📄 pe_sections.idc
SegDelete(SectionStart, 0);
Message(" %s section found at %.8X, expanding down to (%.8X - %.8X).\n", SectionName, temp, SectionStart, SegEnd(temp));
SegBounds(temp, SectionStart, SegEnd(temp), 1);
SegRename(SectionStart, SectionName);
// next iteration will take care of the upper boundary.
}
else
{
// a different name, let's skip it (note: must preserve what ever is already there)
Message(" error: %s section (%.8X - %.8X) is interfering.\n", SegName(temp), temp, SegEnd(temp));
if(SegEnd(temp) < SectionEnd)
{
Message("\n splitting %s up, will try to create a new block at (%.8X - %.8X).\n", SectionName, SegEnd(temp), SectionEnd);
SectionStart = SegEnd(temp);
}
else
{
// we are done
SectionStart = SectionEnd;
break;
}
}
}
else
{
// cool, nothing more needed
SectionStart = SectionEnd;
break;
}
}
}
else
{
Message(" WARNING: Sections virtual size is zero, can't create");
}
if(phySize != 0)
{
if(vSize < phySize)
{
phySize = vSize;
}
if(loadData)
{
loadfile(fhandle, phyAddr, SectionBase, phySize);
}
}
}
/*
// Function:
// MySeek
// Input:
// fhandle
// offset
// method (0 - from start of file, 1 - from current pos, 2 - from end of file)
// Returns:
// 0 - success
// -1 - a file error, unable to seek to that address.
// Notes:
// The function also prints messages (if return value != 0), which indicate what happened.
*/
static MySeek(fhandle, offset, method)
{
    auto status;

    // Thin wrapper around fseek(): 'method' is passed through unchanged
    // (0 - from start of file, 1 - from current position, 2 - from end of file).
    status = fseek(fhandle, offset, method);
    if(status == 0)
    {
        return 0;
    }

    // Any non-zero fseek() result is reported and mapped to -1.
    // The message is the only side effect, so a caller that ignores the
    // return value will carry on reading from wherever the file position
    // was left. Callers parsing untrusted files should check for -1.
    Message(" file seek error (method:offset 0x%x:%.8X)!", method, offset);
    return -1;
}
/*
// Function:
// fgetStr
// Purpose:
// Returns an ASCII string read from the current file position. Reading stops at
// the first NUL character or after 'size' bytes, whichever comes first; either way
// the file pointer will be positioned 'size' bytes from where the read started.
// Input:
// fhandle
// size
// Returns:
// a string
*/
static fgetStr(fHandle, size)
{
// Reads up to 'size' characters from fHandle, one fgetc() call at a time, and
// returns them concatenated; the field is always consumed in full (see below).
auto result, charRead;
result = "\0";
// Seeded with a non-NUL placeholder so the loop condition passes on the first
// iteration; it is overwritten before anything is appended to 'result'.
charRead = "A";
while(size && (charRead != '\0'))
{
// NOTE(review): the value returned by fgetc() is appended without checking for
// an end-of-file/error indication. On a truncated or malformed input file the
// loop presumably keeps appending until 'size' runs out - confirm against
// fgetc()'s documented failure value and reject short reads if needed.
charRead = fgetc(fHandle);
result = result + charRead;
--size;
}
// The loop ended because 'size' ran out (or 'size' was 0 on entry) without a
// NUL having been read, so a terminator is appended explicitly.
if(charRead != '\0')
{
result = result + '\0';
}
// A NUL was hit before the whole field was consumed: skip the remaining bytes
// relative to the current position (method 1) so the caller ends up 'size'
// bytes past the starting offset.
// NOTE(review): MySeek()'s return value is ignored here, so a failed skip is
// only visible through the message it prints.
if(size != 0)
{
MySeek(fHandle, size, 1);
}
return result;
}
static LoadSections(fhandle, PEoffset, DLL_name)
{
auto i, k, flags;
auto comment, commentTimeStamp, findString;
auto headerPSize, headerVSize, imageBase, imageBase2;
auto numberSections, NTheaderSize, PEsections;
auto fileSize;
auto PEentry;
auto SectionAlignment, FileAlignment;
auto LargestPhysical;
auto PEtype;
auto subsystem;
auto strange_alignment;
auto load_section_data;
auto tables_error;
auto TimeStamp;
auto already_loaded;
auto actualImageSize;
auto DLLflags;
auto imageDelta;
strange_alignment = 0;
load_section_data = 1;
already_loaded = 1;
if(DLL_name != "")
{
DLL_name = DLL_name + DLL_SEPERATOR;
already_loaded = 0;
}
if(FirstNamedSeg(DLL_name + PE_HEADER_SECTION_NAME) != BADADDR)
{
load_section_data = AskYN(0, "Do you want me to reload the section data?");
// -1 - we return from this function.
// 0 - we don't reload any section data, but we still apply the script in any other way.
// 1 - we reload all section data.
if(load_section_data < 0)
{
return -1;
}
already_loaded = 1;
}
LargestPhysical = 0;
Message("-------------------------------------------------------------------------------\n\n");
MySeek(fhandle, PEoffset + 0x18, 0);
PEtype = readshort(fhandle, 0);
fseek(fhandle, PEoffset + 0x54, 0);
headerPSize = readlong(fhandle, 0);
if(PEtype != 0x20b)
{
Message("Found PE header of size %.8X at file offset %.8X:\n\n", headerPSize, PEoffset);
}
else
{
Message("Found PE2 header of size %.8X at file offset %.8X:\n\n", headerPSize, PEoffset);
}
fileSize = filelength(fhandle);
if(fileSize == -1)
{
WarningMessage("Unable to get the file size!");
}
Message("- file size: %.8X (%d bytes)\n\n", fileSize, fileSize);
MySeek(fhandle, PEoffset + 0x4, 0);
i = readshort(fhandle,0);
if(i == 0)
{
comment = "applicable to all cpu's";
}
else
{
k = i & 0xff;
i = i >> 8;
if(k == 0x84)
{
comment = "Alpha AXP";
if(i == 2)
{
comment = comment + " 64-bit";
}
}
else if((k == 0) || (k == 0x4c))
{
comment = "intel " + ((k == 0) ? "IA64" : "386+");
}
else
{
// to lasy to do the rest, since I rarely encounter them... :)
comment = "unrecognized";
}
}
Message("- required cpu type: " + comment + "\n");
MySeek(fhandle, PEoffset + 0x5c, 0);
subsystem = readshort(fhandle,0);
if(subsystem == 1)
{
comment = "Native (doesn't require a subsystem)";
}
else if(subsystem == 2)
{
comment = "Windows GUI";
}
else if(subsystem == 3)
{
comment = "Windows character";
}
else if(subsystem == 7)
{
comment = "POSIX character";
}
else if(subsystem == 9)
{
comment = "Windows CE";
}
else if(subsystem == 10)
{
comment = "EFI application";
}
else if(subsystem == 11)
{
comment = "EFI boot service driver";
}
else if(subsystem == 12)
{
comment = "EFI runtime service driver";
}
else
{
comment = "unknown";
}
Message("- required subsystem: " + comment + "\n");
MySeek(fhandle, PEoffset + 0x8, 0);
TimeStamp = readlong(fhandle, 0);
commentTimeStamp = "Microsoft(" + ULDateToStr(TimeStamp) + "), Borland(" + ULDosDateToStr(TimeStamp) + ")";
Message("- time stamp: " + commentTimeStamp + "\n");
commentTimeStamp = "time stamp: " + commentTimeStamp;
fseek(fhandle, PEoffset + 0x30, 0);
imageBase = readlong(fhandle, 0);
imageBase2 = readlong(fhandle, 0);
Message("- image base: ");
if(PEtype != 0x20b)
{
imageBase = imageBase2;
imageBase2 = 0;
Message("%.8X\n", imageBase);
}
else
{
Message("%.8X%.8X\n", imageBase2, imageBase);
}
fseek(fhandle, PEoffset + 0x38, 0);
SectionAlignment = readlong(fhandle, 0);
Message("- Section alignment: %.8X\n", SectionAlignment);
if(SectionAlignment != (SectionAlignment & ~(SectionAlignment - 1)))
{
Message(" * WARNING: SectionAlignment is strange\n");
}
if(SectionAlignment > 0x100000)
{
Message(" * ERROR: SectionAlignment is 1M+, using 200h instead.\n");
SectionAlignment = 0x200;
}
fseek(fhandle, PEoffset + 0x3C, 0);
FileAlignment = readlong(fhandle, 0);
if(!SectionAlignment)
{
if(FileAlignment)
{
SectionAlignment = FileAlignment;
Message(" using file alignment instead (%.8X)\n", FileAlignment);
}
else
{
Message(" file alignment is also zero, using default value of 0x200.\n");
SectionAlignment = 0x200; // Mustn't divide by zero.
}
}
Message("- File alignment: %.8X\n", FileAlignment);
if(!FileAlignment)
{
Message(" file alignment is zero, using section alignment instead.\n");
FileAlignment = SectionAlignment;
}
if(FileAlignment != (FileAlignment & ~(FileAlignment - 1)))
{
Message(" * WARNING: FileAlignment is strange\n");
}
if(FileAlignment > 0x100000)
{
Message(" * ERROR: FileAlignment is 1M+, using 512 instead.\n");
FileAlignment = 512;
}
MySeek(fhandle, PEoffset + 0x28, 0);
PEentry = readlong(fhandle,0);
MySeek(fhandle, PEoffset + 0x6, 0);
numberSections = readshort(fhandle, 0);
MySeek(fhandle, PEoffset + 0x14, 0);
NTheaderSize = readshort(fhandle, 0);
PEsections = PEoffset + NTheaderSize + 0x18;
MySeek(fhandle, PEoffset + 0x16, 0);
flags = readshort(fhandle, 0);
Message("- entry point: ");
if(PEentry || !(flags & 0x2000))
{
if(PEtype != 0x20b)
{
Message("%.8X (%.8X)\n", PEentry, PEentry + imageBase);
}
else
{
auto temp_lower, temp_higher;
temp_higher = imageBase2;
temp_lower = PEentry + imageBase;
if(temp_lower < PEentry)
{
temp_higher = temp_higher + 1;
}
Message("%.8X (%.8X%.8X)\n", PEentry, temp_higher, temp_lower);
}
}
else
{
Message("not present\n");
}
Message("\n- image flags (%.4X):\n", flags);
comment = "";
if(flags & 0x0001)
{
comment = comment + "\n 0x0001 - 1 - relocs stripped";
}
comment = comment + "\n 0x0002 - " + ((flags & 0x0002) ? "1 - executable" : "0 - invalid") + " image";
if(flags & 0x0004)
{
comment = comment + "\n 0x0004 - 1 - COFF line numbers stripped";
}
if(flags & 0x0008)
{
comment = comment + "\n 0x0008 - 1 - COFF symbols stripped";
}
if(flags & 0x0010)
{
comment = comment + "\n 0x0010 - 1 - OS is supposed to aggressively trim working set";
}
if(flags & 0x0020)
{
comment = comment + "\n 0x0020 - 1 - Application can handle 2GB+ addresses";
}
if(flags & 0x0040)
{
comment = comment + "\n 0x0040 - 1 - 16-bit word architecture (reserved)";
}