📄 modpeskeleton.bas
字号:
AppData.OptHeaderOffset = Seek(InFileNumber) - 1
'Get the OPTHeader
Call GetPEOptionHeader
'***********************************
'The SECtion headers exist just after the option header
'***********************************
'Save the SECtionHeader offset
AppData.SecHeaderOffset = Seek(InFileNumber) - 1
'Get the SecHeader
Call GetPESecHeader
'These sections are not included; they're
'not needed for VB6 analysis, but could be
'added if more PE file analysis is desired:
'DebugDirectory
'ResourceSection
'ImportsSection
'Needed for Pcode
Seek #InFileNumber, OptHeader.DataDirectory(1).Address + 1
Dim ImportHolder As IMAGE_IMPORT_DESCRIPTOR
ReDim PEImport(0)
ReDim ImportList(0)
' Do
'MsgBox "Loc:" & Loc(InFileNumber)
Get #InFileNumber, , ImportHolder
'' If ImportHolder.lpName = 0 Then Exit Do
'Save it in the import table
ReDim PEImport(UBound(PEImport) + 1)
PEImport(UBound(PEImport)).ForwarderChain = ImportHolder.ForwarderChain
PEImport(UBound(PEImport)).lpFirstThunk = ImportHolder.lpFirstThunk
PEImport(UBound(PEImport)).lpImportByName = ImportHolder.lpImportByName
PEImport(UBound(PEImport)).lpName = ImportHolder.lpName
PEImport(UBound(PEImport)).TimeDateStamp = ImportHolder.TimeDateStamp
Seek InFileNumber, PEImport(UBound(PEImport)).lpName + 1
ImportList(0).strName = GetUntilNull(InFileNumber)
ReDim exeIMPORT_APINAME(1 To 1)
Call ScanTable(InFileNumber, PEImport(UBound(PEImport)).lpFirstThunk + 1, PEImport(UBound(PEImport)).lpImportByName + 1, exeIMPORT_APINAME())
' Loop
'ExportsSection
'Needed for dll's and ocx's
'Used for dll projects
If OptHeader.DataDirectory(0).Address <> 0 Then
Dim ExportPointer As Long
'Get Dll Header
Seek #InFileNumber, OptHeader.DataDirectory(0).Address + 29
Get #InFileNumber, , ExportPointer
Seek #InFileNumber, ExportPointer + 1
Get #InFileNumber, , ExportPointer
Seek #InFileNumber, ExportPointer + 3
Get #InFileNumber, , ExportPointer
'MsgBox "EXPORT: " & ExportPointer - OptHeader.ImageBase
VBStartHeader.PushStartAddress = ExportPointer
gDllProject = True
Seek #InFileNumber, OptHeader.DataDirectory(0).Address + 1
Get #InFileNumber, , PeExport
Dim ExportName() As Long
Dim ExportOrdinal() As Long
Dim ExportProcedure() As Integer
ReDim ExportName(PeExport.NumberOfNames - 1)
ReDim ExportOrdinal(PeExport.NumberOfFunctions - 1)
ReDim ExportProcedure(PeExport.NumberOfFunctions - 1)
'Get Name array
Seek #InFileNumber, PeExport.lpAddressOfNames + 1
Get #InFileNumber, , ExportName
Dim strHolder As String
Dim i As Integer
For i = 0 To UBound(ExportName)
'MsgBox ExportName(i)
Seek #InFileNumber, ExportName(i) + 1
strHolder = GetUntilNull(InFileNumber)
' MsgBox strHolder
If strHolder = "DllCanUnloadNow" Then
'MsgBox "PROD" & ExportProcedure(i)
Seek #InFileNumber, ExportProcedure(i) + 1
'c 'all modPeSkeleton.GetVBHeader2
End If
Next
'Get Ordinal Array
Seek #InFileNumber, PeExport.lpAddressOfNameOrdinals + 1
Get #InFileNumber, , ExportOrdinal
For i = 0 To UBound(ExportOrdinal)
Next
'Get Procedure Array
Seek #InFileNumber, PeExport.lpAddressOfFunctions + 1
Get #InFileNumber, , ExportProcedure
For i = 0 To UBound(ExportProcedure)
Next
' MsgBox "EXP " & ExportProcedure(0)
AppData.VBStartOffset = ExportProcedure(0)
Seek #InFileNumber, ExportProcedure(0) + 1
'Call modPeSkeleton.GetVBHeader2
Exit Function
End If
'****************************
'Start the VB app analysis
'****************************
'Calculate the load offset mask
DecLoadOffset# = OptHeader.ImageBase
'MsgBox OptHeader.ImageBase
' mImageBaseAlign = ((OptHeader.ImageBase + OptHeader.entrypoint) - GetPtrFromRVA(OptHeader.entrypoint))
'MsgBox GetPtrFromRVA(OptHeader.entrypoint)
' mImageBaseAlign
' MsgBox mImageBaseAlign
'**************************************
'The VB Startheader holds the jump vector
'**************************************
'Get the APP data VB app start location = OPTHeader.EntryPoint
AppData.VBStartOffset = OptHeader.entrypoint
'Point file at the VB code start position
Seek #InFileNumber, AppData.VBStartOffset + 1
'Get the VBStartHeader, check error
Call GetVBStartHeader
If ErrorFlag = True Then
CheckHeader = False
Exit Function
End If
'**************************************
'The VB start vector holds the compiler signature
'**************************************
'Get the APP data VB signature offset
AppData.VBVerOffsetRaw = VBStartHeader.PushStartAddress
'Calculate the APP offset
AppData.VBVerOffsetMasked = AppData.VBVerOffsetRaw - DecLoadOffset#
'Point file at the VB signature position
Seek #InFileNumber, AppData.VBVerOffsetMasked + 1
'Check for VB version (compiler) of this file, check error
Call GetVBVer
If ErrorFlag = True Then
CheckHeader = False
Exit Function
End If
'Assign this location to our reference
AppData.ProjDataAppReference = AppData.VBVerOffsetMasked
'*****************************
'Check if the interpreter name exists
'*****************************
'Point file at the Data Directory #1 position
Seek #InFileNumber, OptHeader.DataDirectory(1).Address + 1
'Move ahead 12 bytes
Seek #InFileNumber, Seek(InFileNumber) + 12
'Get the APP data interpreter address offset
AppData.VBIntrptrOffset = GetDWord()
'Move to the interpreter signature
Seek #InFileNumber, AppData.VBIntrptrOffset + 1
'Get the interpreter
Call GetVBIntrptr
If ErrorFlag = True Then
CheckHeader = False
Exit Function
End If
'If we got here, this is definitely a valid VB6 app
End Function
Public Sub GetDOSSignature()
'Get the first two characters
DosHeader.Magic = GetWord()
'Check for error
If DosHeader.Magic <> DOS_SIGNATURE Then
ErrorFlag = True
End If
End Sub
Public Sub GetDOSHeader()
'Get DOS header data
DosHeader.NumBytesLastPage = GetWord()
DosHeader.NumPages = GetWord()
DosHeader.NumRelocates = GetWord()
DosHeader.NumHeaderBlks = GetWord()
DosHeader.NumMinBlks = GetWord()
DosHeader.NumMaxBlks = GetWord()
DosHeader.SSPointer = GetWord()
DosHeader.SPPointer = GetWord()
DosHeader.Checksum = GetWord()
DosHeader.IPPointer = GetWord()
DosHeader.CurrentSeg = GetWord()
DosHeader.RelocTablePointer = GetWord()
DosHeader.Overlay = GetWord()
DosHeader.ReservedW1 = GetWord()
DosHeader.ReservedW2 = GetWord()
DosHeader.ReservedW3 = GetWord()
DosHeader.ReservedW4 = GetWord()
DosHeader.OEMType = GetWord()
DosHeader.OEMData = GetWord()
DosHeader.ReservedW5 = GetWord()
DosHeader.ReservedW6 = GetWord()
DosHeader.ReservedW7 = GetWord()
DosHeader.ReservedW8 = GetWord()
DosHeader.ReservedW9 = GetWord()
DosHeader.ReservedW10 = GetWord()
DosHeader.ReservedW11 = GetWord()
DosHeader.ReservedW12 = GetWord()
DosHeader.ReservedW13 = GetWord()
DosHeader.ReservedW14 = GetWord()
DosHeader.ExeHeaderPointer = GetDWord()
'Make sure the potential PE signature location seems reasonable
If ((DosHeader.ExeHeaderPointer > 4096) Or (DosHeader.ExeHeaderPointer < 64)) Then
ErrorFlag = True
End If
End Sub
Public Sub GetPESignature()
'Get the first two characters
PEHeader.Magic = GetDWord()
'Check for error
If PEHeader.Magic <> PE_SIGNATURE Then
ErrorFlag = True
End If
End Sub
Public Sub GetPEOptionHeader()
'Now get the "optional" header data
OptHeader.Magic = GetWord()
OptHeader.MajLinkerVer = GetByte()
OptHeader.MinLinkerVer = GetByte()
OptHeader.CodeSize = GetDWord()
OptHeader.InitDataSize = GetDWord()
OptHeader.UninitDataSize = GetDWord()
OptHeader.entrypoint = GetDWord()
OptHeader.CodeBase = GetDWord()
OptHeader.DataBase = GetDWord()
OptHeader.ImageBase = GetDWord()
OptHeader.SectionAlignment = GetDWord()
OptHeader.FileAlignment = GetDWord()
OptHeader.MajOSVer = GetWord()
OptHeader.MinOSVer = GetWord()
OptHeader.MajImageVer = GetWord()
OptHeader.MinImageVer = GetWord()
OptHeader.MajSSysVer = GetWord()
OptHeader.MinSSysVer = GetWord()
OptHeader.Win32Ver = GetDWord()
OptHeader.SizeImage = GetDWord()
OptHeader.SizeHeader = GetDWord()
OptHeader.Checksum = GetDWord()
OptHeader.SSystem = GetWord()
OptHeader.DLLProperties = GetWord()
OptHeader.SSizeRes = GetDWord()
OptHeader.SSizeCom = GetDWord()
OptHeader.HSizeRes = GetDWord()
OptHeader.HSizeCom = GetDWord()
OptHeader.LFlags = GetDWord()
OptHeader.NumRVA_Sizes = GetDWord()
OptHeader.DataDirectory(0).Name = "EXPORT"
OptHeader.DataDirectory(0).Address = GetDWord()
OptHeader.DataDirectory(0).Size = GetDWord()
OptHeader.DataDirectory(1).Name = "IMPORT"
OptHeader.DataDirectory(1).Address = GetDWord()
OptHeader.DataDirectory(1).Size = GetDWord()
OptHeader.DataDirectory(2).Name = "RESOURCE"
OptHeader.DataDirectory(2).Address = GetDWord()
OptHeader.DataDirectory(2).Size = GetDWord()
OptHeader.DataDirectory(3).Name = "EXCEPTION"
OptHeader.DataDirectory(3).Address = GetDWord()
OptHeader.DataDirectory(3).Size = GetDWord()
OptHeader.DataDirectory(4).Name = "SECURITY"
OptHeader.DataDirectory(4).Address = GetDWord()
OptHeader.DataDirectory(4).Size = GetDWord()
OptHeader.DataDirectory(5).Name = "BASERELOC"
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -