C++PE file Format parsing class (easy to make your own PE file parser)

PE is a shorthand for the portable executable file format (Portable runtime), which is the mainstream executable file format on the Windows platform right now.

PE file contains a lot of content, I will not be here to explain, interested in can see the list of references and other relevant content.

Recently I also study PE file format, reference a lot of information. A class that encapsulates an efficient and convenient PE file format parsing in C + +.

This class to learn PE file structure of friends can be counted as a valuable information. Code are very easy to understand, consider more comprehensive, with a certain versatility.

At the same time, this class can also make it easy to build your own PE file parsing software.

At last. Mistakes are unavoidable. If you find that there are errors, please correct me.

The following is the definition code for the interface function in the class (the complete code is attached to the download link later):

<pre name= "code" class= "CPP" >class cpefile{public:cpefile (); ~cpefile ();//The following function has no special description whenever available public:// Attaching the PE file to the object, successfully returning one of the Image_dos_signature, Image_os2_signature, Image_os2_signature_le, image_nt_signature ; Failed to return 0UL (unknown type), 1UL (file operation failed), 2 (other error), "Only available when no PE file is attached to class object" DWORD Attach (LPCTSTR lpszfilepath); If a PE file is attached to the class object, release the associated void Detach ();//Get attach information, successfully return Image_dos_signature, Image_os2_signature, Image_os2_signature_le One of the image_nt_signature; failed to return 0ULDWORD Getattachinfo () const;//The following function has no special description attach is available after success public:// Get file handle (note: No side effects such as CloseHandle should be run externally) HANDLE Getfilehandle () const;//get memory Map file header address Dword_ptr Getmappedfilestart () const;//gets the memory-mapped file header at the specified offset location (should not be larger than the file size.) Otherwise the returned pointer may cause an error) Dword_ptr Getmappedfileoffset (DWORD Dwfoa) const;//get DOS Head const image_dos_header* getdosheader () const ;//Get DOS Entry address DWORD Getdosentrypoint () const;//The following function has no special instructions for image_nt_signaturepublic://to get the PE file header (assuming it is a 64-bit program, Returns the actual const image_nt_header64*) "is still available when the type is image_os2_signature, Image_os2_signature_le, but the operation needs to be careful" const IMAGE_NT_ headers32* Getntheader () const;//Returns whether the file is a 64-bit (pe32+) BOOL is64bit () const;//Gets the load base address in the PE file header imagebase (the 64-bit program returns the Ulonglong type. A 32-bit program converts the return value to a DWORD type) Ulonglong getimagebase () const;//gets the Datadirectoryconst image_data_directory* in the PE file header Getdatadirectory () const;//get Rvadword Getdatadirectoryentryrva (DWORD dwindex) for each datadirectory entry const;// Gets the section table (the Number of section tables can be outgoing by lpsectionnum) const image_section_header* Getsectionheader (Lpword lpsectionnum = NULL) const;// Convert RVA to Foa (can be LPFOA outgoing Foa, the section ordinal can be outgoing by lpsection. The section ordinal in the section is-1) BOOL Rvatofoa (DWORD dwrva, Lpdword Lpfoa = null, Lpword lpsection = null) const;//convert Foa to RVA (can be Lprva outgoing RVA, available by LP The section number is outgoing. The section ordinal in the section is-1) BOOL Foatorva (DWORD dwfoa, Lpdword Lprva = null, Lpword lpsection = null) const;//convert VA to RVA (VA should be greater than imagebase, in function Do not check) DWORD Vatorva (DWORD Dwva) Const;dword Vatorva (ulonglong ullva) const;//convert RVA to VA (64-bit program returns the Ulonglong type, A 32-bit program converts the return value to a DWORD type) Ulonglong Rvatova (DWORD Dwrva) const;//The following function has no special instructions for image_nt_signaturepublic://Read only in PE export table bool Readexport ();//Read PE in Import table bool Readimport ();//Read PE in Resource table bool Readresource ();//Read exception table B in PEOOL readexception ();//Read PE in the Property Certificate table bool Readsecurity ();//Read PE in the Base Address relocation table bool Readbaserelocation ();//Read the debug data bool in PE Readdebug ();//Read PE thread local storage table bool Readtls ();//Read PE load Configuration table bool Readloadconfig ();//Read PE binding Import table bool Readboundimport ();// Read PE delay loading import table bool Readdelayimport ();//clear PE in export table void Clearexport ();//clean PE import table void Clearimport ();//clean PE in Resource table void Clearresource ();//clear PE in exception table void Clearexception ();//clean PE in Properties certificate table void Clearsecurity ();//clean PE in base address relocation table void Clearbaserelocation ();//clean up the debug data in PE void Cleardebug ();//clean PE thread local storage table void Cleartls ();//clean PE load configuration table void Clearloadconfig ();//clean PE in bind import table void Clearboundimport ();//clean PE delay Load import table void Cleardelayimport ();//Clear All void ClearAll ();// Returns whether to read the PE in the Export table bool Isreadexport () const;//returns whether the import table in the PE is read bool Isreadimport () const;//returns whether the Resource table in PE is read bool Isreadresource ( ) const;//returns whether the exception table in the PE is read bool Isreadexception () const;//returns whether the property in the PE certificate table is read bool Isreadsecurity () const;// Returns whether the base address in PE is read in reposition table bool Isreadbaserelocation () const;//Returns whether the debug data in the PE is read in bool Isreaddebug () const;//returns whether to read the PE thread local storage table bool ISREADTLS () const;//returns whether to read the PE in the downloadinto the config table bool Isreadloadconfig () const;//returns whether the read PE in the bound import table bool Isreadboundimport () const;//returns whether to read the PE in the Deferred Load import table bool Isreaddelayimport () const;//The following function has no special description for Image_nt_signature only and Readexport succeeds public://get export Table const IMAGE_EXPORT_ directory* getexportdirectory () const;//gets an array of exported function addresses in the exported table (the number can be outgoing from lpfuncnum) const dword* getexportfunction (Lpdword Lpfuncnum = NULL) const;//Gets an array of the name addresses of the exported functions that are defined in the export table (the number can be outgoing by lpnamenum) const dword* getexportname (Lpdword lpnamenum = null const;//gets the index of each exported function that has the name defined in the export table (the number can be lpnamenum outgoing) const word* getexportnameordinal (Lpdword lpnamenum = NULL) const;// Parses the Dwindex entry in the address array of the exported function, the return value is less than numberofnames for export by name (numeric value is ordinal), the return value equals Numberofnames, and the DWORD parseexportfunction is exported by ordinal (DWORD DWINDEX) const;//The following function has no special instructions for Image_nt_signature and readimport success public:// Gets the import table (the number of imported tables can be lpimportdescriptornum outgoing) const image_import_descriptor* Getimportdescriptor (Lpdword Lpimportdescriptornum = NULL) const;//Gets the IMAGE_THUNK_DATA32 structure in the Iimpoert import table (64-bit program is actually IMAGE_THUNK_ DATA64) (number can be lpcount outgoing) const image_thunk_data32* Getimportthunkdata (DWORDIimport, Lpdword lpcount = NULL) const;//Parse a IMAGE_THUNK_DATA32 structure (64-bit program is actually IMAGE_THUNK_DATA64), Results returned: 1 for import by ordinal (Lpparam), 2 for import by name (Lpparam can outgoing FOA of corresponding image_import_by_name), 0 failure "only need image_nt_signature to use" int Parsethunkdata (const image_thunk_data32* lpthunk, Lpdword lpparam = NULL) const;//The following function has no special description only for Image_nt_ Signature and Readresource success public://get the ID of the first level resource, return 1 means the first layer is a folder, return 2 means the first layer is the data. A return of 0 means that no resource int Getfirstresourceid (Pidtype lpfirstid) const;//gets the ID of the next layer of resources, 1 indicates that the next layer is a folder, and 2 indicates that the next layer is data. Returns 0 indicates that there is no next layer int Getnextresourceid (idtype ID, DWORD iRes, Pidtype nextid) const;//parse ID corresponding to the folder layer, lpentrynum the number of outgoing arrays. Lplevel can be transmitted to the first level of the folder, lpresourceentry outgoing corresponding image_resource_directory_entry array const image_resource_directory* Parseresourcedirectory (Idtype Id, Lpdword lpentrynum = null, Lpdword lplevel = null, image_resource_directory_entry** LpR Esourceentry = NULL) const;//parsing dwid corresponding data layer const image_resource_data_entry* Parseresourcedata (Idtype Id) const;// Resolves the name member in a IMAGE_RESOURCE_DIRECTORY_ENTRY structure, returns the result: 1 (dwparam is ID), 2 (Dwparam is the corresponding Image_resouRce_dir_string_u Foa) "Only need image_nt_signature can be used" int parseresourcedirectoryentry (const IMAGE_RESOURCE_DIRECTORY_ entry* lpentry, Lpdword dwparam) const;//The following function has no special description only for Image_nt_signature and readexception success public:// Gets the exception table (the number can be lpruntimefunctionnum outgoing) const image_runtime_function_entry* getruntimefunction (Lpdword Lpruntimefunctionnum = NULL) const;//The following function has no special instructions for Image_nt_signature and readsecurity success public:// Get Property Certificate table (quantity can be lpcertificatenum outgoing) const win_certificate* const* getcertificate (lpdword lpcertificatenum = NULL) const;// The following function has no special instructions for Image_nt_signature only and Readbaserelocation succeeds public://get each base Address relocation table (the number can be outgoing from lpbaserelocationnum) const IMAGE_ base_relocation* const* getbaserelocation (lpdword lpbaserelocationnum = NULL) const;//get a relocation block in a Base Address relocation table (the number can be passed by Lpcount Const word* Getbaserelocationblock (const image_base_relocation* lpbaserelocation, Lpdword lpcount = NULL) const, including justification ;//Resolves an item after a Base Address relocation table, returns a high 4-bit value, and a low 12-bit value can be lpparam outgoing "no matter when it's available" Static word parsebaserelocationblock (Word Wbaserelocationblock, Lpword Lpparam = NULL);//The following function has no special description for Image_nt_signature only and Readdebug succeeds public://get Debug data (the number can be transmitted by Lpdebugdirectorynum) const IMAGE_DEBUG_ directory* getdebugdirectory (Lpdword lpdebugdirectorynum = NULL) const;//Gets the start address of the Dwindex item debug information, not obtained to return nulllpcvoid Getdebuginfostart (DWORD dwindex);//The following function has no special description for Image_nt_signature and Readtls succeeds public://get thread-local storage table (assuming 64-bit program, The return is actually const image_tls_directory64*) const image_tls_directory32* gettlsdirectory () const;// Gets a pointer to the array of thread-local storage table callback functions (assuming a 64-bit program that returns the actual const ulonglong*) (the number can be lpcallbacknum outgoing) const dword* Gettlscallback (Lpdword Lpcallbacknum = NULL) const;//The following function has no special instructions for Image_nt_signature only and Readloadconfig succeeds public://get load configuration table (assuming 64-bit program, The return is actually const image_load_config_directory64*) const image_load_config_directory32* getloadconfigdirectory () const;// The following function has no special instructions for Image_nt_signature only and Readboundimport succeeds public://gets the bound import table (the number can be outgoing from lpboundimportnum) const IMAGE_BOUND_ import_descriptor* const* getboundimportdescriptor (lpdword lpboundimportnum = NULL) const;// Gets the Iboundimpoert bound import table (the number can be lprefnum outgoing) const Image_bound_forwarder_ref* Getboundimportforwarderref (DWORD iboundimport, Lpdword lprefnum = NULL) const;//The following function has no special description only for Image_nt_ Signature and Readdelayimport successful public://get Delay loading import table (quantity can be outgoing from lpdelayimportnum) const image_delayload_descriptor* Getdelayimportdescriptor (Lpdword lpdelayimportnum = NULL) const;/*------------------------------------------------ --------------------------------------------------------------------*///other private members};

The gaze section has specifically said the functions. The main operations such as the following:

1. Call the attach member function to attach the class object to a PE file

2. Read the required folders through READXXX (including Import table, export table, Resource table, base address relocation ....) ）

3, call the relevant processing function to obtain the corresponding information (depending on the content of the reading, the detailed look at the gaze)

4. Do the data you want (as shown, etc.)

5, Clearxxx release resources (optional, the object is self-invoked when the destructor)

6. Detach releases the association to the file (optional.) When an object is being refactored, it calls itself voluntarily)

Most of the basic data folders are now available: NET section (Image_directory_entry_com_descriptor) has not yet been implemented and will continue to be intact

After the link is accompanied by a demo demo How to use the class, if there are still unclear friends can reply to my

Finally send a self-written to obtain the information of the PE file software, can dump the information of the PE file, the software is implemented with the PE parsing class, detailed code more, at first glance is not easy to understand, so in this does not provide a country.

The software will be attached to the download link. can easily get the information in the PE file, because of limited energy, written in the console. Interested friends can implement a GUI version number on their own ~

In the software, just enter the PE file path under the console. Or drag the file into the form (inserting an. lnk shortcut is also OK). The program will output the required information.

A part of the software is attached below:

Watermark/2/text/ahr0cdovl2jsb2cuy3nkbi5uzxqv/font/5a6l5l2t/fontsize/400/fill/i0jbqkfcma==/dissolve/70/gravity /southeast ">

Watermark/2/text/ahr0cdovl2jsb2cuy3nkbi5uzxqv/font/5a6l5l2t/fontsize/400/fill/i0jbqkfcma==/dissolve/70/gravity /southeast ">

Ha. Long winded so much, then left to you to experience it. In fact, PE file is not so difficult to imagine ~

Related resources:

Click to open link

(Includes PE file parsing class source code file, simple demo, and self-implemented console PE file viewer)

Reference books:

The authoritative guide for Windows pe Sanli

"Encryption and decryption (third edition)" section Steel

"Insider of Software encryption technology" see Snow College

"32-bit assembly language programming in Windows environment" (Code-Wei edition) Luo Yunbin

"Encryption and decryption" Wu Qiang

"Reverse Project Core principles" Li Chengyuan

Test software:

Stud_pe

Lordpe

Studype+

Exescope-ha

CFF Explorer

Resource Hacker

Peid

Peview

Exeinfope

ollydbg

IDA Pro

References Source code:

Pedump

Libpe-master

The portable executable File Format from Top to Bottom

PE file Format Official document: Microsoft PE and COFF specification

Online pedump tool: Pedump-dump your pe!

At the same time to participate in the CSDN, see Snow College, I love to crack the best information, thank you!

C++PE file Format parsing class (easy to make your own PE file parser)