功能:
01:展示输出表信息
02: 展示输入表信息
03:资源表信息
04:重定位表信息
05:绑定导入表信息
难点:
01: 定义全局变量, 区别每个点击按钮, 使用一个对话框,分别对消息进行接收
02: 读取PE信息, 对每个表的信息进行展示
03: 字符串的使用方法 sprintf strcat 的用法
04 SendMessage
实例展示:
主要代码:
001 | VOID SetPeFileInfo(HWND hwndDlg,LPSTR lpszFile) |
003 | HWND hInfoMation = GetDlgItem(hwndDlg,IDC_EDIT_INFOMATION); |
004 | TCHAR InfoStr[200240]={0}; |
007 | LPVOID pFileBuffer = NULL; |
008 | pFileBuffer= ReadPEFile(lpszFile); |
015 | PIMAGE_DOS_HEADER pDosHeader = NULL; |
016 | PIMAGE_NT_HEADERS pNTHeader = NULL; |
017 | PIMAGE_FILE_HEADER pPEHeader = NULL; |
018 | PIMAGE_OPTIONAL_HEADER32 pOptionHeader = NULL; |
019 | PIMAGE_SECTION_HEADER pSectionHeader = NULL; |
020 | PIMAGE_DATA_DIRECTORY DataDirectory=NULL; |
023 | pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer; |
024 | pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pFileBuffer+pDosHeader->e_lfanew); |
025 | pPEHeader = (PIMAGE_FILE_HEADER)(((DWORD)pNTHeader)+4); |
026 | pOptionHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)pPEHeader+IMAGE_SIZEOF_FILE_HEADER); |
027 | pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader+pPEHeader->SizeOfOptionalHeader); |
030 | DataDirectory = pOptionHeader->DataDirectory; |
047 | DWORD Export_Directory_Address = DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; |
048 | DWORD Export_Directory_Size = DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; |
050 | if(Export_Directory_Size == 0) |
052 | haveDirectory = FALSE; |
053 | MessageBox(0,TEXT("没有输出表"),TEXT("错误"),0); |
056 | haveDirectory = TRUE; |
060 | FoA = RVAToFileOffset(pFileBuffer,Export_Directory_Address); |
062 | PIMAGE_EXPORT_DIRECTORY pExDirectory = NULL; |
063 | pExDirectory = (PIMAGE_EXPORT_DIRECTORY)((DWORD)pFileBuffer + FoA); |
066 | sprintf(rn,"输出表基本信息 : \r\n"); |
069 | sprintf(rn,"Characteristics: %08X\r\n",pExDirectory->Characteristics); |
071 | sprintf(rn,"TimeDateStamp: %08X\r\n",pExDirectory->TimeDateStamp); |
073 | sprintf(rn,"MajorVersion: %08X\r\n",pExDirectory->MajorVersion); |
075 | sprintf(rn,"MinorVersion: %08X\r\n",pExDirectory->MinorVersion); |
077 | sprintf(rn,"Name: %08X\r\n",pExDirectory->Name); |
079 | sprintf(rn,"Base: %08X\r\n",pExDirectory->Base); |
081 | sprintf(rn,"NumberOfFunctions: %08X\r\n",pExDirectory->NumberOfFunctions); |
083 | sprintf(rn,"NumberOfNames: %08X\r\n",pExDirectory->NumberOfNames); |
085 | sprintf(rn,"AddressOfFunctions: %08X\r\n",pExDirectory->AddressOfFunctions); |
087 | sprintf(rn,"AddressOfNames: %08X\r\n",pExDirectory->AddressOfNames); |
089 | sprintf(rn,"AddressOfNameOrdinals: %08X\r\n-------------\r\n",pExDirectory->AddressOfNameOrdinals); |
094 | DWORD ExAddressOfFunctions = pExDirectory->AddressOfFunctions; |
095 | DWORD ExAddressOfFunctionsFoA = RVAToFileOffset(pFileBuffer,ExAddressOfFunctions); |
096 | DWORD ExNumberOfFunctions = pExDirectory->NumberOfFunctions; |
098 | PDWORD pExAddressOfFunctions = NULL; |
