PE分析

1 #include
2 #include
3 #include "resource.h"
4
5
6
/* Dialog procedure for IDD_DIALOG; drives the file picker and fills in the PE fields. */
BOOL CALLBACK DlgProc(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam);

/*
 * PE file helper declarations.
 *
 * Each helper takes only the base address of a file that has been mapped into
 * memory.  None of them receives the mapping's size, so none of them can check
 * that e_lfanew (or the headers it points at) lies inside the mapping.  When
 * the file is untrusted, the caller must bounds-check the header range before
 * calling any of these.
 */

BOOL IsPeFile(LPVOID ImageBase);
PIMAGE_NT_HEADERS    GetNtHeader(LPVOID    ImageBase);
PIMAGE_FILE_HEADER    WINAPI    GetFileHeader(LPVOID    Imagebase);
PIMAGE_OPTIONAL_HEADER    GetOptionalHeader(LPVOID    ImageBase);
15
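/*
 * Program entry point: run IDD_DIALOG modally until the user closes it.
 *
 * DialogBox() returns -1 when the dialog could not be created (for example a
 * missing or malformed resource).  The original ignored that and exited 0, so
 * a broken build looked like a clean run; report it and return non-zero instead.
 *
 * Returns 0 when the dialog ran, 1 when it could not be created.
 */
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowcmd)
{
    INT_PTR rc;

    (void)hPrevInstance;  /* always NULL on Win32 */
    (void)lpCmdLine;
    (void)nShowcmd;

    rc = DialogBox(hInstance, MAKEINTRESOURCE(IDD_DIALOG), NULL, DlgProc);
    if (rc == -1) {
        MessageBox(NULL, "DialogBox failed.", "ERROR", MB_ICONERROR);
        return 1;
    }
    return 0;
}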
22
23
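/*
 * Check that every header byte this dialog reads lies inside the cbFile bytes
 * mapped at base: the DOS header, the PE signature, IMAGE_FILE_HEADER, and the
 * optional header up to and including the third data directory entry.
 *
 * The file is untrusted input.  e_lfanew and SizeOfOptionalHeader come straight
 * from the file, so each offset is range-checked before it is dereferenced;
 * IsPeFile()/GetFileHeader()/GetOptionalHeader() take no size and cannot do this.
 *
 * On success *pfPe64 is TRUE when the optional header has the PE32+ layout
 * (Magic 0x20B), FALSE otherwise (any other Magic is read with the PE32 layout,
 * which is what the original code always did).
 */
static BOOL PeHeadersInBounds(LPCVOID base, DWORD cbFile, BOOL *pfPe64)
{
    const BYTE *p = (const BYTE *)base;
    const IMAGE_DOS_HEADER *dos;
    const IMAGE_FILE_HEADER *fh;
    DWORD ntOff, optOff, needed;
    WORD cbOpt, magic;

    if (p == NULL || cbFile < sizeof(IMAGE_DOS_HEADER))
        return FALSE;
    dos = (const IMAGE_DOS_HEADER *)p;
    if (dos->e_magic != IMAGE_DOS_SIGNATURE || dos->e_lfanew < 0)
        return FALSE;
    ntOff = (DWORD)dos->e_lfanew;

    /* Signature + IMAGE_FILE_HEADER must fit before SizeOfOptionalHeader is read.
     * cbFile >= sizeof(IMAGE_DOS_HEADER) (64) here, so the subtraction cannot wrap. */
    if (ntOff > cbFile - (DWORD)(sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER)))
        return FALSE;
    if (*(const DWORD *)(p + ntOff) != IMAGE_NT_SIGNATURE)
        return FALSE;
    fh = (const IMAGE_FILE_HEADER *)(p + ntOff + sizeof(DWORD));
    cbOpt = fh->SizeOfOptionalHeader;
    optOff = ntOff + (DWORD)(sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER));  /* <= cbFile */

    /* The optional header as declared by the file must itself fit in the mapping,
     * and must at least hold Magic so the layout can be chosen. */
    if (cbOpt < sizeof(WORD) || cbOpt > cbFile - optOff)
        return FALSE;
    magic = *(const WORD *)(p + optOff);
    *pfPe64 = (magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC);

    /* Bytes needed to read AddressOfEntryPoint and directories 0..2. */
    if (*pfPe64)
        needed = FIELD_OFFSET(IMAGE_OPTIONAL_HEADER64, DataDirectory)
               + (IMAGE_DIRECTORY_ENTRY_RESOURCE + 1) * sizeof(IMAGE_DATA_DIRECTORY);
    else
        needed = FIELD_OFFSET(IMAGE_OPTIONAL_HEADER32, DataDirectory)
               + (IMAGE_DIRECTORY_ENTRY_RESOURCE + 1) * sizeof(IMAGE_DATA_DIRECTORY);
    return cbOpt >= needed;
}

/* Write a 16-bit header field to control `id` as four upper-case hex digits. */
static void SetHex16(HWND hDlg, int id, WORD value)
{
    TCHAR buf[16];
    wsprintf(buf, "%04X", (UINT)value);
    SetDlgItemText(hDlg, id, buf);
}

/* Write a 32-bit header field to control `id` as eight upper-case hex digits. */
static void SetHex32(HWND hDlg, int id, DWORD value)
{
    TCHAR buf[16];
    wsprintf(buf, "%08lX", (unsigned long)value);
    SetDlgItemText(hDlg, id, buf);
}

/*
 * Open and map the file at `path` read-only, validate its PE headers and fill
 * the dialog's header controls.  Every failure is reported with a MessageBox.
 *
 * All resources are released through the single cleanup tail, which fixes the
 * original's handle leak on the "header pointer" error path and its double
 * UnmapViewOfFile/CloseHandle on the "not a PE file" path.
 */
static void ShowPeInfo(HWND hDlg, LPCTSTR path)
{
    HANDLE hFile = INVALID_HANDLE_VALUE;
    HANDLE hFileMap = NULL;
    LPVOID lpMemory = NULL;
    DWORD cbFile;
    BOOL fPe64 = FALSE;
    PIMAGE_FILE_HEADER pFileHeader;
    PIMAGE_OPTIONAL_HEADER pOptionHeader;
    PIMAGE_DATA_DIRECTORY dir;
    DWORD entryPoint;

    /* Bitwise OR: the original wrote FILE_SHARE_READ || FILE_SHARE_WRITE, which
     * evaluates to 1 (FILE_SHARE_READ only), so files held open for writing
     * elsewhere failed to open. */
    hFile = CreateFile(path, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                       OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        MessageBox(hDlg, "Could not open file.", "ERROR", MB_ICONERROR);
        goto cleanup;
    }

    /* GetFileSize reports failure as INVALID_FILE_SIZE; an empty file cannot be
     * mapped at all.  The original left lpMemory uninitialized in both cases and
     * went on to parse it. */
    cbFile = GetFileSize(hFile, NULL);
    if (cbFile == 0 || cbFile == INVALID_FILE_SIZE) {
        MessageBox(hDlg, "你选择的不是PE文件", "error", MB_ICONERROR);
        goto cleanup;
    }

    hFileMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
    if (hFileMap == NULL) {
        MessageBox(hDlg, "CreateFileMapping failed.", "ERROR", MB_ICONERROR);
        goto cleanup;
    }
    lpMemory = MapViewOfFile(hFileMap, FILE_MAP_READ, 0, 0, 0);
    if (lpMemory == NULL) {
        MessageBox(hDlg, "MapViewOfFile failed.", "ERROR", MB_ICONERROR);
        goto cleanup;
    }

    /* Bounds-check the headers against the mapped size before the size-less
     * helpers are allowed to follow e_lfanew. */
    if (!PeHeadersInBounds(lpMemory, cbFile, &fPe64) || !IsPeFile(lpMemory)) {
        MessageBox(hDlg, "你选择的不是PE文件", "error", MB_ICONERROR);
        goto cleanup;
    }

    pFileHeader = GetFileHeader(lpMemory);
    pOptionHeader = GetOptionalHeader(lpMemory);
    if (!(pFileHeader && pOptionHeader)) {
        MessageBox(hDlg, "获取文件头指针失败", "PEINFO", MB_ICONERROR);
        goto cleanup;
    }

    /* Machine and NumberOfSections live in IMAGE_FILE_HEADER, and Magic is the
     * first field of the optional header, so these do not depend on PE32/PE32+. */
    SetHex16(hDlg, IDC_MACHINE, pFileHeader->Machine);
    SetHex16(hDlg, IDC_NUMSECTION, pFileHeader->NumberOfSections);
    SetHex16(hDlg, IDC_MAGIC, pOptionHeader->Magic);

    /* DataDirectory sits at a different offset in IMAGE_OPTIONAL_HEADER64 than in
     * IMAGE_OPTIONAL_HEADER32; choose the layout from the file's Magic rather
     * than from the build's native PIMAGE_OPTIONAL_HEADER, which the original did
     * and which misreads PE32+ files in a 32-bit build. */
    if (fPe64) {
        PIMAGE_OPTIONAL_HEADER64 o64 = (PIMAGE_OPTIONAL_HEADER64)pOptionHeader;
        entryPoint = o64->AddressOfEntryPoint;
        dir = o64->DataDirectory;
    } else {
        PIMAGE_OPTIONAL_HEADER32 o32 = (PIMAGE_OPTIONAL_HEADER32)pOptionHeader;
        entryPoint = o32->AddressOfEntryPoint;
        dir = o32->DataDirectory;
    }

    /* NOTE: NumberOfRvaAndSizes is not consulted.  PeHeadersInBounds() guarantees
     * the three entries read here are inside the mapped header bytes, so the
     * reads are safe; if the count is smaller the values are just meaningless. */
    SetHex32(hDlg, IDC_ENTERPOINT, entryPoint);
    SetHex32(hDlg, IDC_EDIT_RVA_EXPORT, dir[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
    SetHex32(hDlg, IDC_EDIT_SIZE_EXPORT, dir[IMAGE_DIRECTORY_ENTRY_EXPORT].Size);
    SetHex32(hDlg, IDC_EDIT_RVA_IMPORT, dir[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
    SetHex32(hDlg, IDC_EDIT_SIZE_IMPORT, dir[IMAGE_DIRECTORY_ENTRY_IMPORT].Size);
    SetHex32(hDlg, IDC_EDIT_RVA_RES, dir[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress);
    SetHex32(hDlg, IDC_EDIT_SIZE_RES, dir[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size);

cleanup:
    if (lpMemory != NULL)
        UnmapViewOfFile(lpMemory);
    if (hFileMap != NULL)
        CloseHandle(hFileMap);
    if (hFile != INVALID_HANDLE_VALUE)
        CloseHandle(hFile);
}

/*
 * Dialog procedure for IDD_DIALOG.
 *
 * WM_INITDIALOG  - nothing to set up; return TRUE so the default focus is set.
 * WM_CLOSE       - end the modal dialog.
 * WM_COMMAND     - IDM_OPEN shows the file picker, echoes the chosen path into
 *                  IDC_FILENAME and hands it to ShowPeInfo().
 *
 * Returns TRUE for messages handled here and FALSE for everything else, as a
 * dialog procedure should.
 */
BOOL CALLBACK DlgProc(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam)
{
    OPENFILENAME ofn;
    TCHAR szPe[] = "\"PE File(*.exe)\" \0*.exe;*.dll;*.scr;*.fon;*.drv;\0\"*.All File(*.*) \0*.*\0\0";
    TCHAR szFileName[MAX_PATH] = "";

    (void)lParam;

    switch (message) {
    case WM_INITDIALOG:
        return TRUE;

    case WM_CLOSE:
        EndDialog(hDlg, 0);
        return TRUE;

    case WM_COMMAND:
        if (LOWORD(wParam) != IDM_OPEN)
            break;

        ZeroMemory(&ofn, sizeof(ofn));
        ofn.lStructSize = sizeof(ofn);
        ofn.hwndOwner = hDlg;
        /* hInstance is only consulted with OFN_ENABLETEMPLATE; the original stored
         * the dialog HWND in it, which is the wrong type anyway.  Leave it NULL. */
        ofn.lpstrFilter = szPe;
        ofn.lpstrFile = szFileName;
        ofn.nMaxFile = sizeof(szFileName) / sizeof(szFileName[0]);  /* in TCHARs */
        /* Bitwise OR: the original wrote OFN_FILEMUSTEXIST || OFN_PATHMUSTEXIST,
         * which evaluates to 1 == OFN_READONLY, so neither existence check was
         * applied and the picker showed a "Read Only" box instead. */
        ofn.Flags = OFN_FILEMUSTEXIST | OFN_PATHMUSTEXIST;

        if (!GetOpenFileName(&ofn)) {
            /* FALSE with no extended error means the user cancelled; only a real
             * failure deserves the error box the original showed for both. */
            if (CommDlgExtendedError() != 0)
                MessageBox(hDlg, "GetOpenFileName 调用失败", "ERROR", MB_ICONERROR);
            return TRUE;
        }

        SetDlgItemText(hDlg, IDC_FILENAME, szFileName);
        ShowPeInfo(hDlg, szFileName);
        return TRUE;

    default:
        break;
    }
    return FALSE;
}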
168
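/*
 * Return TRUE when the memory at ImageBase starts with a DOS header ("MZ")
 * whose e_lfanew points at a "PE\0\0" signature, FALSE otherwise (including
 * for a NULL ImageBase).
 *
 * SECURITY: only the two magic values are checked.  This function receives no
 * size, so it cannot verify that e_lfanew lies inside the mapping; with a
 * truncated or hostile file the signature read may fault or read unrelated
 * memory.  Callers parsing untrusted files must bounds-check e_lfanew against
 * the mapped size before calling this.
 */
BOOL IsPeFile(LPVOID ImageBase)
{
    PIMAGE_DOS_HEADER pDosHeader;
    PIMAGE_NT_HEADERS pNtHeader;

    if (ImageBase == NULL)
        return FALSE;

    pDosHeader = (PIMAGE_DOS_HEADER)ImageBase;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return FALSE;

    /* e_lfanew is a signed LONG; a negative value would walk before the mapping. */
    if (pDosHeader->e_lfanew < 0)
        return FALSE;

    /* Offset through a byte pointer.  The original cast the pointer itself to
     * DWORD, which truncates the address in a 64-bit build. */
    pNtHeader = (PIMAGE_NT_HEADERS)((PBYTE)ImageBase + pDosHeader->e_lfanew);
    return pNtHeader->Signature == IMAGE_NT_SIGNATURE;
}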
185
186 //FileHeader 内容的读取
187
188
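/*
 * Return a pointer to the IMAGE_NT_HEADERS of the image at ImageBase, or NULL
 * when IsPeFile() rejects it.
 *
 * Same caveat as IsPeFile(): no size is available here, so e_lfanew is not
 * bounds-checked against the mapping; validate the header range first when
 * the file is untrusted.
 */
PIMAGE_NT_HEADERS GetNtHeader(LPVOID ImageBase)
{
    PIMAGE_DOS_HEADER pDosHeader;

    if (!IsPeFile(ImageBase))
        return NULL;

    pDosHeader = (PIMAGE_DOS_HEADER)ImageBase;
    /* Offset through a byte pointer; the original cast the pointer to DWORD,
     * which truncates the address in a 64-bit build. */
    return (PIMAGE_NT_HEADERS)((PBYTE)ImageBase + pDosHeader->e_lfanew);
}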
201
/*
 * Return the IMAGE_FILE_HEADER of the image at Imagebase, or NULL when
 * GetNtHeader() does not recognise it as a PE image.  The header is not
 * copied; the pointer aims into the caller's mapping.
 */
PIMAGE_FILE_HEADER WINAPI GetFileHeader(LPVOID Imagebase)
{
    PIMAGE_NT_HEADERS nt = GetNtHeader(Imagebase);

    return nt ? &nt->FileHeader : NULL;
}
212
/*
 * Return the optional header of the image at ImageBase, or NULL when
 * GetNtHeader() does not recognise it as a PE image.
 *
 * NOTE(review): PIMAGE_OPTIONAL_HEADER is the build target's native layout
 * (32- or 64-bit), not the layout selected by the file's Magic field.  Only
 * Magic is safe to read through this pointer without first checking it;
 * fields after it should be read through the 32- or 64-bit header type that
 * matches the file.
 */
PIMAGE_OPTIONAL_HEADER GetOptionalHeader(LPVOID ImageBase)
{
    PIMAGE_NT_HEADERS nt = GetNtHeader(ImageBase);

    if (nt == NULL)
        return NULL;
    return &nt->OptionalHeader;
}
