryRVA( &pNtHeaders->OptionalHeader, DebugDirRva, DebugDirSize ) ) 
		{
			_tprintf( _T("Error: File is not a PE executable.\n") ); 
			break; 
		}

		if( ( DebugDirRva == 0 ) || ( DebugDirSize == 0 ) ) 
		{
			_tprintf( _T("Debug directory not found.\n") ); 
			break; 
		}

		DWORD DebugDirOffset = 0; 

		if( !GetFileOffsetFromRVA( pNtHeaders, DebugDirRva, DebugDirOffset ) ) 
		{
			_tprintf( _T("Debug directory not found.\n") ); 
			break; 
		}

		PIMAGE_DEBUG_DIRECTORY pDebugDir = MakePtr( PIMAGE_DEBUG_DIRECTORY, lpFileMem, DebugDirOffset ); 

		if( !CheckDebugDirectory( pDebugDir, DebugDirSize ) ) 
		{
			_tprintf( _T("Error: Debug directory is not valid.\n") ); 
			break; 
		}


		// Display information about every entry in the debug directory 

		DumpDebugDirectoryEntries( (LPBYTE)lpFileMem, pDebugDir, DebugDirSize ); 


	}
	while( 0 ); 


	// Cleanup 

	if( lpFileMem != 0 ) 
	{
		if( !UnmapViewOfFile( lpFileMem ) ) 
		{
			_tprintf( _T("Error: Cannot unmap the file. Error code: %u \n"), GetLastError() ); 
			_ASSERT( 0 ); 
		}
	}

	if( hFileMap != NULL ) 
	{
		if( !CloseHandle( hFileMap ) ) 
		{
			_tprintf( _T("Error: Cannot close the file mapping object. Error code: %u \n"), GetLastError() ); 
			_ASSERT( 0 ); 
		}
	}

	if( ( hFile != NULL ) && ( hFile != INVALID_HANDLE_VALUE ) ) 
	{
		if( !CloseHandle( hFile ) ) 
		{
			_tprintf( _T("Error: Cannot close the file. Error code: %u \n"), GetLastError() ); 
			_ASSERT( 0 ); 
		}
	}


	// Complete 

	return 0; 
}


///
// Functions 
//

// 
// Process command line and display usage information, if necessary 
// 
// Return value: If command line parameters are correct, the function 
//   returns a pointer to the file name specified by the user. 
//   If command line parameters are incorrect, the function returns null. 
// 
LPCTSTR ProcessCmdLine( int argc, TCHAR* argv[] ) 
{
	if( argc < 2 ) 
	{
		_tprintf( _T("Usage: %s FileName \n"), argv[0] ); 
		return 0; 
	}

	return argv[1]; 
}

// 
// Check IMAGE_DOS_HEADER and determine whether the file is a PE executable 
// (according to the header contents) 
// 
// Return value: "true" if the header is valid and the file is a PE executable, 
//   "false" otherwise 
// 
bool CheckDosHeader( PIMAGE_DOS_HEADER pDosHeader ) 
{
	// Check whether the header is valid and belongs to a PE executable 

	if( pDosHeader == 0 ) 
	{
		_ASSERT( 0 ); 
		return false; 
	}

	if( IsBadReadPtr( pDosHeader, sizeof(IMAGE_DOS_HEADER) ) )
	{
		// Invalid header 
		return false; 
	}

	if( pDosHeader->e_magic != IMAGE_DOS_SIGNATURE ) 
	{
		// Not a PE executable 
		return false; 
	}

	return true; 
}

// 
// Check IMAGE_NT_HEADERS and determine whether the file is a PE executable 
// (according to the headers' contents) 
// 
// Return value: "true" if the headers are valid and the file is a PE executable, 
//   "false" otherwise 
// 
bool CheckNtHeaders( PIMAGE_NT_HEADERS pNtHeaders ) 
{
	// Check the signature 

	if( pNtHeaders == 0 ) 
	{
		_ASSERT( 0 ); 
		return false; 
	}

	if( IsBadReadPtr( pNtHeaders, sizeof(pNtHeaders->Signature) ) ) 
	{
		// Invalid header 
		return false; 
	}

	if( pNtHeaders->Signature != IMAGE_NT_SIGNATURE ) 
	{
		// Not a PE executable 
		return false; 
	}


