遍历PE文件头,枚举PE文件节表。以下是基本方法。
#include <winnt.h>
/*
typedef struct SEH
{
DWORD PrevLink ; // the address of the previous seh structure
DWORD CurrentHandler ; // the address of the new exception handler
DWORD SafeOffset ; //The offset where it's safe to continue execution
DWORD PrevEsp ; //the old value in esp
DWORD PrevEbp ; //The old value in ebp
}SEH ;
*/
void TravelPE(const char *FileName)
{
//const char *FileName = "enumwindow.exe";
FILE *pFile = NULL ;
HANDLE hMapping = NULL ;
void *pMapping = NULL ;
if(FileName!=NULL)
{
printf("FileName is %s/n" , FileName);
pFile = (FILE *)CreateFile( FileName ,
GENERIC_READ ,
FILE_SHARE_READ,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL
);
if(!pFile)
{
printf("pFile right/n");
pMapping = CreateFileMapping( pFile ,
NULL,
PAGE_READONLY,
0,
0,
0
);
if(!pMapping)
{
printf("pMapping right");
pMapping = MapViewOfFile( hMapping , FILE_MAP_READ ,0 ,0,0 );
if(!pMapping)
{
PIMAGE_DOS_HEADER pDos_Header = (PIMAGE_DOS_HEADER)pMapping ;
if(pDos_Header->e_magic == IMAGE_DOS_SIGNATURE)
{
PIMAGE_NT_HEADERS32 pNt_Header =
(PIMAGE_NT_HEADERS32)(pDos_Header + (pDos_Header->e_lfanew));
if(pNt_Header->Signature == IMAGE_NT_SIGNATURE )
{
IMAGE_FILE_HEADER File_Header =
pNt_Header->FileHeader ;
printf("%s is a PE file/n" , FileName);
printf("file have %d sections/n" , File_Header.NumberOfSections );
//printf("",pFile_Header->)
}
}
}//if(!pMapping)
}//if(!pFile)
}//if(FileName!=NULL)
}
return ;
}