📄 exedump.c
字号:
printf(" %4u %s", pOrdinalName->Hint, pOrdinalName->Name);
}
if ( fShowIATentries )
printf( " (IAT: %08X)", thunkIAT->u1.Function );
printf( "\n" );
thunk++; // Advance to next thunk
thunkIAT++; // advance to next thunk
}
importDesc++; // advance to next IMAGE_IMPORT_DESCRIPTOR
printf("\n");
}
}
//
// Dump the exports table (usually the .edata section) of a PE file
//
void DumpExportsSection(DWORD base, PIMAGE_NT_HEADERS pNTHeader)
{
PIMAGE_EXPORT_DIRECTORY exportDir;
PIMAGE_SECTION_HEADER header;
INT delta;
PSTR filename;
DWORD i;
PDWORD functions;
PWORD ordinals;
PSTR *name;
DWORD exportsStartRVA, exportsEndRVA;
exportsStartRVA = pNTHeader->OptionalHeader.DataDirectory
[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
exportsEndRVA = exportsStartRVA + pNTHeader->OptionalHeader.DataDirectory
[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
// Get the IMAGE_SECTION_HEADER that contains the exports. This is
// usually the .edata section, but doesn't have to be.
header = GetEnclosingSectionHeader( exportsStartRVA, pNTHeader );
if ( !header )
return;
delta = (INT)(header->VirtualAddress - header->PointerToRawData);
exportDir = MakePtr(PIMAGE_EXPORT_DIRECTORY, base,
exportsStartRVA - delta);
filename = (PSTR)(exportDir->Name - delta + base);
printf("exports table:\n\n");
printf(" Name: %s\n", filename);
printf(" Characteristics: %08X\n", exportDir->Characteristics);
printf(" TimeDateStamp: %08X\n", exportDir->TimeDateStamp);
printf(" Version: %u.%02u\n", exportDir->MajorVersion,
exportDir->MinorVersion);
printf(" Ordinal base: %08X\n", exportDir->Base);
printf(" # of functions: %08X\n", exportDir->NumberOfFunctions);
printf(" # of Names: %08X\n", exportDir->NumberOfNames);
functions = (PDWORD)((DWORD)exportDir->AddressOfFunctions - delta + base);
ordinals = (PWORD)((DWORD)exportDir->AddressOfNameOrdinals - delta + base);
name = (PSTR *)((DWORD)exportDir->AddressOfNames - delta + base);
printf("\n Entry Pt Ordn Name\n");
for ( i=0; i < exportDir->NumberOfFunctions; i++ )
{
DWORD entryPointRVA = functions[i];
DWORD j;
if ( entryPointRVA == 0 ) // Skip over gaps in exported function
continue; // ordinals (the entrypoint is 0 for
// these functions).
printf(" %08X %4u", entryPointRVA, i + exportDir->Base );
// See if this function has an associated name exported for it.
for ( j=0; j < exportDir->NumberOfNames; j++ )
if ( ordinals[j] == i )
printf(" %s", name[j] - delta + base);
// Is it a forwarder? If so, the entry point RVA is inside the
// .edata section, and is an RVA to the DllName.EntryPointName
if ( (entryPointRVA >= exportsStartRVA)
&& (entryPointRVA <= exportsEndRVA) )
{
printf(" (forwarder -> %s)", entryPointRVA - delta + base );
}
printf("\n");
}
}
// The names of the available base relocations
char *SzRelocTypes[] = {
"ABSOLUTE","HIGH","LOW","HIGHLOW","HIGHADJ","MIPS_JMPADDR",
"I860_BRADDR","I860_SPLIT" };
//
// Dump the base relocation table of a PE file
//
void DumpBaseRelocationsSection(DWORD base, PIMAGE_NT_HEADERS pNTHeader)
{
PIMAGE_BASE_RELOCATION baseReloc;
baseReloc = GetSectionPtr(".reloc", pNTHeader, base);
if ( !baseReloc )
return;
printf("base relocations:\n\n");
while ( baseReloc->SizeOfBlock != 0 )
{
unsigned i,cEntries;
PWORD pEntry;
char *szRelocType;
WORD relocType;
cEntries = (baseReloc->SizeOfBlock-sizeof(*baseReloc))/sizeof(WORD);
pEntry = MakePtr( PWORD, baseReloc, sizeof(*baseReloc) );
printf("Virtual Address: %08X size: %08X\n",
baseReloc->VirtualAddress, baseReloc->SizeOfBlock);
for ( i=0; i < cEntries; i++ )
{
// Extract the top 4 bits of the relocation entry. Turn those 4
// bits into an appropriate descriptive string (szRelocType)
relocType = (*pEntry & 0xF000) >> 12;
szRelocType = relocType < 8 ? SzRelocTypes[relocType] : "unknown";
