PEViewerPE文件查看器编写

已于 2023-02-26 14:07:07 修改
阅读量703 收藏 2
点赞数
分类专栏: 逆向分析 文章标签: 算法 c++ 数据结构 windows
于 2023-02-26 14:05:43 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_36286899/article/details/129225981
版权

需要一点PE文件的知识,参考文章
https://blog.csdn.net/freeking101/article/details/102752048
按照这两张图片来的
在这里插入图片描述
在这里插入图片描述
一些主要的函数

//PE文件大部分地址以RVA形式存在,但是在文件中RVA需要转换才能定位到
DWORD RvaToRaw(DWORD rva,PIMAGE_SECTION_HEADER* pImage_Section_Header_Arr,int NumOfSections);
//判断dest目标区域的size个字节是否为空
bool ifZero(void* dest,int size);

//保存IMAGE_DOS_HEADER结构体到FilePath文件中
void SaveImageDosHeader(char* FilePath,IMAGE_DOS_HEADER* pImage_Dos_Header);
//保存IMAGE_NT_HEADERS结构体到FilePath文件中
void SaveImageNtHeaders(char* FilePath,IMAGE_NT_HEADERS* pImage_Nt_Headers);
//保存IMAGE_FILE_HEADER结构体到FilePath文件中
void SaveImageFileHeader(char* FilePath,IMAGE_FILE_HEADER* pImage_File_Header);

保存IMAGE_OPTIONAL_HEADER结构体到FilePath文件中
void SaveImageOptionalHeader(char* FilePath,IMAGE_OPTIONAL_HEADER* pImage_Optional_Header);
保存IMAGE_DATA_DIRECTORY结构体到FilePath文件中,因为有很多个,所以写成数组了
void SaveImageDataDirectoryArr(char* FilePath,IMAGE_DATA_DIRECTORY* pImage_Data_Directory_Arr,int NumOfImageDataDirectory);

//保存IMAGE_IMPORT_DESCRIPTOR结构体到FilePath文件中,因为也有很多个,所以写成数组了
void SaveImageImportDescriptorArr(char* FilePath,PIMAGE_IMPORT_DESCRIPTOR* pImage_Import_Descriptor_Arr,int NumOfImageImportDescriptor,char** Dll_Name_Arr,int NumOfImage_Import_Descriptor,char*** Dll_Functions_Name_Arr, int* NumOfFunctionsDllArr);

//保存IMAGE_SECTION_HEADER结构体到FilePath文件中,因为有很多哥所以写成数组了
void SaveImageSectionHeaderArr(char* FilePath,PIMAGE_SECTION_HEADER* pImage_Section_Header_Arr,int NumOfSections);
保存每一个IMAGE_DOS_HEADER结构体到FilePath文件中
void SavePerImageSectionHeader(FILE* file,IMAGE_SECTION_HEADER* pImage_Section_Header);

程序效果

在这里插入图片描述
在这里插入图片描述
在这里插入图片描述
在这里插入图片描述
在这里插入图片描述

完整思路

1.打开文件

    printf("请输入文件名:\n");
    char FilePath[256];
    scanf("%s",FilePath);
	FILE* file = fopen(FilePath,"r");
	if( !file ) {
        printf("无法打开文件!\n");
		return 0;
	}

2.获取相关信息

2.1 获取IMAGE_DOS_HEADER结构体
	//读取dos文件头
	IMAGE_DOS_HEADER* pImage_Dos_Header = new IMAGE_DOS_HEADER;
	fread(pImage_Dos_Header,sizeof(IMAGE_DOS_HEADER),1,file);

	if( pImage_Dos_Header->e_magic != (DWORD)('Z'*256+'M') ){
        printf("DOS开头不是MZ!\n");
		return 0;
	}
	
    SaveImageDosHeader("IMAGE_DOS_HEADER.txt",pImage_Dos_Header);

DOS头都是以MZ开头的,由于小段存放的缘故这里Z在高位,如果不是MZ开头的话直接退出

2.2 获取IMAGE_NT_HEADERS结构体
	//读取PE文件头
	fseek(file,pImage_Dos_Header->e_lfanew,SEEK_SET);
	IMAGE_NT_HEADERS* pImage_Nt_Headers = new IMAGE_NT_HEADERS;
	fread(pImage_Nt_Headers,sizeof(IMAGE_NT_HEADERS),1,file);

	if ( pImage_Nt_Headers->Signature != (DWORD)('E'*256+'P') ){
        printf("PE开头不是PE!\n");
		return 0;
	}
	
    SaveImageNtHeaders("IMAGE_NT_FILE_HEADERS.txt",pImage_Nt_Headers);

IMAGE_DOS_HEADER结构体中的e_lfanew指向了IMAGE_NT_HEADERS,这里利用它定位IMAGE_NT_HEADERS

PE头结构体一定是以PE开头的,与上文的MZ同理验证

2.2.1读取IMAGE_FILE_HEADER结构体
	//读取IMAGE_FILE_HEADER结构体
	IMAGE_FILE_HEADER* pImage_File_Header = new IMAGE_FILE_HEADER;
	fseek(file,pImage_Dos_Header->e_lfanew+4,SEEK_SET);
	fread(pImage_File_Header,sizeof(IMAGE_FILE_HEADER),1,file);
	