	// Check the file header 

	if( IsBadReadPtr( &pNtHeaders->FileHeader, sizeof(IMAGE_FILE_HEADER) ) )
	{
		// Invalid header 
		return false; 
	}

	if( IsBadReadPtr( &pNtHeaders->OptionalHeader, pNtHeaders->FileHeader.SizeOfOptionalHeader ) ) 
	{
		// Invalid size of the optional header 
		return false; 
	}


	// Determine the format of the header 

	// If true, PE32+, otherwise PE32
	bool bPE32Plus = false; 

	if( !IsPE32Plus( &pNtHeaders->OptionalHeader, bPE32Plus ) ) 
	{
		// Probably invalid IMAGE_OPTIONAL_HEADER.Magic 
		return false; 
	}


	// Complete 

	return true; 
}

// 
// Lookup the section headers and check whether they are valid 
// 
// Return value: "true" if the headers are valid, "false" otherwise 
// 
bool CheckSectionHeaders( PIMAGE_NT_HEADERS pNtHeaders ) 
{
	if( pNtHeaders == 0 ) 
	{
		_ASSERT( 0 ); 
		return false; 
	}

	PIMAGE_SECTION_HEADER pSectionHeaders = IMAGE_FIRST_SECTION( pNtHeaders ); 

	if( IsBadReadPtr( pSectionHeaders, pNtHeaders->FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER) ) ) 
	{
		// Invalid header 
		return false; 
	}

	return true; 
}

// 
// Checks whether the debug directory is valid 
// 
// Return value: "true" if the debug directory is valid, "false" if it is not 
// 
bool CheckDebugDirectory( PIMAGE_DEBUG_DIRECTORY pDebugDir, DWORD DebugDirSize ) 
{
	if( ( pDebugDir == 0 ) || ( DebugDirSize == 0 ) ) 
	{
		_ASSERT( 0 ); 
		return false; 
	}

	if( IsBadReadPtr( pDebugDir, DebugDirSize ) ) 
	{
		// Invalid debug directory 
		return false; 
	}

	if( DebugDirSize < sizeof(IMAGE_DEBUG_DIRECTORY) ) 
	{
		// Invalid size of the debug directory 
		return false; 
	}

	return true; 
}

// 
// Check whether the specified IMAGE_OPTIONAL_HEADER belongs to 
// a PE32 or PE32+ file format 
// 
// Return value: "true" if succeeded (bPE32Plus contains "true" if the file 
//  format is PE32+, and "false" if the file format is PE32), 
//  "false" if failed 
// 
bool IsPE32Plus( PIMAGE_OPTIONAL_HEADER pOptionalHeader, bool& bPE32Plus ) 
{
	// Note: The function does not check the header for validity. 
	// It assumes that the caller has performed all the necessary checks. 

	// IMAGE_OPTIONAL_HEADER.Magic field contains the value that allows 
	// to distinguish between PE32 and PE32+ formats 

	if( pOptionalHeader->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC ) 
	{
		// PE32 
		bPE32Plus = false; 
	}
	else if( pOptionalHeader->Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC ) 
	{
		// PE32+
		bPE32Plus = true; 
	}
	else 
	{
		// Unknown value -> Report an error 
		bPE32Plus = false; 
		return false; 
	}

	return true; 

}

// 
// Returns (in [out] parameters) the RVA and size of the debug directory, 
// using the information in IMAGE_OPTIONAL_HEADER.DebugDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG]
// 
// Return value: "true" if succeeded, "false" if failed
// 
bool GetDebugDirectoryRVA( PIMAGE_OPTIONAL_HEADER pOptionalHeader, DWORD& DebugDirRva, DWORD& DebugDirSize ) 
{
	// Check parameters 

	if( pOptionalHeader == 0 ) 
	{
		_ASSERT( 0 ); 
		return false; 
	}


	// Determine the format of the PE executable 

	bool bPE32Plus = false; 

	if( !IsPE32Plus( pOptionalHeader, bPE32Plus ) ) 
	{
		// Probably invalid IMAGE_OPTIONAL_HEADER.Magic
		return false; 
	}


	// Obtain the debug directory RVA and size 

	if( bPE32Plus ) 
	{
		PIMAGE_OPTIONAL_HEADER64 pOptionalHeader64 = (PIMAGE_OPTIONAL_HEADER64)pOptionalHeader; 

		DebugDirRva = pOptionalHeader64->DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].VirtualAddress; 

		DebugDirSize = pOptionalHeader64->DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].Size; 
	}
	else 
	{
		PIMAGE_OPTIONAL_HEADER32 pOptionalHeader32 = (PIMAGE_OPTIONAL_HEADER32)pOptionalHeader; 

		DebugDirRva = pOptionalHeader32->DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].VirtualAddress; 

		DebugDirSize = pOptionalHeader32->DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].Size; 
	}

	if( ( DebugDirRva == 0 ) && ( DebugDirSize == 0 ) ) 
	{
		// No debug directory in the executable -> no debug information 
		return true; 
	}
	else if( ( DebugDirRva == 0 ) || ( DebugDirSize == 0 ) )
	{
		// Inconsistent data in the data directory 
		return false; 
	}


	// Complete 

	return true; 

}

// 
// The function walks through the section headers, finds out the section 
// the given RVA belongs to, and uses the section header to determine 
// the file offset that corresponds to the given RVA 
// 
// Return value: "true" if succeeded, "false" if failed 
// 
bool GetFileOffsetFromRVA( PIMAGE_NT_HEADERS pNtHeaders, DWORD Rva, DWORD& FileOffset ) 
{
	// Check parameters 

	if( pNtHeaders == 0 ) 
	{
		_ASSERT( 0 ); 
		return false; 
	}


	// Look up the section the RVA belongs to 

	bool bFound = false; 

	PIMAGE_SECTION_HEADER pSectionHeader = IMAGE_FIRST_SECTION( pNtHeaders ); 

	for( int i = 0; i < pNtHeaders->FileHeader.NumberOfSections; i++, pSectionHeader++ ) 
	{
		DWORD SectionSize = pSectionHeader->Misc.VirtualSize; 

		if( SectionSize == 0 ) // compensate for Watcom linker strangeness, according to Matt Pietrek 
			pSectionHeader->SizeOfRawData; 

		if( ( Rva >= pSectionHeader->VirtualAddress ) && 
			( Rva < pSectionHeader->VirtualAddress + SectionSize ) ) 
		{
			// Yes, the RVA belongs to this section 
			bFound = true; 
			break; 
		}
	}

	if( !bFound ) 
	{
		// Section not found 
		return false; 
	}


	// Look up the file offset using the section header 

	INT Diff = (INT)( pSectionHeader->VirtualAddress - pSectionHeader->PointerToRawData ); 

	FileOffset = Rva - Diff; 


	// Complete 

	return true; 

}

// 
// Walk through each entry in the debug directory and display information about it 
// 
void DumpDebugDirectoryEntries( LPBYTE pImageBase, PIMAGE_DEBUG_DIRECTORY pDebugDir, DWORD DebugDirSize ) 
{
	// Check parameters 

	if( !CheckDebugDirectory( pDebugDir, DebugDirSize ) ) 
	{
		_ASSERT( 0 ); 
		return; 
	}

	if( pImageBase == 0 ) 
	{
		_ASSERT( 0 ); 
		return; 
	}


	// Determine the number of entries in the debug directory 

	int NumEntries = DebugDirSize / sizeof(IMAGE_DEBUG_DIRECTORY); 

	if( NumEntries == 0 ) 
	{
		_ASSERT( 0 ); 
		return; 
	}

	_tprintf( _T("Number of entries in debug directory: %d \n"), NumEntries ); 


	// Display information about every entry 

	for( int i = 1; i <= NumEntries; i++, pDebugDir++ ) 
	{
		_tprintf( _T("\nDebug directory entry %d: \n"), i ); 

		DumpDebugDirectoryEntry( pImageBase, pDebugDir ); 
	}

}

// 
// Display information about debug directory entry 
// 
void DumpDebugDirectoryEntry( LPBYTE pImageBase, PIMAGE_DEBUG_DIRECTORY pDebugDir ) 
{
	// Check parameters 

	if( pDebugDir == 0 ) 
	{
		_ASSERT( 0 ); 
		return; 
	}

	if( pImageBase == 0 ) 
	{
		_ASSERT( 0 ); 
		return; 
	}


	// Display information about the entry 

	if( pDebugDir->Type != IMAGE_DEBUG_TYPE_UNKNOWN ) 
	{
		_tprintf( _T("Type: %u ( %s ) \n"), pDebugDir->Type, DebugTypeToStr(pDebugDir->Type) ); 

		_tprintf( _T("TimeStamp: %08x  Characteristics: %x  MajorVer: %u  MinorVer: %u \n"), 
			pDebugDir->TimeDateStamp, pDebugDir->Characteristics, pDebugDir->MajorVersion, pDebugDir->MinorVersion ); 

		_tprintf( _T("Size: %u  RVA: %08x  FileOffset: %08x  \n"), pDebugDir->SizeOfData, 
			pDebugDir->AddressOfRawData, pDebugDir->PointerToRawData ); 
	}
	else 
	{
		_tprintf( _T("Type: Unknown.\n") ); 
	}


	// Display additional information for some interesting debug information types 

	LPBYTE pDebugInfo = pImageBase + pDebugDir->PointerToRawData; 

	if( pDebugDir->Type == IMAGE_DEBUG_TYPE_CODEVIEW ) 
	{
		DumpCodeViewDebugInfo( pDebugInfo, pDebugDir->SizeOfData ); 
	}
	else if( pDebugDir->Type == IMAGE_DEBUG_TYPE_MISC ) 
	{
		DumpMiscDebugInfo( pDebugInfo, pDebugDir->SizeOfData ); 
	}

}

// 
// Display information about CodeView debug information block 
// 
void DumpCodeViewDebugInfo( LPBYTE pDebugInfo, DWORD DebugInfoSize ) 
{
	// Check parameters 

	if( ( pDebugInfo == 0 ) || ( DebugInfoSize == 0 ) ) 
		return; 

	if( IsBadReadPtr( pDebugInfo, DebugInfoSize ) ) 
		return; 

	if( DebugInfoSize < sizeof(DWORD) ) // size of the signature 
		return; 


	// Determine the format of the information and display it accordingly 

	DWORD CvSignature = *(DWORD*)pDebugInfo; 

	if( CvSignature == CV_SIGNATURE_NB10 ) 
	{
		// NB10 -> PDB 2.00 

		CV_INFO_PDB20* pCvInfo = (CV_INFO_PDB20*)pDebugInfo; 

		if( IsBadReadPtr( pDebugInfo, sizeof(CV_INFO_PDB20) ) ) 
			return;

		if( IsBadStringPtrA( (CHAR*)pCvInfo->PdbFileName, UINT_MAX ) ) 
			return; 

		_tprintf( _T("CodeView format: NB10 \n") ); 

		printf( "Signature: %08x  Age: %u  \n", pCvInfo->Signature, pCvInfo->Age ); 

		printf( "PDB File: %s \n", pCvInfo->PdbFileName ); 

	}
	else if( CvSignature == CV_SIGNATURE_RSDS ) 
	{
		// RSDS -> PDB 7.00 

		CV_INFO_PDB70* pCvInfo = (CV_INFO_PDB70*)pDebugInfo; 

		if( IsBadReadPtr( pDebugInfo, sizeof(CV_INFO_PDB70) ) ) 
			return;

		if( IsBadStringPtrA( (CHAR*)pCvInfo->PdbFileName, UINT_MAX ) ) 
			return; 

		_tprintf( _T("CodeView format: RSDS \n") ); 

		_tprintf( _T("Signature: ") ); 
		DumpGuid( pCvInfo->Signature ); 

		printf( "  Age: %u  \n", pCvInfo->Age ); 

		printf( "PdbFile: %s \n", pCvInfo->PdbFileName ); 

	}
	else 
	{
		// Other CodeView format 

		CHAR* pSig = (CHAR*)&CvSignature; 

		printf( "CodeView signature: %c%c%c%c \n", pSig[0], pSig[1], pSig[2], pSig[3] ); 

		if( ( pSig[0] == 'N' ) && ( pSig[1] == 'B' ) ) // One of NBxx formats 
		{
			CV_HEADER* pCvHeader = (CV_HEADER*)pDebugInfo; 

			_tprintf( _T("CodeView information offset: %08x\n"), pCvHeader->Offset ); 
		}
	}

}

// 
// Display information about Misc debug information block 
// 
void DumpMiscDebugInfo( LPBYTE pDebugInfo, DWORD DebugInfoSize ) 
{
	// Check parameters 

	if( ( pDebugInfo == 0 ) || ( DebugInfoSize == 0 ) ) 
		return; 

	if( IsBadReadPtr( pDebugInfo, DebugInfoSize ) ) 
		return; 

	if( DebugInfoSize < sizeof(IMAGE_DEBUG_MISC) ) 
		return; 


	// Display information 

	PIMAGE_DEBUG_MISC pMiscInfo = (PIMAGE_DEBUG_MISC)pDebugInfo; 

	_tprintf( _T("Data type: %u  Length: %u  Format: %s \n"), pMiscInfo->DataType, 
		pMiscInfo->Length, pMiscInfo->Unicode ? _T("Unicode") : _T("ANSI") ); 

	if( pMiscInfo->DataType == IMAGE_DEBUG_MISC_EXENAME ) 
	{
		// Yes, it should refer to a DBG file 

		if( pMiscInfo->Unicode ) 
		{
			if( !IsBadStringPtrW( (WCHAR*)pMiscInfo->Data, UINT_MAX ) ) 
				wprintf( L"File: %s \n", (WCHAR*)pMiscInfo->Data ); 
		}
		else // ANSI 
		{
			if( !IsBadStringPtrA( (CHAR*)pMiscInfo->Data, UINT_MAX ) ) 
				printf( "File: %s \n", (CHAR*)pMiscInfo->Data ); 
		}
	}

}

LPCTSTR DebugTypeToStr( DWORD DebugType ) 
{
	switch( DebugType ) 
	{
	case IMAGE_DEBUG_TYPE_UNKNOWN: 
		return _T("Unknown"); 
		break; 

	case IMAGE_DEBUG_TYPE_COFF: 
		return _T("COFF"); 
		break; 

	case IMAGE_DEBUG_TYPE_CODEVIEW: 
		return _T("CodeView"); 
		break; 

	case IMAGE_DEBUG_TYPE_FPO: 
		return _T("FPO"); 
		break; 

	case IMAGE_DEBUG_TYPE_MISC: 
		return _T("MISC"); 
		break; 

	case IMAGE_DEBUG_TYPE_EXCEPTION: 
		return _T("Exception"); 
		break; 

	case IMAGE_DEBUG_TYPE_FIXUP: 
		return _T("Fixup"); 
		break; 

	case IMAGE_DEBUG_TYPE_OMAP_TO_SRC: 
		return _T("OMAP-to-SRC"); 
		break; 

	case IMAGE_DEBUG_TYPE_OMAP_FROM_SRC: 
		return _T("OMAP-from-SRC"); 
		break; 

	case IMAGE_DEBUG_TYPE_BORLAND: 
		return _T("Borland"); 
		break; 

	default: 
		return _T("Unknown"); 
		break; 
	}

	_ASSERT( 0 ); 

	return _T("Unknown"); 

}

void DumpGuid( GUID& Guid ) 
{
	_tprintf( _T("{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}"), 
		Guid.Data1, Guid.Data2, Guid.Data3, Guid.Data4[0], Guid.Data4[1], Guid.Data4[2], 
		Guid.Data4[3], Guid.Data4[4], Guid.Data4[5], Guid.Data4[6], Guid.Data4[7] ); 
}




