PeCheck
早上起来看到这个代码 整理一下
// PETableDlg.cpp : 实现文件
// #include "stdafx.h"
#include "PECheck.h"
#include "PETableDlg.h"
#include "afxdialogex.h" // CPETableDlg 对话框 #define MakePtr(a,b,c) ((a)((char*)b+c)) extern
ULONG g_SelectTab;
extern
int dpix; UINT g_Column_Count_DirTable = ;
COLUMNSTRUCT g_Column_DirTableList[] =
{
{ L"Name", }, //ldr
{ L"RVA", }, //传递
{ L"Size", }, //
{L"RAW", },
{L"所属区块", }
}; UINT g_Column_Count_SectionTable = ;
COLUMNSTRUCT g_Column_SectionTableList[] =
{
{ L"Name", }, //ldr
{ L"RVA", }, //传递
{ L"内存区块大小(未对齐)", }, //
{L"文件偏移(offset)", },
{L"文件大小", }
}; UINT g_Column_Count_ImportTable = ;
COLUMNSTRUCT g_Column_ImportTableList[] =
{
{ L"函数序号", }, //ldr
{ L"函数名", }, //传递
{ L"函数地址", }, //
{L"导入模块",}
}; UINT g_Column_Count_ExportTable = ;
COLUMNSTRUCT g_Column_ExportTableList[] =
{
{ L"函数序号", }, //ldr
{ L"函数名", }, //传递
{ L"函数地址", }, //
{L"RVA", },
{L"Offset", }
}; UINT g_Column_Count_RelocTable = ;
COLUMNSTRUCT g_Column_RelocTableList[] =
{
{ L"重定位表RVA", }, //ldr
{L"重定位表Offset",},
{ L"重定位结构大小", }, //传递
{ L"TypeOffset", },
{L"重定位项RVA",},
{L"重定位项Offset",},
{L"需要重定位的数据",}
}; WCHAR wzDirTable[][] = {L"导出表地址",L"导入名称表",L"资源表",L"异常表",L"证书",L"重定向表",L"调试",L"版权",L"全局指针",L"LTS",L"加载配置",L"绑定导入表",L"导入地址表(IAT)",L"延迟加载导入表",L".NET 运行时"}; IMPLEMENT_DYNAMIC(CPETableDlg, CDialog) CPETableDlg::CPETableDlg(CWnd* pParent /*=NULL*/)
: CDialog(CPETableDlg::IDD, pParent)
, m_Table1(_T(""))
, m_Table2(_T(""))
, m_Table3(_T(""))
, m_Table4(_T(""))
, m_EditTable1(_T(""))
, m_EditTable2(_T(""))
, m_EditTable3(_T(""))
, m_EditTable4(_T(""))
{ } CPETableDlg::~CPETableDlg()
{
} void CPETableDlg::DoDataExchange(CDataExchange* pDX)
{
CDialog::DoDataExchange(pDX);
DDX_Control(pDX, IDC_LIST1, m_ListTable);
DDX_Text(pDX, IDC_STATIC_TABLE1, m_Table1);
DDX_Text(pDX, IDC_STATIC_TABLE2, m_Table2);
DDX_Text(pDX, IDC_STATIC_TABLE3, m_Table3);
DDX_Text(pDX, IDC_STATIC_TABLE4, m_Table4);
DDX_Text(pDX, IDC_EDIT_TABLE1, m_EditTable1);
DDX_Text(pDX, IDC_EDIT_TABLE2, m_EditTable2);
DDX_Text(pDX, IDC_EDIT_TABLE3, m_EditTable3);
DDX_Text(pDX, IDC_EDIT_TABLE4, m_EditTable4);
} BEGIN_MESSAGE_MAP(CPETableDlg, CDialog)
// ON_EN_CHANGE(IDC_EDIT4, &CPETableDlg::OnEnChangeEdit4)
END_MESSAGE_MAP() // CPETableDlg 消息处理程序 //void CPETableDlg::OnEnChangeEdit4()
//{
// // TODO: 如果该控件是 RICHEDIT 控件,它将不
// // 发送此通知,除非重写 CDialog::OnInitDialog()
// // 函数并调用 CRichEditCtrl().SetEventMask(),
// // 同时将 ENM_CHANGE 标志“或”运算到掩码中。
//
// // TODO: 在此添加控件通知处理程序代码
//} VOID
CPETableDlg::ShowPeTable(CHAR* FileData,PETYPE PeType)
{
UpdateData(TRUE); switch(g_SelectTab)
{
case :
{
//m_GroupStatic.Format(L"目录表详细信息");
m_Table1.Format(L"");
m_Table2.Format(L"");
m_Table3.Format(L"");
m_Table4.Format(L""); ShowDataDirTable(FileData,PeType);
break;
} case :
{
//m_GroupStatic.Format(L"区块表详细信息");
m_Table1.Format(L"");
m_Table2.Format(L"");
m_Table3.Format(L"");
m_Table4.Format(L""); ShowSectionTable(FileData,PeType);
break;
} case :
{
//m_GroupStatic.Format(L"导入表详细信息"); m_Table1.Format(L"输入表RVA");
m_Table2.Format(L"");
m_Table3.Format(L"");
m_Table4.Format(L""); ShowImportTable(FileData,PeType);
break;
} case :
{
//m_GroupStatic.Format(L"导出表详细信息"); m_Table1.Format(L"模块真实名称");
m_Table2.Format(L"函数地址数组RVA");
m_Table3.Format(L"函数名字指针RVA");
m_Table4.Format(L"导出序号数组RVA"); m_EditTable1.Format(L""); ShowExportTable(FileData,PeType);
break;
} case :
{
m_Table1.Format(L"");
m_Table2.Format(L"");
m_Table3.Format(L"");
m_Table4.Format(L"");
ShowRelocTable(FileData,PeType); break;
} default:
break;
} UpdateData(FALSE);
} VOID
CPETableDlg::ShowDataDirTable(CHAR* szFileData,PETYPE PeType)
{ PIMAGE_NT_HEADERS32 NtHead = NULL;
PIMAGE_NT_HEADERS64 NtHeader64 = NULL;
PIMAGE_NT_HEADERS32 NtHeader32 = NULL;
IMAGE_OPTIONAL_HEADER32 OptionHead32;
IMAGE_OPTIONAL_HEADER64 OptionHead64;
PIMAGE_SECTION_HEADER SectionHeader = NULL; ULONG DataDirTable = ;
ULONG DataSize = ;
ULONG_PTR DataRaw = ; CString strRVA;
CString strSize;
CString strSection;
CString strRaw; while(m_ListTable.DeleteColumn());
m_ListTable.DeleteAllItems(); m_ListTable.SetExtendedStyle(LVS_EX_FULLROWSELECT|LVS_EX_GRIDLINES|LVS_EX_HEADERDRAGDROP); UINT i = ;
for (i = ;i<g_Column_Count_DirTable;i++)
{
m_ListTable.InsertColumn(i, g_Column_DirTableList[i].szTitle,LVCFMT_LEFT,(int)(g_Column_DirTableList[i].nWidth*(dpix/96.0)));
} if (szFileData==NULL)
{
return;
} PIMAGE_DOS_HEADER DosHead = (PIMAGE_DOS_HEADER)szFileData; //ReadFile()返回的szFileData地址 switch(PeType)
{
case PE:
{
NtHeader32 = (PIMAGE_NT_HEADERS32)((ULONG)szFileData+DosHead->e_lfanew);
OptionHead32 = NtHeader32->OptionalHeader; for (int i = ;i<OptionHead32.NumberOfRvaAndSizes;i++)
{
DataDirTable = OptionHead32.DataDirectory[i].VirtualAddress;
DataSize = OptionHead32.DataDirectory[i].Size; //得到数据块在文件中的偏移
DataRaw = RVATwoOffset(NtHeader32,DataDirTable); //计算数据块属于哪个节中
SectionHeader = GetSectionHeaderFromRva(DataDirTable,(PIMAGE_NT_HEADERS)NtHeader32); strRVA.Format(L"0x%X",DataDirTable);
strSize.Format(L"0x%X",DataSize);
strSection = SectionHeader->Name;
strRaw.Format(L"0x%X",DataRaw); int n = m_ListTable.GetItemCount();
int j = m_ListTable.InsertItem(n, wzDirTable[i]);
m_ListTable.SetItemText(j, , strRVA);
m_ListTable.SetItemText(j, , strSize);
m_ListTable.SetItemText(j,,strRaw);
