小甲鱼PE结构工具篇1——记录

头文件定义MAP_FILE_STRUCT的结构存放有关信息

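/*
 * Book-keeping for one memory-mapped input file: the file handle, the
 * file-mapping object created from it, and the base address of the mapped
 * view. ImageBase is the pointer later passed to IsPEFile/GetNtHeaders/
 * GetFileHeaders/GetOptionalFileHeaders, all of which take it as LPVOID,
 * so it is declared LPVOID here rather than HANDLE.
 * Ownership: whoever fills this struct is expected to unmap the view and
 * close both handles (that code is not shown in these notes).
 */
typedef struct _MAP_FILE_STRUCT
{
    HANDLE hFile;      // file handle
    HANDLE hMapping;   // file-mapping object handle
    LPVOID ImageBase;  // base address of the mapped view; IsPEFile treats it as the DOS header
} MAP_FILE_STRUCT, *PMAP_FILE_STRUCT;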

文件格式检查

// Layout notes in STRUCT/ENDS notation; offsets are hex from the start of the
// header. Only the two IMAGE_DOS_HEADER fields this tool reads are listed.
IMAGE_DOS_HEADER STRUCT

{

+0h WORD e_magic // Magic DOS signature MZ (4Dh 5Ah): marks a DOS executable; compared with IMAGE_DOS_SIGNATURE in IsPEFile. (... remaining fields omitted)

+3ch DWORD e_lfanew // Offset to start of PE header (IMAGE_NT_HEADERS), relative to ImageBase. Comes from the file, so it is untrusted: check it against the mapping size before it is dereferenced.

} PIMAGE_DOS_HEADER ENDS

PIMAGE_DOS_HEADER pDH=NULL; // DOS header pointer; obtained by casting ImageBase, as IsPEFile does below

判断pDH->e_magic=='MZ';并通过pDH->e_lfanew找到IMAGE_NT_HEADERS STRUCT

// IMAGE_NT_HEADERS, reached via the DOS header's e_lfanew; offsets are hex
// from the start of this structure.
IMAGE_NT_HEADERS STRUCT

{

+0h DWORD Signature // "PE" signature; compared with IMAGE_NT_SIGNATURE in IsPEFile

+4h IMAGE_FILE_HEADER FileHeader // 20-byte file header (typedef below); GetFileHeaders returns its address

+18h IMAGE_OPTIONAL_HEADER32 OptionalHeader // 32-bit optional header; GetOptionalFileHeaders returns its address. NOTE(review): the "32" suffix implies PE32 only — confirm the tool is not run on 64-bit (PE32+) images

} PIMAGE_NT_HEADERS ENDS

PIMAGE_NT_HEADERS pNTH=NULL; // NT headers pointer; computed as the DOS header address plus e_lfanew

检测pNTH->Signature=='PE';

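/*
 * Returns TRUE when the mapped image at ImageBase starts with a DOS header
 * whose e_magic is IMAGE_DOS_SIGNATURE ('MZ') and whose e_lfanew points at an
 * IMAGE_NT_HEADERS whose Signature is IMAGE_NT_SIGNATURE ('PE').
 * Returns FALSE for a NULL ImageBase or when either signature does not match.
 *
 * NOTE(review): e_lfanew is read from the file and is not bounded here. The
 * caller must already know that the mapping holds at least a full
 * IMAGE_DOS_HEADER and that e_lfanew plus sizeof(IMAGE_NT_HEADERS) lies inside
 * it; otherwise a truncated or malformed file makes this read outside the
 * mapped view.
 */
BOOL IsPEFile(LPVOID ImageBase)
{
    PIMAGE_DOS_HEADER pDH = NULL;
    PIMAGE_NT_HEADERS pNTH = NULL;

    if (!ImageBase) {
        return FALSE;
    }

    pDH = (PIMAGE_DOS_HEADER)ImageBase;
    if (pDH->e_magic != IMAGE_DOS_SIGNATURE) {   // IMAGE_DOS_SIGNATURE == 'MZ'
        return FALSE;
    }

    /* e_lfanew is a byte offset from the DOS header. Advance through a byte
     * pointer instead of casting the pointer to DWORD, which truncates
     * addresses on 64-bit builds. */
    pNTH = (PIMAGE_NT_HEADERS)((unsigned char *)pDH + pDH->e_lfanew);
    if (pNTH->Signature != IMAGE_NT_SIGNATURE) {  // IMAGE_NT_SIGNATURE == 'PE'
        return FALSE;
    }

    return TRUE;
}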

FileHeader 读取

FileOptionalHeader 读取

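/*
 * IMAGE_FILE_HEADER: the file header that follows the 4-byte Signature inside
 * IMAGE_NT_HEADERS. The offsets in the comments are relative to the start of
 * IMAGE_NT_HEADERS (Signature at +00h, this header at +04h), matching the
 * layout notes above. The seven fields total 20 bytes.
 */
typedef struct _IMAGE_FILE_HEADER
{
    WORD  Machine;              // +04h  target machine / platform
    WORD  NumberOfSections;     // +06h  number of entries in the section table
    DWORD TimeDateStamp;        // +08h  file creation date and time
    DWORD PointerToSymbolTable; // +0Ch  file offset of the symbol table (mainly for debugging)
    DWORD NumberOfSymbols;      // +10h  number of symbols in that table
    WORD  SizeOfOptionalHeader; // +14h  size of the IMAGE_OPTIONAL_HEADER32 that follows
    WORD  Characteristics;      // +16h  file attribute flags
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;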

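/*
 * Returns a pointer to the IMAGE_NT_HEADERS of the mapped image at ImageBase,
 * or NULL when IsPEFile rejects it. A pointer-returning function must return
 * NULL rather than FALSE on failure.
 * The unbounded-e_lfanew caveat noted on IsPEFile applies here as well.
 */
PIMAGE_NT_HEADERS GetNtHeaders(LPVOID ImageBase)
{
    PIMAGE_DOS_HEADER pDH = NULL;

    if (!IsPEFile(ImageBase)) {
        return NULL;
    }

    pDH = (PIMAGE_DOS_HEADER)ImageBase;
    // Byte-pointer arithmetic: casting the pointer to DWORD truncates it on 64-bit builds.
    return (PIMAGE_NT_HEADERS)((unsigned char *)pDH + pDH->e_lfanew);
}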

FileHeader 读取

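/*
 * Returns a pointer to the IMAGE_FILE_HEADER embedded in the NT headers of the
 * mapped image at ImageBase, or NULL when IsPEFile rejects it. The function
 * returns an address, so its result type is PIMAGE_FILE_HEADER (a pointer),
 * not the struct itself.
 */
PIMAGE_FILE_HEADER GetFileHeaders(LPVOID ImageBase)
{
    PIMAGE_DOS_HEADER pDH = NULL;
    PIMAGE_NT_HEADERS pNTH = NULL;

    if (!IsPEFile(ImageBase)) {
        return NULL;
    }

    pDH = (PIMAGE_DOS_HEADER)ImageBase;
    // Byte-pointer arithmetic: casting the pointer to DWORD truncates it on 64-bit builds.
    pNTH = (PIMAGE_NT_HEADERS)((unsigned char *)pDH + pDH->e_lfanew);

    // Nested struct: -> binds tighter than &, so this is &(pNTH->FileHeader),
    // the address of the member inside the mapped view.
    return &pNTH->FileHeader;
}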

FileOptionalHeader 读取

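/*
 * Returns a pointer to the IMAGE_OPTIONAL_HEADER32 embedded in the NT headers
 * of the mapped image at ImageBase, or NULL when IsPEFile rejects it.
 * The member is named OptionalHeader in IMAGE_NT_HEADERS (see the layout
 * notes above), and the result is an address, hence the pointer return type.
 * NOTE(review): this is the 32-bit header layout; confirm the tool is only
 * applied to PE32 images.
 */
IMAGE_OPTIONAL_HEADER32 *GetOptionalFileHeaders(LPVOID ImageBase)
{
    PIMAGE_DOS_HEADER pDH = NULL;
    PIMAGE_NT_HEADERS pNTH = NULL;

    if (!IsPEFile(ImageBase)) {
        return NULL;
    }

    pDH = (PIMAGE_DOS_HEADER)ImageBase;
    // Byte-pointer arithmetic: casting the pointer to DWORD truncates it on 64-bit builds.
    pNTH = (PIMAGE_NT_HEADERS)((unsigned char *)pDH + pDH->e_lfanew);

    // Nested struct: -> binds tighter than &, so this is &(pNTH->OptionalHeader).
    return &pNTH->OptionalHeader;
}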

wsprintf()函数

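// Format header fields as zero-padded upper-case hex: "%04lX" gives at least
// 4 hex digits, "%08lX" at least 8 ("l" = long hex). The width is a minimum,
// not a maximum, and wsprintf takes no buffer size, so Buff must be able to
// hold the longest possible output plus the terminator.
// NOTE(review): Machine is a WORD while %lX reads a 32-bit value; on Windows
// int and long are both 32-bit so the promoted argument matches, but "%04X"
// would match the type exactly.
wsprintf(Buff, "%04lX", pFH->Machine); // 04: 4 digits, lX: long hex
wsprintf(Buff, "%08lX", pFH->Machine); // 08: 8 digits, lX: long hex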

数据目录表读取

区块表读取

输出表读取

输入表读取