C++打印PE文件头信息Demo

来源：互联网发布：软件生命周期模型有编辑：程序博客网时间：2024/05/17 09:29

PE文件格式被组织为一个线性的数据流，它由一个MS-DOS头部开始，接着是一个是模式的程序残余以及一个PE文件标志，这之后紧接着PE文件头和可选头部。这些之后是所有的段头部，段头部之后跟随着所有的段实体。文件的结束处是一些其它的区域，其中是一些混杂的信息，包括重分配信息、符号表信息、行号信息以及字串表数据。

PE文件主要信息按顺序

IMAGE_DOS_HEADER MS-DOS MZ头部

DOS STUB MS-DOS 实模式残余程序

NTSIGNATURE PE文件标识

IMAGE_FILE_HEADER PE文件头

IMAGE_OPTIONAL_HEADER PE可选头

IMAGE_SECTION_HEADER 多个段

包括.text .bss .rdata等

更详细的信息请参考：http://www.vckbase.com/document/viewdoc/?id=1334

下面给出将头文件打印出来的源码：

PE.h

#ifndef _X_PE_H_#define _X_PE_H_//获取PE头基地址#define SIZE_OF_NT_SIGNATURE sizeof(DWORD)#define NTSIGNATURE(a) ((LPVOID)((BYTE *)a + ((PIMAGE_DOS_HEADER)a)->e_lfanew - 1))#define PEFHDROFFSET(a) ((LPVOID)((BYTE *)a + ((PIMAGE_DOS_HEADER)a)->e_lfanew - 1 + SIZE_OF_NT_SIGNATURE))#define OPTHDROFFSET(a) ((LPVOID)((BYTE *)a + ((PIMAGE_DOS_HEADER)a)->e_lfanew - 1 + SIZE_OF_NT_SIGNATURE + sizeof(IMAGE_FILE_HEADER)))DWORD WINAPI ImageFileType (LPVOID lpFile);#endif

PE.cpp

#include <windows.h>#include <stdio.h>#include <iostream>#include "pe.h"using namespace std;//PE文件类型判断DWORD WINAPI ImageFileType (LPVOID lpFile){/* 首先出现的是DOS文件标志 */if (*(USHORT *)lpFile == IMAGE_DOS_SIGNATURE){/* 由DOS头部决定PE文件头部的位置 */if (LOWORD (*(DWORD *)NTSIGNATURE (lpFile)) ==IMAGE_OS2_SIGNATURE ||LOWORD (*(DWORD *)NTSIGNATURE (lpFile)) ==IMAGE_OS2_SIGNATURE_LE)return (DWORD)LOWORD(*(DWORD *)NTSIGNATURE (lpFile));else if (*(DWORD *)NTSIGNATURE (lpFile) ==IMAGE_NT_SIGNATURE)return IMAGE_NT_SIGNATURE;elsereturn IMAGE_DOS_SIGNATURE;}else/* 不明文件种类 */return 0;}int main(){//业务信息参考//http://www.vckbase.com/document/viewdoc/?id=1334CHAR szBuf[2048];FILE* pFile=fopen("E://task//Win32//Debug//win32.exe","r");//这里加载一个PE文件int iRead=fread(szBuf,1,2048,pFile);//MZ-DOS头IMAGE_DOS_HEADER* dos;dos=(IMAGE_DOS_HEADER*)szBuf;cout.setf(ios::hex,ios::basefield);//设置十六进制显示数值cout.setf(ios::showbase|ios::uppercase);//设置0x头和大写cout<<"dos->e_magic="<<dos->e_magic<<endl;cout<<"dos->e_lfanew="<<dos->e_lfanew<<endl;cout<<"NTSIGNATURE="<<*(DWORD *)NTSIGNATURE(szBuf)<<endl;cout<<"ImageFileType="<<ImageFileType(szBuf)<<" is ";switch(ImageFileType(szBuf)){case IMAGE_DOS_SIGNATURE://MZcout<<"IMAGE_DOS_SIGNATURE"<<endl;break;case IMAGE_OS2_SIGNATURE://NEcout<<"IMAGE_OS2_SIGNATURE"<<endl;break;case IMAGE_OS2_SIGNATURE_LE:cout<<"IMAGE_OS2_SIGNATURE_LE"<<endl;break;case IMAGE_NT_SIGNATURE:cout<<"IMAGE_NT_SIGNATURE"<<endl;}cout<<"PEFHDROFFSET="<<PEFHDROFFSET(szBuf)<<endl;//PE必选头PIMAGE_FILE_HEADER header =(PIMAGE_FILE_HEADER)PEFHDROFFSET(szBuf);cout<<"Machine="<<header->Machine<<endl;cout<<"区段数NumberOfSections="<<header->NumberOfSections<<endl;cout<<"建立时间TimeDateStamp="<<header->TimeDateStamp<<endl;cout<<"PointerToSymbolTable="<<header->PointerToSymbolTable<<endl;cout<<"可选头部大小SizeOfOptionalHeader="<<header->SizeOfOptionalHeader<<endl;cout<<"特征Characteristics="<<header->Characteristics<<endl;//PE可选头PIMAGE_OPTIONAL_HEADER opHeader=(PIMAGE_OPTIONAL_HEADER)OPTHDROFFSET(szBuf);cout<<"魔术字Magic="<<opHeader->Magic<<endl;//0x010B为.EXE，0x0107为ROM映像cout<<"连接器主版本MajorLinkerVersion="<<(short)opHeader->MajorLinkerVersion<<endl;cout<<"连接器副版本MinorLinkerVersion="<<(short)opHeader->MinorLinkerVersion<<endl;cout<<"可执行代码大小SizeOfCode="<<opHeader->SizeOfCode<<endl;cout<<"已初始化的数据大小SizeOfInitializedData="<<opHeader->SizeOfInitializedData<<endl;cout<<"未初始化的数据大小SizeOfUninitializedData="<<opHeader->SizeOfUninitializedData<<endl;cout<<"入口点AddressOfEntryPoint="<<opHeader->AddressOfEntryPoint<<endl;cout<<"代码基址(.text段)BaseOfCode="<<opHeader->BaseOfCode<<endl;cout<<"数据基址(.bss段)BaseOfData="<<opHeader->BaseOfData<<endl;cout<<"映像基址ImageBase"<<opHeader->ImageBase<<endl;//进程映像地址空间中的首选基地址,Windows NT的Microsoft Win32 SDK链接器将这个值默认设为0x00400000，但是你可以使用-BASE:linker开关改变这个值。 cout<<"区段对齐SectionAlignment="<<opHeader->SectionAlignment<<endl;cout<<"FileAlignment="<<opHeader->FileAlignment<<endl;cout<<"NT主版本号MajorOperatingSystemVersion="<<opHeader->MajorOperatingSystemVersion<<endl;cout<<"NT副版本号MinorOperatingSystemVersion="<<opHeader->MinorOperatingSystemVersion<<endl;cout<<"应用程序主版本号MajorImageVersion="<<opHeader->MajorImageVersion<<endl;cout<<"应用程序副版本号MinorImageVersion="<<opHeader->MinorImageVersion<<endl;cout<<"Win32子系统主版本号MajorSubsystemVersion="<<opHeader->MajorSubsystemVersion<<endl;cout<<"Win32子系统副版本号MinorSubsystemVersion="<<opHeader->MinorSubsystemVersion<<endl;cout<<"SizeOfImage="<<opHeader->SizeOfImage<<endl;cout<<"头大小SizeOfHeaders="<<opHeader->SizeOfHeaders<<endl;cout<<"校验和CheckSum="<<opHeader->CheckSum<<endl;//私有算法cout<<"子系统Subsystem="<<opHeader->Subsystem<<endl;cout<<"DllCharacteristics="<<opHeader->DllCharacteristics<<endl;cout<<"SizeOfStackReserve="<<opHeader->SizeOfStackReserve<<endl;cout<<"SizeOfStackCommit="<<opHeader->SizeOfStackCommit<<endl;cout<<"SizeOfHeapReserve="<<opHeader->SizeOfHeapReserve<<endl;cout<<"SizeOfHeapCommit="<<opHeader->SizeOfHeapCommit<<endl;cout<<"LoaderFlags="<<opHeader->LoaderFlags<<endl;cout<<"NumberOfRvaAndSizes="<<opHeader->NumberOfRvaAndSizes<<endl;cout<<"导出表RVA:"<<opHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress<<endl;cout<<"导出表大小:"<<opHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size<<endl;cout<<"导入表RVA:"<<opHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress<<endl;cout<<"导入表大小:"<<opHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size<<endl;cout<<"资源RVA:"<<opHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress<<endl;cout<<"资源大小:"<<opHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size<<endl;cout<<"TLSRVA:"<<opHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress<<endl;cout<<"TLS大小:"<<opHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size<<endl;cout<<"调试RVA:"<<opHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].VirtualAddress<<endl;cout<<"调试:"<<opHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].Size<<endl;cout<<sizeof(IMAGE_OPTIONAL_HEADER)<<endl;PIMAGE_SECTION_HEADER ps=(PIMAGE_SECTION_HEADER)((BYTE*)opHeader+sizeof(IMAGE_OPTIONAL_HEADER));//打印所有的段信息for (int i=0;i<header->NumberOfSections;i++){cout<<endl;cout<<"Name="<<ps[i].Name<<endl;cout<<"PhysicalAddress="<<ps[i].Misc.PhysicalAddress<<endl;cout<<"VirtualSize="<<ps[i].Misc.VirtualSize<<endl;cout<<"VirtualAddress="<<ps[i].VirtualAddress<<endl;cout<<"SizeOfRawData="<<ps[i].SizeOfRawData<<endl;cout<<"PointerToRawData="<<ps[i].PointerToRawData<<endl;cout<<"PointerToRelocations="<<ps[i].PointerToRelocations<<endl;cout<<"PointerToLinenumbers="<<ps[i].PointerToLinenumbers<<endl;cout<<"NumberOfRelocations="<<ps[i].NumberOfRelocations<<endl;cout<<"NumberOfLinenumbers="<<ps[i].NumberOfLinenumbers<<endl;cout<<"Characteristics="<<ps[i].Characteristics<<endl;}return 0;}