📄 peinfounit.pas.svn-base
else
PEItv.Items.addchild(PEHeader,format('Prefered imagebase = %.16x ' ,[PUINT64(@ImageNTHeader^.OptionalHeader.BaseOfData)^]));
PEItv.Items.addchild(PEHeader,format('Section allignment = %x ' ,[ImageNTHeader^.OptionalHeader.SectionAlignment]));
PEItv.Items.addchild(PEHeader,format('File Alignment = %x ' ,[ImageNTHeader^.OptionalHeader.FileAlignment]));
PEItv.Items.addchild(PEHeader,format('Major Operating System Version = %d ' ,[ImageNTHeader^.OptionalHeader.MajorOperatingSystemVersion]));
PEItv.Items.addchild(PEHeader,format('Major Image Version = %d ' ,[ImageNTHeader^.OptionalHeader.MajorImageVersion]));
PEItv.Items.addchild(PEHeader,format('Minor Image Version = %d ' ,[ImageNTHeader^.OptionalHeader.MinorImageVersion]));
PEItv.Items.addchild(PEHeader,format('Major Subsystem Version = %d ' ,[ImageNTHeader^.OptionalHeader.MajorSubsystemVersion]));
PEItv.Items.addchild(PEHeader,format('Minor Subsystem Version = %d ' ,[ImageNTHeader^.OptionalHeader.MinorSubsystemVersion]));
PEItv.Items.addchild(PEHeader,format('Win32 Version Value = %x ' ,[ImageNTHeader^.OptionalHeader.Win32VersionValue]));
PEItv.Items.addchild(PEHeader,format('Size Of Image = %x ' ,[ImageNTHeader^.OptionalHeader.SizeOfImage]));
PEItv.Items.addchild(PEHeader,format('Size Of Headers = %x ' ,[ImageNTHeader^.OptionalHeader.SizeOfHeaders]));
PEItv.Items.addchild(PEHeader,format('CheckSum = %x ' ,[ImageNTHeader^.OptionalHeader.CheckSum]));
PEItv.Items.addchild(PEHeader,format('Subsystem = %x ' ,[ImageNTHeader^.OptionalHeader.Subsystem]));
PEItv.Items.addchild(PEHeader,format('Dll Characteristics = %x ' ,[ImageNTHeader^.OptionalHeader.DllCharacteristics]));
if is64bit then
begin
PEItv.Items.addchild(PEHeader,format('Size Of Stack Reserve = %x ' ,[PImageOptionalHeader64(@ImageNTHeader^.OptionalHeader)^.SizeOfStackReserve]));
PEItv.Items.addchild(PEHeader,format('Size Of Stack Commit = %x ' ,[PImageOptionalHeader64(@ImageNTHeader^.OptionalHeader)^.SizeOfStackCommit]));
PEItv.Items.addchild(PEHeader,format('Size Of Heap Reserve = %x ' ,[PImageOptionalHeader64(@ImageNTHeader^.OptionalHeader)^.SizeOfHeapReserve]));
PEItv.Items.addchild(PEHeader,format('Size Of Heap Commit = %x ' ,[PImageOptionalHeader64(@ImageNTHeader^.OptionalHeader)^.SizeOfHeapCommit]));
PEItv.Items.addchild(PEHeader,format('Loader Flags = %x ' ,[PImageOptionalHeader64(@ImageNTHeader^.OptionalHeader)^.LoaderFlags]));
numberofrva:=PImageOptionalHeader64(@ImageNTHeader^.OptionalHeader)^.NumberOfRvaAndSizes;
end
else
begin
PEItv.Items.addchild(PEHeader,format('Size Of Stack Reserve = %x ' ,[ImageNTHeader^.OptionalHeader.SizeOfStackReserve]));
PEItv.Items.addchild(PEHeader,format('Size Of Stack Commit = %x ' ,[ImageNTHeader^.OptionalHeader.SizeOfStackCommit]));
PEItv.Items.addchild(PEHeader,format('Size Of Heap Reserve = %x ' ,[ImageNTHeader^.OptionalHeader.SizeOfHeapReserve]));
PEItv.Items.addchild(PEHeader,format('Size Of Heap Commit = %x ' ,[ImageNTHeader^.OptionalHeader.SizeOfHeapCommit]));
PEItv.Items.addchild(PEHeader,format('Loader Flags = %x ' ,[ImageNTHeader^.OptionalHeader.LoaderFlags]));
numberofrva:=ImageNTHeader^.OptionalHeader.NumberOfRvaAndSizes;
end;
datadir:=PEItv.Items.addchild(PEHeader,format('Number Of Rva And Sizes = %d ' ,[numberofrva]));
ImageSectionHeader:=PImageSectionHeader(dword(@ImageNTHeader^.OptionalHeader)+ImageNTHeader^.FileHeader.SizeOfOptionalHeader);
PEItv.Items.addchild(PEHeader,'-----sections-----');
maxaddress:=0;
for i:=0 to ImageNTHeader^.FileHeader.NumberOfSections-1 do
begin
