Analyze PE file headers?

{ You'll need an OpenDialog to open an EXE file and a Memo to show the file information }

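{
  You'll need an OpenDialog to open an EXE file and a Memo to show the
  file information.

  Everything the procedures below print is copied from the file's own
  headers. Nothing is authenticated: TimeDateStamp, CheckSum, the version
  numbers and the machine/subsystem codes only say what the file claims.
}

{ Writes each field of the DOS (MZ) header h to Lines, one line per field,
  followed by an empty separator line. Values are printed as decimal. }
procedure DumpDOSHeader(const h: IMAGE_DOS_HEADER; Lines: TStrings);
begin
  Lines.Add('Dump of DOS file header');
  Lines.Add(Format('Magic number: %d', [h.e_magic]));
  Lines.Add(Format('Bytes on last page of file: %d', [h.e_cblp]));
  Lines.Add(Format('Pages in file: %d', [h.e_cp]));
  Lines.Add(Format('Relocations: %d', [h.e_crlc]));
  Lines.Add(Format('Size of header in paragraphs: %d', [h.e_cparhdr]));
  Lines.Add(Format('Minimum extra paragraphs needed: %d', [h.e_minalloc]));
  Lines.Add(Format('Maximum extra paragraphs needed: %d', [h.e_maxalloc]));
  Lines.Add(Format('Initial (relative) SS value: %d', [h.e_ss]));
  Lines.Add(Format('Initial SP value: %d', [h.e_sp]));
  Lines.Add(Format('Checksum: %d', [h.e_csum]));
  Lines.Add(Format('Initial IP value: %d', [h.e_ip]));
  Lines.Add(Format('Initial (relative) CS value: %d', [h.e_cs]));
  Lines.Add(Format('File address of relocation table: %d', [h.e_lfarlc]));
  Lines.Add(Format('Overlay number: %d', [h.e_ovno]));
  Lines.Add(Format('OEM identifier (for e_oeminfo): %d', [h.e_oemid]));
  Lines.Add(Format('OEM information; e_oemid specific: %d', [h.e_oeminfo]));
  Lines.Add(Format('File address of new exe header: %d', [h._lfanew]));
  Lines.Add('');
end;

{ Writes the fields of the COFF file header h to Lines. Machine and the
  DLL/EXE bits of Characteristics are decoded into readable text, and
  TimeDateStamp is additionally shown as a date. The PE format defines
  TimeDateStamp as seconds since 1970-01-01; the value is whatever the
  file says and is easily forged, so treat the date as a hint only. }
procedure DumpPEHeader(const h: IMAGE_FILE_HEADER; Lines: TStrings);
var
  dt: TDateTime;
begin
  Lines.Add('Dump of PE file header');
  Lines.Add(Format('Machine: %4x', [h.Machine]));
  case h.Machine of
    IMAGE_FILE_MACHINE_UNKNOWN: Lines.Add(' MACHINE_UNKNOWN ');
    IMAGE_FILE_MACHINE_I386:    Lines.Add(' Intel 386. ');
    IMAGE_FILE_MACHINE_R3000:   Lines.Add(' MIPS little-endian, 0x160 big-endian ');
    IMAGE_FILE_MACHINE_R4000:   Lines.Add(' MIPS little-endian ');
    IMAGE_FILE_MACHINE_R10000:  Lines.Add(' MIPS little-endian ');
    IMAGE_FILE_MACHINE_ALPHA:   Lines.Add(' Alpha_AXP ');
    IMAGE_FILE_MACHINE_POWERPC: Lines.Add(' IBM PowerPC Little-Endian ');
    // some values no longer defined in winnt.h (taken from the early
    // Win32 SDK header; they only affect the label that is printed)
    $14D: Lines.Add(' Intel i860');
    $268: Lines.Add(' Motorola 68000');
    $290: Lines.Add(' PA RISC');
  else
    Lines.Add(' unknown machine type');
  end; { Case }
  Lines.Add(Format('NumberOfSections: %d', [h.NumberOfSections]));
  Lines.Add(Format('TimeDateStamp: %d', [h.TimeDateStamp]));
  // seconds since the Unix epoch -> TDateTime (days since 1899-12-30)
  dt := EncodeDate(1970, 1, 1) + h.TimeDateStamp / SecsPerDay;
  Lines.Add(FormatDateTime(' c', dt));
  Lines.Add(Format('PointerToSymbolTable: %d', [h.PointerToSymbolTable]));
  Lines.Add(Format('NumberOfSymbols: %d', [h.NumberOfSymbols]));
  Lines.Add(Format('SizeOfOptionalHeader: %d', [h.SizeOfOptionalHeader]));
  Lines.Add(Format('Characteristics: %d', [h.Characteristics]));
  if (IMAGE_FILE_DLL and h.Characteristics) <> 0 then
    Lines.Add(' file is a DLL')
  else if (IMAGE_FILE_EXECUTABLE_IMAGE and h.Characteristics) <> 0 then
    Lines.Add(' file is a program');
  Lines.Add('');
end;

{ Writes the fields of the optional header h to Lines. Magic and Subsystem
  are decoded into readable text.
  NOTE(review): IMAGE_OPTIONAL_HEADER is the 32-bit (PE32) layout in the
  Delphi Windows unit (confirm for your compiler). For a PE32+ image
  (Magic $20B) the fields from BaseOfData onward are laid out differently,
  so their printed values are not meaningful. }
procedure DumpOptionalHeader(const h: IMAGE_OPTIONAL_HEADER; Lines: TStrings);
begin
  Lines.Add('Dump of PE optional file header');
  Lines.Add(Format('Magic: %d', [h.Magic]));
  case h.Magic of
    $107: Lines.Add(' ROM image');
    $10b: Lines.Add(' executable image');
    $20b: Lines.Add(' PE32+ executable image (fields below use the PE32 layout)');
  else
    Lines.Add(' unknown image type');
  end; { Case }
  Lines.Add(Format('MajorLinkerVersion: %d', [h.MajorLinkerVersion]));
  Lines.Add(Format('MinorLinkerVersion: %d', [h.MinorLinkerVersion]));
  Lines.Add(Format('SizeOfCode: %d', [h.SizeOfCode]));
  Lines.Add(Format('SizeOfInitializedData: %d', [h.SizeOfInitializedData]));
  Lines.Add(Format('SizeOfUninitializedData: %d', [h.SizeOfUninitializedData]));
  Lines.Add(Format('AddressOfEntryPoint: %d', [h.AddressOfEntryPoint]));
  Lines.Add(Format('BaseOfCode: %d', [h.BaseOfCode]));
  Lines.Add(Format('BaseOfData: %d', [h.BaseOfData]));
  Lines.Add(Format('ImageBase: %d', [h.ImageBase]));
  Lines.Add(Format('SectionAlignment: %d', [h.SectionAlignment]));
  Lines.Add(Format('FileAlignment: %d', [h.FileAlignment]));
  Lines.Add(Format('MajorOperatingSystemVersion: %d', [h.MajorOperatingSystemVersion]));
  Lines.Add(Format('MinorOperatingSystemVersion: %d', [h.MinorOperatingSystemVersion]));
  Lines.Add(Format('MajorImageVersion: %d', [h.MajorImageVersion]));
  Lines.Add(Format('MinorImageVersion: %d', [h.MinorImageVersion]));
  Lines.Add(Format('MajorSubsystemVersion: %d', [h.MajorSubsystemVersion]));
  Lines.Add(Format('MinorSubsystemVersion: %d', [h.MinorSubsystemVersion]));
  Lines.Add(Format('Win32VersionValue: %d', [h.Win32VersionValue]));
  Lines.Add(Format('SizeOfImage: %d', [h.SizeOfImage]));
  Lines.Add(Format('SizeOfHeaders: %d', [h.SizeOfHeaders]));
  Lines.Add(Format('CheckSum: %d', [h.CheckSum]));
  Lines.Add(Format('Subsystem: %d', [h.Subsystem]));
  case h.Subsystem of
    IMAGE_SUBSYSTEM_NATIVE:
      Lines.Add(' Image doesn''t require a subsystem. ');
    IMAGE_SUBSYSTEM_WINDOWS_GUI:
      Lines.Add(' Image runs in the Windows GUI subsystem. ');
    IMAGE_SUBSYSTEM_WINDOWS_CUI:
      Lines.Add(' Image runs in the Windows character subsystem. ');
    IMAGE_SUBSYSTEM_OS2_CUI:
      Lines.Add(' image runs in the OS/2 character subsystem. ');
    IMAGE_SUBSYSTEM_POSIX_CUI:
      Lines.Add(' image run in the Posix character subsystem. ');
  else
    Lines.Add(' unknown subsystem')
  end; { Case }
  Lines.Add(Format('DllCharacteristics: %d', [h.DllCharacteristics]));
  Lines.Add(Format('SizeOfStackReserve: %d', [h.SizeOfStackReserve]));
  Lines.Add(Format('SizeOfStackCommit: %d', [h.SizeOfStackCommit]));
  Lines.Add(Format('SizeOfHeapReserve: %d', [h.SizeOfHeapReserve]));
  Lines.Add(Format('SizeOfHeapCommit: %d', [h.SizeOfHeapCommit]));
  Lines.Add(Format('LoaderFlags: %d', [h.LoaderFlags]));
  Lines.Add(Format('NumberOfRvaAndSizes: %d', [h.NumberOfRvaAndSizes]));
end;

// Example Call, Beispielaufruf:
{ Lets the user pick an EXE file and dumps its DOS, COFF and optional
  headers into memo1. The file is untrusted input: e_lfanew and
  SizeOfOptionalHeader are checked against the real file size before
  they are used, and ReadBuffer is used instead of Read so a truncated
  file raises instead of leaving a record partly uninitialised. }
procedure TForm1.Button1Click(Sender: TObject);
var
  fs: TFilestream;
  signature: DWORD;
  dos_header: IMAGE_DOS_HEADER;
  pe_header: IMAGE_FILE_HEADER;
  opt_header: IMAGE_OPTIONAL_HEADER;
begin
  memo1.Clear;
  with Opendialog1 do
  begin
    Filter := 'Executables (*.EXE)|*.EXE';
    if not Execute then
      Exit;
    fs := TFilestream.Create(FileName, fmOpenread or fmShareDenyNone);
    try
      try
        fs.ReadBuffer(dos_header, SizeOf(dos_header));
        if dos_header.e_magic <> IMAGE_DOS_SIGNATURE then
        begin
          memo1.Lines.Add('Invalid DOS file header');
          Exit;
        end;
        DumpDOSHeader(dos_header, memo1.Lines);

        // e_lfanew is a signed offset taken from the file; reject it before
        // it reaches Seek if it is negative or leaves no room for the
        // signature and COFF header.
        if (dos_header._lfanew < 0) or
           (Int64(dos_header._lfanew) + SizeOf(signature) + SizeOf(pe_header) > fs.Size) then
        begin
          memo1.Lines.Add('Invalid PE header');
          Exit;
        end;
        fs.Seek(dos_header._lfanew, soFromBeginning);
        fs.ReadBuffer(signature, SizeOf(signature));
        if signature <> IMAGE_NT_SIGNATURE then
        begin
          memo1.Lines.Add('Invalid PE header');
          Exit;
        end;
        fs.ReadBuffer(pe_header, SizeOf(pe_header));
        DumpPEHeader(pe_header, memo1.Lines);

        // Only decode the optional header when the file declares at least
        // as many bytes as the record we read into; a smaller declared
        // size would make the read spill into the section table.
        if pe_header.SizeOfOptionalHeader >= SizeOf(opt_header) then
        begin
          fs.ReadBuffer(opt_header, SizeOf(opt_header));
          DumpOptionalHeader(opt_header, memo1.Lines);
        end
        else if pe_header.SizeOfOptionalHeader > 0 then
          memo1.Lines.Add('Optional header too small to decode');
      except
        // EReadError from ReadBuffer: the file ended inside a header.
        on E: EStreamError do
          memo1.Lines.Add('Truncated or unreadable file: ' + E.Message);
      end;
    finally
      fs.Free;
    end; { finally }
  end;
end;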