printf(" %08X %s\n",
(*pEntry & 0x0FFF) + baseReloc->VirtualAddress,
szRelocType);
pEntry++; // Advance to next relocation entry
}
baseReloc = MakePtr( PIMAGE_BASE_RELOCATION, baseReloc,
baseReloc->SizeOfBlock);
}
}
//
// Dump out the new IMAGE_BOUND_IMPORT_DESCRIPTOR that NT 3.51 added
//
void DumpBoundImportDescriptors( DWORD base, PIMAGE_NT_HEADERS pNTHeader )
{
DWORD bidRVA; // Bound import descriptors RVA
PIMAGE_BOUND_IMPORT_DESCRIPTOR pibid;
bidRVA = pNTHeader->OptionalHeader.DataDirectory
[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress;
if ( !bidRVA )
return;
pibid = MakePtr( PIMAGE_BOUND_IMPORT_DESCRIPTOR, base, bidRVA );
printf( "Bound import descriptors:\n\n" );
printf( " Module TimeDate\n" );
printf( " ------------ --------\n" );
while ( pibid->TimeDateStamp )
{
unsigned i;
PIMAGE_BOUND_FORWARDER_REF pibfr;
printf( " %-12s %08X\n", base + bidRVA + pibid->OffsetModuleName,
pibid->TimeDateStamp );
pibfr = MakePtr(PIMAGE_BOUND_FORWARDER_REF, pibid,
sizeof(IMAGE_BOUND_IMPORT_DESCRIPTOR));
for ( i=0; i < pibid->NumberOfModuleForwarderRefs; i++ )
{
printf(" forwarder: %-12s %08X\n",
base + bidRVA + pibfr->OffsetModuleName,
pibfr->TimeDateStamp );
pibfr++; // advance to next forwarder ref
// Keep the outer loop pointer up to date too!
pibid = MakePtr( PIMAGE_BOUND_IMPORT_DESCRIPTOR, pibid,
sizeof( IMAGE_BOUND_FORWARDER_REF ) );
}
pibid++; // Advance to next pibid;
}
}
//
// top level routine called from PEDUMP.C to dump the components of a PE file
//
void DumpExeFile( PIMAGE_DOS_HEADER dosHeader )
{
PIMAGE_NT_HEADERS pNTHeader;
DWORD base = (DWORD)dosHeader;
pNTHeader = MakePtr( PIMAGE_NT_HEADERS, dosHeader,
dosHeader->e_lfanew );
// First, verify that the e_lfanew field gave us a reasonable
// pointer, then verify the PE signature.
__try
{
if ( pNTHeader->Signature != IMAGE_NT_SIGNATURE )
{
printf("Not a Portable Executable (PE) EXE\n");
return;
}
}
__except( TRUE ) // Should only get here if pNTHeader (above) is bogus
{
printf( "invalid .EXE\n");
return;
}
DumpHeader((PIMAGE_FILE_HEADER)&pNTHeader->FileHeader);
printf("\n");
DumpOptionalHeader((PIMAGE_OPTIONAL_HEADER)&pNTHeader->OptionalHeader);
printf("\n");
DumpSectionTable( IMAGE_FIRST_SECTION(pNTHeader),
pNTHeader->FileHeader.NumberOfSections, TRUE);
printf("\n");
DumpExeDebugDirectory(base, pNTHeader);
if ( pNTHeader->FileHeader.PointerToSymbolTable == 0 )
PCOFFDebugInfo = 0; // Doesn't really exist!
printf("\n");
DumpResourceSection(base, pNTHeader);
printf("\n");
DumpImportsSection(base, pNTHeader);
printf("\n");
if ( pNTHeader->OptionalHeader.DataDirectory
[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT]
.VirtualAddress )
{
DumpBoundImportDescriptors( base, pNTHeader );
printf( "\n" );
}
DumpExportsSection(base, pNTHeader);
printf("\n");
if ( fShowRelocations )
{
DumpBaseRelocationsSection(base, pNTHeader);
printf("\n");
}
//
// Initialize these vars here since we'll need them in DumpLineNumbers
//
PCOFFSymbolTable = MakePtr(PIMAGE_SYMBOL, base,
pNTHeader->FileHeader.PointerToSymbolTable);
COFFSymbolCount = pNTHeader->FileHeader.NumberOfSymbols;
if ( fShowSymbolTable && PCOFFDebugInfo )
{
DumpCOFFHeader( PCOFFDebugInfo );
printf("\n");
}
if ( fShowLineNumbers && PCOFFDebugInfo )
{
DumpLineNumbers( MakePtr(PIMAGE_LINENUMBER, PCOFFDebugInfo,
PCOFFDebugInfo->LvaToFirstLinenumber),
PCOFFDebugInfo->NumberOfLinenumbers);
printf("\n");
}
if ( fShowSymbolTable )
{
if ( pNTHeader->FileHeader.NumberOfSymbols
&& pNTHeader->FileHeader.PointerToSymbolTable)
{
DumpSymbolTable(PCOFFSymbolTable, COFFSymbolCount);
printf("\n");
}
}
if ( fShowRawSectionData )
{
DumpRawSectionData( (PIMAGE_SECTION_HEADER)(pNTHeader+1),
dosHeader,
pNTHeader->FileHeader.NumberOfSections);
}
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -