📄 pe.c
optionalHeader.DataDirectory[i].VirtualAddress,
optionalHeader.DataDirectory[i].Size);
break;
}
case IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT :
{
printf("%02d: Bound Import \t%08X\t%-8d\n",
i,
optionalHeader.DataDirectory[i].VirtualAddress,
optionalHeader.DataDirectory[i].Size);
break;
}
case IMAGE_DIRECTORY_ENTRY_IAT :
{
printf("%02d: Import Address Table(IAT) \t%08X\t%-8d\n",
i,
optionalHeader.DataDirectory[i].VirtualAddress,
optionalHeader.DataDirectory[i].Size);
break;
}
case IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT :
{
printf("%02d: Delay Import Descriptor \t%08X\t%-8d\n",
i,
optionalHeader.DataDirectory[i].VirtualAddress,
optionalHeader.DataDirectory[i].Size);
break;
}
case IMAGE_DIRECTORY_ENTRY_CLR_RUNTIME :
{
printf("%02d: CLR Runtime Header \t%08X\t%-8d\n",
i,
optionalHeader.DataDirectory[i].VirtualAddress,
optionalHeader.DataDirectory[i].Size);
break;
}
case IMAGE_DIRECTORY_ENTRY_RESERVE :
{
printf("%02d: Reserved \t%08X\t%-8d\n",
i,
optionalHeader.DataDirectory[i].VirtualAddress,
optionalHeader.DataDirectory[i].Size);
break;
}
default :
{
break;
}
}
}
}
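/*
 * Reads the NT headers that start at file offset `fileAddress`: the 4-byte
 * signature, then the file header and the optional header through their
 * own readers.
 *
 * peFile      - stream of the PE file being inspected (treated as untrusted)
 * peHeader    - caller-owned structure that receives the headers
 * fileAddress - file offset of the signature; presumably taken from the DOS
 *               header by the caller, so it is attacker-controlled as well
 *               (NOTE(review): caller is not visible here - confirm)
 */
void ReadPEHeader(FILE *peFile, PIMAGE_NT_HEADERS peHeader, DWORD fileAddress)
{
    /*
     * A bogus offset or a truncated file makes the seek or the read fail.
     * Without a check the signature would keep whatever the caller's buffer
     * held before, and the later signature test would compare indeterminate
     * memory.  Force it to 0 so the test fails deterministically (assuming
     * IMAGE_NT_SIGNATURE is non-zero).
     */
    if(fseek(peFile, (long) fileAddress, SEEK_SET) != 0 ||
       fread(&(peHeader->PESignature), sizeof(peHeader->PESignature), 1, peFile) != 1)
    {
        peHeader->PESignature = 0;
    }

    /* The file header follows the 4-byte signature. */
    ReadFileHeader(peFile, &(peHeader->FileHeader), fileAddress + 4);
    /* The optional header follows the file header. */
    ReadOptionalHeader(peFile, &(peHeader->OptionalHeader),
                       fileAddress + sizeof(IMAGE_FILE_HEADER) + 4);
}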
/*
 * Prints the NT headers: the signature as hex and as its four bytes
 * (lowest byte first), then the file header and the optional header.
 *
 * Terminates the whole process with status 1 when the signature does not
 * match IMAGE_NT_SIGNATURE, so nothing after this call runs for a file
 * that is not a PE image.
 */
void PrintPEHeader(IMAGE_NT_HEADERS peHeader)
{
    int shift;

    /* Reject anything that does not carry the PE signature. */
    if(peHeader.PESignature != IMAGE_NT_SIGNATURE)
    {
        printf("File is not a valid PE File!\n");
        exit(1);
    }

    printf("PE Signature : \t%08X",
           peHeader.PESignature);

    /* Same four bytes again, as characters, least significant first. */
    printf("\t");
    for(shift = 0; shift < 32; shift += 8)
    {
        printf("%c", (peHeader.PESignature >> shift) & 0xFF);
    }
    printf("\n");

    PrintFileHeader(peHeader.FileHeader);
    PrintOptionalHeader(peHeader.OptionalHeader);
}
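/*
 * Reads `sectionNumber` section headers from file offset `fileAddress`
 * into the caller-owned array `sectionTable`.
 *
 * The array must have room for `sectionNumber` entries.  Both the offset
 * and the count normally come from the file being inspected, so neither is
 * trusted here:
 *   - a NULL table or a count <= 0 is ignored (a negative int would
 *     otherwise be converted to a huge size_t element count for fread);
 *   - entries that could not be read (failed seek, truncated file) are
 *     zero-filled instead of being left with indeterminate contents.
 */
void ReadSectionTable(FILE *peFile, PIMAGE_SECTION_HEADER sectionTable, DWORD fileAddress, int sectionNumber)
{
    static const IMAGE_SECTION_HEADER emptySection = {0};
    size_t wanted;
    size_t got = 0;

    if(sectionTable == NULL || sectionNumber <= 0)
    {
        return;
    }
    wanted = (size_t) sectionNumber;

    if(fseek(peFile, (long) fileAddress, SEEK_SET) == 0)
    {
        got = fread(sectionTable, sizeof(IMAGE_SECTION_HEADER), wanted, peFile);
    }

    /* Short read: blank the tail so later code never sees garbage. */
    for(; got < wanted; got++)
    {
        sectionTable[got] = emptySection;
    }
}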
/*
 * Prints one row per section header: index, name, virtual size/address,
 * raw size/offset, relocation and line-number pointers and counts, and the
 * characteristics flags.
 *
 * sectionTable  - array of section headers
 * sectionNumber - number of entries to print
 *
 * NOTE(review): the 8 name bytes come straight from the file and are
 * written to stdout unfiltered (the %.8s precision only bounds the length),
 * so a crafted name can place control bytes in the output.
 */
void PrintSectionTable(PIMAGE_SECTION_HEADER sectionTable, int sectionNumber)
{
    int row = 0;
    PIMAGE_SECTION_HEADER entry = sectionTable;

    /* Table heading */
    printf("\nSection Table:\n");
    printf("====================================================================================\n");
    printf("No Name VSize VAddr RawSize RawOff Reloc LineNO NR NL Charact\n");
    printf("====================================================================================\n");

    while(row < sectionNumber)
    {
        /* Row number (1-based) and section name */
        printf("%02d ", row + 1);
        printf("%-8.8s ", entry->Name);

        /* Placement in memory */
        printf("%08X ", entry->Misc.VirtualSize);
        printf("%08X ", entry->VirtualAddress);

        /* Placement in the file */
        printf("%08X ", entry->SizeOfRawData);
        printf("%08X ", entry->PointerToRawData);

        /* Relocation / line-number pointers, then their counts */
        printf("%08X ", entry->PointerToRelocations);
        printf("%08X ", entry->PointerToLineNumbers);
        printf("%04X ", entry->NumberOfRelocations);
        printf("%04X ", entry->NumberOfLineNumbers);

        /* Characteristics flags close the row */
        printf("%08X", entry->Characteristics);
        printf("\n");

        row++;
        entry++;
    }
}
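/*
 * Translates a relative virtual address into a file offset using the
 * section table.
 *
 * RVA          - address to translate (read from the file, so untrusted)
 * sectionTable - section headers; the entry count is taken from the
 *                file-scope `sectionNumber`
 *
 * Returns the file offset, or 0 when the table is NULL or no section's raw
 * data covers the RVA.  Callers must treat 0 as "not found".
 *
 * The previous version picked "the section before the first one that
 * starts above RVA".  That indexed sectionTable[-1] when the RVA lay below
 * the first section, never resolved an RVA inside the last section, and
 * depended on the sections being sorted.  Each section is now tested on
 * its own bounds.
 */
DWORD RVAToFileOffset(DWORD RVA, PIMAGE_SECTION_HEADER sectionTable)
{
    int i;
    DWORD delta;

    if(sectionTable == NULL)
    {
        return 0;
    }

    for(i = 0; i < sectionNumber; i++)
    {
        if(RVA < sectionTable[i].VirtualAddress)
        {
            continue;
        }

        /* Offset inside the section; cannot underflow after the test above. */
        delta = RVA - sectionTable[i].VirtualAddress;

        /* Only bytes that exist in the file have a file offset. */
        if(delta >= sectionTable[i].SizeOfRawData)
        {
            continue;
        }

        /* Refuse a result that would wrap around the DWORD range. */
        if(delta > (DWORD) -1 - sectionTable[i].PointerToRawData)
        {
            return 0;
        }

        return delta + sectionTable[i].PointerToRawData;
    }

    return 0;
}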
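/*
 * Reads a NUL-terminated string of at most size-1 bytes from file offset
 * `offset` into `buf`.  Returns 1 when at least one byte was read, else 0
 * (buf is then the empty string).  Offset 0 is the "not found" value of
 * RVAToFileOffset and is rejected.
 */
static int ImportReadString(FILE *peFile, DWORD offset, char *buf, size_t size)
{
    size_t got;

    buf[0] = '\0';
    if(offset == 0 || fseek(peFile, (long) offset, SEEK_SET) != 0)
    {
        return 0;
    }
    /* fread, not fgets: the string ends at NUL, not at a newline. */
    got = fread(buf, 1, size - 1, peFile);
    buf[got] = '\0';
    return got > 0;
}

/*
 * Prints every import descriptor of the image and, below each one, the
 * functions imported from that module.
 *
 * peFile       - stream of the PE file (untrusted input)
 * ImportRVA    - RVA of the import directory; 0 means the image has none
 * sectionTable - section headers used to map RVAs to file offsets
 * importTable  - incoming value is ignored; the function allocates its own
 *                table and releases it before returning
 *
 * Exits the process with status 0 when there is no import directory and
 * with status 1 when it cannot be located, read, or allocated.
 *
 * Everything read here is attacker-controlled, so every seek, read and RVA
 * translation is checked: a truncated or crafted file ends a loop or yields
 * an "<invalid>" cell instead of an endless loop, a NULL passed to printf,
 * or output built from uninitialised memory.
 *
 * NOTE(review): module and function names are printed as raw bytes from
 * the file; control characters are not filtered.
 */
void PrintImportTable(FILE *peFile, DWORD ImportRVA, PIMAGE_SECTION_HEADER sectionTable, PIMAGE_IMPORT_DISCRIPTOR importTable)
{
    int i, j;
    int importCount, functionCount;
    int haveName;
    WORD Hint;
    DWORD fileAddress;
    DWORD tableAddress;
    DWORD stamp;
    DWORD thunkRVA;
    DWORD nameRVA;
    char moduleName[80], functionName[80];
    char *timeText;
    time_t boundTime;
    struct tm *boundTm;
    IMAGE_IMPORT_DISCRIPTOR importTemp;
    IMAGE_THUNK_DATA thunkTemp;
    PIMAGE_THUNK_DATA thunkTable;

    if(ImportRVA == 0)
    {
        printf("No Import Table Found !\n");
        exit(0);
    }
    tableAddress = RVAToFileOffset(ImportRVA, sectionTable);
    if(tableAddress == 0 || fseek(peFile, (long) tableAddress, SEEK_SET) != 0)
    {
        printf("Can't Find ImportTable!\n");
        exit(1);
    }

    /*
     * Count descriptors up to the all-zero terminator.  The loop also stops
     * at the first failed read, so a file without a terminator cannot spin
     * forever on a stale importTemp.
     */
    importCount = 0;
    while(fread(&importTemp, sizeof(IMAGE_IMPORT_DISCRIPTOR), 1, peFile) == 1)
    {
        if((importTemp.ImportRVACharacteristics.OriginalFirstThunk == 0) &&
           (importTemp.TimeDateStamp == 0) &&
           (importTemp.ForwarderChain == 0) &&
           (importTemp.Name == 0) &&
           (importTemp.FirstThunk == 0))
        {
            break;
        }
        importCount += 1;
    }

    importTable = NULL;
    if(importCount > 0)
    {
        importTable = (PIMAGE_IMPORT_DISCRIPTOR) malloc(sizeof(IMAGE_IMPORT_DISCRIPTOR) * importCount);
        if(importTable == NULL)
        {
            printf("Memory Error!\n");
            exit(1);
        }
        if(fseek(peFile, (long) tableAddress, SEEK_SET) != 0 ||
           fread(importTable, sizeof(IMAGE_IMPORT_DISCRIPTOR), importCount, peFile) != (size_t) importCount)
        {
            printf("Can't Read ImportTable!\n");
            free(importTable);
            exit(1);
        }
    }

    printf("\nImported Moudles & Functions :\n");
    printf("=============================================================================\n");
    printf("Name\t\tBinded Time\t\tOrig1stTk ForwdChain FirstThunk\n");
    printf("=============================================================================\n");

    for(i = 0; i < importCount; i++)
    {
        /* Module name */
        fileAddress = RVAToFileOffset(importTable[i].Name, sectionTable);
        haveName = ImportReadString(peFile, fileAddress, moduleName, sizeof(moduleName));
        printf("%-16.16s", haveName ? moduleName : "<invalid>");

        /*
         * Bound time.  The 32-bit stamp is copied into a real time_t; casting
         * the field's address to time_t * reads past the field wherever
         * time_t is wider than a DWORD.  gmtime may return NULL.
         */
        stamp = importTable[i].TimeDateStamp;
        timeText = NULL;
        if((stamp != 0) && (stamp != (DWORD) -1))
        {
            boundTime = (time_t) stamp;
            boundTm = gmtime(&boundTime);
            if(boundTm != NULL)
            {
                timeText = asctime(boundTm);
            }
        }
        if(timeText != NULL)
        {
            /* Skip the leading weekday ("Www "). */
            printf("%-20.20s\t", timeText + 4);
        }
        else
        {
            printf("%08X\t\t", stamp);
        }

        printf("%08X ", importTable[i].ImportRVACharacteristics.OriginalFirstThunk);
        printf("%08X ", importTable[i].ForwarderChain);
        printf("%08X", importTable[i].FirstThunk);

        /*
         * Functions imported from this module.  Some linkers leave
         * OriginalFirstThunk at 0; the name table is then reached through
         * FirstThunk.
         */
        thunkRVA = importTable[i].ImportRVACharacteristics.OriginalFirstThunk;
        if(thunkRVA == 0)
        {
            thunkRVA = importTable[i].FirstThunk;
        }
        fileAddress = RVAToFileOffset(thunkRVA, sectionTable);

        functionCount = 0;
        if(fileAddress != 0 && fseek(peFile, (long) fileAddress, SEEK_SET) == 0)
        {
            /* Stops at the zero terminator or at the first failed read. */
            while(fread(&thunkTemp, sizeof(IMAGE_THUNK_DATA), 1, peFile) == 1 &&
                  thunkTemp.OrdinalName.NameTable != 0)
            {
                functionCount += 1;
            }
        }

        thunkTable = NULL;
        if(functionCount > 0)
        {
            thunkTable = (PIMAGE_THUNK_DATA) malloc(sizeof(IMAGE_THUNK_DATA) * functionCount);
            if(thunkTable == NULL)
            {
                printf("Memory Error!\n");
                free(importTable);
                exit(1);
            }
            if(fseek(peFile, (long) fileAddress, SEEK_SET) != 0 ||
               fread(thunkTable, sizeof(IMAGE_THUNK_DATA), functionCount, peFile) != (size_t) functionCount)
            {
                functionCount = 0;
            }
        }

        printf("\n-----------------------------------------------------------------------------\n");
        printf("\t\tName \t\t Ordinal\tRVA\n");
        printf("\t\t-------------------------------------------------------------\n");
        for(j = 0; j < functionCount; j++)
        {
            nameRVA = thunkTable[j].OrdinalName.NameTable;
            printf("\t- %02d\t", j + 1);

            if(nameRVA & 0x80000000UL)
            {
                /*
                 * Top bit set: import by ordinal.  The low 16 bits are the
                 * ordinal and there is no hint/name entry to follow.
                 */
                printf("%-36.36s", "(by ordinal)");
                printf("%-8d\t", (int) (nameRVA & 0xFFFF));
            }
            else
            {
                /* Hint/name entry: a 16-bit hint followed by the name. */
                Hint = 0;
                haveName = 0;
                fileAddress = RVAToFileOffset(nameRVA, sectionTable);
                if(fileAddress != 0 &&
                   fseek(peFile, (long) fileAddress, SEEK_SET) == 0 &&
                   fread(&Hint, sizeof(WORD), 1, peFile) == 1)
                {
                    haveName = ImportReadString(peFile, fileAddress + sizeof(WORD),
                                                functionName, sizeof(functionName));
                }
                printf("%-36.36s", haveName ? functionName : "<invalid>");
                printf("%-8d\t", Hint);
            }

            printf("%08X", nameRVA);
            printf("\n");
        }
        printf("\n");

        free(thunkTable);
    }

    free(importTable);
}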
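/*
 * Reads a NUL-terminated string of at most size-1 bytes from file offset
 * `offset` into `buf`.  Returns 1 when at least one byte was read, else 0
 * (buf is then the empty string).  Offset 0 is the "not found" value of
 * RVAToFileOffset and is rejected.
 */
static int ExportReadString(FILE *peFile, DWORD offset, char *buf, size_t size)
{
    size_t got;

    buf[0] = '\0';
    if(offset == 0 || fseek(peFile, (long) offset, SEEK_SET) != 0)
    {
        return 0;
    }
    /* fread, not fgets: the string ends at NUL, not at a newline. */
    got = fread(buf, 1, size - 1, peFile);
    buf[got] = '\0';
    return got > 0;
}

/*
 * Prints the export directory summary and the list of exported names with
 * their ordinals and function RVAs.
 *
 * peFile       - stream of the PE file (untrusted input)
 * ExportRVA    - RVA of the export directory; 0 means the image has none
 * sectionTable - section headers used to map RVAs to file offsets
 * exportTable  - caller-owned structure that receives the directory
 *
 * The three export arrays are read one element at a time instead of being
 * loaded into buffers sized by NumberOfNames / NumberOfFunctions.  Those
 * counts come from the file: using them as allocation sizes lets a crafted
 * image request arbitrary amounts of memory, and the name-ordinal value
 * was used as an index into the function array without a range check
 * (heap read out of bounds).  Reading on demand needs no allocation, the
 * loop ends at the first failed read (so it is bounded by the file size),
 * and the ordinal is checked against NumberOfFunctions before use.
 *
 * NOTE(review): module and function names are printed as raw bytes from
 * the file; control characters are not filtered.
 */
void PrintExportTable(FILE *peFile, DWORD ExportRVA, PIMAGE_SECTION_HEADER sectionTable, PIMAGE_EXPORT_DISCRIPTOR exportTable)
{
    int Ordinal;
    int haveFunction;
    DWORD i;
    DWORD fileAddress;
    DWORD namesOffset, ordinalsOffset, functionsOffset;
    DWORD nameRVA, functionRVA;
    WORD nameOrdinal;
    char moduleName[80];
    char functionName[80];
    char *timeText;
    time_t createTime;
    struct tm *createTm;

    if(ExportRVA == 0)
    {
        printf("\nExported Functions:\n");
        printf("=============================================================================\n");
        printf("Summation : \n");
        printf("-----------------------------------------------------------------------------\n");
        printf("\n\t\tNo Exported Functions!\n");
        return;
    }

    /* Locate and read the directory itself; give up if either step fails. */
    fileAddress = RVAToFileOffset(ExportRVA, sectionTable);
    if(exportTable == NULL || fileAddress == 0 ||
       fseek(peFile, (long) fileAddress, SEEK_SET) != 0 ||
       fread(exportTable, sizeof(IMAGE_EXPORT_DISCRIPTOR), 1, peFile) != 1)
    {
        printf("Can't Find ExportTable!\n");
        return;
    }

    printf("\nExported Functions:\n");
    printf("=============================================================================\n");
    printf("Summation : \n");
    printf("-----------------------------------------------------------------------------\n");

    /* Module name */
    fileAddress = RVAToFileOffset(exportTable->Name, sectionTable);
    if(!ExportReadString(peFile, fileAddress, moduleName, sizeof(moduleName)))
    {
        printf("\t\tName: %s\n", "<invalid>");
    }
    else
    {
        printf("\t\tName: %s\n", moduleName);
    }

    printf("\t\tNumber Of Functions: %d\n", exportTable->NumberOfFunctions);
    printf("\t\tNumber Of Names: %d\n", exportTable->NumberOfNames);
    printf("\t\tIndex Base: %d\n", exportTable->Base);
    printf("\t\tCharacteristics: %08X\n", exportTable->Characteristics);
    printf("\t\tExport Table Version: %d.%02d\n", exportTable->MajorVersion, exportTable->MinorVersion);

    /*
     * Creation time.  The 32-bit stamp is copied into a real time_t; casting
     * the field's address to time_t * reads past the field wherever time_t
     * is wider than a DWORD.  gmtime may return NULL.
     */
    createTime = (time_t) exportTable->TimeDateStamp;
    createTm = gmtime(&createTime);
    timeText = (createTm != NULL) ? asctime(createTm) : NULL;
    printf("\t\tExport Table Create Time: (%08X) %s", exportTable->TimeDateStamp,
           (timeText != NULL) ? timeText : "<invalid>\n");

    printf("-----------------------------------------------------------------------------\n");
    printf("Function List: \n");
    printf("-----------------------------------------------------------------------------\n");
    printf("\t\tName \t\t Ordinal\tFuncRVA\n");
    printf("\t\t-------------------------------------------------------------\n");

    /* File offsets of the three parallel arrays (0 = not resolvable). */
    functionsOffset = RVAToFileOffset(exportTable->AddressOfFunctions, sectionTable);
    ordinalsOffset = RVAToFileOffset(exportTable->AddressOfNameOrdinals, sectionTable);
    namesOffset = RVAToFileOffset(exportTable->AddressOfNames, sectionTable);
    if(namesOffset == 0 || ordinalsOffset == 0)
    {
        return;
    }

    for(i = 0; i < exportTable->NumberOfNames; i++)
    {
        /* i-th name RVA and i-th name ordinal; stop on the first failure. */
        if(fseek(peFile, (long) (namesOffset + i * sizeof(DWORD)), SEEK_SET) != 0 ||
           fread(&nameRVA, sizeof(DWORD), 1, peFile) != 1)
        {
            break;
        }
        if(fseek(peFile, (long) (ordinalsOffset + i * sizeof(WORD)), SEEK_SET) != 0 ||
           fread(&nameOrdinal, sizeof(WORD), 1, peFile) != 1)
        {
            break;
        }

        /* The ordinal indexes the function array: range-check it first. */
        functionRVA = 0;
        haveFunction = 0;
        if(functionsOffset != 0 &&
           nameOrdinal < exportTable->NumberOfFunctions &&
           fseek(peFile, (long) (functionsOffset + nameOrdinal * sizeof(DWORD)), SEEK_SET) == 0 &&
           fread(&functionRVA, sizeof(DWORD), 1, peFile) == 1)
        {
            haveFunction = 1;
        }

        printf("\t- %02d", (int) (i + 1));

        fileAddress = RVAToFileOffset(nameRVA, sectionTable);
        if(ExportReadString(peFile, fileAddress, functionName, sizeof(functionName)))
        {
            printf("\t%-36.36s", functionName);
        }
        else
        {
            printf("\t%-36.36s", "<invalid>");
        }

        /* Exported ordinal = index into the function array + base. */
        Ordinal = nameOrdinal + exportTable->Base;
        printf("%-8d\t", Ordinal);

        if(haveFunction)
        {
            printf("%08X", functionRVA);
        }
        else
        {
            printf("%-8s", "<invalid>");
        }
        printf("\n");
    }
}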