三个文件分别是类定义文件pefile.h;类实现文件pefile.cpp;类调用文件petype.cpp.
#ifndef PE_FILE_H
#define PE_FILE_H
#include "windows.h" #define ISMZHEADER (*(WORD*)File_memory == 0x5a4d)
#define ISPEHEADER (*(WORD*)((BYTE*)File_memory + *(DWORD*)((BYTE*)File_memory + 0x3c)) == 0x4550)
#define ISPE32MAGIC (*(WORD*)((BYTE*)File_memory + *(DWORD*)((BYTE*)File_memory + 0x3c) + sizeof(IMAGE_FILE_HEADER) + 4) == 0x10b)
#define ISPE64MAGIC (*(WORD*)((BYTE*)File_memory + *(DWORD*)((BYTE*)File_memory + 0x3c) + sizeof(IMAGE_FILE_HEADER) + 4) == 0x20b)
#define ISPEROMMAGIC (*(WORD*)((BYTE*)File_memory + *(DWORD*)((BYTE*)File_memory + 0x3c) + sizeof(IMAGE_FILE_HEADER) + 4) == 0x107) #define X_PE_32 32
#define X_PE_64 64 #define READ_ERRO 0x0
#define NOT_PE_FILE 0x200
#define PE_FILE 0x100
#define PE64_FILE 0x40
#define PE32_FILE 0x20
#define ROM_IMAGE 0x10
#define EXE_FILE 0x8
#define DLL_FILE 0x4
#define SYS_FILE 0x2
#define OTHER_FILE 0x1 typedef struct X_IMAGE_NT_HEADERS32 {
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} MX_IMAGE_NT_HEADERS32; typedef struct X_IMAGE_NT_HEADERS64 {
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} MX_IMAGE_NT_HEADERS64; typedef struct X_IMAGE_NT_HEADERS {
DWORD systembit;
union {
MX_IMAGE_NT_HEADERS32* Ntheader32;
MX_IMAGE_NT_HEADERS64* Ntheader64;
};
} MX_IMAGE_NT_HEADERS; typedef struct X_IMPORT_FUNCTION {
union{
DWORD Flag32;
UINT64 Flag64;
}uf;
union {
DWORD* FunOrdinal32;
UINT64* FunOrdinal64;
char* FunName;
}ud;
} MX_IMPORT_FUNCTION; typedef struct X_EXPORT_FUNCTION {
DWORD Flag;
union {
DWORD FunOrdinal;
char* FunName;
}ud;
} MX_EXPORT_FUNCTION; typedef struct X_RESOURCE_TYPE {
DWORD Flag;
union {
DWORD ResourceID;
char* ResourceName;
}u;
} MX_RESOURCE_TYPE; class XPEFILE
{
public:
XPEFILE(char* lpFileName);
virtual ~XPEFILE();
int GetType();
int GetSize();
IMAGE_DOS_HEADER* GetDosHeader();
IMAGE_FILE_HEADER* GetFileHeader();
VOID GetNTHeader(MX_IMAGE_NT_HEADERS* ntheader);
IMAGE_SECTION_HEADER* GetSectionInfo();
int Rva2Raw(DWORD* lpaddress);
int Raw2Rva(DWORD* lpaddress);
int CheckImportDll(char* dllname);
int CheckImportFun(char* dllname, MX_IMPORT_FUNCTION* importfun);
int CheckExportFun(MX_EXPORT_FUNCTION* exportfun);
IMAGE_RESOURCE_DATA_ENTRY* GetFileResource(MX_RESOURCE_TYPE* resourcetype1, MX_RESOURCE_TYPE* resourcetype2); private:
void* File_memory;
int File_size;
int File_type;
}; #endif

pefile.h

#include "stdafx.h"
#include "windows.h"
#include "pefile.h"
#include "winnls.h" XPEFILE::XPEFILE(char* strFileName)
{
HANDLE hfile;
unsigned long sizehigh;
void* lpmemory; File_memory = NULL;
File_type = READ_ERRO; hfile = CreateFile(strFileName, GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,,OPEN_EXISTING,FILE_FLAG_SEQUENTIAL_SCAN,);
if (hfile != INVALID_HANDLE_VALUE)
{
File_size = GetFileSize(hfile, &sizehigh);
lpmemory = LocalAlloc(LPTR,File_size);
if(ReadFile(hfile,lpmemory,File_size,&sizehigh,) != NULL)
{
File_memory = lpmemory;
}
CloseHandle(hfile);
}
} XPEFILE::~XPEFILE()
{
if (File_memory == NULL)
{
LocalFree(File_memory);
}
} int XPEFILE::GetSize()
{
return File_size;
} int XPEFILE::GetType()
{
MX_IMAGE_NT_HEADERS32* ntheader32;
MX_IMAGE_NT_HEADERS64* ntheader64; File_type = READ_ERRO; if (File_memory == NULL)
{
return File_type;
}
File_type = NOT_PE_FILE;
if(ISMZHEADER && ISPEHEADER)
{
File_type = PE_FILE;
}
if (File_type == PE_FILE)
{
if (ISPE32MAGIC)
{
File_type = File_type | PE32_FILE;
ntheader32 = (MX_IMAGE_NT_HEADERS32*) ((BYTE*)File_memory + *(DWORD*)((BYTE*)File_memory + 0x3c));
if (ntheader32->FileHeader.Characteristics & IMAGE_FILE_DLL)
{
File_type = File_type | DLL_FILE;
}
else if ((ntheader32->OptionalHeader.Subsystem & IMAGE_SUBSYSTEM_WINDOWS_CUI)||(ntheader32->OptionalHeader.Subsystem & IMAGE_SUBSYSTEM_WINDOWS_GUI))
{
File_type = File_type | EXE_FILE;
}
else if ((ntheader32->OptionalHeader.Subsystem & IMAGE_SUBSYSTEM_NATIVE)||(ntheader32->OptionalHeader.Subsystem & IMAGE_SUBSYSTEM_NATIVE_WINDOWS))
{
File_type = File_type | SYS_FILE;
}
}
if (ISPE64MAGIC)
{
File_type = File_type | PE64_FILE;
ntheader64 = (MX_IMAGE_NT_HEADERS64*) ((BYTE*)File_memory + *(DWORD*)((BYTE*)File_memory + 0x3c));
if (ntheader64->FileHeader.Characteristics & IMAGE_FILE_DLL)
{
File_type = File_type | DLL_FILE;
}
else if ((ntheader64->OptionalHeader.Subsystem & IMAGE_SUBSYSTEM_WINDOWS_CUI)|(ntheader64->OptionalHeader.Subsystem & IMAGE_SUBSYSTEM_WINDOWS_GUI))
{
File_type = File_type | EXE_FILE;
}
else if ((ntheader32->OptionalHeader.Subsystem & IMAGE_SUBSYSTEM_NATIVE)||(ntheader32->OptionalHeader.Subsystem & IMAGE_SUBSYSTEM_NATIVE_WINDOWS))
{
File_type = File_type | SYS_FILE;
}
}
if (ISPEROMMAGIC)
{
File_type = File_type | ROM_IMAGE;
}
}
return File_type;
} IMAGE_DOS_HEADER* XPEFILE::GetDosHeader()
{
IMAGE_DOS_HEADER* dosheader;
if (ISMZHEADER && ISPEHEADER)
{
dosheader = (IMAGE_DOS_HEADER*) File_memory;
return dosheader;
}
return NULL;
} VOID XPEFILE::GetNTHeader(MX_IMAGE_NT_HEADERS* ntheader)
{
if (ISMZHEADER && ISPEHEADER && ISPE32MAGIC)
{
ntheader->systembit = X_PE_32;
ntheader->Ntheader32 = (MX_IMAGE_NT_HEADERS32*) ((BYTE*)File_memory + *(DWORD*)((BYTE*)File_memory + 0x3c));
}
else if (ISMZHEADER && ISPEHEADER && ISPE64MAGIC)
{
ntheader->systembit = X_PE_64;
ntheader->Ntheader64 = (MX_IMAGE_NT_HEADERS64*) ((BYTE*)File_memory + *(DWORD*)((BYTE*)File_memory + 0x3c));
}
else
{
ntheader->systembit = NULL;
}
} IMAGE_SECTION_HEADER* XPEFILE::GetSectionInfo()
{
IMAGE_SECTION_HEADER* sectioninfo;
MX_IMAGE_NT_HEADERS32* ntheader32;
MX_IMAGE_NT_HEADERS64* ntheader64; if (ISMZHEADER && ISPEHEADER && ISPE32MAGIC)
{
ntheader32 = (MX_IMAGE_NT_HEADERS32*) ((BYTE*)File_memory + *(DWORD*)((BYTE*)File_memory + 0x3c));
sectioninfo = (IMAGE_SECTION_HEADER*)((BYTE*)ntheader32 + sizeof(ntheader32->Signature) + ntheader32->FileHeader.SizeOfOptionalHeader + sizeof(ntheader32->FileHeader));
