📄 pe_decoder.cpp
字号:
//*******************************************************************************
// *
// PE Decoder Version 1.0, implemented with C++ *
// *
// Created By HQ(Fahrenheit), 04CS, NJU *
// Finished On Oct 14th 2006 *
// *
// Contact me if you have good ideas. *
// Email : fahrenheit871116@163.com *
// *
//*******************************************************************************
#include <windows.h>
#include <iostream>
#include <fstream>
#include <iomanip>
using namespace std;
VOID ToNumeric( LPDWORD ptr, CHAR buf[], INT start, INT size )
{
if ( start<0 || size<0 )
{
return;
}
*ptr = buf[start+size-1];
for ( INT i=size-2; i>=0; i-- )
{
(*ptr) <<= 8;
(*ptr) |= (UCHAR)buf[i+start];
}
}
VOID ToString( LPSTR ptr, CHAR buf[], INT start, INT size)
{
if ( start<0 || size<0 )
{
return;
}
for ( INT i=0; i<size; i++ )
{
ptr[i] = buf[i+start];
}
}
class DataDump
{
private :
IMAGE_FILE_HEADER FILE_HEADER;
IMAGE_OPTIONAL_HEADER32 OPTIONAL_HEADER32;
PIMAGE_SECTION_HEADER SECTION_HEADER;
IMAGE_IMPORT_DESCRIPTOR IMPORT_DESCRIPTOR;
PIMAGE_EXPORT_DIRECTORY EXPORT_DIRECTORY;
DWORD ExVRk, ImVRk;
public :
DataDump();
~DataDump();
BOOL Set_FILE_HEADER( CHAR [], INT );
BOOL Set_OPTIONAL_HEADER32( CHAR [], INT );
BOOL Set_SECTION_HEADER32( CHAR [], INT );
BOOL Set_EXPORT_TABLE( CHAR [], INT );
VOID GetReady( CHAR [] );
DWORD Get_OPTIONAL_HEADER_SIZE( VOID ) const;
DWORD Get_SECTION_NUMBER( VOID ) const;
DWORD Get_EXPORT_TABLE_RAW( VOID ) const;
DWORD Get_IMPORT_TABLE_RAW( VOID ) const;
VOID Set_Export_VRk( VOID );
VOID Set_Import_VRk( VOID );
BOOL Export_Table_Existed( VOID ) const;
BOOL Import_Table_Existed( VOID ) const;
BOOL Show_FILE_HEADER( ofstream& ) const;
BOOL Show_OPTIONAL_HEADER32( ofstream& ) const;
BOOL Show_SECTION_HEADER32( ofstream& ) const;
BOOL Show_EXPORT_TABLE( ifstream&, ofstream& ) const;
BOOL Show_IMPORT_TABLE( ifstream&, ofstream& ) const;
};
DataDump::DataDump( VOID )
{
SECTION_HEADER = NULL;
ExVRk = ImVRk = 0x00000000;
}
DataDump::~DataDump()
{
if ( SECTION_HEADER )
{
delete [] SECTION_HEADER;
}
if ( EXPORT_DIRECTORY )
{
delete EXPORT_DIRECTORY;
}
}
BOOL DataDump::Set_FILE_HEADER( CHAR buf[], INT size )
{
if ( size!=20 )
{
return FALSE;
}
ToNumeric((LPDWORD)&FILE_HEADER.Machine, buf, 0, 2);
ToNumeric((LPDWORD)&FILE_HEADER.NumberOfSections, buf, 2, 2);
ToNumeric((LPDWORD)&FILE_HEADER.TimeDateStamp, buf, 4, 4);
ToNumeric((LPDWORD)&FILE_HEADER.PointerToSymbolTable, buf, 8, 4);
ToNumeric((LPDWORD)&FILE_HEADER.NumberOfSymbols, buf, 12, 4);
ToNumeric((LPDWORD)&FILE_HEADER.SizeOfOptionalHeader, buf, 16, 2);
ToNumeric((LPDWORD)&FILE_HEADER.Characteristics, buf, 18, 2);
return TRUE;
}
BOOL DataDump::Set_OPTIONAL_HEADER32( CHAR buf[], INT size )
{
if ( size<1 )
{
return FALSE;
}
ToNumeric((LPDWORD)&OPTIONAL_HEADER32.Magic, buf, 0, 2);
ToNumeric((LPDWORD)&OPTIONAL_HEADER32.MajorLinkerVersion, buf, 2, 1);
ToNumeric((LPDWORD)&OPTIONAL_HEADER32.AddressOfEntryPoint, buf, 16, 4);
ToNumeric((LPDWORD)&OPTIONAL_HEADER32.BaseOfCode, buf, 20, 4);
ToNumeric((LPDWORD)&OPTIONAL_HEADER32.BaseOfData, buf, 24, 4);
ToNumeric((LPDWORD)&OPTIONAL_HEADER32.ImageBase, buf, 28, 4);
ToNumeric((LPDWORD)&OPTIONAL_HEADER32.SectionAlignment, buf, 32, 4);
ToNumeric((LPDWORD)&OPTIONAL_HEADER32.FileAlignment, buf, 36, 4);
ToNumeric((LPDWORD)&OPTIONAL_HEADER32.MajorImageVersion, buf, 44, 2);
ToNumeric((LPDWORD)&OPTIONAL_HEADER32.MajorSubsystemVersion, buf, 48, 2);
ToNumeric((LPDWORD)&OPTIONAL_HEADER32.SizeOfImage, buf, 56, 4);
ToNumeric((LPDWORD)&OPTIONAL_HEADER32.SizeOfHeaders, buf, 60, 4);
ToNumeric((LPDWORD)&OPTIONAL_HEADER32.CheckSum, buf, 64, 4);
ToNumeric((LPDWORD)&OPTIONAL_HEADER32.Subsystem, buf, 68, 4);
ToNumeric((LPDWORD)&OPTIONAL_HEADER32.DllCharacteristics, buf, 70, 4);
ToNumeric((LPDWORD)&OPTIONAL_HEADER32.NumberOfRvaAndSizes, buf, 92, 4);
for ( INT i=0, j=0; i<OPTIONAL_HEADER32.NumberOfRvaAndSizes; i++, j+=8 )
{
ToNumeric((LPDWORD)&OPTIONAL_HEADER32.DataDirectory[i].VirtualAddress, buf, 96+j, 4);
ToNumeric((LPDWORD)&OPTIONAL_HEADER32.DataDirectory[i].Size, buf, 100+j, 4);
}
return TRUE;
}
BOOL DataDump::Set_SECTION_HEADER32( CHAR buf[], INT size )
{
if ( size<1 || size%40!=0 )
{
return FALSE;
}
SECTION_HEADER = new IMAGE_SECTION_HEADER [FILE_HEADER.NumberOfSections];
for ( INT i=0, j=0; i<FILE_HEADER.NumberOfSections; i++, j+=40 )
{
ToString((LPSTR)&SECTION_HEADER[i].Name, buf, j, 8);
ToNumeric((LPDWORD)&SECTION_HEADER[i].Misc, buf, j+8, 4);
ToNumeric((LPDWORD)&SECTION_HEADER[i].VirtualAddress, buf, j+12, 4);
ToNumeric((LPDWORD)&SECTION_HEADER[i].SizeOfRawData, buf, j+16, 4);
ToNumeric((LPDWORD)&SECTION_HEADER[i].PointerToRawData, buf, j+20, 4);
ToNumeric((LPDWORD)&SECTION_HEADER[i].PointerToRelocations, buf, j+24, 4);
ToNumeric((LPDWORD)&SECTION_HEADER[i].PointerToLinenumbers, buf, j+28, 4);
ToNumeric((LPDWORD)&SECTION_HEADER[i].NumberOfRelocations, buf, j+32, 2);
ToNumeric((LPDWORD)&SECTION_HEADER[i].NumberOfLinenumbers, buf, j+34, 2);
ToNumeric((LPDWORD)&SECTION_HEADER[i].Characteristics, buf, j+36, 4);
}
Set_Export_VRk();
Set_Import_VRk();
return TRUE;
}
BOOL DataDump::Set_EXPORT_TABLE( CHAR buf[], INT size )
{
if ( size<1 )
{
return FALSE;
}
EXPORT_DIRECTORY = new IMAGE_EXPORT_DIRECTORY;
ToNumeric((LPDWORD)&EXPORT_DIRECTORY->Characteristics, buf, 0, 4);
ToNumeric((LPDWORD)&EXPORT_DIRECTORY->TimeDateStamp, buf, 4, 4);
ToNumeric((LPDWORD)&EXPORT_DIRECTORY->MajorVersion, buf, 8, 2);
ToNumeric((LPDWORD)&EXPORT_DIRECTORY->MinorVersion, buf, 10, 2);
ToNumeric((LPDWORD)&EXPORT_DIRECTORY->Name, buf, 12, 4);
ToNumeric((LPDWORD)&EXPORT_DIRECTORY->Base, buf, 16, 4);
ToNumeric((LPDWORD)&EXPORT_DIRECTORY->NumberOfFunctions, buf, 20, 4);
ToNumeric((LPDWORD)&EXPORT_DIRECTORY->NumberOfNames, buf, 24, 4);
ToNumeric((LPDWORD)&EXPORT_DIRECTORY->AddressOfFunctions, buf, 28, 4);
ToNumeric((LPDWORD)&EXPORT_DIRECTORY->AddressOfNames, buf, 32, 4);
ToNumeric((LPDWORD)&EXPORT_DIRECTORY->AddressOfNameOrdinals, buf, 36, 4);
return TRUE;
}
BOOL DataDump::Show_IMPORT_TABLE( ifstream& PE_file, ofstream& fout ) const
{
CHAR buf[33];
DWORD ImOffset = Get_IMPORT_TABLE_RAW(), ThunkValue = 0x00000001, Thunk;
WORD hint = 0x00000000;
buf[28] = 0;
fout.clear();
fout<<"++++++++++++++++++++++++++ Import Table Information +++++++++++++++++++++"<<endl<<endl;
if ( Import_Table_Existed() )
{
PE_file.clear();
for ( INT i=0; ; i++ )
{
PE_file.seekg(ImOffset+i*20);
PE_file.read(buf, 20);
ToNumeric((LPDWORD)&IMPORT_DESCRIPTOR.FirstThunk, buf, 16, 4);
if ( IMPORT_DESCRIPTOR.FirstThunk==0xCCCCCCCC )
{
return FALSE;
}
if ( !IMPORT_DESCRIPTOR.FirstThunk )
{
break;
}
ToNumeric((LPDWORD)&IMPORT_DESCRIPTOR.TimeDateStamp, buf, 4, 4);
ToNumeric((LPDWORD)&IMPORT_DESCRIPTOR.ForwarderChain, buf, 8, 4);
ToNumeric((LPDWORD)&IMPORT_DESCRIPTOR.Name, buf, 12, 4);
ToNumeric((LPDWORD)&IMPORT_DESCRIPTOR.OriginalFirstThunk, buf, 0, 4);
fout<<" ------------------------------------------------------------------------"<<endl<<endl;
fout<<setfill(' ')<<setw(20)<<"Name";
fout<<" "<<setfill('0')<<setw(8)<<IMPORT_DESCRIPTOR.Name;
fout<<setfill(' ')<<setw(20)<<"TimeDateStamp";
fout<<" "<<setfill('0')<<setw(8)<<IMPORT_DESCRIPTOR.TimeDateStamp<<endl;
fout<<setfill(' ')<<setw(20)<<"OriginalFirstThunk";
fout<<" "<<setfill('0')<<setw(8)<<IMPORT_DESCRIPTOR.OriginalFirstThunk;
fout<<setfill(' ')<<setw(20)<<"FirstThunk";
fout<<" "<<setfill('0')<<setw(8)<<IMPORT_DESCRIPTOR.FirstThunk<<endl;
fout<<setfill(' ')<<setw(20)<<"ForwarderChain";
fout<<" "<<setfill('0')<<setw(8)<<IMPORT_DESCRIPTOR.ForwarderChain;
fout<<setfill(' ')<<setw(20)<<"Characteristics";
fout<<" "<<setfill('0')<<setw(8)<<IMPORT_DESCRIPTOR.Characteristics<<endl<<endl;
PE_file.seekg(IMPORT_DESCRIPTOR.Name-ImVRk);
PE_file.read(buf, 24);
fout.fill(0);
fout<<" -> DLL Name : "<<buf<<endl;
fout<<" |"<<endl;
fout<<" -> "<<setw(12)<<"ThunkRVA"<<setw(16)<<"ThunkValue"<<setw(12)<<"Hint"<<setw(28)<<"Function Name"<<endl;
fout<<" ----------------------------------------------------------------------"<<endl;
if ( IMPORT_DESCRIPTOR.OriginalFirstThunk )
{
Thunk = IMPORT_DESCRIPTOR.OriginalFirstThunk;
}
else
{
Thunk = IMPORT_DESCRIPTOR.FirstThunk;
}
if ( Thunk )
{
for ( INT j=0; ; j++, Thunk+=4 )
{
PE_file.seekg(Thunk-ImVRk);
PE_file.read(buf, 4);
ToNumeric((LPDWORD)&ThunkValue, buf, 0, 4);
if ( !ThunkValue )
{
break;
}
fout<<" "<<setfill('0')<<setw(8)<<Thunk<<" "<<setw(8)<<ThunkValue;
if ( !(ThunkValue & 0x80000000) ) // MSB Setted '0' Represents It Is A Pointer To IMAGE_IMPORT_BY_NAME
{
PE_file.seekg(ThunkValue-ImVRk);
PE_file.read(buf, 2);
ToNumeric((LPDWORD)&hint, buf, 0, 2);
PE_file.read(buf, 28);
fout<<" "<<setfill('0')<<setw(4)<<hint;
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -