PE file validity judgment

Source: Internet
Author: User


The PE file format is organized as a linear data stream. It begins with the MS-DOS header, followed by the real-mode stub program, then the PE file signature, the PE file header and the optional header. After these come the section headers of all sections, followed by the section bodies. Files often end with miscellaneous information such as relocation information, symbol table information, line-number information and string table data. All of this is easiest to take in from the layout shown in Figure 1.


To determine whether a file is a valid PE file, it is mainly necessary to check whether the specified file has both a valid DOS header and a PE file signature.

In winnt.h, two struct types are defined for these headers:

```c
typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
    WORD   e_magic;                     // Magic number
    WORD   e_cblp;                      // Bytes on last page of file
    WORD   e_cp;                        // Pages in file
    WORD   e_crlc;                      // Relocations
    WORD   e_cparhdr;                   // Size of header in paragraphs
    WORD   e_minalloc;                  // Minimum extra paragraphs needed
    WORD   e_maxalloc;                  // Maximum extra paragraphs needed
    WORD   e_ss;                        // Initial (relative) SS value
    WORD   e_sp;                        // Initial SP value
    WORD   e_csum;                      // Checksum
    WORD   e_ip;                        // Initial IP value
    WORD   e_cs;                        // Initial (relative) CS value
    WORD   e_lfarlc;                    // File address of relocation table
    WORD   e_ovno;                      // Overlay number
    WORD   e_res[4];                    // Reserved words
    WORD   e_oemid;                     // OEM identifier (for e_oeminfo)
    WORD   e_oeminfo;                   // OEM information; e_oemid specific
    WORD   e_res2[10];                  // Reserved words
    LONG   e_lfanew;                    // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

typedef struct _IMAGE_NT_HEADERS {
    DWORD                   Signature;
    IMAGE_FILE_HEADER       FileHeader;
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
```

 

Specific steps:

1, Load the specified file into memory

2, Obtain the DOS header of the file (IMAGE_DOS_HEADER) and check whether its member e_magic equals "MZ" (IMAGE_DOS_SIGNATURE). If so, the file has a valid DOS header.

3, Locate the PE file header (IMAGE_NT_HEADERS32) using the member e_lfanew of IMAGE_DOS_HEADER, and check whether its member Signature equals "PE\0\0" (IMAGE_NT_SIGNATURE). If so, the file is a valid PE file.

4, Unload the file from memory

 

```cpp
// [9/28/2010 zcg]
// Determine the validity of a PE file
#include <windows.h>

bool CheckPEFile(const wchar_t *lpFilePath)
{
    bool                bIsPEFile   = false;
    HANDLE              hFile       = INVALID_HANDLE_VALUE;
    IMAGE_DOS_HEADER    stDosHeader = {0};
    IMAGE_NT_HEADERS32  stNtHeader  = {0};
    DWORD               dwRet       = 0;

    // Check the validity of the file path
    if (NULL == lpFilePath)
    {
        goto END;
    }

    // Step 1: open the file to be checked
    hFile = CreateFileW(lpFilePath, GENERIC_READ, FILE_SHARE_READ, NULL,
                        OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    // CreateFile reports failure with INVALID_HANDLE_VALUE, not NULL
    if (INVALID_HANDLE_VALUE == hFile)
    {
        goto END;
    }

    // Step 2: check the validity of the DOS header
    if (!ReadFile(hFile, &stDosHeader, sizeof(IMAGE_DOS_HEADER), &dwRet, NULL) ||
        dwRet != sizeof(IMAGE_DOS_HEADER))
    {
        goto END;
    }
    // A valid DOS header starts with "MZ"
    if (IMAGE_DOS_SIGNATURE != stDosHeader.e_magic)
    {
        goto END;
    }

    // Step 3: locate IMAGE_NT_HEADERS via e_lfanew (a signed LONG; reject negative offsets)
    if (stDosHeader.e_lfanew < 0)
    {
        goto END;
    }
    dwRet = SetFilePointer(hFile, stDosHeader.e_lfanew, NULL, FILE_BEGIN);
    if (INVALID_SET_FILE_POINTER == dwRet)
    {
        goto END;
    }

    // Check whether a valid PE file signature ("PE\0\0") is present;
    // the file must hold at least the 4 signature bytes at e_lfanew
    if (!ReadFile(hFile, &stNtHeader, sizeof(IMAGE_NT_HEADERS32), &dwRet, NULL) ||
        dwRet < sizeof(DWORD))
    {
        goto END;
    }
    if (IMAGE_NT_SIGNATURE == stNtHeader.Signature)
    {
        bIsPEFile = true;
    }

END:
    // Step 4: release the file
    if (INVALID_HANDLE_VALUE != hFile)
    {
        CloseHandle(hFile);
        hFile = INVALID_HANDLE_VALUE;
    }
    return bIsPEFile;
}
```
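As an added example (not code from the original post), the same two signature checks of steps 2 and 3 applied to a file already read into a memory buffer, with the explicit bounds checks a parser of untrusted input needs: a file too short for the DOS header, an e_lfanew that is negative or points past the end of the buffer. The signature values and the 0x3C offset of e_lfanew come from winnt.h; the sample images are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DOS_SIGNATURE    0x5A4Du      /* "MZ" read as a little-endian WORD (IMAGE_DOS_SIGNATURE) */
#define NT_SIGNATURE     0x00004550u  /* "PE\0\0" read as a little-endian DWORD (IMAGE_NT_SIGNATURE) */
#define E_LFANEW_OFFSET  0x3Cu        /* offset of e_lfanew inside IMAGE_DOS_HEADER */
#define DOS_HEADER_SIZE  0x40u        /* sizeof(IMAGE_DOS_HEADER) */

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 1 if buf[0..len) begins with a DOS header whose e_lfanew points at a
 * "PE\0\0" signature inside the buffer, 0 otherwise. Never reads out of bounds. */
int is_pe_image(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < DOS_HEADER_SIZE) return 0;      /* too short for a DOS header */
    if (((uint16_t)buf[0] | (uint16_t)buf[1] << 8) != DOS_SIGNATURE) return 0;
    uint32_t lfanew = rd_le32(buf + E_LFANEW_OFFSET);
    /* e_lfanew is a signed LONG in winnt.h: reject negative values, offsets that land
     * inside the DOS header, and offsets where the 4-byte signature would not fit. */
    if (lfanew & 0x80000000u) return 0;
    if (lfanew < DOS_HEADER_SIZE) return 0;
    if ((size_t)lfanew > len - 4) return 0;                  /* safe: len >= 0x40 here */
    return rd_le32(buf + lfanew) == NT_SIGNATURE;
}

/* Constructed sample image (not a real binary): "MZ", e_lfanew = lfanew, and
 * "PE\0\0" at that offset when it fits inside the buffer. */
enum { SAMPLE_LEN = 0x80 };
static void build_sample(uint8_t *img, uint32_t lfanew) {
    memset(img, 0, SAMPLE_LEN);
    img[0] = 'M'; img[1] = 'Z';
    for (int i = 0; i < 4; i++) img[E_LFANEW_OFFSET + i] = (uint8_t)(lfanew >> (8 * i));
    if (lfanew <= SAMPLE_LEN - 4) { img[lfanew] = 'P'; img[lfanew + 1] = 'E'; }
}

/* Named cases so each failure mode can be exercised individually. */
int sample_valid(void)        { uint8_t img[SAMPLE_LEN]; build_sample(img, 0x40); return is_pe_image(img, SAMPLE_LEN); }
int sample_truncated(void)    { uint8_t img[SAMPLE_LEN]; build_sample(img, 0x40); return is_pe_image(img, 0x42); }
int sample_out_of_range(void) { uint8_t img[SAMPLE_LEN]; build_sample(img, 0x7E); return is_pe_image(img, SAMPLE_LEN); }
int sample_negative(void)     { uint8_t img[SAMPLE_LEN]; build_sample(img, 0xFFFFFFF0u); return is_pe_image(img, SAMPLE_LEN); }
int sample_not_mz(void)       { uint8_t img[SAMPLE_LEN]; build_sample(img, 0x40); img[0] = 'Z'; return is_pe_image(img, SAMPLE_LEN); }
```

The Win32 version above gets these bounds checks implicitly from ReadFile and SetFilePointer; when the bytes come from a buffer (a memory dump, a network capture), they must be done by hand.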
