PE查看器的实现(c++)

PE查看器:

1、创建映射文件

2、判断是否为PE文件

3、获取各个数据地址

4、读取各个数据结构

=======================================================

1、创建映射文件

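void CreatePEFile(CString FileName)
{
    /*
     * Open the file at FileName read-only and map it into memory as plain
     * data. PAGE_READONLY / FILE_MAP_READ means the image is only inspected,
     * never loaded or executed.
     *
     * Every byte of the mapped file is untrusted input for the parsing
     * routines that consume the base address.
     */

    /* CreateFile reports failure with INVALID_HANDLE_VALUE, not NULL. */
    HANDLE pFile = CreateFile(FileName, GENERIC_READ, FILE_SHARE_READ, NULL,
                              OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (pFile == INVALID_HANDLE_VALUE)
        return;

    /* CreateFileMapping reports failure with NULL (e.g. a zero-length file). */
    HANDLE pMap = CreateFileMapping(pFile, NULL, PAGE_READONLY, 0, 0, NULL);
    if (!pMap)
    {
        CloseHandle(pFile);   /* do not leak the file handle on this path */
        return;
    }

    /* MapViewOfFile returns a pointer; keeping it in a DWORD would truncate
     * the address in a 64-bit build. */
    LPVOID Based = MapViewOfFile(pMap, FILE_MAP_READ, 0, 0, 0);
    if (!Based)
    {
        CloseHandle(pMap);
        CloseHandle(pFile);
        return;
    }

    /*
     * NOTE(review): on success the view and both handles stay open and are
     * not handed to the caller, because the function returns void. A real
     * viewer has to keep Based, pMap and pFile somewhere, record the file
     * size (GetFileSizeEx) so header offsets can be bounds-checked, and
     * release everything with UnmapViewOfFile + CloseHandle when done.
     */
}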

2、判断是否为PE文件

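void IsPE(DWORD Based)
{
    /*
     * Check the two signatures that identify a PE image: "MZ" in the DOS
     * header and "PE\0\0" at the offset stored in e_lfanew.
     *
     * NOTE(review): the function returns void, so the verdict never reaches
     * the caller; returning BOOL would make it usable.
     * NOTE(review): Based is a DWORD, which cannot hold a 64-bit mapping
     * address; the parameter is kept for compatibility with callers.
     */
    if (!Based)
        return;

    /* DOS header: e_magic must equal IMAGE_DOS_SIGNATURE. Writing
     * "!pDH->e_magic != ..." compares a 0/1 value with the signature and
     * therefore rejects every file. */
    PIMAGE_DOS_HEADER pDH = (PIMAGE_DOS_HEADER)(ULONG_PTR)Based;
    if (pDH->e_magic != IMAGE_DOS_SIGNATURE)
        return;

    /* e_lfanew is a signed value read from the file. A zero or negative
     * offset never designates a valid NT header, so reject it. The upper
     * bound cannot be checked here because the mapped size is not passed in;
     * a crafted offset can still point past the end of the view. */
    if (pDH->e_lfanew <= 0)
        return;

    /* NT headers: Signature must equal IMAGE_NT_SIGNATURE. */
    PIMAGE_NT_HEADERS pNH = (PIMAGE_NT_HEADERS)((ULONG_PTR)Based + pDH->e_lfanew);
    if (pNH->Signature != IMAGE_NT_SIGNATURE)
        return;
}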

3、获取各个数据地址

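PIMAGE_FILE_HEADER GetFileHeader(DWORD Based)
{
    /*
     * Return a pointer to the IMAGE_FILE_HEADER of the image mapped at
     * Based, or NULL when the DOS or NT signature does not match.
     *
     * NOTE(review): Based is a DWORD and cannot hold a 64-bit address.
     */
    if (!Based)
        return NULL;   /* a bare "return;" is invalid in a pointer-returning function */

    PIMAGE_DOS_HEADER pDH = (PIMAGE_DOS_HEADER)(ULONG_PTR)Based;
    if (pDH->e_magic != IMAGE_DOS_SIGNATURE)
        return NULL;

    /* e_lfanew comes from the file: reject non-positive offsets. The upper
     * bound cannot be verified without the mapped size, which this function
     * does not receive. */
    if (pDH->e_lfanew <= 0)
        return NULL;

    PIMAGE_NT_HEADERS pNH = (PIMAGE_NT_HEADERS)((ULONG_PTR)Based + pDH->e_lfanew);
    if (pNH->Signature != IMAGE_NT_SIGNATURE)
        return NULL;

    /* The file header is embedded in the NT headers right after Signature. */
    return &pNH->FileHeader;
}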

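PIMAGE_OPTIONAL_HEADER GetOptionalHeader(DWORD Based)
{
    /*
     * Return a pointer to the optional header of the image mapped at Based,
     * or NULL when the DOS or NT signature does not match.
     *
     * NOTE(review): Based is a DWORD and cannot hold a 64-bit address.
     * NOTE(review): PIMAGE_OPTIONAL_HEADER follows the build's bitness; a
     * viewer that must read both PE32 and PE32+ files should inspect
     * OptionalHeader.Magic before trusting the field layout.
     */
    if (!Based)
        return NULL;

    PIMAGE_DOS_HEADER pDH = (PIMAGE_DOS_HEADER)(ULONG_PTR)Based;
    if (pDH->e_magic != IMAGE_DOS_SIGNATURE)
        return NULL;

    /* e_lfanew comes from the file: reject non-positive offsets. The upper
     * bound cannot be verified without the mapped size. */
    if (pDH->e_lfanew <= 0)
        return NULL;

    PIMAGE_NT_HEADERS pNH = (PIMAGE_NT_HEADERS)((ULONG_PTR)Based + pDH->e_lfanew);
    if (pNH->Signature != IMAGE_NT_SIGNATURE)
        return NULL;

    return &pNH->OptionalHeader;
}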
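/*
 * Translate a relative virtual address from the image's headers into a
 * pointer inside the mapped view. Thin wrapper over ImageRvaToVa, which
 * returns NULL on failure. Callers must check for NULL, since the RVA is
 * read from an untrusted file.
 */
LPVOID RvaToVa(PIMAGE_NT_HEADERS pNH,DWORD Based,DWORD dwRVA)
{
    if (!pNH || !Based)
        return NULL;

    /* ImageRvaToVa expects the base as a pointer. NOTE(review): a DWORD
     * base only round-trips in a 32-bit build. */
    return ImageRvaToVa(pNH, (PVOID)(ULONG_PTR)Based, dwRVA, NULL);
}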

 
 
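/*
 * Resolve one data-directory entry to a pointer inside the mapped view.
 *
 * Based          - base address of the mapped file
 * DirectoryEntry - index into OptionalHeader.DataDirectory
 *
 * Returns NULL when the headers are rejected by GetNtHeaders, the index is
 * out of range, the entry is empty, or the RVA cannot be translated.
 */
LPVOID GetDirectoryEntryToData(LPVOID Based,USHORT DirectoryEntry)
{
    if (!Based)
        return NULL;

    /* DataDirectory is a fixed array of IMAGE_NUMBEROF_DIRECTORY_ENTRIES
     * elements; an unchecked index would read past it. */
    if (DirectoryEntry >= IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
        return NULL;

    PIMAGE_NT_HEADERS pNH = GetNtHeaders(Based);
    if (!pNH)
        return NULL;

    /* The optional header is embedded in the NT headers already validated
     * above, so it is taken from pNH directly. */
    PIMAGE_OPTIONAL_HEADER pOH = &pNH->OptionalHeader;

    /* The file states how many directory entries it actually carries;
     * entries beyond that count are not meaningful. */
    if (DirectoryEntry >= pOH->NumberOfRvaAndSizes)
        return NULL;

    /* An RVA of 0 means the directory is absent. */
    DWORD dwDataStartRVA = pOH->DataDirectory[DirectoryEntry].VirtualAddress;
    if (!dwDataStartRVA)
        return NULL;

    /* The RVA is attacker-controlled in a crafted file. ImageRvaToVa
     * returns NULL on failure, and that is passed through to the caller. */
    return ImageRvaToVa(pNH, Based, dwDataStartRVA, NULL);
}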

/*
 * Return the export directory of the image mapped at Based, or NULL when
 * the image has none or the entry cannot be resolved. The pointer refers
 * to file-supplied data; its fields must be validated before use.
 */
PIMAGE_EXPORT_DIRECTORY  GetExportDirectory(LPVOID Based)
{
    LPVOID pData = GetDirectoryEntryToData(Based, IMAGE_DIRECTORY_ENTRY_EXPORT);

    return pData ? (PIMAGE_EXPORT_DIRECTORY)pData : NULL;
}
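/*
 * Return the first import descriptor of the image mapped at Based, or NULL
 * when the image has no import directory or the entry cannot be resolved.
 * The descriptor array lives in file-supplied data; validate each element
 * before following the RVAs it contains.
 */
PIMAGE_IMPORT_DESCRIPTOR  GetFirstImportDesc(LPVOID Based)
{
    /* The parameter is named Based; "Base" is not declared in this scope. */
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc =
        (PIMAGE_IMPORT_DESCRIPTOR)GetDirectoryEntryToData(Based, IMAGE_DIRECTORY_ENTRY_IMPORT);
    if (!pImportDesc)
        return NULL;

    return pImportDesc;
}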
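/*
 * Count the non-zero entries of the export address table.
 *
 * Based      - base address of the mapped file
 * pExportDir - export directory of that image
 *
 * Returns 0 when an argument is NULL, the NT headers are rejected, or the
 * table's RVA cannot be translated.
 */
DWORD   GetNumOfExportFuncs(LPVOID Based,PIMAGE_EXPORT_DIRECTORY pExportDir)
{
    if (!Based || !pExportDir)
        return 0;

    PIMAGE_NT_HEADERS pNtH = GetNtHeaders(Based);
    if (!pNtH)
        return 0;

    /* AddressOfFunctions is an RVA taken from the file. ImageRvaToVa
     * returns NULL on failure, and dereferencing that result unchecked
     * would crash the viewer. */
    PDWORD pdwRvas = (PDWORD)ImageRvaToVa(pNtH, Based, pExportDir->AddressOfFunctions, NULL);
    if (!pdwRvas)
        return 0;

    /* NOTE(review): NumberOfFunctions is also file-supplied. Only the start
     * of the table is validated above; without the mapped size this loop
     * cannot prove that the whole array lies inside the view. */
    DWORD dwnum = 0;
    for (DWORD i = 0; i < pExportDir->NumberOfFunctions; i++)
    {
        if (pdwRvas[i])
            ++dwnum;
    }
    return dwnum;
}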

/*
 * Report whether the given data directory can be resolved for the image
 * mapped at ImageBase: TRUE when GetDirectoryEntryToData yields a pointer,
 * FALSE otherwise.
 */
BOOL IsDataDirPresent(LPVOID ImageBase, USHORT DirectoryEntry)
{
    LPVOID pData = GetDirectoryEntryToData(ImageBase, DirectoryEntry);

    return pData ? TRUE : FALSE;
}










转载自blog.csdn.net/qq_38611124/article/details/80298631