099 | pExAddressOfFunctions = (PDWORD)((DWORD)pFileBuffer + ExAddressOfFunctionsFoA); |
102 | sprintf(rn,"每个函数地址表信息: \r\n"); |
107 | for(k=0;k<ExNumberOfFunctions;k++) |
110 | sprintf(rn,"%d : %08X\r\n",k,*pExAddressOfFunctions); |
113 | pExAddressOfFunctions++; |
115 | sprintf(rn,"-----------------\r\n"); |
119 | sprintf(rn,"函数名称表: \r\n"); |
123 | DWORD ExAddressOfNames = pExDirectory->AddressOfNames; |
124 | DWORD ExAddressOfNamesFoA = RVAToFileOffset(pFileBuffer,ExAddressOfNames); |
125 | DWORD ExNumberOfNames = pExDirectory->NumberOfNames; |
127 | PDWORD pExAddressOfNames = NULL; |
128 | pExAddressOfNames = (PDWORD)((DWORD)pFileBuffer + ExAddressOfNamesFoA); |
130 | for(k=0;k<ExNumberOfNames;k++) |
134 | sprintf(rn,"%d : %08X\r\n",k,*pExAddressOfNames); |
138 | PDWORD NameAddress = (PDWORD)RVAToFileOffset(pFileBuffer,*pExAddressOfNames); |
140 | printf("%s \n",(char*)((DWORD)pFileBuffer + (DWORD)NameAddress)); |
142 | sprintf(rn,"%s \r\n",(char*)((DWORD)pFileBuffer + (DWORD)NameAddress)); |
148 | sprintf(rn,"-----------------\r\n"); |
154 | sprintf(rn,"函数序号表: \r\n"); |
157 | DWORD ExAddressOfNameOrdinals = pExDirectory->AddressOfNameOrdinals; |
158 | DWORD ExAddressOfNameOrdinalsFoA = RVAToFileOffset(pFileBuffer,ExAddressOfNameOrdinals); |
159 | ExNumberOfNames = pExDirectory->NumberOfNames; |
160 | PWORD pExAddressOfNameOrdinals = NULL; |
161 | pExAddressOfNameOrdinals = (PWORD)((DWORD)pFileBuffer + ExAddressOfNameOrdinalsFoA); |
163 | for(k=0;k<ExNumberOfNames;k++) |
166 | sprintf(rn,"%d : %08X \r\n",k,*pExAddressOfNameOrdinals); |
169 | pExAddressOfNameOrdinals++; |
173 | sprintf(rn,"-----------------\r\n"); |
175 | SendMessage(hInfoMation,WM_SETTEXT,0,(long)InfoStr); |
186 | sprintf(rn,"输入表基本信息 : \r\n"); |
191 | IMAGE_DATA_DIRECTORY pImportDirectory = DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]; |
193 | DWORD ImportVirtualAddress = pImportDirectory.VirtualAddress; |
194 | DWORD ImportFoa = RVAToFileOffset(pFileBuffer,ImportVirtualAddress); |
196 | if(pImportDirectory.Size == 0) |
198 | haveDirectory = FALSE; |
199 | MessageBox(0,TEXT("没有输入表"),TEXT("错误"),0); |
202 | haveDirectory = TRUE; |
206 | sprintf(rn,"ImportVirtualAddress: %08X \r\n",ImportVirtualAddress); |
208 | sprintf(rn,"Size: %08X \r\n",pImportDirectory.Size); |
210 | sprintf(rn,"ImportFoa: %08X \r\n",ImportFoa); |
216 | PIMAGE_IMPORT_DESCRIPTOR pImportDes = NULL; |
217 | pImportDes = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)pFileBuffer + ImportFoa); |
219 | while(pImportDes->OriginalFirstThunk != 0x0 && pImportDes->FirstThunk != 0x0 ) |
222 | sprintf(rn,"OriginalFirstThunk: %08X \r\n",pImportDes->OriginalFirstThunk); |
224 | DWORD pNameAddress = RVAToFileOffset(pFileBuffer,pImportDes->Name); |
225 | PSTR pDllName = (PSTR)((DWORD)pFileBuffer + pNameAddress); |
227 | sprintf(rn,"name: %s \r\n",pDllName); |
229 | sprintf(rn,"------------------------------- : \r\n"); |
232 | DWORD Thunk_Address = RVAToFileOffset(pFileBuffer,pImportDes->OriginalFirstThunk); |
233 | PIMAGE_THUNK_DATA32 pThunkData = (PIMAGE_THUNK_DATA32)((DWORD)pFileBuffer + Thunk_Address); |
236 | DWORD ImportOrdinal = pThunkData->u1.Ordinal; |
241 | if(ImportOrdinal & IMAGE_ORDINAL_FLAG32) |
243 | sprintf(rn,"按序号导入: %08X \r\n",ImportOrdinal&0x0FFF); |
247 | DWORD ImageNameAddress = RVAToFileOffset(pFileBuffer,ImportOrdinal); |
248 | PIMAGE_IMPORT_BY_NAME pImageName = (PIMAGE_IMPORT_BY_NAME)(DWORD(pFileBuffer)+ImageNameAddress); |
250 | sprintf(rn,"按名字导入: %08X -- %s \r\n",pImageName->Hint,pImageName->Name); |
254 | pThunkData = (PIMAGE_THUNK_DATA32)((DWORD)pThunkData + 4); |
255 | ImportOrdinal = pThunkData->u1.Ordinal; |
258 | sprintf(rn,"------------------------------- : \r\n"); |
261 | DWORD pFirstThunk = (DWORD)pImportDes->FirstThunk; |
262 | printf("FirstThunk:%x \n",pImportDes->FirstThunk); |
264 | sprintf(rn,"FirstThunk:%08X \r\n",pImportDes->FirstThunk); |
266 | sprintf(rn,"------------------------------- : \r\n"); |
269 | DWORD FirstThunk_Address = RVAToFileOffset(pFileBuffer,pFirstThunk); |
270 | PIMAGE_THUNK_DATA32 pNewThunkData = (PIMAGE_THUNK_DATA32)((DWORD)pFileBuffer + FirstThunk_Address); |
273 | DWORD newImportOrdinal = pNewThunkData->u1.Ordinal; |
275 | while(newImportOrdinal) |
279 | if(newImportOrdinal & IMAGE_ORDINAL_FLAG32) |
282 | sprintf(rn,"按序号导入:%08X \r\n",newImportOrdinal&0x0FFF); |
287 | DWORD newImageNameAddress = RVAToFileOffset(pFileBuffer,newImportOrdinal); |
288 | PIMAGE_IMPORT_BY_NAME pNewImageName = (PIMAGE_IMPORT_BY_NAME)(DWORD(pFileBuffer)+newImageNameAddress); |
290 | sprintf(rn,"按名字导入::%08X - %s \r\n",pNewImageName->Hint,pNewImageName->Name); |
295 | pNewThunkData = (PIMAGE_THUNK_DATA32)((DWORD)pNewThunkData + 4); |
296 | newImportOrdinal = pNewThunkData->u1.Ordinal; |
300 | sprintf(rn,"------------------------------- \r\n"); |
302 | pImportDes = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)pImportDes + 20); |
307 | SendMessage(hInfoMation,WM_SETTEXT,0,(long)InfoStr); |
313 | sprintf(rn,"资源表基本信息 : \r\n"); |
316 | IMAGE_DATA_DIRECTORY ResourceDirectory = DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE]; |
318 | DWORD ResourceVirtualAddress = ResourceDirectory.VirtualAddress; |
319 | DWORD ResourceSize = ResourceDirectory.Size; |
323 | haveDirectory = FALSE; |
324 | MessageBox(0,TEXT("没有资源表"),TEXT("错误"),0); |
327 | haveDirectory = TRUE; |
331 | sprintf(rn,"ResourceVirtualAddress :%08X \r\n",ResourceVirtualAddress); |
333 | sprintf(rn,"ResourceSize :%08X \r\n",ResourceSize); |
336 | DWORD dwFoa = RVAToFileOffset(pFileBuffer,ResourceVirtualAddress); |
337 | PIMAGE_RESOURCE_DIRECTORY pResource = (PIMAGE_RESOURCE_DIRECTORY)((DWORD)pFileBuffer + dwFoa); |
341 | sprintf(rn,"NumberOfNamedEntries :%08X \r\n",pResource->NumberOfNamedEntries); |
343 | sprintf(rn,"NumberOfIdEntries :%08X \r\n",pResource->NumberOfIdEntries); |
348 | PIMAGE_RESOURCE_DIRECTORY_ENTRY pResdirectoryEntry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((DWORD)pResource + sizeof(IMAGE_RESOURCE_DIRECTORY)); |
349 | DWORD NumberOfResType = pResource->NumberOfNamedEntries + pResource->NumberOfIdEntries; |
352 | PIMAGE_RESOURCE_DIRECTORY pResICODir=NULL; |
355 | for(DWORD i=0;i<NumberOfResType;i++) |
358 | DWORD NameIsString = pResdirectoryEntry->NameIsString; |
359 | DWORD ResName = pResdirectoryEntry->Name; |
360 | DWORD OffsetToData = pResdirectoryEntry->OffsetToData; |
361 | DWORD DataIsDirectory = pResdirectoryEntry->DataIsDirectory; |
365 | sprintf(rn,"Info: %08X -NameIsString: %08X - Name: %08X -- OffToDa: %08X : IsD - %08X \r\n",i+1,NameIsString,ResName,OffsetToData,DataIsDirectory); |
371 | pResICODir = (PIMAGE_RESOURCE_DIRECTORY)((DWORD)pResource +pResdirectoryEntry->OffsetToDirectory); |
375 | pResdirectoryEntry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((DWORD)pResdirectoryEntry + 8); |
379 | DWORD NumberOffICO = pResICODir->NumberOfIdEntries + pResICODir->NumberOfNamedEntries; |
381 | sprintf(rn,"NumberOffICO :%08X \r\n",NumberOffICO); |
385 | PIMAGE_RESOURCE_DIRECTORY_ENTRY pICOEntry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((DWORD)pResICODir + sizeof(IMAGE_RESOURCE_DIRECTORY)); |
387 | PIMAGE_RESOURCE_DIRECTORY pICOContent = NULL; |
389 | for(DWORD j = 0;j<NumberOffICO;j++) |
392 | DWORD NameIsString = pICOEntry->NameIsString; |
393 | DWORD ResName = pICOEntry->Name; |
394 | DWORD OffsetToData = pICOEntry->OffsetToData; |
395 | DWORD DataIsDirectory = pICOEntry->DataIsDirectory; |
400 | sprintf(rn,"Info: %d -NameIsString: %d - Name: %08X -- OffToDa: %08X - IsD - %08X \n",i+1, |
401 | NameIsString,ResName,OffsetToData,DataIsDirectory); |
405 | pICOContent = (PIMAGE_RESOURCE_DIRECTORY)((DWORD)pResource +pICOEntry->OffsetToDirectory); |
407 | DWORD NumberOfICOContent = pICOContent->NumberOfIdEntries + pICOContent->NumberOfNamedEntries; |
409 | sprintf(rn,"NumberOfICOContent :%08X \r\n",NumberOfICOContent); |
414 | PIMAGE_RESOURCE_DIRECTORY_ENTRY pICOGetVS = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((DWORD)pICOContent + sizeof(IMAGE_RESOURCE_DIRECTORY)); |
416 | PIMAGE_DATA_DIRECTORY pDataIco = (PIMAGE_DATA_DIRECTORY)((DWORD)pResource + pICOGetVS->OffsetToDirectory); |
419 | sprintf(rn,"VirtualAddress: %08X, Size: %08X \n",pDataIco->VirtualAddress,pDataIco->Size); |
421 | pICOEntry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((DWORD)pICOEntry + 8); |
423 | SendMessage(hInfoMation,WM_SETTEXT,0,(long)InfoStr); |
429 | sprintf(rn,"重定位表的基本信息 : \r\n"); |
432 | DWORD BaseReloc_Directory_Address = DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress; |
433 | DWORD BaseReloc_Directory_Size = DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; |
434 | FoA = RVAToFileOffset(pFileBuffer,BaseReloc_Directory_Address); |
436 | if(BaseReloc_Directory_Size == 0) |
438 | haveDirectory = FALSE; |
439 | MessageBox(0,TEXT("没有重定位表"),TEXT("错误"),0); |
442 | haveDirectory = TRUE; |
447 | PIMAGE_BASE_RELOCATION pRelocData = (PIMAGE_BASE_RELOCATION)((DWORD)pFileBuffer + FoA); |
450 | while(pRelocData->VirtualAddress||pRelocData->SizeOfBlock) |
452 | DWORD RelocVirtualAddress = pRelocData->VirtualAddress; |
453 | DWORD RelocSize = pRelocData->SizeOfBlock; |
455 | sprintf(rn,"VirtualSize: %08X ,Size: %08X , Number: %08X \r\n",RelocVirtualAddress,RelocSize,(RelocSize-8)/2); |
458 | int k = (RelocSize-8)/2; |
459 | PWORD pMyRelocAddress = NULL; |
460 | pMyRelocAddress = (PWORD)((DWORD)pRelocData+8); |
465 | sprintf(rn,"第%04X个 : 标志 : %08X 偏移 : %08X\r\n",i+1,pMyRelocAddress[i]&0xF000,RelocVirtualAddress+(pMyRelocAddress[i]&0x0FFF)); |
468 | pRelocData = (PIMAGE_BASE_RELOCATION)((DWORD)pRelocData + RelocSize); |
471 | SendMessage(hInfoMation,WM_SETTEXT,0,(long)InfoStr); |
476 | sprintf(rn,"绑定导入表的基本信息 : \r\n"); |
479 | IMAGE_DATA_DIRECTORY pBindImportDirectory = DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT]; |
481 | DWORD BindImportVirtualAddress = pBindImportDirectory.VirtualAddress; |
482 | DWORD BindImportFoa = BindImportVirtualAddress; |
484 | PIMAGE_BOUND_IMPORT_DESCRIPTOR pBindImport = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)((DWORD)pFileBuffer + BindImportFoa); |
486 | if(pBindImportDirectory.Size == 0) |
488 | haveDirectory = FALSE; |
489 | MessageBox(0,TEXT("没有绑定导入表"),TEXT("错误"),0); |
492 | haveDirectory = TRUE; |
497 | while(pBindImport->TimeDateStamp !=0x0) |
500 | DWORD bindTime = pBindImport->TimeDateStamp; |
501 | WORD ModuleName = pBindImport->OffsetModuleName; |
502 | WORD numberModule = pBindImport->NumberOfModuleForwarderRefs; |
505 | PSTR pModuleName = (PSTR)((DWORD)pFileBuffer+(DWORD)BindImportVirtualAddress+ModuleName); |
507 | sprintf(rn,"ModuleName:%s \r\n",pModuleName); |
511 | sprintf(rn,"--numberModule:%08X \r\n",numberModule); |
514 | for(int i=0;i<numberModule;i++) |
516 | PIMAGE_BOUND_FORWARDER_REF pBoundRef = (PIMAGE_BOUND_FORWARDER_REF)((DWORD)pBindImport+i*8); |
517 | pBindImport = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)((DWORD)pBindImport+i*8); |
520 | DWORD refTime = pBoundRef->TimeDateStamp; |
521 | WORD refName = pBoundRef->OffsetModuleName; |
522 | PSTR pRefName = (PSTR)((DWORD)pFileBuffer+(DWORD)BindImportVirtualAddress+refName); |
524 | sprintf(rn," RefName:%s \r\n",pRefName); |
528 | pBindImport = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)((DWORD)pBindImport+8); |
531 | SendMessage(hInfoMation,WM_SETTEXT,0,(long)InfoStr); |
536 | sprintf(rn,"绑定导入表的基本信息 : \r\n"); |
539 | sprintf(rn,"测试使用,未实现 : \r\n"); |
541 | SendMessage(hInfoMation,WM_SETTEXT,0,(long)InfoStr); |
0则评论给“PeTools开发(五)”