m_ListTable.SetItemText(j,,strSection); } break;
} case PE64:
{
NtHeader64 = (PIMAGE_NT_HEADERS64)((ULONG)szFileData+DosHead->e_lfanew); OptionHead64 = NtHeader64->OptionalHeader; for (int i = ;i<OptionHead64.NumberOfRvaAndSizes;i++)
{
DataDirTable = OptionHead64.DataDirectory[i].VirtualAddress;
DataSize = OptionHead64.DataDirectory[i].Size; DataRaw = RVATwoOffset64(NtHeader64,DataDirTable); SectionHeader = GetSectionHeaderFromRva(DataDirTable,(PIMAGE_NT_HEADERS)NtHeader64); strRVA.Format(L"0x%X",DataDirTable);
strSize.Format(L"0x%X",DataSize);
strSection = SectionHeader->Name;
strRaw.Format(L"0x%X",DataRaw); int n = m_ListTable.GetItemCount();
int j = m_ListTable.InsertItem(n, wzDirTable[i]);
m_ListTable.SetItemText(j, , strRVA);
m_ListTable.SetItemText(j, , strSize);
m_ListTable.SetItemText(j,,strRaw);
m_ListTable.SetItemText(j,,strSection); } break;
}
default:
break; }
} PIMAGE_SECTION_HEADER
CPETableDlg::GetSectionHeaderFromRva(ULONG RVA,PIMAGE_NT_HEADERS NtHeader) //判断RVA是在那个节表当中
{
ULONG i = ; //Nt头得到节表
PIMAGE_SECTION_HEADER SectionHeader = IMAGE_FIRST_SECTION(NtHeader); //Nt头中的File头中有区块表的个数 区块表是若干SECTION_HEADER个数据结构,个数是在文件头的NumberofSection中
for (i=;i<NtHeader->FileHeader.NumberOfSections;i++,SectionHeader++)
{ if ((RVA>=SectionHeader->VirtualAddress)&&
(RVA<(SectionHeader->VirtualAddress + SectionHeader->Misc.VirtualSize)))
{
return SectionHeader;
}
} return NULL;
} DWORD RVATwoOffset(PIMAGE_NT_HEADERS32 NTHeader, ULONG ulRVA)
{
PIMAGE_SECTION_HEADER SectionHeader =
(PIMAGE_SECTION_HEADER)((ULONG)NTHeader + sizeof(IMAGE_NT_HEADERS)); //获得节表 for(int i = ; i < NTHeader->FileHeader.NumberOfSections; i++)
{
//查询导出表是属于哪个节的
/***********************************************************************
SectionHeader[i].VirtualAddress 节起始的RVA 0x1000
SectionHeader[i].SizeOfRawData 节在文件上的大小
SectionHeader[i].PointerToRawData 这是节基于文件的偏移量,PE 装载器通过本域值找到节数据在文件中的位置 假如导出表在.txt节中
SectionHeader[i].PointerToRawData == 0x200 SectionHeader[i].VirtualAddress == 0x1000
ulRVA = 0x1030 那么导出表在文件中的偏移就是0x230 返回
***********************************************************************/
if(ulRVA >= SectionHeader[i].VirtualAddress && ulRVA <
(SectionHeader[i].VirtualAddress
+ SectionHeader[i].SizeOfRawData))
{
//文件偏移
return SectionHeader[i].PointerToRawData +
(ulRVA - SectionHeader[i].VirtualAddress);
}
} return ;
} ULONG_PTR RVATwoOffset64(PIMAGE_NT_HEADERS64 NTHeader, ULONG_PTR ulRVA)
{
PIMAGE_SECTION_HEADER SectionHeader =
(PIMAGE_SECTION_HEADER)((ULONG_PTR)NTHeader + sizeof(IMAGE_NT_HEADERS64)); //获得节表 for(int i = ; i < NTHeader->FileHeader.NumberOfSections; i++)
{
//查询导出表是属于哪个节的
/***********************************************************************
SectionHeader[i].VirtualAddress 节起始的RVA 0x1000
SectionHeader[i].SizeOfRawData 节在文件上的大小
SectionHeader[i].PointerToRawData 这是节基于文件的偏移量,PE 装载器通过本域值找到节数据在文件中的位置 假如导出表在.txt节中
SectionHeader[i].PointerToRawData == 0x200 SectionHeader[i].VirtualAddress == 0x1000
ulRVA = 0x1030 那么导出表在文件中的偏移就是0x230 返回
***********************************************************************/
if(ulRVA >= SectionHeader[i].VirtualAddress && ulRVA <
(SectionHeader[i].VirtualAddress
+ SectionHeader[i].SizeOfRawData))
{
//文件偏移
return SectionHeader[i].PointerToRawData +
(ulRVA - SectionHeader[i].VirtualAddress);
}
} return ;
} VOID
CPETableDlg::ShowSectionTable(CHAR* szFileData,PETYPE PeType)
{
PIMAGE_NT_HEADERS NtHead = NULL;
PIMAGE_NT_HEADERS64 NtHeader64 = NULL;
PIMAGE_NT_HEADERS32 NtHeader32 = NULL; IMAGE_FILE_HEADER FileHeader; ULONG DataSize = ;
PIMAGE_SECTION_HEADER SectionHeader; CString SectionName;
CString strRVA;
CString strRSize; CString strOffset;
CString strVsize; while(m_ListTable.DeleteColumn());
m_ListTable.DeleteAllItems(); //CRect rect;
//GetWindowRect(rect);
////设置ListContrl在对话框中的位置
//if (m_ListTable.m_hWnd != NULL)
//{
// CRect rc;
// rc.left = 0;
// rc.top = 0;
// rc.right = rect.Width() - 10;
// rc.bottom = rect.Height() - 35;
// m_ListTable.MoveWindow(rc);
//} m_ListTable.SetExtendedStyle(LVS_EX_FULLROWSELECT|LVS_EX_GRIDLINES|LVS_EX_HEADERDRAGDROP); UINT i = ;
for (i = ;i<g_Column_Count_SectionTable;i++)
{
m_ListTable.InsertColumn(i, g_Column_SectionTableList[i].szTitle,LVCFMT_LEFT,(int)(g_Column_SectionTableList[i].nWidth*(dpix/96.0)));
} if (szFileData==NULL)
{
return;
} PIMAGE_DOS_HEADER DosHead = (PIMAGE_DOS_HEADER)szFileData; //获得节表
if (PeType==PE)
{
NtHeader32 = (PIMAGE_NT_HEADERS32)((ULONG)szFileData+DosHead->e_lfanew);
FileHeader = NtHeader32->FileHeader;
SectionHeader = (PIMAGE_SECTION_HEADER)((ULONG_PTR)NtHeader32 + sizeof(IMAGE_NT_HEADERS32));
}
else
{
NtHeader64 = (PIMAGE_NT_HEADERS64)((ULONG)szFileData+DosHead->e_lfanew);
FileHeader = NtHeader64->FileHeader; SectionHeader = (PIMAGE_SECTION_HEADER)((ULONG_PTR)NtHeader64 + sizeof(IMAGE_NT_HEADERS64));
} for (int i = ;i<FileHeader.NumberOfSections;i++,SectionHeader++)
{
SectionName = SectionHeader->Name;
strRVA.Format(L"0x%x",SectionHeader->VirtualAddress);
strRSize.Format(L"0x%x",SectionHeader->Misc.VirtualSize); strOffset.Format(L"0x%x",SectionHeader->PointerToRawData);
strVsize.Format(L"0x%x",SectionHeader->SizeOfRawData); int n = m_ListTable.GetItemCount();
int j = m_ListTable.InsertItem(n, SectionName);
