PE分析
1 #include<windows.h>
2 #include<RichEdit.h>
3 #include "resource.h"
4
5
6
/* Dialog procedure for IDD_DIALOG (defined below); handles open-file and header display. */
BOOL CALLBACK DlgProc(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam);

// PE file handling function declarations
//
// Each of these takes the base address of a read-only file mapping of the
// selected file and returns FALSE / NULL when the image does not look like a
// PE file. None of them receives the size of the mapping, so the caller is
// responsible for ensuring the DOS and NT headers lie inside the view before
// calling them (see DlgProc).

BOOL IsPeFile(LPVOID ImageBase);
PIMAGE_NT_HEADERS GetNtHeader(LPVOID ImageBase);
PIMAGE_FILE_HEADER WINAPI GetFileHeader(LPVOID Imagebase);
PIMAGE_OPTIONAL_HEADER GetOptionalHeader(LPVOID ImageBase);
15
/*
 * Program entry point. The whole application is the modal dialog IDD_DIALOG;
 * the process exits with 0 as soon as the dialog is closed. The dialog's
 * return value is not used.
 */
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowcmd)
{
    (void)hPrevInstance;
    (void)lpCmdLine;
    (void)nShowcmd;

    (void)DialogBox(hInstance, MAKEINTRESOURCE(IDD_DIALOG), NULL, DlgProc);
    return 0;
}
22
23
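/*
 * Returns TRUE when the mapped file is large enough to hold a DOS header and,
 * at e_lfanew, a complete IMAGE_NT_HEADERS. IsPeFile/GetFileHeader/
 * GetOptionalHeader take no size argument, so this is the only place that
 * keeps them from reading past the end of the view on a truncated or
 * malformed file (a crafted e_lfanew would otherwise point anywhere).
 *
 * NOTE(review): sizeof(IMAGE_NT_HEADERS) follows the build (32/64-bit) rather
 * than the file's own SizeOfOptionalHeader, so a file whose optional header is
 * cut exactly at end-of-file may be rejected here — acceptable for a viewer.
 */
static BOOL HeadersFitInFile(LPVOID lpBase, DWORD dwFileSize)
{
    PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)lpBase;

    if (!lpBase || dwFileSize < sizeof(IMAGE_DOS_HEADER))
        return FALSE;
    if (dwFileSize < sizeof(IMAGE_NT_HEADERS))
        return FALSE;
    /* e_lfanew is a signed LONG; negative values would point before the view. */
    if (pDos->e_lfanew < 0)
        return FALSE;
    /* Subtraction cannot underflow: dwFileSize >= sizeof(IMAGE_NT_HEADERS) above. */
    if ((DWORD)pDos->e_lfanew > dwFileSize - (DWORD)sizeof(IMAGE_NT_HEADERS))
        return FALSE;
    return TRUE;
}

/*
 * Formats dwValue with pszFormat (a wsprintf hex format such as "%04lX" or
 * "%08lX") and stores the text in dialog control nIDDlgItem. The value is
 * widened to DWORD by the caller so the "l" length modifier always matches.
 */
static void SetDlgHex(HWND hDlg, int nIDDlgItem, LPCTSTR pszFormat, DWORD dwValue)
{
    TCHAR szBuf[16]; /* longest output is 8 hex digits plus NUL */

    wsprintf(szBuf, pszFormat, dwValue);
    SetDlgItemText(hDlg, nIDDlgItem, szBuf);
}

/*
 * Writes the header fields shown by the dialog: Machine and NumberOfSections
 * from the file header; Magic, AddressOfEntryPoint and the export (0),
 * import (1) and resource (2) data directories from the optional header.
 */
static void ShowHeaderFields(HWND hDlg, PIMAGE_FILE_HEADER pFileHeader, PIMAGE_OPTIONAL_HEADER pOptionHeader)
{
    SetDlgHex(hDlg, IDC_MACHINE,          "%04lX", pFileHeader->Machine);
    SetDlgHex(hDlg, IDC_NUMSECTION,       "%04lX", pFileHeader->NumberOfSections);
    SetDlgHex(hDlg, IDC_MAGIC,            "%04lX", pOptionHeader->Magic);
    SetDlgHex(hDlg, IDC_ENTERPOINT,       "%08lX", pOptionHeader->AddressOfEntryPoint);
    SetDlgHex(hDlg, IDC_EDIT_RVA_EXPORT,  "%08lX", pOptionHeader->DataDirectory[0].VirtualAddress);
    SetDlgHex(hDlg, IDC_EDIT_SIZE_EXPORT, "%08lX", pOptionHeader->DataDirectory[0].Size);
    SetDlgHex(hDlg, IDC_EDIT_RVA_IMPORT,  "%08lX", pOptionHeader->DataDirectory[1].VirtualAddress);
    SetDlgHex(hDlg, IDC_EDIT_SIZE_IMPORT, "%08lX", pOptionHeader->DataDirectory[1].Size);
    SetDlgHex(hDlg, IDC_EDIT_RVA_RES,     "%08lX", pOptionHeader->DataDirectory[2].VirtualAddress);
    SetDlgHex(hDlg, IDC_EDIT_SIZE_RES,    "%08lX", pOptionHeader->DataDirectory[2].Size);
}

/*
 * Dialog procedure for IDD_DIALOG.
 *
 * IDM_OPEN lets the user pick a file, maps it read-only, and, if it passes the
 * size and signature checks, displays the selected header fields. The file
 * content is untrusted: every header read is bounds-checked against the file
 * size before the parsing helpers are called.
 *
 * Returns FALSE for every message so the default dialog handling still runs
 * (this also means WM_INITDIALOG leaves focus assignment to the system).
 *
 * Fixes relative to the original handler:
 *  - OFN_* and FILE_SHARE_* flags were combined with "||" (logical OR), which
 *    collapses both to the value 1 (OFN_READONLY / FILE_SHARE_READ); "|" is used.
 *  - lpMemory/hFileMap were read uninitialised when the file was empty or the
 *    mapping failed; both are now initialised and checked.
 *  - the "not a PE file" branch unmapped and closed the handles and then fell
 *    through to a second unmap/close (double CloseHandle); there is now a
 *    single cleanup path, which the header-pointer failure path also uses
 *    (it previously leaked the mapping and both handles).
 *  - a cancelled file dialog no longer reports an error; only a real
 *    CommDlgExtendedError() does.
 */
BOOL CALLBACK DlgProc(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam)
{
    OPENFILENAME ofn = { 0 };
    HANDLE hFile = INVALID_HANDLE_VALUE;
    HANDLE hFileMap = NULL;
    LPVOID lpMemory = NULL;
    DWORD dwFileSize = 0;
    TCHAR szPe[] = "\"PE File(*.exe)\" \0*.exe;*.dll;*.scr;*.fon;*.drv;\0\"*.All File(*.*) \0*.*\0\0";
    TCHAR szFileName[256] = { "" };
    PIMAGE_FILE_HEADER pFileHeader = NULL;
    PIMAGE_OPTIONAL_HEADER pOptionHeader = NULL;

    (void)lParam;

    switch (message)
    {
    case WM_INITDIALOG:
        break;

    case WM_CLOSE:
        EndDialog(hDlg, 0);
        break;

    case WM_COMMAND:
        switch (LOWORD(wParam))
        {
        case IDM_OPEN:
            ofn.lStructSize = sizeof(OPENFILENAME);
            ofn.hwndOwner = hDlg;
            /* hInstance is only consulted with OFN_ENABLETEMPLATE; not used here. */
            ofn.hInstance = NULL;
            ofn.lpstrFilter = szPe;
            ofn.lpstrFile = szFileName;
            ofn.nMaxFile = sizeof(szFileName);
            /* Bitwise OR: "||" would yield 1 == OFN_READONLY and drop both checks. */
            ofn.Flags = OFN_FILEMUSTEXIST | OFN_PATHMUSTEXIST;

            if (!GetOpenFileName(&ofn))
            {
                /* Zero extended error means the user simply cancelled. */
                if (CommDlgExtendedError() != 0)
                    MessageBox(hDlg, "GetOpenFileName 调用失败", "ERROR", MB_OK);
                break;
            }

            SetDlgItemText(hDlg, IDC_FILENAME, szFileName);

            /* Bitwise OR: "||" collapsed the share mode to FILE_SHARE_READ only. */
            hFile = CreateFile(ofn.lpstrFile,
                               GENERIC_READ,
                               FILE_SHARE_READ | FILE_SHARE_WRITE,
                               NULL,
                               OPEN_EXISTING,
                               FILE_ATTRIBUTE_NORMAL,
                               NULL);
            if (hFile == INVALID_HANDLE_VALUE)
            {
                MessageBox(hDlg, "Could not open file.", "ERROR", MB_ICONERROR);
                break;
            }

            /* Low 32 bits of the size are enough: the view is 32-bit addressed
             * and the headers must sit in the first few KB anyway. An empty file
             * cannot be mapped and is certainly not a PE. */
            dwFileSize = GetFileSize(hFile, NULL);
            if (dwFileSize == 0 || dwFileSize == INVALID_FILE_SIZE)
            {
                MessageBox(hDlg, "你选择的不是PE文件", "error", MB_ICONERROR);
                goto cleanup;
            }

            hFileMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
            if (hFileMap != NULL)
                lpMemory = MapViewOfFile(hFileMap, FILE_MAP_READ, 0, 0, 0);
            if (lpMemory == NULL)
            {
                MessageBox(hDlg, "Could not map file.", "ERROR", MB_ICONERROR);
                goto cleanup;
            }

            /* Size check first: IsPeFile dereferences e_lfanew unchecked. */
            if (!HeadersFitInFile(lpMemory, dwFileSize) || !IsPeFile(lpMemory))
            {
                MessageBox(hDlg, "你选择的不是PE文件", "error", MB_ICONERROR);
                goto cleanup;
            }

            pFileHeader = GetFileHeader(lpMemory);
            pOptionHeader = GetOptionalHeader(lpMemory);
            if (!(pFileHeader && pOptionHeader))
            {
                MessageBox(hDlg, "获取文件头指针失败", "PEINFO", MB_ICONERROR);
                goto cleanup;
            }

            ShowHeaderFields(hDlg, pFileHeader, pOptionHeader);

cleanup:
            /* Single release path for every outcome after CreateFile succeeded. */
            if (lpMemory != NULL)
                UnmapViewOfFile(lpMemory);
            if (hFileMap != NULL)
                CloseHandle(hFileMap);
            CloseHandle(hFile);
            break;

        default:
            break;
        }
        break;

    default:
        break;
    }
    return FALSE;
}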
168
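/*
 * Checks whether ImageBase points at something that has the PE structure
 * ("MZ" at offset 0 and "PE\0\0" at e_lfanew).
 *
 * ImageBase: base of a mapped file; NULL is accepted and yields FALSE.
 * Returns TRUE when both signatures are present, FALSE otherwise.
 *
 * The function has no size parameter, so the caller must guarantee that the
 * view holds a full IMAGE_DOS_HEADER and at least 4 bytes at e_lfanew; only a
 * negative e_lfanew is rejected here. The pointer arithmetic is done on a
 * byte pointer rather than through a DWORD cast, which truncated the address
 * in 64-bit builds.
 */
BOOL IsPeFile(LPVOID ImageBase) // 判断是否是PE文件结构 (is this a PE file?)
{
    PIMAGE_DOS_HEADER pDosHeader = NULL;
    PIMAGE_NT_HEADERS pNtHeader = NULL;

    if (!ImageBase)
        return FALSE;

    pDosHeader = (PIMAGE_DOS_HEADER)ImageBase;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return FALSE;

    /* e_lfanew is a signed LONG; a negative value would point before the view. */
    if (pDosHeader->e_lfanew < 0)
        return FALSE;

    pNtHeader = (PIMAGE_NT_HEADERS)((unsigned char *)pDosHeader + pDosHeader->e_lfanew);
    if (pNtHeader->Signature != IMAGE_NT_SIGNATURE)
        return FALSE;

    return TRUE;
}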
185
186 //FileHeader 内容的读取
187
188
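/*
 * Returns a pointer to the IMAGE_NT_HEADERS of the mapped image at ImageBase,
 * or NULL when IsPeFile() rejects it.
 *
 * The offset is applied to a byte pointer; the previous (DWORD) cast truncated
 * the base address in 64-bit builds. Bounds against the mapping size are the
 * caller's responsibility (see IsPeFile).
 *
 * NOTE(review): PIMAGE_NT_HEADERS follows the build bitness, so a PE32 file
 * read from a 64-bit build is viewed through the wrong optional-header layout;
 * the dialog only displays fields, it does not act on them.
 */
PIMAGE_NT_HEADERS GetNtHeader(LPVOID ImageBase) // 获取NT结构指针 (get NT headers pointer)
{
    PIMAGE_DOS_HEADER pDosHeader = NULL;

    if (!IsPeFile(ImageBase))
        return NULL;

    pDosHeader = (PIMAGE_DOS_HEADER)ImageBase;
    return (PIMAGE_NT_HEADERS)((unsigned char *)pDosHeader + pDosHeader->e_lfanew);
}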
201
/*
 * Returns the IMAGE_FILE_HEADER embedded in the NT headers of the mapped image
 * at Imagebase, or NULL when GetNtHeader() finds no valid PE.
 */
PIMAGE_FILE_HEADER WINAPI GetFileHeader(LPVOID Imagebase)
{
    PIMAGE_NT_HEADERS pNt = GetNtHeader(Imagebase);

    return pNt ? &pNt->FileHeader : NULL;
}
212
/*
 * Returns the IMAGE_OPTIONAL_HEADER embedded in the NT headers of the mapped
 * image at ImageBase, or NULL when GetNtHeader() finds no valid PE.
 */
PIMAGE_OPTIONAL_HEADER GetOptionalHeader(LPVOID ImageBase)
{
    PIMAGE_NT_HEADERS pNt = GetNtHeader(ImageBase);

    return pNt ? &pNt->OptionalHeader : NULL;
}