section:=PEItv.Items.addchild(PEHeader, copy(pchar(@ImageSectionHeader.Name[0]), 1, 8));
PEItv.Items.addchild(section,format('Virtual Size=%x',[ImageSectionHeader.Misc.VirtualSize]));
PEItv.Items.addchild(section,format('Virtual Address=%x',[ImageSectionHeader.VirtualAddress]));
PEItv.Items.addchild(section,format('size of raw data=%x',[ImageSectionHeader.SizeOfRawData]));
PEItv.Items.addchild(section,format('Pointer to raw data=%x',[ImageSectionHeader.PointerToRawData]));
PEItv.Items.addchild(section,format('Pointer to relocations=%x',[ImageSectionHeader.PointerToRelocations]));
PEItv.Items.addchild(section,format('Pointer to line numbers=%x',[ImageSectionHeader.PointerToLinenumbers]));
PEItv.Items.addchild(section,format('number of relocations=%x',[ImageSectionHeader.NumberOfRelocations]));
PEItv.Items.addchild(section,format('number of line numbers=%x',[ImageSectionHeader.NumberOfLinenumbers]));
sCharacteristics:='';
if ImageSectionHeader.Characteristics and IMAGE_SCN_CNT_CODE = IMAGE_SCN_CNT_CODE then sCharacteristics:='Executable code, ';
if ImageSectionHeader.Characteristics and IMAGE_SCN_CNT_INITIALIZED_DATA = IMAGE_SCN_CNT_INITIALIZED_DATA then sCharacteristics:=sCharacteristics+'Initialized data, ';
if ImageSectionHeader.Characteristics and IMAGE_SCN_CNT_UNINITIALIZED_DATA = IMAGE_SCN_CNT_UNINITIALIZED_DATA then sCharacteristics:=sCharacteristics+'Uninitialized data, ';
if ImageSectionHeader.Characteristics and IMAGE_SCN_LNK_REMOVE = IMAGE_SCN_LNK_REMOVE then sCharacteristics:=sCharacteristics+'removed, ';
if ImageSectionHeader.Characteristics and IMAGE_SCN_MEM_DISCARDABLE = IMAGE_SCN_MEM_DISCARDABLE then sCharacteristics:=sCharacteristics+'discardable, ';
if ImageSectionHeader.Characteristics and IMAGE_SCN_MEM_NOT_CACHED = IMAGE_SCN_MEM_NOT_CACHED then sCharacteristics:=sCharacteristics+'not cached, ';
if ImageSectionHeader.Characteristics and IMAGE_SCN_MEM_NOT_PAGED = IMAGE_SCN_MEM_NOT_PAGED then sCharacteristics:=sCharacteristics+'not paged, ';
if ImageSectionHeader.Characteristics and IMAGE_SCN_MEM_SHARED = IMAGE_SCN_MEM_SHARED then sCharacteristics:=sCharacteristics+'shared memory, ';
if ImageSectionHeader.Characteristics and IMAGE_SCN_MEM_EXECUTE = IMAGE_SCN_MEM_EXECUTE then sCharacteristics:=sCharacteristics+'executable memory, ';
if ImageSectionHeader.Characteristics and IMAGE_SCN_MEM_READ = IMAGE_SCN_MEM_READ then sCharacteristics:=sCharacteristics+'readable memory, ';
if ImageSectionHeader.Characteristics and IMAGE_SCN_MEM_WRITE = IMAGE_SCN_MEM_WRITE then sCharacteristics:=sCharacteristics+'writable memory, ';
sCharacteristics:=copy(sCharacteristics,1,length(sCharacteristics)-2);
if sCharacteristics='' then sCharacteristics:='Unknown';
PEItv.Items.addchild(section,format('characterisitics=%x (%s)',[ImageSectionHeader.Characteristics, sCharacteristics]));
if maxaddress<(ImageSectionHeader.VirtualAddress+ImageSectionHeader.SizeOfRawData) then
maxaddress:=ImageSectionHeader.VirtualAddress+ImageSectionHeader.SizeOfRawData;
inc(ImageSectionHeader);
end;
ImageSectionHeader:=PImageSectionHeader(dword(@ImageNTHeader^.OptionalHeader)+ImageNTHeader^.FileHeader.SizeOfOptionalHeader);
if loaded then
begin
//in memory
loadedmodule:=memorycopy;
if is64bit then
begin
//no use in 5.4- , but let's do it anyhow
basedifference:=dword(loadedmodule)-PImageOptionalHeader64(@ImageNTHeader^.OptionalHeader)^.ImageBase;
basedifference64:=UINT64(loadedmodule)-PImageOptionalHeader64(@ImageNTHeader^.OptionalHeader)^.ImageBase;
end
else
begin
basedifference:=dword(loadedmodule)-ImageNTHeader^.OptionalHeader.ImageBase;
end;
end
else
begin
//from a file
loadedmodule:=virtualalloc(nil,maxaddress, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if loadedmodule=nil then raise exception.create('Failure at allocating memory');
ZeroMemory(loadedmodule,maxaddress);
label2.caption:=inttohex(dword(loadedmodule),8);
for i:=0 to ImageNTHeader^.FileHeader.NumberOfSections-1 do
begin
CopyMemory(@loadedmodule[ImageSectionHeader.VirtualAddress], @memorycopy[ImageSectionHeader.PointerToRawData], ImageSectionHeader.SizeOfRawData);
//determine the correct protection
// correctprotection:=0;
// VirtualProtect(@ImageSectionHeader[ImageSectionHeader.VirtualAddress], ImageSectionHeader.SizeOfRawData, correctprotection, ignore);
//adjust rva's
inc(ImageSectionHeader);
end;
if is64bit then
begin
CopyMemory(@loadedmodule[0], @memorycopy[0], PImageOptionalHeader64(@ImageNTHeader^.OptionalHeader)^.SizeOfHeaders);
basedifference:=dword(loadedmodule)-PImageOptionalHeader64(@ImageNTHeader^.OptionalHeader)^.ImageBase;
basedifference64:=UINT64(loadedmodule)-PImageOptionalHeader64(@ImageNTHeader^.OptionalHeader)^.ImageBase;
end
else
begin
CopyMemory(@loadedmodule[0], @memorycopy[0], ImageNTHeader^.OptionalHeader.SizeOfHeaders);
basedifference:=dword(loadedmodule)-ImageNTHeader^.OptionalHeader.ImageBase;
end;
end;
//now it has been mapped the vla and other stuff can be handled
for i:=0 to numberofrva-1 do
begin
case i of
0: sType:='Export table';
1: sType:='Import table';
2: sType:='Resource table';
3: sType:='Exception table';
4: sType:='Certificate table';
5: sType:='Base-Relocation table';
6: sType:='Debugging info table';
7: sType:='Architecture-Specific table';
8: sType:='Global pointer table';
9: sType:='TLS table';
10: sType:='Load config table';
11: sType:='Bound import table';
12: sType:='import address table';
13: sType:='Delay import descriptor table';
else sType:='reserved';
end;
if is64bit then
tempnode:=PEItv.Items.addchild(datadir,format('%.8x - %x (%s)' ,[PImageOptionalHeader64(@ImageNTHeader^.OptionalHeader)^.DataDirectory[i].VirtualAddress, PImageOptionalHeader64(@ImageNTHeader^.OptionalHeader)^.DataDirectory[i].Size, sType]))
else
tempnode:=PEItv.Items.addchild(datadir,format('%.8x - %x (%s)' ,[ImageNTHeader^.OptionalHeader.DataDirectory[i].VirtualAddress, ImageNTHeader^.OptionalHeader.DataDirectory[i].Size, sType]));
if (is64bit and (PImageOptionalHeader64(@ImageNTHeader^.OptionalHeader)^.DataDirectory[i].VirtualAddress=0)) or
((not is64bit) and (ImageNTHeader^.OptionalHeader.DataDirectory[i].VirtualAddress=0)) then
continue; //don't look into it
if i=0 then
begin
//exports
if is64bit then
ImageExportDirectory:=PImageExportDirectory(dword(loadedmodule)+PImageOptionalHeader64(@ImageNTHeader^.OptionalHeader)^.DataDirectory[i].VirtualAddress)
else
ImageExportDirectory:=PImageExportDirectory(dword(loadedmodule)+ImageNTHeader^.OptionalHeader.DataDirectory[i].VirtualAddress);
lbExports.Items.Add(pchar(dword(loadedmodule)+ImageExportDirectory.Name)+':');
PEItv.Items.addchild(tempnode, format('Characteristics=%x (should be 0)', [ImageExportDirectory.Characteristics]));
PEItv.Items.addchild(tempnode, format('Time datastamp=%x', [ImageExportDirectory.TimeDateStamp]));
PEItv.Items.addchild(tempnode, format('Major version=%d', [ImageExportDirectory.MajorVersion]));
PEItv.Items.addchild(tempnode, format('Minor version=%d', [ImageExportDirectory.MinorVersion]));
PEItv.Items.addchild(tempnode, format('Name = %x (%s)', [ImageExportDirectory.Name, pchar(dword(loadedmodule)+ImageExportDirectory.Name)]));
PEItv.Items.addchild(tempnode, format('Base = %x', [ImageExportDirectory.Base]));