m_ListTable.SetItemText(j, , strRVA);
m_ListTable.SetItemText(j, , strRSize);
m_ListTable.SetItemText(j,,strOffset);
m_ListTable.SetItemText(j,,strVsize); } UpdateData(FALSE); } VOID
CPETableDlg::ShowImportTable(CHAR* szFileData,PETYPE PeType)
{
PIMAGE_NT_HEADERS NtHead = NULL;
PIMAGE_THUNK_DATA ImportOriFirstThunk = NULL;
PIMAGE_IMPORT_BY_NAME OrdinalName = NULL;
PIMAGE_NT_HEADERS64 NtHeader64 = NULL;
PIMAGE_NT_HEADERS32 NtHeader32 = NULL; IMAGE_OPTIONAL_HEADER32 OptionHead32;
IMAGE_OPTIONAL_HEADER64 OptionHead64;
IMAGE_DATA_DIRECTORY ImportDirectory = {};
PIMAGE_IMPORT_DESCRIPTOR ImportTable = NULL;
ULONG_PTR ImportSize = ;
ULONG_PTR ImportDiff = ;
ULONG ulIndex = ; ULONG_PTR ulFuncRVA = ; CString strFuncName,strDllName;
CString strIndex = ; while(m_ListTable.DeleteColumn());
m_ListTable.DeleteAllItems(); m_ListTable.SetExtendedStyle(LVS_EX_FULLROWSELECT|LVS_EX_GRIDLINES|LVS_EX_HEADERDRAGDROP); UINT i = ;
for (i = ;i<g_Column_Count_ImportTable;i++)
{
m_ListTable.InsertColumn(i, g_Column_ImportTableList[i].szTitle,LVCFMT_LEFT,(int)(g_Column_ImportTableList[i].nWidth*(dpix/96.0)));
} if (szFileData==NULL)
{
return;
} PIMAGE_DOS_HEADER DosHead = (PIMAGE_DOS_HEADER)szFileData; NtHead = (PIMAGE_NT_HEADERS)((ULONG)szFileData+DosHead->e_lfanew); switch(PeType)
{
case PE:
{
NtHeader32 = (PIMAGE_NT_HEADERS32)NtHead;
OptionHead32 = NtHeader32->OptionalHeader; ImportDirectory = OptionHead32.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]; m_EditTable1.Format(L"0x%p",ImportDirectory); if (ImportDirectory.Size==)
{
return;
} ImportTable = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)szFileData+ RVATwoOffset(NtHeader32,ImportDirectory.VirtualAddress)); while (ImportTable->Name)
{
char* DllName = (char*)((ULONG_PTR)szFileData+ RVATwoOffset(NtHeader32,ImportTable->Name));
strDllName = DllName; ImportOriFirstThunk = (PIMAGE_THUNK_DATA)((ULONG_PTR)szFileData + RVATwoOffset(NtHeader32,ImportTable->OriginalFirstThunk)); while(ImportOriFirstThunk->u1.Function)
{ int n = m_ListTable.GetItemCount();
strIndex.Format(L"%d",ulIndex);
int j = m_ListTable.InsertItem(n, strIndex); //判断是以序数导入还是以Name导入
//最高位为1说明以序数导入 序号值为低31位
int Temp = ImportOriFirstThunk->u1.Ordinal&0x80000000; if (Temp)
{
Temp = ImportOriFirstThunk->u1.Ordinal&0x7fffffff;
strIndex.Format(L"%d",Temp);
m_ListTable.SetItemText(j,,strIndex);
}
else
{
OrdinalName = (PIMAGE_IMPORT_BY_NAME)((ULONG_PTR)szFileData + RVATwoOffset(NtHeader32,ImportOriFirstThunk->u1.AddressOfData));
char* FuncName = (char*)OrdinalName->Name;
strFuncName = FuncName; ulFuncRVA = (ULONG_PTR)((ULONG_PTR)szFileData + RVATwoOffset(NtHeader32,ImportOriFirstThunk->u1.ForwarderString)); m_ListTable.SetItemText(j,,strFuncName); } m_ListTable.SetItemText(j,,strDllName); ulIndex++;
ImportOriFirstThunk++; } ImportTable++;
} break;
}
case PE64:
{
NtHeader64 = (PIMAGE_NT_HEADERS64)NtHead;
OptionHead64 = NtHeader64->OptionalHeader; ImportDirectory = OptionHead64.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
if (ImportDirectory.Size==)
{
return;
} ImportTable = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)szFileData+ RVATwoOffset64(NtHeader64,ImportDirectory.VirtualAddress)); while (ImportTable->Name)
{
char* DllName = (char*)((ULONG_PTR)szFileData+ RVATwoOffset64(NtHeader64,ImportTable->Name));
strDllName = DllName; ImportOriFirstThunk = (PIMAGE_THUNK_DATA)((ULONG_PTR)szFileData + RVATwoOffset64(NtHeader64,ImportTable->OriginalFirstThunk)); while(ImportOriFirstThunk->u1.Function)
{ int n = m_ListTable.GetItemCount();
strIndex.Format(L"%d",ulIndex);
int j = m_ListTable.InsertItem(n, strIndex); INT64 Temp = ImportOriFirstThunk->u1.Ordinal&0x8000000000000000; if (Temp)
{
Temp = ImportOriFirstThunk->u1.Ordinal&0x7fffffffffffffff;
strIndex.Format(L"%d",Temp);
m_ListTable.SetItemText(j,,strIndex);
}
else
{
OrdinalName = (PIMAGE_IMPORT_BY_NAME)((ULONG_PTR)szFileData + RVATwoOffset64(NtHeader64,ImportOriFirstThunk->u1.AddressOfData));
char* FuncName = (char*)OrdinalName->Name;
strFuncName = FuncName;
m_ListTable.SetItemText(j,,strFuncName);
} m_ListTable.SetItemText(j,,strDllName); ulIndex++;
ImportOriFirstThunk++; } ImportTable++;
} break;
} default:
break; }
} VOID
CPETableDlg::ShowRelocTable(CHAR* szFileData,PETYPE PeType)
{
PIMAGE_NT_HEADERS NtHead = NULL;
PIMAGE_NT_HEADERS64 NtHeader64 = NULL;
PIMAGE_NT_HEADERS32 NtHeader32 = NULL;
IMAGE_OPTIONAL_HEADER32 OptionHead32;
IMAGE_OPTIONAL_HEADER64 OptionHead64;
IMAGE_DATA_DIRECTORY RelocDirectory = {}; PIMAGE_BASE_RELOCATION RelocTable = NULL;
ULONG_PTR RelocRVA = ;
ULONG_PTR BlocSize = ;
ULONG_PTR RelocDataOffset = ; CString strRelocRVA,strRelocOffset,strRelocDataRVA,strRelcoDataOffset,strRelocDataOffset,strRelocData,strRelocSize;
CString strTypeOffset,strSizeOfBlock; while(m_ListTable.DeleteColumn());
m_ListTable.DeleteAllItems(); m_ListTable.SetExtendedStyle(LVS_EX_FULLROWSELECT|LVS_EX_GRIDLINES|LVS_EX_HEADERDRAGDROP); UINT i = ;
for (i = ;i<g_Column_Count_RelocTable;i++)
{
m_ListTable.InsertColumn(i, g_Column_RelocTableList[i].szTitle,LVCFMT_LEFT,(int)(g_Column_RelocTableList[i].nWidth*(dpix/96.0)));
} if (szFileData==NULL)
{
return;
} PIMAGE_DOS_HEADER DosHead = (PIMAGE_DOS_HEADER)szFileData;