return sectioninfo;
}
if (ISMZHEADER && ISPEHEADER && ISPE64MAGIC)
{
ntheader64 = (MX_IMAGE_NT_HEADERS64*) ((BYTE*)File_memory + *(DWORD*)((BYTE*)File_memory + 0x3c));
sectioninfo = (IMAGE_SECTION_HEADER*)((BYTE*)ntheader64 + sizeof(ntheader64->Signature) + ntheader64->FileHeader.SizeOfOptionalHeader + sizeof(ntheader64->FileHeader));
return sectioninfo;
}
return NULL;
} IMAGE_FILE_HEADER* XPEFILE::GetFileHeader()
{
if (ISMZHEADER && ISPEHEADER)
{
return (IMAGE_FILE_HEADER*)((BYTE*)File_memory + *(DWORD*)((BYTE*)File_memory + 0x3c) +);
}
else
{
return NULL;
}
} int XPEFILE::Rva2Raw(DWORD* lpaddress)
{
IMAGE_FILE_HEADER* fileheader;
IMAGE_SECTION_HEADER* sectionheader;
int numberofsection, secnumber1, notinsection; notinsection = ;
secnumber1 = ;
sectionheader = GetSectionInfo();
fileheader = GetFileHeader();
numberofsection = fileheader->NumberOfSections;
while (secnumber1 < numberofsection)
{
if((sectionheader[secnumber1].VirtualAddress <= *lpaddress) && ((sectionheader[secnumber1].VirtualAddress + sectionheader[secnumber1].Misc.VirtualSize) > *lpaddress))
{
*lpaddress = (*lpaddress - sectionheader[secnumber1].VirtualAddress + sectionheader[secnumber1].PointerToRawData);
if ((sectionheader[secnumber1].PointerToRawData <= *lpaddress) && ((sectionheader[secnumber1].PointerToRawData + sectionheader[secnumber1].SizeOfRawData) > *lpaddress))
{
notinsection = ;
secnumber1 += numberofsection;
}
}
secnumber1++;
}
if (notinsection)
{
return ;
}
return (secnumber1 - numberofsection);
} int XPEFILE::Raw2Rva(DWORD* lpaddress)
{
IMAGE_FILE_HEADER* fileheader;
IMAGE_SECTION_HEADER* sectionheader;
int numberofsection, secnumber1, notinsection; notinsection = ;
secnumber1 = ;
sectionheader = GetSectionInfo();
fileheader = GetFileHeader();
numberofsection = fileheader->NumberOfSections;
while (secnumber1 < numberofsection)
{
if((sectionheader[secnumber1].PointerToRawData <= *lpaddress) && ((sectionheader[secnumber1].PointerToRawData + sectionheader[secnumber1].SizeOfRawData) > *lpaddress))
{
*lpaddress = (*lpaddress - sectionheader[secnumber1].PointerToRawData + sectionheader[secnumber1].VirtualAddress);
if ((sectionheader[secnumber1].VirtualAddress <= *lpaddress) && ((sectionheader[secnumber1].VirtualAddress + sectionheader[secnumber1].Misc.VirtualSize) > *lpaddress))
{
notinsection = ;
secnumber1 += numberofsection;
}
}
secnumber1++;
}
if (notinsection)
{
return ;
}
return (secnumber1 - numberofsection);
} int XPEFILE::CheckImportDll(char* dllname)
{
MX_IMAGE_NT_HEADERS* ntheader;
ntheader = new MX_IMAGE_NT_HEADERS;
DWORD importaddress;
int sectionnumber;
IMAGE_IMPORT_DESCRIPTOR* importdesc;
int returnvalue; returnvalue = ;
GetNTHeader(ntheader);
if (ntheader->systembit == X_PE_32)
{
importaddress = ntheader->Ntheader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
sectionnumber = Rva2Raw(&importaddress);
if (sectionnumber)
{
importdesc = (IMAGE_IMPORT_DESCRIPTOR*) (importaddress + (BYTE*)File_memory);
while(importdesc->Characteristics||importdesc->FirstThunk||importdesc->ForwarderChain||importdesc->Name||importdesc->TimeDateStamp)
{
DWORD namerva = (importdesc->Name);
if (Rva2Raw(&namerva))
{
char* b = (char*)(namerva + (BYTE*)File_memory);
if (!(stricmp((char*)(namerva + (BYTE*)File_memory) , dllname)))
{
returnvalue = ;
break;
}
}
importdesc += ;
}
}
}
else if (ntheader->systembit == X_PE_64)