PEItv.Items.addchild(tempnode, format('NumberOfFunctions = %d', [ImageExportDirectory.NumberOfFunctions]));
PEItv.Items.addchild(tempnode, format('NumberOfNames = %d', [ImageExportDirectory.NumberOfNames]));
tempnode2:=PEItv.Items.addchild(tempnode, format('AddressOfFunctions = %x', [dword(ImageExportDirectory.AddressOfFunctions)]));
if ImageExportDirectory.NumberOfFunctions<>ImageExportDirectory.NumberOfNames then
tempnode2.Text:=tempnode2.Text+' (inconsistent)'
else
begin
for j:=0 to ImageExportDirectory.NumberOfFunctions-1 do
lbExports.Items.Add(format('%x - %s',[pdwordarray(dword(loadedmodule)+dword(ImageExportDirectory.AddressOfFunctions))[j], pchar(dword(loadedmodule)+pdwordarray(dword(loadedmodule)+dword(ImageExportDirectory.AddressOfNames))[j])]));
end;
for j:=0 to ImageExportDirectory.NumberOfFunctions-1 do
PEItv.Items.addchild(tempnode2, format('%x',[pdwordarray(dword(loadedmodule)+dword(ImageExportDirectory.AddressOfFunctions))[j]]));
tempnode2:=PEItv.Items.addchild(tempnode, format('AddressOfNames = %x', [dword(ImageExportDirectory.AddressOfNames)]));
for j:=0 to ImageExportDirectory.NumberOfNames-1 do
PEItv.Items.addchild(tempnode2, format('%s',[pchar(dword(loadedmodule)+pdwordarray(dword(loadedmodule)+dword(ImageExportDirectory.AddressOfNames))[j])]));
PEItv.Items.addchild(tempnode, format('AddressOfNameOrdinals = %x', [dword(ImageExportDirectory.AddressOfNameOrdinals)]));
end
else
if i=1 then
begin //import
j:=0;
if is64bit then
ImageImportDirectory:=PImageImportDirectory(dword(loadedmodule)+PImageOptionalHeader64(@ImageNTHeader^.OptionalHeader)^.DataDirectory[i].VirtualAddress)
else
ImageImportDirectory:=PImageImportDirectory(dword(loadedmodule)+ImageNTHeader^.OptionalHeader.DataDirectory[i].VirtualAddress);
while (j<45) do
begin
if ImageImportDirectory.name=0 then break;
if j>0 then
lbImports.Items.Add('');
lbImports.Items.Add(format('%s', [pchar(dword(loadedmodule)+ImageImportDirectory.name)]));
tempnode2:=PEItv.Items.addchild(tempnode,format('Import %d : %s',[j, pchar(dword(loadedmodule)+ImageImportDirectory.name)]));
PEItv.Items.addchild(tempnode2, format('Characteristics/OriginalFirstThunk=%x', [ImageImportDirectory.characteristicsOrFirstThunk]));
PEItv.Items.addchild(tempnode2, format('TimeDateStamp=%x (0=not bound -1=bound, and timestamp)', [ImageImportDirectory.TimeDateStamp]));
PEItv.Items.addchild(tempnode2, format('Forwarder Chain=%x (-1 if no forwarders)', [ImageImportDirectory.ForwarderChain]));
PEItv.Items.addchild(tempnode2, format('Name=%x : %s', [ImageImportDirectory.name, pchar(dword(loadedmodule)+ImageImportDirectory.name)]));
PEItv.Items.addchild(tempnode2, format('FirstThunk=%x', [ImageImportDirectory.FirstThunk]));
tempnode3:=PEItv.Items.addchild(tempnode2, format('imports:',[]));
if ImageImportDirectory.ForwarderChain<>$ffffffff then
begin
importmodulename:=pchar(dword(loadedmodule)+ImageImportDirectory.name);
if not loaded then
modhandle:=loadlibrary(pchar(importmodulename));
k:=0;
if is64bit then
while PUINT64(dword(loadedmodule)+ImageImportDirectory.FirstThunk+8*k)^<>0 do
begin
importaddress:=dword(loadedmodule)+ImageImportDirectory.FirstThunk+8*k;
importfunctionname:=pchar(dword(loadedmodule)+pdword(importaddress)^+2);
PEItv.Items.addchild(tempnode3, format('%x (%x) - %s',[PUINT64(dword(loadedmodule)+ImageImportDirectory.FirstThunk+8*k)^, importaddress, importfunctionname]));
lbImports.Items.Add( format('%x (%x) - %s',[PUINT64(dword(loadedmodule)+ImageImportDirectory.FirstThunk+8*k)^, importaddress, importfunctionname]));
if not loaded then
begin