通过海哥的滴代码方式写的
#include <stdio.h>
#include <iostream>
#include <Windows.h>
#include <stdlib.h>
#include <string>
#pragma warning(disable : 4996)
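/*
 * Load the sample executable into a heap buffer and report its length.
 *
 * pSize (optional) receives the number of bytes read; it is set to 0 on
 * failure. Returns a malloc'd buffer the caller must free(), or NULL when the
 * file cannot be opened, is empty, cannot be allocated, or is read only
 * partially.
 *
 * The length matters: every offset stored inside a PE file is file-controlled,
 * so a parser needs the buffer size to validate those offsets before it
 * dereferences them.
 */
static LPVOID ReadPEFileWithSize(size_t* pSize)
{
    LPVOID ptr = NULL;
    long size = 0;
    FILE* fp = fopen("C:\\Users\\Administrator\\Desktop\\notepad.exe", "rb");

    if (pSize != NULL)
    {
        *pSize = 0;
    }
    if (fp == NULL)
    {
        return NULL;
    }

    /* Determine the file size; ftell() returns -1 on error. */
    if (fseek(fp, 0, SEEK_END) != 0 || (size = ftell(fp)) <= 0 || fseek(fp, 0, SEEK_SET) != 0)
    {
        fclose(fp);
        return NULL;
    }

    /* Allocate the buffer and copy the whole file into it. */
    ptr = malloc((size_t)size);
    if (ptr != NULL && fread(ptr, 1, (size_t)size, fp) != (size_t)size)
    {
        /* A short read would leave bytes that do not come from the file. */
        free(ptr);
        ptr = NULL;
    }
    fclose(fp);

    if (ptr != NULL && pSize != NULL)
    {
        *pSize = (size_t)size;
    }
    return ptr;
}

/*
 * Read the sample executable into memory.
 * Returns a malloc'd buffer owned by the caller (release with free()), or NULL
 * on any I/O or allocation failure.
 */
LPVOID ReadPEFile()
{
    return ReadPEFileWithSize(NULL);
}

/*
 * Print the DOS header, NT signature, file header and PE32 optional header of
 * the sample executable, using the structures declared in <Windows.h>.
 *
 * Every header is checked against the file length before it is read, because
 * e_lfanew and SizeOfOptionalHeader come from the file and may point outside
 * the buffer. Always returns NULL; the file buffer is released on every path.
 */
LPVOID PE_Header()
{
    size_t fileSize = 0;
    /* Bytes of the optional header that are printed below (everything before DataDirectory). */
    const size_t optNeeded = (size_t)FIELD_OFFSET(IMAGE_OPTIONAL_HEADER32, DataDirectory);
    /* PE signature plus IMAGE_FILE_HEADER, which sit at e_lfanew. */
    const size_t ntFixed = sizeof(DWORD) + IMAGE_SIZEOF_FILE_HEADER;
    size_t optOffset = 0;
    PIMAGE_DOS_HEADER pDosBuffer = NULL;
    PIMAGE_FILE_HEADER pStanderd = NULL;
    PIMAGE_OPTIONAL_HEADER32 PEOptionHeader = NULL;
    BYTE* pFileBuffer = (BYTE*)ReadPEFileWithSize(&fileSize);

    /* The file could not be loaded. */
    if (pFileBuffer == NULL)
    {
        printf("FileBuffer error!");
        return NULL;
    }

    /* The DOS header must fit in the file and start with the MZ signature. */
    if (fileSize < sizeof(IMAGE_DOS_HEADER) || *((PWORD)pFileBuffer) != IMAGE_DOS_SIGNATURE)
    {
        printf("Error Not PE MZ! ");
        free(pFileBuffer);
        return NULL;
    }

    /* Valid MZ file: print the DOS header fields. */
    pDosBuffer = (PIMAGE_DOS_HEADER)pFileBuffer;
    printf("\n\n[*][*][*][*][*]-<DOS->[*][*][*][*][*]\n");
    printf("%04x\n", pDosBuffer->e_magic);
    printf("%08x\n", pDosBuffer->e_lfanew);
    printf("[*][*][*][*][*][*]-[*][*][*][*][*][*]\n");

    /*
     * e_lfanew is a file-supplied offset: reject negative values and values
     * that would put the signature or the file header past the end of the
     * buffer. The signature is a full DWORD ("PE\0\0"), so compare all four
     * bytes. Offsets are added to a byte pointer; casting the pointer to
     * DWORD would truncate it in a 64-bit build.
     */
    if (pDosBuffer->e_lfanew < 0 ||
        (size_t)pDosBuffer->e_lfanew > fileSize - ntFixed ||
        *((PDWORD)(pFileBuffer + pDosBuffer->e_lfanew)) != IMAGE_NT_SIGNATURE)
    {
        printf("not NT error!");
        free(pFileBuffer);
        return NULL;
    }

    printf("\n\n\n\n[*][*][*][*][*]<- PENT标志 ->[*][*][*][*][*]\n");
    printf("Signatture %08x\n", *((PDWORD)(pFileBuffer + pDosBuffer->e_lfanew)));
    printf("[*][*][*][*][*][*]-[*][*][*][*][*][*][*][*][*][*]\n");

    /* The file header follows the 4-byte signature. */
    printf("\n\n\n\n\n[*][*][*][*][*]<- 标准PE头 ->[*][*][*][*][*]\n");
    pStanderd = (PIMAGE_FILE_HEADER)(pFileBuffer + pDosBuffer->e_lfanew + sizeof(DWORD));
    printf("Machine %04x\n", pStanderd->Machine);
    printf("NumberofSections节表数--> %04x\n", pStanderd->NumberOfSections);
    printf("Time date Stamp %08x\n", pStanderd->TimeDateStamp);
    printf("pointer To SymbilTable; %08x\n", pStanderd->PointerToSymbolTable);
    printf("Number of symbols %08x\n", pStanderd->NumberOfSymbols);
    printf("Size of optionalHeader可选PE头的大小--> %04x\n", pStanderd->SizeOfOptionalHeader);
    printf("Char acteristics %04x\n", pStanderd->Characteristics);
    printf("[*][*][*][*][*][*]-[*][*][*][*][*][*][*][*][*][*]\n");

    /*
     * The optional header starts right after the file header
     * (IMAGE_SIZEOF_FILE_HEADER is the byte width of IMAGE_FILE_HEADER).
     * Both the declared size and the remaining file bytes must cover the
     * fields printed below.
     */
    optOffset = (size_t)pDosBuffer->e_lfanew + ntFixed;
    if (pStanderd->SizeOfOptionalHeader < optNeeded || fileSize - optOffset < optNeeded)
    {
        printf("optional header error!");
        free(pFileBuffer);
        return NULL;
    }

    printf("\n\n\n\n\n[*][*][*][*][*]<- 可选PE头 ->[*][*][*][*][*]\n");
    PEOptionHeader = (PIMAGE_OPTIONAL_HEADER32)((BYTE*)pStanderd + IMAGE_SIZEOF_FILE_HEADER);
    printf("Magic %04x\n", PEOptionHeader->Magic);

    /*
     * The fields below use the 32-bit (PE32) layout. A PE32+ image has no
     * BaseOfData and a 64-bit ImageBase, so decoding it with this layout
     * would print wrong values.
     */
    if (PEOptionHeader->Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    {
        printf("optional header is not PE32, remaining fields skipped\n");
        free(pFileBuffer);
        return NULL;
    }

    printf("MajorLinkerVersion %02x\n", PEOptionHeader->MajorLinkerVersion);
    printf("MinorLinkerVersion; %02x\n", PEOptionHeader->MinorLinkerVersion);
    printf("Size of code * %08x\n", PEOptionHeader->SizeOfCode);
    printf("Size of InitializedData* %08x\n", PEOptionHeader->SizeOfInitializedData);
    printf("Size of UninitializedData* %08x\n", PEOptionHeader->SizeOfUninitializedData);
    printf("address of Entry Point* %08x\n", PEOptionHeader->AddressOfEntryPoint);
    printf("BaseOfCode;* %08x\n", PEOptionHeader->BaseOfCode);
    printf("BaseOfData;* %08x\n", PEOptionHeader->BaseOfData);
    printf("image Base %08x\n", PEOptionHeader->ImageBase);
    printf("SectionAlignment;* %08x\n", PEOptionHeader->SectionAlignment);
    printf("FileAlignment;* %08x\n", PEOptionHeader->FileAlignment);
    printf("MajorOperatingSystemVersion; %04x\n", PEOptionHeader->MajorOperatingSystemVersion);
    printf("MinorOperatingSystemVersion; %04x\n", PEOptionHeader->MinorOperatingSystemVersion);
    printf("MajorImageVersion; %04x\n", PEOptionHeader->MajorImageVersion);
    printf("MinorImageVersion; %04x\n", PEOptionHeader->MinorImageVersion);
    printf("MajorSubsystemVersion; %04x\n", PEOptionHeader->MajorSubsystemVersion);
    printf("MinorSubsystemVersion; %04x\n", PEOptionHeader->MinorSubsystemVersion);
    printf("Win32VersionValue; %08x\n", PEOptionHeader->Win32VersionValue);
    printf("Size of image* %08x\n", PEOptionHeader->SizeOfImage);
    printf("size of Headers* %08x\n", PEOptionHeader->SizeOfHeaders);
    printf("CheckSum* %08x\n", PEOptionHeader->CheckSum);
    printf("Subsystem; %04x\n", PEOptionHeader->Subsystem);
    printf("DllCharacteristics %04x\n", PEOptionHeader->DllCharacteristics);
    printf("size of stack Reserve* %08x\n", PEOptionHeader->SizeOfStackReserve);
    printf("size of Stack Commit* %08x\n", PEOptionHeader->SizeOfStackCommit);
    printf("size of heap reserve* %08x\n", PEOptionHeader->SizeOfHeapReserve);
    printf("Size of Heap Commit* %08x\n", PEOptionHeader->SizeOfHeapCommit);
    printf("loader Flags %08x\n", PEOptionHeader->LoaderFlags);
    printf("Number Of RvaAndSizes目录项数目* %08x\n", PEOptionHeader->NumberOfRvaAndSizes);
    printf("\n\n\n\n\n[*][*][*][*][*][*][*][*][*][*][*][*][*][*][*]\n");

    free(pFileBuffer);
    return NULL;
}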
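/* Entry point: dump the PE headers of the sample executable. */
int main()
{
    /*
     * PE_Header() loads the file itself. Calling ReadPEFile() here as well
     * would only allocate a second copy of the file that nothing frees.
     */
    PE_Header();
    return 0;
}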
这个版本是自己用指针偏移写的,没有用 Windows.h 里的 PE 结构体。
#include <iostream>
#include <stdio.h>
#include <stdlib.h>
#include <Windows.h>
#pragma warning(disable : 4996)
#define LPVOID void*
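/*
 * Load the sample executable into a heap buffer and report its length.
 *
 * pSize (optional) receives the number of bytes read; it is set to 0 on
 * failure. Returns a malloc'd buffer the caller must free(), or NULL when the
 * file cannot be opened, is empty, cannot be allocated, or is read only
 * partially.
 */
static LPVOID FILEbufferWithSize(size_t* pSize)
{
    LPVOID ptr = NULL;
    long size = 0;
    FILE* fp = fopen("C:\\Users\\Administrator\\Desktop\\notepad.exe", "rb");

    if (pSize != NULL)
    {
        *pSize = 0;
    }
    if (fp == NULL)
    {
        return NULL;
    }

    /* Determine the file size; ftell() returns -1 on error. */
    if (fseek(fp, 0, SEEK_END) != 0 || (size = ftell(fp)) <= 0 || fseek(fp, 0, SEEK_SET) != 0)
    {
        fclose(fp);
        return NULL;
    }

    /* Allocate the buffer and copy the whole file into it. */
    ptr = malloc((size_t)size);
    if (ptr != NULL && fread(ptr, 1, (size_t)size, fp) != (size_t)size)
    {
        /* A short read would leave bytes that do not come from the file. */
        free(ptr);
        ptr = NULL;
    }
    fclose(fp);

    if (ptr != NULL && pSize != NULL)
    {
        *pSize = (size_t)size;
    }
    return ptr;
}

/*
 * Read the sample executable into memory.
 * Returns a malloc'd buffer owned by the caller (release with free()), or NULL
 * on any I/O or allocation failure.
 */
LPVOID FILEbuffer()
{
    return FILEbufferWithSize(NULL);
}

/* Read a 16-bit value at p without assuming p is 2-byte aligned. */
static unsigned int PeU16(const unsigned char* p)
{
    unsigned short v = 0;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Read a 32-bit value at p without assuming p is 4-byte aligned. */
static unsigned int PeU32(const unsigned char* p)
{
    unsigned int v = 0;
    memcpy(&v, p, sizeof v);
    return v;
}

/*
 * Print the DOS header, NT signature, file header and PE32 optional header of
 * the sample executable by reading raw byte offsets (no Windows structures).
 *
 * The NT headers are located through e_lfanew (DOS header offset 0x3C)
 * instead of a fixed 0xE0, and every region is checked against the file
 * length before it is read, because these offsets are supplied by the file.
 * The buffer is released on every path. The stray value printed before the
 * NULL check in the earlier version is gone: it dereferenced the buffer
 * before validating it.
 */
void PEheader()
{
    size_t fileSize = 0;
    unsigned char* pcbuffer = (unsigned char*)FILEbufferWithSize(&fileSize);
    const unsigned char* nt = NULL;   /* "PE\0\0" signature */
    const unsigned char* fh = NULL;   /* file header, 20 bytes */
    const unsigned char* opt = NULL;  /* optional header */
    unsigned int e_lfanew = 0;
    unsigned int magic = 0;

    if (!pcbuffer)
    {
        printf("文件读写失败!\n");
        return;
    }

    /* The 0x40-byte DOS header must fit and start with the MZ signature. */
    if (fileSize < 0x40 || PeU16(pcbuffer) != 0x5a4d)
    {
        printf("不是MZ可执行文件!\n");
        if (fileSize >= 2)
        {
            printf("%x", PeU16(pcbuffer));
        }
        free(pcbuffer);
        return;
    }

    /* Print the DOS header fields. */
    e_lfanew = PeU32(pcbuffer + 0x3C);
    printf("[*][*][*][*][*]PE DOS块[*][*][*][*][*]\n\n");
    printf("MZ可执行标记 : %04x\n", PeU16(pcbuffer));
    printf("PE指向地址偏移量: %08x\n\n", e_lfanew);
    printf("[*][*][*][*][*][*][*][*][*][*][*][*]\n");

    /*
     * Signature (4 bytes) plus file header (20 bytes) must lie inside the
     * file. A negative e_lfanew shows up here as a huge unsigned value and
     * is rejected by the same comparison.
     */
    if (e_lfanew > fileSize - 24 || PeU32(pcbuffer + e_lfanew) != 0x00004550)
    {
        printf("error");
        free(pcbuffer);
        return;
    }
    nt = pcbuffer + e_lfanew;
    fh = nt + 4;
    opt = fh + 20;

    /* Print the NT signature and the file header. */
    printf("\n\n\n[*][*][*][*][*]PE标准头[*][*][*][*][*]\n");
    printf("NT: %08x\n", PeU32(nt));
    printf("标准PE头 machine: %04x\n", PeU16(fh));
    printf("Number OF Sections: %04x\n", PeU16(fh + 2));
    printf("Time Date Stamp: %08x\n", PeU32(fh + 4));
    printf("Pointer ToSymbl Table: %08x\n", PeU32(fh + 8));
    printf("Numder of Symbols: %08x\n", PeU32(fh + 12));
    printf("Size of Option Header: %04x\n", PeU16(fh + 16));
    printf("Char actere: %04x\n", PeU16(fh + 18));
    printf("[*][*][*][*][*][*][*][*][*][*][*][*][*]\n");

    /*
     * The fields printed below occupy the first 96 bytes of the optional
     * header; both the declared size and the remaining file bytes must
     * cover them.
     */
    if (PeU16(fh + 16) < 96 || fileSize - ((size_t)e_lfanew + 24) < 96)
    {
        printf("error");
        free(pcbuffer);
        return;
    }

    printf("\n\n\n[*][*][*][*][*]可选PE标准头[*][*][*][*][*]\n");
    magic = PeU16(opt);
    printf("magic: %04x\n", magic);

    /*
     * The offsets below are the PE32 layout (magic 0x10b). PE32+ has no
     * BaseOfData and a 64-bit ImageBase, so it would decode incorrectly.
     */
    if (magic != 0x10b)
    {
        printf("optional header is not PE32, remaining fields skipped\n");
        free(pcbuffer);
        return;
    }

    printf("MajorLinkerVersion %02x\n", opt[2]);
    printf("MinorLinkerVersion %02x\n", opt[3]);
    printf("size of code*: %08x\n", PeU32(opt + 4));
    printf("size of initializeData*: %08x\n", PeU32(opt + 8));
    printf("SizeOfUninitializedData;*: %08x\n", PeU32(opt + 12));
    printf("adderss of EntryPoint*: %08x\n", PeU32(opt + 16));
    printf("Base of code*: %08x\n", PeU32(opt + 20));
    printf("Base of data*: %08x\n", PeU32(opt + 24));
    printf("Image Base*: %08x\n", PeU32(opt + 28));
    printf("SectionAlignment*: %08x\n", PeU32(opt + 32));
    printf("FileAlifnment: %08x\n", PeU32(opt + 36));
    printf("MajorOperatingSystemVersion; %04x\n", PeU16(opt + 40));
    printf("MinorOperatingSystemVersion; %04x\n", PeU16(opt + 42));
    printf("MajorImageVersion; %04x\n", PeU16(opt + 44));
    printf("MinorImageVersion; %04x\n", PeU16(opt + 46));
    printf("MajorSubsystemVersion; %04x\n", PeU16(opt + 48));
    printf("MinorSubsystemVersion; %04x\n", PeU16(opt + 50));
    printf("Win32VersionValue; %08x\n", PeU32(opt + 52));
    printf("Size of image*; %08x\n", PeU32(opt + 56));
    printf("size of Headers*; %08x\n", PeU32(opt + 60));
    printf("CheckSum*; %08x\n", PeU32(opt + 64));
    printf("Subsystem; %04x\n", PeU16(opt + 68));
    printf("Dllcharacteristics; %04x\n", PeU16(opt + 70));
    printf("size of stack Reserve*; %08x\n", PeU32(opt + 72));
    printf("size of stack Commit*; %08x\n", PeU32(opt + 76));
    printf("size of Heap Reserve*; %08x\n", PeU32(opt + 80));
    printf("size of Heap Commit*; %08x\n", PeU32(opt + 84));
    printf("LoaderFlags;; %08x\n", PeU32(opt + 88));
    printf("NumberOfRvaAndSizes; %08x\n", PeU32(opt + 92));
    printf("[*][*][*][*][*][*][*][*][*][*][*][*][*]\n");

    free(pcbuffer);
}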
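/* Entry point: dump the PE headers of the sample executable. */
int main()
{
    /*
     * PEheader() loads the file itself. Calling FILEbuffer() here as well
     * would only allocate a second copy of the file that nothing frees.
     */
    PEheader();
    return 0;
}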