    SaveImageFileHeader("IMAGE_FILE_HEADER.txt",pImage_File_Header);

	//区块数量
	int NumberOfSections = pImage_File_Header->NumberOfSections;

这里的fseek是为了跳过IMAGE_NT_HEADERS的前4个字节的Signature数据,NumberOfSections是区块表的数量,后面会用到的

2.2.2读取IMAGE_OPTIONAL_HEADER结构体
	//读取IMAGE_OPTIONAL_HEADER
	IMAGE_OPTIONAL_HEADER* pImage_Optional_Header = new IMAGE_OPTIONAL_HEADER;
	fread(pImage_Optional_Header,sizeof(IMAGE_OPTIONAL_HEADER),1,file);
    
    SaveImageOptionalHeader("IMAGE_OPTIONAL_HEADER.txt",pImage_Optional_Header);

    //IMAGE_OPTIONAL_HEADER大小
    int SizeOfOptionalHeader = pImage_File_Header->SizeOfOptionalHeader;
2.2.2.1读取IMAGE_DATA_DIRECTORY数据目录表
    //读取IMAGE_DATA_DIRETORY数据目录表
    SaveImageDataDirectoryArr("IMAGE_DATA_DIRECTORY_ARR.txt",pImage_Optional_Header->DataDirectory,IMAGE_NUMBEROF_DIRECTORY_ENTRIES);
2.2.2.1.1读取导入表IMAGE_IMPORT_DESCRIPTOR(重点)
    //读取导入表IMAGE_DIRECTORY_ENTRY_IMPORT 1
    DWORD raw = RvaToRaw(pImage_Optional_Header->DataDirectory[1].VirtualAddress,pImage_Section_Header_Arr,NumberOfSections);
    fseek(file,raw,SEEK_SET);
    PIMAGE_IMPORT_DESCRIPTOR* pImage_Import_Descriptor_Arr = new PIMAGE_IMPORT_DESCRIPTOR;
    int NumOfImage_Import_Descriptor = 0;
    do{
        pImage_Import_Descriptor_Arr[NumOfImage_Import_Descriptor] = new IMAGE_IMPORT_DESCRIPTOR;
        fread(pImage_Import_Descriptor_Arr[NumOfImage_Import_Descriptor],sizeof(IMAGE_IMPORT_DESCRIPTOR),1,file);
        if(ifZero(pImage_Import_Descriptor_Arr[NumOfImage_Import_Descriptor],sizeof(IMAGE_IMPORT_DESCRIPTOR)/2)){
            break;
        }
        NumOfImage_Import_Descriptor++;
    }while(true);

    //导入表中dll的name数组
    char** Dll_Name_Arr = new char*[NumOfImage_Import_Descriptor];
    //导入表中每个dll的函数名字数组
    char*** Dll_Functions_Name_Arr = new char**[NumOfImage_Import_Descriptor];
    char temp[256] = {0};
    int NumOfFunctionsDllArr[256] = {0};
    for(int i = 0;i < NumOfImage_Import_Descriptor; i++){
        DWORD raw = RvaToRaw(pImage_Import_Descriptor_Arr[i]->Name,pImage_Section_Header_Arr,NumberOfSections);
        fseek(file,raw,SEEK_SET);
        //fscanf(file,"%s",temp);
        fgets(temp,32,file);
        Dll_Name_Arr[i] = new char[strlen(temp)+1];
        strcpy(Dll_Name_Arr[i],temp);
        NumOfFunctionsDllArr[i] = 0;
        raw = RvaToRaw(pImage_Import_Descriptor_Arr[i]->FirstThunk,pImage_Section_Header_Arr,NumberOfSections);
        //temp2记录OriginalFirstThunk的Import_Thunk_Data的地址
        DWORD temp2 = 0;
        DWORD pos = raw;
        const int max_funcions_per_dll = 100;
        Dll_Functions_Name_Arr[i] = new char*[max_funcions_per_dll];
        do{
            fseek(file,pos,SEEK_SET);
            fread(&temp2,sizeof(DWORD),1,file);
            if(!temp2) break;
            raw = RvaToRaw(temp2,pImage_Section_Header_Arr,NumberOfSections);
            fseek(file,raw,SEEK_SET);
            fgets(temp,256,file);
            Dll_Functions_Name_Arr[i][NumOfFunctionsDllArr[i]] =  new char[strlen(temp)+1];
            strcpy(Dll_Functions_Name_Arr[i][NumOfFunctionsDllArr[i]],temp+2);
            NumOfFunctionsDllArr[i]++;
            pos = pos + sizeof(DWORD);
        }while(temp2);
    }
    SaveImageImportDescriptorArr("IMAGE_IMPORT_DESCRIPTOR_ARR.txt",pImage_Import_Descriptor_Arr,NumOfImage_Import_Descriptor,Dll_Name_Arr,NumOfImage_Import_Descriptor,Dll_Functions_Name_Arr,NumOfFunctionsDllArr);
2.3 读取区块表Section Table
	//读取IMAGE_SECTION_TABLE
	PIMAGE_SECTION_HEADER* pImage_Section_Header_Arr = new PIMAGE_SECTION_HEADER[NumberOfSections];
	for(int i = 0;i < NumberOfSections;i++ ) {
        pImage_Section_Header_Arr[i] = new IMAGE_SECTION_HEADER;
		fread(pImage_Section_Header_Arr[i],sizeof(IMAGE_SECTION_HEADER),1,file);
	}

    SaveImageSectionHeaderArr("IMAGE_SECTION_HEADER_ARR.txt",pImage_Section_Header_Arr,NumberOfSections);

完整代码

#include <stdio.h>
#include <windows.h>
#include <winnt.h>

DWORD RvaToRaw(DWORD rva,PIMAGE_SECTION_HEADER* pImage_Section_Header_Arr,int NumOfSections);
bool ifZero(void* dest,int size);

void SaveImageDosHeader(char* FilePath,IMAGE_DOS_HEADER* pImage_Dos_Header);
void SaveImageNtHeaders(char* FilePath,IMAGE_NT_HEADERS* pImage_Nt_Headers);
void SaveImageFileHeader(char* FilePath,IMAGE_FILE_HEADER* pImage_File_Header);

void SaveImageOptionalHeader(char* FilePath,IMAGE_OPTIONAL_HEADER* pImage_Optional_Header);
void SaveImageDataDirectoryArr(char* FilePath,IMAGE_DATA_DIRECTORY* pImage_Data_Directory_Arr,int NumOfImageDataDirectory);

void SaveImageImportDescriptorArr(char* FilePath,PIMAGE_IMPORT_DESCRIPTOR* pImage_Import_Descriptor_Arr,int NumOfImageImportDescriptor,char** Dll_Name_Arr,int NumOfImage_Import_Descriptor,char*** Dll_Functions_Name_Arr, int* NumOfFunctionsDllArr);

void SaveImageSectionHeaderArr(char* FilePath,PIMAGE_SECTION_HEADER* pImage_Section_Header_Arr,int NumOfSections);
void SavePerImageSectionHeader(FILE* file,IMAGE_SECTION_HEADER* pImage_Section_Header);


int main(){

	//打开文件
    printf("请输入文件名:\n");
    char FilePath[256];
    scanf("%s",FilePath);

	//获取相关信息
	FILE* file = fopen(FilePath,"r");
	if( !file ) {
        printf("无法打开文件!\n");
		return 0;
	}
	//读取dos文件头
	IMAGE_DOS_HEADER* pImage_Dos_Header = new IMAGE_DOS_HEADER;
	fread(pImage_Dos_Header,sizeof(IMAGE_DOS_HEADER),1,file);

	if( pImage_Dos_Header->e_magic != (DWORD)('Z'*256+'M') ){
        printf("DOS开头不是MZ!\n");
		return 0;
	}
	
    SaveImageDosHeader("IMAGE_DOS_HEADER.txt",pImage_Dos_Header);

	//读取PE文件头
	fseek(file,pImage_Dos_Header->e_lfanew,SEEK_SET);
	IMAGE_NT_HEADERS* pImage_Nt_Headers = new IMAGE_NT_HEADERS;
	fread(pImage_Nt_Headers,sizeof(IMAGE_NT_HEADERS),1,file);

	if ( pImage_Nt_Headers->Signature != (DWORD)('E'*256+'P') ){
        printf("PE开头不是PE!\n");
		return 0;
	}
	
    SaveImageNtHeaders("IMAGE_NT_FILE_HEADERS.txt",pImage_Nt_Headers);

	//读取IMAGE_FILE_HEADER结构体
	IMAGE_FILE_HEADER* pImage_File_Header = new IMAGE_FILE_HEADER;
	fseek(file,pImage_Dos_Header->e_lfanew+4,SEEK_SET);
	fread(pImage_File_Header,sizeof(IMAGE_FILE_HEADER),1,file);
	
    SaveImageFileHeader("IMAGE_FILE_HEADER.txt",pImage_File_Header);

	//区块数量
	int NumberOfSections = pImage_File_Header->NumberOfSections;
	
	//读取IMAGE_OPTIONAL_HEADER
	IMAGE_OPTIONAL_HEADER* pImage_Optional_Header = new IMAGE_OPTIONAL_HEADER;
	fread(pImage_Optional_Header,sizeof(IMAGE_OPTIONAL_HEADER),1,file);
    
    SaveImageOptionalHeader("IMAGE_OPTIONAL_HEADER.txt",pImage_Optional_Header);

    //IMAGE_OPTIONAL_HEADER大小
    int SizeOfOptionalHeader = pImage_File_Header->SizeOfOptionalHeader;

    //读取IMAGE_DATA_DIRETORY数据目录表
    SaveImageDataDirectoryArr("IMAGE_DATA_DIRECTORY_ARR.txt",pImage_Optional_Header->DataDirectory,IMAGE_NUMBEROF_DIRECTORY_ENTRIES);

	//读取IMAGE_SECTION_TABLE
	PIMAGE_SECTION_HEADER* pImage_Section_Header_Arr = new PIMAGE_SECTION_HEADER[NumberOfSections];
	for(int i = 0;i < NumberOfSections;i++ ) {
        pImage_Section_Header_Arr[i] = new IMAGE_SECTION_HEADER;
		fread(pImage_Section_Header_Arr[i],sizeof(IMAGE_SECTION_HEADER),1,file);
	}

    SaveImageSectionHeaderArr("IMAGE_SECTION_HEADER_ARR.txt",pImage_Section_Header_Arr,NumberOfSections);

    //读取导出表IMAGE_DIRECTORY_ENTRY_EMPORT 0

    //读取导入表IMAGE_DIRECTORY_ENTRY_IMPORT 1
    DWORD raw = RvaToRaw(pImage_Optional_Header->DataDirectory[1].VirtualAddress,pImage_Section_Header_Arr,NumberOfSections);
    fseek(file,raw,SEEK_SET);
    PIMAGE_IMPORT_DESCRIPTOR* pImage_Import_Descriptor_Arr = new PIMAGE_IMPORT_DESCRIPTOR;
    int NumOfImage_Import_Descriptor = 0;
    do{
        pImage_Import_Descriptor_Arr[NumOfImage_Import_Descriptor] = new IMAGE_IMPORT_DESCRIPTOR;
        fread(pImage_Import_Descriptor_Arr[NumOfImage_Import_Descriptor],sizeof(IMAGE_IMPORT_DESCRIPTOR),1,file);
        if(ifZero(pImage_Import_Descriptor_Arr[NumOfImage_Import_Descriptor],sizeof(IMAGE_IMPORT_DESCRIPTOR)/2)){
            break;
        }
        NumOfImage_Import_Descriptor++;
    }while(true);

    //导入表中dll的name数组
    char** Dll_Name_Arr = new char*[NumOfImage_Import_Descriptor];
    //导入表中每个dll的函数名字数组
    char*** Dll_Functions_Name_Arr = new char**[NumOfImage_Import_Descriptor];
    char temp[256] = {0};
    int NumOfFunctionsDllArr[256] = {0};
    for(int i = 0;i < NumOfImage_Import_Descriptor; i++){
        DWORD raw = RvaToRaw(pImage_Import_Descriptor_Arr[i]->Name,pImage_Section_Header_Arr,NumberOfSections);
        fseek(file,raw,SEEK_SET);
        //fscanf(file,"%s",temp);
        fgets(temp,32,file);
        Dll_Name_Arr[i] = new char[strlen(temp)+1];
        strcpy(Dll_Name_Arr[i],temp);
        NumOfFunctionsDllArr[i] = 0;
        raw = RvaToRaw(pImage_Import_Descriptor_Arr[i]->FirstThunk,pImage_Section_Header_Arr,NumberOfSections);
        //temp2记录OriginalFirstThunk的Import_Thunk_Data的地址
        DWORD temp2 = 0;
        DWORD pos = raw;
        const int max_funcions_per_dll = 100;
        Dll_Functions_Name_Arr[i] = new char*[max_funcions_per_dll];
        do{
            fseek(file,pos,SEEK_SET);
            fread(&temp2,sizeof(DWORD),1,file);
            if(!temp2) break;
            raw = RvaToRaw(temp2,pImage_Section_Header_Arr,NumberOfSections);
            fseek(file,raw,SEEK_SET);
            fgets(temp,256,file);
            Dll_Functions_Name_Arr[i][NumOfFunctionsDllArr[i]] =  new char[strlen(temp)+1];
            strcpy(Dll_Functions_Name_Arr[i][NumOfFunctionsDllArr[i]],temp+2);
            NumOfFunctionsDllArr[i]++;
            pos = pos + sizeof(DWORD);
        }while(temp2);
    }
    SaveImageImportDescriptorArr("IMAGE_IMPORT_DESCRIPTOR_ARR.txt",pImage_Import_Descriptor_Arr,NumOfImage_Import_Descriptor,Dll_Name_Arr,NumOfImage_Import_Descriptor,Dll_Functions_Name_Arr,NumOfFunctionsDllArr);
    //读取导入函数地址表IMAGE_DIRECTORY_ENTRY_IAT 12
    fclose(file);
    return 0;
}

DWORD RvaToRaw(DWORD rva,PIMAGE_SECTION_HEADER* pImage_Section_Header_Arr,int NumOfSections){
    int pos_in_sections = NumOfSections - 1;
    //查找在第几个SECTION里
    for(int i = 0;i < NumOfSections - 1;i++ ){
        if(pImage_Section_Header_Arr[i]->VirtualAddress <= rva && rva <= pImage_Section_Header_Arr[i+1]->VirtualAddress){
            pos_in_sections = i;
        }
    }
    DWORD raw = rva - pImage_Section_Header_Arr[pos_in_sections]->VirtualAddress + pImage_Section_Header_Arr[pos_in_sections]->PointerToRawData;
    return raw;
}
bool ifZero(void* dest,int size){
    for(int i = 0;i < size;i++ ){
        if(((BYTE*)dest)[i]){
            return false;
        }
    }
    return true;
}
void SaveImageDosHeader(char* FilePath,IMAGE_DOS_HEADER* pImage_Dos_Header){
    FILE* file = fopen(FilePath,"w");
    fputs("IMAGE_DOS_HEADER:\n",file);
    fprintf(file,"\t->e_magic\t = 0x%08X\n",pImage_Dos_Header->e_magic);
    fprintf(file,"\t->e_cblp\t = 0x%08X\n",pImage_Dos_Header->e_cblp);
    fprintf(file,"\t->e_cp\t = 0x%08X\n",pImage_Dos_Header->e_cp);
    fprintf(file,"\t->e_crlc\t = 0x%08X\n",pImage_Dos_Header->e_crlc);
    fprintf(file,"\t->e_cparhdr\t = 0x%08X\n",pImage_Dos_Header->e_cparhdr);
    fprintf(file,"\t->e_minalloc\t = 0x%08X\n",pImage_Dos_Header->e_minalloc);
    fprintf(file,"\t->e_maxalloc\t = 0x%08X\n",pImage_Dos_Header->e_maxalloc);
    fprintf(file,"\t->e_ss\t = 0x%08X\n",pImage_Dos_Header->e_ss);
    fprintf(file,"\t->e_sp\t = 0x%08X\n",pImage_Dos_Header->e_sp);
    fprintf(file,"\t->e_csum\t = 0x%08X\n",pImage_Dos_Header->e_csum);
    fprintf(file,"\t->e_ip\t = 0x%08X\n",pImage_Dos_Header->e_ip);
    fprintf(file,"\t->e_cs\t = 0x%08X\n",pImage_Dos_Header->e_cs);
    fprintf(file,"\t->e_lfarlc\t = 0x%08X\n",pImage_Dos_Header->e_lfarlc);
    fprintf(file,"\t->e_ovno\t = 0x%08X\n",pImage_Dos_Header->e_ovno);
    fprintf(file,"\t->e_res[4]\t = 0x%08X\n",pImage_Dos_Header->e_res);
    fprintf(file,"\t->e_oemid\t = 0x%08X\n",pImage_Dos_Header->e_oemid);
    fprintf(file,"\t->e_oeminfo\t = 0x%08X\n",pImage_Dos_Header->e_oeminfo);
    fprintf(file,"\t->e_res2[10]\t = 0x%08X\n",pImage_Dos_Header->e_res2);
    fprintf(file,"\t->e_lfanew\t = 0x%08X\n",pImage_Dos_Header->e_lfanew);
    fclose(file);
}
void SaveImageNtHeaders(char* FilePath,IMAGE_NT_HEADERS* pImage_Nt_Headers){
    FILE* file = fopen(FilePath,"w");
    fprintf(file,"IMAGE_NT_HEADERS\n");
    fprintf(file,"\t->Signature\t = 0x%08X\n",pImage_Nt_Headers->Signature);
    fprintf(file,"\t->IMAGE_FILE_HEADER\t = 0x%08X\n",pImage_Nt_Headers->FileHeader);
    fprintf(file,"\t->IMAGE_OPTIONAL_HEADER32\t = 0x%08X\n",pImage_Nt_Headers->OptionalHeader);
    fclose(file);
}
void SaveImageFileHeader(char* FilePath,IMAGE_FILE_HEADER* pImage_File_Header){
    FILE* file = fopen(FilePath,"w");
    fprintf(file,"IMAGE_FILE_HEADER\n");
    fprintf(file,"\t->Machine\t = 0x%08X\n",pImage_File_Header->Machine);
    fprintf(file,"\t->NumberOfSections\t = 0x%08X\n",pImage_File_Header->NumberOfSections);
    fprintf(file,"\t->TimeDateStamp\t = 0x%08X\n",pImage_File_Header->TimeDateStamp);
    fprintf(file,"\t->PointerToSymbolTable\t = 0x%08X\n",pImage_File_Header->PointerToSymbolTable);
    fprintf(file,"\t->NumberOfSymbols\t = 0x%08X\n",pImage_File_Header->NumberOfSymbols);
    fprintf(file,"\t->SizeOfOptionalHeader\t = 0x%08X\n",pImage_File_Header->SizeOfOptionalHeader);
    fprintf(file,"\t->Characteristics\t = 0x%08X\n",pImage_File_Header->Characteristics);
    fclose(file);
}
void SaveImageOptionalHeader(char* FilePath,IMAGE_OPTIONAL_HEADER* pImage_Optional_Header){
    FILE* file = fopen(FilePath,"w");
    fprintf(file,"IMAGE_OPTIONAL_HEADER\n");
    fprintf(file,"\t->Magic\t = 0x%08X\n",pImage_Optional_Header->Magic);
    fprintf(file,"\t->MajorLinkerVersion\t = 0x%08X\n",pImage_Optional_Header->MajorLinkerVersion);
    fprintf(file,"\t->MinorLinkerVersion\t = 0x%08X\n",pImage_Optional_Header->MinorLinkerVersion);
    fprintf(file,"\t->SizeOfCode\t = 0x%08X\n",pImage_Optional_Header->SizeOfCode);
    fprintf(file,"\t->SizeOfInitializedData\t = 0x%08X\n",pImage_Optional_Header->SizeOfInitializedData);
    fprintf(file,"\t->SizeOfUninitializedData\t = 0x%08X\n",pImage_Optional_Header->SizeOfUninitializedData);
    fprintf(file,"\t->AddressOfEntryPoint\t = 0x%08X\n",pImage_Optional_Header->AddressOfEntryPoint);
    fprintf(file,"\t->BaseOfCode\t = 0x%08X\n",pImage_Optional_Header->BaseOfCode);
    fprintf(file,"\t->ImageBase\t = 0x%08X\n",pImage_Optional_Header->ImageBase);
    fprintf(file,"\t->SectionAlignment\t = 0x%08X\n",pImage_Optional_Header->SectionAlignment);
    fprintf(file,"\t->FileAlignment\t = 0x%08X\n",pImage_Optional_Header->FileAlignment);
    fprintf(file,"\t->MajorOperatingSystemVersion\t = 0x%08X\n",pImage_Optional_Header->MajorOperatingSystemVersion);
    fprintf(file,"\t->MinorOperatingSystemVersion\t = 0x%08X\n",pImage_Optional_Header->MinorOperatingSystemVersion);
    fprintf(file,"\t->MajorImageVersion\t = 0x%08X\n",pImage_Optional_Header->MajorImageVersion);
    fprintf(file,"\t->MinorImageVersion\t = 0x%08X\n",pImage_Optional_Header->MinorImageVersion);
    fprintf(file,"\t->MajorSubsystemVersion\t = 0x%08X\n",pImage_Optional_Header->MajorSubsystemVersion);
    fprintf(file,"\t->MinorSubsystemVersion\t = 0x%08X\n",pImage_Optional_Header->MinorSubsystemVersion);
    fprintf(file,"\t->Win32VersionValue\t = 0x%08X\n",pImage_Optional_Header->Win32VersionValue);
    fprintf(file,"\t->SizeOfImage\t = 0x%08X\n",pImage_Optional_Header->SizeOfImage);
    fprintf(file,"\t->SizeOfHeaders\t = 0x%08X\n",pImage_Optional_Header->SizeOfHeaders);
    fprintf(file,"\t->CheckSum\t = 0x%08X\n",pImage_Optional_Header->CheckSum);
    fprintf(file,"\t->Subsystem\t = 0x%08X\n",pImage_Optional_Header->Subsystem);
    fprintf(file,"\t->DllCharacteristics\t = 0x%08X\n",pImage_Optional_Header->DllCharacteristics);
    fprintf(file,"\t->SizeOfStackReserve\t = 0x%08X\n",pImage_Optional_Header->SizeOfStackCommit);
    fprintf(file,"\t->SizeOfStackCommit\t = 0x%08X\n",pImage_Optional_Header->SizeOfStackReserve);
    fprintf(file,"\t->SizeOfHeapReserve\t = 0x%08X\n",pImage_Optional_Header->SizeOfHeapReserve);
    fprintf(file,"\t->SizeOfHeapCommit\t = 0x%08X\n",pImage_Optional_Header->SizeOfHeapCommit);
    fprintf(file,"\t->LoaderFlags\t = 0x%08X\n",pImage_Optional_Header->LoaderFlags);
    fprintf(file,"\t->NumberOfRvaAndSizes\t = 0x%08X\n",pImage_Optional_Header->NumberOfRvaAndSizes);
    fprintf(file,"\t->DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]\t = 0x%08X\n",pImage_Optional_Header->DataDirectory);
    fclose(file);
}
void SaveImageDataDirectoryArr(char* FilePath,IMAGE_DATA_DIRECTORY* pImage_Data_Directory_Arr,int NumOfImageDataDirectory){
    FILE* file = fopen(FilePath,"w");
    fprintf(file,"IMAGE_DATA_DIRECTORY_ARR\n");
    for(int i = 0;i < NumOfImageDataDirectory;i++ ){
        fprintf(file,"IMAGE_DATA_DIRECTORY_ARR[%d]\n",i);
        fprintf(file,"IMAGE_DATA_DIRECTORY:\n");
        fprintf(file,"\t->VirtualAddress\t = 0x%08X\n",(pImage_Data_Directory_Arr+i)->VirtualAddress);
        fprintf(file,"\t->Size\t = 0x%08X\n",(pImage_Data_Directory_Arr+i)->Size);
        fprintf(file,"\n");
    }
    fclose(file);
}
void SaveImageSectionHeaderArr(char* FilePath,PIMAGE_SECTION_HEADER* pImage_Section_Header_Arr,int NumOfSections){
    FILE* file = fopen(FilePath,"w");
    fprintf(file,"IMAGE_SECTION_HEADER_ARR\n");
    for( int i = 0;i < NumOfSections;i++ ){
        fprintf(file,"IMAGE_SECTION_HEADER_ARR[%d]\n",i);
        SavePerImageSectionHeader(file,pImage_Section_Header_Arr[i]);
        fprintf(file,"\n");
    }
    fclose(file);
}