NtHead = (PIMAGE_NT_HEADERS)((ULONG)szFileData+DosHead->e_lfanew); switch (PeType)
{
case PE:
{
NtHeader32 = (PIMAGE_NT_HEADERS32)NtHead;
OptionHead32 = NtHeader32->OptionalHeader; RelocDirectory = OptionHead32.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC]; if (RelocDirectory.Size==)
{
return;
} RelocTable = (PIMAGE_BASE_RELOCATION)((ULONG_PTR)szFileData+ RVATwoOffset(NtHeader32,RelocDirectory.VirtualAddress)); do
{
ULONG_PTR NumOfReloc=(RelocTable->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))/; SHORT MiniOffset = ; PSHORT RelocData =(PSHORT)((ULONG_PTR)RelocTable+sizeof(IMAGE_BASE_RELOCATION)); for (i=; i<NumOfReloc; i++)
{
PULONG_PTR RelocAddress = ;//需要重定位的地址 if (((*RelocData)>>)==IMAGE_REL_BASED_DIR64||((*RelocData)>>)==IMAGE_REL_BASED_HIGHLOW)//判断重定位类型是否为IMAGE_REL_BASED_HIGHLOW[32]或IMAGE_REL_BASED_DIR64[64]
{
MiniOffset = (*RelocData)&0xfff; RelocDataOffset = (ULONG_PTR)RVATwoOffset(NtHeader32,MiniOffset+RelocTable->VirtualAddress); strSizeOfBlock.Format(L"0x%x",RelocTable->SizeOfBlock);
strTypeOffset.Format(L"0x%x",(*RelocData)); strRelocRVA.Format(L"0x%x",RelocTable->VirtualAddress);
strRelocOffset.Format(L"0x%x",RVATwoOffset(NtHeader32,RelocTable->VirtualAddress)); strRelocDataRVA.Format(L"0x%x",MiniOffset+RelocTable->VirtualAddress);
strRelocDataOffset.Format(L"0x%x",RelocDataOffset); strRelocData.Format(L"0x%x",*(PULONG_PTR)((ULONG_PTR)szFileData+ RelocDataOffset)); int n = m_ListTable.GetItemCount();
int j = m_ListTable.InsertItem(n, strRelocRVA);
m_ListTable.SetItemText(j, , strRelocOffset);
m_ListTable.SetItemText(j, , strSizeOfBlock);
m_ListTable.SetItemText(j,,strTypeOffset);
m_ListTable.SetItemText(j,,strRelocDataRVA);
m_ListTable.SetItemText(j,,strRelocDataOffset);
m_ListTable.SetItemText(j,,strRelocData); } RelocData++;
} RelocTable=(PIMAGE_BASE_RELOCATION)((ULONG_PTR)RelocTable+RelocTable->SizeOfBlock); } while (RelocTable->VirtualAddress); break;
} case PE64:
{
NtHeader64 = (PIMAGE_NT_HEADERS64)NtHead;
OptionHead64 = NtHeader64->OptionalHeader; RelocDirectory = OptionHead64.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC]; if (RelocDirectory.Size==)
{
return;
} RelocTable = (PIMAGE_BASE_RELOCATION)((ULONG_PTR)szFileData+ RVATwoOffset64(NtHeader64,RelocDirectory.VirtualAddress)); do
{
ULONG_PTR NumOfReloc=(RelocTable->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))/; SHORT MiniOffset = ;
PUSHORT RelocData =(PUSHORT)((ULONG_PTR)RelocTable+sizeof(IMAGE_BASE_RELOCATION)); for (i=; i<NumOfReloc; i++)
{
PULONG_PTR RelocAddress = ;//需要重定位的地址 if (((*RelocData)>>)==IMAGE_REL_BASED_DIR64)//判断重定位类型是否为IMAGE_REL_BASED_HIGHLOW[32]或IMAGE_REL_BASED_DIR64[64]
{
MiniOffset = (*RelocData)&0xfff; RelocDataOffset = (ULONG_PTR)RVATwoOffset64(NtHeader64,MiniOffset+RelocTable->VirtualAddress); strSizeOfBlock.Format(L"0x%x",RelocTable->SizeOfBlock);
strTypeOffset.Format(L"0x%x",(*RelocData)); strRelocRVA.Format(L"0x%x",RelocTable->VirtualAddress);
strRelocOffset.Format(L"0x%x",RVATwoOffset64(NtHeader64,RelocTable->VirtualAddress)); strRelocDataRVA.Format(L"0x%x",MiniOffset+RelocTable->VirtualAddress);
strRelocDataOffset.Format(L"0x%x",RVATwoOffset64(NtHeader64,MiniOffset+RelocTable->VirtualAddress)); strRelocData.Format(L"0x%x",*(PULONG_PTR)((ULONG_PTR)szFileData+ RelocDataOffset)); int n = m_ListTable.GetItemCount();
int j = m_ListTable.InsertItem(n, strRelocRVA);
m_ListTable.SetItemText(j, , strRelocOffset);
m_ListTable.SetItemText(j, , strSizeOfBlock);
m_ListTable.SetItemText(j,,strTypeOffset);
m_ListTable.SetItemText(j,,strRelocDataRVA);
m_ListTable.SetItemText(j,,strRelocDataOffset);
m_ListTable.SetItemText(j,,strRelocData); } RelocData++;
} RelocTable=(PIMAGE_BASE_RELOCATION)((ULONG_PTR)RelocTable+RelocTable->SizeOfBlock); } while (RelocTable->VirtualAddress); break;
} default:
break;
} }
VOID
CPETableDlg::ShowExportTable(CHAR* szFileData,PETYPE PeType)
{
PIMAGE_NT_HEADERS NtHead = NULL;
PIMAGE_NT_HEADERS64 NtHeader64 = NULL;
PIMAGE_NT_HEADERS32 NtHeader32 = NULL;
IMAGE_OPTIONAL_HEADER32 OptionHead32;
IMAGE_OPTIONAL_HEADER64 OptionHead64;
IMAGE_DATA_DIRECTORY ExportDirectory = {};
PIMAGE_EXPORT_DIRECTORY ExportTable = NULL; ULONG_PTR NameOfArrayRVA = NULL;
ULONG* NameOfArray = NULL;
ULONG_PTR OrdinalsOfArrayRVA = NULL;
WORD* OrdinalsOfArray = NULL;
ULONG_PTR FuncAddressOfArrayRVA = NULL;
ULONG* FuncAddressOfArray = NULL;
ULONG_PTR FuncAdress = NULL; CString strIndex, strFuncName,strFuncAddr,strRVA,strOffset; while(m_ListTable.DeleteColumn());
m_ListTable.DeleteAllItems(); m_ListTable.SetExtendedStyle(LVS_EX_FULLROWSELECT|LVS_EX_GRIDLINES|LVS_EX_HEADERDRAGDROP); UINT i = ;
for (i = ;i<g_Column_Count_ExportTable;i++)
{
m_ListTable.InsertColumn(i, g_Column_ExportTableList[i].szTitle,LVCFMT_LEFT,(int)(g_Column_ExportTableList[i].nWidth*(dpix/96.0)));
} if (szFileData==NULL)
{
return;
} PIMAGE_DOS_HEADER DosHead = (PIMAGE_DOS_HEADER)szFileData;
NtHead = (PIMAGE_NT_HEADERS)((ULONG)szFileData+DosHead->e_lfanew); switch(PeType)
{
case PE:
{
NtHeader32 = (PIMAGE_NT_HEADERS32)NtHead;
OptionHead32 = NtHeader32->OptionalHeader; ExportDirectory = OptionHead32.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
if (ExportDirectory.Size==)
{
return;
} ExportTable = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)szFileData+ RVATwoOffset(NtHeader32,ExportDirectory.VirtualAddress)); CHAR* DllName = (CHAR*)((ULONG_PTR)szFileData + RVATwoOffset(NtHeader32,ExportTable->Name)); m_EditTable1.Format(L"%S",DllName); //
NameOfArrayRVA = (ULONG_PTR)(ExportTable->AddressOfNames);
m_EditTable3.Format(L"0x%p",NameOfArrayRVA);
NameOfArrayRVA = RVATwoOffset(NtHeader32,NameOfArrayRVA);
NameOfArray = (ULONG*)((ULONG_PTR)szFileData + NameOfArrayRVA);
CHAR* wzFuncName = NULL; //
OrdinalsOfArrayRVA = (ULONG_PTR)ExportTable->AddressOfNameOrdinals;
m_EditTable4.Format(L"0x%p",OrdinalsOfArrayRVA);
OrdinalsOfArrayRVA = RVATwoOffset(NtHeader32,OrdinalsOfArrayRVA);
OrdinalsOfArray = (WORD*)((ULONG_PTR)szFileData + OrdinalsOfArrayRVA); //
FuncAddressOfArrayRVA = (ULONG_PTR)ExportTable->AddressOfFunctions;
m_EditTable2.Format(L"0x%p",FuncAddressOfArrayRVA);
FuncAddressOfArrayRVA = RVATwoOffset(NtHeader32,FuncAddressOfArrayRVA);
FuncAddressOfArray = (ULONG*)((ULONG_PTR)szFileData + FuncAddressOfArrayRVA); for (int i=;i<ExportTable->NumberOfNames;i++)
{
wzFuncName = (CHAR*)((ULONG_PTR)szFileData+RVATwoOffset(NtHeader32,NameOfArray[i]));
FuncAdress =(ULONG_PTR)szFileData + RVATwoOffset(NtHeader32,FuncAddressOfArray[OrdinalsOfArray[i]]); strIndex.Format(L"%d",OrdinalsOfArray[i]);
strFuncName.Format(L"%S",wzFuncName);
strFuncAddr.Format(L"0x%x",FuncAdress);
strRVA.Format(L"0x%x",FuncAddressOfArray[OrdinalsOfArray[i]]);
strOffset.Format(L"0x%x",RVATwoOffset(NtHeader32,FuncAddressOfArray[OrdinalsOfArray[i]])); int n = m_ListTable.GetItemCount();
int j = m_ListTable.InsertItem(n, strIndex);
m_ListTable.SetItemText(j, , strFuncName);
m_ListTable.SetItemText(j, , strFuncAddr);
m_ListTable.SetItemText(j,,strRVA);
m_ListTable.SetItemText(j,,strOffset); } break;
} case PE64:
{
NtHeader64 = (PIMAGE_NT_HEADERS64)NtHead;
OptionHead64 = NtHeader64->OptionalHeader; ExportDirectory = OptionHead64.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
if (ExportDirectory.Size==)
{
return;
} ExportTable = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)szFileData+ RVATwoOffset64(NtHeader64,ExportDirectory.VirtualAddress)); NameOfArrayRVA = (ULONG_PTR)(ExportTable->AddressOfNames);
m_EditTable3.Format(L"0x%p",NameOfArrayRVA);
NameOfArrayRVA = RVATwoOffset64(NtHeader64,NameOfArrayRVA);
NameOfArray = (ULONG*)((ULONG_PTR)szFileData + NameOfArrayRVA);
CHAR* wzFuncName = NULL; OrdinalsOfArrayRVA = (ULONG_PTR)ExportTable->AddressOfNameOrdinals;
m_EditTable4.Format(L"0x%p",OrdinalsOfArrayRVA);
OrdinalsOfArrayRVA = RVATwoOffset64(NtHeader64,OrdinalsOfArrayRVA);
OrdinalsOfArray = (WORD*)((ULONG_PTR)szFileData + OrdinalsOfArrayRVA); FuncAddressOfArrayRVA = (ULONG_PTR)ExportTable->AddressOfFunctions;
m_EditTable2.Format(L"0x%p",FuncAddressOfArrayRVA);
FuncAddressOfArrayRVA = RVATwoOffset64(NtHeader64,FuncAddressOfArrayRVA);
FuncAddressOfArray = (ULONG*)((ULONG_PTR)szFileData + FuncAddressOfArrayRVA); for (int i=;i<ExportTable->NumberOfNames;i++)
{
wzFuncName = (CHAR*)((ULONG_PTR)szFileData+RVATwoOffset64(NtHeader64,NameOfArray[i]));
FuncAdress =(ULONG_PTR)szFileData + RVATwoOffset64(NtHeader64,FuncAddressOfArray[OrdinalsOfArray[i]]); strIndex.Format(L"%d",OrdinalsOfArray[i]);
strFuncName.Format(L"%S",wzFuncName);
strFuncAddr.Format(L"0x%x",FuncAdress);
strRVA.Format(L"0x%x",FuncAddressOfArray[OrdinalsOfArray[i]]);
strOffset.Format(L"0x%x",RVATwoOffset64(NtHeader64,FuncAddressOfArray[OrdinalsOfArray[i]])); int n = m_ListTable.GetItemCount();
int j = m_ListTable.InsertItem(n, strIndex);
m_ListTable.SetItemText(j, , strFuncName);
m_ListTable.SetItemText(j, , strFuncAddr);
m_ListTable.SetItemText(j,,strRVA);
m_ListTable.SetItemText(j,,strOffset); } break;
}
default:
break; } UpdateData(FALSE);
}
#pragma once
#include "afxcmn.h"
enum PETYPE
{
PE = ,
PE64,
Unkonw
};
typedef struct _COLUMNSTRUCT
{
WCHAR* szTitle;
UINT nWidth;
}COLUMNSTRUCT;
// CPETableDlg 对话框 class CPETableDlg : public CDialog
{
DECLARE_DYNAMIC(CPETableDlg) public:
CPETableDlg(CWnd* pParent = NULL); // 标准构造函数
virtual ~CPETableDlg(); // 对话框数据
enum { IDD = IDD_DIALOG_TABLE }; protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV 支持 DECLARE_MESSAGE_MAP()
public:
// afx_msg void OnEnChangeEdit4();
CListCtrl m_ListTable;
CString m_Table1;
CString m_Table2;
CString m_Table3;
CString m_Table4;
CString m_EditTable1;
CString m_EditTable2;
CString m_EditTable3;
CString m_EditTable4;
VOID CPETableDlg::ShowPeTable(CHAR* FileData,PETYPE PeType);
VOID CPETableDlg::ShowDataDirTable(CHAR* szFileData,PETYPE PeType);
PIMAGE_SECTION_HEADER CPETableDlg::GetSectionHeaderFromRva(ULONG RVA,PIMAGE_NT_HEADERS NtHeader);
VOID CPETableDlg::ShowSectionTable(CHAR* szFileData,PETYPE PeType);
VOID CPETableDlg::ShowImportTable(CHAR* szFileData,PETYPE PeType);
VOID CPETableDlg::ShowExportTable(CHAR* szFileData,PETYPE PeType);
VOID CPETableDlg::ShowRelocTable(CHAR* szFileData,PETYPE PeType);
};
ULONG_PTR RVATwoOffset64(PIMAGE_NT_HEADERS64 NTHeader, ULONG_PTR ulRVA) ;
DWORD RVATwoOffset(PIMAGE_NT_HEADERS32 NTHeader, ULONG ulRVA);
// PECheckDlg.h : 头文件
// #pragma once
#include "afxcmn.h"
#include "PEHeaderDlg.h"
#include "PETableDlg.h"
// CPECheckDlg 对话框 class CPECheckDlg : public CDialogEx
{
// 构造
public:
CPECheckDlg(CWnd* pParent = NULL); // 标准构造函数 // 对话框数据
enum { IDD = IDD_PECHECK_DIALOG }; protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV 支持
TCHAR m_FilePath[];
CHAR* m_szFileData;
ULONG m_ulLow;
PETYPE PeType; CPEHeaderDlg m_PeHeaderDlg;
CPETableDlg m_PeTableDlg;
// 实现
protected:
HICON m_hIcon; // 生成的消息映射函数
virtual BOOL OnInitDialog();
afx_msg void OnSysCommand(UINT nID, LPARAM lParam);
afx_msg void OnPaint();
afx_msg HCURSOR OnQueryDragIcon();
DECLARE_MESSAGE_MAP()
public:
afx_msg void OnDropFiles(HDROP hDropInfo);
CTabCtrl m_TabMain;
CString m_EditFilePath; BOOL LoadFileData(WCHAR* wzFilePath,CHAR** szFileData,ULONG* ulLow);
BOOL IsPEFile(CHAR* szFileData,PETYPE* PeType);
CString m_EditFileType;
afx_msg void OnTcnSelchangeTabMain(NMHDR *pNMHDR, LRESULT *pResult);
};
// PECheckDlg.cpp : 实现文件
// #include "stdafx.h"
#include "PECheck.h"
#include "PECheckDlg.h"
#include "afxdialogex.h" #ifdef _DEBUG
#define new DEBUG_NEW
#endif CHAR* g_szFileData = NULL;
ULONG g_SelectTab = ;
int dpix;
int dpiy; // 用于应用程序“关于”菜单项的 CAboutDlg 对话框 class CAboutDlg : public CDialogEx
{
public:
CAboutDlg(); // 对话框数据
enum { IDD = IDD_ABOUTBOX }; protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV 支持 // 实现
protected:
DECLARE_MESSAGE_MAP()
}; CAboutDlg::CAboutDlg() : CDialogEx(CAboutDlg::IDD)
{
} void CAboutDlg::DoDataExchange(CDataExchange* pDX)
{
CDialogEx::DoDataExchange(pDX);
} BEGIN_MESSAGE_MAP(CAboutDlg, CDialogEx)
END_MESSAGE_MAP() // CPECheckDlg 对话框 CPECheckDlg::CPECheckDlg(CWnd* pParent /*=NULL*/)
: CDialogEx(CPECheckDlg::IDD, pParent)
, m_EditFilePath(_T(""))
, m_EditFileType(_T(""))
{
m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
m_szFileData = NULL;
} void CPECheckDlg::DoDataExchange(CDataExchange* pDX)
{
CDialogEx::DoDataExchange(pDX);
DDX_Control(pDX, IDC_TAB_MAIN, m_TabMain);
DDX_Text(pDX, IDC_EDIT_DRAGFILE, m_EditFilePath);
DDX_Text(pDX, IDC_FILETYPE, m_EditFileType);
} BEGIN_MESSAGE_MAP(CPECheckDlg, CDialogEx)
ON_WM_SYSCOMMAND()
ON_WM_PAINT()
ON_WM_QUERYDRAGICON()
ON_WM_DROPFILES()
ON_NOTIFY(TCN_SELCHANGE, IDC_TAB_MAIN, &CPECheckDlg::OnTcnSelchangeTabMain)
END_MESSAGE_MAP() // CPECheckDlg 消息处理程序 BOOL CPECheckDlg::OnInitDialog()
{
CDialogEx::OnInitDialog(); // 将“关于...”菜单项添加到系统菜单中。 // IDM_ABOUTBOX 必须在系统命令范围内。
ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);
ASSERT(IDM_ABOUTBOX < 0xF000); CMenu* pSysMenu = GetSystemMenu(FALSE);
if (pSysMenu != NULL)
{
BOOL bNameValid;
CString strAboutMenu;
bNameValid = strAboutMenu.LoadString(IDS_ABOUTBOX);
ASSERT(bNameValid);
if (!strAboutMenu.IsEmpty())
{
pSysMenu->AppendMenu(MF_SEPARATOR);
pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu);
}
} // 设置此对话框的图标。当应用程序主窗口不是对话框时,框架将自动
// 执行此操作
SetIcon(m_hIcon, TRUE); // 设置大图标
SetIcon(m_hIcon, FALSE); // 设置小图标 // TODO: 在此添加额外的初始化代码
m_TabMain.InsertItem(, _T("PE头")); //
m_TabMain.InsertItem(, _T("目录表")); //
m_TabMain.InsertItem(,_T("区块表"));
m_TabMain.InsertItem(,_T("导入表"));
m_TabMain.InsertItem(,_T("导出表"));
m_TabMain.InsertItem(,_T("重定向表")); m_PeHeaderDlg.Create(IDD_DIALOG_PEHEADER,GetDlgItem(IDC_TAB_MAIN));
m_PeTableDlg.Create(IDD_DIALOG_TABLE,GetDlgItem(IDC_TAB_MAIN)); CRect tabRect; GetWindowRect(&tabRect); CPaintDC dc(this);
dpix = GetDeviceCaps(dc.m_hDC,LOGPIXELSX);
dpiy = GetDeviceCaps(dc.m_hDC,LOGPIXELSY);
tabRect.bottom += (LONG)(+*(dpiy/96.0)); MoveWindow(&tabRect); m_TabMain.GetClientRect(&tabRect); // 获取标签控件客户区Rect
// 调整tabRect,使其覆盖范围适合放置标签页
tabRect.left += ;
tabRect.right -= ;
tabRect.top += ;
tabRect.bottom -= ;
// 根据调整好的tabRect放置m_jzmDlg子对话框,并设置为显示
m_PeHeaderDlg.SetWindowPos(NULL, tabRect.left, tabRect.top, tabRect.Width(), tabRect.Height(), SWP_SHOWWINDOW);
m_PeTableDlg.SetWindowPos(NULL, tabRect.left, tabRect.top, tabRect.Width(), tabRect.Height(), SWP_HIDEWINDOW); return TRUE; // 除非将焦点设置到控件,否则返回 TRUE
} void CPECheckDlg::OnSysCommand(UINT nID, LPARAM lParam)
{
if ((nID & 0xFFF0) == IDM_ABOUTBOX)
{
CAboutDlg dlgAbout;
dlgAbout.DoModal();
}
else
{
CDialogEx::OnSysCommand(nID, lParam);
}
} // 如果向对话框添加最小化按钮,则需要下面的代码
// 来绘制该图标。对于使用文档/视图模型的 MFC 应用程序,
// 这将由框架自动完成。 void CPECheckDlg::OnPaint()
{
if (IsIconic())
{
CPaintDC dc(this); // 用于绘制的设备上下文 SendMessage(WM_ICONERASEBKGND, reinterpret_cast<WPARAM>(dc.GetSafeHdc()), ); // 使图标在工作区矩形中居中
int cxIcon = GetSystemMetrics(SM_CXICON);
int cyIcon = GetSystemMetrics(SM_CYICON);
CRect rect;
GetClientRect(&rect);
int x = (rect.Width() - cxIcon + ) / ;
int y = (rect.Height() - cyIcon + ) / ; // 绘制图标
dc.DrawIcon(x, y, m_hIcon);
}
else
{
CDialogEx::OnPaint();
}
} //当用户拖动最小化窗口时系统调用此函数取得光标
//显示。
HCURSOR CPECheckDlg::OnQueryDragIcon()
{
return static_cast<HCURSOR>(m_hIcon);
} BOOL CPECheckDlg::LoadFileData(WCHAR* wzFilePath,CHAR** szFileData,ULONG* ulLow)
{ HANDLE hFile;
ULONG ulHigh = ;
ULONG ulReturn = ; if (wzFilePath==NULL)//判断文件路径是否为空
{
return FALSE;
} hFile = CreateFileW(wzFilePath,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL); if (hFile==INVALID_HANDLE_VALUE)
{
return -;
} /*
// Case One: calling the function with
// lpFileSizeHigh == NULL // Try to obtain hFile's size
dwSize = GetFileSize (hFile, NULL) ; // If we failed ...
if (dwSize == 0xFFFFFFFF) { // Obtain the error code.
dwError = GetLastError() ; // Deal with that failure.
