unit PEInfounit;
{
Changed title from PE info to Portable Executable (PE) info. I have this feeling
that 'some people' (idiots) would not understand that it isn't a packet editor
}
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, cefuncproc, newkernelhandler, Buttons, StdCtrls, ExtCtrls,
ComCtrls, symbolhandler, peinfofunctions;
type
//Form that shows Portable Executable (PE) header information.
//ParseFile reads the bytes in memorycopy and fills the tree view and list boxes declared below.
TfrmPEInfo = class(TForm)
GroupBox2: TGroupBox;
Panel1: TPanel;
GroupBox1: TGroupBox;
edtAddress: TEdit;
modulelist: TListBox;
LoadButton: TSpeedButton;
Label1: TLabel;
OpenDialog1: TOpenDialog;
Label2: TLabel;
PageControl1: TPageControl;
TabSheet1: TTabSheet;
TabSheet2: TTabSheet;
TabSheet3: TTabSheet;
TabSheet4: TTabSheet;
//tree view that ParseFile fills with the 'MZ header' and 'PE header' nodes
PEItv: TTreeView;
//list boxes that ParseFile clears before parsing; presumably filled with the
//import, export and base relocation entries (that part of ParseFile is not verified here)
lbImports: TListBox;
lbExports: TListBox;
lbBaseReloc: TListBox;
Button1: TButton;
RadioButton1: TRadioButton;
RadioButton2: TRadioButton;
procedure LoadButtonClick(Sender: TObject);
procedure FormDestroy(Sender: TObject);
procedure FormClose(Sender: TObject; var Action: TCloseAction);
procedure modulelistClick(Sender: TObject);
procedure FormShow(Sender: TObject);
procedure Button1Click(Sender: TObject);
procedure FormCreate(Sender: TObject);
private
{ Private declarations }
//buffer with the image bytes that ParseFile parses
memorycopy: pbytearray;
//passed together with memorycopy to peinfo_getImageNtHeaders by ParseFile;
//presumably the size in bytes of memorycopy - confirm where it is assigned
memorycopysize: dword;
//NOTE(review): the use of modulebase and loadedmodule is not confirmed by the declaration alone
modulebase: dword;
loadedmodule: pbytearray;
//parses memorycopy; 'loaded' tells whether the copy was taken from a loaded
//module or from the file on disk
procedure ParseFile(loaded: boolean);
public
{ Public declarations }
end;
//Exported PE header accessors. Each one takes a pointer to the first byte of
//an image (its DOS header), follows _lfanew to the NT headers and returns one
//field of the optional header.
//None of them receives the size of the buffer, so they cannot bounds-check
//the _lfanew offset themselves; the header must be validated by the caller.
function peinfo_getcodesize(header: pointer): dword;
function peinfo_getentryPoint(header: pointer): dword;
function peinfo_getcodebase(header: pointer): dword;
function peinfo_getdatabase(header: pointer): dword;
function peinfo_getheadersize(header: pointer): dword;
implementation
{$R *.dfm}
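function peinfo_getcodesize(header: pointer): dword;
{
Returns OptionalHeader.SizeOfCode of the PE image whose DOS header starts at
'header'.

params:
  header: pointer to the first byte (the MZ/DOS header) of the image

No validation is done here: e_magic is not checked and _lfanew is used as an
offset without a bounds check, because this function is not told how large the
buffer is. Both values come from the file or module being inspected, so only
pass in a header that has already been validated against its buffer size.
NOTE(review): dword(header) assumes the pointer value fits in 32 bits.
}
var
  ImageNTHeader: PImageNtHeaders;
begin
  //the NT headers start _lfanew bytes after the start of the DOS header
  ImageNTHeader:=PImageNtHeaders(dword(header)+PImageDosHeader(header)^._lfanew);
  result:=ImageNTHeader^.OptionalHeader.SizeOfCode;
end;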
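function peinfo_getdatabase(header: pointer): dword;
{
Returns OptionalHeader.BaseOfData of the PE image whose DOS header starts at
'header'.

params:
  header: pointer to the first byte (the MZ/DOS header) of the image

No validation is done here: e_magic is not checked and _lfanew is used as an
offset without a bounds check, because this function is not told how large the
buffer is. Only pass in a header that has already been validated against its
buffer size.
NOTE(review): ParseFile in this unit only shows BaseOfData when the image is
not 64 bit; this function reads the field without looking at the machine type,
so the result for a 64 bit image should not be relied on - confirm with callers.
NOTE(review): dword(header) assumes the pointer value fits in 32 bits.
}
var
  ImageNTHeader: PImageNtHeaders;
begin
  //the NT headers start _lfanew bytes after the start of the DOS header
  ImageNTHeader:=PImageNtHeaders(dword(header)+PImageDosHeader(header)^._lfanew);
  result:=ImageNTHeader^.OptionalHeader.BaseOfData;
end;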
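function peinfo_getcodebase(header: pointer): dword;
{
Returns OptionalHeader.BaseOfCode of the PE image whose DOS header starts at
'header'.

params:
  header: pointer to the first byte (the MZ/DOS header) of the image

No validation is done here: e_magic is not checked and _lfanew is used as an
offset without a bounds check, because this function is not told how large the
buffer is. Only pass in a header that has already been validated against its
buffer size.
NOTE(review): dword(header) assumes the pointer value fits in 32 bits.
}
var
  ImageNTHeader: PImageNtHeaders;
begin
  //the NT headers start _lfanew bytes after the start of the DOS header
  ImageNTHeader:=PImageNtHeaders(dword(header)+PImageDosHeader(header)^._lfanew);
  result:=ImageNTHeader^.OptionalHeader.BaseOfCode;
end;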
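function peinfo_getEntryPoint(header: pointer): dword;
{
Returns OptionalHeader.AddressOfEntryPoint of the PE image whose DOS header
starts at 'header'. The value is returned exactly as stored in the header.

params:
  header: pointer to the first byte (the MZ/DOS header) of the image

No validation is done here: e_magic is not checked and _lfanew is used as an
offset without a bounds check, because this function is not told how large the
buffer is. Only pass in a header that has already been validated against its
buffer size.
NOTE(review): dword(header) assumes the pointer value fits in 32 bits.
}
var
  ImageNTHeader: PImageNtHeaders;
begin
  //the NT headers start _lfanew bytes after the start of the DOS header
  ImageNTHeader:=PImageNtHeaders(dword(header)+PImageDosHeader(header)^._lfanew);
  result:=ImageNTHeader^.OptionalHeader.AddressOfEntryPoint;
end;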
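function peinfo_getheadersize(header: pointer): dword;
{
Returns OptionalHeader.SizeOfHeaders of the PE image whose DOS header starts at
'header', or 0 when the buffer does not look like a PE image.

params:
  header: pointer to the first byte (the MZ/DOS header) of the image

returns:
  SizeOfHeaders, or 0 if header is nil, the DOS signature is wrong, _lfanew is
  negative, or the NT signature is wrong.

Fixes compared with the previous version:
  - the failure paths now leave the function; before, result:=0 was always
    overwritten by the final assignment
  - ImageNTHeader is assigned before it is dereferenced
  - the NT signature is compared with IMAGE_NT_SIGNATURE; before,
    OptionalHeader.Magic was compared with it

This function is still not told how large the buffer is, so a large positive
_lfanew is not bounds-checked here. Validate the header against its buffer
size before trusting the result.
NOTE(review): dword(header) assumes the pointer value fits in 32 bits.
}
var
  ImageNTHeader: PImageNtHeaders;
begin
  result:=0;
  if header=nil then
    exit;
  if PImageDosHeader(header)^.e_magic<>IMAGE_DOS_SIGNATURE then
    exit;
  //a negative offset would place the NT headers before the start of the buffer
  if PImageDosHeader(header)^._lfanew<0 then
    exit;
  ImageNTHeader:=PImageNtHeaders(dword(header)+PImageDosHeader(header)^._lfanew);
  if ImageNTHeader^.Signature<>IMAGE_NT_SIGNATURE then
    exit;
  result:=ImageNTHeader^.OptionalHeader.SizeOfHeaders;
end;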
function peinfo_getimagesize(header: pointer): dword;
{
Returns OptionalHeader.SizeOfImage of the PE image whose DOS header starts at
'header'.

params:
  header: pointer to the first byte (the MZ/DOS header) of the image

Neither e_magic nor the _lfanew offset is checked here; the caller has to pass
in a header it has already validated.
}
var
  DosHeader: PImageDosHeader;
  NtHeaders: PImageNtHeaders;
begin
  DosHeader:=PImageDosHeader(header);
  //the NT headers start _lfanew bytes after the start of the DOS header
  NtHeaders:=PImageNtHeaders(dword(header)+DosHeader^._lfanew);
  peinfo_getimagesize:=NtHeaders^.OptionalHeader.SizeOfImage;
end;
procedure TfrmPEInfo.ParseFile(loaded: boolean);
{
This will parse the memorycopy and fill in all the data
params:
Loaded: Determines if the memory copy is from when it has been loaded or on file (IAT filled in, relocations done, etc...)
}
var MZheader: ttreenode;
PEheader: ttreenode;
datadir: ttreenode;
section: Ttreenode;
va: ttreenode;
wa: Pwordarray;
ba: PByteArray;
tempnode,tempnode2,tempnode3: ttreenode;
ImageNTHeader: PImageNtHeaders;
ImageSectionHeader: PImageSectionHeader;
ImageBaseRelocation: PIMAGE_BASE_RELOCATION;
ImageExportDirectory: PImageExportDirectory;
ImageImportDirectory: PImageImportDirectory;
sFileType,sCharacteristics, sType: string;
i, j, k: integer;
maxaddress: dword;
importaddress: dword;
importfunctionname: string;
importmodulename: string;
//ignore: dword;
//correctprotection: dword;
basedifference: dword;
basedifference64: INT64;
modhandle: thandle;
funcaddress: dword;
numberofrva: integer;
is64bit: boolean;
tempaddress,tempaddress2: dword;
temps: string;
begin
PEItv.Items.BeginUpdate;
lbImports.Items.BeginUpdate;
lbExports.Items.BeginUpdate;
lbBaseReloc.Items.beginUpdate;
try
is64bit:=false;
PEItv.Items.Clear;
lbImports.Clear;
lbExports.clear;
lbBaseReloc.clear;
if PImageDosHeader(memorycopy)^.e_magic<>IMAGE_DOS_SIGNATURE then
raise exception.Create('This is not a valid image');
MZheader:=PEItv.Items.Add(nil,'MZ header');
PEItv.Items.AddChild(MZHeader, 'lfanew='+inttohex(PImageDosHeader(memorycopy)^._lfanew,2));
PEItv.Items.AddChild(MZHeader, format('dos entrypoint = %.4x:%.4x',[PImageDosHeader(memorycopy)^.e_cs, PImageDosHeader(memorycopy)^.e_ip]));
PEItv.Items.AddChild(MZHeader, format('dos stack = %.4x:%.4x',[PImageDosHeader(memorycopy)^.e_ss, PImageDosHeader(memorycopy)^.e_sp]));
ImageNtHeader:=peinfo_getImageNtHeaders(memorycopy, memorycopysize);
if ImageNtHeader=nil then exit;
PEheader:=PEItv.Items.Add(nil,'PE header');
if ImageNTHeader^.FileHeader.Machine=$8664 then
begin
PEItv.Items.addchild(PEHeader,format('Machine=%.2x (64 bit)' ,[ImageNTHeader^.FileHeader.Machine]));
is64bit:=true;
end
else
PEItv.Items.addchild(PEHeader,format('Machine=%.2x' ,[ImageNTHeader^.FileHeader.Machine]));
PEItv.Items.addchild(PEHeader,format('Number of sections=%d' ,[ImageNTHeader^.FileHeader.NumberOfSections]));
PEItv.Items.addchild(PEHeader,format('Time/Date =%d' ,[ImageNTHeader^.FileHeader.TimeDateStamp]));
PEItv.Items.addchild(PEHeader,format('SymbolTable at %x' ,[ImageNTHeader^.FileHeader.PointerToSymbolTable]));
PEItv.Items.addchild(PEHeader,format('Symbolcount = %x' ,[ImageNTHeader^.FileHeader.NumberOfSymbols]));
PEItv.Items.addchild(PEHeader,format('OptionalHeader size = %x' ,[ImageNTHeader^.FileHeader.SizeOfOptionalHeader]));
sFileType:='';
if ImageNTHeader^.FileHeader.Characteristics and IMAGE_FILE_EXECUTABLE_IMAGE = IMAGE_FILE_EXECUTABLE_IMAGE then sFileType:=sFiletype+'Executable, ';
if ImageNTHeader^.FileHeader.Characteristics and IMAGE_FILE_RELOCS_STRIPPED = IMAGE_FILE_RELOCS_STRIPPED then sFileType:=sFiletype+'No relocations, ';
if ImageNTHeader^.FileHeader.Characteristics and IMAGE_FILE_LINE_NUMS_STRIPPED = IMAGE_FILE_LINE_NUMS_STRIPPED then sFileType:=sFiletype+'No line numbers, ';
if ImageNTHeader^.FileHeader.Characteristics and IMAGE_FILE_LOCAL_SYMS_STRIPPED = IMAGE_FILE_LOCAL_SYMS_STRIPPED then sFileType:=sFiletype+'No local symbols, ';
if ImageNTHeader^.FileHeader.Characteristics and IMAGE_FILE_AGGRESIVE_WS_TRIM = IMAGE_FILE_AGGRESIVE_WS_TRIM then sFileType:=sFiletype+'Agressive trim, ';
if ImageNTHeader^.FileHeader.Characteristics and IMAGE_FILE_BYTES_REVERSED_LO = IMAGE_FILE_BYTES_REVERSED_LO then sFileType:=sFiletype+'Reversed bytes LO, ';
if ImageNTHeader^.FileHeader.Characteristics and IMAGE_FILE_32BIT_MACHINE = IMAGE_FILE_32BIT_MACHINE then sFileType:=sFiletype+'32-bit, ';
if ImageNTHeader^.FileHeader.Characteristics and IMAGE_FILE_DEBUG_STRIPPED = IMAGE_FILE_DEBUG_STRIPPED then sFileType:=sFiletype+'No DBG info, ';
if ImageNTHeader^.FileHeader.Characteristics and IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP = IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP then sFileType:=sFiletype+'Removable: Run from swap, ';
if ImageNTHeader^.FileHeader.Characteristics and IMAGE_FILE_NET_RUN_FROM_SWAP = IMAGE_FILE_NET_RUN_FROM_SWAP then sFileType:=sFiletype+'Net: Run from swap, ';
if ImageNTHeader^.FileHeader.Characteristics and IMAGE_FILE_SYSTEM = IMAGE_FILE_SYSTEM then sFileType:=sFiletype+'System file, ';
if ImageNTHeader^.FileHeader.Characteristics and IMAGE_FILE_DLL = IMAGE_FILE_DLL then sFileType:=sFiletype+'DLL, ';
if ImageNTHeader^.FileHeader.Characteristics and IMAGE_FILE_UP_SYSTEM_ONLY = IMAGE_FILE_UP_SYSTEM_ONLY then sFileType:=sFiletype+'UP system only, ';
if ImageNTHeader^.FileHeader.Characteristics and IMAGE_FILE_BYTES_REVERSED_HI = IMAGE_FILE_BYTES_REVERSED_HI then sFileType:=sFiletype+'Reversed bytes HI, ';
sFileType:=copy(sfiletype,1,length(sfiletype)-2);
if sFileType='' then
sFileType:='Unknown';
PEItv.Items.addchild(PEHeader,format('Characteristics = %x (%s)' ,[ImageNTHeader^.FileHeader.Characteristics, sFileType]));
PEItv.Items.addchild(PEHeader,'-----optional-----');
PEItv.Items.addchild(PEHeader,format('Optional magic number = %x ' ,[ImageNTHeader^.OptionalHeader.Magic]));
PEItv.Items.addchild(PEHeader,format('Major linker version = %d ' ,[ImageNTHeader^.OptionalHeader.MajorLinkerVersion]));
PEItv.Items.addchild(PEHeader,format('Minor linker version = %d ' ,[ImageNTHeader^.OptionalHeader.MinorLinkerVersion]));
PEItv.Items.addchild(PEHeader,format('Size of code = %x (%d) ' ,[ImageNTHeader^.OptionalHeader.SizeOfCode, ImageNTHeader^.OptionalHeader.SizeOfCode]));
PEItv.Items.addchild(PEHeader,format('Size of initialized data = %x (%d)' ,[ImageNTHeader^.OptionalHeader.SizeOfInitializedData, ImageNTHeader^.OptionalHeader.SizeOfInitializedData]));
PEItv.Items.addchild(PEHeader,format('Size of uninitialized data = %x (%d) ' ,[ImageNTHeader^.OptionalHeader.SizeOfUninitializedData, ImageNTHeader^.OptionalHeader.SizeOfUninitializedData]));
PEItv.Items.addchild(PEHeader,format('Entry point = %.8x ' ,[ImageNTHeader^.OptionalHeader.AddressOfEntryPoint]));
PEItv.Items.addchild(PEHeader,format('Base of code = %.8x ' ,[ImageNTHeader^.OptionalHeader.BaseOfCode]));
if (not is64bit) then
begin
PEItv.Items.addchild(PEHeader,format('Base of data = %.8x ' ,[ImageNTHeader^.OptionalHeader.BaseOfData]));
PEItv.Items.addchild(PEHeader,format('Prefered imagebase = %.8x ' ,[ImageNTHeader^.OptionalHeader.ImageBase]));
end