#include "windows.h"
#include <iostream>
using namespace std;
#define NTSIGNATURE(a) ((LPVOID)((BYTE *)a + \
((PIMAGE_DOS_HEADER)a)->e_lfanew))
/*
const int SIZE_OF_NT_SIGNATURE = 4;
#define PEHEADOFFSET(a) ((LPVOID)((BYTE *)a + \
((PIMAGE_DOS_HEADER)a)->e_lfanew)+SIZE_OF_NT_SIGNATURE)
*/
class PEUtil{
public:
static bool IsPeFile(LPVOID lp){
//DWORD ImageType=ImageFileType(lp);
//if(ImageType!=
/*if(lp==NULL)return false;
PIMAGE_DOS_HEADER pImage_Dos_Header=(PIMAGE_DOS_HEADER)lp;
if(pImage_Dos_Header->e_magic!=IMAGE_DOS_SIGNATURE)return false;
PIMAGE_NT_HEADERS32 pImage_Nt_Header=GetNtHeader(lp);
if(pImage_Nt_Header->Signature!=IMAGE_NT_SIGNATURE)return false;
return true;*/
return ImageFileType(lp)==IMAGE_NT_SIGNATURE;
}
static PIMAGE_NT_HEADERS GetNtHeader(PBYTE lp){
if(IsPeFile(lp)==false)return NULL;
return (PIMAGE_NT_HEADERS32)NTSIGNATURE(lp);
}
static PIMAGE_FILE_HEADER GetFileHeader(PBYTE lp){
PIMAGE_NT_HEADERS pNtHeader=GetNtHeader(lp);
if(pNtHeader==NULL)return NULL;
return PIMAGE_FILE_HEADER(&pNtHeader->FileHeader);
}
static PIMAGE_OPTIONAL_HEADER GetOptionalHeader(PBYTE lp){
PIMAGE_NT_HEADERS pNtHeader=GetNtHeader(lp);
if(pNtHeader==NULL)return NULL;
return PIMAGE_OPTIONAL_HEADER(&pNtHeader->OptionalHeader);
}
static PIMAGE_SECTION_HEADER GetSectionHeader(PBYTE lp){
PIMAGE_NT_HEADERS pnh=GetNtHeader(lp);
PIMAGE_SECTION_HEADER pch=(PIMAGE_SECTION_HEADER)((PBYTE)pnh+sizeof(IMAGE_NT_HEADERS));
return pch;
}
static LPVOID IMAGE_DIRECTORY_OFFSET(PBYTE lp,DWORD index){
PIMAGE_FILE_HEADER pfh=GetFileHeader(lp);
PIMAGE_OPTIONAL_HEADER poh=GetOptionalHeader(lp);
PIMAGE_SECTION_HEADER psh=GetSectionHeader(lp);
int nSections=pfh->NumberOfSections;
if(index>=poh->NumberOfRvaAndSizes){
return NULL;
}
LPVOID virtualDirAddr=(LPVOID)poh->DataDirectory[index].VirtualAddress;
int i=0;
while(i<nSections){
if(psh->VirtualAddress<=DWORD(virtualDirAddr)&&
psh->VirtualAddress+psh->SizeOfRawData>DWORD(virtualDirAddr)){
break;
}
++psh;
++i;
}
if(i>=nSections)return NULL;
return (LPVOID)(((int)lp+(int)virtualDirAddr-psh->VirtualAddress) +
(int)psh->PointerToRawData);
//return NULL;
}
private:
static DWORD WINAPI ImageFileType (LPVOID lpFile)
{
/* 首先出現(xiàn)的是DOS文件標(biāo)志 */
if (*(USHORT *)lpFile == IMAGE_DOS_SIGNATURE)
{
/* 由DOS頭部決定PE文件頭部的位置 */
if (LOWORD (*(DWORD *)NTSIGNATURE (lpFile)) ==
IMAGE_OS2_SIGNATURE ||
LOWORD (*(DWORD *)NTSIGNATURE (lpFile)) ==
IMAGE_OS2_SIGNATURE_LE)
return (DWORD)LOWORD(*(DWORD *)NTSIGNATURE (lpFile));
else if (*(DWORD *)NTSIGNATURE (lpFile) ==
IMAGE_NT_SIGNATURE)
return IMAGE_NT_SIGNATURE;
else
return IMAGE_DOS_SIGNATURE;
}
else
/* 不明文件種類 */
return 0;
}
};
int _tmain(int argc, _TCHAR* argv[])
{
LPCWSTR filepath=TEXT("D://STLPort/MemoryMap.exe");
HANDLE hFile = CreateFile(filepath,GENERIC_READ|GENERIC_WRITE,
FILE_SHARE_READ,NULL,OPEN_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
if(hFile==INVALID_HANDLE_VALUE){
cout<<"CreateFile Error"<<endl;
return -1;
}
//IMAGE_NT_HEADERS32
HANDLE hFileMapping = CreateFileMapping(hFile,NULL,PAGE_READWRITE,0,0,L"testFileMapping");
PBYTE pByte=(PBYTE)MapViewOfFile(hFileMapping,FILE_MAP_ALL_ACCESS,0,0,0);
//cout<<hex<<PEUtil::GetOptionalHeader(pByte)->ImageBase<<endl;
int nSections=PEUtil::GetFileHeader(pByte)->NumberOfSections;
cout<<nSections<<endl;
PIMAGE_SECTION_HEADER psh=PEUtil::GetSectionHeader(pByte);
for(int i=0;i<nSections;i++){
cout<<psh->Name<<" "<<psh->VirtualAddress<<" "<<psh->PointerToRawData<<endl;
psh++;
}
/*cout<<IsPeFile(pByte);
PIMAGE_NT_HEADERS32 pImage=GetNtHeader(pByte);
cout<<hex<<pImage->Signature<<endl;
cout<<pImage->FileHeader.Machine<<endl;
//cout<<hex<<ImageFileType(pByte)<<endl;
//cout<<PEHEADOFFSET(pByte)
//cout<<pByte<<endl;*/
return 0;
}
有時(shí)間總結(jié),待續(xù)...
#include "windows.h"
#include <iostream>
//#include "dlltest.h"
#include <vector>
#include <string>
using namespace std;
//#pragma comment(lib,"dlltest.lib")
typedef int (*pf)(void);
#define NTSIGNATURE(a) ((LPVOID)((BYTE *)a + \
((PIMAGE_DOS_HEADER)a)->e_lfanew))
/*
const int SIZE_OF_NT_SIGNATURE = 4;
#define PEHEADOFFSET(a) ((LPVOID)((BYTE *)a + \
((PIMAGE_DOS_HEADER)a)->e_lfanew)+SIZE_OF_NT_SIGNATURE)
*/
typedef struct tagImportDirectory
{
DWORD dwRVAFunctionNameList;
DWORD dwUseless1;
DWORD dwUseless2;
DWORD dwRVAModuleName;
DWORD dwRVAFunctionAddressList;
} IMAGE_IMPORT_MODULE_DIRECTORY, *PIMAGE_IMPORT_MODULE_DIRECTORY;
class PEUtil{
public:
static bool IsPeFile(LPVOID lp){
//DWORD ImageType=ImageFileType(lp);
//if(ImageType!=
/*if(lp==NULL)return false;
PIMAGE_DOS_HEADER pImage_Dos_Header=(PIMAGE_DOS_HEADER)lp;
if(pImage_Dos_Header->e_magic!=IMAGE_DOS_SIGNATURE)return false;
PIMAGE_NT_HEADERS32 pImage_Nt_Header=GetNtHeader(lp);
if(pImage_Nt_Header->Signature!=IMAGE_NT_SIGNATURE)return false;
return true;*/
return ImageFileType(lp)==IMAGE_NT_SIGNATURE;
}
static PIMAGE_NT_HEADERS GetNtHeader(PBYTE lp){
if(IsPeFile(lp)==false)return NULL;
return (PIMAGE_NT_HEADERS32)NTSIGNATURE(lp);
}
static PIMAGE_FILE_HEADER GetFileHeader(PBYTE lp){
PIMAGE_NT_HEADERS pNtHeader=GetNtHeader(lp);
if(pNtHeader==NULL)return NULL;
return PIMAGE_FILE_HEADER(&pNtHeader->FileHeader);
}
static PIMAGE_OPTIONAL_HEADER GetOptionalHeader(PBYTE lp){
PIMAGE_NT_HEADERS pNtHeader=GetNtHeader(lp);
if(pNtHeader==NULL)return NULL;
return PIMAGE_OPTIONAL_HEADER(&pNtHeader->OptionalHeader);
}
static PIMAGE_SECTION_HEADER GetSectionHeader(PBYTE lp){
PIMAGE_NT_HEADERS pnh=GetNtHeader(lp);
PIMAGE_SECTION_HEADER pch=(PIMAGE_SECTION_HEADER)((PBYTE)pnh+sizeof(IMAGE_NT_HEADERS));
return pch;
}
static PIMAGE_SECTION_HEADER GetSectionHeaderByName(PBYTE lp,LPCSTR name){
int nSections=GetFileHeader(lp)->NumberOfSections;
PIMAGE_SECTION_HEADER psh=GetSectionHeader(lp);
for(int i=0;i<nSections;i++){
//cout<<psh->Name<<" "<<psh->VirtualAddress<<" "<<psh->PointerToRawData<<endl;
if(strcmp((char*)psh->Name,name)==0)
return psh;
psh++;
}
return NULL;
}
static LPVOID IMAGE_DIRECTORY_OFFSET(PBYTE lp,DWORD index){
PIMAGE_FILE_HEADER pfh=GetFileHeader(lp);
PIMAGE_OPTIONAL_HEADER poh=GetOptionalHeader(lp);
PIMAGE_SECTION_HEADER psh=GetSectionHeader(lp);
int nSections=pfh->NumberOfSections;
if(index>=poh->NumberOfRvaAndSizes){
return NULL;
}
LPVOID virtualDirAddr=(LPVOID)poh->DataDirectory[index].VirtualAddress;
int i=0;
while(i<nSections){
if(psh->VirtualAddress<=DWORD(virtualDirAddr)&&
psh->VirtualAddress+psh->SizeOfRawData>DWORD(virtualDirAddr)){
break;
}
++psh;
++i;
}
if(i>=nSections)return NULL;
return (LPVOID)(((int)lp+(int)psh->PointerToRawData
+(int)virtualDirAddr-psh->VirtualAddress));
//return NULL;
}
static LPVOID IAT_OFFSET(PBYTE lp){
/*PIMAGE_OPTIONAL_HEADER poh=GetOptionalHeader(lp);
DWORD virtualDirAddr=poh->DataDirectory[12].VirtualAddress;
PIMAGE_IMPORT_MODULE_DIRECTORY pimd;
pimd=(PIMAGE_IMPORT_MODULE_DIRECTORY)IMAGE_DIRECTORY_OFFSET(lp,IMAGE_DIRECTORY_ENTRY_IMPORT);
PIMAGE_SECTION_HEADER idsh;
idsh=GetSectionHeaderByName(lp,".idata");
return (LPVOID)((PBYTE)pimd+(virtualDirAddr-idsh->VirtualAddress));*/
return (LPVOID)((PBYTE)IMAGE_DIRECTORY_OFFSET(lp,12)/*-lp*/);
}
static void GetImportModuleNames(PBYTE lp,vector<PBYTE>& vec){
PIMAGE_IMPORT_MODULE_DIRECTORY pimd;
PIMAGE_SECTION_HEADER idsh;
//pimd 物理地址
pimd=(PIMAGE_IMPORT_MODULE_DIRECTORY)IMAGE_DIRECTORY_OFFSET(lp,IMAGE_DIRECTORY_ENTRY_IMPORT);
idsh=GetSectionHeaderByName(lp,".idata");
//cout<<idsh->Name<<endl;
PBYTE pData=(PBYTE)pimd;
//pid->
//pid->Name
//ImageRvaToVa(
while(pimd->dwRVAModuleName){
//vec.push_back((PBYTE)(pimd+(pimd->dwRVAModuleName-idsh->VirtualAddress)));
vec.push_back((pData+(pimd->dwRVAModuleName-idsh->VirtualAddress)));
++pimd;
}
}
static PIMAGE_IMPORT_MODULE_DIRECTORY GetImportModuleByName(PBYTE lp,LPCSTR name){
PIMAGE_IMPORT_MODULE_DIRECTORY pimd;
PIMAGE_SECTION_HEADER idsh;
pimd=(PIMAGE_IMPORT_MODULE_DIRECTORY)IMAGE_DIRECTORY_OFFSET(lp,IMAGE_DIRECTORY_ENTRY_IMPORT);
idsh=GetSectionHeaderByName(lp,".idata");
//cout<<idsh->Name<<endl;
if(idsh==NULL)return NULL;
PBYTE pData=(PBYTE)pimd;
while(pimd->dwRVAModuleName){
//vec.push_back((PBYTE)(pimd+(pimd->dwRVAModuleName-idsh->VirtualAddress)));
//vec.push_back((pData+(pimd->dwRVAModuleName-idsh->VirtualAddress)));
if(strcmp((char*)(pData+(pimd->dwRVAModuleName-idsh->VirtualAddress)),name)==0){
return pimd;
}
++pimd;
}
return NULL;
}
static void GetImportFunctionNamesByModule(PBYTE lp,vector<PBYTE>& ret){
PIMAGE_IMPORT_MODULE_DIRECTORY pimd;
PIMAGE_SECTION_HEADER idsh;
pimd=(PIMAGE_IMPORT_MODULE_DIRECTORY)IMAGE_DIRECTORY_OFFSET(lp,IMAGE_DIRECTORY_ENTRY_IMPORT);
idsh=GetSectionHeaderByName(lp,".idata");
DWORD dwBase=(DWORD)((PBYTE)pimd - idsh->VirtualAddress);
// DWORD dwBaseAddr=(DWORD)(lp - idsh->VirtualAddress);
LPVOID iat=IAT_OFFSET(lp);
PIMAGE_IMPORT_DESCRIPTOR pid;
pid=(PIMAGE_IMPORT_DESCRIPTOR)IMAGE_DIRECTORY_OFFSET(lp,IMAGE_DIRECTORY_ENTRY_IMPORT);
while(pimd->dwRVAModuleName){
cout<<"------------"<<(char*)(dwBase+pimd->dwRVAModuleName)<<"-----------"<<endl;
DWORD dwFunction=pimd->dwRVAFunctionNameList;
DWORD dwFunctionAddr=pimd->dwRVAFunctionAddressList;
while(dwFunction && *(DWORD*)(dwFunction+dwBase) && *(char*)(*(DWORD*)(dwFunction+dwBase)+dwBase+2)){
cout<<(char*)(*(DWORD*)(dwFunction+dwBase)+dwBase+2)<<" ---rva: ";
cout<<hex<<(dwFunctionAddr)<<endl;
dwFunction+=4;
dwFunctionAddr+=4;
}
++pimd;
}
//vector<PBYTE> moduleSet;
//GetImportModuleNames(lp,moduleSet);
}
private:
static DWORD WINAPI ImageFileType (LPVOID lpFile)
{
/* 首先出現(xiàn)的是DOS文件標(biāo)志 */
if (*(USHORT *)lpFile == IMAGE_DOS_SIGNATURE)
{
/* 由DOS頭部決定PE文件頭部的位置 */
if (LOWORD (*(DWORD *)NTSIGNATURE (lpFile)) ==
IMAGE_OS2_SIGNATURE ||
LOWORD (*(DWORD *)NTSIGNATURE (lpFile)) ==
IMAGE_OS2_SIGNATURE_LE)
return (DWORD)LOWORD(*(DWORD *)NTSIGNATURE (lpFile));
else if (*(DWORD *)NTSIGNATURE (lpFile) ==
IMAGE_NT_SIGNATURE)
return IMAGE_NT_SIGNATURE;
else
return IMAGE_DOS_SIGNATURE;
}
else
/* 不明文件種類 */
return 0;
}
};
int _tmain(int argc, _TCHAR* argv[])
{
LPCWSTR filepath=TEXT("D://STLPort/MemoryMap.exe");
HANDLE hFile = CreateFile(filepath,GENERIC_READ|GENERIC_WRITE,
FILE_SHARE_READ,NULL,OPEN_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
if(hFile==INVALID_HANDLE_VALUE){
cout<<"CreateFile Error"<<endl;
return -1;
}
//IMAGE_NT_HEADERS32
HANDLE hFileMapping = CreateFileMapping(hFile,NULL,PAGE_READWRITE,0,0,L"testFileMapping");
PBYTE pByte=(PBYTE)MapViewOfFile(hFileMapping,FILE_MAP_ALL_ACCESS,0,0,0);
cout<<PEUtil::IsPeFile(pByte)<<endl;
//LPVOID p=PEUtil::IAT_OFFSET(pByte);
//cout<<fndlltest()<<endl;
HINSTANCE hInst=LoadLibrary(L"dlltest.dll");
pf lp;
lp=(pf)GetProcAddress(hInst,"fndlltest");
cout<<lp()<<endl;
//cout<<hex<<PEUtil::GetOptionalHeader(pByte)->ImageBase<<endl;
/*int nSections=PEUtil::GetFileHeader(pByte)->NumberOfSections;
cout<<nSections<<endl;
PIMAGE_SECTION_HEADER psh=PEUtil::GetSectionHeader(pByte);
for(int i=0;i<nSections;i++){
cout<<psh->Name<<" "<<psh->VirtualAddress<<" "<<psh->PointerToRawData<<endl;
psh++;
}*/
PIMAGE_SECTION_HEADER psh=PEUtil::GetSectionHeaderByName(pByte,".idata");
cout<<psh->Name<<" "<<psh->VirtualAddress<<" "<<psh->PointerToRawData<<endl;
vector<PBYTE> vec;
/*PEUtil::GetImportModuleNames(pByte,vec);
for(int i=0;i<vec.size();i++){
cout<<vec[i]<<endl;
}*/
PEUtil::GetImportFunctionNamesByModule(pByte,vec);
/*cout<<IsPeFile(pByte);
PIMAGE_NT_HEADERS32 pImage=GetNtHeader(pByte);
cout<<hex<<pImage->Signature<<endl;
cout<<pImage->FileHeader.Machine<<endl;
//cout<<hex<<ImageFileType(pByte)<<endl;
//cout<<PEHEADOFFSET(pByte)
//cout<<pByte<<endl;*/
return 0;
}
posted on 2010-10-12 17:22
小果子 閱讀(727)
評(píng)論(0) 編輯 收藏 引用 所屬分類:
Windows 、
C++