仿LordPE获取PE结构
乍一看LordPE一个小工具一般般,真的动手做起来才知道技术含量高的很。
当前只是获取到PE结构并打印,仅此而已。
PE.h
#pragma once
#include <stdio.h>
#include <stdarg.h> #include <Windows.h>
#include <time.h> HANDLE m_hFile = NULL; // 文件句柄
HANDLE m_hMap = NULL; // 文件映射句柄
LPVOID m_lpBase = NULL; // 映射基址
DWORD m_dwLen = ; // 文件数据大小
IMAGE_DOS_HEADER *m_pDosHeader = NULL; // Dos头
IMAGE_NT_HEADERS *m_pNtHeaders = NULL; // NT头
IMAGE_SECTION_HEADER *m_pSecHeader = NULL; /*
读取PE磁盘文件
fileUrl:文件路径
lpSaveData:保存数据的指针
成功返回数据大小,失败返回0.
*/
DWORD ReadPeFile(char *fileUrl, LPVOID lpSaveData); VOID DestroryFunc(void);
PE.cpp
#include "PE.h" DWORD ReadPeFile(char *fileUrl, LPVOID lpSaveData)
{
m_hFile = CreateFile(fileUrl, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (m_hFile == INVALID_HANDLE_VALUE)
{
printf("[ReadPeFile]:Can't open file!\n");
return ;
}
m_hMap = CreateFileMapping(m_hFile, NULL, PAGE_READWRITE | SEC_IMAGE, , , );
if (!m_hMap)
{
printf("[ReadPeFile]:Can't create filemap!\n");
return ;
}
m_lpBase = MapViewOfFile(m_hMap, FILE_MAP_READ | FILE_MAP_WRITE, , , );
if (!m_lpBase)
{
printf("[ReadPeFile]:MapViewOfFile bad!\n");
return ;
}
m_dwLen = GetFileSize(m_hFile, &m_dwLen);
m_pDosHeader = (PIMAGE_DOS_HEADER)m_lpBase;
if (m_pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
{
printf("[ReadPeFile]:Not is pe file!\n");
return ;
}
m_pNtHeaders = (PIMAGE_NT_HEADERS)((DWORD)m_lpBase + m_pDosHeader->e_lfanew);
if (m_pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
{
printf("[ReadPeFile]:Not is execut programmer!\n");
return ;
}
m_pSecHeader = (PIMAGE_SECTION_HEADER)((DWORD)&(m_pNtHeaders->OptionalHeader) + m_pNtHeaders->FileHeader.SizeOfOptionalHeader);
return m_dwLen;
} VOID DestroryFunc(void)
{
CloseHandle(m_hMap);
CloseHandle(m_hFile);
UnmapViewOfFile(m_lpBase);
} LPCSTR _getMachineName(WORD wMachine)
{
char *name = (char *)malloc(); switch (wMachine)
{
case :
lstrcpy(name, "Unknown");
break;
case 0x14c:
lstrcpy(name, "Intel 386");
break;
case 0x0162:
lstrcpy(name, "MIPS little-endian, 0x160 big-endian");
break;
case 0x0166:
lstrcpy(name, "MIPS little-endian");
break;
case 0x0168:
lstrcpy(name, "MIPS little-endian");
break;
case 0x0169:
lstrcpy(name, "MIPS little-endian WCE v2");
break;
case 0x0184:
lstrcpy(name, "Alpha_AXP");
break;
case 0x01a2:
lstrcpy(name, "SH3 little-endian");
break;
case 0x01a4:
lstrcpy(name, "SH3E little-endian");
break;
case 0x01a6:
lstrcpy(name, "SH4 little-endian");
break;
case 0x01a8:
lstrcpy(name, "SH5");
break;
case 0x01c0:
lstrcpy(name, "ARM Little-Endian");
break;
case 0x01c2:
lstrcpy(name, "ARM Thumb/Thumb-2 Little-Endian");
break;
case 0x01c4:
lstrcpy(name, "ARM Thumb-2 Little-Endian");
break;
case 0x01F0:
lstrcpy(name, "IBM PowerPC Little-Endian");
break;
case 0x0200:
lstrcpy(name, "Intel 64");
break;
case 0x0266:
lstrcpy(name, "MIPS");
break;
case 0x0284:
lstrcpy(name, "ALPHA64");
break;
case 0x0366:
lstrcpy(name, "MIPS");
break;
case 0x0466:
lstrcpy(name, "MIPS");
break;
case 0x0520:
lstrcpy(name, "Infineon");
break;
case 0x0EBC:
lstrcpy(name, "EFI Byte Code");
break;
case 0x8664:
lstrcpy(name, "AMD64 (K8)");
break;
case 0x9041:
lstrcpy(name, "M32R little-endian");
break;
default:
free(name);
return NULL;
break;
}
return name;
} VOID _printFormat(char *dataName, WORD *dataAddr, int nSize)
{
printf("\t%s:", dataName);
for (int i = ; i < (int)( - strlen(dataName)); i++)
{
printf(" ");
}
printf("0x");
for (int i = ; i < nSize; i++)
{
printf("%04X", dataAddr[i]);
}
printf("\n");
} VOID test_PrintPeInfo(void)
{
char infoTmp[] = { }; printf("->DOS Header\n");
_printFormat("e_magic", &m_pDosHeader->e_magic, );
_printFormat("e_cblp", &m_pDosHeader->e_cblp, );
_printFormat("e_cp", &m_pDosHeader->e_cp, );
_printFormat("e_crlc", &m_pDosHeader->e_crlc, );
_printFormat("e_cparhdr", &m_pDosHeader->e_cparhdr, );
_printFormat("e_minalloc", &m_pDosHeader->e_minalloc, );
_printFormat("e_maxalloc", &m_pDosHeader->e_maxalloc, );
_printFormat("e_ss", &m_pDosHeader->e_ss, );
_printFormat("e_sp", &m_pDosHeader->e_sp, );
_printFormat("e_csum", &m_pDosHeader->e_csum, );
_printFormat("e_ip", &m_pDosHeader->e_ip, );
_printFormat("e_cs", &m_pDosHeader->e_cs, );
_printFormat("e_lfarlc", &m_pDosHeader->e_lfarlc, );
_printFormat("e_ovno", &m_pDosHeader->e_ovno, );
_printFormat("e_res", m_pDosHeader->e_res, );
_printFormat("e_oeminfo", &m_pDosHeader->e_oemid, );
_printFormat("e_oeminfo", &m_pDosHeader->e_oeminfo, );
_printFormat("e_res2", m_pDosHeader->e_res2, );
printf("\te_lfanew: 0x%08X\n\n", m_pDosHeader->e_lfanew); printf("->File Header\n");
printf("\tMachine: 0x%04X (%s)\n", m_pNtHeaders->FileHeader.Machine,_getMachineName(m_pNtHeaders->FileHeader.Machine));
printf("\tNumberOfSections: 0x%04X\n", m_pNtHeaders->FileHeader.NumberOfSections);
struct tm Tm = { };
gmtime_s(&Tm, (time_t *)&(m_pNtHeaders->FileHeader.TimeDateStamp));
printf("\tTimeDateStamp: 0x%04X (%d/%d/%d %d:%d:%d)\n", m_pNtHeaders->FileHeader.TimeDateStamp, Tm.tm_year + , Tm.tm_mon + , Tm.tm_mday, Tm.tm_hour, Tm.tm_min, Tm.tm_sec);
printf("\tPointerToSymbolTable: 0x%04X\n", m_pNtHeaders->FileHeader.PointerToSymbolTable);
printf("\tNumberOfSymbols: 0x%04X\n", m_pNtHeaders->FileHeader.NumberOfSymbols);
printf("\tSizeOfOptionalHeader: 0x%04X\n", m_pNtHeaders->FileHeader.SizeOfOptionalHeader);
printf("\tCharacteristics: 0x%04X\n\n", m_pNtHeaders->FileHeader.Characteristics); printf("->Optional Header\n");
printf("\tMagic: 0x%04X",m_pNtHeaders->OptionalHeader.Magic);
switch (m_pNtHeaders->OptionalHeader.Magic)
{
case IMAGE_NT_OPTIONAL_HDR32_MAGIC:
printf(" (HDR32_MAGIC)\n");
break;
case IMAGE_NT_OPTIONAL_HDR64_MAGIC:
printf(" (HDR64_MAGIC)\n");
break;
case IMAGE_ROM_OPTIONAL_HDR_MAGIC:
printf(" (ROM_MAGIC)\n");
break;
default:
printf(" (Unknown)\n");
break;
}
printf("\tMajorLinkerVersion: 0x%02X\n", m_pNtHeaders->OptionalHeader.MajorLinkerVersion);
printf("\tMinorLinkerVersion: 0x%02X -> %d.%02d\n", m_pNtHeaders->OptionalHeader.MinorLinkerVersion,m_pNtHeaders->OptionalHeader.MajorLinkerVersion,m_pNtHeaders->OptionalHeader.MinorLinkerVersion);
printf("\tSizeOfCode: 0x%08X\n", m_pNtHeaders->OptionalHeader.SizeOfCode);
printf("\tSizeOfInitializedData: 0x%08X\n", m_pNtHeaders->OptionalHeader.SizeOfInitializedData);
printf("\tSizeOfUninitializedData: 0x%08X\n", m_pNtHeaders->OptionalHeader.SizeOfUninitializedData);
printf("\tAddressOfEntryPoint: 0x%08X\n", m_pNtHeaders->OptionalHeader.AddressOfEntryPoint);
printf("\tBaseOfCode: 0x%08X\n", m_pNtHeaders->OptionalHeader.BaseOfCode);
printf("\tBaseOfData: 0x%08X\n", m_pNtHeaders->OptionalHeader.BaseOfData);
printf("\tImageBase: 0x%08X\n", m_pNtHeaders->OptionalHeader.ImageBase);
printf("\tSectionAlignment: 0x%08X\n", m_pNtHeaders->OptionalHeader.SectionAlignment);
printf("\tFileAlignment: 0x%08X\n", m_pNtHeaders->OptionalHeader.FileAlignment);
printf("\tMajorOperatingSystemVersion: 0x%08X\n", m_pNtHeaders->OptionalHeader.MajorOperatingSystemVersion);
printf("\tMinorOperatingSystemVersion: 0x%08X -> %d.%02d\n", m_pNtHeaders->OptionalHeader.MinorOperatingSystemVersion, m_pNtHeaders->OptionalHeader.MajorOperatingSystemVersion, m_pNtHeaders->OptionalHeader.MinorOperatingSystemVersion);
printf("\tMajorImageVersion: 0x%08X\n", m_pNtHeaders->OptionalHeader.MajorImageVersion);
printf("\tMinorImageVersion: 0x%08X -> %d.%02d\n", m_pNtHeaders->OptionalHeader.MinorImageVersion, m_pNtHeaders->OptionalHeader.MajorImageVersion, m_pNtHeaders->OptionalHeader.MinorImageVersion);
printf("\tMajorSubsystemVersion: 0x%08X\n", m_pNtHeaders->OptionalHeader.MajorSubsystemVersion);
printf("\tMinorSubsystemVersion: 0x%08X -> %d.%02d\n", m_pNtHeaders->OptionalHeader.MinorSubsystemVersion, m_pNtHeaders->OptionalHeader.MajorSubsystemVersion, m_pNtHeaders->OptionalHeader.MinorSubsystemVersion);
printf("\tWin32VersionValue: 0x%08X\n", m_pNtHeaders->OptionalHeader.Win32VersionValue);
printf("\tSizeOfImage: 0x%08X\n", m_pNtHeaders->OptionalHeader.SizeOfImage);
printf("\tSizeOfHeaders: 0x%08X\n", m_pNtHeaders->OptionalHeader.SizeOfHeaders);
printf("\tCheckSum: 0x%08X\n", m_pNtHeaders->OptionalHeader.CheckSum);
printf("\tSubsystem: 0x%04X", m_pNtHeaders->OptionalHeader.Subsystem);
switch (m_pNtHeaders->OptionalHeader.Subsystem)
{
case IMAGE_SUBSYSTEM_UNKNOWN:
printf(" (Unknown)\n");
break;
case IMAGE_SUBSYSTEM_NATIVE:
printf(" (Driver And SysPro)\n");
break;
case IMAGE_SUBSYSTEM_WINDOWS_GUI:
printf(" (Windows_GUI)\n");
break;
case IMAGE_SUBSYSTEM_WINDOWS_CUI:
printf(" (Windows_CUI)\n");
break;
case IMAGE_SUBSYSTEM_OS2_CUI:
printf(" (OS/2_CUI)\n");
break;
case IMAGE_SUBSYSTEM_POSIX_CUI:
printf(" (POSIX_CUI)\n");
break;
case IMAGE_SUBSYSTEM_WINDOWS_CE_GUI:
printf(" (WinCE_GUI)\n");
break;
case IMAGE_SUBSYSTEM_EFI_APPLICATION:
printf(" (EFI)\n");
break;
case IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER:
printf(" (EFI_Driver)\n");
break;
case IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER:
printf(" (EFI_Dirver Run-Time)\n");
break;
case IMAGE_SUBSYSTEM_EFI_ROM:
printf(" (EFI_ROM)\n");
break;
case IMAGE_SUBSYSTEM_XBOX:
printf(" (XBox)\n");
break;
case IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION:
printf(" (Boot Application)\n");
break;
default:
printf(" (Unknown!)");
break;
}
printf("\tDllCharacteristics: 0x%04X\n", m_pNtHeaders->OptionalHeader.DllCharacteristics);
printf("\tSizeOfStackReserve: 0x%08X\n", m_pNtHeaders->OptionalHeader.SizeOfStackReserve);
printf("\tSizeOfStackCommit: 0x%08X\n", m_pNtHeaders->OptionalHeader.SizeOfStackCommit);
printf("\tSizeOfHeapReserve: 0x%08X\n", m_pNtHeaders->OptionalHeader.SizeOfHeapReserve);
printf("\tLoaderFlags: 0x%08X\n", m_pNtHeaders->OptionalHeader.LoaderFlags);
printf("\tNumberOfRvaAndSizes: 0x%08X\n\n", m_pNtHeaders->OptionalHeader.NumberOfRvaAndSizes); printf("\tDataDirectory(16) RVA Size\n");
printf("\t----------------- ---------- ----------\n");
for (DWORD dwI = ; dwI < m_pNtHeaders->OptionalHeader.NumberOfRvaAndSizes; dwI++)
{
switch (dwI)
{
case :
printf("\t%-29s", "ExportTable");
break;
case :
printf("\t%-29s", "ImportTable");
break;
case :
printf("\t%-29s", "Resource");
break;
case :
printf("\t%-29s", "Exception");
break;
case :
printf("\t%-29s", "Security");
break;
case :
printf("\t%-29s", "Relocation");
break;
case :
printf("\t%-29s", "Debug");
break;
case :
printf("\t%-29s", "Copyright");
break;
case :
printf("\t%-29s", "GlobalPtr");
break;
case :
printf("\t%-29s", "TLSTable");
break;
case :
printf("\t%-29s", "LoadConfig");
break;
case :
printf("\t%-29s", "BoundImport");
break;
case :
printf("\t%-29s", "IAT");
break;
case :
printf("\t%-29s", "DelayImport");
break;
case :
printf("\t%-29s", "COM");
break;
case :
printf("\t%-29s", "Reserved");
break;
default:
printf("\t%-29s", "Unknown");
break;
}
printf("0x%08X 0x%08X", m_pNtHeaders->OptionalHeader.DataDirectory[dwI].VirtualAddress, m_pNtHeaders->OptionalHeader.DataDirectory[dwI].Size);
for (WORD wI = ; wI < m_pNtHeaders->FileHeader.NumberOfSections; wI++)
{
// 如果该数据目录的起始地址>某节起始地址 && 该数据目录的结束地址<某节结束地址,那么就说明该数据目录存在此节中.
if ((m_pSecHeader[wI].VirtualAddress <= m_pNtHeaders->OptionalHeader.DataDirectory[dwI].VirtualAddress) && ((m_pSecHeader[wI].VirtualAddress + m_pSecHeader[wI].Misc.VirtualSize) >= (m_pNtHeaders->OptionalHeader.DataDirectory[dwI].VirtualAddress + m_pNtHeaders->OptionalHeader.DataDirectory[dwI].Size)))
{
printf(" (\"%s\")", m_pSecHeader[wI].Name);
break;
}
}
printf("\n");
}
return;
} int main(void)
{ LPVOID lpData = NULL;
printf("Hello Pe!\n");
ReadPeFile("C:\\Users\\Hades\\Desktop\\测试程序.exe", lpData);
test_PrintPeInfo();
DestroryFunc();
system("pause");
return ;
}
效果图:
以后有机会我要一步步的仿造出LordPE的所有功能。
仿LordPE获取PE结构的更多相关文章
- 【PE结构】由浅入深PE基础学习-菜鸟手动查询导出表、相对虚拟地址(RVA)与文件偏移地址转换(FOA)
0 前言 此篇文章想写如何通过工具手查导出表.PE文件代码编程过程中的原理.文笔不是很好,内容也是查阅了很多的资料后整合出来的.希望借此加深对PE文件格式的理解,也希望可以对看雪论坛有所贡献.因为了解 ...
- 手写PE结构解析工具
PE格式是 Windows下最常用的可执行文件格式,理解PE文件格式不仅可以了解操作系统的加载流程,还可以更好的理解操作系统对进程和内存相关的管理知识,而有些技术必须建立在了解PE文件格式的基础上,如 ...