nLif
关注
专栏目录
C++软件调试与异常排查从入门到精通系列文章汇总
dvlinker的技术专栏
06-29 17万+
根据近几年排查软件异常的实践与经验,系统地讲解了C++软件异常常见原因与常用排查方法,以图文并茂的方式给出具体的分析实例,带领大家逐步掌握C++软件异常排查的相关技术与要领。
PE文件解析-调试、版权与.NET信息(COM表)
zhyulo的博客
01-06 2947
一、映像调试信息     PE文件头可选映像头中数据目录表的第7成员IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG]指向映像调试信息,它保存在PE文件中,通常在".debug"区段。   映像调试信息是一个IMAGE_DEBUG_DIRECTORY结构体数组,该结构体定义如下: typedef struct _I...
软件调试笔记54 - 调试符号 : PE文件中的调试信息
imJaron的博客
12-13 962
简单PE代码
weixin_30265171的博客
05-17 137
三个文件分别是类定义文件pefile.h;类实现文件pefile.cpp;类调用文件petype.cpp. #ifndef PE_FILE_H #define PE_FILE_H #include "windows.h" #define ISMZHEADER (*(WORD*)File_memory == 0x5a4d) #define ISPEHEAD...
PE代码注入
windows小菜鸡的博客
08-15 1414
PE文件入口地址EntryPoint指向了PE文件开始执行的位置,关于PE文件的具体格式,大家可以自行百度。 本代码主要实现了在32位可执行程序中注入了一个弹窗 。其主要原理是修改EntryPoint地址处的内容,指向自己代码的地方,然后执行完毕后,再跳转到原入口的地址。 其中值得注意的几点: (1)需要关闭PE的地址随机化功能,可以通过修改OptionHeader头中的DllCharacteristics = 0x8100,来绕过地址随机化。 (2)计算E8和E9的时候,CALL 偏移:跳转地址 = 当前
PE文件格式学习(九):调试表(DebugDirectory)
tutucoo
11-07 1445
微软官方参考文档:https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format#debug-type
易语言PE结构查看
07-21
PE结构是Windows系统中的核心组成部分,它包含了代码、数据、资源等所有构成可执行程序的元素。了解和分析PE结构对于软件开发者、逆向工程师和安全研究人员都非常重要。以下是对易语言中PE结构查看涉及的关键知识点...
pdf格式Pe文件结构图及工具源码,pe文件结构详解,C,C++
09-10
- **调试信息**:包含了帮助调试程序的额外信息。 - **TLS(线程局部存储)**:用于为每个线程分配私有数据的区域。 - **PE尾部**:有时包含一些额外信息,如NT签名。 2. **查看PE文件工具**: 提供的工具用C++...
PE结构查看.rar
04-05
标题中的“PE结构查看”指的是在Windows操作系统中对可执行文件(.exe或.dll)的分析,这些文件基于Portable Executable (PE) 文件格式。PE格式是Microsoft为32位和64位Windows系统设计的一种文件格式,用于存储编译...
PE网上源代码
04-26
PE是一个很久的工具源码
最小PE程序代码
01-18
最小PE的程序样例,每次修改后的程序,打包在一个压缩包
PE调试器C语言
05-26
软件断点、内存断点、硬件断点、条件断点,单步步入 步过,DUMP文件、模块解析。
win32下PE文件(可执行文件)的常用分析与调试工具
05-02
内含多种工具,可对win32平台下的PE文件进行调试和分析,有利于进行PE文件的学习与深入研究
pe代码注射
05-18 1063
/*思路:把一个download && execute shellcode改装注射到pe文件的空闲字节处 enjoy it!*/#include #include//#define        CODESIZE    439typedef    struct    _DISKLIST        //用于保存磁盘驱动器信息的链表{    _DISKLIST    *next;   
PE中添加代码
个人笔记
05-21 331
PE中写入Shellcode需要用到的数据必须掌握的知识实现步骤 需要用到的数据 AddressOfEntryPoint ImageBase SizeofRawData VirtualSize 必须掌握的知识 实现的功能:执行完添加的代码后,跳回原来的入口。 硬编码知识: call : E8 X=[(真正跳转的地址-(E8下一行的指令地址))] //X得出来的地址必须是内存加载时的地址 jmp : E9 [同上公式] 变式:X = 真正跳转的地址-(E8当前地址+5) 注:下一行地址 = 当前地址+
PE文件相关代码
无题
11-08 769
;WIN32汇编无输入表调用API .386 .model flat,stdcall option casemap:none ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ; Include 文件定义 ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
解析PE文件代码
qq_43445167的博客
07-03 662
图形界面暂时没做出来 暑假学学QT 读文件只能在主函数里写文件路径 , 是有点low… (流下了没技术的泪水) 头文件代码: #pragma once #include<Windows.h> class CPe { private: PTCHAR ptcFilePath; //PE文件路径 IMAGE_DOS_HEADER pe_cDosHeader; I...
学习PE文件格式后编写的简单代码(C代码)
黑子工作室
07-17 1847
/* * 近日学习pe文件格式,写了一个简单的分析程序 * 个人网站:http://ggg82.126.com * 电子邮件:ggg82@163.com * QQ:358416653 * * 本程序在win2000+vc6平台编译通过 * 学习参考:看学论坛 */#include #include #include #include #incl
C++代码解析PE文件结构与特性
PE文件分析是Windows编程和逆向工程中的核心技能,涵盖了文件结构调试信息、延迟导入等多个方面,而C++是实现这一功能的强大工具。通过理解和应用这些知识,开发者可以深入理解程序的内部运作,进行调试、安全分析...
评论 2
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值