初次解析PE
来源:互联网 发布:游戏帧数限制软件 编辑:程序博客网 时间:2024/05/29 18:51
知识点补充
=======================================================================================================
1.LPVOID
LPVOID,是一个没有类型的指针,也就是说你可以将LPVOID类型的变量赋值给任意类型的指针。
比如在参数传递时就可以把任意类型传递给一个LPVOID类型为参数的方法,然后在方法内再将这个“任意类型”从传递时的“LPVOID类型”转换回来
2.LPSTR
在WINNT.H中有如下定义:
typedef char CHAR;
typedef CHAR *LPSTR,*PSTR
也就是说LPSTR与PSTR定义的变量与char *定义的变量完全相同,都可以作为指向字符串的指针
不过,LPSTR的字面意思是指向字符串的长指针(相对于16位而言),PSTR的字面意思是指向字符串的指针,但是由于32位的普及,从Visual C++ 6.0开始它们完全相同,没有任何区别,只是由于习惯大家还分别在不同的地方使用它们
3.void *memset(void *s,int c,size_t n)
作用:将已开辟内存空间 s 的首 n 个字节的值设为值 c。
4.sprintf,swprintf
用于将格式化的数据写入字符串。使用这两个方法需要包含<stdio.h>头文件
原型:
int sprintf( char *buffer, const char *format [, argument] ... );
int swprintf( wchar_t *buffer, const wchar_t *format [, argument] ... );
5.HANDLE CreateFile(
LPCTSTR lpFileName, //指向文件名的指针
DWORD dwDesiredAccess, //访问模式
DWORD dwShareMode, //共享模式
LPSECURITY_ATTRIBUTES lpSecurityAttributes, //指向安全属性的指针
DWORD dwCreationDispostion , //如何创建
DWORD dwFlagsAndAttributes, //文件属性
HANDLE hTemplateFile ); //用于复制文件的句柄
/////////////////////////////////////////////////////////////////////////////////////
使用文件映射的方式进行共享数据:
先要使用函数CreateFileMapping来创建一个想共享的文件数据句柄,
然后使用MapViewOfFile来获取共享的内存地址,
然后使用OpenFileMapping函数在另一个进程里打开共享文件的名称,
这样就可以实现不同的进程共享数据
/////////////////////////////////////////////////////////////////////////////////////
5.HANDLE CreateFileMapping(
HANDLE hFile, //创建共享文件的句柄
LPSECURITY_ATTRIBUTES lpFileMappingAttributes,//文件共享的属性
DWORD flProtect, //当文件映射时读写文件的属性
DWORD dwMaximumSizeHigh, //文件共享的大小高位字节
DWORD dwMaximumSizeLow, //文件共享的大小高位字节
LPCTSTR lpName );//共享文件对象名称
6.LPVOID MapViewOfFile(
HANDLE hFileMappingObject, //共享文件对象
DWORD dwDesiredAccess, //文件共享属性
DWORD dwFileOffsetHigh, //文件共享区的偏移地址
DWORD dwFileOffsetLow, //文件共享区的偏移地址
DWORD dwNumberOfBytesToMap );//共享数据长度
=========================================================================================
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
WORD e_magic; // Magic number
WORD e_cblp; // Bytes on last page of file
WORD e_cp; // Pages in file
WORD e_crlc; // Relocations
WORD e_cparhdr; // Size of header in paragraphs
WORD e_minalloc; // Minimum extra paragraphs needed
WORD e_maxalloc; // Maximum extra paragraphs needed
WORD e_ss; // Initial (relative) SS value
WORD e_sp; // Initial SP value
WORD e_csum; // Checksum
WORD e_ip; // Initial IP value
WORD e_cs; // Initial (relative) CS value
WORD e_lfarlc; // File address of relocation table
WORD e_ovno; // Overlay number
WORD e_res[4]; // Reserved words
WORD e_oemid; // OEM identifier (for e_oeminfo)
WORD e_oeminfo; // OEM information; e_oemid specific
WORD e_res2[10]; // Reserved words
LONG e_lfanew; // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
typedef struct _IMAGE_NT_HEADERS {
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
typedef struct _IMAGE_FILE_HEADER {
WORD Machine;
WORD NumberOfSections;
DWORD TimeDateStamp;
DWORD PointerToSymbolTable;
DWORD NumberOfSymbols;
WORD SizeOfOptionalHeader;
WORD Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
// dtd_10.cpp : Defines the entry point for the console application.//#include "stdafx.h"#include <windows.h>#include <time.h>typedef struct _MAP_FILE_STRUCT{HANDLE hFile;HANDLE hMapping;LPVOID ImageBase;} MAP_FILE_STRUCT, *PMAP_FILE_STRUCT;bool LoadFile(LPTSTR lpFileName, PMAP_FILE_STRUCT pstMapFile){if (lpFileName == NULL){return false;}HANDLE hFile;HANDLE hMapping;LPVOID ImageBase;memset(pstMapFile, 0, sizeof(MAP_FILE_STRUCT));hFile = CreateFile(lpFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);if (!hFile){return false;}hMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, 0);if (!hMapping){CloseHandle(hFile);return false;}ImageBase = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);if (!ImageBase){CloseHandle(hFile);CloseHandle(hMapping);return false;}pstMapFile->hFile = hFile;pstMapFile->hMapping = hMapping;pstMapFile->ImageBase = ImageBase;return true;}void UnLoadFile(PMAP_FILE_STRUCT pstMapFile){if (pstMapFile->hFile){CloseHandle(pstMapFile->hFile);}if (pstMapFile->hMapping){CloseHandle(pstMapFile->hMapping);}if (pstMapFile->ImageBase){UnmapViewOfFile(pstMapFile->ImageBase);}}bool IsPEFile(LPVOID ImageBase){PIMAGE_DOS_HEADER pDH = NULL;PIMAGE_NT_HEADERS32 pNtH = NULL;if (!ImageBase){return false;}pDH = (PIMAGE_DOS_HEADER)ImageBase;if (pDH->e_magic != IMAGE_DOS_SIGNATURE) //"MZ"{return false;}pNtH = (PIMAGE_NT_HEADERS32) ( (DWORD)pDH + pDH->e_lfanew);if (pNtH->Signature != IMAGE_NT_SIGNATURE) //"PE"{return false;}return true;}// _IMAGE_NT_HEADERSPIMAGE_NT_HEADERS GetNtHeaders(LPVOID ImageBase){PIMAGE_DOS_HEADER pDH = NULL;PIMAGE_NT_HEADERS pNtH = NULL;if (!IsPEFile(ImageBase)){return NULL;}pDH = (PIMAGE_DOS_HEADER)ImageBase;pNtH = (PIMAGE_NT_HEADERS)((DWORD)pDH + pDH->e_lfanew);return pNtH;}// _IMAGE_FILE_HEADERPIMAGE_FILE_HEADER GetFileHeader(LPVOID ImageBase){PIMAGE_NT_HEADERS pNtH = GetNtHeaders(ImageBase);if (!pNtH){return NULL;}return &(pNtH->FileHeader);}// _IMAGE_OPTIOANAL_HEADERPIMAGE_OPTIONAL_HEADER GetOptionalHeader(LPVOID ImageBase){PIMAGE_NT_HEADERS pNtH = GetNtHeaders(ImageBase);if (!pNtH){return NULL;}return &(pNtH->OptionalHeader);}void ShowFileHeaderInfo(PMAP_FILE_STRUCT stMapFile){char strTmp[1024] = {0};PIMAGE_FILE_HEADER pFH = NULL;PIMAGE_OPTIONAL_HEADER pOH = NULL;pFH = GetFileHeader(stMapFile->ImageBase);if (!pFH){printf("Get File Header failed!\n");return;}// format timetime_t t = pFH->TimeDateStamp;char strTime[26] = {0};tm* ptmBegin = localtime(&t);strftime(strTime, 26, "%Y/%m/%d %H:%M:%S", ptmBegin);// result to HEXchar *strFileHeaderFormat ="\IMAGE_FILE_HEADER:\n\Machine: %04lX\n\NumberOfSections: %04lX\n\TimeDateStamp: %s (%04lX)\n\PointerToSymbolTable: %08X\n\NumberOfSymbols: %08lX\n\SizeOfOptionalHeader: %04lX\n\Characteristics: %04lX\n\n\";sprintf(strTmp, strFileHeaderFormat, pFH->Machine, pFH->NumberOfSections, strTime, pFH->TimeDateStamp, pFH->PointerToSymbolTable, pFH->NumberOfSymbols, pFH->SizeOfOptionalHeader, pFH->Characteristics);printf("%s", strTmp);memset(strTmp, 0, sizeof(strTmp));char *strFileOptHeaderFormat = "\IMAGE_OPTIONAL_HEADER:\n\Entry Point: %08lX\n\Image Base: %08lX\n\Code Base: %08lX\n\Data Base: %08lX\n\Image Size: %08lX\n\Headers Size: %08lX\n\Section Alignment: %08lX\n\File Alignment: %08lX\n\Subsystem: %08lX\n\Check Sum: %04lX\n\Dll Flags: %04lX\n\";pOH= GetOptionalHeader(stMapFile->ImageBase);if (!pOH){printf("Get File Optional Header failed!\n");return;}sprintf(strTmp, strFileOptHeaderFormat, pOH->AddressOfEntryPoint, pOH->ImageBase, pOH->BaseOfCode, pOH->BaseOfData, pOH->SizeOfImage, pOH->SizeOfHeaders, pOH->SectionAlignment, pOH->FileAlignment, pOH->Subsystem, pOH->CheckSum, pOH->DllCharacteristics);printf("%s", strTmp);}MAP_FILE_STRUCT stMapFile = { NULL, NULL, NULL };int main(){LPTSTR filePath = TEXT("c:\\D\\StuPE.exe");UnLoadFile(&stMapFile);if (!LoadFile(filePath, &stMapFile)){return -1;}if (!IsPEFile(stMapFile.ImageBase)){UnLoadFile(&stMapFile);return -1;}ShowFileHeaderInfo(&stMapFile);UnLoadFile(&stMapFile);return 0;}
[2017-05-01]
- 初次解析PE
- pe解析
- PE 经典解析
- C# 解析 PE格式文件
- windows PE结构解析
- Python解析PE文件
- PE格式解析代码
- windows PE结构解析
- PE结构解析;
- PE文件解析
- PE文件结构解析
- PE解析一
- PE文件结构解析
- PE文件格式解析
- PE文件解析代码
- PE文件解析(C#)
- 【EXE PE】vs_version_info全解析
- 使用pefile解析PE文件格式
- Android内存泄露
- ADS-B显示终端7.0
- 新建一个laravel框架
- 5月1日,RunIntClass,每日20行。
- C++实现视频截图
- 初次解析PE
- Java Socket实战之二 多线程通信
- 概念的图解 —— 数学
- 线性表_使用栈实现二进制转换到八进制/十进制/十六进制
- Java Socket实战之三 传输对象
- Vijos 1335题:数独验证
- 集合框架-HashMap和Hashtable的区别
- ACProtect壳2.0版本的分析
- Cocos2d-x lua 3.x VS集成Babelua 环境搭建与代码调试