PE分析
1 #include<windows.h>
2 #include<RichEdit.h>
3 #include "resource.h"
4
5
6
7 BOOL CALLBACK DlgProc(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam);
8
9 //Pe文件处理函数声明
10
11 BOOL IsPeFile(LPVOID ImageBase);
12 PIMAGE_NT_HEADERS GetNtHeader(LPVOID ImageBase);
13 PIMAGE_FILE_HEADER WINAPI GetFileHeader(LPVOID Imagebase);
14 PIMAGE_OPTIONAL_HEADER GetOptionalHeader(LPVOID ImageBase);
15
16 int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowcmd)
17 {
18 DialogBox(hInstance, MAKEINTRESOURCE(IDD_DIALOG), NULL, DlgProc);
19
20 return 0;
21 }
22
23
24 BOOL CALLBACK DlgProc(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam)
25 {
26
27
28 OPENFILENAME FileName = { 0,0,0 }, *lpFileName = &FileName;
29 HANDLE hFile, hFileMap;
30 TCHAR szPe[] = "\"PE File(*.exe)\" \0*.exe;*.dll;*.scr;*.fon;*.drv;\0\"*.All File(*.*) \0*.*\0\0";
31 TCHAR szFileName[256] = { "" };
32
33 LPVOID lpMemory;
34
35 TCHAR Buff[16];
36 PIMAGE_FILE_HEADER pFileHeader = NULL;
37 PIMAGE_OPTIONAL_HEADER pOptionHeader = NULL;
38
39 switch (message)
40 {
41 case WM_INITDIALOG:
42 break;
43 case WM_CLOSE:
44
45 EndDialog(hDlg, NULL);
46 break;
47
48 case WM_COMMAND:
49 switch (LOWORD(wParam))
50 {
51 case IDM_OPEN:
52 FileName.hInstance = (HINSTANCE)hDlg;
53 FileName.hwndOwner = hDlg;
54 FileName.lStructSize = sizeof(OPENFILENAME);
55 FileName.lpstrFilter = szPe;
56 FileName.lpstrFile = szFileName;
57 FileName.Flags = OFN_FILEMUSTEXIST || OFN_PATHMUSTEXIST;
58 FileName.nMaxFile = sizeof(szFileName);
59
60
61 if (!GetOpenFileName(lpFileName))
62 {
63 MessageBox(hDlg, "GetOpenFileName 调用失败", "ERROR", NULL);
64 break;
65 }
66
67 SetDlgItemText(hDlg, IDC_FILENAME, szFileName);
68
69 hFile = CreateFile(FileName.lpstrFile, // open pe file
70
71 GENERIC_READ, // open for reading
72
73 FILE_SHARE_READ || FILE_SHARE_WRITE, // share for reading
74
75 NULL, // no security
76
77 OPEN_EXISTING, // existing file only
78
79 FILE_ATTRIBUTE_NORMAL, // normal file
80
81 NULL); // no attr. template
82
83
84 if (hFile == INVALID_HANDLE_VALUE)
85 {
86 MessageBox(hDlg, "Could not open file.", "ERROR", MB_ICONERROR);
87 break;// process error
88
89 }
90
91 if (GetFileSize(hFile, NULL) != 0)
92 {
93 hFileMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
94 if (hFileMap != 0)
95 {
96 lpMemory = MapViewOfFile(hFileMap, FILE_MAP_READ, NULL, NULL, NULL);
97 }
98 }
99
100 if (IsPeFile(lpMemory))
101 {
102
103 pFileHeader = GetFileHeader(lpMemory);
104 pOptionHeader = GetOptionalHeader(lpMemory);
105 if (!(pFileHeader&&pOptionHeader))
106 {
107 MessageBox(hDlg, "获取文件头指针失败", "PEINFO", MB_ICONERROR);
108 break;
109 }
110 else
111 {
112 wsprintf(Buff, "%04lX", pFileHeader->Machine);
113 SetDlgItemText(hDlg, IDC_MACHINE, Buff);
114
115 wsprintf(Buff, "%04lX", pFileHeader->NumberOfSections);
116 SetDlgItemText(hDlg, IDC_NUMSECTION, Buff);
117
118 wsprintf(Buff, "%04lX", pOptionHeader->Magic);
119 SetDlgItemText(hDlg, IDC_MAGIC, Buff);
120
121 wsprintf(Buff, "%08lX", pOptionHeader->AddressOfEntryPoint);
122 SetDlgItemText(hDlg, IDC_ENTERPOINT, Buff);
123
124 wsprintf(Buff, "%08lX", pOptionHeader->DataDirectory[0].VirtualAddress);
125 SetDlgItemText(hDlg, IDC_EDIT_RVA_EXPORT, Buff);
126
127 wsprintf(Buff, "%08lX", pOptionHeader->DataDirectory[0].Size);
128 SetDlgItemText(hDlg, IDC_EDIT_SIZE_EXPORT, Buff);
129
130 wsprintf(Buff, "%08lX", pOptionHeader->DataDirectory[1].VirtualAddress);
131 SetDlgItemText(hDlg, IDC_EDIT_RVA_IMPORT, Buff);
132
133 wsprintf(Buff, "%08lX", pOptionHeader->DataDirectory[1].Size);
134 SetDlgItemText(hDlg, IDC_EDIT_SIZE_IMPORT, Buff);
135
136 wsprintf(Buff, "%08lX", pOptionHeader->DataDirectory[2].VirtualAddress);
137 SetDlgItemText(hDlg, IDC_EDIT_RVA_RES, Buff);
138
139 wsprintf(Buff, "%08lX", pOptionHeader->DataDirectory[2].Size);
140 SetDlgItemText(hDlg, IDC_EDIT_SIZE_RES, Buff);
141
142
143
144 }
145
146
147 }
148 else
149 {
150 MessageBox(hDlg, "你选择的不是PE文件", "error", MB_ICONERROR);
151 UnmapViewOfFile(lpMemory);
152 CloseHandle(hFileMap);
153 CloseHandle(hFile);
154 }
155 UnmapViewOfFile(lpMemory);
156 CloseHandle(hFileMap);
157 CloseHandle(hFile);
158
159 break;
160
161
162 }
163
164
165 }
166 return FALSE;
167 }
168
169 BOOL IsPeFile(LPVOID ImageBase) //判断是否是PE文件结构
170
171 {
172 PIMAGE_DOS_HEADER pDosHeader = NULL;
173 PIMAGE_NT_HEADERS pNtHeader = NULL;
174
175 if (!ImageBase)
176 return FALSE;
177 pDosHeader = (PIMAGE_DOS_HEADER)ImageBase;
178 if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
179 return FALSE;
180 pNtHeader = (PIMAGE_NT_HEADERS32)((DWORD)pDosHeader + pDosHeader->e_lfanew);
181 if (pNtHeader->Signature != IMAGE_NT_SIGNATURE )
182 return FALSE;
183 return TRUE;
184 }
185
186 //FileHeader 内容的读取
187
188
189 PIMAGE_NT_HEADERS GetNtHeader(LPVOID ImageBase) //获取NT结构指针
190
191 {
192 PIMAGE_DOS_HEADER pDosHeader = NULL;
193 PIMAGE_NT_HEADERS pNtHeader = NULL;
194
195 if (!IsPeFile(ImageBase))
196 return NULL;
197 pDosHeader = (PIMAGE_DOS_HEADER)ImageBase;
198 pNtHeader = (PIMAGE_NT_HEADERS32)((DWORD)pDosHeader + pDosHeader->e_lfanew);
199 return pNtHeader;
200 }
201
202 PIMAGE_FILE_HEADER WINAPI GetFileHeader(LPVOID Imagebase)
203 {
204 PIMAGE_FILE_HEADER pFileHeader;
205 PIMAGE_NT_HEADERS pNtHeader = NULL;
206 pNtHeader = GetNtHeader(Imagebase);
207 if (!pNtHeader)
208 return NULL;
209 pFileHeader = &pNtHeader->FileHeader;
210 return pFileHeader;
211 }
212
213 PIMAGE_OPTIONAL_HEADER GetOptionalHeader(LPVOID ImageBase)
214 {
215 PIMAGE_OPTIONAL_HEADER pOptionHeader = NULL;
216 PIMAGE_NT_HEADERS pNtHeader = NULL;
217 pNtHeader = GetNtHeader(ImageBase);
218 if (!pNtHeader)
219 return NULL;
220 pOptionHeader = &pNtHeader->OptionalHeader;
221 return pOptionHeader;
222 }
PE分析的更多相关文章
- 初步了解PE分析
尝试编写代码获取PE文件的信息. 首先使用 CreateFile打开一个PE文件并返回一个用于访问该对象的handle. HANDLE CreateFile( LPCTSTR lpFileName, ...
