📄 pe-tut5.html
字号:
<br>
.endif <br>
invoke UnmapViewOfFile, pMapping <br>
.else <br>
invoke MessageBox, 0, addr FileMappingError, addr AppName, MB_OK+MB_ICONERROR
<br>
.endif <br>
invoke CloseHandle,hMapping
<br>
.else <br>
invoke MessageBox, 0,
addr FileOpenMappingError, addr AppName, MB_OK+MB_ICONERROR <br>
.endif <br>
invoke CloseHandle, hFile <br>
.else <br>
invoke MessageBox, 0, addr FileOpenError,
addr AppName, MB_OK+MB_ICONERROR <br>
.endif <br>
.endif <br>
invoke ExitProcess, 0 <br>
invoke InitCommonControls <br>
start endp <br>
<br>
SEHHandler proc uses edx pExcept:DWORD,pFrame:DWORD,pContext:DWORD,pDispatch:DWORD
<br>
mov edx,pFrame <br>
assume edx:ptr SEH <br>
mov eax,pContext <br>
assume eax:ptr CONTEXT <br>
push [edx].SafeOffset <br>
pop [eax].regEip <br>
push [edx].PrevEsp <br>
pop [eax].regEsp <br>
push [edx].PrevEbp <br>
pop [eax].regEbp <br>
mov ValidPE, FALSE <br>
mov eax,ExceptionContinueExecution <br>
ret <br>
SEHHandler endp <br>
<br>
DlgProc proc uses edi esi hDlg:DWORD, uMsg:DWORD, wParam:DWORD, lParam:DWORD
<br>
LOCAL lvc:LV_COLUMN <br>
LOCAL lvi:LV_ITEM <br>
.if uMsg==WM_INITDIALOG <br>
mov esi, lParam <br>
mov lvc.imask,LVCF_FMT or LVCF_TEXT or LVCF_WIDTH
or LVCF_SUBITEM <br>
mov lvc.fmt,LVCFMT_LEFT <br>
mov lvc.lx,80 <br>
mov lvc.iSubItem,0 <br>
mov lvc.pszText,offset SectionName <br>
invoke SendDlgItemMessage,hDlg,IDC_SECTIONLIST,LVM_INSERTCOLUMN,0,addr
lvc inc lvc.iSubItem <br>
mov lvc.fmt,LVCFMT_RIGHT <br>
mov lvc.pszText,offset VirtualSize <br>
invoke SendDlgItemMessage,hDlg,IDC_SECTIONLIST,LVM_INSERTCOLUMN,1,addr
lvc <br>
inc lvc.iSubItem <br>
mov lvc.pszText,offset VirtualAddress <br>
invoke SendDlgItemMessage,hDlg,IDC_SECTIONLIST,LVM_INSERTCOLUMN,2,addr
lvc <br>
inc lvc.iSubItem <br>
mov lvc.pszText,offset SizeOfRawData <br>
invoke SendDlgItemMessage,hDlg,IDC_SECTIONLIST,LVM_INSERTCOLUMN,3,addr
lvc <br>
inc lvc.iSubItem <br>
mov lvc.pszText,offset RawOffset <br>
invoke SendDlgItemMessage,hDlg,IDC_SECTIONLIST,LVM_INSERTCOLUMN,4,addr
lvc <br>
inc lvc.iSubItem <br>
mov lvc.pszText,offset Characteristics <br>
invoke SendDlgItemMessage,hDlg,IDC_SECTIONLIST,LVM_INSERTCOLUMN,5,addr
lvc <br>
mov ax, NumberOfSections <br>
movzx eax,ax <br>
mov edi,eax <br>
mov lvi.imask,LVIF_TEXT <br>
mov lvi.iItem,0 <br>
assume esi:ptr IMAGE_SECTION_HEADER <br>
.while edi>0 <br>
mov lvi.iSubItem,0 <br>
invoke RtlZeroMemory,addr buffer,9
<br>
invoke lstrcpyn,addr buffer,addr
[esi].Name1,8 <br>
lea eax,buffer <br>
mov lvi.pszText,eax <br>
invoke SendDlgItemMessage,hDlg,IDC_SECTIONLIST,LVM_INSERTITEM,0,addr
lvi <br>
invoke wsprintf,addr buffer,addr
template,[esi].Misc.VirtualSize <br>
lea eax,buffer <br>
mov lvi.pszText,eax <br>
inc lvi.iSubItem <br>
invoke SendDlgItemMessage,hDlg,IDC_SECTIONLIST,LVM_SETITEM,0,addr
lvi <br>
invoke wsprintf,addr buffer,addr
template,[esi].VirtualAddress <br>
lea eax,buffer <br>
mov lvi.pszText,eax <br>
inc lvi.iSubItem <br>
invoke SendDlgItemMessage,hDlg,IDC_SECTIONLIST,LVM_SETITEM,0,addr
lvi <br>
invoke wsprintf,addr buffer,addr
template,[esi].SizeOfRawData <br>
lea eax,buffer <br>
