The PE file format is the native executable file format of the Win32 environment; the files most people deal with are .exe and .dll files. I am not sure this is entirely accurate — if it is not, I hope the experts will correct me. I will not say much more about it, since Feng Feixue ("Brother Feng") describes it in detail in *Encryption and Decryption*. Instead, here is a console-based PE file format analysis program written in VC, implemented through memory mapping. Pai_^
First, create a class that analyses the PE format:
Header file: pelook.h
#pragma once
#include <windows.h>
#include <cstring>
#include <fstream>
#include <iostream>
using namespace std;
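// Read-only analyser for a PE image (.exe/.dll) accessed through a file mapping.
// Intended call order: loadheader(), loadsectiontable(), loadimporttable();
// each step relies on the pointers set up by the previous one.
class pelook
{
private:
    HANDLE hfile;                          // file handle returned by CreateFile
    HANDLE hfilemap;                       // mapping object from CreateFileMapping
    void *pvfile;                          // base address of the mapped view (whole file)
    IMAGE_DOS_HEADER *dosheader;           // DOS header at offset 0 of the view
    IMAGE_NT_HEADERS *ntheader;            // NT headers at offset e_lfanew of the view
    IMAGE_SECTION_HEADER *sectiontable;    // first entry of the section table
    IMAGE_IMPORT_DESCRIPTOR *importtable;  // not assigned by any method in this file

    // The object owns the view and the two handles; a copy would release them
    // twice. Declared but never defined, so any copy fails to link (pre-C++11 idiom).
    pelook(const pelook &);
    pelook &operator=(const pelook &);

public:
    // Map the file and validate/locate the DOS and NT headers. 0 on success.
    int loadheader(char *filename);
    // Locate the section table and print every entry. 0 on success.
    int loadsectiontable();
    // Translate an RVA into a file offset using the section table.
    // Returns the section index, or -1 when the RVA maps to no file data.
    int searchsection(unsigned long RVA, unsigned long *viraddr, unsigned long *viroffset, unsigned long *offset);
    // Print every import descriptor and the functions it imports. 0 on success.
    int loadimporttable();
    // Print the functions imported from one DLL; returns how many were listed.
    int loadfunction(IMAGE_IMPORT_DESCRIPTOR importdesc);
    pelook(void);
    pelook(char *filename);
    ~pelook(void);
};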
Class implementation: pelook.cpp
# Include "./pelook. H"
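// Default constructor: no file is opened. Every member starts out empty so the
// destructor can tell what has to be released.
pelook::pelook(void)
    : hfile(INVALID_HANDLE_VALUE), hfilemap(NULL), pvfile(NULL),
      dosheader(NULL), ntheader(NULL), sectiontable(NULL), importtable(NULL)
{
}

// Release the view and the handles acquired by loadheader(), in reverse order
// of acquisition. Safe on an object that never loaded a file.
pelook::~pelook(void)
{
    if (pvfile != NULL)
        UnmapViewOfFile(pvfile);
    if (hfilemap != NULL)
        CloseHandle(hfilemap);
    if (hfile != INVALID_HANDLE_VALUE)
        CloseHandle(hfile);
}

// Convenience constructor: maps the given file immediately. A failure is
// reported on cout by loadheader() and leaves the header pointers NULL; the
// caller cannot observe the return code, so prefer pelook() + loadheader()
// when the status matters.
pelook::pelook(char *filename)
    : hfile(INVALID_HANDLE_VALUE), hfilemap(NULL), pvfile(NULL),
      dosheader(NULL), ntheader(NULL), sectiontable(NULL), importtable(NULL)
{
    loadheader(filename);
}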
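/*******************************************************************************
 * Function description: maps the .exe/.dll into memory and locates its
 *                       IMAGE_DOS_HEADER and IMAGE_NT_HEADERS.
 * Input parameter:  char *filename   path of the file to analyse
 * Output parameter: none (sets hfile, hfilemap, pvfile, dosheader, ntheader)
 * Return value: 0 on success;
 *               -1 the file could not be opened (or its size not determined),
 *               -2 CreateFileMapping failed,
 *               -3 MapViewOfFile failed,
 *               -4 the file is not a PE image this build can parse
 *                  (bad MZ/PE signature, e_lfanew outside the file, or an
 *                  optional-header magic that does not match PE32/PE32+
 *                  for this build).
 * Note: files of 4 GB or more are not supported (only the low size DWORD is used).
 ******************************************************************************/
int pelook::loadheader(char *filename)
{
    // The file is only inspected, so open and map it read-only: a parsing bug
    // can then never modify the image under analysis.
    hfile = CreateFile(filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hfile == INVALID_HANDLE_VALUE)
    {
        cout << "Create File false! " << endl;
        return -1;
    }
    DWORD filesize = GetFileSize(hfile, NULL);
    if (filesize == INVALID_FILE_SIZE)
    {
        cout << "Create File false! " << endl;
        CloseHandle(hfile);
        hfile = INVALID_HANDLE_VALUE;
        return -1;
    }
    hfilemap = CreateFileMapping(hfile, NULL, PAGE_READONLY, 0, 0, NULL);
    if (hfilemap == NULL)
    {
        cout << "Create File mapping false! " << endl;
        CloseHandle(hfile);
        hfile = INVALID_HANDLE_VALUE;
        return -2;
    }
    pvfile = MapViewOfFile(hfilemap, FILE_MAP_READ, 0, 0, 0);
    if (pvfile == NULL)
    {
        cout << "view of file is filse! " << endl;
        CloseHandle(hfilemap);
        hfilemap = NULL;
        CloseHandle(hfile);
        hfile = INVALID_HANDLE_VALUE;
        return -3;
    }

    // Every header field comes from an untrusted file. Check the signatures and
    // keep e_lfanew inside the mapping before dereferencing through it; reading
    // past the end of the view is an access violation, not a graceful error.
    bool valid = filesize >= sizeof(IMAGE_DOS_HEADER);
    if (valid)
    {
        dosheader = (IMAGE_DOS_HEADER *)pvfile;
        valid = dosheader->e_magic == IMAGE_DOS_SIGNATURE
             && dosheader->e_lfanew >= 0
             && (DWORD)dosheader->e_lfanew < filesize
             && filesize - (DWORD)dosheader->e_lfanew >= sizeof(IMAGE_NT_HEADERS);
    }
    if (valid)
    {
        ntheader = (IMAGE_NT_HEADERS *)((char *)pvfile + dosheader->e_lfanew);
        // IMAGE_NT_HEADERS is the 32- or 64-bit layout depending on how this
        // tool is built; the optional header magic must agree or DataDirectory
        // would be read from the wrong offset.
        valid = ntheader->Signature == IMAGE_NT_SIGNATURE
             && ntheader->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR_MAGIC;
    }
    if (!valid)
    {
        cout << "not a valid PE file for this build" << endl;
        dosheader = NULL;
        ntheader = NULL;
        UnmapViewOfFile(pvfile);
        pvfile = NULL;
        CloseHandle(hfilemap);
        hfilemap = NULL;
        CloseHandle(hfile);
        hfile = INVALID_HANDLE_VALUE;
        return -4;
    }
    cout << "" << ntheader->Signature << endl;
    return 0;
}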
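/***********************************************************************
 * Function description: locates the section table of the .exe/.dll and
 *                       prints every section header.
 * Input parameter:  none (requires a successful loadheader())
 * Output parameter: none (sets sectiontable)
 * Return value: 0 on success; -1 when the headers are not loaded or the
 *               section table does not lie inside the file.
 ***********************************************************************/
int pelook::loadsectiontable()
{
    if (pvfile == NULL || ntheader == NULL)
    {
        cout << "headers not loaded, call loadheader first" << endl;
        return -1;
    }
    DWORD filesize = GetFileSize(hfile, NULL);

    // The section table follows the optional header, whose real length is
    // FileHeader.SizeOfOptionalHeader; sizeof(IMAGE_NT_HEADERS) is only a guess.
    sectiontable = (IMAGE_SECTION_HEADER *)((char *)&ntheader->OptionalHeader
                                            + ntheader->FileHeader.SizeOfOptionalHeader);

    // NumberOfSections and SizeOfOptionalHeader are untrusted: make sure the
    // whole table is inside the mapped file before reading any entry.
    DWORD tablestart = (DWORD)((char *)sectiontable - (char *)pvfile);
    DWORD tablesize = (DWORD)ntheader->FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER);
    if (tablestart > filesize || filesize - tablestart < tablesize)
    {
        cout << "section table lies outside the file" << endl;
        sectiontable = NULL;
        return -1;
    }

    for (int i = 0; i < ntheader->FileHeader.NumberOfSections; i++)
    {
        const IMAGE_SECTION_HEADER &sec = sectiontable[i];
        cout << "-----------------------------------" << endl;
        // Name is an 8-byte field that is NUL-terminated only when shorter
        // than 8, so it must be printed with an explicit length.
        cout << "name:";
        cout.write((const char *)sec.Name, strnlen((const char *)sec.Name, IMAGE_SIZEOF_SHORT_NAME));
        cout << endl;
        cout << "virtualsize:" << sec.Misc.VirtualSize << endl;
        cout << "virtualaddress:" << sec.VirtualAddress << endl;
        cout << "pointertorawdata:" << sec.PointerToRawData << endl;
        cout << "sizeofrawdata:" << sec.SizeOfRawData << endl;
        cout << "characteristics:" << sec.Characteristics << endl;
    }
    return 0;
}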
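/***********************************************************************
 * Function description: finds the file offset that corresponds to a
 *                       relative virtual address, using the section table.
 * Input parameter:  unsigned long RVA   the RVA to translate
 * Output parameters (written only on success):
 *   unsigned long *viraddr    VirtualAddress of the section containing RVA
 *   unsigned long *viroffset  PointerToRawData of that section
 *   unsigned long *offset     file offset of RVA
 * Return value: index of the containing section, or -1 when the section
 *               table is not loaded, no section contains RVA, the RVA falls
 *               in the part of the section that has no raw data, or the
 *               resulting offset is beyond the end of the file.
 ***********************************************************************/
int pelook::searchsection(unsigned long RVA, unsigned long *viraddr, unsigned long *viroffset, unsigned long *offset)
{
    if (ntheader == NULL || sectiontable == NULL)
        return -1;
    DWORD filesize = GetFileSize(hfile, NULL);

    for (int i = 0; i < ntheader->FileHeader.NumberOfSections; i++)
    {
        const IMAGE_SECTION_HEADER &sec = sectiontable[i];
        // Some linkers leave VirtualSize 0; the raw size is the extent then.
        unsigned long virtsize = sec.Misc.VirtualSize ? sec.Misc.VirtualSize : sec.SizeOfRawData;
        // Written as a subtraction so VirtualAddress + size cannot wrap around.
        if (RVA < sec.VirtualAddress || RVA - sec.VirtualAddress >= virtsize)
            continue;

        unsigned long delta = RVA - sec.VirtualAddress;
        // Only the first SizeOfRawData bytes of a section exist in the file;
        // the remainder is zero-filled by the loader and has no file offset.
        if (delta >= sec.SizeOfRawData)
            return -1;
        unsigned long fileoff = sec.PointerToRawData + delta;
        // Reject an overflowed sum or an offset past EOF: both would make the
        // caller read outside the mapped view.
        if (fileoff < sec.PointerToRawData || fileoff >= filesize)
            return -1;

        *viraddr = sec.VirtualAddress;
        *viroffset = sec.PointerToRawData;
        *offset = fileoff;
        return i;
    }
    return -1;
}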
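/***********************************************************************
 * Function description: walks the import directory of the .exe/.dll and
 *                       prints each import descriptor plus, through
 *                       loadfunction(), the functions imported from it.
 * Input parameter:  none (requires loadheader() and loadsectiontable())
 * Output parameter: none
 * Return value: 0 on success (also when the image has no import table);
 *               -1 when the headers/section table are not loaded or the
 *               import directory RVA maps to no file data.
 ***********************************************************************/
int pelook::loadimporttable()
{
    if (pvfile == NULL || ntheader == NULL || sectiontable == NULL)
    {
        cout << "headers or section table not loaded" << endl;
        return -1;
    }
    DWORD filesize = GetFileSize(hfile, NULL);
    unsigned long localvir, viraddr, viroffset, offset;

    localvir = ntheader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (localvir == 0)
    {
        // A zero directory entry means the image imports nothing.
        cout << "no import table" << endl;
        return 0;
    }
    if (searchsection(localvir, &viraddr, &viroffset, &offset) < 0)
    {
        // Without this check `offset` would be used uninitialised.
        cout << "import table RVA does not map to file data" << endl;
        return -1;
    }

    IMAGE_IMPORT_DESCRIPTOR *p = (IMAGE_IMPORT_DESCRIPTOR *)((char *)pvfile + offset);
    // Each descriptor is read straight from the file, so stop when the next
    // one would cross EOF instead of trusting the all-zero terminator alone.
    for (; offset < filesize && filesize - offset >= sizeof(IMAGE_IMPORT_DESCRIPTOR) && p->Name;
         p++, offset += sizeof(IMAGE_IMPORT_DESCRIPTOR))
    {
        cout << "-------------------------------" << endl;
        unsigned long nameoff;
        cout << "name:";
        if (searchsection(p->Name, &viraddr, &viroffset, &nameoff) >= 0)
        {
            // The DLL name is not guaranteed to be NUL-terminated inside the
            // file, so never print past the end of the mapping.
            const char *name = (const char *)pvfile + nameoff;
            cout.write(name, strnlen(name, filesize - nameoff));
        }
        else
        {
            cout << "<unresolved rva " << p->Name << ">";
        }
        cout << endl;
        cout << "originalfirstthunk:" << p->OriginalFirstThunk << endl;
        cout << "timedatestamp:" << p->TimeDateStamp << endl;
        cout << "forwarderchain:" << p->ForwarderChain << endl;
        cout << "characteristics:" << p->Characteristics << endl;
        cout << "firstthunk:" << p->FirstThunk << endl;
        loadfunction(*p);
    }
    return 0;
}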
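/***********************************************************************
 * Function description: prints the functions that the .exe/.dll imports
 *                       from one DLL (one import descriptor).
 * Input parameter:  IMAGE_IMPORT_DESCRIPTOR importdesc   the descriptor of
 *                   the DLL whose imports are listed
 * Output parameter: none
 * Return value: number of import entries listed (by name or by ordinal);
 *               -1 when the section table is not loaded or the thunk
 *               table RVA maps to no file data.
 ***********************************************************************/
int pelook::loadfunction(IMAGE_IMPORT_DESCRIPTOR importdesc)
{
    if (pvfile == NULL || sectiontable == NULL)
        return -1;
    DWORD filesize = GetFileSize(hfile, NULL);
    unsigned long localvir, viraddr, viroffset, offset;

    // OriginalFirstThunk (the import name table) always holds names/ordinals;
    // FirstThunk (the IAT) only mirrors it on disk for unbound images, so it
    // is used as a fallback when the name table pointer is zero.
    localvir = importdesc.OriginalFirstThunk ? importdesc.OriginalFirstThunk : importdesc.FirstThunk;
    if (searchsection(localvir, &viraddr, &viroffset, &offset) < 0)
        return -1;

    IMAGE_THUNK_DATA *thunktable = (IMAGE_THUNK_DATA *)((char *)pvfile + offset);
    int funnum = 0;
    // Stop at the zero terminator or when the next thunk would cross EOF.
    for (; offset < filesize && filesize - offset >= sizeof(IMAGE_THUNK_DATA) && thunktable->u1.AddressOfData;
         thunktable++, offset += sizeof(IMAGE_THUNK_DATA))
    {
        // An entry with the high bit set is an import by ordinal and carries no
        // IMAGE_IMPORT_BY_NAME; treating it as an RVA would fail the lookup.
        if (IMAGE_SNAP_BY_ORDINAL(thunktable->u1.Ordinal))
        {
            cout << "ordinal\t" << IMAGE_ORDINAL(thunktable->u1.Ordinal) << endl;
            funnum++;
            continue;
        }

        unsigned long nameoff;
        if (searchsection(thunktable->u1.AddressOfData, &viraddr, &viroffset, &nameoff) < 0
            || filesize - nameoff <= sizeof(WORD))
        {
            // Not enough file left for the Hint field plus at least one name byte.
            cout << "<unresolved rva " << thunktable->u1.AddressOfData << ">" << endl;
            funnum++;
            continue;
        }
        IMAGE_IMPORT_BY_NAME *p = (IMAGE_IMPORT_BY_NAME *)((char *)pvfile + nameoff);
        cout << p->Hint << "\t";
        // Name is a C string inside the file; bound it by the bytes that remain
        // after the Hint field rather than trusting a terminator.
        cout.write((const char *)p->Name, strnlen((const char *)p->Name, filesize - nameoff - sizeof(WORD)));
        cout << endl;
        funnum++;
    }
    return funnum;
}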
Main program file: peanalyse.cpp
# Include "pelook. H"
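// Entry point: analyse one hard-coded DLL and keep the console open.
// Returns 0 on success, 1 when the file could not be mapped or its section
// table could not be located.
int main()
{
    pelook mype;
    // Stop at the first failed step: each later step dereferences pointers
    // that only a successful earlier step sets up.
    if (mype.loadheader("C://mysocket.dll") != 0)
        return 1;
    if (mype.loadsectiontable() != 0)
        return 1;
    mype.loadimporttable();
    char ch;
    cin >> ch;  // wait for a key so the console window stays visible
    return 0;
}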