PE related code

Last Update:2018-08-15 Source: Internet

Author: User

Tags goto

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

View the PE File relocation table

#include "stdafx.h"
#include <Windows.h>

DWORD Rva2offset (Pimage_nt_headers Pntheader, DWORD Dwrva)
{
Pimage_section_header psection = (Pimage_section_header) ((DWORD) Pntheader + sizeof (image_nt_headers));

for (int i = 0; i < pntheader->fileheader.numberofsections; i++)
{
if (Dwrva >= psection[i]. Virtualaddress && Dwrva < (psection[i). Virtualaddress + psection[i]. Sizeofrawdata))
{
Return Psection[i]. Pointertorawdata + (Dwrva-psection[i]. virtualaddress);
}
}

return 0;
}

int _tmain (int argc, _tchar* argv[])
{
HANDLE hfile = CreateFile (argv[1], generic_all, file_share_write, NULL, open_existing, NULL, NULL);
HANDLE hmapping = createfilemapping (hfile, NULL, page_readwrite, 0, 0, NULL);
PVOID Pbfile = MapViewOfFile (hmapping, file_map_all_access, 0, 0, 0);

if (Invalid_handle_value = = Hfile | | NULL = = Hmapping | | NULL = = pbfile)
{
printf ("/n/t----------the File inexistence! ----------/n ");
Goto EXIT;
}

Pimage_dos_header Pdosheader = (pimage_dos_header) pbfile;
Pimage_nt_headers Pntheader = (pimage_nt_headers) ((DWORD) Pbfile + pdosheader->e_lfanew);

if (0x00004550!= pntheader->signature)
{
printf ("/n/t----------Lawless PE file! ----------/n ");
Goto EXIT;
}

DWORD Dwrelocoffset = Rva2offset (Pntheader, Pntheader->optionalheader.datadirectory[image_directory_entry_ Basereloc]. virtualaddress);
Pimage_base_relocation Preloc = (pimage_base_relocation) ((DWORD) Pbfile + dwrelocoffset);

if (0 = preloc->virtualaddress)
{
printf ("/n/t----------No Relocation table! ----------/n ");
Goto EXIT;
}

while (preloc->virtualaddress)
{
printf ("[0x%08x]/n/n", preloc->virtualaddress);

for (int i = 0; I < (preloc->sizeofblock-sizeof (image_base_relocation))/2; i++)
{
printf ("<%04d>-0x%08x/n", I, Preloc->virtualaddress + (* (word*) ((DWORD) Preloc + sizeof (Image_base_relocati ON) + I * 2)) & 0X0FFF));
}

printf ("n");

Preloc = (pimage_base_relocation) ((DWORD) Preloc + preloc->sizeofblock);
}

EXIT:
if (NULL!= pbfile)
{
UnmapViewOfFile (Pbfile);
}

if (NULL!= hmapping)
{
CloseHandle (hmapping);
}

if (Invalid_handle_value!= hfile)
{
CloseHandle (hfile);
}

return 0;
}

View the PE file export table

#include "stdafx.h"
#include <Windows.h>

DWORD Rva2offset (Pimage_nt_headers Pntheader, DWORD Dwrva)
{
Pimage_section_header psection = (Pimage_section_header) ((DWORD) Pntheader + sizeof (image_nt_headers));

return 0;
}

if (Invalid_handle_value = = Hfile | | NULL = = Hmapping | | NULL = = pbfile)
{
printf ("/n/t----------the File inexistence! ----------/n ");
Goto EXIT;
}

Pimage_dos_header Pdosheader = (pimage_dos_header) pbfile;
Pimage_nt_headers Pntheader = (pimage_nt_headers) ((DWORD) Pbfile + pdosheader->e_lfanew);

if (0x00004550!= pntheader->signature)
{
printf ("/n/t----------Lawless PE file! ----------/n ");
Goto EXIT;
}

DWORD Dwexportoffset = Rva2offset (Pntheader, Pntheader->optionalheader.datadirectory[image_directory_entry_ EXPORT]. virtualaddress);
Pimage_export_directory Pexport = (pimage_export_directory) ((DWORD) Pbfile + dwexportoffset);
DWORD Dwfunctionnameoffset = (DWORD) Pbfile + rva2offset (Pntheader, pexport->name);
dword* pdwnamesaddress = (dword*) ((DWORD) Pbfile + rva2offset (Pntheader, pexport->addressofnames));
dword* pdwfunctionaddress = (dword*) ((DWORD) Pbfile + rva2offset (Pntheader, pexport->addressoffunctions));
word* pwordinals = (word*) ((DWORD) Pbfile + rva2offset (Pntheader, pexport->addressofnameordinals));

if (0 = pexport->numberoffunctions)
{
printf ("/n/t----------No Export tabel! ----------/n ");
Goto EXIT;
}

printf ("FileName:%s/n", Dwfunctionnameoffset);
printf ("Numberoffunctions:%d/n", pexport->numberoffunctions);
printf ("Numberofnames:%d/n/n", pexport->numberofnames);
printf ("nameexport:/n/n");

for (int i = 0; i < pexport->numberofnames; i++)
{
DWORD dwfunctionaddress = pdwfunctionaddress[pwordinals[i]];
DWORD Pdwfunnameoffset = (DWORD) Pbfile + rva2offset (Pntheader, pdwnamesaddress[i]);

printf ("[Exportnum]:%-4d [Name]:%-30s [RVA]: 0x%08x/n", Pexport->base + I, Pdwfunnameoffset, dwfunctionaddress);
}

printf ("/nnumberexport:/n/n");

for (int i = 0; i < pexport->numberoffunctions-pexport->numberofnames; i++)
{
printf ("[Exportnum]:%-4d [RVA]: 0x%08x/n", Pexport->base + I, pdwfunctionaddress[i]);
}

printf ("n");

EXIT:
if (NULL!= pbfile)
{
UnmapViewOfFile (Pbfile);
}

if (NULL!= hmapping)
{
CloseHandle (hmapping);
}

if (Invalid_handle_value!= hfile)
{
CloseHandle (hfile);
}

return 0;
}

View the PE file import table This blog space chairman has been applying for a year, almost forgot. Recently has been learning PE files, paste paragraph code, function as the title, their own learning to write practice procedures, VC2005 compilation, console procedures, there are a lot of not rigorous and imperfect places.

#include "stdafx.h"
#include <Windows.h>

DWORD Rva2offset (Pimage_nt_headers Pntheader, DWORD Dwrva)
{
Pimage_section_header psection = (Pimage_section_header) ((DWORD) Pntheader + sizeof (image_nt_headers));

return 0;
}

if (Invalid_handle_value = = Hfile | | NULL = = Hmapping | | NULL = = pbfile)
{
printf ("/n/t----------the File inexistence! ----------/n ");
Goto EXIT;
}

Pimage_dos_header Pdosheader = (pimage_dos_header) pbfile;
Pimage_nt_headers Pntheader = (pimage_nt_headers) ((DWORD) Pbfile + pdosheader->e_lfanew);

if (0x00004550!= pntheader->signature)
{
printf ("/n/t----------Lawless PE file! ----------/n ");
Goto EXIT;
}

DWORD Dwimportoffset = Rva2offset (Pntheader, Pntheader->optionalheader.datadirectory[image_directory_entry_ IMPORT]. virtualaddress);
Pimage_import_descriptor Pimport = (pimage_import_descriptor) ((DWORD) Pbfile + dwimportoffset);

DWORD dworiginalthunkoffset = 0;
DWORD dwthunkdata = 0;
Pimage_import_by_name pimagefunname = NULL;
Pimage_thunk_data pthunkdata = NULL;

for (int i = 0; i < pntheader->optionalheader.datadirectory[1]. Size/sizeof (Image_import_descriptor)-1; i++)
{
printf ("[DLL Name]:%s/n/n", (DWORD) Pbfile + rva2offset (Pntheader, pimport[i). Name)));

Pthunkdata = (pimage_thunk_data) (DWORD) Pbfile + rva2offset (Pntheader, pimport[i). Firstthunk));

for (int j = 0; pthunkdata[j].u1. Ordinal!= 0; J + +)
{
if (pthunkdata[j].u1. Ordinal & IMAGE_ORDINAL_FLAG32)
{
printf ("[%03d]---Number:%04d Name: <null>/n", J + 1, pthunkdata[j].u1. Ordinal & 0xFFFF);
}
Else
{
Pimagefunname = (pimage_import_by_name) (DWORD) Pbfile + rva2offset (Pntheader, pthunkdata[j].u1. Addressofdata));
printf ("[%03d]---Number:%04d Name:%s/n", J + 1, Pimagefunname->hint, pimagefunname->name);
}
}

printf ("n");
}

EXIT:
if (NULL!= pbfile)
{
UnmapViewOfFile (Pbfile);
}

if (NULL!= hmapping)
{
CloseHandle (hmapping);
}

if (Invalid_handle_value!= hfile)
{
CloseHandle (hfile);
}

return 0;
}

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More