c语言pe文件感染,C语言怎么获得进程的PE文件信息

一、打印 Sections 信息。下面的程序打印出《Windows Graphics Programming》1.1 中第三个程序“Hello World Version 3: Create a Full-Screen Window”生成的可执行文件中各个节头(IMAGE_SECTION_HEADER)的信息。

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

/* Path of the PE file whose section table main() dumps (fopen()ed below).
 * Adjust it to the executable you want to inspect. */
char *strPath="C:/c1_hwv3/Debug/c1_hwv3.exe";

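/*
 * Print the section table of the PE file named by strPath.
 *
 * Layout walked: IMAGE_DOS_HEADER at offset 0 -> e_lfanew -> "PE\0\0"
 * signature -> IMAGE_FILE_HEADER -> optional header (skipped using its own
 * SizeOfOptionalHeader, the same computation IMAGE_FIRST_SECTION makes, so
 * PE32 and PE32+ files are both handled) -> NumberOfSections x
 * IMAGE_SECTION_HEADER.
 *
 * Every field read from the file that is later used as an offset or a count
 * (e_lfanew, SizeOfOptionalHeader, NumberOfSections) is checked against the
 * real file size before use, and every fread() result is checked, so a
 * truncated or deliberately malformed file is reported instead of being
 * parsed out of bounds.  The file is opened read-only.
 *
 * Returns 0 on success, 1 on any open/read/format error (a message is
 * written to stderr).
 */
int main(void)
{
    int rc = 1;
    FILE *pFile = NULL;
    IMAGE_SECTION_HEADER *sections = NULL;
    IMAGE_DOS_HEADER dosHeader;
    DWORD ntSignature;
    IMAGE_FILE_HEADER fileHeader;
    long fileSize, headersEnd, sectionTableOffset;
    int nSectionCount;

    /* "rb", not "rb+": this program only reads the image. */
    pFile = fopen(strPath, "rb");
    if (pFile == NULL) {
        fprintf(stderr, "cannot open %s\n", strPath);
        goto out;
    }
    if (fseek(pFile, 0, SEEK_END) != 0 || (fileSize = ftell(pFile)) < 0
        || fseek(pFile, 0, SEEK_SET) != 0) {
        fprintf(stderr, "%s: cannot determine file size\n", strPath);
        goto out;
    }

    /* DOS header: must be present and carry the "MZ" magic. */
    if (fread(&dosHeader, sizeof dosHeader, 1, pFile) != 1
        || dosHeader.e_magic != IMAGE_DOS_SIGNATURE) {
        fprintf(stderr, "%s: missing or invalid DOS header\n", strPath);
        goto out;
    }

    /* e_lfanew is file-controlled data: it must point past the DOS header
     * and leave room for the PE signature and file header inside the file.
     * Bounding it by fileSize also keeps the offset arithmetic below from
     * overflowing. */
    headersEnd = 0;
    if (dosHeader.e_lfanew < (LONG)sizeof dosHeader
        || dosHeader.e_lfanew > fileSize - (long)(sizeof ntSignature + sizeof fileHeader)) {
        fprintf(stderr, "%s: e_lfanew out of range\n", strPath);
        goto out;
    }
    headersEnd = dosHeader.e_lfanew + (long)(sizeof ntSignature + sizeof fileHeader);

    if (fseek(pFile, dosHeader.e_lfanew, SEEK_SET) != 0
        || fread(&ntSignature, sizeof ntSignature, 1, pFile) != 1
        || ntSignature != IMAGE_NT_SIGNATURE
        || fread(&fileHeader, sizeof fileHeader, 1, pFile) != 1) {
        fprintf(stderr, "%s: missing or invalid PE header\n", strPath);
        goto out;
    }

    nSectionCount = fileHeader.NumberOfSections;
    if (nSectionCount == 0) {
        fprintf(stderr, "%s: image has no sections\n", strPath);
        goto out;
    }

    /* The section table starts right after the optional header.  Use the
     * header's own SizeOfOptionalHeader rather than sizeof(IMAGE_NT_HEADERS),
     * which is only right when the file's optional header happens to be the
     * same variant/size as this build's. */
    if (fileHeader.SizeOfOptionalHeader > fileSize - headersEnd) {
        fprintf(stderr, "%s: optional header runs past end of file\n", strPath);
        goto out;
    }
    sectionTableOffset = headersEnd + fileHeader.SizeOfOptionalHeader;
    if ((long)sizeof *sections * nSectionCount > fileSize - sectionTableOffset) {
        fprintf(stderr, "%s: section table runs past end of file\n", strPath);
        goto out;
    }

    sections = calloc((size_t)nSectionCount, sizeof *sections);
    if (sections == NULL) {
        fprintf(stderr, "out of memory\n");
        goto out;
    }
    if (fseek(pFile, sectionTableOffset, SEEK_SET) != 0
        || fread(sections, sizeof *sections, (size_t)nSectionCount, pFile)
           != (size_t)nSectionCount) {
        fprintf(stderr, "%s: truncated section table\n", strPath);
        goto out;
    }

    for (int i = 0; i < nSectionCount; i++) {
        const IMAGE_SECTION_HEADER *sh = &sections[i];

        /* Name is an 8-byte field with no terminator when all 8 bytes are
         * used; "%.8s" keeps printf inside the field.  DWORD is unsigned long
         * on Windows, so DWORD fields go through "%lx" with a cast; the
         * widths are kept as in the original output. */
        printf("Name: %.8s\n", (const char *)sh->Name);
        printf("union_PhysicalAddress: %08lx\n", (unsigned long)sh->Misc.PhysicalAddress);
        printf("union_VirtualSize: %04lx\n", (unsigned long)sh->Misc.VirtualSize);
        printf("VirtualAddress: %08lx\n", (unsigned long)sh->VirtualAddress);
        printf("SizeOfRawData: %08lx\n", (unsigned long)sh->SizeOfRawData);
        printf("PointerToRawData: %04lx\n", (unsigned long)sh->PointerToRawData);
        printf("PointerToRelocations: %04lx\n", (unsigned long)sh->PointerToRelocations);
        printf("PointerToLinenumbers: %04lx\n", (unsigned long)sh->PointerToLinenumbers);
        printf("NumberOfRelocations: %04x\n", (unsigned)sh->NumberOfRelocations);
        printf("NumberOfLinenumbers: %04x\n", (unsigned)sh->NumberOfLinenumbers);
        printf("Charateristics: %04lx\n", (unsigned long)sh->Characteristics);
    }
    rc = 0;

out:
    free(sections);             /* free(NULL) is a no-op */
    if (pFile != NULL) {
        fclose(pFile);
    }
    return rc;
}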

运行程序打印出如下信息

Name: .text

union_PhysicalAddress: 00022350

union_VirtualSize: 22350

VirtualAddress: 00001000

SizeOfRawData: 00023000

PointerToRawData: 1000

PointerToRelocations: 0000

PointerToLinenumbers: 0000

NumberOfRelocations: 0000

NumberOfLinenumbers: 0000

Charateristics: 60000020

Name: .rdata

union_PhysicalAddress: 00001615

union_VirtualSize: 1615

VirtualAddress: 00024000

SizeOfRawData: 00002000

PointerToRawData: 24000

PointerToRelocations: 0000

PointerToLinenumbers: 0000

NumberOfRelocations: 0000

NumberOfLinenumbers: 0000

Charateristics: 40000040

Name: .data

union_PhysicalAddress: 00005650

union_VirtualSize: 5650

VirtualAddress: 00026000

SizeOfRawData: 00004000

PointerToRawData: 26000

PointerToRelocations: 0000

PointerToLinenumbers: 0000

NumberOfRelocations: 0000

NumberOfLinenumbers: 0000

Charateristics: c0000040

Name: .idata

union_PhysicalAddress: 00000b23

union_VirtualSize: 0b23

VirtualAddress: 0002c000

SizeOfRawData: 00001000

PointerToRawData: 2a000

PointerToRelocations: 0000

PointerToLinenumbers: 0000

NumberOfRelocations: 0000

NumberOfLinenumbers: 0000

Charateristics: c0000040

Name: .reloc

union_PhysicalAddress: 00000f00

union_VirtualSize: 0f00

VirtualAddress: 0002d000

SizeOfRawData: 00001000

PointerToRawData: 2b000

PointerToRelocations: 0000

PointerToLinenumbers: 0000

NumberOfRelocations: 0000

NumberOfLinenumbers: 0000

Charateristics: 42000040

pe文件结构图:

时间,时间,会给我答案 time will give me the answer

再给大家分享一则:下面的程序按命令行给出的进程 PID 打开目标进程,并打印其内存中 PE 头的信息。

#include

#include

/* Per-image bookkeeping shared by the routines of this program.  Only
 * OutputPEInMem() and main() are visible in this excerpt; the remaining
 * globals are presumably filled in by CopyPEFileToMem() (not shown) --
 * confirm against that code before relying on their meaning. */

/* Fixed upper bounds for the per-section and import-descriptor arrays below.
 * NOTE(review): an image may carry more than 16 sections; whatever fills
 * pSecHeader/pSecData/dwSecSize must check NumberOfSections against
 * MAX_SECTION_NUM before indexing. */
#define MAX_SECTION_NUM 16
#define MAX_IMPDESC_NUM 64

HANDLE hHeap;                                  /* set from GetProcessHeap() in main() */

/* Header pointers; OutputPEInMem() points them at the headers of the image
 * it inspects. */
PIMAGE_DOS_HEADER pDosHeader;
PCHAR pDosStub;                                /* presumably the DOS stub bytes -- verify in CopyPEFileToMem() */
DWORD dwDosStubSize;
DWORD dwDosStubOffset;
PIMAGE_NT_HEADERS pNtHeaders;
PIMAGE_FILE_HEADER pFileHeader;
/* Declared as the PE32 (32-bit) variant: OutputPEInMem() assigns
 * &pNtHeaders->OptionalHeader to it, which only type-checks in a 32-bit
 * build, so this program is written for PE32 images only. */
PIMAGE_OPTIONAL_HEADER32 pOptHeader;
PIMAGE_SECTION_HEADER pSecHeaders;             /* presumably the start of the section table */
PIMAGE_SECTION_HEADER pSecHeader[MAX_SECTION_NUM];  /* one entry per section, at most MAX_SECTION_NUM */
WORD wSecNum;                                  /* number of entries in use -- not set in this excerpt */
PBYTE pSecData[MAX_SECTION_NUM];               /* per-section data buffers -- not set in this excerpt */
DWORD dwSecSize[MAX_SECTION_NUM];
DWORD dwFileSize;

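/*
 * Print the PE headers of the process behind hd (a process HANDLE from
 * OpenProcess) as they are mapped in that process's memory.
 *
 * hd is a kernel object handle, not an address: the original code cast it
 * to a pointer and dereferenced it in *this* process, which reads garbage
 * or faults.  The headers have to be copied out of the target with
 * ReadProcessMemory instead.  The process executable is located by walking
 * the target's address space with VirtualQueryEx and taking the first
 * MEM_IMAGE allocation whose DOS/NT headers validate and whose
 * FileHeader.Characteristics lacks IMAGE_FILE_DLL (DLLs set that bit, the
 * main image does not).
 *
 * hd needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ.  Only PE32 images
 * are handled (the globals are declared with the 32-bit header types), and
 * a 32-bit build of this tool only sees the 32-bit view of a target.  On
 * success the globals pDosHeader/pNtHeaders/pFileHeader/pOptHeader point at
 * static copies of the headers, so they stay valid after the call; on
 * failure a message is printed and the globals are left untouched.
 */
void OutputPEInMem(HANDLE hd)
{
    static IMAGE_DOS_HEADER dos;        /* copies read out of the target */
    static IMAGE_NT_HEADERS32 nt;
    MEMORY_BASIC_INFORMATION mbi;
    LPBYTE addr = NULL;
    LPBYTE base = NULL;
    SIZE_T got;

    /* Walk the target's address space one region at a time. */
    while (VirtualQueryEx(hd, addr, &mbi, sizeof mbi) == sizeof mbi) {
        ULONG_PTR next = (ULONG_PTR)mbi.BaseAddress + mbi.RegionSize;

        if (mbi.State == MEM_COMMIT && mbi.Type == MEM_IMAGE
            && mbi.BaseAddress == mbi.AllocationBase   /* first page of a mapped image */
            && ReadProcessMemory(hd, mbi.AllocationBase, &dos, sizeof dos, &got)
            && got == sizeof dos
            && dos.e_magic == IMAGE_DOS_SIGNATURE
            && dos.e_lfanew >= (LONG)sizeof dos
            && ReadProcessMemory(hd, (LPBYTE)mbi.AllocationBase + dos.e_lfanew,
                                 &nt, sizeof nt, &got)
            && got == sizeof nt
            && nt.Signature == IMAGE_NT_SIGNATURE
            && !(nt.FileHeader.Characteristics & IMAGE_FILE_DLL)) {
            base = (LPBYTE)mbi.AllocationBase;
            break;
        }
        if (next <= (ULONG_PTR)addr) {
            break;                              /* wrapped at the top of the address space */
        }
        addr = (LPBYTE)next;
    }

    if (base == NULL) {
        printf("OutputPEInMem: no executable image found in target process\n");
        return;
    }
    if (nt.OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
        printf("OutputPEInMem: image at %p is not a PE32 image\n", (void *)base);
        return;
    }

    pDosHeader = &dos;
    /* IMAGE_NT_HEADERS is IMAGE_NT_HEADERS32 in the 32-bit build this
     * PE32-only program is written for. */
    pNtHeaders = (PIMAGE_NT_HEADERS)&nt;
    pFileHeader = &nt.FileHeader;
    pOptHeader = &nt.OptionalHeader;

    /* Actual load address is printed next to the header's ImageBase because
     * the two differ when the image was relocated. */
    printf("Load Address: %p\n", (void *)base);
    printf("Address Of Entry Point: 0x%08lx\n", (unsigned long)pOptHeader->AddressOfEntryPoint);
    printf("ImageBase: 0x%08lx\n", (unsigned long)pOptHeader->ImageBase);
    printf("Number Of Sections: %d\n", pFileHeader->NumberOfSections);
    printf("Size Of Image: 0x%04lx\n", (unsigned long)pOptHeader->SizeOfImage);
}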

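/*
 * Entry point.  argv[1] is the PID of the process whose in-memory PE headers
 * are printed; afterwards hello.exe is loaded by CopyPEFileToMem() (defined
 * elsewhere in this program).
 *
 * Returns 0 on success; 1 on a missing or non-numeric PID, an OpenProcess
 * failure, or a CopyPEFileToMem failure.
 */
int main(int argc, char *argv[])
{
    LPCSTR lpszFileName = "hello.exe";
    char *end = NULL;
    unsigned long pid;
    HANDLE hd;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <pid>\n", argc > 0 ? argv[0] : "program");
        return 1;
    }
    /* strtoul instead of atoi so that non-numeric input is rejected rather
     * than silently becoming PID 0. */
    pid = strtoul(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || pid == 0) {
        fprintf(stderr, "invalid pid: %s\n", argv[1]);
        return 1;
    }

    /* Least privilege: reading the headers needs only query + VM-read
     * rights.  Asking for PROCESS_ALL_ACCESS requests rights this program
     * never uses and can make OpenProcess fail where a narrower request
     * would be granted. */
    hd = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, (DWORD)pid);
    if (hd == NULL) {
        fprintf(stderr, "OpenProcess(%lu) failed: error %lu\n",
                pid, (unsigned long)GetLastError());
        return 1;
    }
    OutputPEInMem(hd);
    CloseHandle(hd);                /* the handle is not needed past this point */

    hHeap = GetProcessHeap();
    if (!CopyPEFileToMem(lpszFileName)) {
        return 1;
    }
    return 0;
}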