- 【转】pe结构详解
(一)基本概念 PE(Portable Execute)文件是Windows下可执行文件的总称,常见的有DLL,EXE,OCX,SYS等, 事实上,一个文件是否是PE文件与其扩展名无关,PE文件可以是 ...
- 羽夏笔记——PE结构(不包含.Net)
写在前面 本笔记是由本人独自整理出来的,图片来源于网络.本人非计算机专业,可能对本教程涉及的事物没有了解的足够深入,如有错误,欢迎批评指正. 如有好的建议,欢迎反馈.码字不易,如果本篇文章有帮助你 ...
- 修改记事本PE结构弹计算器Shellcode
目录 修改记事本PE结构弹计算器Shellcode 0x00 前言 0x01 添加新节 修改节数量 节表位置 添加新节表信息 0x02 添加弹计算器Shellcode 修改代码 0x03 修改入口点 ...
- 羽夏壳世界—— PE 结构(上)
羽夏壳世界之 PE 结构(上),介绍难度较低的基本 PE 相关结构体.
- Greenplum获取表结构
最近在折腾greenplum,遇到一个蛋疼的问题,那就是获取表结构,也就是建表语句.大家都知道在MySQL里面是非常easy的,show create table table_name 就搞定了,在g ...
- Sql中获取表结构(字段名称,类型,长度,说明)
Sql中获取表结构(字段名称,类型,长度,说明) SELECT TableName = OBJECT_NAME(c.object_id), ColumnsName = c.name, Descript ...
- PE结构学习笔记--关于AddressOfEntryPoint位置在文件中怎么确定问题
第一次学习PE结构,也不知道有没有更好的办法. 1.AddressOfEntryPoint 这个成员在OptionalHeader里面,OptionalHeader的类型是一个IMAGE_OPTION ...
随机推荐
- javaSE练习2——流程控制_2.1
一.企业发放的奖金根据利润提成.利润低于或等于10万元时,奖金可提10%:利润高于10万元,低于20万元时,低于10万元的部分按10%提成,高于10万元的部分,可提成7.5%:20万到40万之间时,高 ...
- 从零开始的全栈工程师——html篇1
全栈工程师也可以叫web 前端 H5主要是网站 app 小程序 公众号这一块 HTML篇 html(超文本标记语言,标记通用标记语言下的一个应用.) “超文本”就是指页面内可以包含图片.链接,甚至音乐 ...
- 【转载】win7mysql5.7.18免安装配置教程
闲着没事,装个mysql试试,小编以前都是用的linux,感觉mysql安装就是傻瓜式操作啊,第一次在windows系统上装,感觉出了很多问题,现在将整个过程分享给大家,希望大家在安装的时候少走弯路. ...
- 【阿里云产品公测】PTS压力测试服务器性能
作者:阿里云用户xsnjxjj 在PTS服务之前,经常使用webbench来对服务器进行压力测试,在看到阿里云PTS服务的介绍以后,深深的被PTS强大的功能所吸引 非常感谢阿里云团队给予的测试 ...
- 【Linux】Linux入门及常见基本操作命令详解
本文基于 Red Hat Enterprise Linux 6 一.Linux 入门体验 1.1 root用户登陆 1.2 图形化与纯字符模式切换 init 5 - 图形模式 init 3 - 纯字符 ...
- Web测试中定位bug方法
在web测试过程中,经常会遇到页面中内容或数据显示错误,甚至不显示,第一反应就是BUG,没错,确实是BUG.进一步了解这个BUG的问题出在那里,是测试人员需要掌握的,可以简单的使用浏览器自带开发者工具 ...
- 论文投稿Cover letter
转自:http://blog.sciencenet.cn/blog-479412-686426.html,感谢分享! 1.第一次投稿Cover letter:主要任务是介绍文章主要创新以及声明没有一稿 ...
- python随机生成手机号码
一句话生成电话号码random.choice(['139','188','185','136','158','151'])+"".join(random.choice(" ...
- 新发布 | Azure镜像市场正式上线
由世纪互联运营的 Azure 镜像市场于2016年9月21日正式落地中国市场,在客户和软件开发商间搭建起了一站式门户.来自全球和本地领先软件开发商并基于 Azure 的云应用.云服务和解决方案在门户中 ...
- 从零搭建docker+jenkins 自动化部署环境
从零搭建docker+jenkins+node.js自动化部署环境 本次案例基于CentOS 7系统 适合有一定docker使用经验的人阅读 适合有一定linux命令使用经验的人阅读 1.docker ...