// PEInfoDlg.cpp : implementation file
//
#include "stdafx.h"
#include "PE_Info.h"
#include "PEInfoDlg.h"
#ifdef _DEBUG
// Debug builds only: MFC AppWizard boilerplate that routes `new` through
// DEBUG_NEW and records this file's name for the debug allocator's reports.
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
/////////////////////////////////////////////////////////////////////////////
// CAboutDlg dialog used for App About
//
// Modal "About" box opened from the system menu (see CPEInfoDlg::OnSysCommand).
// It binds no controls through DDX and handles no messages. The
// //{{AFX ... }} markers are maintained by ClassWizard and must stay in place.
class CAboutDlg : public CDialog
{
public:
    CAboutDlg();

    // Dialog Data
    //{{AFX_DATA(CAboutDlg)
    enum { IDD = IDD_ABOUTBOX };   // resource id of the dialog template
    //}}AFX_DATA

    // ClassWizard generated virtual function overrides
    //{{AFX_VIRTUAL(CAboutDlg)
protected:
    virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV support
    //}}AFX_VIRTUAL

    // Implementation
protected:
    //{{AFX_MSG(CAboutDlg)
    //}}AFX_MSG
    DECLARE_MESSAGE_MAP()
};
// Binds the dialog to its IDD_ABOUTBOX template; there are no members to set.
CAboutDlg::CAboutDlg() : CDialog(CAboutDlg::IDD)
{
    //{{AFX_DATA_INIT(CAboutDlg)
    //}}AFX_DATA_INIT
}
// DDX hook. The About box exchanges nothing, so only the base class runs.
void CAboutDlg::DoDataExchange(CDataExchange* pDX)
{
    CDialog::DoDataExchange(pDX);
    //{{AFX_DATA_MAP(CAboutDlg)
    //}}AFX_DATA_MAP
}
// Empty message map: every message falls through to CDialog.
BEGIN_MESSAGE_MAP(CAboutDlg, CDialog)
    //{{AFX_MSG_MAP(CAboutDlg)
        // No message handlers
    //}}AFX_MSG_MAP
END_MESSAGE_MAP()
/////////////////////////////////////////////////////////////////////////////
// CPEInfoDlg dialog

// Main dialog. m_strinfo is the text shown in IDC_EDITINFO (bound in
// DoDataExchange) and stays empty until a file has been analysed.
CPEInfoDlg::CPEInfoDlg(CWnd* pParent /*=NULL*/)
    : CDialog(CPEInfoDlg::IDD, pParent)
{
    //{{AFX_DATA_INIT(CPEInfoDlg)
    m_strinfo = _T("");
    //}}AFX_DATA_INIT
    // Note that LoadIcon does not require a subsequent DestroyIcon in Win32
    m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
}
// DDX: m_openFileBut wraps the IDC_BUTOPEN button and m_strinfo mirrors the
// IDC_EDITINFO text in both directions (driven by UpdateData in _SetFile).
void CPEInfoDlg::DoDataExchange(CDataExchange* pDX)
{
    CDialog::DoDataExchange(pDX);
    //{{AFX_DATA_MAP(CPEInfoDlg)
    DDX_Control(pDX, IDC_BUTOPEN, m_openFileBut);
    DDX_Text(pDX, IDC_EDITINFO, m_strinfo);
    //}}AFX_DATA_MAP
}
// Message routing for the main dialog. WM_DROPFILES is bound by hand with
// ON_MESSAGE to OnDropFiles (LRESULT(WPARAM, LPARAM)); drops only arrive if
// the dialog accepts files (WS_EX_ACCEPTFILES / DragAcceptFiles), which is
// not set up anywhere in this file.
BEGIN_MESSAGE_MAP(CPEInfoDlg, CDialog)
    //{{AFX_MSG_MAP(CPEInfoDlg)
    ON_WM_SYSCOMMAND()
    ON_WM_PAINT()
    ON_WM_QUERYDRAGICON()
    ON_BN_CLICKED(IDC_BUTOPEN, OnButopen)
    ON_MESSAGE(WM_DROPFILES,OnDropFiles)
    //}}AFX_MSG_MAP
END_MESSAGE_MAP()
/////////////////////////////////////////////////////////////////////////////
// CPEInfoDlg message handlers

// One-time dialog setup: adds "About..." to the system menu, installs the
// window icons and copies the packer signature table into m_FeatureList.
// Returns TRUE so the framework keeps the default focus.
BOOL CPEInfoDlg::OnInitDialog()
{
    CDialog::OnInitDialog();

    // IDM_ABOUTBOX has to sit in the system command range: low four bits
    // clear and below 0xF000, otherwise OnSysCommand can never see it.
    ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);
    ASSERT(IDM_ABOUTBOX < 0xF000);

    CMenu* sysMenu = GetSystemMenu(FALSE);
    if (sysMenu != NULL)
    {
        CString aboutLabel;
        aboutLabel.LoadString(IDS_ABOUTBOX);
        if (!aboutLabel.IsEmpty())
        {
            sysMenu->AppendMenu(MF_SEPARATOR);
            sysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, aboutLabel);
        }
    }

    // A dialog used as the application's main window sets its own icons;
    // the framework only does this for non-dialog main windows.
    SetIcon(m_hIcon, TRUE);    // big icon
    SetIcon(m_hIcon, FALSE);   // small icon

    // Load the signature table into the member list. GetItemCount() and
    // g_ShellInfoTab are defined outside this file.
    const DWORD signatureCount = GetItemCount();
    for (DWORD idx = 0; idx < signatureCount; ++idx)
    {
        m_FeatureList.push_back(g_ShellInfoTab[idx]);
    }

    return TRUE;   // focus was not moved to a control
}
// WM_SYSCOMMAND handler. Only the command bits of nID are compared (the low
// four bits are reserved by the system); the About item opens CAboutDlg,
// anything else is left to CDialog.
void CPEInfoDlg::OnSysCommand(UINT nID, LPARAM lParam)
{
    const bool isAboutCommand = ((nID & 0xFFF0) == IDM_ABOUTBOX);
    if (!isAboutCommand)
    {
        CDialog::OnSysCommand(nID, lParam);
        return;
    }

    CAboutDlg aboutBox;
    aboutBox.DoModal();
}
// WM_PAINT handler. When the dialog is minimised the framework does not draw
// the icon for us (it only does that for document/view main windows), so
// erase the background and centre m_hIcon in the client area; otherwise
// normal dialog painting applies.
void CPEInfoDlg::OnPaint()
{
    if (!IsIconic())
    {
        CDialog::OnPaint();
        return;
    }

    CPaintDC dc(this);
    SendMessage(WM_ICONERASEBKGND, reinterpret_cast<WPARAM>(dc.GetSafeHdc()), 0);

    const int iconWidth = GetSystemMetrics(SM_CXICON);
    const int iconHeight = GetSystemMetrics(SM_CYICON);
    CRect client;
    GetClientRect(&client);

    // Centre the icon; the +1 rounds the half-pixel towards the right/bottom.
    const int left = (client.Width() - iconWidth + 1) / 2;
    const int top = (client.Height() - iconHeight + 1) / 2;
    dc.DrawIcon(left, top, m_hIcon);
}
// WM_QUERYDRAGICON handler: the cursor shown while the minimised window is
// dragged is simply the application icon (HCURSOR and HICON are the same
// handle type in Win32).
HCURSOR CPEInfoDlg::OnQueryDragIcon()
{
    return static_cast<HCURSOR>(m_hIcon);
}
// IDC_BUTOPEN click: let the user pick an executable and analyse it.
// OFN_FILEMUSTEXIST rejects typed-in names that do not exist and
// OFN_NOCHANGEDIR keeps the process's working directory where it was.
void CPEInfoDlg::OnButopen()
{
    static const char kFilter[] = "EXE File (*.exe)|*.EXE|All Files (*.*)|*.*||";

    CFileDialog openDlg(TRUE, NULL, "", OFN_FILEMUSTEXIST | OFN_NOCHANGEDIR, kFilter, this);
    if (openDlg.DoModal() == IDOK)
    {
        _SetFile(openDlg.GetPathName());
    }
}
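// WM_DROPFILES handler: analyses the first file dropped onto the dialog.
// wParam carries the shell's HDROP; lParam is unused. Returns 1 when the
// path was handed to _SetFile and 0 when the drop was rejected.
//
// Compared with the original: the HDROP is released with DragFinish on every
// path (it was never released, leaking the shell's drop buffer per drop), the
// path buffer is only used when DragQueryFile actually filled it, and a path
// whose attributes cannot be read is no longer reported as a folder -
// INVALID_FILE_ATTRIBUTES has the directory bit set, so the old test fired
// for any unreadable path. Such a path now reaches _SetFile, whose CreateFile
// failure message carries the real error code.
LRESULT CPEInfoDlg::OnDropFiles(WPARAM wParam, LPARAM lParam)
{
    HDROP hDrop = reinterpret_cast<HDROP>(wParam);
    char szDroppedFile[MAX_PATH] = { 0 };

    // Index 0 = first dropped file; the return value is the number of
    // characters copied (0 when nothing was copied). Only the first file
    // is analysed, as before. A path longer than MAX_PATH is truncated by
    // DragQueryFile and will then fail to open in _GetShell.
    const UINT cchPath = DragQueryFile(hDrop, 0, szDroppedFile, MAX_PATH);
    DragFinish(hDrop);   // required for every WM_DROPFILES, regardless of outcome
    if (cchPath == 0)
    {
        return 0;
    }

    const DWORD dwAttrs = ::GetFileAttributes(szDroppedFile);
    if (dwAttrs != INVALID_FILE_ATTRIBUTES && (dwAttrs & FILE_ATTRIBUTE_DIRECTORY))
    {
        AfxMessageBox("文件夹不能分析!");
        return 0;
    }

    _SetFile(szDroppedFile);
    return 1;
}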
// Runs the signature scan on _FileName and shows the result in IDC_EDITINFO.
// UpdateData(TRUE) first pulls the controls into the members, then the
// report is stored in m_strinfo and pushed back out with UpdateData(FALSE).
void CPEInfoDlg::_SetFile(CONST CString & _FileName)
{
    UpdateData(TRUE);
    m_strinfo = _GetShell(_FileName);
    UpdateData(FALSE);
}
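// Maps _FileName read-only, locates its entry point and compares the bytes
// there against every signature in m_FeatureList (first match wins, so the
// table order is the priority order). Also sets the window title to the
// file name.
//
// Returns the matching signature's Info text, or one of the status strings:
// "not detected", open / mapping failure with the Win32 error code, or
// "not a PE file" (used for every header-validation failure).
//
// The file is untrusted input - this tool is pointed at arbitrary, possibly
// hostile, executables - so every header field used to derive a pointer is
// checked against the mapped size before it is dereferenced. The original
// trusted e_lfanew and AddressOfEntryPoint blindly, so a crafted or
// truncated header could make it read outside the mapping. It also called
// CloseHandle/UnmapViewOfFile on the failed (invalid) handle in each error
// path; those calls are gone.
//
// NOTE(review): reading a mapped view whose backing file becomes unavailable
// (removable or network media) raises EXCEPTION_IN_PAGE_ERROR, which nothing
// here catches. _DetectShell reads up to the signature's own length past the
// entry point and that reach is not bounded by the file size here; bounding
// it needs a size parameter on _DetectShell, whose signature lives in the
// header outside this file.
CString CPEInfoDlg::_GetShell(CONST CString& _FileName)
{
    SetWindowText(_FileName);
    CString strShell("未检测到!:(");

    HANDLE hFile = CreateFile(_FileName, GENERIC_READ, FILE_SHARE_READ, 0,
                              OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        // INVALID_HANDLE_VALUE is not a handle; nothing to close.
        const DWORD dwError = GetLastError();
        strShell.Format("文件打开失败,错误代码为:%u", dwError);
        return strShell;
    }

    // The size bounds every header access below. Only the low 32 bits are
    // taken; a file that large cannot be mapped whole by a 32-bit process
    // anyway and CreateFileMapping/MapViewOfFile will report it.
    const DWORD dwFileSize = GetFileSize(hFile, NULL);
    if (dwFileSize == INVALID_FILE_SIZE)
    {
        const DWORD dwError = GetLastError();
        CloseHandle(hFile);
        strShell.Format("文件打开失败,错误代码为:%u", dwError);
        return strShell;
    }

    HANDLE hMapping = CreateFileMapping(hFile, 0, PAGE_READONLY | SEC_COMMIT, 0, 0, 0);
    if (hMapping == NULL)
    {
        // Also the path taken for a zero-length file.
        const DWORD dwError = GetLastError();
        CloseHandle(hFile);
        strShell.Format("创建文件映射失败,错误代码为:%u", dwError);
        return strShell;
    }

    void* pBase = ::MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);
    if (pBase == NULL)
    {
        const DWORD dwError = GetLastError();
        CloseHandle(hMapping);
        CloseHandle(hFile);
        strShell.Format("映射文件失败,错误代码为:%u",dwError);
        return strShell;
    }

    // Validate DOS header -> NT headers -> entry point, each step only after
    // the structure it reads is known to lie entirely inside the view.
    const LPBYTE pBytes = static_cast<LPBYTE>(pBase);
    LPBYTE pEntryPoint = NULL;   // stays NULL unless every check passes

    if (dwFileSize >= sizeof(IMAGE_DOS_HEADER))
    {
        const IMAGE_DOS_HEADER* pDos = reinterpret_cast<const IMAGE_DOS_HEADER*>(pBytes);
        // e_lfanew is signed: a negative or oversized value would point
        // outside the view. The whole IMAGE_NT_HEADERS must fit at it.
        if (pDos->e_magic == IMAGE_DOS_SIGNATURE &&
            pDos->e_lfanew >= 0 &&
            dwFileSize >= sizeof(IMAGE_NT_HEADERS) &&
            static_cast<DWORD>(pDos->e_lfanew) <= dwFileSize - sizeof(IMAGE_NT_HEADERS))
        {
            const IMAGE_NT_HEADERS* pNt =
                reinterpret_cast<const IMAGE_NT_HEADERS*>(pBytes + pDos->e_lfanew);
            if (pNt->Signature == IMAGE_NT_SIGNATURE)
            {
                // RVA2Offset is defined outside this file; any result at or
                // past the end of the file (including a failure sentinel
                // such as -1) is rejected.
                const DWORD dwEntryOffset =
                    RVA2Offset(pBase, pNt->OptionalHeader.AddressOfEntryPoint);
                if (dwEntryOffset < dwFileSize)
                {
                    pEntryPoint = pBytes + dwEntryOffset;
                }
            }
        }
    }

    if (pEntryPoint == NULL)
    {
        UnmapViewOfFile(pBase);
        CloseHandle(hMapping);
        CloseHandle(hFile);
        strShell = "不是PE文件!";
        return strShell;
    }

    FeatureVec::iterator it = m_FeatureList.begin();
    const FeatureVec::iterator end = m_FeatureList.end();
    for (; it != end; ++it)
    {
        if (_DetectShell(pEntryPoint, it->Pos, it->Fea, it->IsOrdered))
        {
            strShell.Format("%s", it->Info);
            break;
        }
    }

    UnmapViewOfFile(pBase);
    CloseHandle(hMapping);
    CloseHandle(hFile);
    return strShell;
}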
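// Compares the bytes at pEntryPoint against one signature.
//
// Fea holds the expected bytes as a hex string, two characters per byte,
// decoded with GetHexValue (defined outside this file). With IsOrdered the
// bytes must appear contiguously from pEntryPoint. Otherwise pos holds, in
// the same encoding, a 1-based offset from pEntryPoint for each byte of Fea
// at which that byte must be found.
//
// Returns TRUE when every byte matches, FALSE at the first mismatch or for
// a malformed positional signature. The caller guarantees pEntryPoint lies
// inside a mapped view; this function cannot check the view's size and
// reads up to Fea.GetLength()/2 bytes (ordered) or up to the largest offset
// in pos (positional) past pEntryPoint.
//
// Changes over the original: the positional loop runs over the shorter of
// pos and Fea (it used pos's length alone and could index past the end of a
// shorter Fea), an offset below 1 - meaningless for a 1-based position and a
// read before pEntryPoint - rejects the signature instead of being followed,
// and the needless CString copy of pos is dropped (GetHexValue already
// accepts the const Fea, so it accepts const pos too).
BOOL CPEInfoDlg::_DetectShell(CONST LPBYTE pEntryPoint, CONST CString& pos, CONST CString& Fea, bool IsOrdered)
{
    const int cbFea = Fea.GetLength() / 2;

    if (IsOrdered)
    {
        for (int i = 0; i < cbFea; ++i)
        {
            const BYTE actual = pEntryPoint[i];
            const BYTE expected = static_cast<BYTE>(GetHexValue(Fea, i));
            if (actual != expected)
            {
                return FALSE;
            }
        }
        return TRUE;
    }

    // Positional: one offset per feature byte; only pairs present in both
    // strings are checked.
    const int cbPos = pos.GetLength() / 2;
    const int cbCheck = (cbPos < cbFea) ? cbPos : cbFea;
    for (int j = 0; j < cbCheck; ++j)
    {
        const int offset = GetHexValue(pos, j);   // 1-based
        if (offset < 1)
        {
            return FALSE;   // would read before pEntryPoint
        }
        const BYTE actual = pEntryPoint[offset - 1];
        const BYTE expected = static_cast<BYTE>(GetHexValue(Fea, j));
        if (actual != expected)
        {
            return FALSE;
        }
    }
    return TRUE;
}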