pefile.pas

这是个反向工程delphi的程序的全部源代码.能分析几乎所有的结构 Revendepro is a program to reverse engineer Delphi program. Reven

//    Author:          Python (python@softhome.net)
//    Version:         0.0.1.2
//    LastModified:    3-23-2000
//    LatestVersion:   http://thunder.prohosting.com/~pytho/
//    Copyright (c) 1999, 2000 Python. All rights reserved

unit PEFile;

interface

uses
  SysUtils, Windows, Classes, peFixups, peExports;

type
  PImageDosHeader = ^TImageDosHeader;
  _IMAGE_DOS_HEADER = packed record      { DOS .EXE header                  }
      e_magic: Word;                     { Magic number                     }
      e_cblp: Word;                      { Bytes on last page of file       }
      e_cp: Word;                        { Pages in file                    }
      e_crlc: Word;                      { Relocations                      }
      e_cparhdr: Word;                   { Size of header in paragraphs     }
      e_minalloc: Word;                  { Minimum extra paragraphs needed  }
      e_maxalloc: Word;                  { Maximum extra paragraphs needed  }
      e_ss: Word;                        { Initial (relative) SS value      }
      e_sp: Word;                        { Initial SP value                 }
      e_csum: Word;                      { Checksum                         }
      e_ip: Word;                        { Initial IP value                 }
      e_cs: Word;                        { Initial (relative) CS value      }
      e_lfarlc: Word;                    { File address of relocation table }
      e_ovno: Word;                      { Overlay number                   }
      e_res: array [0..3] of Word;       { Reserved words                   }
      e_oemid: Word;                     { OEM identifier (for e_oeminfo)   }
      e_oeminfo: Word;                   { OEM information; e_oemid specific}
      e_res2: array [0..9] of Word;      { Reserved words                   }
      _lfanew: LongInt;                  { File address of new exe header   }
  end;
  TImageDosHeader = _IMAGE_DOS_HEADER;

  PIMAGE_OPTIONAL_HEADER = ^IMAGE_OPTIONAL_HEADER;
  IMAGE_OPTIONAL_HEADER = packed record
   { Standard fields. }
    Magic           : WORD;
    MajorLinkerVersion : Byte;
    MinorLinkerVersion : Byte;
    SizeOfCode      : DWORD;
    SizeOfInitializedData : DWORD;
    SizeOfUninitializedData : DWORD;
    AddressOfEntryPoint : DWORD;
    BaseOfCode      : DWORD;
    BaseOfData      : DWORD;
   { NT additional fields. }
    ImageBase       : DWORD;
    SectionAlignment : DWORD;
    FileAlignment   : DWORD;
    MajorOperatingSystemVersion : WORD;
    MinorOperatingSystemVersion : WORD;
    MajorImageVersion : WORD;
    MinorImageVersion : WORD;
    MajorSubsystemVersion : WORD;
    MinorSubsystemVersion : WORD;
    Reserved1       : DWORD;
    SizeOfImage     : DWORD;
    SizeOfHeaders   : DWORD;
    CheckSum        : DWORD;
    Subsystem       : WORD;
    DllCharacteristics : WORD;
    SizeOfStackReserve : DWORD;
    SizeOfStackCommit : DWORD;
    SizeOfHeapReserve : DWORD;
    SizeOfHeapCommit : DWORD;
    LoaderFlags     : DWORD;
    NumberOfRvaAndSizes : DWORD;
    DataDirectory   : packed array [0..IMAGE_NUMBEROF_DIRECTORY_ENTRIES-1] of IMAGE_DATA_DIRECTORY;
    Objects: packed array [0..9999] of IMAGE_SECTION_HEADER;
  end;

  PIMAGE_NT_HEADERS = ^IMAGE_NT_HEADERS;
  IMAGE_NT_HEADERS = packed record
    Signature       : DWORD;
    FileHeader      : IMAGE_FILE_HEADER;
    OptionalHeader  : IMAGE_OPTIONAL_HEADER;
  end;

  { TPEObject }

  TPEObject = record
    ObjectName: string;
    Address: PChar;
    PhysicalSize: Integer;
    VirtualSize: Integer;
    Characteristics: Cardinal;
    PointerToRawData: Integer;
  end;

  TNameOrID = (niName, niID);

  { TPEImports }

  TPEImport = record
    NameOrID: TNameOrID;
    Name: string;
    ID: Integer;
    PAddress: PChar;  // Pointer to the imported function
                      // (used to call the function).
  end;

  TPEImports = record
    DLLName: string;
    Entries: array of TPEImport;
  end;


  { TPEFixups }

  TPEFixup = record
    FixupType: Byte;
    Address: PChar;
  end;

  TPEFixups = array of TPEFixup;

  { TPEResource }

  TDataOrEntries = (deData, deEntries);

  TPEResource = class;

  TPEResourceList = array of TPEResource;

  TPEResource = class(TObject)
  private
    FNameOrID: TNameOrID;
    FName: WideString;
    FID: Integer;
    FDataOrEntries: TDataOrEntries;
    FData: PChar;
    FDataSize: Integer;
    FEntries: TPEResourceList;
    function GetData: PChar;
    function GetDataSize: Integer;
    function GetEntries: TPEResourceList;
  public
    property NameOrID: TNameOrID read FNameOrID;
    property Name: WideString read FName;
    property ID: Integer read FID;
    property DataOrEntries: TDataOrEntries read FDataOrEntries;
    property Data: PChar read GetData;
    property DataSize: Integer read GetDataSize;
    property Entries: TPEResourceList read GetEntries;
  end;

  { TPEFile }

  EPEError = class(Exception);

  TPEFile = class(TObject)
  private
    FFileName: string;
    FProjectName: string;
  protected
    FFileStream: TFileStream;
    FFileBase: PChar;
    FHeaderSize: Integer;
    FImageSize: Integer;
    FIsConsole: Boolean;
    FNTHeader: PIMAGE_NT_HEADERS;
    procedure Error(S: string);
  public
    ImageBase: PChar;
    StackCommitSize: Cardinal;
    StackReserveSize: Cardinal;
    EntryPoint: PChar;
    Code: PChar;
    CodeSize: Cardinal;
    Data: PChar;
    DataSize: Cardinal;
    BSS: PChar;
    BSSSize: Cardinal;
    Objects: array of TPEObject;
    PEExports: TpeExportList;
    Imports: array of TPEImports;
    Fixups: TFixups;
    Resources: TPEResourceList;
    constructor Create(FileName: string); virtual;
    destructor Destroy; override;
    function PhysOffset(Address: PChar): Integer;

    property FileBase: PChar read FFileBase;
    property NTHeader: PIMAGE_NT_HEADERS read FNTHeader;
    property IsConsole: Boolean read FIsConsole;
    property FileName: string read FFileName;
    property ProjectName: string read FProjectName;
  end;

type
  PByte = ^Byte;
  PPointer = ^Pointer;
  PInteger = ^Integer;
  PPChar = ^PChar;

resourcestring
  SErrorAddressNotInFile = 'Error, Address %p not in file';
  SErrorInvalidResourceType = 'Error, can''t read this, other resource'; 

implementation

{ TPEResource }

function TPEResource.GetData: PChar;
begin
  if DataOrEntries = deEntries then
    raise EPEError.Create(SErrorInvalidResourceType);
  Result := FData;
end;

function TPEResource.GetDataSize: Integer;
begin
  if DataOrEntries = deEntries then
    raise EPEError.Create(SErrorInvalidResourceType);
  Result := FDataSize;
end;

function TPEResource.GetEntries: TPEResourceList;
begin
  if DataOrEntries = deData then
    raise EPEError.Create(SErrorInvalidResourceType);
  Result := FEntries;
end;

{ TPEFile }

constructor TPEFile.Create(FileName: string);
var
  I: Integer;

  procedure LoadResources;
  var
    BaseEntry: PChar;

    procedure FillResources(var RL: TPEResourceList;
       DirEntry: Integer);
    var
      I: Integer;
      NameCount, IDCount: Integer;

    type
      PIMAGE_RESOURCE_DIRECTORY = ^IMAGE_RESOURCE_DIRECTORY;
      IMAGE_RESOURCE_DIRECTORY = packed record
        Characteristics : DWORD;
        TimeDateStamp   : DWORD;
        MajorVersion    : WORD;
        MinorVersion    : WORD;
        NumberOfNamedEntries : WORD;
        NumberOfIdEntries : WORD;
      end;

    begin
      // Save Name and ID count.
      NameCount :=PIMAGE_RESOURCE_DIRECTORY(DirEntry)^.NumberOfNamedEntries;
      IDCount := PIMAGE_RESOURCE_DIRECTORY(DirEntry)^.NumberOfIDEntries;
      // Make resources large enough.
      SetLength(RL, NameCount + IDCount);
      // Jump over Resource table.
      Inc(DirEntry, SizeOf(Image_Resource_Directory));
      for I := 0 to NameCount -1 do
      begin
        // Create object
        RL[I] := TPEResource.Create;
        // Name or ID is Name.
        RL[I].FNameOrID := niName;
        // Copy name.
        SetLength(RL[I].FName, PWord(BaseEntry + PDWord(DirEntry)^ and $7FFFFFFF)^);
        Move(PDWord(BaseEntry + PDWord(DirEntry)^ and $7FFFFFFF + 2)^,