WindowsPE

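// windows pe code;
// by:lostgg
//
// Dumps the headers, section table and import table of a PE file.
// The file is mapped read-only and every header offset / RVA is checked
// against the size of the mapping before it is dereferenced, so a truncated
// or malformed input yields an error message instead of an out-of-bounds
// read or access violation.
#include <windows.h>
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <ctime>

// Run `cc` (normally a printf) and return `ret` from the enclosing function.
#define ERROR_HANDLE(cc, ret) \
    do {                      \
        cc;                   \
        return ret;           \
    } while (0)

// Pointers to the main PE structures inside the read-only file mapping.
struct MPEStruct {
    PIMAGE_DOS_HEADER pDos;
    PIMAGE_NT_HEADERS pNt;             // = (PIMAGE_NT_HEADERS)(base + pDos->e_lfanew)
    PIMAGE_SECTION_HEADER pSection;    // first entry of the section table
    PIMAGE_IMPORT_DESCRIPTOR pImport;  // first import descriptor, or NULL
    PIMAGE_EXPORT_DIRECTORY pExport;   // export directory, or NULL
};

// Original helper: map an RVA to an absolute address (mapping base + file
// offset). Kept for compatibility; it carries no length information and its
// u_long/int types truncate pointers on 64-bit builds, so the rest of this
// file uses RvaToPtr instead. Returns 0 when the RVA is inside no section.
//
// fristSection  first section table entry
// count         number of section table entries
// address       RVA to translate
// baseaddr      address of the file mapping
int VaToVf(PIMAGE_SECTION_HEADER fristSection, u_long count, u_long address, u_long baseaddr)
{
    for (u_long i = 0; i < count; ++i) {
        const IMAGE_SECTION_HEADER *sec = fristSection + i;
        // `>=`: an RVA equal to the section start belongs to that section
        // (the original used `>` and missed it).
        if (address >= sec->VirtualAddress &&
            address < sec->VirtualAddress + sec->Misc.VirtualSize) {
            return (int)(address - sec->VirtualAddress + sec->PointerToRawData + baseaddr);
        }
    }
    return 0;
}

// Translate an RVA into a pointer inside the mapped file.
//
// base/mapSize  start and length of the file mapping
// firstSection  first section table entry (already bounds-checked by the caller)
// count         number of section table entries
// rva           relative virtual address to translate
// need          number of bytes the caller will read at the returned pointer
//
// Returns NULL when the RVA is in no section, when it lands in the part of a
// section that exists only in memory (VirtualSize > SizeOfRawData, e.g. .bss),
// or when the `need` bytes would run past the section's raw data or past the
// end of the mapping.
static const BYTE *RvaToPtr(const BYTE *base, size_t mapSize,
                            PIMAGE_SECTION_HEADER firstSection, WORD count,
                            DWORD rva, size_t need)
{
    for (WORD i = 0; i < count; ++i) {
        const IMAGE_SECTION_HEADER *sec = firstSection + i;
        // A zero VirtualSize means "use the raw size".
        ULONGLONG vsize = sec->Misc.VirtualSize ? sec->Misc.VirtualSize : sec->SizeOfRawData;
        // 64-bit arithmetic so VirtualAddress + size cannot wrap on a crafted header.
        if (rva < sec->VirtualAddress ||
            (ULONGLONG)rva >= (ULONGLONG)sec->VirtualAddress + vsize) {
            continue;
        }
        ULONGLONG off = (ULONGLONG)rva - sec->VirtualAddress;
        if (off + need > sec->SizeOfRawData) {
            return NULL;  // only present in memory, not backed by file bytes
        }
        ULONGLONG fileOff = (ULONGLONG)sec->PointerToRawData + off;
        if (fileOff + need > mapSize) {
            return NULL;  // truncated file / bogus PointerToRawData
        }
        return base + (size_t)fileOff;
    }
    return NULL;
}

// RvaToPtr for a NUL-terminated string: the pointer is returned only when a
// terminator exists before the end of the mapping, so printing the result
// with %s cannot read past the file. Returns NULL otherwise.
static const char *RvaToStr(const BYTE *base, size_t mapSize,
                            PIMAGE_SECTION_HEADER firstSection, WORD count, DWORD rva)
{
    const BYTE *p = RvaToPtr(base, mapSize, firstSection, count, rva, 1);
    if (p == NULL) {
        return NULL;
    }
    // RvaToPtr guarantees at least one byte is available at p.
    size_t avail = mapSize - (size_t)(p - base);
    return memchr(p, '\0', avail) ? (const char *)p : NULL;
}

// Walk the import descriptor array and print every DLL with its imported
// names or ordinals. Each descriptor and thunk is bounds-checked, so the walk
// stops at the end of the file data instead of reading past it.
static void DumpImports(const BYTE *base, size_t mapSize, MPEStruct *pe, DWORD importRva)
{
    PIMAGE_SECTION_HEADER secs = pe->pSection;
    WORD nsec = pe->pNt->FileHeader.NumberOfSections;

    pe->pImport = (PIMAGE_IMPORT_DESCRIPTOR)RvaToPtr(base, mapSize, secs, nsec, importRva,
                                                     sizeof(IMAGE_IMPORT_DESCRIPTOR));
    if (pe->pImport == NULL) {
        printf("Import table RVA 0x%lx is not backed by file data\r\n", (unsigned long)importRva);
        return;
    }

    for (DWORD idx = 0;; ++idx) {
        // Re-check every descriptor: the array is terminated by an all-zero
        // entry, but a corrupt file may omit it.
        DWORD descRva = importRva + idx * (DWORD)sizeof(IMAGE_IMPORT_DESCRIPTOR);
        const IMAGE_IMPORT_DESCRIPTOR *desc = (const IMAGE_IMPORT_DESCRIPTOR *)
            RvaToPtr(base, mapSize, secs, nsec, descRva, sizeof(IMAGE_IMPORT_DESCRIPTOR));
        if (desc == NULL || desc->Name == 0) {
            break;
        }

        const char *dll = RvaToStr(base, mapSize, secs, nsec, desc->Name);
        printf("--------------------------------------------------\r\n");
        printf("                 Import File:%s                     \r\n", dll ? dll : "<bad name rva>");
        printf("--------------------------------------------------\r\n");

        // Some linkers leave OriginalFirstThunk (the import name table) zero
        // and fill only FirstThunk; fall back to it. The original `continue`d
        // here without advancing the descriptor, which looped forever on an
        // unmappable thunk RVA.
        DWORD thunkRva = desc->OriginalFirstThunk ? desc->OriginalFirstThunk : desc->FirstThunk;

        // IMAGE_THUNK_DATA is this build's bitness, matching the
        // IMAGE_NT_OPTIONAL_HDR_MAGIC check done in DumpPe.
        for (DWORD t = 0;; ++t) {
            DWORD rva = thunkRva + t * (DWORD)sizeof(IMAGE_THUNK_DATA);
            const IMAGE_THUNK_DATA *thunk = (const IMAGE_THUNK_DATA *)
                RvaToPtr(base, mapSize, secs, nsec, rva, sizeof(IMAGE_THUNK_DATA));
            if (thunk == NULL || thunk->u1.AddressOfData == 0) {
                break;
            }
            if (IMAGE_SNAP_BY_ORDINAL(thunk->u1.Ordinal)) {
                // Ordinal import: there is no IMAGE_IMPORT_BY_NAME to follow,
                // so the original's "+ 2" name lookup would read garbage here.
                printf("Import ordinal:%u\r\n", (unsigned)IMAGE_ORDINAL(thunk->u1.Ordinal));
                continue;
            }
            // IMAGE_IMPORT_BY_NAME is a WORD hint followed by the NUL-terminated name.
            DWORD nameRva = (DWORD)(thunk->u1.AddressOfData + sizeof(WORD));
            const char *fn = RvaToStr(base, mapSize, secs, nsec, nameRva);
            printf("Import funciton:%s\r\n", fn ? fn : "<bad name rva>");
        }
    }
}

// Validate the headers of a mapped PE image and print its summary.
// base/mapSize: start and length of the read-only mapping.
// Returns 0 on success, 1 when the data is not a well-formed PE of this
// build's bitness.
static int DumpPe(const BYTE *base, size_t mapSize)
{
    MPEStruct pe;  // the PE structures located inside the mapping

    // DOS header: "MZ" and a sane e_lfanew before it is added to base.
    if (mapSize < sizeof(IMAGE_DOS_HEADER)) {
        ERROR_HANDLE(printf("File too small for a DOS header\r\n"), 1);
    }
    pe.pDos = (PIMAGE_DOS_HEADER)base;
    if (pe.pDos->e_magic != IMAGE_DOS_SIGNATURE) {
        ERROR_HANDLE(printf("Not a DOS/PE file (e_magic=0x%x)\r\n", (unsigned)pe.pDos->e_magic), 1);
    }
    // e_lfanew is a signed LONG read from the file; it may be negative or
    // point past the end of the file.
    if (mapSize < sizeof(IMAGE_NT_HEADERS) || pe.pDos->e_lfanew < 0 ||
        (size_t)pe.pDos->e_lfanew > mapSize - sizeof(IMAGE_NT_HEADERS)) {
        ERROR_HANDLE(printf("Bad e_lfanew:0x%lx\r\n", (long)pe.pDos->e_lfanew), 1);
    }

    // NT headers: "PE\0\0" and an optional header of this build's bitness.
    // IMAGE_NT_HEADERS is the 32- or 64-bit layout depending on how this tool
    // is compiled; a PE of the other bitness has a different OptionalHeader
    // and is not handled here (the original silently misparsed it).
    pe.pNt = (PIMAGE_NT_HEADERS)(base + pe.pDos->e_lfanew);
    if (pe.pNt->Signature != IMAGE_NT_SIGNATURE) {
        ERROR_HANDLE(printf("Bad NT signature:0x%lx\r\n", (unsigned long)pe.pNt->Signature), 1);
    }
    if (pe.pNt->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC) {
        ERROR_HANDLE(printf("Unsupported optional header magic:0x%x\r\n",
                            (unsigned)pe.pNt->OptionalHeader.Magic), 1);
    }

    printf("CPU:%x\r\n", (unsigned)pe.pNt->FileHeader.Machine);
    printf("Section table count:%d\r\n", (int)pe.pNt->FileHeader.NumberOfSections);

    // TimeDateStamp is seconds since the Unix epoch (unsigned 32-bit).
    time_t utm = pe.pNt->FileHeader.TimeDateStamp;
    tm stamp;
    if (localtime_s(&stamp, &utm) == 0) {
        printf("Create time:%d-%d-%d %d:%d:%d\r\n", stamp.tm_year + 1900, stamp.tm_mon + 1,
               stamp.tm_mday, stamp.tm_hour, stamp.tm_min, stamp.tm_sec);
    } else {
        printf("Create time:invalid (0x%lx)\r\n", (unsigned long)pe.pNt->FileHeader.TimeDateStamp);
    }

    // Question1 from the original: IMAGE_FILE_32BIT_MACHINE only says the
    // image targets a 32-bit machine and is set on DLLs too, so the dll
    // branch was unreachable. IMAGE_FILE_DLL must be tested first because
    // DLLs also carry IMAGE_FILE_EXECUTABLE_IMAGE.
    WORD chars = pe.pNt->FileHeader.Characteristics;
    if (chars & IMAGE_FILE_DLL) {
        printf("FileType:dll\r\n");
    } else if (chars & IMAGE_FILE_EXECUTABLE_IMAGE) {
        printf("FileType:exe\r\n");
    } else {
        printf("Unknown type:0x%xh\r\n", (unsigned)chars);
    }

    // ImageBase is DWORD on 32-bit and ULONGLONG on 64-bit builds; widen it so
    // one format specifier is correct for both (the original passed it to %p).
    unsigned long long imageBase = pe.pNt->OptionalHeader.ImageBase;
    printf("Base address:0x%llx\r\n", imageBase);
    printf("Run address :0x%llx\r\n", imageBase + pe.pNt->OptionalHeader.AddressOfEntryPoint);

    // Section table: starts right after the optional header. Its size comes
    // from the file header (not sizeof), so compute the offset as an integer
    // and check it before forming a pointer.
    WORD nsec = pe.pNt->FileHeader.NumberOfSections;
    size_t secOff = (size_t)pe.pDos->e_lfanew + offsetof(IMAGE_NT_HEADERS, OptionalHeader) +
                    pe.pNt->FileHeader.SizeOfOptionalHeader;
    if (secOff > mapSize || (mapSize - secOff) / sizeof(IMAGE_SECTION_HEADER) < nsec) {
        ERROR_HANDLE(printf("Section table runs past end of file\r\n"), 1);
    }
    pe.pSection = (PIMAGE_SECTION_HEADER)(base + secOff);

    for (WORD i = 0; i < nsec; ++i) {
        const IMAGE_SECTION_HEADER *sec = pe.pSection + i;
        // Name is 8 bytes and has no terminator when all 8 are used.
        printf("Block:%.8s\r\n", (const char *)sec->Name);
        printf("Property:0x%lx\r\n", (unsigned long)sec->Characteristics);  // see MSDN IMAGE_SCN_*
    }

    // Data directories: NumberOfRvaAndSizes says how many entries are valid;
    // it can be smaller than the 16 slots declared in the struct.
    const IMAGE_DATA_DIRECTORY *dirs = pe.pNt->OptionalHeader.DataDirectory;
    DWORD ndirs = pe.pNt->OptionalHeader.NumberOfRvaAndSizes;
    if (ndirs > IMAGE_NUMBEROF_DIRECTORY_ENTRIES) {
        ndirs = IMAGE_NUMBEROF_DIRECTORY_ENTRIES;
    }
    DWORD exportRva = ndirs > IMAGE_DIRECTORY_ENTRY_EXPORT ? dirs[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress : 0;
    DWORD importRva = ndirs > IMAGE_DIRECTORY_ENTRY_IMPORT ? dirs[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress : 0;

    if (exportRva == 0) {
        printf("--------------------------------------------------\r\n");
        printf("                 no find explort information      \r\n");
        printf("--------------------------------------------------\r\n");
    } else {
        // Export enumeration was left unwritten in the original; only locate
        // the directory and report whether it is backed by file data.
        pe.pExport = (PIMAGE_EXPORT_DIRECTORY)RvaToPtr(base, mapSize, pe.pSection, nsec, exportRva,
                                                       sizeof(IMAGE_EXPORT_DIRECTORY));
        printf("Export table at RVA 0x%lx%s\r\n", (unsigned long)exportRva,
               pe.pExport ? "" : " (not backed by file data)");
    }

    if (importRva == 0) {
        printf("--------------------------------------------------\r\n");
        printf("                 no find import information!      \r\n");
        printf("--------------------------------------------------\r\n");
    } else {
        DumpImports(base, mapSize, &pe, importRva);
    }
    return 0;
}

// Entry point: map the file given as argv[1] (default D:\cc.exe, as in the
// original) and dump it. Exit status is 1 on any failure so callers can
// tell a parse error from success.
int main(int argc, char *argv[])
{
    const char *path = argc > 1 ? argv[1] : "D:\\cc.exe";

    HANDLE hFile = CreateFile(path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING,
                              FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        ERROR_HANDLE(printf("CreateFile Error:%lu\r\n", GetLastError()), 1);
    }

    int rc = 1;
    // The file size bounds every header/RVA check in DumpPe.
    LARGE_INTEGER size;
    if (!GetFileSizeEx(hFile, &size)) {
        printf("GetFileSizeEx Error:%lu\r\n", GetLastError());
    } else if (size.QuadPart <= 0 || (ULONGLONG)size.QuadPart > SIZE_MAX) {
        printf("Unsupported file size\r\n");
    } else {
        HANDLE hMapFile = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
        if (hMapFile == NULL) {
            printf("CreateFileMapping Error:%lu\r\n", GetLastError());
        } else {
            LPVOID lpMapAddress = MapViewOfFile(hMapFile, FILE_MAP_READ, 0, 0, 0);
            if (lpMapAddress == NULL) {
                printf("MapViewOfFile Error:%lu\r\n", GetLastError());
            } else {
                rc = DumpPe((const BYTE *)lpMapAddress, (size_t)size.QuadPart);
                UnmapViewOfFile(lpMapAddress);  // the original leaked the view and both handles
            }
            CloseHandle(hMapFile);
        }
    }
    CloseHandle(hFile);
    return rc;
}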


 