{
importaddress = ntheader->Ntheader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
sectionnumber = Rva2Raw(&importaddress);
if (sectionnumber)
{
importdesc = (IMAGE_IMPORT_DESCRIPTOR*) (importaddress + (BYTE*)File_memory);
while(importdesc->Characteristics||importdesc->FirstThunk||importdesc->ForwarderChain||importdesc->Name||importdesc->TimeDateStamp)
{
DWORD namerva = (importdesc->Name);
if (Rva2Raw(&namerva))
{
if (!(stricmp((char*)(namerva + (BYTE*)File_memory) , dllname)))
{
returnvalue = ;
break;
}
}
importdesc += ;
}
} }
return returnvalue;
} int XPEFILE::CheckImportFun(char* dllname, MX_IMPORT_FUNCTION* importfun)
{
MX_IMAGE_NT_HEADERS* ntheader;
ntheader = new MX_IMAGE_NT_HEADERS;
DWORD importaddress;
int sectionnumber;
IMAGE_IMPORT_DESCRIPTOR* importdesc;
IMAGE_THUNK_DATA32* data32;
IMAGE_THUNK_DATA64* data64;
IMAGE_IMPORT_BY_NAME* funname;
DWORD funoridinal;
UINT64 funoridinal64;
int returnvalue; returnvalue = ;
GetNTHeader(ntheader);
if (ntheader->systembit == X_PE_32)
{
importaddress = ntheader->Ntheader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
sectionnumber = Rva2Raw(&importaddress);
if (sectionnumber)
{
importdesc = (IMAGE_IMPORT_DESCRIPTOR*) (importaddress + (BYTE*)File_memory);
while(importdesc->Characteristics||importdesc->FirstThunk||importdesc->ForwarderChain||importdesc->Name||importdesc->TimeDateStamp)
{
if (returnvalue == ) break;
DWORD namerva = (importdesc->Name);
if (Rva2Raw(&namerva))
{
if (!(stricmp((char*)(namerva + (BYTE*)File_memory) , dllname)))
{
// returnvalue = 2;
DWORD data32rva = importdesc->OriginalFirstThunk;
if (!Rva2Raw(&data32rva)) continue;
data32 = (IMAGE_THUNK_DATA32*)(data32rva + (BYTE*)File_memory);
while (data32->u1.Ordinal)
{
funoridinal = data32->u1.Ordinal;
if ((funoridinal & 0x80000000) != importfun->uf.Flag32)
{
data32 += ;
continue;
}
funoridinal = data32->u1.Ordinal;
if ((funoridinal & 0x80000000) == 0x80000000)
{
funoridinal = data32->u1.Ordinal;
funoridinal = funoridinal &0x7fffffff;
if (funoridinal == *(DWORD*)importfun->ud.FunOrdinal32)
{
returnvalue = ;
break;
}
data32 += ;
continue;
}
else
{
DWORD funnamerva =(DWORD) data32->u1.AddressOfData;
if (Rva2Raw(&funnamerva))
{
funname = (IMAGE_IMPORT_BY_NAME*)(funnamerva + (BYTE*)File_memory);
if (!(stricmp((char*)funname->Name , importfun->ud.FunName)))
{
returnvalue = ;
break;
}
}
data32 += ;
continue;
}
}
break;
}
}
importdesc += ;
}
}
}
else if (ntheader->systembit == X_PE_64)
{
importaddress = ntheader->Ntheader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
sectionnumber = Rva2Raw(&importaddress);
if (sectionnumber)
{
importdesc = (IMAGE_IMPORT_DESCRIPTOR*) (importaddress + (BYTE*)File_memory);
while(importdesc->Characteristics||importdesc->FirstThunk||importdesc->ForwarderChain||importdesc->Name||importdesc->TimeDateStamp)
{
if (returnvalue == ) break;
DWORD namerva = (importdesc->Name);
if (Rva2Raw(&namerva))
{
char* aa = (char*)(namerva + (BYTE*)File_memory);
if (!(stricmp((char*)(namerva + (BYTE*)File_memory) , dllname)))
{
// returnvalue = 2;
DWORD data64rva = importdesc->OriginalFirstThunk;
if (!Rva2Raw(&data64rva)) continue;
data64 = (IMAGE_THUNK_DATA64*)(data64rva + (BYTE*)File_memory);
while (data64->u1.Ordinal)
{
funoridinal64 = data64->u1.Ordinal;
if ((funoridinal64 & 0x8000000000000000) != importfun->uf.Flag64)
{
data64 += ;
continue;
}
funoridinal64 = data64->u1.Ordinal;