- ASLR pe 分析
ASLR 转:http://www.cnblogs.com/dliv3/p/6411814.html 3ks @author:dlive 微软从windows vista/windows server ...
- 开源安全:PE分析
https://github.com/JusticeRage/Manalyze.git https://github.com/JusticeRage/Manalyze https://www.free ...
- PE文件格式分析
PE文件格式分析 PE 的意思是 Portable Executable(可移植的执行体).它是 Win32环境自身所带的执行文件格式.它的一些特性继承自Unix的Coff(common object ...
- 【逆向知识】PE ASLR
1.知识点 微软从windows vista/windows server 2008(kernel version 6.0)开始采用ASLR技术,主要目的是为了防止缓冲区溢出 ASLR技术会使PE文件 ...
- windows类书的学习心得(转载)
原文网址:http://www.blogjava.net/sound/archive/2008/08/21/40499.html 现在的计算机图书发展的可真快,很久没去书店,昨日去了一下,真是感叹万千 ...
- Delphi是座宝山,有待挖掘
Delphi是座宝山,有待挖掘1. VCL源码是座宝山,把纷繁复杂的Windows编程封装到短短几个类里,不超过8000行代码,还额外包括许多其它的技巧2. RTL是座宝山,方便程序员使用底层运算,不 ...
- windows类书的学习心得
原文网址:http://www.blogjava.net/sound/archive/2008/08/21/40499.html 现在的计算机图书发展的可真快,很久没去书店,昨日去了一下,真是感叹万千 ...
- Linux调试工具
1. 使用printf调试 #ifdef DEBUG Printf(“valriable x has value = %d\n”, x) #endif 然后在编译选项中加入-DDEBUG 更复杂的调试 ...
随机推荐
- GDB常用命令整理
(gdb) break xxx (gdb) b xxx 在源代码指定的某一行设置断点,其中 xxx 用于指定具体打断点的位置. (gdb) run (gdb) r 执行被调试的程序,其会自动在第一个断 ...
- python -- namedtuple元组
- spring-3-spring整合mybatis
版本和依赖 MyBatis-Spring 需要以下版本: maven依赖 <dependency> <groupId>org.mybatis</groupId> & ...
- 虚拟机安装RHEL8.0.0
在VMware Workstations 15.0.0中安装RHEL8.0.0 使用到的软件和主机基本配置 此处宿主机基本硬件配置:i3-7100U 4核,内存:12G 虚拟化软件:VMware Wo ...
- GC垃圾回收机制详解
JVM堆相关知识 为什么先说JVM堆? JVM的堆是Java对象的活动空间,程序中的类的对象从中分配空间,其存储着正在运行着的应用程序用到的所有对象.这些对象的建立方式就是那些new一类的操作 ...
- 痞子衡嵌入式:深扒i.MXRTxxx系列ROM中集成的串行NOR Flash启动SW Reset功能及其应用场合
大家好,我是痞子衡,是正经搞技术的痞子.今天痞子衡给大家介绍的是i.MXRTxxx系列ROM中集成的串行NOR Flash启动SW Reset功能及其应用场合. 在串行 NOR Flash 热启动过程 ...
- 构建前端第9篇之(上)---Vue组件引入,使用
张艳涛写于2020-1-25日 一.想写下vue引入组件和插件的理解 今天是星期一,周末也看俩两天,在这个几天了,比较迷,主要是从开始学习import指令开始的,import 是es6的语法, imp ...
- Spring in Action学习笔记(2)
Spring基础 AOP 面向切面编程 通知.连接点.切点.切面 Spring提供 4 种类型的AOP支持: 基于代理的经典SpringAOP:使用ProxyFactoryBean. 纯POJO切面: ...
- 模版引擎RazorEngine简介
ASP.NET MVC的Razor想必大家都比较熟悉,这里介绍一个独立于ASP.NET的RazorEngine. RazorEngine是一个开源的项目,它的基础就是ASP.NET MVC的Razor ...
- U 跳转中加入变量参数的写法
href="{:U('Message/news?id='.$vo['messageid'].'')}" 就是在U方法里如果参数是变量就用 '.$i.'代替 {$i} <a h ...