.
.
. } // End of error handler //
// Case Two: calling the function with
// lpFileSizeHigh != NULL // Try to obtain hFile's huge size.
dwSizeLow = GetFileSize (hFile, & dwSizeHigh) ; // If we failed ...
if (dwSizeLow == 0xFFFFFFFF
&&
(dwError = GetLastError()) != NO_ERROR ){ // Deal with that failure.
.
.
. } // End of error handler. */ *ulLow = GetFileSize(hFile,&ulHigh); *szFileData = new char[*ulLow + ]; if (ReadFile(hFile,*szFileData,*ulLow,&ulReturn,NULL)==)
{
CloseHandle(hFile);
delete *szFileData;
return FALSE;
} return TRUE; } BOOL CPECheckDlg::IsPEFile(CHAR* szFileData,PETYPE* PeType)
{
PIMAGE_DOS_HEADER DosHead =NULL;
PIMAGE_NT_HEADERS NtHead = NULL;
IMAGE_FILE_HEADER FileHead = {}; DosHead = (PIMAGE_DOS_HEADER)szFileData;
if (DosHead->e_magic!=IMAGE_DOS_SIGNATURE)
{
return FALSE;
} NtHead = (PIMAGE_NT_HEADERS)((ULONG)szFileData+DosHead->e_lfanew); if (NtHead->Signature!=IMAGE_NT_SIGNATURE)
{
return FALSE;
} FileHead = NtHead->FileHeader;
switch(FileHead.Machine) //根据NT头中的FileHeader.Machine判断是哪种PE文件
{
case IMAGE_FILE_MACHINE_IA64:
case IMAGE_FILE_MACHINE_AMD64:
*PeType = PE64;
break; case IMAGE_FILE_MACHINE_I386:
*PeType = PE;
break; default: *PeType = Unkonw;
} return TRUE; } void CPECheckDlg::OnDropFiles(HDROP hDropInfo)
{
// TODO: 在此添加消息处理程序代码和/或调用默认值
UpdateData(TRUE); CRect tabRect;
m_TabMain.GetClientRect(&tabRect); // 获取标签控件客户区Rect
// 调整tabRect,使其覆盖范围适合放置标签页
tabRect.left += ;
tabRect.right -= ;
tabRect.top += ;
tabRect.bottom -= ; DragQueryFile(hDropInfo,,m_FilePath,MAX_PATH);//取得第一个文件的路径 if(_wcsicmp(m_FilePath,m_EditFilePath.GetBuffer()) == )
{
goto END;
} m_EditFilePath = m_FilePath; //得到要检查文件的完整路径 if(LoadFileData(m_FilePath,&m_szFileData,&m_ulLow)==FALSE)
{
free(m_szFileData);
return ;
} g_szFileData = m_szFileData; if(IsPEFile(m_szFileData,&PeType)==FALSE)
{
MessageBox(L"不是PE文件",L"PECheck",); return;
} switch(PeType)
{
case PE:
{
m_EditFileType.Format(L"32位 MZ (0x%p)",(ULONG_PTR)m_szFileData);
break;
} case PE64:
{
m_EditFileType.Format(L"64位 MZ (0x%p)",(ULONG_PTR)m_szFileData);
break;
}
case Unkonw:
{
m_EditFileType = L"未知";
break;
}
default:
break;
}
//m_PeHeaderDlg
m_PeHeaderDlg.SetWindowPos(NULL, tabRect.left, tabRect.top, tabRect.Width(), tabRect.Height(), SWP_SHOWWINDOW);
m_PeHeaderDlg.CheckPEHeader();
UpdateData(FALSE); END: CDialogEx::OnDropFiles(hDropInfo);
} void CPECheckDlg::OnTcnSelchangeTabMain(NMHDR *pNMHDR, LRESULT *pResult)
{
// TODO: 在此添加控件通知处理程序代码 ULONG m_SelectTab = ; m_SelectTab = m_TabMain.GetCurSel();
g_SelectTab = m_SelectTab; CRect tabRect;
m_TabMain.GetClientRect(&tabRect); // 获取标签控件客户区Rect
// 调整tabRect,使其覆盖范围适合放置标签页
tabRect.left += ;
tabRect.right -= ;
tabRect.top += ;
tabRect.bottom -= ; switch(m_SelectTab)
{
case :
{ m_PeHeaderDlg.SetWindowPos(NULL, tabRect.left, tabRect.top, tabRect.Width(), tabRect.Height(), SWP_SHOWWINDOW);
m_PeTableDlg.SetWindowPos(NULL, tabRect.left, tabRect.top, tabRect.Width(), tabRect.Height(), SWP_HIDEWINDOW);
m_PeHeaderDlg.CheckPEHeader(); break;
} case :
case :
case :
case :
case :
{
m_PeHeaderDlg.SetWindowPos(NULL, tabRect.left, tabRect.top, tabRect.Width(), tabRect.Height(), SWP_HIDEWINDOW);
m_PeTableDlg.SetWindowPos(NULL, tabRect.left, tabRect.top, tabRect.Width(), tabRect.Height(), SWP_SHOWWINDOW); m_PeTableDlg.ShowPeTable(m_szFileData,PeType); break;
} } *pResult = ;
}
#pragma once // CPEHeaderDlg 对话框 class CPEHeaderDlg : public CDialog
{
DECLARE_DYNAMIC(CPEHeaderDlg) public:
CPEHeaderDlg(CWnd* pParent = NULL); // 标准构造函数
virtual ~CPEHeaderDlg();
CHAR* m_FileData;
// 对话框数据
enum { IDD = IDD_DIALOG_PEHEADER }; protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV 支持 DECLARE_MESSAGE_MAP()
public:
CString m_EditFileSign;
CString m_EditNumberofSec;
CString m_EditSizeOfOption;
CString m_EditOptionMagic;
CString m_EditOpEntry;
CString m_EditOpBaseOfData;
CString m_EditOpBaseOfCode;
CString m_EditSectionAligment;
CString m_EditFileAligment;
CString m_EditOpNumOfDir;
CString m_EditOpImageBase;
CString m_NumberofSection; virtual BOOL OnInitDialog();
VOID CPEHeaderDlg::CheckPEHeader();
};
// PEHeaderDlg.cpp : 实现文件
// #include "stdafx.h"
#include "PECheck.h"
#include "PEHeaderDlg.h"
#include "afxdialogex.h" extern CHAR* g_szFileData;
// CPEHeaderDlg 对话框 IMPLEMENT_DYNAMIC(CPEHeaderDlg, CDialog) CPEHeaderDlg::CPEHeaderDlg(CWnd* pParent /*=NULL*/)
: CDialog(CPEHeaderDlg::IDD, pParent)
, m_EditFileSign(_T(""))
, m_EditNumberofSec(_T(""))
, m_EditSizeOfOption(_T(""))
, m_EditOptionMagic(_T(""))
, m_EditOpEntry(_T(""))
, m_EditOpBaseOfData(_T(""))
, m_EditOpBaseOfCode(_T(""))
, m_EditSectionAligment(_T(""))
, m_EditFileAligment(_T(""))
, m_EditOpNumOfDir(_T(""))
, m_EditOpImageBase(_T(""))
{
m_FileData = g_szFileData;
} CPEHeaderDlg::~CPEHeaderDlg()
{
} void CPEHeaderDlg::DoDataExchange(CDataExchange* pDX)
{
CDialog::DoDataExchange(pDX);
DDX_Text(pDX, IDC_EDIT_PEHEASER_SIGN, m_EditFileSign);
DDX_Text(pDX, IDC_NUMBER_SECTION, m_EditNumberofSec);
DDX_Text(pDX, IDC_EDIT_PEHEADER_FILE_NUMBEROFSECTION, m_EditSizeOfOption);
DDX_Text(pDX, IDC_NUMBER_SECTION3, m_EditOptionMagic);
DDX_Text(pDX, IDC_NUMBER_SECTION5, m_EditOpEntry);
DDX_Text(pDX, IDC_NUMBER_SECTION8, m_EditOpBaseOfData);
DDX_Text(pDX, IDC_NUMBER_SECTION2, m_EditOpBaseOfCode);
DDX_Text(pDX, IDC_NUMBER_SECTION6, m_EditSectionAligment);
DDX_Text(pDX, IDC_NUMBER_SECTION7, m_EditFileAligment);
DDX_Text(pDX, IDC_NUMBER_SECTION4, m_EditOpNumOfDir);
DDX_Text(pDX, IDC_NUMBER_SECTION9, m_EditOpImageBase);
} BEGIN_MESSAGE_MAP(CPEHeaderDlg, CDialog)
END_MESSAGE_MAP() // CPEHeaderDlg 消息处理程序 BOOL CPEHeaderDlg::OnInitDialog()
{
CDialog::OnInitDialog(); // TODO: 在此添加额外的初始化 CheckPEHeader();
return TRUE; // return TRUE unless you set the focus to a control
// 异常: OCX 属性页应返回 FALSE
} VOID CPEHeaderDlg::CheckPEHeader()
{
UpdateData(TRUE);
//exture szFileData;
PIMAGE_DOS_HEADER DosHead;
PIMAGE_NT_HEADERS NtHead = NULL;
IMAGE_FILE_HEADER FileHead = {};
ULONG FileKind = ;
PIMAGE_NT_HEADERS64 NtHeader64 = NULL;
PIMAGE_NT_HEADERS32 NtHeader32 = NULL;
IMAGE_OPTIONAL_HEADER32 OptionHead32;
IMAGE_OPTIONAL_HEADER64 OptionHead64; m_FileData = g_szFileData; if (m_FileData == NULL)
{ return ;
}
DosHead = (PIMAGE_DOS_HEADER)m_FileData;
NtHead = (PIMAGE_NT_HEADERS)((ULONG)m_FileData+DosHead->e_lfanew);
CHAR szMagic[] = {};
memcpy(szMagic,(CHAR*)NtHead,); m_EditFileSign = szMagic; FileHead = NtHead->FileHeader;
m_NumberofSection.Format(L"%d",FileHead.NumberOfSections);
m_EditSizeOfOption.Format(L"0x%x",FileHead.SizeOfOptionalHeader);
if (FileHead.Machine == IMAGE_FILE_MACHINE_IA64||FileHead.Machine == IMAGE_FILE_MACHINE_AMD64)
{
FileKind = ; }
else if (FileHead.Machine == IMAGE_FILE_MACHINE_I386)
{
FileKind = ;
} else
{
FileKind = -;
} switch(FileKind)
{
case :{ NtHeader32 = (PIMAGE_NT_HEADERS32)NtHead;
OptionHead32 = NtHeader32->OptionalHeader; if (OptionHead32.Magic==0x0107)
{
m_EditOptionMagic.Format(L"ROM映像");
}
else if (OptionHead32.Magic==0x010B)
{
m_EditOptionMagic.Format(L"可执行映像");
}
else
{
m_EditOptionMagic.Format(L"PE32+");
} m_EditOpEntry.Format(L"0x%x",OptionHead32.AddressOfEntryPoint);
m_EditOpBaseOfData.Format(L"0x%x",OptionHead32.BaseOfData);
m_EditOpBaseOfCode.Format(L"0x%x",OptionHead32.BaseOfCode);
m_EditSectionAligment.Format(L"0x%x",OptionHead32.SectionAlignment);
m_EditFileAligment.Format(L"0x%x",OptionHead32.FileAlignment);
m_EditOpNumOfDir.Format(L"%d",OptionHead32.NumberOfRvaAndSizes);
m_EditOpImageBase.Format(L"0x%x",OptionHead32.ImageBase); break;
} case :
{
NtHeader64 = (PIMAGE_NT_HEADERS64)NtHead;
OptionHead64 = NtHeader64->OptionalHeader; if (OptionHead64.Magic==0x0107)
{
m_EditOptionMagic.Format(L"ROM映像");
}
else if (OptionHead64.Magic==0x010B)
{
m_EditOptionMagic.Format(L"可执行映像");
}
else
{
m_EditOptionMagic.Format(L"PE32+");
} m_EditOpEntry.Format(L"0x%x",OptionHead64.AddressOfEntryPoint);
m_EditOpBaseOfCode.Format(L"0x%x",OptionHead64.BaseOfCode);
m_EditSectionAligment.Format(L"0x%x",OptionHead64.SectionAlignment);
m_EditFileAligment.Format(L"0x%x",OptionHead64.FileAlignment);
m_EditOpNumOfDir.Format(L"%d",OptionHead64.NumberOfRvaAndSizes);
m_EditOpImageBase.Format(L"0x%p",OptionHead64.ImageBase);
break;
} default:
break; } UpdateData(FALSE); }
PeCheck的更多相关文章
- Python-Analysis-Malware
Python恶意软件分析应用-PEfile 0x1.前言 要想对恶意代码快速分析,Python是一门必须要掌握的编程技能.因为它是跨平台的,而且容易阅读和编写.许多开源安全工具也是用Python写的. ...
- 浅谈HookSSDT和和Resume(恢复)SSDT
最近在学HookSSDT和针对Hook的ResumeSSDT,避免自己理解有所偏差,把它们写出来,希望大家不吝赐教.(虽然已经是过时了的技术,但是最起码了解其中的原理,嘿嘿嘿.) 转载注明出处:ht ...
随机推荐
- JS获取当前时间并把时间赋给input表单
<script>window.onload = function(){ function getDate(){ debugger; var today = new Date(); var ...
- 《zw版·Halcon-delphi系列原创教程》 Halcon分类函数004·edge,边缘处理
<zw版·Halcon-delphi系列原创教程> Halcon分类函数004·edge,边缘处理 为方便阅读,在不影响说明的前提下,笔者对函数进行了简化: :: 用符号“**”,替换:“ ...
- SpringMVC集成AOP错误:java lang classnotfoundexception org aspectj lang joinpoint
记录自己出现的问题,Spring AOP 使用测试类测试没问题,在SpringMVC启动服务器时出现java lang classnotfoundexception org aspectj lang ...
- python核心编程学习记录之面向对象编程
未完待续525
- Dynamics AX 2012 R2 安装 AIF IIS上的Web服务
1.为什么使用IIS上的WEB服务 组件? 如果你要在Dynamics AX Service中使用HTTP Adapter,那么你就要安装IIS上的WEB服务 组件.HTTP Adapter会在IIS ...
- 移动端网站的内容触摸滑动-Swiper插件
手机平板等大多移动端站点都会有触摸滑动内容的功能,公司移动端站点(m.muzhiwan.com)的标题广告滑动以及轮播效果就是用的Swiper插件. Swiper就是常用于移动端网站的内容触摸滑动的一 ...
- html与jsp
1. 什么是 HTML 语言? HTML文件有什么特征? 答:HTML是超文本标记语言(Hypertext Mark-up Language)的缩写,主要用来创建与系统平台无关的网页文档.它是目前网络 ...
- 相似性度量(Similarity Measurement)与“距离”(Distance)
在做分类时常常需要估算不同样本之间的相似性度量(Similarity Measurement),这时通常采用的方法就是计算样本间的“距离”(Distance).采用什么样的方法计算距离是很讲究,甚至关 ...
- Windows下WebStorm使用SVN
安装了phpstorm之后,想配置svn,结果在file->settings->Version Contorl->subversion->use conmand line cl ...
- linux 双网卡实现
linux实现双网卡,在虚拟机中创建一个新网卡,NAT方式连接,其中eth0设置为连接外网,目前eth0为自动分配状态,所以将代码注释掉了,eth1设置为连接内网.