{*******************************************************}
{ FileName WinDump }
{ Function PE file dumper: DOS/NT headers, section table, imports, exports }
{ Authors sjctheworld }
{ E_mail sjctheworld@sohu.com }
{ Copyright (c) 2004-2005 }
{ }
{ Thanks Matt Pietrek }
{*******************************************************}
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, Menus, StdCtrls, ComCtrls,shellapi;
type
//my_type
// A bit mask plus the label to print when that bit is set; used by the
// Characteristics lookup tables declared in the implementation section.
TFlag_DES = record
flag:DWORD;
name:string;
end;
// Fixed-size tables. Their bounds must agree with the const tables below and
// with the loop limits in the Dump* routines that index them.
TImageFileHeaderCharacteristics = array[0..9] of Tflag_des;
TSectionCharacteristics = array[0..12] of Tflag_des;
// NOTE(review): only 13 directory names are declared here, but a PE optional
// header carries up to 16 data directory entries. Any loop that indexes this
// table by NumberOfRvaAndSizes taken from the file must clamp to High() or it
// reads past the end of the array.
TImageDirectoryNames = array[0..12] of string;
// The records below mirror WinNT.h import structures that Borland's Windows.pas
// does not declare. Field offsets follow the C layout exactly; only names differ.
// Union at offset 0 of IMAGE_IMPORT_DESCRIPTOR: 0 means the descriptor array
// is terminated, otherwise it is the RVA of the import name table (INT).
Tu = record
case Integer of
0: (Characteristics: DWORD;);
1: (OriginalFirstThunk: DWORD;);
end;
pImageImportDescriptor = ^TImageImportDescriptor;
_IMAGE_IMPORT_DESCRIPTOR = record
u:tu;
TimedateStamp: DWORD;
ForwarderChina: DWORD; // WinNT.h calls this ForwarderChain; same offset, so layout is unaffected
Name: DWORD;           // RVA of the NUL-terminated DLL name
FirstThunk: DWORD;     // RVA of the import address table (IAT)
end;
TImageImportDescriptor = _IMAGE_IMPORT_DESCRIPTOR;
IMAGE_IMPORT_DESCRIPTOR = _IMAGE_IMPORT_DESCRIPTOR;
// One IMAGE_THUNK_DATA entry; all four views are the same 32-bit word.
// ('Function' is a reserved word in Pascal, hence myFunction.)
Tu1 = record
case Integer of
0: (Forwarderstring: DWORD);
1: (myFunction: DWORD);
2: (Ordinal: DWORD);
3: (AddressOfData: DWORD);
end;
pImageThunkData = ^TImageThunkData;
_IMAGE_THUNK_DATA = record
u1:Tu1;
end;
TImageThunkData = _IMAGE_THUNK_DATA;
IMAGE_THUNK_DATA = _IMAGE_THUNK_DATA;
pImageImportByName = ^TImageImportByName;
// WinNT.h declares Name as BYTE Name[1] followed by a NUL-terminated string of
// arbitrary length; it is widened to 100 bytes here so the record can be read
// directly from the mapping. Two consequences for any reader of this record:
// a name longer than 99 bytes is not fully covered by the array, and a record
// that starts within the last 100 bytes of the mapped file extends past the end
// of the view. Treat Name as a C string bounded by the remaining mapped bytes,
// not as a 100-byte field.
_IMAGE_IMPORT_BY_NAME = record
Hint: WORD;
Name:array [0..99] of byte;
end;
TImageImportByName = _IMAGE_IMPORT_BY_NAME;
IMAGE_IMPORT_BY_NAME = _IMAGE_IMPORT_BY_NAME;
//end;
// Main window of WinDump. The published component fields below are bound to
// Unit1.dfm by name and order; do not rename or reorder them without updating
// the form file.
TForm1 = class(TForm)
OpenDialog1: TOpenDialog;
MainMenu1: TMainMenu;
File1: TMenuItem;
Help1: TMenuItem;
Set1: TMenuItem;
open1: TMenuItem;
Save1: TMenuItem;
N1: TMenuItem;
Exit1: TMenuItem;
About1: TMenuItem;
Memo1: TMemo;
SaveDialog1: TSaveDialog;
StatusBar1: TStatusBar;
N2: TMenuItem;
DisplayDos1: TMenuItem;
DisplayFile1: TMenuItem;
DisplayOptional1: TMenuItem;
N3: TMenuItem;
DisplayAll1: TMenuItem;
Set2: TMenuItem;
English1: TMenuItem;
Chinese1: TMenuItem;
Op1: TMenuItem;
Displyset1: TMenuItem;
Pre1: TMenuItem;
MainMenu2: TMainMenu;
N4: TMenuItem;
V1: TMenuItem;
O1: TMenuItem;
L1: TMenuItem;
H1: TMenuItem;
A1: TMenuItem;
E1: TMenuItem;
C1: TMenuItem;
ColorDialog1: TColorDialog;
FontDialog1: TFontDialog;
DistplayFontset1: TMenuItem;
procedure Exit1Click(Sender: TObject);
procedure open1Click(Sender: TObject);
procedure About1Click(Sender: TObject);
procedure Chinese1Click(Sender: TObject);
procedure E1Click(Sender: TObject);
procedure Memo1Click(Sender: TObject);
private
{ Private declarations }
// Entry point of the dump: maps FileName read-only and drives the Dump*
// routines. The mapped file is untrusted input; every offset the routines
// below follow (e_lfanew, directory RVAs, section counts) is read from the
// file itself, and none of them receives the size of the mapped view.
procedure analyzepe(FileName:string);//----------------
// Checks the PE signature and dispatches to the header/section/import/export dumps.
procedure DumpExeFile(PEDosHeader:PImageDosHeader);
// Prints the IMAGE_FILE_HEADER fields and the names of the set Characteristics bits.
procedure DumpFileHeader(PEFileHeader:pImageFileHeader);
// Prints the IMAGE_OPTIONAL_HEADER fields (PE32 layout assumed).
procedure DumpOptionalHeader(PEOptionalHeader:pImageOptionalHeader);
// Prints cSections IMAGE_SECTION_HEADER entries starting at section.
procedure DumpSectionTable(section:pImageSectionHeader;cSections:integer);
//procedure DumpResourceSection(base:Longword;peNTHeader:pImageNtHeaders);
// base is the address of the mapped file; RVAs are translated through the
// section table (see GetEnclosingSectionHeader) before being dereferenced.
procedure DumpImportsSection(base:LongWord;peNTHeader:pImageNtHeaders);
procedure DumpExportsSection(base:LongWord;peNTHeader:pImageNtHeaders);
// Returns the section header whose virtual range contains rva, or nil
// (presumably; the body is outside this listing) when no section matches.
function GetEnclosingSectionHeader(rva:DWORD;peNTHeader:pImageNtHeaders)
:pImageSectionHeader;
public
{ Public declarations }
end;
var
Form1: TForm1;
const
// IMAGE_FILE_HEADER.Characteristics bits that DumpFileHeader knows how to name.
// The table type is fixed at 10 entries, so bits not listed here (for example
// LARGE_ADDRESS_AWARE, $0020) are counted in the hex value but get no label.
ImageFileHeaderCharacteristics:TImageFileHeaderCharacteristics =
(
(flag:IMAGE_FILE_RELOCS_STRIPPED ; name:'RELOCS_STRIPPED'),
(flag:IMAGE_FILE_EXECUTABLE_IMAGE ; name:'EXECUTABLE_IMAGE'),
(flag:IMAGE_FILE_LINE_NUMS_STRIPPED ; name:'LINE_NUMS_STRIPPED'),
(flag:IMAGE_FILE_LOCAL_SYMS_STRIPPED ; name:'LOCAL_SYMS_STRIPPED'),
(flag:IMAGE_FILE_BYTES_REVERSED_LO ; name:'BYTES_REVERSED_LO'),
(flag:IMAGE_FILE_32BIT_MACHINE ; name:'32BIT_MACHINE'),
(flag:IMAGE_FILE_DEBUG_STRIPPED ; name:'DEBUG_STRIPPED'),
(flag:IMAGE_FILE_SYSTEM ; name:'SYSTEM'),
(flag:IMAGE_FILE_DLL ; name:'DLL'),
(flag:IMAGE_FILE_BYTES_REVERSED_HI ; name:'BYTES_REVERSED_HI')
);
// IMAGE_SECTION_HEADER.Characteristics bits. The MEM_EXECUTE/MEM_WRITE pair
// is the one worth scanning for when reviewing a dump: a section carrying both
// is writable code.
SectionCharacteristics:TSectionCharacteristics=
(
(flag:IMAGE_SCN_CNT_CODE ; name:'CODE'),
(flag:IMAGE_SCN_CNT_INITIALIZED_DATA ; name:'INITIALIZED_DATA'),
(flag:IMAGE_SCN_CNT_UNINITIALIZED_DATA ; name:'UNINITIALIZED_DATA'),
(flag:IMAGE_SCN_LNK_INFO ; name:'LNK_INFO'),
(flag:IMAGE_SCN_LNK_REMOVE ; name:'LNK_REMOVE'),
(flag:IMAGE_SCN_LNK_COMDAT ; name:'LNK_COMDAT'),
(flag:IMAGE_SCN_MEM_DISCARDABLE ; name:'MEM_DISCARDABLE'),
(flag:IMAGE_SCN_MEM_NOT_CACHED ; name:'MEM_NOT_CACHED'),
(flag:IMAGE_SCN_MEM_NOT_PAGED ; name:'MEM_NOT_PAGED'),
(flag:IMAGE_SCN_MEM_SHARED ; name:'MEM_SHARED'),
(flag:IMAGE_SCN_MEM_EXECUTE ; name:'MEM_EXECUTE'),
(flag:IMAGE_SCN_MEM_READ ; name:'MEM_READ'),
(flag:IMAGE_SCN_MEM_WRITE ; name:'MEM_WRITE')
);
// Names for data directory slots 0..12, in IMAGE_DIRECTORY_ENTRY_* order
// (slot 7 was still called COPYRIGHT when this table was written). Slots
// 13..15 (DELAY_IMPORT, COM_DESCRIPTOR, reserved) have no name here, so code
// that walks NumberOfRvaAndSizes entries must not index this table past High().
ImageDirectoryNames:TImageDirectoryNames=
(
'EXPORT', 'IMPORT', 'RESOURCE', 'EXCEPTION', 'SECURITY', 'BASERELOC',
'DEBUG', 'COPYRIGHT', 'GLOBALPTR', 'TLS', 'LOAD_CONFIG',
'BOUND_IMPORT', 'IAT'
);
implementation
{$R *.dfm}
procedure TForm1.Exit1Click(Sender: TObject);
// File > Exit: closing the main form ends the application.
begin
  Self.Close;
end;
procedure TForm1.open1Click(Sender: TObject);
// File > Open: let the user choose a file, then dump it.
// Cancelling the dialog leaves the current dump untouched.
begin
  if not OpenDialog1.Execute then
    Exit;
  analyzepe(OpenDialog1.FileName);
end;
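procedure Tform1.analyzepe(filename:string);
// Maps FileName read-only and dumps it when it carries the 'MZ' signature.
// The file is untrusted input: every header offset the Dump* routines follow
// comes from the file itself, so the view is opened read-only and released in
// a finally block even when a malformed image raises an access violation
// inside the dump. Errors are reported through MessageDlg; nothing is raised.
var
  hfile:THandle;
  hFileMapping:Thandle;
  lpFileBase:pointer;
  PEDosHeader:PImageDosHeader;
  fileSize:DWORD;
begin
  hFile:=CreateFile(pchar(filename), GENERIC_READ, FILE_SHARE_READ,nil,OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
  if hfile=INVALID_HANDLE_VALUE then
  begin
    MessageDlg('Couldn`t open file with CreateFile().',mtInformation,[mbOk],0);
    exit;
  end;
  hFileMapping:=0;
  lpFileBase:=nil;
  try
    // A file shorter than a DOS header cannot be read through PImageDosHeader
    // without running off the end of the view; only the low DWORD of the size
    // is needed for that lower bound. $FFFFFFFF is GetFileSize's error value.
    fileSize:=GetFileSize(hFile,nil);
    if (fileSize=DWORD($FFFFFFFF)) or (fileSize<sizeof(TImageDosHeader)) then
    begin
      messagedlg('unrecognized file format',mtInformation,[mbOk],0);
      exit;
    end;
    hfilemapping:=Createfilemapping(hFile, nil, PAGE_READONLY, 0, 0, nil);
    if hfilemapping=0 then
    begin
      messagedlg('Couldn`t open file mapping with CreateFileMapping()',mtInformation,[mbOk],0);
      // The original fell through here and passed the null handle to MapViewOfFile.
      exit;
    end;
    lpFileBase:=MapViewOfFile(hFileMapping, FILE_MAP_READ, 0, 0, 0);
    if lpFileBase=nil then
    begin
      messagedlg('Couldn`t map view of file with MapViewOfFile()',mtInformation,[mbOk],0);
      exit;
    end;
    memo1.Clear;
    memo1.Lines.add('Dump of file'+' '+filename);
    // The DOS header sits at offset 0; 'MZ' is the only check made before the
    // NT header offset (e_lfanew) is followed in DumpExeFile.
    PEDosHeader:=PImageDosHeader(lpfilebase);
    if PEDosHeader.e_magic=IMAGE_DOS_SIGNATURE then
      DumpExeFile(PEDosHeader)
    else
      messagedlg('unrecognized file format',mtInformation,[mbOk],0);
  finally
    // Runs on every exit path above and on exceptions raised by the dump.
    if lpFileBase<>nil then
      UnmapViewOfFile(lpFileBase);
    if hFileMapping<>0 then
      CloseHandle(hFileMapping);
    CloseHandle(hFile);
  end;
end;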
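procedure Tform1.DumpExeFile(PEDosHeader:PImageDosHeader);
// Validates the PE signature of a mapped image that already passed the 'MZ'
// check and hands each header part to the matching Dump* routine.
// Caveat: this routine only receives the base pointer, not the size of the
// mapped view, so e_lfanew, SizeOfOptionalHeader and NumberOfSections are
// taken from the file and trusted; a crafted image can still steer the reads
// outside the mapping. analyzepe releases the view in a finally block so an
// access violation here does not leak the handles, but the dump is aborted.
var
  PENTHeader:pImageNtHeaders;
  PEsectionHeader:pImageSectionHeader;
  base:longword;
begin
  base:=longword(pedosheader);
  // _lfanew is a signed LongInt. The original cast turned a negative value into
  // a huge unsigned offset before dereferencing it; reject it explicitly.
  // (Small positive values are legal: minimal PEs overlap the DOS header.)
  if pedosheader._lfanew < 0 then
  begin
    messagedlg('Not a Portable Executable (PE) EXE',mtInformation,[mbOk],0);
    exit;
  end;
  PENTHeader:=pImageNtHeaders(base+longword(pedosheader._lfanew));
  if peNTHeader.Signature <> IMAGE_NT_SIGNATURE then
  begin
    messagedlg('Not a Portable Executable (PE) EXE',mtInformation,[mbOk],0);
    exit;
  end;
  DumpfileHeader(pImageFileHeader(@pentheader.FileHeader));
  // TImageOptionalHeader is the PE32 layout. A different Magic ($10B = PE32)
  // means the field offsets and the data directory read below are not where
  // this program expects them; say so rather than dump silently misread values.
  if peNTHeader.OptionalHeader.Magic <> $10B then
    memo1.Lines.Add('  warning: optional header magic is not PE32; field layout below may be wrong');
  DumpOptionalHeader(pImageOptionalHeader(@peNTHeader.OptionalHeader));
  // The section table starts right after the optional header at the length the
  // file header declares, not at sizeof(TImageNtHeaders): images whose optional
  // header is shorter or longer than the PE32 record put it elsewhere
  // (this matches the IMAGE_FIRST_SECTION macro in WinNT.h).
  pesectionheader:=pImageSectionHeader(longword(@peNTHeader.OptionalHeader)
    + peNTHeader.FileHeader.SizeOfOptionalHeader);
  DumpSectionTable(pesectionheader,peNTHeader.FileHeader.NumberOfSections);
  //DumpResourceSection(base,peNTHeader);
  DumpImportsSection(base,peNTHeader);
  DumpExportsSection(base,peNTHeader);
end;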
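procedure TForm1.DumpfileHeader(PEFileHeader:pImageFileHeader);
// Prints the IMAGE_FILE_HEADER (COFF header) fields to Memo1, then one line
// per Characteristics bit that is set and named in ImageFileHeaderCharacteristics.
// PEFileHeader points into the read-only mapping; nothing here follows an
// offset out of the header, so this routine only depends on the caller having
// validated e_lfanew.
const
  headerFieldWidth = 30; // label column width consumed by the '%-*s' formats
var
  i:integer;
  szMachine:string;
begin
  memo1.Lines.Add('');
  memo1.Lines.Add('File Header');
  // Machine identifies the target CPU. Values not known to the Windows.pas of
  // this era are matched by their WinNT.h literals; anything else prints raw.
  case pefileheader.Machine of
    IMAGE_FILE_MACHINE_I386: szMachine := 'i386';
    IMAGE_FILE_MACHINE_R3000: szMachine := 'R3000';
    IMAGE_FILE_MACHINE_R4000: szMachine := 'R4000';
    IMAGE_FILE_MACHINE_ALPHA: szMachine := 'alpha';
    $0200: szMachine := 'IA64';   // IMAGE_FILE_MACHINE_IA64
    $8664: szMachine := 'AMD64';  // IMAGE_FILE_MACHINE_AMD64
  else
    szMachine := 'unknown';
  end;
  memo1.Lines.Add(format(' %-*s%.4x<%s>',[headerFieldWidth,'Machine:',
    peFileHeader.Machine, szMachine]));
  memo1.Lines.Add(format(' %-*s%.4x',[headerFieldWidth,'Number of Sections:',
    peFileHeader.NumberOfSections]));
  memo1.Lines.Add(format(' %-*s%.8x',[headerFieldWidth,'TimeDateStamp:',
    peFileHeader.TimeDateStamp]));
  memo1.Lines.Add(format(' %-*s%.8x',[headerFieldWidth,'PointerToSymbolTable:',
    peFileHeader.PointerToSymbolTable]));
  memo1.Lines.Add(format(' %-*s%.8x',[headerFieldWidth,'NumberOfSymbols:',
    peFileHeader.NumberOfSymbols]));
  memo1.Lines.Add(format(' %-*s%.4x',[headerFieldWidth,'SizeOfOptionalHeader:',
    peFileHeader.SizeOfOptionalHeader]));
  memo1.Lines.Add(format(' %-*s%.4x',[headerFieldWidth,'Characteristics:',
    peFileHeader.Characteristics]));
  // Characteristics is a bit field: test each known mask and print its label
  // when the bit is set. The bounds come from the table type, not a literal,
  // so the loop stays in step if the table grows.
  for i:=Low(ImageFileHeaderCharacteristics) to High(ImageFileHeaderCharacteristics) do
    if (peFileHeader.Characteristics and ImageFileHeaderCharacteristics[i].flag)<>0 then
      memo1.Lines.Add(format( ' %s', [ImageFileHeaderCharacteristics[i].name]));
end;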
procedure TForm1.DumpOptionalHeader(PEOptionalHeader:pImageOptionalHeader);
var
width:integer;
s:string;
i:integer;
datadirname:string;
begin
width:=30;
memo1.Lines.Add('');
memo1.Lines.Add('Optional Header');
memo1.Lines.Add(format(' %-*s%.4X',[width, 'Magic',
peoptionalHeader.Magic]));
memo1.Lines.Add(format(' %-*s%u.%.2u',[width, 'linker versio',
peoptionalHeader.MajorLinkerVersion,
peoptionalHeader.MinorLinkerVersion]));
memo1.Lines.Add(format(' %-*s%X',[width, 'size of code',
peoptionalHeader.SizeOfCode]));
memo1.Lines.Add(format(' %-*s%X',[width, 'size of initialized data',
peoptionalHeader.SizeOfInitializedData]));
memo1.Lines.Add(format(' %-*s%X',[width, 'size of uninitialized data',
peoptionalHeader.SizeOfUninitializedData]));
memo1.Lines.Add(format(' %-*s%X',[width, 'entrypoint RVA',
peoptionalHeader.AddressOfEntryPoint]));
memo1.Lines.Add(format(' %-*s%X',[width, 'base of code',
peoptionalHeader.BaseOfCode]));
memo1.Lines.Add(format(' %-*s%X',[width, 'base of data',
peoptionalHeader.BaseOfData]));
memo1.Lines.Add(format(' %-*s%X',[width, 'image base',
peoptionalHeader.ImageBase]));
memo1.Lines.Add(format(' %-*s%X',[width, 'section align',