if ((funoridinal64 & 0x8000000000000000) == 0x8000000000000000)
{
funoridinal64 = data64->u1.Ordinal;
funoridinal64 = funoridinal64 &0x7fffffffffffffff;
if (funoridinal64 == *(UINT64*)importfun->ud.FunOrdinal64)
{
returnvalue = ;
break;
}
data64 += ;
continue;
}
else
{
DWORD funnamerva =(DWORD) data64->u1.AddressOfData;
if (Rva2Raw(&funnamerva))
{
funname = (IMAGE_IMPORT_BY_NAME*)(funnamerva + (BYTE*)File_memory);
if (!(stricmp((char*)funname->Name , importfun->ud.FunName)))
{
returnvalue = ;
break;
}
}
data64 += ;
continue;
}
}
break;
}
}
importdesc += ;
}
} }
return returnvalue;
} int XPEFILE::CheckExportFun(MX_EXPORT_FUNCTION* exportfun)
{
MX_IMAGE_NT_HEADERS* ntheader;
ntheader = new MX_IMAGE_NT_HEADERS;
IMAGE_EXPORT_DIRECTORY* exportdir; GetNTHeader(ntheader);
exportdir = NULL;
if (ntheader->systembit == X_PE_32)
{
DWORD namerva = (ntheader->Ntheader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
DWORD namesize = (ntheader->Ntheader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size);
if ((namerva == )&&(namesize == )) return false;
if (Rva2Raw(&namerva))
{
exportdir = (IMAGE_EXPORT_DIRECTORY*)(namerva + (BYTE*)File_memory);
}
}
else if (ntheader->systembit == X_PE_64)
{
DWORD namerva = (ntheader->Ntheader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
DWORD namesize = (ntheader->Ntheader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size);
if ((namerva == ) &&(namesize == )) return false;
if (Rva2Raw(&namerva))
{
exportdir = (IMAGE_EXPORT_DIRECTORY*)(namerva + (BYTE*)File_memory);
}
}
if (exportfun->Flag == )
{
if ((exportfun->ud.FunOrdinal >= exportdir->Base) && (exportfun->ud.FunOrdinal <= exportdir->NumberOfFunctions + exportdir->Base))
{
return true;
}
return false;
}
if (exportfun->Flag == )
{ DWORD funnamerva = exportdir->AddressOfNames;
if (Rva2Raw(&funnamerva))
{
DWORD* funnamelistrva = (DWORD*)(funnamerva + (BYTE*)File_memory);
for (UINT i = ; i < exportdir->NumberOfFunctions ; i++)
{
DWORD namerva = funnamelistrva[i];
if (Rva2Raw(&namerva))
{
char* funname = (char*)(namerva + (BYTE*)File_memory);
if (!(stricmp(funname , exportfun->ud.FunName)))
{
return true;
}
}
}
}
}
return false;
} IMAGE_RESOURCE_DATA_ENTRY* XPEFILE::GetFileResource(MX_RESOURCE_TYPE* resourcetype1, MX_RESOURCE_TYPE* resourcetype2)
{
IMAGE_RESOURCE_DATA_ENTRY* resourcedata;
MX_IMAGE_NT_HEADERS* ntheader;
ntheader = new MX_IMAGE_NT_HEADERS;
IMAGE_RESOURCE_DIRECTORY* resourcebase;
IMAGE_RESOURCE_DIRECTORY* resourcedir;
char str[];
char* funnamestr = str; GetNTHeader(ntheader);
//获取文件的ntheader,需要对ntheader判断其是32位还是64位pe
if (ntheader->systembit == X_PE_32)
{
DWORD resourcerva= (ntheader->Ntheader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress);
DWORD resourcesize = (ntheader->Ntheader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size);
if ((resourcerva == )&&(resourcesize == )) return false;
if (Rva2Raw(&resourcerva))
{
resourcebase = (IMAGE_RESOURCE_DIRECTORY*)(resourcerva + (BYTE*)File_memory);
}
}
//计算32位pe文件的资源基址
else if (ntheader->systembit == X_PE_64)
{
DWORD resourcerva = (ntheader->Ntheader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress);
DWORD resourcesize = (ntheader->Ntheader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size);
if ((resourcerva == ) &&(resourcesize == )) return false;
if (Rva2Raw(&resourcerva))
{
resourcebase = (IMAGE_RESOURCE_DIRECTORY*)(resourcerva + (BYTE*)File_memory);
}
}
//计算64位pe文件的资源基址
resourcedir = resourcebase;
if (!resourcedir) return NULL;
//以上代码分win32和win64两种情况分别获取文件可选头中数据目录表中的资源项数据,判断其不为空。
//返回的是资源数据的raw起始地址resourcebase DWORD resourcenum = resourcedir->NumberOfIdEntries + resourcedir->NumberOfNamedEntries;
IMAGE_RESOURCE_DIRECTORY_ENTRY* resourcedirentry = (IMAGE_RESOURCE_DIRECTORY_ENTRY*)((BYTE*)resourcedir + sizeof(IMAGE_RESOURCE_DIRECTORY));
DWORD dataoffset = ;
for (UINT i = ; i < resourcenum; i++)
{
if (resourcetype1->Flag == (resourcedirentry->Name & 0x80000000))
{
if (resourcetype1->Flag == 0x0)
{
//是通过id调用
if (resourcetype1->u.ResourceID == resourcedirentry->Name)
{
//是要获取的资源类型
dataoffset = resourcedirentry->OffsetToData;
break;
}
}
else if (resourcetype1->Flag == 0x80000000)
{
//是通过名字调用
IMAGE_RESOURCE_DIR_STRING_U* resourcetypename = (IMAGE_RESOURCE_DIR_STRING_U*)((BYTE*)resourcedir + (resourcedirentry->Name & 0x7FFFFFFF));
memset(funnamestr,0x0,0x100);
WideCharToMultiByte(CP_ACP,NULL,resourcetypename->NameString,resourcetypename->Length,funnamestr,0x255,,);
if (!stricmp(resourcetype1->u.ResourceName, funnamestr))
{
//是要获取的资源类型
dataoffset = resourcedirentry->OffsetToData;
break;
}
}
}
resourcedirentry += ;
}
if (!dataoffset) return NULL;
//以上部分是匹配资源的第一级目录中也就是资源的type是否为需要获取的type,返回的数据为资源目录项指针IMAGE_RESOURCE_DIRECTORY_ENTRY.OffsetToData if (!(dataoffset & 0x80000000)) return NULL;
//如果二级目录就是数据,不符合资源的层级结构,目前也没有发现有此类资源结构,直接返回null。
if (dataoffset & 0x80000000)
{
resourcedir = (IMAGE_RESOURCE_DIRECTORY*)((unsigned char*)resourcebase + (dataoffset & 0x7fffffff));
resourcenum = resourcedir->NumberOfIdEntries + resourcedir->NumberOfNamedEntries;
resourcedirentry = (IMAGE_RESOURCE_DIRECTORY_ENTRY*)((BYTE*)resourcedir + sizeof(IMAGE_RESOURCE_DIRECTORY));
dataoffset = ;
for (UINT i = ; i < resourcenum; i++)
{
if (resourcetype2->Flag == (resourcedirentry->Name & 0x80000000))
{
if (resourcetype2->Flag == 0x0)
{
//是通过id调用
if (resourcetype2->u.ResourceID == resourcedirentry->Name)
{
//是要获取的资源id
dataoffset = resourcedirentry->OffsetToData;
break;
}
}
else if (resourcetype2->Flag == 0x80000000)
{
//是通过名字调用
IMAGE_RESOURCE_DIR_STRING_U* resourcetypename = (IMAGE_RESOURCE_DIR_STRING_U*)((BYTE*)resourcedir + (resourcedirentry->Name & 0x7FFFFFFF));
memset(funnamestr,0x0,0x100);
WideCharToMultiByte(CP_ACP,NULL,resourcetypename->NameString,resourcetypename->Length,funnamestr,0x255,,);
if (!stricmp(resourcetype2->u.ResourceName, funnamestr))
{
//是要获取的资源id
dataoffset = resourcedirentry->OffsetToData;
break;
}
}
}
resourcedirentry += ;
}
}
//以上部分是匹配资源的第二级目录中也就是资源的id是否为需要获取的id,返回的数据为资源目录项指针IMAGE_RESOURCE_DIRECTORY_ENTRY.OffsetToData if (!(dataoffset & 0x80000000)) return NULL;
//如果三级目录就是数据,不符合资源的层级结构,目前也没有发现有此类资源结构,直接返回null。
if (dataoffset & 0x80000000)
{
resourcedir = (IMAGE_RESOURCE_DIRECTORY*)((unsigned char*)resourcebase + (dataoffset & 0x7fffffff));
resourcenum = resourcedir->NumberOfIdEntries + resourcedir->NumberOfNamedEntries;
if (resourcenum != ) return NULL;
IMAGE_RESOURCE_DIRECTORY_ENTRY* resourcedirentry = (IMAGE_RESOURCE_DIRECTORY_ENTRY*)((BYTE*)resourcedir + sizeof(IMAGE_RESOURCE_DIRECTORY));
dataoffset = resourcedirentry->OffsetToData;
}
//以上部分是从第三级目录中读取第四级结构的偏移 if ((dataoffset & 0x80000000)) return NULL;
//如果第四级不是数据,不符合资源的层级结构,目前也没有发现有此类资源结构,直接返回null。
resourcedata = (IMAGE_RESOURCE_DATA_ENTRY*)((unsigned char*)resourcebase + dataoffset);
return resourcedata;
//返回要获取的资源数据的数据结构
}

pefile.cpp

// TEST.cpp : Defines the entry point for the console application.
// #include "stdafx.h"
#include "pefile.h"
#include <iostream> int main(int argc, char* argv[])
{
int filetype;
IMAGE_DOS_HEADER* dosheader;
MX_IMAGE_NT_HEADERS* ntheader;
IMAGE_SECTION_HEADER* sectioninfo;
DWORD address;
int a,b,c,d,e; ntheader = new MX_IMAGE_NT_HEADERS;
address = 0x39000; char* file = "c:\\64.exe";
char* dllname = "kernel32.dll";
char* funname = "CreateFileA";
MX_IMPORT_FUNCTION* impfun;
impfun = new MX_IMPORT_FUNCTION;
impfun->uf.Flag64 = ;
impfun->ud.FunName = funname;
MX_EXPORT_FUNCTION* expfun;
expfun = new MX_EXPORT_FUNCTION;
expfun->Flag = ;
expfun->ud.FunName = funname;
MX_RESOURCE_TYPE* resourcetype1;
MX_RESOURCE_TYPE* resourcetype2;
char* rtypename = "KERNEL"; IMAGE_RESOURCE_DATA_ENTRY* resoursedataentry;
resourcetype1 = new MX_RESOURCE_TYPE;
resourcetype2 = new MX_RESOURCE_TYPE; resourcetype1->Flag = 0x80000000;
resourcetype1->u.ResourceName = rtypename; resourcetype2->Flag = 0x0;
resourcetype2->u.ResourceID = ; XPEFILE pefile1(file); filetype = pefile1.GetType();
dosheader = pefile1.GetDosHeader();
pefile1.GetNTHeader(ntheader);
sectioninfo = pefile1.GetSectionInfo(); a=pefile1.Raw2Rva(&address);
b=pefile1.Rva2Raw(&address);
c=pefile1.CheckImportDll(dllname);
d=pefile1.CheckImportFun(dllname, impfun);
e=pefile1.CheckExportFun(expfun); resoursedataentry = pefile1.GetFileResource(resourcetype1, resourcetype2); system("pause");
return ;
}

petype.cpp

简单PE类代码的更多相关文章

  1. 玩转TypeScript(1) --定义简单的类

    相对于JavaScript来说,TypeScript增强了强制类型,同时添加了一系列的面向对象的特性,包含:静态类型(Static typing).类(Classes).接口(Interfaces). ...

  2. JSON生成c#类代码小工具

    JSON生成c#类代码小工具 为什么写这么个玩意 最近的项目中需要和一个服务端程序通讯,而通讯的协议是基于流行的json,由于是.net,所以很简单的从公司代码库里找到了Newtonsoft.dll( ...

  3. php分页类代码带分页样式效果(转)

    php分页类代码,有漂亮的分页样式风格 时间:2016-03-16 09:16:03来源:网络 导读:不错的php分页类代码,将类文件与分页样式嵌入,实现php查询结果的精美分页,对研究php分页原理 ...

  4. Spring源码学习:第1步--在Spring源码中添加最简单的Demo代码

    为了最大程度地贴近Spring源码并进行学习,一种比较直接的做法是:直接在Spring源码中加入Demo代码,并进行调试. 参照以前使用Spring的经验,Spring最简单的使用方法是:一个实体类. ...

  5. Jedis工具类代码

    安装Redis可以参考 https://www.cnblogs.com/dddyyy/p/9763098.html Redis的学习可以参考https://www.cnblogs.com/dddyyy ...

  6. SOCKET简单爬虫实现代码和使用方法

    抓取一个网页内容非常容易,常见的方式有curl.file_get_contents.socket以及文件操作函数file.fopen等. 下面使用SOCKET下的fsockopen()函数访问Web服 ...

  7. java基础之JDBC三:简单工具类的提取及应用

    简单工具类: public class JDBCSimpleUtils { /** * 私有构造方法 */ private JDBCSimpleUtils() { } /** * 驱动 */ publ ...

  8. C++_类继承1-从一个简单的类开始

    面向对象编程的主要目的之一是:提供可重用的代码.尤其是项目很庞大的时候,重用测试过的代码比重新编码代码要好得多. C++提供了更高层次的重用性.其中之一就是继承这个概念. 一些厂商提供了类库.类库由类 ...

  9. 通过Visual Studio快速生成Json或XML反序列化类代码

    Visual Studio不愧是宇宙第一强的IDE工具,在Json.XML格式漫天飞.反序列化需求遍地走的现在,居然到最近才知道原来微软已经在Visual Studio集成了这么一样的良心功能,自动根 ...

随机推荐

  1. iOS CoreAnimation详解(一) 有关Layer的动画

    以前由于项目需要 也写了一些动画 ,但是知识不系统,很散.这段时间趁着项目完成的空袭,来跟着大神的脚步系统的总结一下iOS中Core Animation的知识点. 原博客地址:http://blog. ...

  2. JAVA设计模式之2-简单工厂模式

    今天来介绍简单工厂模式,工厂模式包括简单工厂模式和抽象工厂模式,今天先讲简单工厂模式,然后引申到抽象工厂模式 在没有工厂模式前,我们创建类是直接new一个对象,比如下面所示,北汽有两个小型SUV,分别 ...

  3. [LeetCode] Find Minimum in Rotated Sorted Array II 寻找旋转有序数组的最小值之二

    Follow up for "Find Minimum in Rotated Sorted Array":What if duplicates are allowed? Would ...

  4. eclipse直接访问数据库

    本文转载至百度经验 http://jingyan.baidu.com/article/a501d80cea3ed4ec630f5e2f.html 以oracle 11g 数据库为例

  5. 修改hosts文件在本地使域名解析到指定IP

    # Additionally, comments (such as these) may be inserted on individual  # lines or following the mac ...

  6. 用 ElementTree 在 Python 中解析 XML

    用 ElementTree 在 Python 中解析 XML 原文: http://eli.thegreenplace.net/2012/03/15/processing-xml-in-python- ...

  7. vue.js第六课

    class与style绑定 绑定HTML class 对象语法 数组语法 绑定内联样式 对象语法 数组语法 自动添加前缀 1.class与style绑定. 数据绑定一个常见需求就是 操作元素的clas ...

  8. 开源遥感平台opticks插件开发指南

    Opticks是一款开源的遥感数据处理平台,与其同类开源软件OSSIM一样,支持种类丰富的数据文件格式,但其最大特点为设计精巧的插件开发模式,在设计技巧上,系统提供了良好的封装特性,即使插件开发者对框 ...

  9. FilenameFilter过滤文件名

    前言: 文件IO是程序设计语言的一个特点,本文将针对Java的File文件名过滤进行测试. 测试目录截图: 测试结果: data.txt output-.txt output-.txt output- ...

  10. 利用animation和text-shadow纯CSS实现loading点点点的效果

    经常在网上看到loading状态时的点点点的动态效果,自己也用JS写了一个,思路是使用一个计数参数,然后在需要添加点的元素后面利用setInterval一个一个加点,当计数到3时,把点变为一个--写完 ...