mov lvi.pszText,eax <br>
inc lvi.iSubItem <br>
invoke SendDlgItemMessage,hDlg,IDC_SECTIONLIST,LVM_SETITEM,0,addr
lvi <br>
invoke wsprintf,addr buffer,addr
template,[esi].PointerToRawData <br>
lea eax,buffer <br>
mov lvi.pszText,eax <br>
inc lvi.iSubItem <br>
invoke SendDlgItemMessage,hDlg,IDC_SECTIONLIST,LVM_SETITEM,0,addr
lvi <br>
invoke wsprintf,addr buffer,addr
template,[esi].Characteristics <br>
lea eax,buffer <br>
mov lvi.pszText,eax <br>
inc lvi.iSubItem <br>
invoke SendDlgItemMessage,hDlg,IDC_SECTIONLIST,LVM_SETITEM,0,addr
lvi <br>
inc lvi.iItem <br>
dec edi <br>
add esi, sizeof IMAGE_SECTION_HEADER
<br>
.endw <br>
.elseif <br>
uMsg==WM_CLOSE <br>
invoke EndDialog,hDlg,NULL
<br>
.else <br>
mov eax,FALSE <br>
ret <br>
.endif <br>
mov eax,TRUE <br>
ret <br>
DlgProc endp <br>
<br>
ShowSectionInfo proc uses edi <br>
mov edi, pMapping <br>
assume edi:ptr IMAGE_DOS_HEADER <br>
add edi, [edi].e_lfanew <br>
assume edi:ptr IMAGE_NT_HEADERS <br>
mov ax,[edi].FileHeader.NumberOfSections <br>
movzx eax,ax <br>
mov NumberOfSections,eax <br>
add edi,sizeof IMAGE_NT_HEADERS <br>
invoke DialogBoxParam, hInstance, IDD_SECTIONTABLE,NULL, addr DlgProc,
edi<br>
ret <br>
ShowSectionInfo endp <br>
end start </font></p>
<h3><font face="Arial, Helvetica, sans-serif">Analysis:</font></h3>
<p><font face="MS Sans Serif" size="-1">This example reuses the code of the example
in PE tutorial 2. After it verifies that the file is a valid PE, it calls a
function, ShowSectionInfo.</font></p>
<p><font face="Fixedsys">ShowSectionInfo proc uses edi <br>
mov edi, pMapping <br>
assume edi:ptr IMAGE_DOS_HEADER <br>
add edi, [edi].e_lfanew</font><font face="Fixedsys"><br>
assume edi:ptr IMAGE_NT_HEADERS</font></p>
<p><font face="MS Sans Serif" size="-1">We use edi as the pointer to the data
in the PE file. At first, we initialize it to the value of pMapping which is
the address of the DOS header. Then we add the value in <font color="#FFFFCC"><b>e_lfanew</b></font>
to it so it now contains the address of the PE header.</font></p>
<p><font face="Fixedsys"> mov ax,[edi].FileHeader.NumberOfSections<br>
mov NumberOfSections,ax </font></p>
<p><font face="MS Sans Serif" size="-1">Since we need to walk the section table,
we must obtain the number of sections in this file. That's the value in NumberOfSections
member of the file header. Don't forget that this member is of word size.</font></p>
<p><font face="Fixedsys"> add edi,sizeof IMAGE_NT_HEADERS </font></p>
<p><font face="MS Sans Serif" size="-1">Edi currently contains the address of
the PE header. Adding the size of the PE header to it will make it point at
the section table.</font></p>
<p><font face="Fixedsys"> invoke DialogBoxParam, hInstance, IDD_SECTIONTABLE,NULL,
addr DlgProc, edi</font></p>
<p><font face="MS Sans Serif" size="-1">Call <font color="#FFFFCC"><b>DialogBoxParam</b></font>
to show the dialog box containing the listview control. Note that we pass the
address of the section table as its last parameter. This value will be available
in lParam during <font color="#CCFFCC"><b>WM_INITDIALOG</b></font> message.
</font></p>
<p><font face="MS Sans Serif" size="-1">In the dialog box procedure, in response
to WM_INITDIALOG message, we store the value of lParam (address of the section
table) in esi, the number of sections in edi and then dress up the listview
control. When everything is ready, we enter a loop which will insert the info
about each section into the listview control. This part is very simple.</font></p>
<p><font face="Fixedsys"> .while edi>0 <br>
mov lvi.iSubItem,0 </font></p>
<p><font face="MS Sans Serif" size="-1">Put this string in the first column.</font></p>
<p><font face="Fixedsys"> invoke
RtlZeroMemory,addr buffer,9 <br>
invoke lstrcpyn,addr buffer,addr
[esi].Name1,8 <br>
lea eax,buffer <br>
mov lvi.pszText,eax </font></p>
<p><font face="MS Sans Serif" size="-1">We will display the name of the section
but we must convert it to an ASCIIZ string first.</font></p>
<p><font face="Fixedsys"> invoke
SendDlgItemMessage,hDlg,IDC_SECTIONLIST,LVM_INSERTITEM,0,addr lvi </font></p>
<p><font face="MS Sans Serif" size="-1">Then we display it in the first column.<br>
We continue with this scheme until the last value we want to display for this
section is displayed. Then we must move to the next structure.</font> </p>
<p><font face="Fixedsys"> dec
edi <br>
add esi, sizeof IMAGE_SECTION_HEADER
<br>
.endw </font></p>
<p><font face="MS Sans Serif" size="-1">We decrement the value in edi for each
section processed. And we add the size of <font color="#CCFFCC"><b>IMAGE_SECTION_HEADER</b></font>
to esi so it contains the address of the next <font color="#CCFFCC"><b>IMAGE_SECTION_HEADER</b></font>
structure.</font></p>
<p><font face="MS Sans Serif" size="-1">The steps in walking the section table
are:</font></p>
<ol>
<li><font face="MS Sans Serif" size="-1">Verify that the file is a valid PE</font></li>
<li><font face="MS Sans Serif" size="-1">Go to the beginning of the PE header</font></li>
<li><font face="MS Sans Serif" size="-1">Obtain the number of sections from
<font color="#FFFFCC"> <b>NumberOfSections</b></font> field in the file header.</font></li>
<li><font face="MS Sans Serif" size="-1">Go to the section table either by adding
<font color="#FFFFCC"> <b>ImageBase</b></font> to <font color="#FFFFCC"><b>SizeOfHeaders</b></font>
or by adding the address of the PE header to the size of the PE header. (The
section table immediately follows the PE header). If you don't use file mapping,
you need to move the file pointer to the section table using <font color="#FFFFCC"><b>SetFilePointer</b></font>.
The file offset of the section table is in <font color="#FFFFCC"><b>SizeOfHeaders</b></font>.(<font color="#FFFFCC"><b>SizeOfHeaders</b></font>
is a member of <font color="#CCFFCC"><b>IMAGE_OPTIONAL_HEADER</b></font>)</font></li>
<li><font face="MS Sans Serif" size="-1">Process each <font color="#CCFFCC"><b>IMAGE_SECTION_HEADER</b></font>
structure.</font></li>
</ol>
<hr>
<p align="center"><b><font face="MS Sans Serif" size="-1">[<a href="http://win32asm.cjb.net">Iczelion's
Win32 Assembly Homepage</a>]</font></b></p>
<p> </p>
</body>
</html>
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -