
📄 pe_decoder.cpp

📁 在《软件加密技术》这本书里看过PE文件各部分的详细解释之后
			    ToString(buf, buf, 0, 28);
			    fout<<setfill(' ')<<setw(28)<<buf;			
			  }
			  fout<<endl;
			}
		  }
		  else
		  {
		    fout<<"    No Avaliable Information !"<<endl;
		  }
		  fout<<endl;
		}
		fout<<" -> "<<dec<<i<<" (dec) Dll File(s) Included !"<<endl;
	  }
	  else
	  {
		fout<<" ->No Import Table Information !"<<endl;
	  }

	  return TRUE;

	}

	// Returns FILE_HEADER.SizeOfOptionalHeader widened to DWORD.
	// NOTE(review): FILE_HEADER is presumably filled from the file being decoded, so this
	// value is file-controlled -- confirm callers bound it before using it as a read length.
	DWORD DataDump::Get_OPTIONAL_HEADER_SIZE( VOID ) const
	{
	  const DWORD optionalHeaderBytes = FILE_HEADER.SizeOfOptionalHeader;
	  return optionalHeaderBytes;
	}

	// Returns FILE_HEADER.NumberOfSections widened to DWORD.
	// NOTE(review): the count is presumably taken from the decoded file as-is -- confirm
	// callers check it against the capacity of SECTION_HEADER before indexing with it.
	DWORD DataDump::Get_SECTION_NUMBER( VOID ) const
	{
	  const DWORD sectionCount = FILE_HEADER.NumberOfSections;
	  return sectionCount;
	}

	// Returns the export directory RVA (DataDirectory[0].VirtualAddress) minus ExVRk.
	// The subtraction is unsigned and wraps when the RVA is below ExVRk;
	// Export_Table_Existed() returns FALSE in that case, so consult it first.
	// NOTE(review): the result is not compared with the file length here -- confirm the
	// caller does that before seeking or reading at this position.
	DWORD DataDump::Get_EXPORT_TABLE_RAW( VOID ) const
	{
	  const DWORD exportRva = OPTIONAL_HEADER32.DataDirectory[0].VirtualAddress;
	  return exportRva - ExVRk;
	}

	// Returns the import directory RVA (DataDirectory[1].VirtualAddress) minus ImVRk.
	// The subtraction is unsigned and wraps when the RVA is below ImVRk;
	// Import_Table_Existed() returns FALSE in that case, so consult it first.
	// NOTE(review): the result is not compared with the file length here -- confirm the
	// caller does that before seeking or reading at this position.
	DWORD DataDump::Get_IMPORT_TABLE_RAW( VOID ) const
	{
	  const DWORD importRva = OPTIONAL_HEADER32.DataDirectory[1].VirtualAddress;
	  return importRva - ImVRk;
	}

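	// Sets ExVRk to the RVA-to-raw delta (VirtualAddress - PointerToRawData) of the section
	// taken to hold the export directory (DataDirectory[0]).
	// The owning section is the one just before the first section whose VirtualAddress lies
	// above the directory RVA, which relies on the section table being in ascending
	// VirtualAddress order. When no later section starts above the RVA (the directory sits
	// in the last section, or the file has a single section) the last section is used, so
	// ExVRk is no longer left at a stale value in that case.
	// ExVRk is left untouched only when the file declares no sections.
	// NOTE(review): the RVA is not checked against the owning section's size, and
	// NumberOfSections bounds the walk over SECTION_HEADER with no capacity check visible
	// here -- confirm both are validated where the headers are loaded.
	VOID DataDump::Set_Export_VRk() 
	{
	  const DWORD exportRva   = OPTIONAL_HEADER32.DataDirectory[0].VirtualAddress;
	  const INT sectionCount  = FILE_HEADER.NumberOfSections;

	  if ( sectionCount < 1 )
	  {
		return;
	  }

	  // Default to the last section; the loop narrows it when a later section starts above the RVA.
	  INT owner = sectionCount - 1;
	  for ( INT i=1; i<sectionCount; i++ )
	  {
		if ( SECTION_HEADER[i].VirtualAddress > exportRva )
		{
		  owner = i - 1;
		  break;
		}
	  }

	  ExVRk = SECTION_HEADER[owner].VirtualAddress - SECTION_HEADER[owner].PointerToRawData;
	}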

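	// Sets ImVRk to the RVA-to-raw delta (VirtualAddress - PointerToRawData) of the section
	// taken to hold the import directory (DataDirectory[1]).
	// The owning section is the one just before the first section whose VirtualAddress lies
	// above the directory RVA, which relies on the section table being in ascending
	// VirtualAddress order. When no later section starts above the RVA (the directory sits
	// in the last section, or the file has a single section) the last section is used, so
	// ImVRk is no longer left at a stale value in that case.
	// ImVRk is left untouched only when the file declares no sections.
	// NOTE(review): the RVA is not checked against the owning section's size, and
	// NumberOfSections bounds the walk over SECTION_HEADER with no capacity check visible
	// here -- confirm both are validated where the headers are loaded.
	VOID DataDump::Set_Import_VRk() 
	{
	  const DWORD importRva   = OPTIONAL_HEADER32.DataDirectory[1].VirtualAddress;
	  const INT sectionCount  = FILE_HEADER.NumberOfSections;

	  if ( sectionCount < 1 )
	  {
		return;
	  }

	  // Default to the last section; the loop narrows it when a later section starts above the RVA.
	  INT owner = sectionCount - 1;
	  for ( INT i=1; i<sectionCount; i++ )
	  {
		if ( SECTION_HEADER[i].VirtualAddress > importRva )
		{
		  owner = i - 1;
		  break;
		}
	  }

	  ImVRk = SECTION_HEADER[owner].VirtualAddress - SECTION_HEADER[owner].PointerToRawData;
	}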

	// Reports whether the file declares a usable export directory (DataDirectory[0]).
	// Returns FALSE when the RVA or the size is zero, or when the RVA is below ExVRk
	// (in which case Get_EXPORT_TABLE_RAW() would wrap); TRUE otherwise.
	// NOTE(review): this does not check that RVA + Size stays inside a section or inside
	// the file -- confirm the export walker bounds its own reads.
	BOOL DataDump::Export_Table_Existed( VOID ) const
	{
	  const DWORD exportRva  = OPTIONAL_HEADER32.DataDirectory[0].VirtualAddress;
	  const DWORD exportSize = OPTIONAL_HEADER32.DataDirectory[0].Size;

	  // A directory slot with a zero RVA or a zero size is treated as absent.
	  const bool declared = ( exportRva != 0 ) && ( exportSize != 0 );
	  // The RVA must not be smaller than the delta that will be subtracted from it.
	  const bool mappable = !( exportRva < ExVRk );

	  return ( declared && mappable ) ? TRUE : FALSE;
	}

	// Reports whether the file declares a usable import directory (DataDirectory[1]).
	// Returns FALSE when the RVA or the size is zero, or when the RVA is below ImVRk
	// (in which case Get_IMPORT_TABLE_RAW() would wrap); TRUE otherwise.
	// NOTE(review): this does not check that RVA + Size stays inside a section or inside
	// the file -- confirm the import walker bounds its own reads.
	BOOL DataDump::Import_Table_Existed( VOID ) const
	{
	  const DWORD importRva  = OPTIONAL_HEADER32.DataDirectory[1].VirtualAddress;
	  const DWORD importSize = OPTIONAL_HEADER32.DataDirectory[1].Size;

	  // A directory slot with a zero RVA or a zero size is treated as absent.
	  const bool declared = ( importRva != 0 ) && ( importSize != 0 );
	  // The RVA must not be smaller than the delta that will be subtracted from it.
	  const bool mappable = !( importRva < ImVRk );

	  return ( declared && mappable ) ? TRUE : FALSE;
	}

	

    // Writes the FILE_HEADER fields, a short summary and the decoded Characteristics flags
    // to fout. Clears fout's error state first and always returns TRUE.
    // The hex/dec base and the fill character set here stay in effect on fout afterwards.
    // NOTE(review): summary lines 2 and 3 are written while the stream is still in hex mode,
    // so the section count and the timestamp appear in hex without a label -- confirm that
    // is intended.
    // NOTE(review): every Machine value other than IMAGE_FILE_MACHINE_I386 is reported as
    // "64"-bit, which also covers machine types that are neither -- confirm.
    BOOL DataDump::Show_FILE_HEADER( ofstream& fout ) const
	{
	  // One printed header field: label, first pad literal, zero-padded hex width, value.
	  struct HeaderRow { const char* label; const char* pad; INT digits; DWORD value; };
	  const HeaderRow rows[] = {
		{ "Machine",              "            ", 4, FILE_HEADER.Machine },
		{ "NumberOfSections",     "            ", 4, FILE_HEADER.NumberOfSections },
		{ "TimeDateStamp",        "        ",     8, FILE_HEADER.TimeDateStamp },
		{ "PointerToSymbolTable", "        ",     8, FILE_HEADER.PointerToSymbolTable },
		{ "NumberOfSymbols",      "        ",     8, FILE_HEADER.NumberOfSymbols },
		{ "SizeOfOptionalHeader", "            ", 4, FILE_HEADER.SizeOfOptionalHeader },
		{ "Characteristics",      "            ", 4, FILE_HEADER.Characteristics }
	  };
	  const INT rowCount = (INT)( sizeof(rows)/sizeof(rows[0]) );

	  // Characteristics bit -> text written when the bit is set, in output order.
	  struct FlagText { DWORD mask; const char* text; };
	  const FlagText flags[] = {
		{ IMAGE_FILE_RELOCS_STRIPPED,     " NO_RELOCATION, " },
		{ IMAGE_FILE_EXECUTABLE_IMAGE,    " EXECUTABLE, " },
		{ IMAGE_FILE_AGGRESIVE_WS_TRIM,   " AGGRESIVE_CLEAR_WORKSPACE, " },
		{ IMAGE_FILE_LARGE_ADDRESS_AWARE, " ACCESS_2GB_MEMORY, " },
		{ IMAGE_FILE_32BIT_MACHINE,       " 32BIT_MACHINE, " },
		{ IMAGE_FILE_DEBUG_STRIPPED,      " NO_DEBUG_INFORMATION, " },
		{ IMAGE_FILE_DLL,                 " DLL_FILE, " },
		{ IMAGE_FILE_UP_SYSTEM_ONLY,      " ONLY_ONE_PROCESSOR, " }
	  };
	  const INT flagCount = (INT)( sizeof(flags)/sizeof(flags[0]) );

	  fout.clear();
	  fout<<"+++++++++++++++++ FILE HEADER IMFORMATION ++++++++++++++++++++++++++++++++"<<endl<<endl;

	  for ( INT r=0; r<rowCount; r++ )
	  {
		fout<<setfill(' ')<<setw(25)<<rows[r].label<<rows[r].pad<<"        ";
		fout<<setfill('0')<<hex<<setw(rows[r].digits)<<rows[r].value<<endl;
	  }
	  fout<<endl;	// blank line after the last field

	  fout<<"Brief Tips :"<<endl;
	  const char* bitness = ( FILE_HEADER.Machine==IMAGE_FILE_MACHINE_I386 ) ? "32" : "64";
	  fout<<"----> 1. Runs At The Environment Of "<<bitness<<"-Bit Machine."<<endl;

	  // Still in hex mode with fill '0' from the field rows above.
	  fout<<"----> 2. Contains "<<(WORD)FILE_HEADER.NumberOfSections<<" Sections."<<endl;
	  fout<<"----> 3. Created Time : "<<(time_t)FILE_HEADER.TimeDateStamp<<endl;
	  fout<<"----> 4. OptionalHeader Size Is "<<dec<<(WORD)FILE_HEADER.SizeOfOptionalHeader<<"(dec) Bytes."<<endl<<endl<<endl;

	  fout<<"FILE HEADER Features :";
	  for ( INT f=0; f<flagCount; f++ )
	  {
		if ( flags[f].mask & FILE_HEADER.Characteristics )
		{
		  fout<<flags[f].text;
		}
	  }
	  fout<<endl<<endl<<endl;

	  return TRUE;
	}

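	// Writes selected OPTIONAL_HEADER32 fields, the 16 DataDirectory slots (RVA and Size,
	// zero-padded hex) and the decoded Subsystem value to fout. Clears fout's error state
	// first and always returns TRUE. The stream is left in hex mode.
	// The last directory row ("No Use") now pads its Size to 8 digits like the other rows;
	// previously the width was applied to the spacer string instead of the value.
	// NOTE(review): all 16 slots are printed whatever NumberOfRvaAndSizes says; slots at or
	// beyond that count presumably do not describe the file -- confirm and consider marking them.
	BOOL DataDump::Show_OPTIONAL_HEADER32( ofstream& fout ) const
	{
	  // Scalar header fields in output order; every value is printed as 8 hex digits.
	  struct ScalarRow { const char* label; DWORD value; };
	  const ScalarRow scalars[] = {
		{ "AddressOfEntryPoint",   (DWORD)OPTIONAL_HEADER32.AddressOfEntryPoint },
		{ "ImageBase",             (DWORD)OPTIONAL_HEADER32.ImageBase },
		{ "SizeOfImage",           (DWORD)OPTIONAL_HEADER32.SizeOfImage },
		{ "SizeOfCode",            (DWORD)OPTIONAL_HEADER32.SizeOfCode },
		{ "BaseOfCode",            (DWORD)OPTIONAL_HEADER32.BaseOfCode },
		{ "BaseOfData",            (DWORD)OPTIONAL_HEADER32.BaseOfData },
		{ "Subsystem",             (WORD)OPTIONAL_HEADER32.Subsystem },
		{ "CheckSum",              (DWORD)OPTIONAL_HEADER32.CheckSum },
		{ "MajorLinkerVersion",    (DWORD)OPTIONAL_HEADER32.MajorLinkerVersion },
		{ "MajorImageVersion",     (WORD)OPTIONAL_HEADER32.MajorImageVersion },
		{ "MajorSubsystemVersion", (DWORD)OPTIONAL_HEADER32.MajorSubsystemVersion },
		{ "SectionAlignment",      (DWORD)OPTIONAL_HEADER32.SectionAlignment },
		{ "SizeOfHeaders",         (DWORD)OPTIONAL_HEADER32.SizeOfHeaders },
		{ "DllCharacteristics",    (DWORD)OPTIONAL_HEADER32.DllCharacteristics },
		{ "FileAlignment",         (DWORD)OPTIONAL_HEADER32.FileAlignment },
		// Label says SizeOfDataDirectory; the value is NumberOfRvaAndSizes.
		{ "SizeOfDataDirectory",   (DWORD)OPTIONAL_HEADER32.NumberOfRvaAndSizes }
	  };
	  const INT scalarCount = (INT)( sizeof(scalars)/sizeof(scalars[0]) );

	  // Row labels for DataDirectory[0..15], in index order.
	  const char* const directoryNames[] = {
		"Export Table", "Import Table", "Resource",    "Exception",
		"Security",     "Relocation",   "Debug",       "Copyright",
		"GlobalPtr",    "Tls Table",    "Load Config", "IAT",
		"Bound Import", "COM",          "Delay Import", "No Use"
	  };
	  const INT directoryCount = (INT)( sizeof(directoryNames)/sizeof(directoryNames[0]) );

	  fout.clear();
	  fout<<"+++++++++++++++++ OPTIONAL HEADER IMFORMATION ++++++++++++++++++++++++++++"<<endl<<endl;

	  for ( INT s=0; s<scalarCount; s++ )
	  {
		fout<<setfill(' ')<<setw(25)<<scalars[s].label<<"        "<<setfill('0')<<setw(8)<<hex<<scalars[s].value<<endl;
	  }
	  // NOTE(review): this prints the in-memory address of the DataDirectory array inside
	  // this object, not a value from the file; it writes a process address into the
	  // report, and the pointer-to-DWORD cast does not fit a 64-bit build. Confirm whether
	  // the row is wanted at all.
	  fout<<setfill(' ')<<setw(25)<<"AddressOfDataDirectory"<<"        "<<setfill('0')<<setw(8)<<hex<<(DWORD)OPTIONAL_HEADER32.DataDirectory<<endl<<endl;

	  fout<<" -----> DataDirectory :"<<endl<<endl;
	  
	  fout<<setfill(' ')<<setw(16)<<"Item"<<setw(16)<<"RVA"<<setw(16)<<"Size"<<endl;
	  fout<<"---------------------------------------------------------------------"<<endl;
	  for ( INT d=0; d<directoryCount; d++ )
	  {
		fout<<setfill(' ')<<setw(16)<<directoryNames[d]<<"        ";
		fout<<setfill('0')<<setw(8)<<(DWORD)OPTIONAL_HEADER32.DataDirectory[d].VirtualAddress;
		fout<<"        "<<setw(8)<<(DWORD)OPTIONAL_HEADER32.DataDirectory[d].Size<<endl;
	  }
	  fout<<endl;	// blank line after the table
	  
	  fout<<"SubSystem(User Interface) Features : ";
	  // Unlisted subsystem values write nothing, as the empty default case did.
	  const char* subsystemText = "";
	  switch ( OPTIONAL_HEADER32.Subsystem ) 
	  {
		case IMAGE_SUBSYSTEM_UNKNOWN :        subsystemText = " UNKNOW_SUBSYSTEM.";            break;
		case IMAGE_SUBSYSTEM_NATIVE :         subsystemText = " REQUIRED_NO_SUBSYSTEM.";       break;
		case IMAGE_SUBSYSTEM_WINDOWS_GUI :    subsystemText = " WINDOWS_GUI_SUBSYSTEM.";       break;
		case IMAGE_SUBSYSTEM_WINDOWS_CUI :    subsystemText = " WINDOWS_CHARACTER_SUBSYSTEM."; break;
		case IMAGE_SUBSYSTEM_OS2_CUI :        subsystemText = " OS/2_SUBSYSTEM.";              break;
		case IMAGE_SUBSYSTEM_POSIX_CUI :      subsystemText = " POSIX_SUBSYSTEM.";             break;
		case IMAGE_SUBSYSTEM_NATIVE_WINDOWS : subsystemText = " WIN9X_DRIVE_SUBSYSTEM.";       break;
	/*	case IMAGE_SUBSYSTEM_XBOX :
		{
	      fout<<" XBOX_SUBSYSTEM.";
		  break;
		}*/
		default : ;
	  }
	  fout<<subsystemText;
	  fout<<endl<<endl<<endl;

	  /*fout<<"DLL Features : "<<endl;
	  if ( IMAGE_DLLCHARACTERISTICS_WDM_DRIVE & OPTIONAL_HEADER32.DllCharacteristic )
	  {
	    fout<<" CODE Included, ";
	  }*/

	  return TRUE;
	}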

	BOOL DataDump::Show_SECTION_HEADER32( ofstream& fout ) const
	{
	  INT i = 0; 
	  fout.clear();
	  fout<<"++++++++++++++++++ SECTION HEADER IMFORMATION +++++++++++++++++++++++++"<<endl<<endl;
      
	  fout<<" -> "<<FILE_HEADER.NumberOfSections<<" Sections Contained !"<<endl<<endl;

	  fout<<setfill(' ')<<setw(10)<<"Name"<<setw(12)<<"VOffset"<<setw(12)<<"VSize"<<setw(12)<<"ROffset"<<setw(12)<<"RSize"<<setw(12)<<"Flags"<<endl;
	  fout<<"-----------------------------------------------------------------------"<<endl;
	  
	  for ( i=0; i<FILE_HEADER.NumberOfSections; i++ )
	  {
		fout<<setfill(' ')<<setw(10)<<SECTION_HEADER[i].Name;
		fout<<"    "<<setfill('0')<<setw(8)<<SECTION_HEADER[i].VirtualAddress<<"    "<<setw(8)<<SECTION_HEADER[i].Misc.VirtualSize<<"    "<<setw(8)<<SECTION_HEADER[i].PointerToRawData<<"    "<<setw(8)<<SECTION_HEADER[i].SizeOfRawData<<"    "<<setw(8)<<SECTION_HEADER[i].Characteristics<<endl;
	  }
      fout.fill(0);
	  fout<<endl;
      DWORD flag; 
	  for ( i=0; i<FILE_HEADER.NumberOfSections; i++ )
	  {
		fout<<setfill(' ')<<setw(8)<<SECTION_HEADER[i].Name<<" Segment Features :";
		flag = SECTION_HEADER[i].Characteristics;
		
		if ( IMAGE_SCN_CNT_CODE  & SECTION_HEADER[i].Characteristics )
		{
		  fout<<" CODE Included, ";
		}
		if ( IMAGE_SCN_MEM_EXECUTE  & SECTION_HEADER[i].Characteristics )
		{
		  fout<<" EXECUTABLE, ";
		}
		if ( IMAGE_SCN_CNT_INITIALIZED_DATA  & SECTION_HEADER[i].Characteristics )
		{
