〾堯仸〾的天空--没心情写了/

〾堯仸〾发表于 2006/1/27 18:49:18

#include "pe.h" int main (int argc, char* argv[]){ HANDLE hFile; HANDLE hFileMapping; LPVOID lpFileBase; PIMAGE_DOS_HEADER pdosHeader; // pe-dos PIMAGE_NT_HEADERS pNTHeader; // pe头 PIMAGE_SECTION_HEADER pSectionHeader; //pe节表 char filemane[1024] = "test.dll"; //分析的文件 hFile = CreateFile( filemane, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ,NULL,OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL,0); if(hFile == INVALID_HANDLE_VALUE) { printf("ctreatefile error !\n"); getchar(); return 0; } hFileMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL); if( hFileMapping == 0) { CloseHandle(hFile); printf(" error CreateFiling()\n"); return 0; } lpFileBase = MapViewOfFile(hFileMapping, FILE_MAP_READ,0,0,0); if(lpFileBase == 0) { CloseHandle(hFileMapping); CloseHandle(hFile); printf("couldn't map view of file with mapfile\n"); } // dos 头 pdosHeader = (PIMAGE_DOS_HEADER)lpFileBase; // 正正的pe头 pNTHeader = (PIMAGE_NT_HEADERS)((BYTE *)pdosHeader + pdosHeader->e_lfanew); printf("\n********dos header*********\n"); printf("\n****nt header signatue*****\n"); //pe标志 printf("Signatue:%x\n", pNTHeader->Signature); printf("\n****nt header fileheader***\n"); //运行的平台 printf("machine:%x\n", pNTHeader->FileHeader.Machine); //文件节的个数 printf("NumberOfSections:%x\n", pNTHeader->FileHeader.NumberOfSections); //optionalHeader的大小 printf("SizeOfOptionalHeader:%x\n", pNTHeader->FileHeader.SizeOfOptionalHeader); //文件信息(dll or exe ) printf("Characterstics:%x\n", pNTHeader->FileHeader.Characteristics); printf("\n***nt header optional******\n"); //程序的入口 printf("AddessOfEntryPoint:%x\n", pNTHeader->OptionalHeader.AddressOfEntryPoint); // 程序的优先载入点 printf("imageBase:%x\n", pNTHeader->OptionalHeader.ImageBase); //程序的子系统 printf("SubSystem:%x\n", pNTHeader->OptionalHeader.Subsystem); //不明白，难道是那个16个的东西 int i; for(i=0; i< (pNTHeader->OptionalHeader.NumberOfRvaAndSizes); i++) { printf("%2d",i); printf("size:%x\t",pNTHeader->OptionalHeader.DataDirectory[i].Size); printf("var:%x\n", pNTHeader->OptionalHeader.DataDirectory[i].VirtualAddress); } printf("\n******Scetions Table*******\n"); //节的个数 WORD SectionNumber = pNTHeader->FileHeader.NumberOfSections; printf("section of number:%d\n ", SectionNumber); //节的内容 for(i = 0; i < SectionNumber; i++) { pSectionHeader = (PIMAGE_SECTION_HEADER) ((char*) pNTHeader + sizeof(IMAGE_NT_HEADERS) + i*sizeof(IMAGE_SECTION_HEADER)); //节的名字 printf("name:%s\n", pSectionHeader->Name); //节的RVA printf("VAddress:%x\t", pSectionHeader->VirtualAddress); //节的文件偏移 printf("PToRawData:%x\t",pSectionHeader->PointerToRawData); //节的大小 printf("sRawData:%x\t",pSectionHeader->SizeOfRawData); //节的属性 printf("C:%x\t\n\n",pSectionHeader->Characteristics); } DWORD dwTuck; DWORD dwRVA; DWORD dwOffset; PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor; PIMAGE_THUNK_DATA pThunkData; PIMAGE_IMPORT_BY_NAME pImportByName; printf("*****import Table*****\n"); dwOffset = 0; pImportDescriptor = NULL; dwRVA = pNTHeader->OptionalHeader.DataDirectory[i].VirtualAddress; dwOffset = RVA2Offset(dwRVA,pNTHeader); if(dwOffset == 0) { printf("can't get offset for import descriptor\n"); return FALSE; } else { printf("**%s\n***", (char*)lpFileBase + dwOffset); printf("dwoffset:%x\n\n",dwOffset); } /* 原来自己什么多不懂 ,没有心情写下了 for (int i = 0; i < argc; i++ ) { //printf( "%d\n", argc); printf( "%s", argv[i]); }*/ return 0;} pe.h #include<windows.h>#include<stdio.h>#include<string.h> DWORD RVA2Offset( DWORD dwRVA,PIMAGE_NT_HEADERS pNTHeaders){ DWORD dwIndex; DWORD dwsectionNumber; DWORD dwStart; DWORD dwEnd; DWORD dwOffset; PIMAGE_SECTION_HEADER pSectionHeader; dwOffset = 0; dwIndex = 0; dwsectionNumber = pNTHeaders->FileHeader.NumberOfSections; while( dwIndex < dwsectionNumber) { pSectionHeader = (PIMAGE_SECTION_HEADER) ( (char*)pNTHeaders+sizeof(IMAGE_NT_HEADERS) + dwIndex* sizeof(IMAGE_SECTION_HEADER)); dwStart = pSectionHeader->VirtualAddress; dwEnd = pSectionHeader->SizeOfRawData + dwStart; if(dwRVA <= dwEnd && dwRVA >= dwStart) { dwOffset = pSectionHeader->PointerToRawData + dwRVA - dwStart; break; } else { dwIndex ++; continue; } } return dwOffset ;}

阅读全文(2140) | 回复(0) | 编辑 | 精华

发表评论：

昵称：
密码：
主页：
标题：

验证码： (不区分大小写,请仔细填写,输错需重写评论内容！)