我觉得要真正弄懂pe最好的方式就是自己写程序获得pe的相关信息,所以就按照在上所学的,尝试自己写代码,当然为了能直观的体现出思路,我写的是控制台的代码,而且也没有加入防错措施,主要是为了自己理解,同样也是和像我这样的菜鸟分享,大牛对于我这么菜的代码可以直接飘过,好了不多说了,直接贴代码,一共分六个帖子贴出,每个帖子获得pe结构的一项内容,之所以不把代码写在一起,是为了大家(还是那句话,和我一样的菜鸟)好理解。
// PEDosHeader.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <windows.h>
#include <time.h>
#include <imagehlp.h>
#pragma comment (lib, "imagehlp.lib")
int _tmain(int argc, _TCHAR* argv[])
{
while (TRUE) {
WCHAR cFile[256] = {0};
printf("Please enter the file name and path:");
wscanf(L"%s",cFile);
HANDLE hFile = NULL;
hFile = ::CreateFile((LPCWSTR)cFile,GENERIC_READ,0,NULL,OPEN_EXISTING,NULL,NULL);
if (hFile == INVALID_HANDLE_VALUE){
printf("Create file failed! (%d).\n", GetLastError());
printf("\n");
system("pause");
return 0;
}
//创建文件映射
HANDLE hMap = NULL;
hMap = ::CreateFileMapping(hFile,NULL,PAGE_READONLY,0,0,0);
if (!hMap){
printf("Create file mapping failed! (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//映射要自己进程的空间
LPVOID pMap = NULL;
pMap = ::MapViewOfFile(hMap,FILE_MAP_READ,0,0,0);
if (!pMap){
printf("Mapping file failed (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//获得DOS头文件指针
PIMAGE_DOS_HEADER pDosHeader = NULL;
pDosHeader = (PIMAGE_DOS_HEADER)pMap;
//判断DOS头标志IMAGE_DOS_SIGNATURE 0x5A4D MZ
if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE){
printf("Not DOS Header! (%d).\n\n", GetLastError());
system("pause");
return 0;
}
//打印DOS头信息
printf("|--DosHeader\n" \
"\t|--WORD\te_magic:\t0x%08x\t%s\n" \
"\t|--WORD\te_cblp:\t\t0x%08x\n" \
"\t|--WORD\te_cp:\t\t0x%08x\n" \
"\t|--WORD\te_crlc:\t\t0x%08x\n" \
"\t|--WORD\te_cparhdr:\t0x%08x\n" \
"\t|--WORD\te_minalloc:\t0x%08x\n" \
"\t|--WORD\te_maxalloc:\t0x%08x\n" \
"\t|--WORD\te_ss:\t\t0x%08x\n" \
"\t|--WORD\te_sp:\t\t0x%08x\n" \
"\t|--WORD\te_csum:\t\t0x%08x\n" \
"\t|--WORD\te_ip:\t\t0x%08x\n" \
"\t|--WORD\te_cs:\t\t0x%08x\n" \
"\t|--WORD\te_lfarlc:\t0x%08x\n" \
"\t|--WORD\te_ovno:\t\t0x%08x\n" \
"\t|--WORD\te_res:\n" \
"\t\t|--WORD\te_res[0]:\t0x%08x\n" \
"\t\t|--WORD\te_res[1]:\t0x%08x\n" \
"\t\t|--WORD\te_res[2]:\t0x%08x\n" \
"\t\t|--WORD\te_res[3]:\t0x%08x\n" \
"\t|--WORD\te_oemid:\t0x%08x\n" \
"\t|--WORD\te_oeminfo:\t0x%08x\n" \
"\t|--WORD\te_res2:\n" \
"\t\t|--WORD\te_res2[0]:\t0x%08x\n" \
"\t\t|--WORD\te_res2[1]:\t0x%08x\n" \
"\t\t|--WORD\te_res2[2]:\t0x%08x\n" \
"\t\t|--WORD\te_res2[3]:\t0x%08x\n" \
"\t\t|--WORD\te_res2[4]:\t0x%08x\n" \
"\t\t|--WORD\te_res2[5]:\t0x%08x\n" \
"\t\t|--WORD\te_res2[6]:\t0x%08x\n" \
"\t\t|--WORD\te_res2[7]:\t0x%08x\n" \
"\t\t|--WORD\te_res2[8]:\t0x%08x\n" \
"\t\t|--WORD\te_res2[9]:\t0x%08x\n" \
"\t|--LONG\te_lfanew:\t0x%08x\n\n",
pDosHeader->e_magic,&pDosHeader->e_magic, //魔术数字,IMAGE_DOS_SIGNATURE 0x5A4D MZ
pDosHeader->e_cblp, //文件最后页的字节数\
pDosHeader->e_cp, //文件页数
pDosHeader->e_crlc, //重定义元素个数
pDosHeader->e_cparhdr, //头部尺寸,以段落为单位
pDosHeader->e_minalloc, //所需的最小附加段
pDosHeader->e_maxalloc, //所需的最大附加段
pDosHeader->e_ss, //初始的SS值(相对偏移量)
pDosHeader->e_sp, //初始的SP值
pDosHeader->e_csum, //校验和
pDosHeader->e_ip, //初始的IP值
pDosHeader->e_cs, //初始的CS值(相对偏移量)
pDosHeader->e_lfarlc, //重分配表文件地址
pDosHeader->e_ovno, //覆盖号
pDosHeader->e_res[0], //保留字
pDosHeader->e_res[1],
pDosHeader->e_res[2],
pDosHeader->e_res[3],
pDosHeader->e_oemid, //OEM标识符
pDosHeader->e_oeminfo, //OEM信息
pDosHeader->e_res2[0], //保留字
pDosHeader->e_res2[1],
pDosHeader->e_res2[2],
pDosHeader->e_res2[3],
pDosHeader->e_res2[4],
pDosHeader->e_res2[5],
pDosHeader->e_res2[6],
pDosHeader->e_res2[7],
pDosHeader->e_res2[8],
pDosHeader->e_res2[9],
pDosHeader->e_lfanew); // 新exe头部的文件地址
//关闭打开的句柄,释放资源
::UnmapViewOfFile(pMap);
::CloseHandle(hMap);
::CloseHandle(hFile);
}
system("pause");
return 0;
}
作者 陈卫华
如对本文有疑问,
点击进行留言回复!!
我要评论
网友评论