From f92abdaf5fd2913581db99698aa211aa23c03f0e Mon Sep 17 00:00:00 2001
From: fwqcuc
Date: Thu, 2 Jun 2016 09:43:08 +0800
Subject: [PATCH] =?UTF-8?q?=E5=AD=A6=E7=94=9F=E4=BD=9C=E4=B8=9A=EF=BC=9APE?= =?UTF-8?q?=E8=A7=A3=E6=9E=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
by_students/imagehlp_pe/imagehlp_pe.sln | 20 +
.../imagehlp_pe/imagehlp_pe/imagehlp_pe.cpp | 505 ++++++++++++++++++
.../imagehlp_pe/imagehlp_pe/imagehlp_pe.h | 14 +
.../imagehlp_pe/imagehlp_pe.vcxproj | 74 +++
.../imagehlp_pe/imagehlp_pe.vcxproj.filters | 30 ++
by_students/imagehlp_pe/imagehlp_pe/main.cpp | 24 +
6 files changed, 667 insertions(+)
create mode 100644 by_students/imagehlp_pe/imagehlp_pe.sln
create mode 100644 by_students/imagehlp_pe/imagehlp_pe/imagehlp_pe.cpp
create mode 100644 by_students/imagehlp_pe/imagehlp_pe/imagehlp_pe.h
create mode 100644 by_students/imagehlp_pe/imagehlp_pe/imagehlp_pe.vcxproj
create mode 100644 by_students/imagehlp_pe/imagehlp_pe/imagehlp_pe.vcxproj.filters
create mode 100644 by_students/imagehlp_pe/imagehlp_pe/main.cpp
diff --git a/by_students/imagehlp_pe/imagehlp_pe.sln b/by_students/imagehlp_pe/imagehlp_pe.sln
new file mode 100644
index 0000000..d2461ed
--- /dev/null
+++ b/by_students/imagehlp_pe/imagehlp_pe.sln
@@ -0,0 +1,20 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio 2012 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "imagehlp_pe", "imagehlp_pe\imagehlp_pe.vcxproj", "{8D3EAD6F-F6FA-483F-8D5E-EEFBF47E0142}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Win32 = Debug|Win32 + Release|Win32 = Release|Win32 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {8D3EAD6F-F6FA-483F-8D5E-EEFBF47E0142}.Debug|Win32.ActiveCfg = Debug|Win32 + {8D3EAD6F-F6FA-483F-8D5E-EEFBF47E0142}.Debug|Win32.Build.0 = Debug|Win32 + {8D3EAD6F-F6FA-483F-8D5E-EEFBF47E0142}.Release|Win32.ActiveCfg = Release|Win32 + {8D3EAD6F-F6FA-483F-8D5E-EEFBF47E0142}.Release|Win32.Build.0 = Release|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection +EndGlobal diff --git a/by_students/imagehlp_pe/imagehlp_pe/imagehlp_pe.cpp b/by_students/imagehlp_pe/imagehlp_pe/imagehlp_pe.cpp new file mode 100644 index 0000000..edeac73 --- /dev/null +++ b/by_students/imagehlp_pe/imagehlp_pe/imagehlp_pe.cpp 
@@ -0,0 +1,505 @@ +#include "imagehlp_pe.h" + +void PrintPeFileFormat(WORD Characteristics){ + printf("File Type:\n"); + if(Characteristics&IMAGE_FILE_RELOCS_STRIPPED) + printf("RELOCS STRIPPED\n"); + if(Characteristics&IMAGE_FILE_EXECUTABLE_IMAGE) + printf("EXECUTABLE IMAGE\n"); + if(Characteristics&IMAGE_FILE_LINE_NUMS_STRIPPED) + printf("LINE_NUMS STRIPPED\n"); + if(Characteristics&IMAGE_FILE_LOCAL_SYMS_STRIPPED) + printf("LOCAL SYMS STRIPPED\n"); + if(Characteristics&IMAGE_FILE_AGGRESIVE_WS_TRIM) + printf("AGGRESIVE WS TRIM\n"); + if(Characteristics&IMAGE_FILE_LARGE_ADDRESS_AWARE) + printf("LARGE ADDRESS AWARE\n"); + if(Characteristics&IMAGE_FILE_BYTES_REVERSED_LO) + printf("BYTES REVERSED LO\n"); + if(Characteristics&IMAGE_FILE_32BIT_MACHINE) + printf("32BIT MACHINE\n"); + if(Characteristics&IMAGE_FILE_DEBUG_STRIPPED) + printf("DEBUG STRIPPED\n"); + if(Characteristics&IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP) + printf("REMOVABLE RUN FROM SWAP\n"); + if(Characteristics&IMAGE_FILE_NET_RUN_FROM_SWAP) + printf("NET_RUN FROM SWAP\n"); + if(Characteristics&IMAGE_FILE_SYSTEM) + printf("SYSTEM\n"); + if(Characteristics&IMAGE_FILE_DLL) + printf("DLL\n"); + if(Characteristics&IMAGE_FILE_UP_SYSTEM_ONLY) + printf("UP SYSTEM ONLY\n"); + if(Characteristics&IMAGE_FILE_BYTES_REVERSED_HI) + printf("BYTES REVERSED HI\n"); +} + +int GetPeHeaders(char*path) +{ + /**********START**********/ + HANDLE hFile,hFileMap; + OFSTRUCT OpenBuff; + DWORD dwSectionCount; + DWORD dwSection=0; + LPVOID lpFile; + PIMAGE_DOS_HEADER pDosHeader; + PIMAGE_NT_HEADERS pNtHeaders; + PIMAGE_SECTION_HEADER pSectionHeader; + + /**********PEļ**********/ + printf("Dump of file %s:\n",path); + + hFile = (HANDLE)OpenFile( + path, + &OpenBuff, + OF_READ + ); + + if(hFile==INVALID_HANDLE_VALUE) + return -1; + + hFileMap = CreateFileMapping( + hFile, + 0, + PAGE_READONLY, + 0, + 0, + 0 + ); + + lpFile = MapViewOfFile(hFileMap,FILE_MAP_READ,0,0,0); + + /**********IMAGE_DOS_HEADER**********/ + pDosHeader = 
(PIMAGE_DOS_HEADER)lpFile; + printf("IMAGE_DOS_HEADERṹ:\n"); + printf("e_magic : %04x\n",pDosHeader->e_magic); + printf("e_cblp : %04x\n",pDosHeader->e_cblp); + printf("e_cp : %04x\n",pDosHeader->e_cp); + printf("e_crlc : %04x\n",pDosHeader->e_crlc); + printf("e_cparhdr : %04x\n",pDosHeader->e_cparhdr); + printf("e_minalloc : %04x\n",pDosHeader->e_minalloc); + printf("e_maxalloc : %04x\n",pDosHeader->e_maxalloc); + printf("e_ss : %04x\n",pDosHeader->e_ss); + printf("e_sp : %04x\n",pDosHeader->e_sp); + printf("e_csum : %04x\n",pDosHeader->e_csum); + printf("e_ip : %04x\n",pDosHeader->e_ip); + printf("e_cs : %04x\n",pDosHeader->e_cs); + printf("e_lfarlc : %04x\n",pDosHeader->e_lfarlc); + printf("e_ovno : %04x\n",pDosHeader->e_ovno); + printf("e_res[0] : %04x\n",pDosHeader->e_res[0]); + printf("e_oemid : %04x\n",pDosHeader->e_oemid); + printf("e_oeminfo : %04x\n",pDosHeader->e_oeminfo); + printf("res2[0] : %04x\n",pDosHeader->e_res2[0]); + printf("lfanew : %08x\n",pDosHeader->e_lfanew); + + /**********IMAGE_NT_HEADER**********/ + printf("\nIMAGE_NT_HEADERṹ:\n"); + pNtHeaders = (PIMAGE_NT_HEADERS)((DWORD)lpFile+pDosHeader->e_lfanew); + + /**********PEļ־**********/ + printf("Signature : %04X\n",pNtHeaders->Signature); + if((pDosHeader->e_magic ==IMAGE_DOS_SIGNATURE)&&(pNtHeaders->Signature== IMAGE_NT_SIGNATURE)) + printf("ЧPEļ\n"); + else + printf("ЧPEļ\n"); + + /**********IMAGE_FILE_HEADER**********/ + printf("\nIMAGE_FILE_HEADERṹ:\n"); + printf("Machine: %04X\n",pNtHeaders->FileHeader.Machine); + printf("NumberOfSections : %04X\n",pNtHeaders->FileHeader.NumberOfSections); + printf("TimeDateStamp: %08X\n",pNtHeaders->FileHeader.TimeDateStamp); + printf("PointerToSymbolTable : %08X\n",pNtHeaders->FileHeader.PointerToSymbolTable); + printf("NumberOfSymbols: %08X\n",pNtHeaders->FileHeader.NumberOfSymbols); + printf("SizeOfOptionalHeader : %04X\n",pNtHeaders->FileHeader.SizeOfOptionalHeader); + printf("Characteristics: %04X\n",pNtHeaders->FileHeader.Characteristics); + 
PrintPeFileFormat(pNtHeaders->FileHeader.Characteristics); + + /**********IMAGE_OPTION_HEADER**********/ + printf("\nIMAGE_OPTION_HEADERṹ:\n"); + printf("Magic : %04X\n",pNtHeaders->OptionalHeader.Magic); + printf("MajorLinkerVersion : %02X\n",pNtHeaders->OptionalHeader.MajorLinkerVersion); + printf("MinorLinkerVersion : %02X\n",pNtHeaders->OptionalHeader.MinorLinkerVersion); + printf("SizeOfCode : %08X\n",pNtHeaders->OptionalHeader.SizeOfCode); + printf("SizeOfInitializedData : %08X\n",pNtHeaders->OptionalHeader.SizeOfInitializedData); + printf("SizeOfUninitializedData : %08X\n",pNtHeaders->OptionalHeader.SizeOfUninitializedData); + printf("AddressOfEntryPoint : %08X\n",pNtHeaders->OptionalHeader.AddressOfEntryPoint); + printf("BaseOfCode : %08X\n",pNtHeaders->OptionalHeader.BaseOfCode); + printf("BaseOfData : %08X\n",pNtHeaders->OptionalHeader.BaseOfData); + printf("ImageBase : %08X\n",pNtHeaders->OptionalHeader.ImageBase); + printf("SectionAlignment : %08X\n",pNtHeaders->OptionalHeader.SectionAlignment); + printf("FileAlignment : %08X\n",pNtHeaders->OptionalHeader.FileAlignment); + printf("MajorOperatingSystemVersion : %04X\n",pNtHeaders->OptionalHeader.MajorOperatingSystemVersion); + printf("MinorOperatingSystemVersion : %04X\n",pNtHeaders->OptionalHeader.MinorOperatingSystemVersion); + printf("MajorImageVersion : %04X\n",pNtHeaders->OptionalHeader.MajorImageVersion); + printf("MinorImageVersion : %04X\n",pNtHeaders->OptionalHeader.MinorImageVersion); + printf("MajorSubsystemVersion : %04X\n",pNtHeaders->OptionalHeader.MajorSubsystemVersion); + printf("MinorSubsystemVersion : %04X\n",pNtHeaders->OptionalHeader.MinorSubsystemVersion); + printf("Win32VersionValue : %08X\n",pNtHeaders->OptionalHeader.Win32VersionValue); + printf("SizeOfImage : %08X\n",pNtHeaders->OptionalHeader.SizeOfImage); + printf("SizeOfHeaders : %08X\n",pNtHeaders->OptionalHeader.SizeOfHeaders); + printf("CheckSum : %08X\n",pNtHeaders->OptionalHeader.CheckSum); + printf("Subsystem : 
%04X\n",pNtHeaders->OptionalHeader.Subsystem); + printf("DllCharacteristics : %04X\n",pNtHeaders->OptionalHeader.DllCharacteristics); + printf("SizeOfStackReserve : %08X\n",pNtHeaders->OptionalHeader.SizeOfStackReserve); + printf("SizeOfStackCommit : %08X\n",pNtHeaders->OptionalHeader.SizeOfStackCommit); + printf("SizeOfHeapReserve : %08X\n",pNtHeaders->OptionalHeader.SizeOfHeapReserve); + printf("SizeOfHeapCommit : %08X\n",pNtHeaders->OptionalHeader.SizeOfHeapCommit); + printf("LoaderFlags : %08X\n",pNtHeaders->OptionalHeader.LoaderFlags); + printf("NumberOfRvaAndSizes : %08X\n",pNtHeaders->OptionalHeader.NumberOfRvaAndSizes); + printf("EXPORT DIRECTORY VA : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); + printf("EXPORT DIRECTORY Size : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size); + printf("IMPORT DIRECTORY VA : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); + printf("IMPORT DIRECTORY Size : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size); + printf("Resource Directory VA : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress); + printf("Resource Directory Size : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size); + printf("Exception Directory VA : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION].VirtualAddress); + printf("Exception Directory Size : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION].Size); + printf("Security Directory VA : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress); + printf("Security Directory Size : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].Size); + printf("Base Relocation Table VA : 
%08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); + printf("Base Relocation Table Size : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size); + printf("Debug Directory VA : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].VirtualAddress); + printf("Debug Directory Size : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].Size); + printf("Architecture Specific Data VA : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_ARCHITECTURE].VirtualAddress); + printf("Architecture Specific Data Size : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_ARCHITECTURE].Size); + printf("RVA of GP VA : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_GLOBALPTR].VirtualAddress); + printf("RVA of GP Size : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_GLOBALPTR].Size); + printf("TLS Directory VA : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); + printf("TLS Directory Size : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size); + printf("Load Configuration Directory VA : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress); + printf("Load Configuration Directory Size : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size); + printf("Bound Import Directory in headers VA : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress); + printf("Bound Import Directory in headers Size: %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size); + printf("Import Address Table VA : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress); + printf("Import Address Table Size : 
%08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size); + printf("Delay Load Import Descriptors VA : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].VirtualAddress); + printf("Delay Load Import Descriptors Size : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].Size); + printf("COM Runtime descriptor VA : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress); + printf("COM Runtime descriptor Size : %08X\n",pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size); + + /**********IMAGE_SECTION_HEADER**********/ + dwSectionCount = pNtHeaders->FileHeader.NumberOfSections; + pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pNtHeaders+sizeof(IMAGE_NT_HEADERS)); + printf("\nIMAGE_SECTION_HEADERṹ:\n"); + for(;dwSection < dwSectionCount;pSectionHeader++,dwSection++){ + printf("SECTION_HEADER#%d:\n",dwSection+1); + printf("Name : %s\n",pSectionHeader->Name); + printf("VirtualAddress : %08x\n",pSectionHeader->VirtualAddress); + printf("SizeOfRawData : %08x\n",pSectionHeader->SizeOfRawData); + printf("PointerToRawData : %08x\n",pSectionHeader->PointerToRawData); + printf("PointerToRelocations : %08x\n",pSectionHeader->PointerToRelocations); + printf("PointerToLinenumbers : %08x\n",pSectionHeader->PointerToLinenumbers); + printf("NumberOfRelocations : %04x\n",pSectionHeader->NumberOfRelocations); + printf("NumberOfLinenumbers : %04x\n",pSectionHeader->NumberOfLinenumbers); + printf("Characteristics : %08x\n",pSectionHeader->Characteristics); + } + + /**********END**********/ + UnmapViewOfFile(lpFile); + CloseHandle(hFileMap); + CloseHandle(hFile); + return 0; +} + +int GetPeImportTable(char*path) +{ + /**********START**********/ + HANDLE hFile,hFileMap; + OFSTRUCT OpenBuff; + DWORD dwImportDirectoryVA,dwSectionCount,dwSection=0,dwRawOffset; + LPVOID lpFile; + PIMAGE_DOS_HEADER pDosHeader; + 
PIMAGE_NT_HEADERS pNtHeaders; + PIMAGE_SECTION_HEADER pSectionHeader; + PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor; + PIMAGE_THUNK_DATA pThunkData; + + /**********PEļ**********/ + hFile = (HANDLE)OpenFile( + path, + &OpenBuff, + OF_READ + ); + printf("Dump of file %s:\n",path); + if(hFile==INVALID_HANDLE_VALUE) + return -1; + hFileMap = CreateFileMapping( + hFile, + 0, + PAGE_READONLY, + 0, + 0, + 0 + ); + + lpFile = MapViewOfFile( + hFileMap, + FILE_MAP_READ, + 0, + 0, + 0 + ); + + /**********жǷΪPEļʾPEļʽ**********/ + pDosHeader = (PIMAGE_DOS_HEADER)lpFile; + pNtHeaders = (PIMAGE_NT_HEADERS)((DWORD)lpFile+pDosHeader->e_lfanew); + if((pDosHeader->e_magic ==IMAGE_DOS_SIGNATURE)&&(pNtHeaders->Signature== IMAGE_NT_SIGNATURE)) + printf("ЧPEļ\n"); + else + printf("ЧPEļ\n"); + PrintPeFileFormat(pNtHeaders->FileHeader.Characteristics); + /**********IMAGE_IMPORT_DERECTORY**********/ + pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pNtHeaders+sizeof(IMAGE_NT_HEADERS)); + dwSectionCount = pNtHeaders->FileHeader.NumberOfSections; + dwImportDirectoryVA = pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; + if(dwImportDirectoryVA){ + printf("Section contains the following imports:\n"); + for(;dwSection < dwSectionCount && pSectionHeader->VirtualAddress <= dwImportDirectoryVA;pSectionHeader++,dwSection++); + pSectionHeader--; + dwRawOffset = (DWORD)lpFile+pSectionHeader->PointerToRawData-pSectionHeader->VirtualAddress; + pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)(dwRawOffset+dwImportDirectoryVA); + for(;pImportDescriptor->Name!=0;pImportDescriptor++) + { + printf("\nDLL Name: %s\n",dwRawOffset+pImportDescriptor->Name); + pThunkData = (PIMAGE_THUNK_DATA)(dwRawOffset+pImportDescriptor->FirstThunk); + for(;pThunkData->u1.AddressOfData != 0;pThunkData++){ + printf("Function: %s\n",(dwRawOffset+pThunkData->u1.Function+2)); + } + } + } + else + printf("\nSection has no imports.\n"); + /**********END**********/ + UnmapViewOfFile(lpFile); + 
CloseHandle(hFileMap); + CloseHandle(hFile); + return 0; +} + +int GetPeExportTable(char*path) +{ + /**********START**********/ + HANDLE hFile,hFileMap; + OFSTRUCT OpenBuff; + DWORD dwExportDirectoryVA,dwSectionCount,dwSection,dwRawOffset; + LPVOID lpFile; + PIMAGE_DOS_HEADER pDosHeader; + PIMAGE_NT_HEADERS pNtHeaders; + PIMAGE_SECTION_HEADER pSectionHeader; + PIMAGE_EXPORT_DIRECTORY pExportDirectory; + /**********PEļ**********/ + hFile = (HANDLE)OpenFile( + path, + &OpenBuff, + OF_READ + ); + + printf("Dump of file %s:\n",path); + if(hFile==INVALID_HANDLE_VALUE) + return -1; + hFileMap = CreateFileMapping( + hFile, + 0, + PAGE_READONLY, + 0, + 0, + 0 + ); + + lpFile = MapViewOfFile( + hFileMap, + FILE_MAP_READ, + 0, + 0, + 0 + ); + + /**********жǷΪPEļʾPEļʽ**********/ + pDosHeader = (PIMAGE_DOS_HEADER)lpFile; + pNtHeaders = (PIMAGE_NT_HEADERS)((DWORD)lpFile+pDosHeader->e_lfanew); + if((pDosHeader->e_magic ==IMAGE_DOS_SIGNATURE)&&(pNtHeaders->Signature== IMAGE_NT_SIGNATURE)) + printf("ЧPEļ\n"); + else + printf("ЧPEļ\n"); + PrintPeFileFormat(pNtHeaders->FileHeader.Characteristics); + + /**********IMAGE_EXPORT_DERECTORY**********/ + dwExportDirectoryVA = pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; + if(dwExportDirectoryVA){ + printf("\nSection contains the following exports:\n"); + pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pNtHeaders+sizeof(IMAGE_NT_HEADERS)); + dwSectionCount = pNtHeaders->FileHeader.NumberOfSections; + for(;dwSection < dwSectionCount && pSectionHeader->VirtualAddress <= dwExportDirectoryVA;pSectionHeader++,dwSection++); + pSectionHeader--; + dwRawOffset = (DWORD)lpFile+pSectionHeader->PointerToRawData-pSectionHeader->VirtualAddress; + pExportDirectory=(PIMAGE_EXPORT_DIRECTORY)(dwRawOffset+dwExportDirectoryVA); + printf("Name: %s\n",dwRawOffset+pExportDirectory->Name); + printf("NumberOfFunctions: %d\n",pExportDirectory->NumberOfFunctions); + printf("NumberOfNames: 
%d\n",pExportDirectory->NumberOfNames); + if (pExportDirectory->AddressOfNames != NULL && pExportDirectory->AddressOfFunctions != NULL) + { + PVOID names = (BYTE*)(dwRawOffset+pExportDirectory->AddressOfNames); + PVOID funcs = (BYTE*)(dwRawOffset+pExportDirectory->AddressOfFunctions); + for (DWORD i = 0; i < pExportDirectory->NumberOfNames; i++) + printf("%d %s\n",i+1,dwRawOffset+((DWORD*)names)[i]); + } + } + else + printf("\nSection has no exports.\n"); + /**********END**********/ + UnmapViewOfFile(lpFile); + CloseHandle(hFileMap); + CloseHandle(hFile); + return 0; +} + +int GetPeTable(char*path) +{ + /**********START**********/ + HANDLE hFile,hFileMap; + OFSTRUCT OpenBuff; + DWORD dwImportDirectoryVA,dwExportDirectoryVA,dwSectionCount,dwSection=0,dwRawOffset; + LPVOID lpFile; + PIMAGE_DOS_HEADER pDosHeader; + PIMAGE_NT_HEADERS pNtHeaders; + PIMAGE_SECTION_HEADER pImSectionHeader; + PIMAGE_SECTION_HEADER pExSectionHeader; + PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor; + PIMAGE_THUNK_DATA pThunkData; + PIMAGE_EXPORT_DIRECTORY pExportDirectory; + /**********PEļ**********/ + hFile = (HANDLE)OpenFile( + path, + &OpenBuff, + OF_READ + ); + + printf("Dump of file %s:\n",path); + + if(hFile==INVALID_HANDLE_VALUE) + return -1; + + hFileMap = CreateFileMapping( + hFile, + 0, + PAGE_READONLY, + 0, + 0, + 0 + ); + + lpFile = MapViewOfFile( + hFileMap, + FILE_MAP_READ, + 0, + 0, + 0 + ); + + /**********жǷΪPEļʾPEļʽ**********/ + pDosHeader = (PIMAGE_DOS_HEADER)lpFile; + pNtHeaders = (PIMAGE_NT_HEADERS)((DWORD)lpFile+pDosHeader->e_lfanew); + if((pDosHeader->e_magic ==IMAGE_DOS_SIGNATURE)&&(pNtHeaders->Signature== IMAGE_NT_SIGNATURE)) + printf("ЧPEļ\n"); + else + printf("ЧPEļ\n"); + PrintPeFileFormat(pNtHeaders->FileHeader.Characteristics); + + pImSectionHeader = pExSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pNtHeaders+sizeof(IMAGE_NT_HEADERS)); + dwSectionCount = pNtHeaders->FileHeader.NumberOfSections; + /**********IMAGE_IMPORT_DERECTORY**********/ + dwImportDirectoryVA = 
pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; + if(dwImportDirectoryVA){ + printf("\nSection contains the following imports:\n"); + for(dwSection=0;dwSection < dwSectionCount && pImSectionHeader->VirtualAddress <= dwImportDirectoryVA;pImSectionHeader++,dwSection++); + pImSectionHeader--; + dwRawOffset = (DWORD)lpFile+pImSectionHeader->PointerToRawData-pImSectionHeader->VirtualAddress; + pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)(dwRawOffset+dwImportDirectoryVA); + for(;pImportDescriptor->Name!=0;pImportDescriptor++) + { + printf("\nDLL Name: %s\n",dwRawOffset+pImportDescriptor->Name); + pThunkData = (PIMAGE_THUNK_DATA)(dwRawOffset+pImportDescriptor->FirstThunk); + for(;pThunkData->u1.AddressOfData != 0;pThunkData++){ + if(pThunkData->u1.Function&0x80000000) //Խ + break; + printf("Function: %s\n",(dwRawOffset+pThunkData->u1.Function+2)); + } + } + } + else + printf("\nSection has no imports.\n"); + + /**********IMAGE_EXPORT_DERECTORY**********/ + dwExportDirectoryVA = pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; + if(dwExportDirectoryVA){ + printf("\nSection contains the following exports:\n"); + for(dwSection=0;dwSection < dwSectionCount && pExSectionHeader->VirtualAddress <= dwExportDirectoryVA;pExSectionHeader++,dwSection++); + pExSectionHeader--; + dwRawOffset = (DWORD)lpFile+pExSectionHeader->PointerToRawData-pExSectionHeader->VirtualAddress; + pExportDirectory=(PIMAGE_EXPORT_DIRECTORY)(dwRawOffset+dwExportDirectoryVA); + printf("Name: %s\n",dwRawOffset+pExportDirectory->Name); + printf("NumberOfFunctions: %d\n",pExportDirectory->NumberOfFunctions); + printf("NumberOfNames: %d\n",pExportDirectory->NumberOfNames); + if (pExportDirectory->AddressOfNames != NULL && pExportDirectory->AddressOfFunctions != NULL) + { + PVOID names = (BYTE*)(dwRawOffset+pExportDirectory->AddressOfNames); + PVOID funcs = (BYTE*)(dwRawOffset+pExportDirectory->AddressOfFunctions); + for (DWORD i = 0; i 
< pExportDirectory->NumberOfNames; i++) + printf("%d %s\n",i+1,dwRawOffset+((DWORD*)names)[i]); + } + } + else + printf("\nSection has no exports.\n"); + + /**********END**********/ + UnmapViewOfFile(lpFile); + CloseHandle(hFileMap); + CloseHandle(hFile); + return 0; +} + +/* +int GetPeImportTable0(char*path){ + printf("Dump of file %s:\n",path); + HMODULE module = LoadLibrary(path); + if(module==NULL) + return -1; + PIMAGE_NT_HEADERS header = (PIMAGE_NT_HEADERS)((BYTE *)module + ((PIMAGE_DOS_HEADER)module)->e_lfanew); + PIMAGE_IMPORT_DESCRIPTOR imports = (PIMAGE_IMPORT_DESCRIPTOR)((BYTE*)module + header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); + PIMAGE_THUNK_DATA pThunkData; + printf("Section contains the following imports:\n"); + for(;imports->Name!=0;imports++) + { + printf("DLL Name: %s\n",(BYTE*) module+imports->Name); + pThunkData = (PIMAGE_THUNK_DATA)((BYTE*) module+imports->FirstThunk); + for(;pThunkData->u1.AddressOfData != 0;pThunkData++) + printf("Function: %s\n",((BYTE*) module+pThunkData->u1.Function+2)); + } + if(FreeLibrary(module)==0) + return -2; + return 0; +} + +int GetPeExportTable0(char*path) { + printf("Dump of file %s:\n",path); + HMODULE module = LoadLibrary(path); + if(module==NULL) + return -1; + PIMAGE_NT_HEADERS header = (PIMAGE_NT_HEADERS)((BYTE *)module + ((PIMAGE_DOS_HEADER)module)->e_lfanew); + PIMAGE_EXPORT_DIRECTORY exports = (PIMAGE_EXPORT_DIRECTORY)((BYTE*)module + header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); + + printf("Section contains the following exports:\n"); + if (exports->AddressOfNames != NULL && exports->AddressOfFunctions != NULL) + { + PVOID names = (BYTE*) module + exports->AddressOfNames; + PVOID funcs = (BYTE*) module + exports->AddressOfFunctions; + + for(DWORD i = 0;i < exports->NumberOfNames;i++){ + char* name = (char*)((BYTE*) module + ((DWORD*) names)[i]); + printf("%d %s\n",i+1,name); + } + } + if(FreeLibrary(module)==0) + return -2; + 
return 0; +}*/ \ No newline at end of file diff --git a/by_students/imagehlp_pe/imagehlp_pe/imagehlp_pe.h b/by_students/imagehlp_pe/imagehlp_pe/imagehlp_pe.h new file mode 100644 index 0000000..d7c83d2 --- /dev/null +++ b/by_students/imagehlp_pe/imagehlp_pe/imagehlp_pe.h @@ -0,0 +1,14 @@ +#include +#include + +void PrintPeFileFormat(WORD Characteristics); +int GetPeHeaders(char*path); +int GetPeTable(char*path); +int GetPeImportTable(char*path); +int GetPeExportTable(char*path); + +/* +int GetPeImportTable0(char*path); +int GetPeExportTable0(char*path); +int GetPeFormat(char*path); +*/ \ No newline at end of file diff --git a/by_students/imagehlp_pe/imagehlp_pe/imagehlp_pe.vcxproj b/by_students/imagehlp_pe/imagehlp_pe/imagehlp_pe.vcxproj new file mode 100644 index 0000000..f4887d9 --- /dev/null +++ b/by_students/imagehlp_pe/imagehlp_pe/imagehlp_pe.vcxproj @@ -0,0 +1,74 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + + {8D3EAD6F-F6FA-483F-8D5E-EEFBF47E0142} + imagehlp_pe + + + + Application + true + v140 + MultiByte + + + Application + false + v140 + true + MultiByte + + + + + + + + + + + + + + + Level3 + Disabled + + + true + + + + + Level3 + MaxSpeed + true + true + + + true + true + true + + + + + + + + + + + + + \ No newline at end of file diff --git a/by_students/imagehlp_pe/imagehlp_pe/imagehlp_pe.vcxproj.filters b/by_students/imagehlp_pe/imagehlp_pe/imagehlp_pe.vcxproj.filters new file mode 100644 index 0000000..1dd429f --- /dev/null +++ b/by_students/imagehlp_pe/imagehlp_pe/imagehlp_pe.vcxproj.filters @@ -0,0 +1,30 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hpp;hxx;hm;inl;inc;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + 源文件 + + + 源文件 + + + + + 头文件 + + + \ No newline at end of file 
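Review bot: Every offset taken from the file in GetPeHeaders, GetPeImportTable, GetPeExportTable and GetPeTable (`e_lfanew`, `NumberOfSections`, the data-directory RVAs, the name RVAs) is dereferenced without being compared to the size of the mapping, and the signature test only prints a message before parsing continues, so a truncated or malformed file makes the tool read outside the view. The results of `CreateFileMapping` and `MapViewOfFile` are not checked either, and the former fails on a zero-length file, which leaves `lpFile` null at the first header read. In GetPeExportTable `dwSection` is read by the section loop without having been initialised; declare it as `dwSection=0` as the other functions do. Section names are printed with `%s` although `Name` is a fixed 8-byte field that need not be NUL-terminated, so `%.8s` is the safe specifier. A sketch of the mapping checks and a bounds-checked accessor for GetPeHeaders follows; the same pattern would apply to the other three functions and to every RVA they convert.

```cpp
// Returns base+off when [off, off+len) lies inside the size-byte view, else NULL.
static BYTE *PeAt(LPVOID base, DWORD size, DWORD off, DWORD len)
{
    if (off > size || len > size - off)
        return NULL;
    return (BYTE *)base + off;
}

int GetPeHeaders(char*path)
{
    // … unchanged: declarations, OpenFile and the INVALID_HANDLE_VALUE check …
    int rc = -1;
    DWORD dwFileSize = GetFileSize(hFile, NULL);
    if (dwFileSize == INVALID_FILE_SIZE)
        goto close_file;

    hFileMap = CreateFileMapping(hFile, 0, PAGE_READONLY, 0, 0, 0);
    if (hFileMap == NULL)
        goto close_file;
    lpFile = MapViewOfFile(hFileMap, FILE_MAP_READ, 0, 0, 0);
    if (lpFile == NULL)
        goto close_map;

    pDosHeader = (PIMAGE_DOS_HEADER)PeAt(lpFile, dwFileSize, 0, sizeof(IMAGE_DOS_HEADER));
    if (pDosHeader == NULL || pDosHeader->e_magic != IMAGE_DOS_SIGNATURE || pDosHeader->e_lfanew < 0)
        goto unmap;   // not a PE file: stop before any further header is read
    pNtHeaders = (PIMAGE_NT_HEADERS)PeAt(lpFile, dwFileSize, (DWORD)pDosHeader->e_lfanew, sizeof(IMAGE_NT_HEADERS));
    if (pNtHeaders == NULL || pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
        goto unmap;

    // … unchanged: header, data-directory and section printing …
    rc = 0;
unmap:
    UnmapViewOfFile(lpFile);
close_map:
    CloseHandle(hFileMap);
close_file:
    CloseHandle(hFile);
    return rc;
}
```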
diff --git a/by_students/imagehlp_pe/imagehlp_pe/main.cpp b/by_students/imagehlp_pe/imagehlp_pe/main.cpp
new file mode 100644
index 0000000..3668e13
--- /dev/null
+++ b/by_students/imagehlp_pe/imagehlp_pe/main.cpp
@@ -0,0 +1,24 @@
+#include "imagehlp_pe.h"
+
+int main(int argc,char **argv){
+ int ret;
+ //ret = GetPeHeaders("d:\\study\\test.exe");
+ //ret = GetPeImportTable("d:\\study\\test.exe");
+ //ret = GetPeExportTable("d:\\study\\test.exe");
+ //ret = GetPeTable("d:\\study\\test.exe");
+
+ //ret = GetPeHeaders("d:\\study\\system32.dll");
+ //ret = GetPeImportTable("d:\\study\\system32.dll");
+ //ret = GetPeExportTable("d:\\study\\system32.dll");
+ //ret = GetPeTable("d:\\study\\system32.dll");
+
+ //ret = GetPeHeaders("d:\\study\\steam_api.dll");
+ //ret = GetPeImportTable("d:\\study\\steam_api.dll");
+ //ret = GetPeExportTable("d:\\study\\steam_api.dll");
+ //ret = GetPeTable("d:\\study\\steam_api.dll");
+
+ ret = GetPeHeaders(argv[1]);
+ ret = GetPeTable(argv[1]);
+ getchar();
+ return ret;
+}
\ No newline at end of file
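Review bot: `main` passes `argv[1]` to GetPeHeaders and GetPeTable without looking at `argc`, so starting the program with no argument hands a null pointer to `printf("%s")` and `OpenFile`. A guard at the top such as `if (argc < 2) { printf("usage: %s <pe-file>\n", argv[0]); return 1; }` avoids that. The return value of GetPeHeaders is also overwritten by the GetPeTable call before it is read, so a failure of the first call is lost. The block of commented-out calls with hard-coded paths can be dropped.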