//pe.cpp
#include "basefunc.h"
#include "mype.h"
void R3_PEdump_Read(DWORD imte);
void writeOBJ(HANDLE h,PBYTE p,DWORD size);
//#include <stdio.h>
EXC BYTE DOSEXE;
BOOL cmd_PEdump(int argc,PSTR* argv);
void cmd_PEdump_( PSTR fname,DWORD imte );
class CPe_CPP
{
public:
// Plug-in bootstrap object: the constructor registers the PEDUMP command
// with the host (see the global instance that follows), the destructor is empty.
CPe_CPP();
~CPe_CPP();
};
CPe_CPP cinit; // a global instance is required: its constructor is what registers the PEDUMP command when the module loads
CPe_CPP::~CPe_CPP()
{
// Nothing to release; the command registration done in the constructor is not undone here.
}
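CPe_CPP::CPe_CPP()
{
    // Runs at static-initialisation time for the global 'cinit' instance and
    // registers the PEDUMP command (handler: cmd_PEdump) with the host.
    // The three adjacent literals are concatenated into one help string, so
    // each line of the help text must end in "\n" — the first line previously
    // lacked it and ran into the second ("...specify filespecify [IMTE]...").
    Add_Command ( "PEDUMP", "[filename] [IMTE]",
        "Dump PE image to 'dump1.exe',or specify file\n"
        "specify [IMTE] only if you want to dump a 32bit DLL,\n"
        "and make sure the DLL is in current context",
        0,
        cmd_PEdump );
    msgl ( "PEDUMP Plugs Initialized..." ) ;
}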
void writeOBJ(HANDLE h,PBYTE p,DWORD size)
{
    // Append 'size' bytes starting at 'p' to the open dump file 'h'.
    // The range is written in page-sized (0x1000) pieces, so each fwrite
    // touches at most one page of the source image; the final partial page
    // (1..0x1000 bytes) is written last. A zero-length request is a no-op.
    prtl("Writing %x len %x",p,size);
    if( size==0 )
        return;
    const DWORD kPage = 0x1000;
    DWORD remaining = size;
    PBYTE cursor = p;
    for( ; remaining > kPage; remaining -= kPage, cursor += kPage )
        fwrite(h,(PVOID)cursor,kPage);
    fwrite(h,(PVOID)cursor,remaining);
}
// ------------------------------------------
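BOOL cmd_PEdump(int argc,PSTR* argv)
{
    // PEDUMP [filename] [IMTE]
    // Dump the PE image of the current process (or of the module whose IMTE
    // is given as the second argument) to 'filename' (default DUMP1.EXE).
    // Returns FALSE only when an argument cannot be parsed (so the host can
    // show usage); every other failure is reported through msgl and returns TRUE.
    if( fPM==0 || fUserVM ){
        msgl( "Can not run PEDUMP now" );
        return TRUE;
    }
    PSTR fname = "DUMP1.EXE";
    if( argc>0 )
        fname = arg1;   // used as given; no validation of the output path is done here
    DWORD imte;
    if( argc==2 )
    {
        // The IMTE is taken from the command line as a raw number and is
        // dereferenced (pimte->pNTHdr) by R3_PEdump_Read/cmd_PEdump_; only a
        // zero value can be rejected below, anything else is trusted as entered.
        DWORD Number;
        if(getNum(arg2,&Number)==FALSE)
            return FALSE;
        imte = Number;
    }
    else
    {
        // Current process: the PDB holds the MTE index, PM[] maps it to the IMTE.
        DWORD d=pw(Pdb+ MTEindex_in_Pdb_2a);
        imte = (DWORD)PM[d];
    }
    // A zero IMTE would be dereferenced inside the nested VMM execution below.
    if( imte==0 ){
        msgl( "PEDUMP: IMTE is zero, nothing to dump" );
        return TRUE;
    }
    Begin_Nest_VMM_Exec();
    R3_PEdump_Read(imte);   // presumably touches the header and sections from ring 3 before the copy — see R3_PEdump_Read
    cmd_PEdump_(fname,imte);
    End_Nest_VMM_Exec();
    return TRUE;
}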
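void cmd_PEdump_(PSTR fname,DWORD imte)
{
    // Write the in-memory PE image described by the IMTE 'imte' to 'fname'.
    //
    // File layout produced (so that file offset == RVA for everything past
    // the headers):
    //   0x80 bytes   DOS stub copied from DOSEXE
    //   headlen      PE signature + file header + optional header, from memory
    //   nsec*40      section table, from memory, after being rewritten
    //   rest         image bytes from ImageBase+len up to the highest
    //                RVA+VirtualSize of any section
    //
    // The *live* image's headers are modified in place before they are
    // copied: every section's PhysicalOffset becomes its RVA and its
    // PhysicalSize its VirtualSize (the file is an unrolled image), and the
    // entry point is set to the current User_EIP. This is intentional.
    //
    // Assumes DOSEXE's e_lfanew is 0x80 and that the first section starts at
    // an RVA >= len (usual for 0x1000-aligned images); neither is checked.
    // DOSEXE is declared above as a single BYTE but 0x80 bytes are written
    // from it, so it is presumably defined elsewhere as the full stub — confirm.
    msgl("PE dump");
    PIMTE pimte = (PIMTE)imte;
    PmyPE oPE = (PmyPE)pimte->pNTHdr;
    // 24 == 4-byte "PE\0\0" signature + 20-byte file header; with the usual
    // 0xe0-byte PE32 optional header the total is 0xf8.
    DWORD headlen = oPE->SizeOfOptionalHeader + 24;
    if( headlen!= 0xf8 ){
        prtl("curious!");
    }
    DWORD psh = (DWORD)oPE+headlen;          // first section header (40 bytes each)
    DWORD nsections = oPE->NumberOfSections;
    DWORD image_base = oPE->ImageBase;
    DWORD len = 0x80+headlen+nsections*40;   // bytes the headers occupy in the file
    // Create the output before touching the live image, so a failed open
    // leaves the process headers exactly as they were.
    HANDLE h = fopen_create(fname);
    if( DWORD(h)==0 )
    {
        msgl("PEDUMP: can not create output file");
        return;
    }
    prtl("VirtualSize RVA PhysicalSize PhysicalOffset");
    prtl("----------");
    DWORD d_max=0;
    for( DWORD i=0;i<nsections;i++ ){
        PObject_Table p = (PObject_Table)(psh+i*40);
        prtl("%8x %8x %8x %8x",
            p->VirtualSize,
            p->RVA,
            p->PhysicalSize,
            p->PhysicalOffset);
        // Highest section end, from the fields that the rewrite below does not touch.
        DWORD end = p->RVA + p->VirtualSize;
        if( end > d_max )
            d_max = end;
        p->PhysicalOffset = p->RVA;          // important!!!
        p->PhysicalSize = p->VirtualSize;    // petite 2.1 need this
    }
    oPE->AddressOfEntryPoint = User_EIP - image_base;
    msgl("Writing DOS head");
    fwrite(h,&DOSEXE,0x80);
    prtl("Writing PE head, from %x, len %x+%x",oPE,headlen,nsections*40);
    fwrite(h,oPE,headlen);                   // PE signature + headers
    fwrite(h,(PSTR)psh,nsections*40);        // section table (already rewritten)
    // Guard the unsigned subtraction: d_max <= len would otherwise wrap to a
    // huge length and writeOBJ would copy far beyond the image.
    if( d_max > len )
        writeOBJ(h,(PBYTE)image_base+len, d_max-len );
    else
        prtl("no section data beyond the headers, d_max %x len %x",d_max,len);
    fclose(h);
}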
EXC void R3_read(PVOID p,DWORD len);
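void R3_PEdump_Read(DWORD imte)
{
    // Pass every byte range that cmd_PEdump_ will later copy out of the image
    // described by 'imte' to R3_read: the PE header, the section table, and
    // the image body from ImageBase+len to the highest section end
    // (RVA+VirtualSize). The ranges are computed exactly as in cmd_PEdump_
    // so both functions cover the same bytes; keep them in sync.
    // What R3_read does with a range is defined elsewhere (presumably reads
    // it from ring 3 so not-present pages are faulted in) — confirm.
    PIMTE pimte = (PIMTE)imte;
    PmyPE oPE = (PmyPE)pimte->pNTHdr;
    DWORD headlen = oPE->SizeOfOptionalHeader + 24;   // signature + file header + optional header
    DWORD psh = (DWORD)oPE+headlen;                    // first section header (40 bytes each)
    DWORD nsections = oPE->NumberOfSections;
    DWORD image_base = oPE->ImageBase;
    DWORD len = 0x80+headlen+nsections*40;             // header bytes as laid out in the dump file
    R3_read(oPE,headlen);                              // PE header (a read, not a write)
    R3_read((PSTR)psh,nsections*40);                   // section table
    DWORD d_max=0;
    for( DWORD i=0;i<nsections;i++ ){
        PObject_Table p = (PObject_Table)(psh+i*40);
        DWORD end = p->RVA + p->VirtualSize;
        if( end > d_max )
            d_max = end;
    }
    // Guard the unsigned subtraction: d_max <= len would otherwise wrap to a
    // huge length.
    if( d_max > len )
        R3_read((PSTR)image_base+len, d_max-len );
}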