📄 pedump.c
/*
 * Copy the optional header of the mapped image at lpFile into *pHeader.
 *
 * Returns TRUE after copying sizeof (IMAGE_OPTIONAL_HEADER) bytes from
 * OPTHDROFFSET (lpFile).  Returns FALSE, leaving *pHeader untouched, when
 * ImageFileType (lpFile) does not report IMAGE_NT_SIGNATURE.
 *
 * NOTE(review): the size of the mapping is not passed in, so nothing here
 * checks that a complete optional header lies inside it; presumably the
 * caller has established that for files of unknown origin -- confirm.
 */
BOOL WINAPI
GetPEOptionalHeader (
    LPVOID lpFile,
    PIMAGE_OPTIONAL_HEADER pHeader)
{
    /* anything but an NT signature is rejected before the copy */
    if (ImageFileType (lpFile) != IMAGE_NT_SIGNATURE)
        return FALSE;

    /* optional header follows file header and dos header */
    bcopy (OPTHDROFFSET (lpFile), (LPVOID) pHeader, sizeof (IMAGE_OPTIONAL_HEADER));
    return TRUE;
}
/*
 * Return the AddressOfEntryPoint field of the optional header, cast to a
 * pointer.  lpFile must be a memory mapped file pointer to the beginning of
 * the image file.
 *
 * The field is an RVA taken from the file as-is; it is not translated through
 * the section table here, so the result is not an address inside the mapping.
 * Returns NULL only if OPTHDROFFSET (lpFile) yields NULL.
 */
LPVOID WINAPI
GetModuleEntryPoint (
    LPVOID lpFile)
{
    PIMAGE_OPTIONAL_HEADER pOptHdr = (PIMAGE_OPTIONAL_HEADER) OPTHDROFFSET (lpFile);

    if (pOptHdr == NULL)
        return NULL;
    return (LPVOID) (pOptHdr->AddressOfEntryPoint);
}
/*
 * Return the total number of sections in the module, i.e. the
 * NumberOfSections field of the file header at PEFHDROFFSET (lpFile).
 *
 * The value is read from the file and returned without validation; the
 * callers in this file use it as the loop bound over the section table.
 */
int WINAPI
NumOfSections (
    LPVOID lpFile)
{
    PIMAGE_FILE_HEADER pFileHdr = (PIMAGE_FILE_HEADER) PEFHDROFFSET (lpFile);

    return (int) pFileHdr->NumberOfSections;
}
/*
 * Return the ImageBase field of the optional header, cast to a pointer.
 *
 * This is the load address recorded in the file, not an address inside the
 * mapping at lpFile.  Returns NULL only if OPTHDROFFSET (lpFile) yields NULL.
 */
LPVOID WINAPI
GetImageBase (
    LPVOID lpFile)
{
    PIMAGE_OPTIONAL_HEADER pOptHdr = (PIMAGE_OPTIONAL_HEADER) OPTHDROFFSET (lpFile);

    if (pOptHdr == NULL)
        return NULL;
    return (LPVOID) (pOptHdr->ImageBase);
}
//
// This function is written by sang cho
// .. october 5, 1997
//
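/*
 * Translate an RVA into an address inside the mapped file.  lpFile must be a
 * memory mapped file pointer to the beginning of the image file.
 *
 * Returns NULL when dwRVA is 0 or when no section header covers it.  An RVA
 * with the top bit set prints a diagnostic and ends the process.
 *
 * The result is computed with pointer arithmetic on lpFile rather than by
 * casting the pointer to int, which dropped the upper half of the address on
 * hosts where pointers are wider than int.
 *
 * NOTE(review): the section count, VirtualAddress, SizeOfRawData and
 * PointerToRawData all come from the file, and the size of the mapping is not
 * known here, so the returned address is not checked against the end of the
 * mapping.  Callers that read through it must not assume it is in range.
 */
LPVOID WINAPI
GetActualAddress (
    LPVOID lpFile,
    DWORD dwRVA)
{
    PIMAGE_SECTION_HEADER psh = (PIMAGE_SECTION_HEADER) SECHDROFFSET (lpFile);
    int nSections = NumOfSections (lpFile);
    int i;

    if (dwRVA == 0)
        return NULL;

    if (dwRVA & 0x80000000)
    {
        /* kept from the original: a library-level exit, and with status 0 */
        printf ("\n$$ what is going on $$");
        exit (0);
    }

    /* locate the section whose raw data range contains the RVA */
    for (i = 0; i < nSections; i++, psh++)
    {
        if (psh->VirtualAddress <= dwRVA &&
            psh->VirtualAddress + psh->SizeOfRawData > dwRVA)
            break;
    }
    if (i >= nSections)
        return NULL;

    /* file address = mapping base + offset within section + section's file offset */
    return (LPVOID) ((char *) lpFile + (dwRVA - psh->VirtualAddress) +
                     psh->PointerToRawData);
}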
//
// This function is modified by sang cho
//
//
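/*
 * Return the address, inside the mapping at lpFile, of the data named by
 * entry dwIMAGE_DIRECTORY of the optional header's DataDirectory.
 *
 * Returns NULL when the index is out of range, when the entry's
 * VirtualAddress is 0, or when no section header covers that RVA.
 *
 * The RVA is kept in a DWORD and the result is computed with pointer
 * arithmetic on lpFile; the original round-tripped both through int/LPVOID
 * casts, which truncates the mapping address where pointers are wider than
 * int.
 *
 * NOTE(review): the section table fields come from the file and the size of
 * the mapping is not known here, so the returned address is not checked
 * against the end of the mapping.
 */
LPVOID WINAPI
ImageDirectoryOffset (
    LPVOID lpFile,
    DWORD dwIMAGE_DIRECTORY)
{
    PIMAGE_OPTIONAL_HEADER poh = (PIMAGE_OPTIONAL_HEADER) OPTHDROFFSET (lpFile);
    PIMAGE_SECTION_HEADER psh = (PIMAGE_SECTION_HEADER) SECHDROFFSET (lpFile);
    int nSections = NumOfSections (lpFile);
    int i;
    DWORD dwDirRVA;

    /* must be 0 thru (NumberOfRvaAndSizes-1); that count is read from the
       file, so the index is also held to the declared size of the table
       (assumes DataDirectory is a fixed-size array member -- confirm) */
    if (dwIMAGE_DIRECTORY >= poh->NumberOfRvaAndSizes ||
        dwIMAGE_DIRECTORY >= sizeof poh->DataDirectory / sizeof poh->DataDirectory[0])
        return NULL;

    /* locate specific image directory's relative virtual address */
    dwDirRVA = poh->DataDirectory[dwIMAGE_DIRECTORY].VirtualAddress;
    if (dwDirRVA == 0)
        return NULL;

    /* locate section containing image directory */
    for (i = 0; i < nSections; i++, psh++)
    {
        if (psh->VirtualAddress <= dwDirRVA &&
            psh->VirtualAddress + psh->SizeOfRawData > dwDirRVA)
            break;
    }
    if (i >= nSections)
        return NULL;

    /* file address = mapping base + offset within section + section's file offset */
    return (LPVOID) ((char *) lpFile + (dwDirRVA - psh->VirtualAddress) +
                     psh->PointerToRawData);
}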
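/* Length of a section's name, never reading past the fixed-size Name field;
   the PE format lets a name fill the whole field with no terminating NUL. */
static int
SectionNameLength (const IMAGE_SECTION_HEADER *psh)
{
    int nLen = 0;

    while (nLen < (int) sizeof psh->Name && psh->Name[nLen] != '\0')
        nLen++;
    return nLen;
}

/*
 * Retrieve the names of all the sections in the file.
 *
 * On success *pszSections points at a calloc'ed buffer holding the names back
 * to back, each followed by a NUL; the caller owns it.  The return value is
 * the size of that buffer in bytes (not the number of sections).  Returns 0
 * without touching *pszSections when lpFile is not an NT image, and 0 with
 * *pszSections set to NULL when the allocation fails.
 *
 * Names are measured and copied with a bound of sizeof Name; the original
 * used strlen/strcpy, which run into the following header fields when a name
 * uses the whole field.
 *
 * NOTE(review): the section count comes from the file and the size of the
 * mapping is not known here, so the section table itself is not checked to
 * lie inside the mapping.
 */
int WINAPI
GetSectionNames (
    LPVOID lpFile,
    char **pszSections)
{
    PIMAGE_SECTION_HEADER psh;
    int nSections;
    int i, nCnt = 0;
    char *ps;

    if (ImageFileType (lpFile) != IMAGE_NT_SIGNATURE ||
        (psh = (PIMAGE_SECTION_HEADER) SECHDROFFSET (lpFile)) == NULL)
        return 0;

    nSections = NumOfSections (lpFile);

    /* count the number of chars used in the section names */
    for (i = 0; i < nSections; i++)
        nCnt += SectionNameLength (&psh[i]) + 1;

    /* allocate space for all section names from heap */
    ps = *pszSections = (char *) calloc (nCnt, 1);
    if (ps == NULL)
        return 0;

    for (i = 0; i < nSections; i++)
    {
        int nLen = SectionNameLength (&psh[i]);

        memcpy (ps, psh[i].Name, nLen);
        ps[nLen] = '\0';
        ps += nLen + 1;
    }
    return nCnt;
}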
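/*
 * Get the section header for a section identified by name.
 *
 * Copies the first section header whose Name equals szSection into *sh and
 * returns TRUE; returns FALSE when no section matches or when
 * SECHDROFFSET (lpFile) yields NULL.
 *
 * The comparison is bounded by the size of the Name field.  The original
 * strcmp read past the field whenever a name used all of it, since such a
 * name carries no terminating NUL.
 *
 * NOTE(review): the section count comes from the file and the size of the
 * mapping is not known here, so the walk over the table is not bounded by
 * the mapping.
 */
BOOL WINAPI
GetSectionHdrByName (
    LPVOID lpFile,
    IMAGE_SECTION_HEADER * sh,
    char *szSection)
{
    PIMAGE_SECTION_HEADER psh = (PIMAGE_SECTION_HEADER) SECHDROFFSET (lpFile);
    int nSections = NumOfSections (lpFile);
    int i;

    if (psh == NULL)
        return FALSE;

    /* a name longer than the Name field cannot belong to any section */
    if (strlen (szSection) > sizeof psh->Name)
        return FALSE;

    /* find the section by name */
    for (i = 0; i < nSections; i++, psh++)
    {
        if (strncmp ((const char *) psh->Name, szSection, sizeof psh->Name) == 0)
        {
            /* copy data to header */
            *sh = *psh;
            return TRUE;
        }
    }
    return FALSE;
}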
//
// This function is modified by sang cho
//
//
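/*
 * Get import module names separated by null terminators; return module count.
 *
 * On success *pszModules points at a calloc'ed buffer holding the names back
 * to back, each with its terminating NUL; the caller owns it.  Returns 0
 * without touching *pszModules when the image has no import directory, and 0
 * with *pszModules set to NULL when the allocation fails.
 *
 * sometimes there may be no section for idata or edata, instead rdata or
 * data section may contain these sections, or even module names or function
 * names are in a different section; that is why each RVA is resolved through
 * GetActualAddress.  (sang cho)
 *
 * The directory is walked twice (measure, then copy).  The original cached
 * the name pointers in a 1024-entry stack array with no bound on the index,
 * so a file with more import descriptors than that wrote past the array.
 * Enumeration stops at the first descriptor whose name RVA does not resolve,
 * where the original passed NULL to strlen.
 *
 * NOTE(review): the walk still relies on a zero descriptor ending the table
 * and on every name being NUL-terminated inside the mapping; the size of the
 * mapping is not available here to enforce either.
 */
int WINAPI
GetImportModuleNames (
    LPVOID lpFile,
    char **pszModules)
{
    PIMAGE_IMPORT_MODULE_DIRECTORY pidFirst = (PIMAGE_IMPORT_MODULE_DIRECTORY)
        ImageDirectoryOffset (lpFile, IMAGE_DIRECTORY_ENTRY_IMPORT);
    PIMAGE_IMPORT_MODULE_DIRECTORY pid;
    size_t nSize = 0;
    int nCnt = 0, i;
    char *psz;

    if (pidFirst == NULL)
        return 0;

    /* first pass: count the modules and the bytes their names need */
    for (pid = pidFirst; pid->dwRVAModuleName; pid++)
    {
        const char *pszName = (const char *) GetActualAddress (lpFile, pid->dwRVAModuleName);

        if (pszName == NULL)
            break;
        nSize += strlen (pszName) + 1;
        nCnt++;
    }

    /* copy all strings to one chunk of memory */
    *pszModules = (char *) calloc (nSize, 1);
    if (*pszModules == NULL)
        return 0;

    psz = *pszModules;
    for (i = 0, pid = pidFirst; i < nCnt; i++, pid++)
    {
        const char *pszName = (const char *) GetActualAddress (lpFile, pid->dwRVAModuleName);
        size_t nLen;

        if (pszName == NULL)
            break;
        nLen = strlen (pszName) + 1;
        /* never write more than was measured, even if the data changed */
        if (nLen > nSize)
            break;
        memcpy (psz, pszName, nLen);
        psz += nLen;
        nSize -= nLen;
    }
    return nCnt;
}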
//
// This function is rewritten by sang cho
//
//
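/*
 * Get the functions imported from module pszModule; return the function count.
 *
 * On success *pszFunctions points at a calloc'ed buffer, owned by the caller,
 * holding one record per import:
 *     4 bytes  value read at the entry of the function address list
 *     2 bytes  ordinal (import by ordinal) or the 2 bytes stored in front of
 *              the name (import by name)
 *     n bytes  NUL-terminated name; imports by ordinal get the synthesized
 *              name "<module>:NoName<nnnn>", <module> being pszModule cut at
 *              its first '.'
 * Returns 0 when there is no import directory, when the module is not found,
 * or when the allocation fails (*pszFunctions is then NULL).
 *
 * sometimes there may be no section for idata or edata, instead rdata or
 * data section may contain these sections, or even module names or function
 * names are in a different section; that is why each RVA is resolved through
 * GetActualAddress.  (sang cho)
 *
 * Changes against the original, all on paths a malformed file can reach:
 *  - the module name is copied into name[] with a bound instead of strcpy;
 *  - the space for a synthesized name is measured from the formatted string;
 *    the original reserved one byte too few per ordinal import, so the copy
 *    pass wrote past the end of the heap buffer;
 *  - a NULL from ImageDirectoryOffset or GetActualAddress ends the walk
 *    instead of being dereferenced;
 *  - the calloc result is checked;
 *  - the 4- and 2-byte fields are stored with memcpy, as records are packed
 *    and therefore not aligned.
 * Measuring and copying share one loop body so both passes resolve every
 * entry the same way, and the copy pass never writes more than was measured.
 *
 * NOTE(review): names from the file are still read with strlen, and the size
 * of the mapping is not known here, so a name that is not NUL-terminated
 * inside the mapping is read past its end.
 */
int WINAPI
GetImportFunctionNamesByModule (
    LPVOID lpFile,
    char *pszModule,
    char **pszFunctions)
{
    PIMAGE_IMPORT_MODULE_DIRECTORY pid = (PIMAGE_IMPORT_MODULE_DIRECTORY)
        ImageDirectoryOffset (lpFile, IMAGE_DIRECTORY_ENTRY_IMPORT);
    char name[128];             /* module name with the extension cut off */
    char buff[256];             /* synthesized name of an ordinal import */
    char *psz = NULL;
    size_t nSize = 0;           /* bytes needed, then bytes still free */
    int nCnt = 0;               /* records measured in the first pass */
    int nWritten = 0;           /* records stored in the second pass */
    int mnlength;
    int pass;

    if (pid == NULL)
        return 0;

    /* find module's pid */
    while (pid->dwRVAModuleName)
    {
        const char *pszEntry = (const char *) GetActualAddress (lpFile, pid->dwRVAModuleName);

        if (pszEntry != NULL && strcmp (pszModule, pszEntry) == 0)
            break;
        pid++;
    }

    /* exit if the module is not found */
    if (!pid->dwRVAModuleName)
        return 0;

    /* get rid of .dll from module name; longer names are truncated to fit */
    for (mnlength = 0; mnlength < (int) sizeof name - 1; mnlength++)
    {
        if (pszModule[mnlength] == '\0' || pszModule[mnlength] == '.')
            break;
        name[mnlength] = pszModule[mnlength];
    }
    name[mnlength] = '\0';

    /* pass 0 measures the records, pass 1 stores them */
    for (pass = 0; pass < 2; pass++)
    {
        DWORD dwFunctionName = pid->dwRVAFunctionNameList;
        DWORD dwFunctionAddress = pid->dwRVAFunctionAddressList;
        int nnid = 0;

        // IMAGE_IMPORT_BY_NAME OR IMAGE_THUNK_DATA
        while (dwFunctionName)
        {
            DWORD *pdw = (DWORD *) GetActualAddress (lpFile, dwFunctionName);
            DWORD *pdwAddress = (DWORD *) GetActualAddress (lpFile, dwFunctionAddress);
            const char *pszName;
            size_t nEntry;
            int nAddress;
            short nOrdinal;

            /* a zero entry ends the list; an unresolvable one ends the walk */
            if (pdw == NULL || *pdw == 0 || pdwAddress == NULL)
                break;

            if ((*pdw) & 0x80000000)
            {
                /* import by ordinal: the first two bytes of the entry */
                memcpy (&nOrdinal, pdw, sizeof nOrdinal);
                /* name[] holds at most 127 chars, so this cannot truncate */
                snprintf (buff, sizeof buff, "%s:NoName%04d", name, nnid++);
                pszName = buff;
            }
            else
            {
                /* import by name: two bytes, then the name string */
                const void *pHint = GetActualAddress (lpFile, *pdw);

                pszName = (const char *) GetActualAddress (lpFile, *pdw + 2);
                if (pHint == NULL || pszName == NULL)
                    break;
                memcpy (&nOrdinal, pHint, sizeof nOrdinal);
            }

            /* function address (4 bytes), ord number (2 bytes), name + NUL */
            nEntry = 4 + 2 + strlen (pszName) + 1;

            if (pass == 0)
            {
                nSize += nEntry;
                nCnt++;
            }
            else
            {
                if (nWritten >= nCnt || nEntry > nSize)
                    break;
                nAddress = (int) *pdwAddress;
                memcpy (psz, &nAddress, 4);
                memcpy (psz + 4, &nOrdinal, 2);
                memcpy (psz + 6, pszName, nEntry - 6);
                psz += nEntry;
                nSize -= nEntry;
                nWritten++;
            }

            dwFunctionName += 4;
            dwFunctionAddress += 4;
        }

        if (pass == 0)
        {
            /* allocate memory for function names */
            *pszFunctions = (char *) calloc (nSize, 1);
            if (*pszFunctions == NULL)
                return 0;
            psz = *pszFunctions;
        }
    }
    return nWritten;
}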
//
// This function is written by sang cho
// October 6, 1997
//
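/*
 * Get numerically expressed string length: parse the one- or two-digit
 * decimal number at the start of psz.
 *
 * Returns 0 when psz does not start with a digit, the value of the first
 * digit when only one is present, and the two-digit value otherwise.
 *
 * The characters are cast to unsigned char before isdigit; passing a plain
 * char with a negative value (any byte above 0x7f where char is signed) to a
 * <ctype.h> function is undefined behavior.
 */
int WINAPI
GetStringLength (
    char *psz)
{
    int nLen;

    if (!isdigit ((unsigned char) psz[0]))
        return 0;

    nLen = psz[0] - '0';
    /* psz[1] is at worst the terminating NUL, so reading it is in bounds */
    if (isdigit ((unsigned char) psz[1]))
        nLen = nLen * 10 + (psz[1] - '0');
    return nLen;
}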
//
// This function is written by sang cho
// October 12, 1997
//
/*
 * Copy the parameter text that ends just before xpin into xpout.
 *
 * The character at xpin[-1] must be ','; the function then scans backwards
 * from xpin[-2] to the ',' or '(' that starts that parameter, skipping over
 * nested <...> and (...) groups, and copies the text between the two
 * delimiters to xpout as a NUL-terminated string.
 *
 * On a missing ',' at xpin[-1] it prints an error and calls exit (0).
 *
 * NOTE(review): the backward scan ends only at a delimiter or at a NUL byte,
 * so it presumably relies on the caller's buffer having a NUL (or the opening
 * '(') somewhere before xpin -- confirm against the callers.  xpout has no
 * size parameter; the copy length is whatever the scan found.
 */
void WINAPI
GetPreviousParamString (
char *xpin, // points just past the ',' that ends the wanted parameter
char *xpout) // receives the parameter text, NUL-terminated
{
int n = 0;
char *pin, *pout;
pin = xpin;
pout = xpout;
/* step back onto the character in front of xpin; it must be the ',' */
pin--;
if (*pin == ',')
pin--;
else
{
printf ("\n **error PreviousParamString1 char = %c", *pin);
exit (0);
}
/* walk backwards; n is the nesting depth of groups entered from their
   closing side ('>' and ')' open a group here, '<' and '(' close it) */
while (*pin)
{
if (*pin == '>')
n++;
else if (*pin == '<')
n--;
else if (*pin == ')')
n++;
if (n > 0)
{
/* inside a group: only its '(' can lower the depth on this path */
if (*pin == '(')
n--;
}
/* outside any group a ',' or '(' is the start delimiter */
else if (strchr (",(", *pin))
break;
pin--;
}
//printf("\n ----- %s", pin);
/* strchr also matches the terminating NUL of ",(", so this test succeeds
   when the loop above ended on a NUL byte as well; the else branch below
   therefore appears to be unreachable */
if (strchr (",(", *pin))
{
/* move from the delimiter onto the first character of the parameter */
pin++;
} // printf("\n %s", pin); }
else
{
printf ("\n **error PreviousParamString2");
exit (0);
}
/* number of characters from pin up to, not including, the ',' at xpin[-1] */
n = xpin - pin - 1;
/* strncpy does not terminate here, hence the explicit NUL below */
strncpy (pout, pin, n);
*(pout + n) = 0;
}
//
// This function is written by sang cho
// October 10, 1997
//
/* translate parameter part of condensed name */
void WINAPI
TranslateParameters (
char **ppin, // read-only source
char **ppout, // translated result