📄 peinfounit.pas.svn-base
字号:
funcaddress:=dword(getprocaddress(modhandle, pchar(importfunctionname)));
pdword(importaddress)^:=funcaddress;
end;
inc(k);
end
else
while PDWORD(dword(loadedmodule)+ImageImportDirectory.FirstThunk+4*k)^<>0 do
begin
importaddress:=dword(@pdwordarray(dword(loadedmodule)+ImageImportDirectory.FirstThunk)[k]);
tempaddress:=dword(loadedmodule)+pdwordarray(dword(loadedmodule)+ImageImportDirectory.FirstThunk)[k]+2;
if loaded then
begin
tempaddress2:=pdwordarray(dword(loadedmodule)+ImageImportDirectory.FirstThunk)[k];
importfunctionname:=symhandler.getNameFromAddress(tempaddress2);
if uppercase(inttohex(tempaddress2,8))=uppercase(importfunctionname) then
begin
//failure to convert the address to an import
inc(k);
continue;
end;
end
else importfunctionname:=pchar(tempaddress);
PEItv.Items.addchild(tempnode3, format('%x (%x) - %s',[pdwordarray(dword(loadedmodule)+ImageImportDirectory.FirstThunk)[k], importaddress, importfunctionname]));
lbImports.Items.Add( format('%x (%x) - %s',[pdwordarray(dword(loadedmodule)+ImageImportDirectory.FirstThunk)[k], importaddress-dword(loadedmodule), importfunctionname]));
if not loaded then
begin
funcaddress:=dword(getprocaddress(modhandle, pchar(importfunctionname)));
pdword(importaddress)^:=funcaddress;
end;
inc(k);
end;
end
else
begin
PEItv.Items.addchild(tempnode3,'Static addresses');
end;
inc(j);
ImageImportDirectory:=PImageImportDirectory(dword(ImageImportDirectory)+sizeof(TImageImportDirectory));
end;
end
else
if i=5 then
begin
// IMAGE_BASE_RELOCATION stuff
if is64bit then
begin
ImageBaseRelocation:=PIMAGE_BASE_RELOCATION(dword(loadedmodule)+PImageOptionalHeader64(@ImageNTHeader^.OptionalHeader)^.DataDirectory[i].VirtualAddress);
maxaddress:=dword(loadedmodule)+PImageOptionalHeader64(@ImageNTHeader^.OptionalHeader)^.DataDirectory[i].VirtualAddress+PImageOptionalHeader64(@ImageNTHeader^.OptionalHeader)^.DataDirectory[i].Size;
end
else
begin
ImageBaseRelocation:=PIMAGE_BASE_RELOCATION(dword(loadedmodule)+ImageNTHeader^.OptionalHeader.DataDirectory[i].VirtualAddress);
maxaddress:=dword(loadedmodule)+ImageNTHeader^.OptionalHeader.DataDirectory[i].VirtualAddress+ImageNTHeader^.OptionalHeader.DataDirectory[i].Size;
end;
while dword(ImageBaseRelocation)<maxaddress do
begin
if ImageBaseRelocation.SizeOfBlock=0 then break;
VA:=PEItv.Items.addchild(tempnode,format('Virtual address base: %.8x (size=%x (%d))', [ImageBaseRelocation.virtualaddress, ImageBaseRelocation.SizeOfBlock, ImageBaseRelocation.SizeOfBlock]));
for j:=0 to ((ImageBaseRelocation.SizeOfBlock-8) div 2)-1 do
begin
PEItv.Items.addchild(va, format('%.3x : %d',[(ImageBaseRelocation.rel[j] and $fff), (ImageBaseRelocation.rel[j] shr 12) ]));
lbBaseReloc.Items.Add(format('%.3x : %d',[ImageBaseRelocation.virtualaddress+(ImageBaseRelocation.rel[j] and $fff), (ImageBaseRelocation.rel[j] shr 12) ]));
if not loaded then
begin
if (ImageBaseRelocation.rel[j] shr 12)=3 then //replace the address at this address with a relocated one (dword)
pdword(dword(loadedmodule)+ImageBaseRelocation.virtualaddress+(ImageBaseRelocation.rel[j] and $fff))^:=pdword(dword(loadedmodule)+ImageBaseRelocation.virtualaddress+(ImageBaseRelocation.rel[j] and $fff))^+basedifference;
if (ImageBaseRelocation.rel[j] shr 12)=10 then //replace the address at this address with a relocated one (dword)
PUINT64(dword(loadedmodule)+ImageBaseRelocation.virtualaddress+(ImageBaseRelocation.rel[j] and $fff))^:=PUINT64(dword(loadedmodule)+ImageBaseRelocation.virtualaddress+(ImageBaseRelocation.rel[j] and $fff))^+basedifference64;
end;
end;
ImageBaseRelocation:=PIMAGE_BASE_RELOCATION(dword(ImageBaseRelocation)+ImageBaseRelocation.SizeOfBlock);
end;
end;
end;
finally
PEItv.Items.EndUpdate;
lbImports.Items.EndUpdate;
lbExports.Items.EndUpdate;
lbBaseReloc.Items.EndUpdate;
end;
if loaded then
begin
loadedmodule:=nil;
end
else
begin
if (loadedmodule<>nil) then
begin
virtualfree(loadedmodule,0,MEM_RELEASE);
loadedmodule:=nil;
end;
end;
end;
procedure TfrmPEInfo.LoadButtonClick(Sender: TObject);
var f: tfilestream;
begin
radiobutton1.Checked:=true;
if opendialog1.Execute then
begin
label1.Caption:=extractfilename(opendialog1.filename);
//open the file and read mem
f:=tfilestream.Create(opendialog1.filename, fmOpenRead or fmShareDenyNone );
try
if memorycopy<>nil then
freemem(memorycopy);
if loadedmodule<>nil then
begin
virtualfree(loadedmodule,0,MEM_RELEASE );
loadedmodule:=nil;
end;
getmem(memorycopy, f.Size);
f.ReadBuffer(memorycopy^,f.Size);
memorycopysize:=f.size;
finally
f.free;
end;
//and parse it
ParseFile(false);
end;
end;
procedure TfrmPEInfo.FormDestroy(Sender: TObject);
begin
if memorycopy<>nil then
freemem(memorycopy);
if loadedmodule<>nil then
VirtualFree(loadedmodule,0,MEM_RELEASE);
end;
procedure TfrmPEInfo.FormClose(Sender: TObject; var Action: TCloseAction);
begin
action:=cafree;
end;
procedure TfrmPEInfo.modulelistClick(Sender: TObject);
begin
if modulelist.ItemIndex<>-1 then
edtAddress.Text:=inttohex(dword(modulelist.Items.Objects[modulelist.itemindex]),8);
end;
procedure TfrmPEInfo.FormShow(Sender: TObject);
begin
modulelist.Clear;
symhandler.getModuleList(modulelist.Items);
if modulelist.Count>0 then
begin
modulelist.ItemIndex:=0;
modulelist.OnClick(modulelist);
end;
end;
procedure TfrmPEInfo.Button1Click(Sender: TObject);
var address: dword;
actualread: dword;
headersize: dword;
imagesize: dword;
imagesizes: string;
check: boolean;
begin
try
address:=strtoint('$'+edtAddress.text);
except
beep; //beeeeeeeeeeeeping idiot
exit;
end;
if loadedmodule<>nil then
begin
virtualfree(loadedmodule,0,MEM_RELEASE );
loadedmodule:=nil;
end;
if memorycopy<>nil then
freemem(memorycopy);
getmem(memorycopy,4096);
try
if (not readprocessmemory(processhandle,pointer(address),memorycopy,4096,actualread)) or (actualread<>4096) then
raise exception.Create('The header of the module could not be read');
headersize:=peinfo_getheadersize(memorycopy);
if headersize=0 then
raise exception.Create('This is not a valid PE file');
imagesize:=peinfo_getimagesize(memorycopy);
finally
freemem(memorycopy);
end;
if imagesize>256*1024*1024 then
begin
imagesizes:=inttostr(imagesize);
if inputquery('PEInfo: Image size','The imagesize is more than 256 MB, is this the correct ammount? If not, edit here', imagesizes) then
begin
try
imagesize:=strtoint(imagesizes);
except
exit;
end;
end
else exit;
end;
getmem(memorycopy,imagesize);
actualread:=0;
check:=readprocessmemory(processhandle,pointer(address),memorycopy,imagesize,actualread);
if actualread>0 then //work with this
begin
if not check then
messagedlg('Not all memory could be read, working with a partial copy here',mtwarning,[mbok],0);
memorycopysize:=actualread;
end else raise exception.Create('Failure reading memory');
modulebase:=address;
parsefile(true);
end;
procedure TfrmPEInfo.FormCreate(Sender: TObject);
begin
pagecontrol1.TabIndex:=0;
end;
end.
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -