Analyze PE file headers?

{ You'll need a OpenDialog to open a Exe-File and a Memo to show the file informations }

{

  Man braucht einen OpenDialog um eine Exe-Datei zu öffnen und ein Memo,

  um die Informationen anzuzeigen.

}

procedure DumpDOSHeader(const h: IMAGE_DOS_HEADER; Lines: TStrings);

begin

  Lines.Add('Dump of DOS file header');

  Lines.Add(Format('Magic number: %d', [h.e_magic]));

  Lines.Add(Format('Bytes on last page of file: %d', [h.e_cblp]));

  Lines.Add(Format('Pages in file: %d', [h.e_cp]));

  Lines.Add(Format('Relocations: %d', [h.e_crlc]));

  Lines.Add(Format('Size of header in paragraphs: %d', [h.e_cparhdr]));

  Lines.Add(Format('Minimum extra paragraphs needed: %d', [h.e_minalloc]));

  Lines.Add(Format('Maximum extra paragraphs needed: %d', [h.e_maxalloc]));

  Lines.Add(Format('Initial (relative) SS value: %d', [h.e_ss]));

  Lines.Add(Format('Initial SP value: %d', [h.e_sp]));

  Lines.Add(Format('Checksum: %d', [h.e_csum]));

  Lines.Add(Format('Initial IP value: %d', [h.e_ip]));

  Lines.Add(Format('Initial (relative) CS value: %d', [h.e_cs]));

  Lines.Add(Format('File address of relocation table: %d', [h.e_lfarlc]));

  Lines.Add(Format('Overlay number: %d', [h.e_ovno]));

  Lines.Add(Format('OEM identifier (for e_oeminfo): %d', [h.e_oemid]));

  Lines.Add(Format('OEM information; e_oemid specific: %d', [h.e_oeminfo]));

  Lines.Add(Format('File address of new exe header: %d', [h._lfanew]));

  Lines.Add('');

end;

procedure DumpPEHeader(const h: IMAGE_FILE_HEADER; Lines: TStrings);

var

  dt: TDateTime;

begin

  Lines.Add('Dump of PE file header');

  Lines.Add(Format('Machine: %4x', [h.Machine]));

  case h.Machine of

    IMAGE_FILE_MACHINE_UNKNOWN : Lines.Add(' MACHINE_UNKNOWN ');

    IMAGE_FILE_MACHINE_I386: Lines.Add(' Intel 386. ');

    IMAGE_FILE_MACHINE_R3000: Lines.Add(' MIPS little-endian, 0x160 big-endian ');

    IMAGE_FILE_MACHINE_R4000: Lines.Add(' MIPS little-endian ');

    IMAGE_FILE_MACHINE_R10000: Lines.Add(' MIPS little-endian ');

    IMAGE_FILE_MACHINE_ALPHA: Lines.Add(' Alpha_AXP ');

    IMAGE_FILE_MACHINE_POWERPC: Lines.Add(' IBM PowerPC Little-Endian ');

    // some values no longer defined in winnt.h

    $14D: Lines.Add(' Intel i860');

    $: Lines.Add(' Motorola 68000');

    $: Lines.Add(' PA RISC');

    else

      Lines.Add(' unknown machine type');

  end; { Case }

  Lines.Add(Format('NumberOfSections: %d', [h.NumberOfSections]));

  Lines.Add(Format('TimeDateStamp: %d', [h.TimeDateStamp]));

  dt := EncodeDate(, , ) + h.Timedatestamp / SecsPerDay;

  Lines.Add(FormatDateTime(' c', dt));

  Lines.Add(Format('PointerToSymbolTable: %d', [h.PointerToSymbolTable]));

  Lines.Add(Format('NumberOfSymbols: %d', [h.NumberOfSymbols]));

  Lines.Add(Format('SizeOfOptionalHeader: %d', [h.SizeOfOptionalHeader]));

  Lines.Add(Format('Characteristics: %d', [h.Characteristics]));

  if (IMAGE_FILE_DLL and h.Characteristics) <>  then

    Lines.Add(' file is a DLL')

  else if (IMAGE_FILE_EXECUTABLE_IMAGE and h.Characteristics) <>  then

    Lines.Add(' file is a program');

  Lines.Add('');

end;

procedure DumpOptionalHeader(const h: IMAGE_OPTIONAL_HEADER; Lines: TStrings);

begin

  Lines.Add('Dump of PE optional file header');

  Lines.Add(Format('Magic: %d', [h.Magic]));

  case h.Magic of

    $: Lines.Add(' ROM image');

    $10b: Lines.Add(' executable image');

    else

      Lines.Add(' unknown image type');

  end; { If }

  Lines.Add(Format('MajorLinkerVersion: %d', [h.MajorLinkerVersion]));

  Lines.Add(Format('MinorLinkerVersion: %d', [h.MinorLinkerVersion]));

  Lines.Add(Format('SizeOfCode: %d', [h.SizeOfCode]));

  Lines.Add(Format('SizeOfInitializedData: %d', [h.SizeOfInitializedData]));

  Lines.Add(Format('SizeOfUninitializedData: %d', [h.SizeOfUninitializedData]));

  Lines.Add(Format('AddressOfEntryPoint: %d', [h.AddressOfEntryPoint]));

  Lines.Add(Format('BaseOfCode: %d', [h.BaseOfCode]));

  Lines.Add(Format('BaseOfData: %d', [h.BaseOfData]));

  Lines.Add(Format('ImageBase: %d', [h.ImageBase]));

  Lines.Add(Format('SectionAlignment: %d', [h.SectionAlignment]));

  Lines.Add(Format('FileAlignment: %d', [h.FileAlignment]));

  Lines.Add(Format('MajorOperatingSystemVersion: %d', [h.MajorOperatingSystemVersion]));

  Lines.Add(Format('MinorOperatingSystemVersion: %d', [h.MinorOperatingSystemVersion]));

  Lines.Add(Format('MajorImageVersion: %d', [h.MajorImageVersion]));

  Lines.Add(Format('MinorImageVersion: %d', [h.MinorImageVersion]));

  Lines.Add(Format('MajorSubsystemVersion: %d', [h.MajorSubsystemVersion]));

  Lines.Add(Format('MinorSubsystemVersion: %d', [h.MinorSubsystemVersion]));

  Lines.Add(Format('Win32VersionValue: %d', [h.Win32VersionValue]));

  Lines.Add(Format('SizeOfImage: %d', [h.SizeOfImage]));

  Lines.Add(Format('SizeOfHeaders: %d', [h.SizeOfHeaders]));

  Lines.Add(Format('CheckSum: %d', [h.CheckSum]));

  Lines.Add(Format('Subsystem: %d', [h.Subsystem]));

  case h.Subsystem of

    IMAGE_SUBSYSTEM_NATIVE:

      Lines.Add(' Image doesn''t require a subsystem. ');

    IMAGE_SUBSYSTEM_WINDOWS_GUI:

      Lines.Add(' Image runs in the Windows GUI subsystem. ');

    IMAGE_SUBSYSTEM_WINDOWS_CUI:

      Lines.Add(' Image runs in the Windows character subsystem. ');

    IMAGE_SUBSYSTEM_OS2_CUI:

      Lines.Add(' image runs in the OS/2 character subsystem. ');

    IMAGE_SUBSYSTEM_POSIX_CUI:

      Lines.Add(' image run in the Posix character subsystem. ');

    else

      Lines.Add(' unknown subsystem')

  end; { Case }

  Lines.Add(Format('DllCharacteristics: %d', [h.DllCharacteristics]));

  Lines.Add(Format('SizeOfStackReserve: %d', [h.SizeOfStackReserve]));

  Lines.Add(Format('SizeOfStackCommit: %d', [h.SizeOfStackCommit]));

  Lines.Add(Format('SizeOfHeapReserve: %d', [h.SizeOfHeapReserve]));

  Lines.Add(Format('SizeOfHeapCommit: %d', [h.SizeOfHeapCommit]));

  Lines.Add(Format('LoaderFlags: %d', [h.LoaderFlags]));

  Lines.Add(Format('NumberOfRvaAndSizes: %d', [h.NumberOfRvaAndSizes]));

end;

// Example Call, Beispielaufruf:

procedure TForm1.Button1Click(Sender: TObject);

var

  fs: TFilestream;

  signature: DWORD;

  dos_header: IMAGE_DOS_HEADER;

  pe_header: IMAGE_FILE_HEADER;

  opt_header: IMAGE_OPTIONAL_HEADER;

begin

  memo1.Clear;

  with Opendialog1 do

  begin

    Filter := 'Executables (*.EXE)|*.EXE';

    if Execute then

    begin

      fs := TFilestream.Create(FileName, fmOpenread or fmShareDenyNone);

      try

        fs.read(dos_header, SizeOf(dos_header));

        if dos_header.e_magic <> IMAGE_DOS_SIGNATURE then

        begin

          memo1.Lines.Add('Invalid DOS file header');

          Exit;

        end;

        DumpDOSHeader(dos_header, memo1.Lines);

        fs.seek(dos_header._lfanew, soFromBeginning);

        fs.read(signature, SizeOf(signature));

        if signature <> IMAGE_NT_SIGNATURE then

        begin

          memo1.Lines.Add('Invalid PE header');

          Exit;

        end;

        fs.read(pe_header, SizeOf(pe_header));

        DumpPEHeader(pe_header, memo1.Lines);

        if pe_header.SizeOfOptionalHeader >  then

        begin

          fs.read(opt_header, SizeOf(opt_header));

          DumpOptionalHeader(opt_header, memo1.Lines);

        end;

      finally

        fs.Free;

      end; { finally }

    end;

  end;

end;

Delphi : Analyze PE file headers?的更多相关文章

  1. PE File.

    Figure 1 - PE File The CLR header stores information to indicate that the PE file is a .NET executab ...

  2. Make the PE file consistent when code not changed

    参考:http://www.mouseos.com/assembly/06.html 参考:http://www.cnblogs.com/tk091/archive/2012/04/18/245617 ...

  3. Inject shellcode into PE file

    先声明这是不免杀的,只是演示. 哔哩哔哩视频 新增节 一般能实现特定功能的shellcode的长度都比较长,可以分到几个节上的空白区,但是这样麻烦啊,或者把最后一个节扩大,但是最后一个节一般没有执行的 ...

  4. PE Header and Export Table for Delphi

    Malware Analysis Tutorial 8: PE Header and Export Table 2. Background Information of PE HeaderAny bi ...

  5. dnSpy PE format ( Portable Executable File Format)

    Portable Executable File Format PE Format  微软官方的 What is a .PE file in the .NET framework? [closed] ...

  6. 《Peering Inside the PE: A Tour of the Win32 Portable Executable File Format》阅读笔记二

    Common Sections The .text section is where all general-purpose code emitted by the compiler or assem ...

  7. [microsoft]PE和COFF文件格式

    前言 我们知道,vs的C/C++编译工具把每一个编译单元(一个.c或.cpp源文件)编译成一个对象文件(.obj文件):然后用链接器把这些对象文件组合一个单个文件(.exe文件),称为可移植的可执行文 ...

  8. Load PE from memory(反取证)(未完)

      Article 1:Loading Win32/64 DLLs "manually" without LoadLibrary() The most important step ...

  9. Delphi DLL制作和加载 Static, Dynamic, Delayed 以及 Shared-Memory Manager

    一 Dll的制作一般分为以下几步:1 在一个DLL工程里写一个过程或函数2 写一个Exports关键字,在其下写过程的名称.不用写参数和调用后缀.二 参数传递1 参数类型最好与window C++的参 ...

随机推荐

  1. HDU 1875 畅通工程再续 最小生成树问题

    题目描述:输入一个T,表示有T组测试数据,然后每组测试数据有一个C,表示在一个湖里面有C座岛屿,现在要在岛屿之间修建桥,可以修建必须满足的条件是岛与岛之间的距离在10到1000的范围内,然后给出每座岛 ...

  2. 【ARTS】01_05_左耳听风-20181210~1216

    ARTS: Algrothm: leetcode算法题目 Review: 阅读并且点评一篇英文技术文章 Tip/Techni: 学习一个技术技巧 Share: 分享一篇有观点和思考的技术文章 Algo ...

  3. oracle锁表查询,资源占用,连接会话,低效SQL等性能检查

    查询oracle用户名,机器名,锁表对象 select l.session_id sid, s.serial#, l.locked_mode, l.oracle_username, l.os_user ...

  4. MongoDB存储基础教程

    一.MongoDB简介 1. mangodb是一种基于分布式.文件存储的非关系型数据库 2. C++写的,性能高 3. 为web应用提供可扩展的高性能数据存储解决方案 4. 所支持的格式是json格式 ...

  5. Algorithm类介绍(core)

    参考:http://blog.csdn.net/yang_xian521/article/details/7533922

  6. java 组合接口时的名字冲突

    重载方法仅通过返回类型是区分不开的,在打算组合的不同接口中,尽量使用不同的方法名,否则可能导致混乱 //: interfaces/InterfaceCollision.java package obj ...

  7. Nginx+redis的Asp.net

    基于Nginx+redis的Asp.net站点搭建   剧情介绍 在传统的信息系统(比如小规模的ERP\MES系统),往往只是进行简单的应用服务器和数据库服务器的分布式部署,以此来提高应用系统的负载能 ...

  8. NET Core中使用Angular2的Token base身份认证

    下载本文提到的完整代码示例请访问:How to authorization Angular 2 app with asp.net core web api 在ASP.NET Core中使用Angula ...

  9. 【LOJ】#2114. 「HNOI2015」菜肴制作

    题解 把所有边反向 从小到大枚举每个点,把每个点能到达的点挑出来,判完无解后显然是一个DAG,然后在上面求一个编号最大的拓扑序,把这些点全部标记为已选,把每次求得的拓扑序倒序输出 代码 #includ ...

  10. oracle SQL学习总结

    1.候选键.主键和外键约束: create table Employee( id int primary key, name char(20), birthday Date, address varc ...