
📄 feature.cpp

📁 PE文件加壳信息的检测
	{"","609CBE001040008BFEB928030000BB78563412AD33C3ABE2FA9D61","PEncrypt 1.0 -> junkcode",1},
	{"","EB02C7851EEB03CD20EBEB01EB9CEB01EBEB02CD","PE Lock NT 2.02c -> :MARQUiS:",1},
	{"","EB03CD20EBEB01EB1EEB01EBEB02CD209CEB03CD","PE Lock NT 2.01 -> :MARQUiS:",1},
	{"","BD01ADE3384000FFB5DF3840","PC Shrinker 0.45 -> Virogen",1},
	{"","E8E80100006001ADB327400068","PC Shrinker 0.20 -> Virogen",1},
	{"","8B04249C60E8000000005D81ED0A45400080BD67444000000F8548","PE Intro 1.0 -> Predator NLS",1},
	{"","E8000000005B83EB05EB04524E44","PE Crypt 1.02 -> random, killa & acpizer",1},
	{"","E8000000005B83EB05EB04524E4421EB02CD20EB","PE Crypt 1.00/1.01/Console -> random, killa & acpizer",1},
	{"","EB0668C39C60E80233C08BC483C004938BE38B5BFC81EB3F904087DD8B85E69040018533904066C785904090900185DA90400185DE90400185E29040BB7B11","PECompact 1.68 - 1.84 -> Jeremy Collake",1},
	{"","EB0668C39C60E80233C08BC483C004938BE38B5BFC81EB3F904087DD8B85E69040018533904066C785904090900185DA90400185DE90400185E29040BB8B11","PECompact 1.67 -> Jeremy Collake",1},
	{"","EB0668C39C60E80233C08BC483C004938BE38B5BFC81EB3F804087DD8B85D28040018533804066C785804090900185CE8040BBBB12","PECompact 1.60 - 1.65 -> Jeremy Collake",1},
	{"","EB0668C39C60E80233C08BC483C004938BE38B5BFC81EB0F904087DD8B85A29040018503904066C7859040909001859E9040BB2D12","PECompact 1.56 -> Jeremy Collake",1},
	{"","EB0668C39C60E80233C08BC483C004938BE38B5BFC81EB0F804087DD8B85A28040018503804066C7858040909001859E8040BB2D12","PECompact 1.55 -> Jeremy Collake",1},
	{"","EB0668C39C60E80233C08BC483C004938BE38B5BFC81EB0FA04087DD8B85A6A040018503A04066C785A040909001859EA040BB5B12","PECompact 1.47 - 1.50 -> Jeremy Collake",1},
	{"","EB0668C39C60E80233C08BC483C004938BE38B5BFC81EB0FA04087DD8B85A6A040018503A04066C785A040909001859EA040BB6012","PECompact 1.46 -> Jeremy Collake",1},
	{"","EB0668C39C60E80233C08BC483C004938BE38B5BFC81EB0FA04087DD8B85A6A040018503A04066C785A040909001859EA040BBC311","PECompact 1.40 - 1.45 -> Jeremy Collake",1},
	{"","EB0668C39C60E80233C08BC483C004938BE38B5BFC81EB0FA04087DD8B85A6A040018503A04066C785A040909001859EA040BB8A11","PECompact 1.40b5 - 1.40b6 -> Jeremy Collake",1},
	{"","EB0668C39C60E80233C08BC483C004938BE38B5BFC81EB0FA04087DD8B85A6A040018503A04066C785A040909001859EA040BB8611","PECompact 1.40b2 - 1.40b4 -> Jeremy Collake",1},
	{"","EB0668C39C60E80233C08BC483C004938BE38B5BFC81EB0F804087DD8B85A68040018503804066C785008040909001859E8040BBF810","PECompact 1.34 - 1.40b1 -> Jeremy Collake",1},
	{"","EB0668C39C60E80233C08BC483C004938BE38B5BFC81EB0F704087DD8B85A67040018503704066C7857040909001859E7040BB050E","PECompact 1.26b1 - 1.26b2 -> Jeremy Collake",1},
	{"","EB0668C39C60E80233C08BC483C004938BE38B5BFC81EB0F704087DD8B85A67040018503704066C7857040909001859E7040BBF30D","PECompact 1.25 -> Jeremy Collake",1},
	{"","EB0668C39C60E80233C08BC483C004938BE38B5BFC81EB0F704087DD8B85A67040018503704066C7857040909001859E7040BBD209","PECompact 1.24.2 - 1.24.3 -> Jeremy Collake",1},
	{"","EB0668C39C60E80233C08BC483C004938BE38B5BFC81EB0F704087DD8B85A67040018503704066C7857040909001859E7040BBD208","PECompact 1.23b3 - 1.24.1 -> Jeremy Collake",1},
	{"","EB0668C39C60E80233C08BC483C004938BE38B5BFC81EB0F604087DD8B85956040018503604066C78560409090BB49","PECompact 1.10b5 -> Jeremy Collake",1},
	{"","EB0668C39C60E80233C08BC483C004938BE38B5BFC81EB0F604087DD8B85956040018503604066C78560409090BB44","PECompact 1.10b4 -> Jeremy Collake",1},
	{"","EB0668C39C60E80233C08BC483C004938BE38B5BFC81EB0F604087DD8B859460","PECompact 1.10b2 -> Jeremy Collake",1},
	{"","EB0668C39C60E80233C08BC483C004938BE38B5BFC81EB28634087DD8B85AD63","PECompact 1.10b1 -> Jeremy Collake",1},
	{"","EB0668C39C60E80233C08BC483C004938BE38B5BFC81EBC4844087DD8B854985","PECompact 1.00 -> Jeremy Collake",1},
	{"","EB0668C39C60E80233C08BC483C004938BE38B5BFC81EB2F854087DD8B85B485","PECompact 0.99 -> Jeremy Collake",1},
	{"","EB0668C39C60E80233C08BC483C004938BE38B5BFC81EBD7844087DD8B855C85","PECompact 0.98 -> Jeremy Collake",1},
	{"","EB0668C39C60E80233C08BC483C004938BE38B5BFC81EBD1844087DD8B855685","PECompact 0.978.2 -> Jeremy Collake",1},
	{"","EB0668C39C60E80233C08BC483C004938BE38B5BFC81EB49874087DD8B85CE87","PECompact 0.978.1 -> Jeremy Collake",1},
	{"","EB0668C39C60E80233C08BC483C004938BE38B5BFC81EB24884087DD8B85A988","PECompact 0.978 -> Jeremy Collake",1},
	{"","EB0668C39C60E85D555B81ED8B85018566C785","PECompact 0.971 - 0.976 -> Jeremy Collake",1},
	{"","5550E8000000005DEB01E360E803000000D2EB0B58EB014840EB01","PC-Guard 3.03d -> Blagoje Ceklic",1},
	{"","EB019AE83D000000EB019AE8EB010000EB019AE82C040000EB01","NoodleCrypt 2.0 -> noodlespa",1},
	{"","8B0C24E9C08D0100C13A6ECA5D7E796DB3645A71EA","Krypton 0.3 -> Yado/Lockless",1},
	{"","60E8000000005EB9470800002BC002040ED3C04979F8418D7E2C3346F666B91B","kryptor 9 / kryptor a -> r!sc & noodlespa",1},
	{"","EB6A87DB00000000","kryptor 8 -> r!sc & noodlespa",1},
	{"","6A0060E901010000","EP v2.0 -> CoDe_Inside",1},
	{"","5083C0178BF09733C033C9B124ACAA86C4","EP v1.0 -> CoDe_Inside",1},
	{"","3BC074028183553BC074028183533BC97401BC028100003BDB7401BE5D8BD581EDEC8D4000","EXE32Pack 1.39 -> SteelBytes",1},
	{"","3BC074028183553BC074028183533BC97401BC028100003BDB7401BE5D8BD581EDDC8D4000","EXE32Pack 1.38 -> SteelBytes",1},
	{"","3BC074028183553BC074028183533BC97401BC028100003BDB7401BE5D8BD581ED4C8E4000","EXE32Pack 1.37 -> SteelBytes",1},
	{"","9CFE030060BE000041008DBE0010FFFF5783CDFFEB10","ExeSmasher",1},
	{"","EB033A4D3A1EEB02CD209CEB02CD20EB02CD2060","BJFNT 1.3 -> :MARQUiS:",1},
	{"","EB0269B183EC04EB03CD20EBEB01EB9CEB01EBEB","BJFNT 1.2rc -> :MARQUiS:",1},
	{"","A8030000617508B801000000C20C006800000000C38B85260400008D8D3B0400005150FF95","ASPack 2.xx Heuristic Mode -> Alexey Solodovnikov",1},
	{"","60E802000000EB095D5581ED39394400C3E959040000","ASPack 2.11c -> Alexey Solodovnikov",1},
	{"","60E8000000005D81ED0A4A4400BB044A440003DD2B9DB150440083BDAC50440000899DBB4E","ASPack 1.08.03 -> Alexey Solodovnikov",1},
	{"","60EB035DFFE5E8F8FFFFFF81ED1B6A4400BB106A440003DD2B9D2A","ASPack 1.08.x -> Alexey Solodovnikov",1},
	{"","60E8000000005D81ED00B80003C52B850BDE898517DE0080BD01DE0000","ASPack 1.07b -> Alexey Solodovnikov",1},
	{"","60E8000000005D81EDEAA84300B8E4A8430003C52B8578AD4300898584AD430080BD6EAD43","ASPack 1.061b -> Alexey Solodovnikov",1},
	{"","60E8000000005D81EDCE3A4400B8C83A440003C52B85B53E44008985C13E440080BDAC3E44","ASPack 1.05b -> Alexey Solodovnikov",1},
	{"","60E8000000005D81EDAE984300B8A898430003C52B85189D43008985249D430080BD0E9D43","ASPack 1.03b -> Alexey Solodovnikov",1},
	{"","60E8000000005D81ED96784300B89078430003C52B857D7C43008985897C430080BD747C43","ASPack 1.02b -> Alexey Solodovnikov",1},
	{"","60E8000000005D81EDD22A4400B8CC2A440003C52B85A52E44008985B12E440080BD9C2E44","ASPack 1.01b -> Alexey Solodovnikov",1},
	{"","558BEC6AFF686864A100000000506489250000000083EC535657","Microsoft Visual C++ 6.0",1},
	{"","538BD833C0A36A00E8FFA3A1A333C0A333C0A3E8","Borland Delphi 6.0",1},
	{"","EB1066623A432B2B484F4F4B90E9A1C1E002A38B","Borland C++ DLL Method 3",1},
	{"","558BEC6AFF6850687464A100000000506489250000000083EC585356578965E8FF155833D28AD48915FC","Armadillo 2.60 beta1 -> Silicon Realms Toolworks",1},
	{"","558BEC6AFF6840685464A100000000506489250000000083EC585356578965E8FF155833D28AD48915EC","Armadillo 2.53 -> Silicon Realms Toolworks",1},
	{"","558BEC6AFF68E068D464A100000000506489250000000083EC585356578965E8FF1538","Armadillo 2.52 -> Silicon Realms Toolworks",1},
	{"","558BEC6AFF68B0686064A100000000506489250000000083EC585356578965E8FF1524","Armadillo 2.52 beta2 -> Silicon Realms Toolworks",1},
};

// Returns the number of entries in the g_ShellInfoTab signature table,
// computed as the table's total size divided by the size of one Feature.
// NOTE(review): assumes g_ShellInfoTab is declared as an array of Feature;
// the declaration is not visible in this part of the file.
DWORD	GetItemCount()
{
	const DWORD dwEntries = (DWORD)(sizeof(g_ShellInfoTab) / sizeof(Feature));
	return dwEntries;
}
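// Translate an RVA into the offset of the same data inside the raw file.
//
// pFileHead : start of the PE file contents, laid out as on disk.
// dwRVA     : relative virtual address to translate.
// Returns the file offset, or 0 when the headers are not a recognisable PE
// image or no section's raw data covers dwRVA. 0 is also a valid-looking
// offset, so callers cannot tell "not found" from "offset 0".
//
// NOTE(review): the length of the buffer is not passed in, so this function
// cannot check that e_lfanew, the section table, or the returned offset lie
// inside the file. The files inspected here may be deliberately malformed;
// the caller must compare every header position and the returned offset
// against the real file size before dereferencing.
DWORD RVA2Offset(LPVOID pFileHead , DWORD dwRVA)
{
	if (pFileHead == NULL)
		return 0;

	const IMAGE_DOS_HEADER * pIDH = (const IMAGE_DOS_HEADER *)pFileHead;
	// e_lfanew is signed; a non-positive value would point at or before the DOS header.
	if (pIDH->e_magic != IMAGE_DOS_SIGNATURE || pIDH->e_lfanew <= 0)
		return 0;

	const IMAGE_NT_HEADERS * pINH = (const IMAGE_NT_HEADERS *)((const char *)pFileHead + pIDH->e_lfanew);
	if (pINH->Signature != IMAGE_NT_SIGNATURE)
		return 0;

	// Locate the section table. It starts right after the optional header,
	// whose real size is FileHeader.SizeOfOptionalHeader; using
	// sizeof(IMAGE_NT_HEADERS) mislocates the table whenever the file's
	// optional header differs from the build's structure (e.g. PE32+ files
	// inspected by a 32-bit build).
	const IMAGE_SECTION_HEADER * pISH = (const IMAGE_SECTION_HEADER *)
		((const char *)&pINH->OptionalHeader + pINH->FileHeader.SizeOfOptionalHeader);
	const int nSecCount = pINH->FileHeader.NumberOfSections;

	// Scan the sections and find the one whose raw data contains the RVA.
	for (int i = 0 ; i < nSecCount ; i ++, pISH ++)
	{
		if (dwRVA < pISH->VirtualAddress)
			continue;

		// Compare the distance into the section instead of computing
		// VirtualAddress + SizeOfRawData, which can wrap around 32 bits.
		const DWORD dwDelta = dwRVA - pISH->VirtualAddress; // offset in section
		if (dwDelta >= pISH->SizeOfRawData)
			continue;

		// Refuse a file offset that would wrap around 32 bits.
		if (dwDelta > MAXDWORD - pISH->PointerToRawData)
			return 0;

		return pISH->PointerToRawData + dwDelta; // file offset
	}

	return 0;
}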
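// Decode one byte from a string of hexadecimal digit pairs.
//
// strHex : signature text, two hex digits per byte.
// pos    : zero-based index of the byte (not of the character) to decode.
// Returns the byte value narrowed to char, so values 0x80..0xFF come back
// negative where char is signed.
char GetHexValue(CONST CString& strHex, int pos)
{
	// Two characters are read, at pos*2 and pos*2+1, so the string must hold
	// at least pos*2+2 of them. assert() is compiled out when NDEBUG is
	// defined, so callers still have to keep pos within the string's length.
	assert(pos >= 0 && strHex.GetLength() >= pos*2+2);

	char hexchar[3];
	hexchar[0]= strHex[pos*2];
	hexchar[1]= strHex[pos*2+1];
	hexchar[2]= 0;

	// strtol stops at the first non-hex character and yields 0 when there is
	// none to parse, which cannot be told apart from a genuine "00" pair.
	long lValue = strtol( hexchar, NULL ,16 );
	return (char)lValue;
}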