void SaveImageImportDescriptorArr(char* FilePath,PIMAGE_IMPORT_DESCRIPTOR* pImage_Import_Descriptor_Arr,int NumOfImageImportDescriptor,char** Dll_Name_Arr,int NumOfImage_Import_Descriptor,char*** Dll_Functions_Name_Arr, int* NumOfFunctionsDllArr){
    FILE* file = fopen(FilePath,"w");
    fprintf(file,"IMAGE_IMPORT_DESCRIPTOR_ARR\n");
    for(int i = 0; i < NumOfImageImportDescriptor; i++){
        fprintf(file,"IMAGE_IMPORT_DESCRIPTOR_ARR[%d]:\n",i);
        fprintf(file,"\t->OriginalFirstThunk\t = 0x%08X\n",pImage_Import_Descriptor_Arr[i]->OriginalFirstThunk);
        for(int j = 0;j < NumOfFunctionsDllArr[i];j++ ){
            fprintf(file,"\t->     \t %s \n",Dll_Functions_Name_Arr[i][j]);
        }
        fprintf(file,"\n");
        fprintf(file,"\t->TimeDateStamp\t = 0x%08X\n",pImage_Import_Descriptor_Arr[i]->TimeDateStamp);
        fprintf(file,"\t->ForwarderChain\t = 0x%08X\n",pImage_Import_Descriptor_Arr[i]->ForwarderChain);
        fprintf(file,"\t->Name\t = 0x%08X\n",pImage_Import_Descriptor_Arr[i]->Name);
        fprintf(file,"\t      \t = %s\n\n",Dll_Name_Arr[i]);
        fprintf(file,"\t->FirstThunk\t = 0x%08X\n",pImage_Import_Descriptor_Arr[i]->FirstThunk);
        fprintf(file,"\n");
    }
    fclose(file);
}

