// Copy PE file (.cpp): defines the entry point for the console application.
//
#include "stdafx.h"
#include <windows.h>
#include <malloc.h>
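/*
 * Reads a file from disk into a buffer.
 *   filePath    - path of the file to read.
 *   pFileBuffer - receives the address of the buffer the data was read into.
 * Returns the file length on success, 0 on failure.
 *
 * NOTE(review): neither prototype below is defined or called in the visible
 * listing; main() performs both steps inline. Who frees the returned buffer
 * is not stated here - confirm against the definition.
 */
int ReadFileToBuffer(IN LPSTR filePath, OUT LPVOID *pFileBuffer);

/* Copies the EXE from the file buffer into the memory image buffer. */
DWORD CopyFileBufferToImageBuffer(IN LPSTR fileBuffer, OUT LPVOID *pImageBuffer);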
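/*
 * Returns nonzero when the byte range [offset, offset + size) lies entirely
 * inside a buffer of `limit` bytes. Written as a subtraction so that a
 * hostile offset/size pair cannot wrap the sum around.
 */
static int RangeFits(size_t offset, size_t size, size_t limit)
{
    return offset <= limit && size <= limit - offset;
}

/*
 * Reads a PE file into a file buffer, stretches it into an in-memory image
 * buffer (headers first, then each section at its VirtualAddress), shrinks
 * the image back into a fresh file-layout buffer, and writes that buffer out
 * so the result can be checked by running it.
 *
 * Both paths are hard-coded. Every offset and size taken from the PE headers
 * is treated as untrusted: it is range-checked against the buffer it indexes
 * before any pointer is formed or any memcpy is issued, because a truncated
 * or malformed file would otherwise drive reads and writes outside the
 * allocations.
 *
 * Bytes that belong neither to the headers nor to a section's raw data (an
 * overlay, for example) are not carried through the image and stay zero in
 * the output file.
 *
 * Returns 0 on success and 1 on any failure.
 */
int main(int argc, char* argv[])
{
    /* All locals are declared up front so that `goto cleanup` never jumps
       over an initialisation (which C++ rejects). */
    const char *filePath1 = "E:/notepad++.exe";   /* input file path */
    const char *filePath2 = "E:/zhuhao3.exe";     /* output file path */
    FILE *inputStream = NULL;
    FILE *outputStream = NULL;
    LPVOID pFileBuffer = NULL;      /* file as stored on disk */
    LPVOID pImageBuffer = NULL;     /* file stretched to its memory layout */
    LPVOID pNewFileBuffer = NULL;   /* image shrunk back to disk layout */
    PIMAGE_DOS_HEADER pDosHeader = NULL;
    PIMAGE_NT_HEADERS pNtHeaders = NULL;
    PIMAGE_FILE_HEADER pPeHeader = NULL;
    PIMAGE_OPTIONAL_HEADER pOptionalHeader = NULL;
    PIMAGE_SECTION_HEADER pSectionHeader = NULL;
    PIMAGE_DOS_HEADER pImageDosHeader = NULL;
    PIMAGE_NT_HEADERS pImageNtHeaders = NULL;
    PIMAGE_FILE_HEADER pImagePeHeader = NULL;
    PIMAGE_OPTIONAL_HEADER pImageOptionalHeader = NULL;
    PIMAGE_SECTION_HEADER pImageSectionHeader = NULL;
    PIMAGE_SECTION_HEADER pTempSectionHeader = NULL;
    long fileSize = 0;
    size_t fileLength = 0;
    size_t ntOffset = 0;
    size_t optionalOffset = 0;
    size_t sectionTableOffset = 0;
    size_t sectionTableSize = 0;
    size_t sizeOfImage = 0;
    size_t sizeOfHeaders = 0;
    unsigned int sectionCount = 0;
    unsigned int i = 0;
    int exitCode = 1;

    (void)argc;
    (void)argv;

    /* ---- Step 1: read the whole file into pFileBuffer ---- */
    inputStream = fopen(filePath1, "rb");
    if (inputStream == NULL) {      /* test the stream, not the path string */
        printf("Failed to open input file\n");
        goto cleanup;
    }
    /* Move the stream position to the end to learn the file length. */
    if (fseek(inputStream, 0, SEEK_END) != 0) {
        printf("Set file location pointer failed\n");
        goto cleanup;
    }
    fileSize = ftell(inputStream);
    if (fileSize <= 0) {
        printf("File is empty or its length could not be determined\n");
        goto cleanup;
    }
    fileLength = (size_t)fileSize;
    printf("The length of the EXE is %lu byte\n", (unsigned long)fileLength);
    /* Reset the stream position to the start of the file. */
    if (fseek(inputStream, 0, SEEK_SET) != 0) {
        printf("Set file location pointer failed\n");
        goto cleanup;
    }
    pFileBuffer = malloc(fileLength);
    if (pFileBuffer == NULL) {
        printf("File buffer request failed\n");
        goto cleanup;
    }
    memset(pFileBuffer, 0, fileLength);
    if (fread(pFileBuffer, fileLength, 1, inputStream) != 1) {
        printf("file read failed\n");
        goto cleanup;
    }

    /* ---- Step 2: locate and validate the headers in the file buffer ---- */
    /* The DOS header must be fully present before any field of it is read. */
    if (fileLength < sizeof(IMAGE_DOS_HEADER) ||
        *((PWORD)pFileBuffer) != IMAGE_DOS_SIGNATURE) {
        printf("Not a valid DOS file\n");
        goto cleanup;
    }
    pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer;
    /* e_lfanew is a signed value read from the file: reject negatives and
       make sure the PE signature plus the file header fit inside the file. */
    if (pDosHeader->e_lfanew < 0 ||
        !RangeFits((size_t)pDosHeader->e_lfanew,
                   sizeof(DWORD) + IMAGE_SIZEOF_FILE_HEADER, fileLength)) {
        printf("The file is not a valid PE file\n");
        goto cleanup;
    }
    ntOffset = (size_t)pDosHeader->e_lfanew;
    /* Byte offsets are added through BYTE* : adding an integer to a typed
       pointer advances by sizeof(pointee) * integer, and casting a pointer
       to DWORD truncates it on 64-bit builds. */
    if (*(PDWORD)((BYTE *)pFileBuffer + ntOffset) != IMAGE_NT_SIGNATURE) {
        printf("The file is not a valid PE file\n");
        goto cleanup;
    }
    printf("Dos start address is:%p\n", (void *)pDosHeader);
    pNtHeaders = (PIMAGE_NT_HEADERS)((BYTE *)pFileBuffer + ntOffset);
    printf("NT start address is:%p\n", (void *)pNtHeaders);
    /* The file (PE) header follows the 4-byte PE signature. */
    pPeHeader = (PIMAGE_FILE_HEADER)((BYTE *)pNtHeaders + sizeof(DWORD));
    printf("The starting address for PE is:%p\n", (void *)pPeHeader);

    optionalOffset = ntOffset + sizeof(DWORD) + IMAGE_SIZEOF_FILE_HEADER;
    /* The optional header must reach at least through SizeOfHeaders (the
       field just before CheckSum) and must itself lie inside the file. */
    if ((size_t)pPeHeader->SizeOfOptionalHeader <
            (size_t)FIELD_OFFSET(IMAGE_OPTIONAL_HEADER, CheckSum) ||
        !RangeFits(optionalOffset, pPeHeader->SizeOfOptionalHeader, fileLength)) {
        printf("Optional header is truncated\n");
        goto cleanup;
    }
    pOptionalHeader = (PIMAGE_OPTIONAL_HEADER)((BYTE *)pFileBuffer + optionalOffset);
    printf("The starting address of the optional is:%p\n", (void *)pOptionalHeader);
    /* IMAGE_OPTIONAL_HEADER is the 32- or 64-bit layout depending on the
       build; a file of the other kind would be read with wrong field
       offsets, so refuse it instead of misparsing it. */
    if (pOptionalHeader->Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC) {
        printf("Optional header format does not match this build\n");
        goto cleanup;
    }

    sectionCount = pPeHeader->NumberOfSections;
    sectionTableOffset = optionalOffset + pPeHeader->SizeOfOptionalHeader;
    sectionTableSize = (size_t)sectionCount * sizeof(IMAGE_SECTION_HEADER);
    sizeOfImage = pOptionalHeader->SizeOfImage;
    sizeOfHeaders = pOptionalHeader->SizeOfHeaders;
    printf("%lx\n", (unsigned long)sizeOfImage);
    /* SizeOfHeaders bytes are copied from the file into the image, so they
       must fit in both, and they must cover the section table because the
       table is later re-read from the image buffer. */
    if (sizeOfImage == 0 ||
        sizeOfHeaders > fileLength ||
        sizeOfHeaders > sizeOfImage ||
        !RangeFits(sectionTableOffset, sectionTableSize, sizeOfHeaders)) {
        printf("PE header sizes are inconsistent\n");
        goto cleanup;
    }
    pSectionHeader = (PIMAGE_SECTION_HEADER)((BYTE *)pFileBuffer + sectionTableOffset);
    printf("The Start Address of the section table is:%p\n", (void *)pSectionHeader);

    /* ---- Step 3: file buffer -> image buffer ---- */
    /* The image buffer is sized from SizeOfImage, a value taken from the
       file; a failed allocation must stop here rather than fall through. */
    pImageBuffer = malloc(sizeOfImage);
    if (pImageBuffer == NULL) {
        printf("Failed to allocate memory image file\n");
        goto cleanup;
    }
    memset(pImageBuffer, 0, sizeOfImage);
    /* 3a: all headers (DOS header + NT headers + section table). */
    memcpy(pImageBuffer, pFileBuffer, sizeOfHeaders);
    /* 3b: each section, from its raw file offset to its virtual address. */
    for (i = 0; i < sectionCount; i++) {
        pTempSectionHeader = &pSectionHeader[i];
        if (!RangeFits(pTempSectionHeader->PointerToRawData,
                       pTempSectionHeader->SizeOfRawData, fileLength) ||
            !RangeFits(pTempSectionHeader->VirtualAddress,
                       pTempSectionHeader->SizeOfRawData, sizeOfImage)) {
            printf("Section %u lies outside the file or the image\n", i);
            goto cleanup;
        }
        memcpy((BYTE *)pImageBuffer + pTempSectionHeader->VirtualAddress,
               (BYTE *)pFileBuffer + pTempSectionHeader->PointerToRawData,
               pTempSectionHeader->SizeOfRawData);
    }

    /* ---- Step 4: locate the headers inside the image buffer ---- */
    /* The offsets validated above are reused rather than re-read from the
       image: a section mapped over the header area could have changed the
       header bytes in the image after they were checked. */
    pImageDosHeader = (PIMAGE_DOS_HEADER)pImageBuffer;
    printf("The first address of the DOS header in image is:%p\n", (void *)pImageDosHeader);
    pImageNtHeaders = (PIMAGE_NT_HEADERS)((BYTE *)pImageBuffer + ntOffset);
    printf("The first address of NT header in image is:%p\n", (void *)pImageNtHeaders);
    pImagePeHeader = (PIMAGE_FILE_HEADER)((BYTE *)pImageNtHeaders + sizeof(DWORD));
    printf("The first address of the PE header in image is:%p\n", (void *)pImagePeHeader);
    pImageOptionalHeader = (PIMAGE_OPTIONAL_HEADER)((BYTE *)pImageBuffer + optionalOffset);
    printf("The first address of the optional header in image is:%p\n", (void *)pImageOptionalHeader);
    pImageSectionHeader = (PIMAGE_SECTION_HEADER)((BYTE *)pImageBuffer + sectionTableOffset);

    /* ---- Step 5: image buffer -> new file buffer ---- */
    pNewFileBuffer = malloc(fileLength);
    if (pNewFileBuffer == NULL) {
        printf("Re-request file buffer failed\n");
        goto cleanup;
    }
    memset(pNewFileBuffer, 0, fileLength);
    /* 5a: headers. */
    memcpy(pNewFileBuffer, pImageBuffer, sizeOfHeaders);
    /* 5b: each section back to its raw file offset. The table is read from
       the image this time, so every entry is range-checked again. */
    for (i = 0; i < sectionCount; i++) {
        pTempSectionHeader = &pImageSectionHeader[i];
        if (!RangeFits(pTempSectionHeader->PointerToRawData,
                       pTempSectionHeader->SizeOfRawData, fileLength) ||
            !RangeFits(pTempSectionHeader->VirtualAddress,
                       pTempSectionHeader->SizeOfRawData, sizeOfImage)) {
            printf("Section %u lies outside the file or the image\n", i);
            goto cleanup;
        }
        memcpy((BYTE *)pNewFileBuffer + pTempSectionHeader->PointerToRawData,
               (BYTE *)pImageBuffer + pTempSectionHeader->VirtualAddress,
               pTempSectionHeader->SizeOfRawData);
    }

    /* ---- Step 6: write the restored buffer to disk ---- */
    /* "wb": text mode would translate newline bytes and corrupt the binary.
       The restored buffer is written, not the original file buffer,
       otherwise the round trip is never actually exercised. */
    outputStream = fopen(filePath2, "wb");
    if (outputStream == NULL) {
        printf("Failed to open output file\n");
        goto cleanup;
    }
    if (fwrite(pNewFileBuffer, fileLength, 1, outputStream) != 1) {
        printf("file write failed\n");
        goto cleanup;
    }
    /* fclose flushes; a failure here means the file on disk is incomplete. */
    if (fclose(outputStream) != 0) {
        outputStream = NULL;
        printf("file write failed\n");
        goto cleanup;
    }
    outputStream = NULL;
    exitCode = 0;

cleanup:
    if (outputStream != NULL) {
        fclose(outputStream);
    }
    if (inputStream != NULL) {
        fclose(inputStream);
    }
    free(pNewFileBuffer);
    free(pImageBuffer);
    free(pFileBuffer);
    return exitCode;
}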
PE read/write