PE read/write

Source: Internet
Author: User

// Copy PE file.cpp : Defines the entry point for the console application.

#include "stdafx.h"
#include <windows.h>
#include <malloc.h>

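/*
 * Reads the file from the hard disk into a buffer.
 * Parameter 1: file path. Parameter 2: pointer that accepts the address of
 * the buffer the data was read into.
 * Returns the file length on success and 0 on failure.
 * Declared only; no definition appears in this listing.
 */
int ReadFileToBuffer(IN LPSTR filePath, OUT LPVOID* pFileBuffer);

/*
 * Copies the EXE from the file buffer into the memory image buffer.
 * Declared only; no definition appears in this listing.
 */
DWORD CopyFileBufferToImageBuffer(IN LPSTR fileBuffer, OUT LPVOID* pImageBuffer);

/*
 * Returns nonzero when the byte range [offset, offset + length) lies inside
 * a buffer of `total` bytes. The sum is never formed, so a large offset or
 * length taken from the file cannot wrap around and pass the check.
 */
static int RangeFits(DWORD offset, DWORD length, DWORD total)
{
    return offset <= total && length <= total - offset;
}

/*
 * Returns nonzero when a section's raw data fits both in the on-disk file
 * (PointerToRawData) and in the in-memory image (VirtualAddress).
 */
static int SectionFits(const IMAGE_SECTION_HEADER *section,
                       DWORD fileLength, DWORD sizeOfImage)
{
    return RangeFits(section->PointerToRawData, section->SizeOfRawData, fileLength)
        && RangeFits(section->VirtualAddress, section->SizeOfRawData, sizeOfImage);
}

/*
 * Reads a PE file into a file buffer, stretches it into an image buffer laid
 * out by virtual address, compresses the image back into a fresh file buffer
 * laid out by raw file offset, and writes that rebuilt buffer to disk.
 *
 * Every offset and size used below comes from the file's own headers, so each
 * one is range-checked before it is used as a pointer offset or copy length;
 * a malformed file is rejected instead of driving a copy outside a buffer.
 *
 * Returns 0 on every path, as the original listing did; failures are reported
 * on stdout.
 */
int main(int argc, char* argv[])
{
    /* All locals are declared up front so the cleanup jumps never skip an
       initialisation (the project builds this file as C++). */
    const char *filePath1 = "E:/notepad++.exe";   /* file that is read in */
    const char *filePath2 = "E:/zhuhao3.exe";     /* file output path */
    FILE *inputStream = NULL;
    FILE *outputStream = NULL;
    BYTE *pFileBuffer = NULL;
    BYTE *pImageBuffer = NULL;
    BYTE *pNewFileBuffer = NULL;
    long fileSize = 0;
    DWORD fileLength = 0;
    DWORD ntOffset = 0;
    DWORD optionalOffset = 0;
    DWORD sectionTableOffset = 0;
    DWORD sectionTableSize = 0;
    DWORD sizeOfImage = 0;
    DWORD sizeOfHeaders = 0;
    WORD numberOfSections = 0;
    WORD i = 0;
    PIMAGE_DOS_HEADER pDosHeader = NULL;
    PIMAGE_NT_HEADERS pNtHeaders = NULL;
    PIMAGE_FILE_HEADER pPeHeader = NULL;
    PIMAGE_OPTIONAL_HEADER32 pOptionalHeader = NULL;
    const IMAGE_SECTION_HEADER *pSectionHeader = NULL;
    const IMAGE_SECTION_HEADER *pImageSectionHeader = NULL;

    (void)argc;
    (void)argv;

    /* ---- Read the whole file into the file buffer ---- */
    inputStream = fopen(filePath1, "rb");
    if (inputStream == NULL) {   /* test the stream, not the path string */
        printf("Failed to open input file\n");
        goto cleanup;
    }

    /* Point the file position at the end of the file to learn its length. */
    if (fseek(inputStream, 0, SEEK_END) != 0) {
        printf("Set file location pointer failed\n");
        goto cleanup;
    }
    fileSize = ftell(inputStream);
    if (fileSize <= 0) {
        printf("Could not determine the file length\n");
        goto cleanup;
    }
    fileLength = (DWORD)fileSize;
    printf("The length of the EXE is %lu bytes\n", (unsigned long)fileLength);

    /* Reset the file position to the top of the file. */
    if (fseek(inputStream, 0, SEEK_SET) != 0) {
        printf("Set file location pointer failed\n");
        goto cleanup;
    }

    /* calloc hands back zeroed memory; the cast is needed when built as C++. */
    pFileBuffer = (BYTE *)calloc(1, fileLength);
    if (pFileBuffer == NULL) {
        printf("File buffer request failed\n");
        goto cleanup;
    }
    if (fread(pFileBuffer, fileLength, 1, inputStream) != 1) {
        printf("File read failed\n");
        goto cleanup;
    }

    /* ---- Validate the headers before trusting any field in them ---- */
    if (fileLength < (DWORD)sizeof(IMAGE_DOS_HEADER)) {
        printf("File is too small to hold a DOS header\n");
        goto cleanup;
    }
    pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        printf("Not a valid DOS file\n");
        goto cleanup;
    }

    /* e_lfanew is a signed field read from the file: it must be non-negative
       and leave room for the PE signature plus the file header. */
    if (pDosHeader->e_lfanew < 0
        || !RangeFits((DWORD)pDosHeader->e_lfanew,
                      (DWORD)sizeof(DWORD) + IMAGE_SIZEOF_FILE_HEADER,
                      fileLength)) {
        printf("e_lfanew points outside the file\n");
        goto cleanup;
    }
    ntOffset = (DWORD)pDosHeader->e_lfanew;

    /* Offsets are added to a BYTE pointer rather than to a pointer cast to
       DWORD, which would truncate the address in a 64-bit build. */
    pNtHeaders = (PIMAGE_NT_HEADERS)(pFileBuffer + ntOffset);
    if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE) {
        printf("The file is not a valid PE file\n");
        goto cleanup;
    }
    printf("Dos start address is: %p\n", (void *)pDosHeader);
    printf("NT start address is: %p\n", (void *)pNtHeaders);

    /* The file header follows the four-byte PE signature. */
    pPeHeader = (PIMAGE_FILE_HEADER)(pFileBuffer + ntOffset + sizeof(DWORD));
    printf("The starting address for PE is: %p\n", (void *)pPeHeader);

    /* The optional header must be long enough to contain SizeOfHeaders and
       must itself lie inside the file. */
    optionalOffset = ntOffset + (DWORD)sizeof(DWORD) + IMAGE_SIZEOF_FILE_HEADER;
    if (pPeHeader->SizeOfOptionalHeader
            < (DWORD)FIELD_OFFSET(IMAGE_OPTIONAL_HEADER32, SizeOfHeaders) + (DWORD)sizeof(DWORD)
        || !RangeFits(optionalOffset, pPeHeader->SizeOfOptionalHeader, fileLength)) {
        printf("Optional header does not fit inside the file\n");
        goto cleanup;
    }

    /* Only SizeOfImage and SizeOfHeaders are read from the optional header;
       both sit at the same offset in the PE32 and PE32+ layouts. */
    pOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)(pFileBuffer + optionalOffset);
    printf("The starting address of the optional is: %p\n", (void *)pOptionalHeader);
    sizeOfImage = pOptionalHeader->SizeOfImage;
    sizeOfHeaders = pOptionalHeader->SizeOfHeaders;
    numberOfSections = pPeHeader->NumberOfSections;

    sectionTableOffset = optionalOffset + pPeHeader->SizeOfOptionalHeader;
    sectionTableSize = (DWORD)numberOfSections * (DWORD)sizeof(IMAGE_SECTION_HEADER);
    pSectionHeader = (const IMAGE_SECTION_HEADER *)(pFileBuffer + sectionTableOffset);
    printf("The start address of the section table is: %p\n", (void *)pSectionHeader);

    /* The header block is copied into both other buffers and the section
       table is later read back out of the image copy, so the block must fit
       in the file and in the image and must contain the whole table. */
    if (sizeOfHeaders > fileLength || sizeOfHeaders > sizeOfImage
        || !RangeFits(sectionTableOffset, sectionTableSize, sizeOfHeaders)) {
        printf("Header sizes are inconsistent with the file\n");
        goto cleanup;
    }

    /* ---- File buffer -> image buffer (stretch) ---- */
    /* The image buffer is sized from SizeOfImage. */
    printf("%lx\n", (unsigned long)sizeOfImage);
    pImageBuffer = (BYTE *)calloc(1, sizeOfImage);
    if (pImageBuffer == NULL) {
        printf("Failed to allocate memory image file\n");
        goto cleanup;
    }

    /* First step: copy all the headers (DOS + NT + section table). */
    memcpy(pImageBuffer, pFileBuffer, sizeOfHeaders);

    /* Second step: copy each section to its virtual address. */
    for (i = 0; i < numberOfSections; i++) {
        const IMAGE_SECTION_HEADER *section = &pSectionHeader[i];

        if (!SectionFits(section, fileLength, sizeOfImage)) {
            printf("Section %u lies outside the file or the image\n", (unsigned)i);
            goto cleanup;
        }
        memcpy(pImageBuffer + section->VirtualAddress,
               pFileBuffer + section->PointerToRawData,
               section->SizeOfRawData);
    }

    /* Locate the headers inside the image with the offsets validated above
       instead of re-reading e_lfanew from the image copy. */
    printf("The first address of the DOS header in image is: %p\n",
           (void *)pImageBuffer);
    printf("The first address of NT header in image is: %p\n",
           (void *)(pImageBuffer + ntOffset));
    printf("The first address of the PE header in image is: %p\n",
           (void *)(pImageBuffer + ntOffset + sizeof(DWORD)));
    printf("The first address of the optional header in image is: %p\n",
           (void *)(pImageBuffer + optionalOffset));
    pImageSectionHeader =
        (const IMAGE_SECTION_HEADER *)(pImageBuffer + sectionTableOffset);

    /* ---- Image buffer -> new file buffer (compress) ---- */
    pNewFileBuffer = (BYTE *)calloc(1, fileLength);
    if (pNewFileBuffer == NULL) {
        printf("Re-request file buffer failed\n");
        goto cleanup;
    }

    /* First step: copy the header block into the new file buffer. */
    memcpy(pNewFileBuffer, pImageBuffer, sizeOfHeaders);

    /* Second step: copy each section back to its raw file offset. The table
       is walked from its start in the image; it is checked again because a
       section whose VirtualAddress falls inside the header block would have
       overwritten these entries during the stretch step. */
    for (i = 0; i < numberOfSections; i++) {
        const IMAGE_SECTION_HEADER *section = &pImageSectionHeader[i];

        if (!SectionFits(section, fileLength, sizeOfImage)) {
            printf("Section %u in the image lies outside the file or the image\n",
                   (unsigned)i);
            goto cleanup;
        }
        memcpy(pNewFileBuffer + section->PointerToRawData,
               pImageBuffer + section->VirtualAddress,
               section->SizeOfRawData);
    }

    /* ---- Write the restored file buffer to disk ---- */
    /* Binary mode: text mode would translate line endings on Windows and
       corrupt the executable. */
    outputStream = fopen(filePath2, "wb");
    if (outputStream == NULL) {
        printf("Failed to open output file\n");
        goto cleanup;
    }
    /* Write the rebuilt buffer, not the one originally read from disk. */
    if (fwrite(pNewFileBuffer, fileLength, 1, outputStream) != 1) {
        printf("File write failed\n");
        goto cleanup;
    }
    /* fclose flushes buffered data, so its result matters for a write stream. */
    if (fclose(outputStream) != 0) {
        printf("Closing the output file failed\n");
    }
    outputStream = NULL;

cleanup:
    if (outputStream != NULL) {
        fclose(outputStream);
    }
    if (inputStream != NULL) {
        fclose(inputStream);
    }
    free(pNewFileBuffer);
    free(pImageBuffer);
    free(pFileBuffer);
    return 0;
}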