void SavePerImageSectionHeader(FILE* file,IMAGE_SECTION_HEADER* pImage_Section_Header){
    fprintf(file,"IMAGE_SECTION_HEADER\n");
    fprintf(file,"\t->Name[IMAGE_SIZEOF_SHORT_NAME]\t = %s\n",pImage_Section_Header->Name);
    fprintf(file,"\t->VirtualSize\t = 0x%08X\n",pImage_Section_Header->Misc);
    fprintf(file,"\t->VirtualAddress\t = 0x%08X\n",pImage_Section_Header->VirtualAddress);
    fprintf(file,"\t->SizeOfRawData\t = 0x%08X\n",pImage_Section_Header->SizeOfRawData);
    fprintf(file,"\t->PointerToRawData\t = 0x%08X\n",pImage_Section_Header->PointerToRawData);
    fprintf(file,"\t->PointerToRelocations\t = 0x%08X\n",pImage_Section_Header->PointerToRelocations);
    fprintf(file,"\t->PointerToLinenumbers\t = 0x%08X\n",pImage_Section_Header->PointerToLinenumbers);
    fprintf(file,"\t->NumberOfRelocations\t = 0x%08X\n",pImage_Section_Header->NumberOfRelocations);
    fprintf(file,"\t->NumberOfLinenumbers\t = 0x%08X\n",pImage_Section_Header->NumberOfLinenumbers);
    fprintf(file,"\t->Characteristics\t = 0x%08X\n",pImage_Section_Header->Characteristics);
    fprintf(file,"\t->Characteristics\t = 0x%08X\n",pImage_Section_Header->Characteristics);
}
倒三五六
关注
  • 0
    点赞
  • 2
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
peviewer:一个简单的单页Web应用程序,用于查看PE(便携式可执行文件文件的内容
05-12
PE查看器 PE Viewer是一个简单的单页Web应用程序,用于查看PE(便携式可执行文件文件的内容,该文件Windows操作系统和Mi​​crosoft .NET上的可执行文件。 访问以访问此工具。 该项目仅用于托管单页应用程序,有关任何错误报告和建议,请访问
【汇编语言】汇编语言实现简单的PEviewer
LeeOrange_45的博客
11-07 400
利用汇编语言实现peviewer
探索PE文件的秘密:XPEViewer - 跨平台的PE查看器与编辑器
最新发布
gitblog_00077的博客
05-16 619
探索PE文件的秘密:XPEViewer - 跨平台的PE查看器与编辑器 项目地址:https://gitcode.com/horsicq/XPEViewer 1. 项目介绍 XPEViewer 是一个强大的跨平台工具,专为Windows、Linux和MacOS设计,用于查看和编辑PE(Portable Executable)文件。这款工具不仅仅是一个基本的查看器,它提供了一整套详细的PE文件分析功...
逆向工程核心原理——PE文件格式分析
weixin_46601374的博客
11-19 1962
什么是PE文件PE文件的全称是Portable Executable,意为可移植的可执行的文件 PE文件是指32位可执行文件,也称为PE32。64位的可执行文件称为PE+或PE32+,是PE(PE32)的一种扩展形式(请注意不是PE64)。 常见种类 种 类 主扩展名 种 类 主扩展名 可执行系列 EXE、SCR 驱动程序系列
PE dump 字节码查看器
zhyjhacker的博客
10-21 93
ProcessPeFile.c代码。resource.h 文件内容。PE 文件自己码查看器编写
新完成的PE viewer
草原Song
06-04 1209
    一直以来对PE文件算是比较熟悉了,但是不写一个PE工具是无法达到熟练的地步的,于是就写了这个小东西,PE的分析工具,使用Delphi编写,刚开始使用Filestream就行读文件,后来一想这不是使用内存映射文件的最好时候吗!汗,这才有了突破!
HTML查看器PC,PE文件查看器(PeViewer)
weixin_39668965的博客
06-23 822
PE文件查看器(PeViewer)官方版是一款实用性非常强的的PE文件查看类软件。用户使用PE文件查看器(PeViewer)最新版可以随时查看电脑中的DLL文件,并且还能对数据目录进行导入和导出。PE文件查看器(PeViewer)官方版的右键支持更多的操作,还可以对任何进程的一块符合PE结构的内存块进行分析。相似软件版本说明软件地址0.97.4 官方版查看2.3 官方版查看0.41 最新版查看5....
PCD点云文件查看器
09-13
用于PCD点云文件查看器,支持拖动文件到软件窗口,打开PCD点云文件并显示
STP/STEP/STL文件查看器
10-26
STP/STEP/STL文件查看器是一款轻量级的应用程序,专为处理STP、STEP和STL格式的三维模型文件而设计。这些文件格式在计算机辅助设计(CAD)和制造业领域中广泛使用,用于交换和存储三维几何数据。 1. **STP文件**:...
spr文件查看器
12-03
"Spr文件查看器"是一款专为处理特定类型文件——SPR格式文件而设计的应用程序。在IT领域,软件工具往往针对特定的文件格式或数据结构,以提供有效的管理和查看功能。SPR文件可能源自游戏资源,如角色模型、动画或者...
dll文件查看器64位 win10,win11系统可用
05-13
DLL 可以使用不同的编程语言来编写,如 VB、C、C++ 等。 DLL 也可以被不同的编程语言调用,例如:可以使用 VB 调用 C 语言生成的 DLL 文件。确切的说是调用 DLL中的API函数。只要使用正确的调用格式,就可以直接调用...
PEviewer.zipPEviewPEview
08-04
PEviewPEviewPEviewPEviewPEview
dds文件图片查看器
08-19
DDS文件图片查看器是一款专为处理DDS(DirectDraw Surface)格式图像设计的轻量级工具。DDS是一种由Microsoft开发的纹理贴图格式,广泛应用于3D图形编程、游戏开发和图像处理领域。这款查看器不仅能够打开并显示DDS...
【滴水逆向P77】加载进程(PE查看器)应用程序源码解析
WdIg-2023的博客
05-25 1450
在上一篇文章中讲解了通用控件,做了一个基本的加载进程(PE查看器)的应用程序项目,,大家如果有不懂的可以去看看,由于不是很了解Win32编程,所以有很多东西写出来了,但是不是很理解,所以今天专门来写一篇文章来详细了解一下其中使用到的API,函数,宏和结构体。
【逆向】【PE入门】使用PEView分析PE文件
热门推荐
lanlanla的成长历程
01-08 1万+
目录 什么是PE? 什么是PEView? 分析PE文件 什么是DOS头? IMAGE_DOS_HEADER是干嘛的? DOS块是干嘛的? 什么是NT头? Signatrue? IMAGE_FILE_HEADER? IMAGE_OPTIONAL_HEADER? section头? 1.找到 NT 头的起始偏移地址、结束地址? 什么是PE? 参考博客:htt...
pe字节码查看器&源码window11系统masm编程
weixin_43736741的博客
11-22 361
【代码】pe字节码查看器&源码window11系统masm编程
基于PEview分析PE文件(4-4)
hou09tian的博客
09-03 1257
5 节(section)头 从图3可以看出,PE文件的NT头之后就是节(section)头,每个节头的大小是40字节。在“4.2 IMAGE_FILE_HEADER”中提到,本PE文件包含9个节,可以从图3中找到这9个节对应的节头。表1列出了各节头的对应节的内容。 ...
【2024最新】PE工具箱【下载安装】零基础到大神【附下载链接】
资深程序员,曾自学JAVA,C#,如今从业于网安行业
11-05 599
网络安全行业产业以来,随即新增加了几十个网络安全行业岗位︰网络安全专家、网络安全分析师、安全咨询师、网络安全工程师、安全架构师、安全运维工程师、渗透工程师、信息安全管理员、数据安全工程师、网络安全运营工程师、网络安全应急响应工程师、数据鉴定师、网络安全产品经理、网络安全服务工程师、网络安全培训师、网络安全审计员、威胁情报分析工程师、灾难恢复专业人员、实战攻防专业人员…网上虽然也有很多的学习资源,但基本上都残缺不全的,这是我自己录的网安视频教程,上面路线图的每一个知识点,我都有配套的视频讲解。
编程实现安卓文件查看器
05-19
3. 实现文件浏览器中的文件文件夹的打开和关闭功能,以便用户可以查看文件。 4. 实现文件浏览器中的文件列表,以便用户可以快速浏览文件。 5. 实现文件预览功能,支持常用的文件格式,例如文本文件、图像文件、...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值