PE头结构解析(代码实现)

图表实现在:https://www.cnblogs.com/juicyhumberger/articles/17064764.html

#include "stdafx.h"

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

//#define F_PATH "C:\\cntflx\\ipmsg.exe"

int* OpenFile()

{

    FILE* PointToFile = NULL;

    int FileSize = 0;

    int* StrBuffer = NULL;

    int Num = 0;

    //打开文件

    if ((PointToFile = fopen("C:\\WINDOWS\\system32\\notepad.exe","rb")) == NULL) {

        printf("打开文件失败!\n");

        exit(1);

    }

    //获取文件大小

    fseek(PointToFile,0,2);

    FileSize = ftell(PointToFile);

    //重定位指针

    fseek(PointToFile,0,0);

    //buffer指向申请的堆

    StrBuffer = (int*)(malloc(FileSize));

    if (!StrBuffer)

    {

        printf("堆空间分配失败!\n");

        free(StrBuffer);

        return 0;

    }

    //读取文件内容

    Num = fread(StrBuffer,FileSize,1,PointToFile);

    if (!Num)

    {

        printf("读取文件内容失败!\n");

        free(StrBuffer);

        return 0;

    }

    //关闭文件

    fclose(PointToFile);

    //将缓冲区内的文件内容的地址返回到调用函数的地方

    return StrBuffer;

}

int* FileSizes = OpenFile();

int PrintfNtHeaders()

{

    //文件指针

    unsigned int* PointBuffer = (unsigned int*)FileSizes;

    unsigned short* pBuffer = (unsigned short*)PointBuffer;

    unsigned char* pcBuffer = (unsigned char*)PointBuffer;

    //判断MZ和PE的标志

    unsigned short Cmp1 = 0x5A4D;

    unsigned int Cmp2 = 0x00004550;

    //判断文件是否读取成功

    if(!PointBuffer)

    {

        printf("文件读取失败!\n");

        free(PointBuffer);

        return 0;

    }

    //判断是否为MZ标志

    if (*pBuffer != Cmp1)

    {

        printf("不是有效MZ标志!\n");

        printf("%X\n",*pBuffer);

        free(PointBuffer);

        return 0;

    }

    printf("*********打印DOS头*********\n");

    printf("e_magic:\t\t\t%X\n",*(pBuffer));

    printf("e_ifanew:\t\t\t%08X\n\n\n",*(PointBuffer+15));

    //判断是否为PE标志

    if (*(PointBuffer+56) != Cmp2)

    {

        printf("不是有效的PE标志!\n");

        printf("%X\n",*(PointBuffer+56));

        free(PointBuffer);

        return 0;

    }

    printf("*********打印标准PE文件头*********\n");

    printf("PE标志:\t\t\t\t%X\n",*(PointBuffer+56));

    printf("Machine:\t\t\t%04X\n",*(pBuffer+114));

    printf("NumberOfSection:\t\t%04X\n",*(pBuffer+115));

    printf("TimeDateStamp:\t\t\t%08X\n",*(PointBuffer+58));

    printf("PointerToSymbolTable:\t\t%08X\n",*(PointBuffer+59));

    printf("NumberOfSymbols:\t\t%08X\n",*(PointBuffer+60));

    printf("SizeOfOptionalHeader:\t\t%04X\n",*(pBuffer+122));

    printf("Chrarcteristics:\t\t%04X\n\n\n",*(pBuffer+123));

    printf("*********打印标准可选PE头*********\n");

    printf("Magic:\t\t\t\t%04X\n", *(pBuffer+124));

    printf("MajorLinkerVersion:\t\t%02X\n", *(pcBuffer+250));

    printf("MinorLinkerVersion:\t\t%02X\n", *(pcBuffer+251));

    printf("SizeOfCode:\t\t\t%08X\n", *(PointBuffer+63));

    printf("SizeOfInitializedData:\t\t%08X\n", *(PointBuffer+64));

    printf("SizeOfUninitializedData:\t%08X\n", *(PointBuffer+65));

    printf("AddressOfEntryPoint:\t\t%08X\n", *(PointBuffer+66));

    printf("BaseOfCode:\t\t\t%08X\n", *(PointBuffer+67));

    printf("BaseOfData:\t\t\t%08X\n", *(PointBuffer+68));

    printf("ImageBase:\t\t\t%08X\n", *(PointBuffer+69));

    printf("SectionAlignment:\t\t%08X\n", *(PointBuffer+70));

    printf("FileAlignment:\t\t\t%08X\n", *(PointBuffer+71));

    printf("MajorOperatingSystemVersion:\t%04X\n", *(pBuffer+144));

    printf("MinorOperatingSystemVersion:\t%04X\n", *(pBuffer+145));

    printf("MajorImageVersion:\t\t%04X\n", *(pBuffer+146));

    printf("MinorImageVersion:\t\t%04X\n", *(pBuffer+147));

    printf("MajorSubsystemVersion:\t\t%04X\n", *(pBuffer+148));

    printf("MinorSubsystemVersion:\t\t%04X\n", *(pBuffer+149));

    printf("Win32VersionValue:\t\t%08X\n", *(PointBuffer+75));

    printf("SizeOfImage:\t\t\t%08X\n", *(PointBuffer+76));

    printf("SizeOfHeaders:\t\t\t%08X\n", *(PointBuffer+77));

    printf("CheckSum:\t\t\t%08X\n", *(PointBuffer+78));

    printf("Subsystem:\t\t\t%04X\n", *(pBuffer+158));

    printf("DllCharacteristics:\t\t%04X\n", *(pBuffer+159));

    printf("SizeOfStackReserve:\t\t%08X\n", *(PointBuffer+80));

    printf("SizeOfStackCommit:\t\t%08X\n", *(PointBuffer+81));

    printf("SizeOfHeapReserve:\t\t%08X\n", *(PointBuffer+82));

    printf("SizeOfHeapCommit:\t\t%08X\n", *(PointBuffer+83));

    printf("LoaderFlags:\t\t\t%08X\n", *(PointBuffer+84));

    printf("NumberOfRvaAndSizes:\t\t%08X\n\n\n", *(PointBuffer+85));

    printf("*********打印PE节表成员信息*********\n");

/*

Name:                   0x000001d8     [.text]      [名称,长度:8位(16字节)的ASCII码.]

Misc:                     0x000001e0     00007748     [V(VS),内存中大小(对齐前的长度).]

VirtualAddress:         0x000001e4     00001000     [V(VO),内存中偏移(该块的RVA).]

SizeOfRawData:          0x000001e8     00007800     [R(RS),文件中大小(对齐后的长度).]

PointerToRawData:       0x000001ec     00000400     [R(RO),文件中偏移.]

PointerToRelocation:    0x000001f0     00000000     [在OBJ文件中使用,重定位的偏移.]

PointerToLinenumbers:   0x000001f4     00000000     [行号表的偏移,提供调试.]

NumberOfRelocations:    0x000001f6     0000         [在OBJ文件中使用,重定位项数目.]

NumberOfLinenumbers:    0x000001f8     0000         [行号表中行号的数目.]

Characteristics:        0x000001fc     60000020     [标志(块属性):20000000h 40000000h 00000020h ]

*/

    printf("*********打印PE节表[.text]成员信息*********\n");

    printf("Name:\t\t\t\t0x%08X%08X\n", (*(PointBuffer+119)),(*(PointBuffer+118)));

    printf("Misc:\t\t\t\t0x%08X\n", *(PointBuffer+120));

    printf("VirtualAddress:\t\t\t0x%08X\n", *(PointBuffer+121));

    printf("SizeOfRawData:\t\t\t0x%08X\n", *(PointBuffer+122));

    printf("PointerToRawData:\t\t0x%08X\n", *(PointBuffer+123));

    printf("PointerToRelocation:\t\t0x%08X\n", *(PointBuffer+124));

    printf("PointerToLinenumbers:\t\t0x%08X\n", *(PointBuffer+125));

    printf("NumberOfRelocations:\t\t0x%04X\n", *(pBuffer+251));

    printf("NumberOfLinenumbers:\t\t0x%04X\n", *(pBuffer+252));

    printf("Characteristics:\t\t0x%08X\n\n\n", *(PointBuffer+127));

    printf("*********打印PE节表[.data]成员信息*********\n");

    printf("Name:\t\t\t\t0x%08X%08X\n", (*(PointBuffer+129)),(*(PointBuffer+128)));

    printf("Misc:\t\t\t\t0x%08X\n", *(PointBuffer+130));

    printf("VirtualAddress:\t\t\t0x%08X\n", *(PointBuffer+131));

    printf("SizeOfRawData:\t\t\t0x%08X\n", *(PointBuffer+132));

    printf("PointerToRawData:\t\t0x%08X\n", *(PointBuffer+133));

    printf("PointerToRelocation:\t\t0x%08X\n", *(PointBuffer+134));

    printf("PointerToLinenumbers:\t\t0x%08X\n", *(PointBuffer+135));

    printf("NumberOfRelocations:\t\t0x%04X\n", *(pBuffer+271));

    printf("NumberOfLinenumbers:\t\t0x%04X\n", *(pBuffer+272));

    printf("Characteristics:\t\t0x%08X\n\n\n", *(PointBuffer+137));

    printf("*********打印PE节表[.rsrc]成员信息*********\n");

    printf("Name:\t\t\t\t0x%08X%08X\n", (*(PointBuffer+139)),(*(PointBuffer+138)));

    printf("Misc:\t\t\t\t0x%08X\n", *(PointBuffer+140));

    printf("VirtualAddress:\t\t\t0x%08X\n", *(PointBuffer+141));

    printf("SizeOfRawData:\t\t\t0x%08X\n", *(PointBuffer+142));

    printf("PointerToRawData:\t\t0x%08X\n", *(PointBuffer+143));

    printf("PointerToRelocation:\t\t0x%08X\n", *(PointBuffer+144));

    printf("PointerToLinenumbers:\t\t0x%08X\n", *(PointBuffer+145));

    printf("NumberOfRelocations:\t\t0x%04X\n", *(pBuffer+291));

    printf("NumberOfLinenumbers:\t\t0x%04X\n", *(pBuffer+292));

    printf("Characteristics:\t\t0x%08X\n\n\n", *(PointBuffer+147));

    free(PointBuffer);

    return 0;

}

int main()

{

    PrintfNtHeaders();

     OpenFile();

     return 0;

}

PE头结构解析(代码实现)的更多相关文章

  1. RTP头结构解析

    RTP包头前12个固定字节机构图: 0                   1                   2                   3 0 1 2 3 4 5 6 7 8 9 ...

  2. PE头详细分析

    目录 PE头详细分析 0x00 前言 0x01 PE文件介绍 0x02 PE头详细分析 DOS头解析 NT头解析 标准PE头解析 可选PE头解析 可选PE头结构 基址 代码段地址 数据段地址 OEP程 ...

  3. 手写PE结构解析工具

    PE格式是 Windows下最常用的可执行文件格式,理解PE文件格式不仅可以了解操作系统的加载流程,还可以更好的理解操作系统对进程和内存相关的管理知识,而有些技术必须建立在了解PE文件格式的基础上,如 ...

  4. Win32汇编-编写PE结构解析工具

    汇编语言(assembly language)是一种用于电子计算机.微处理器.微控制器或其他可编程器件的低级语言,亦称为符号语言.在汇编语言中,用助记符(Mnemonics)代替机器指令的操作码,用地 ...

  5. pe头

    1.dos头 结构: struct _IMAGE_DOS_HEADER {     WORD e_magic;     WORD e_cblp;     WORD e_cp;     WORD e_c ...

  6. Windows Pe 第三章 PE头文件(中)

    这一章的上半部分大体介绍了下PE文件头,下半部分是详细介绍里面的内容,这一章一定要多读几遍,好好记记基础概念和知识,方便之后的学习. 简单回忆一下: 3.4  PE文件头部解析 3.4.1 DOS M ...

  7. PE知识复习之PE的各种头属性解析

    PE知识复习之PE的各种头属性解析 一丶DOS头结构体 typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header WORD e_magic; // M ...

  8. 逆向-PE头解析

    目录 PE头解析 数据结构 IMAGE_DOS_HEADER IMAGE_NT_HEADERS 区块 PE头解析 PE 格式是Windows系统下组织可执行文件的格式.PE文件由文件头和对应的数据组成 ...

  9. PE头的应用---插入代码到EXE或DLL文件中

    三.代码实现(DELPHI版本),采用第三种方式实现代码插入. 1. 定义两个类,一个用来实现在内存中建立输入表:一个用来实现对PE头的代码插入. DelphiCode: const MAX_SECT ...

  10. PE格式文件的解析代码

    #include "Global.h" ; //标志,用于表示是否为pe32+文件 ; //标志,用于表示读入的模式,若为0代表是内存读入,不为0,代表是文件打开,此时mode是文 ...

随机推荐

  1. EPSS 解读:与 CVSS 相比,孰美?

    通用漏洞评分系统(CVSS)是当前应用最频繁的评分系统以评估安全漏洞的严重性.但是,由于该系统在评估漏洞和优先级排序方面存在不足而遭受批评.因此,有部分专业人士呼吁使用漏洞利用预测评分系统(EPSS) ...

  2. js逆向之补环境常用代码

    //第一种 补环境的方法 let test1 = { name:"小红" }; test = new Proxy(test1,{ get(target,key){ console. ...

  3. 3_多维数组转一维数组 reduce()

    一,二维数组转一维数组 1 //1. 二维数组转一维数组 2 let arr = [[0,1],[2,3],[4,5]] 3 let newArr = arr.reduce((pre,cur) =&g ...

  4. 痞子衡嵌入式:MCUBootUtility v4.0发布,开始支持MCX啦

    -- 痞子衡维护的 NXP-MCUBootUtility 工具距离上一个大版本(v3.5.0)发布过去 9 个月了,这一次痞子衡为大家带来了版本升级 v4.0.0,这个版本主要有两个重要更新需要跟大家 ...

  5. win32com操作word 第二集:Application&Documents接口

    本课程<win32com操作word API精讲&项目实战>以视频为主,文字教程为辅,公众号ID:一灯编程. 先回答一个网友私信问题: win32com和微软的word接口文档有什 ...

  6. 1. 使用 fluent-bit 采集文件

    1. 使用 fluent-bit 采集文件 简介 Fluent Bit是一款快速.灵活的日志处理器,旨在收集.解析.过滤日志,并将日志发送到远程数据库,以便执行数据分析. 数据分析通常发生在数据存储和 ...

  7. 【力扣】反转链表I和II(迭代和递归)

    前言 有句话叫做:如果面试官跟你看顺眼的话,就给你出一道反转链表,否则就出一道 hard. 所以反转链表不能不会吧,要不面试官想要你都没有机会了. 206. 反转链表 class Solution { ...

  8. Ant Design Table 如何动态自定义?Ant Popover 遮挡?

    项目场景: 基于electron + Vue + node.js + express + mysql + evanpatchouli-mysql + Ant-Design-Vue,编写一款属于自己的轻 ...

  9. Ubuntu 22.04 运行 Appimage 文件

    解决方法 sudo apt-get update sudo apt install fuse libfuse2 chmod a+x *.appimage 参考资料 https://bynss.com/ ...

  10. 踩坑实录---Angular防抖——点击事件

    npx ng g directive DebounceClickDirective --module=app 然后自动生成了2 个文件 CREATE src/app/debounce-click-di ...