初次解析PE

来源：互联网发布：游戏帧数限制软件编辑：程序博客网时间：2024/05/29 18:51

知识点补充

=======================================================================================================
1.LPVOID
LPVOID,是一个没有类型的指针，也就是说你可以将LPVOID类型的变量赋值给任意类型的指针。
比如在参数传递时就可以把任意类型传递给一个LPVOID类型为参数的方法，然后在方法内再将这个“任意类型”从传递时的“LPVOID类型”转换回来

2.LPSTR
在WINNT.H中有如下定义：
typedef char CHAR;
typedef CHAR *LPSTR,*PSTR
也就是说LPSTR与PSTR定义的变量与char *定义的变量完全相同，都可以作为指向字符串的指针
不过，LPSTR的字面意思是指向字符串的长指针（相对于16位而言），PSTR的字面意思是指向字符串的指针，但是由于32位的普及，从Visual C++ 6.0开始它们完全相同，没有任何区别，只是由于习惯大家还分别在不同的地方使用它们

3.void *memset(void *s,int c,size_t n)
作用：将已开辟内存空间 s 的首 n 个字节的值设为值 c。

4.sprintf,swprintf
用于将格式化的数据写入字符串。使用这两个方法需要包含<stdio.h>头文件
原型：
int sprintf( char *buffer, const char *format [, argument] ... );
int swprintf( wchar_t *buffer, const wchar_t *format [, argument] ... );

5.HANDLE CreateFile(
LPCTSTR lpFileName, //指向文件名的指针
DWORD dwDesiredAccess, //访问模式
DWORD dwShareMode, //共享模式
LPSECURITY_ATTRIBUTES lpSecurityAttributes, //指向安全属性的指针
DWORD dwCreationDispostion , //如何创建
DWORD dwFlagsAndAttributes, //文件属性
HANDLE hTemplateFile ); //用于复制文件的句柄

/////////////////////////////////////////////////////////////////////////////////////
使用文件映射的方式进行共享数据:
先要使用函数CreateFileMapping来创建一个想共享的文件数据句柄，
然后使用MapViewOfFile来获取共享的内存地址，
然后使用OpenFileMapping函数在另一个进程里打开共享文件的名称，
这样就可以实现不同的进程共享数据
/////////////////////////////////////////////////////////////////////////////////////

5.HANDLE CreateFileMapping(
HANDLE hFile, //创建共享文件的句柄
LPSECURITY_ATTRIBUTES lpFileMappingAttributes,//文件共享的属性
DWORD flProtect, //当文件映射时读写文件的属性
DWORD dwMaximumSizeHigh, //文件共享的大小高位字节
DWORD dwMaximumSizeLow, //文件共享的大小高位字节
LPCTSTR lpName );//共享文件对象名称

6.LPVOID MapViewOfFile(
HANDLE hFileMappingObject, //共享文件对象
DWORD dwDesiredAccess, //文件共享属性
DWORD dwFileOffsetHigh, //文件共享区的偏移地址
DWORD dwFileOffsetLow, //文件共享区的偏移地址
DWORD dwNumberOfBytesToMap );//共享数据长度

=========================================================================================
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
WORD e_magic; // Magic number
WORD e_cblp; // Bytes on last page of file
WORD e_cp; // Pages in file
WORD e_crlc; // Relocations
WORD e_cparhdr; // Size of header in paragraphs
WORD e_minalloc; // Minimum extra paragraphs needed
WORD e_maxalloc; // Maximum extra paragraphs needed
WORD e_ss; // Initial (relative) SS value
WORD e_sp; // Initial SP value
WORD e_csum; // Checksum
WORD e_ip; // Initial IP value
WORD e_cs; // Initial (relative) CS value
WORD e_lfarlc; // File address of relocation table
WORD e_ovno; // Overlay number
WORD e_res[4]; // Reserved words
WORD e_oemid; // OEM identifier (for e_oeminfo)
WORD e_oeminfo; // OEM information; e_oemid specific
WORD e_res2[10]; // Reserved words
LONG e_lfanew; // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

typedef struct _IMAGE_NT_HEADERS {
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;

typedef struct _IMAGE_FILE_HEADER {
WORD Machine;
WORD NumberOfSections;
DWORD TimeDateStamp;
DWORD PointerToSymbolTable;
DWORD NumberOfSymbols;
WORD SizeOfOptionalHeader;
WORD Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

// dtd_10.cpp : Defines the entry point for the console application.//#include "stdafx.h"#include <windows.h>#include <time.h>typedef struct _MAP_FILE_STRUCT{HANDLE hFile;HANDLE hMapping;LPVOID ImageBase;} MAP_FILE_STRUCT, *PMAP_FILE_STRUCT;bool LoadFile(LPTSTR lpFileName, PMAP_FILE_STRUCT pstMapFile){if (lpFileName == NULL){return false;}HANDLE hFile;HANDLE hMapping;LPVOID ImageBase;memset(pstMapFile, 0, sizeof(MAP_FILE_STRUCT));hFile = CreateFile(lpFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);if (!hFile){return false;}hMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, 0);if (!hMapping){CloseHandle(hFile);return false;}ImageBase = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);if (!ImageBase){CloseHandle(hFile);CloseHandle(hMapping);return false;}pstMapFile->hFile = hFile;pstMapFile->hMapping = hMapping;pstMapFile->ImageBase = ImageBase;return true;}void UnLoadFile(PMAP_FILE_STRUCT pstMapFile){if (pstMapFile->hFile){CloseHandle(pstMapFile->hFile);}if (pstMapFile->hMapping){CloseHandle(pstMapFile->hMapping);}if (pstMapFile->ImageBase){UnmapViewOfFile(pstMapFile->ImageBase);}}bool IsPEFile(LPVOID ImageBase){PIMAGE_DOS_HEADER pDH = NULL;PIMAGE_NT_HEADERS32 pNtH = NULL;if (!ImageBase){return false;}pDH = (PIMAGE_DOS_HEADER)ImageBase;if (pDH->e_magic != IMAGE_DOS_SIGNATURE)  //"MZ"{return false;}pNtH = (PIMAGE_NT_HEADERS32) ( (DWORD)pDH + pDH->e_lfanew);if (pNtH->Signature != IMAGE_NT_SIGNATURE) //"PE"{return false;}return true;}// _IMAGE_NT_HEADERSPIMAGE_NT_HEADERS GetNtHeaders(LPVOID ImageBase){PIMAGE_DOS_HEADER pDH = NULL;PIMAGE_NT_HEADERS pNtH = NULL;if (!IsPEFile(ImageBase)){return NULL;}pDH = (PIMAGE_DOS_HEADER)ImageBase;pNtH = (PIMAGE_NT_HEADERS)((DWORD)pDH + pDH->e_lfanew);return pNtH;}// _IMAGE_FILE_HEADERPIMAGE_FILE_HEADER GetFileHeader(LPVOID ImageBase){PIMAGE_NT_HEADERS pNtH = GetNtHeaders(ImageBase);if (!pNtH){return NULL;}return &(pNtH->FileHeader);}// _IMAGE_OPTIOANAL_HEADERPIMAGE_OPTIONAL_HEADER GetOptionalHeader(LPVOID ImageBase){PIMAGE_NT_HEADERS pNtH = GetNtHeaders(ImageBase);if (!pNtH){return NULL;}return &(pNtH->OptionalHeader);}void ShowFileHeaderInfo(PMAP_FILE_STRUCT stMapFile){char strTmp[1024] = {0};PIMAGE_FILE_HEADER pFH = NULL;PIMAGE_OPTIONAL_HEADER pOH = NULL;pFH = GetFileHeader(stMapFile->ImageBase);if (!pFH){printf("Get File Header failed!\n");return;}// format timetime_t t = pFH->TimeDateStamp;char strTime[26] = {0};tm* ptmBegin = localtime(&t);strftime(strTime, 26, "%Y/%m/%d %H:%M:%S", ptmBegin);// result to HEXchar *strFileHeaderFormat ="\IMAGE_FILE_HEADER:\n\Machine:                   %04lX\n\NumberOfSections:          %04lX\n\TimeDateStamp:             %s (%04lX)\n\PointerToSymbolTable:      %08X\n\NumberOfSymbols:           %08lX\n\SizeOfOptionalHeader:      %04lX\n\Characteristics:           %04lX\n\n\";sprintf(strTmp, strFileHeaderFormat, pFH->Machine, pFH->NumberOfSections, strTime, pFH->TimeDateStamp, pFH->PointerToSymbolTable, pFH->NumberOfSymbols,        pFH->SizeOfOptionalHeader, pFH->Characteristics);printf("%s", strTmp);memset(strTmp, 0, sizeof(strTmp));char *strFileOptHeaderFormat = "\IMAGE_OPTIONAL_HEADER:\n\Entry Point:              %08lX\n\Image Base:               %08lX\n\Code Base:                %08lX\n\Data Base:                %08lX\n\Image Size:               %08lX\n\Headers Size:             %08lX\n\Section Alignment:        %08lX\n\File Alignment:           %08lX\n\Subsystem:                %08lX\n\Check Sum:                %04lX\n\Dll Flags:                %04lX\n\";pOH= GetOptionalHeader(stMapFile->ImageBase);if (!pOH){printf("Get File Optional Header failed!\n");return;}sprintf(strTmp, strFileOptHeaderFormat, pOH->AddressOfEntryPoint, pOH->ImageBase, pOH->BaseOfCode, pOH->BaseOfData,        pOH->SizeOfImage, pOH->SizeOfHeaders, pOH->SectionAlignment, pOH->FileAlignment, pOH->Subsystem, pOH->CheckSum, pOH->DllCharacteristics);printf("%s", strTmp);}MAP_FILE_STRUCT stMapFile = { NULL, NULL, NULL };int main(){LPTSTR filePath = TEXT("c:\\D\\StuPE.exe");UnLoadFile(&stMapFile);if (!LoadFile(filePath, &stMapFile)){return -1;}if (!IsPEFile(stMapFile.ImageBase)){UnLoadFile(&stMapFile);return -1;}ShowFileHeaderInfo(&stMapFile);UnLoadFile(&stMapFile);return 0;}

[2017-05-01]

0 0