View the PE File relocation table
#include "stdafx.h"
#include <Windows.h>
DWORD Rva2offset (Pimage_nt_headers Pntheader, DWORD Dwrva)
{
Pimage_section_header psection = (Pimage_section_header) ((DWORD) Pntheader + sizeof (image_nt_headers));
for (int i = 0; i < pntheader->fileheader.numberofsections; i++)
{
if (Dwrva >= psection[i]. Virtualaddress && Dwrva < (psection[i). Virtualaddress + psection[i]. Sizeofrawdata))
{
Return Psection[i]. Pointertorawdata + (Dwrva-psection[i]. virtualaddress);
}
}
return 0;
}
int _tmain (int argc, _tchar* argv[])
{
HANDLE hfile = CreateFile (argv[1], generic_all, file_share_write, NULL, open_existing, NULL, NULL);
HANDLE hmapping = createfilemapping (hfile, NULL, page_readwrite, 0, 0, NULL);
PVOID Pbfile = MapViewOfFile (hmapping, file_map_all_access, 0, 0, 0);
if (Invalid_handle_value = = Hfile | | NULL = = Hmapping | | NULL = = pbfile)
{
printf ("/n/t----------the File inexistence! ----------/n ");
Goto EXIT;
}
Pimage_dos_header Pdosheader = (pimage_dos_header) pbfile;
Pimage_nt_headers Pntheader = (pimage_nt_headers) ((DWORD) Pbfile + pdosheader->e_lfanew);
if (0x00004550!= pntheader->signature)
{
printf ("/n/t----------Lawless PE file! ----------/n ");
Goto EXIT;
}
DWORD Dwrelocoffset = Rva2offset (Pntheader, Pntheader->optionalheader.datadirectory[image_directory_entry_ Basereloc]. virtualaddress);
Pimage_base_relocation Preloc = (pimage_base_relocation) ((DWORD) Pbfile + dwrelocoffset);
if (0 = preloc->virtualaddress)
{
printf ("/n/t----------No Relocation table! ----------/n ");
Goto EXIT;
}
while (preloc->virtualaddress)
{
printf ("[0x%08x]/n/n", preloc->virtualaddress);
for (int i = 0; I < (preloc->sizeofblock-sizeof (image_base_relocation))/2; i++)
{
printf ("<%04d>-0x%08x/n", I, Preloc->virtualaddress + (* (word*) ((DWORD) Preloc + sizeof (Image_base_relocati ON) + I * 2)) & 0X0FFF));
}
printf ("n");
Preloc = (pimage_base_relocation) ((DWORD) Preloc + preloc->sizeofblock);
}
EXIT:
if (NULL!= pbfile)
{
UnmapViewOfFile (Pbfile);
}
if (NULL!= hmapping)
{
CloseHandle (hmapping);
}
if (Invalid_handle_value!= hfile)
{
CloseHandle (hfile);
}
return 0;
}
View the PE file export table
#include "stdafx.h"
#include <Windows.h>
DWORD Rva2offset (Pimage_nt_headers Pntheader, DWORD Dwrva)
{
Pimage_section_header psection = (Pimage_section_header) ((DWORD) Pntheader + sizeof (image_nt_headers));
for (int i = 0; i < pntheader->fileheader.numberofsections; i++)
{
if (Dwrva >= psection[i]. Virtualaddress && Dwrva < (psection[i). Virtualaddress + psection[i]. Sizeofrawdata))
{
Return Psection[i]. Pointertorawdata + (Dwrva-psection[i]. virtualaddress);
}
}
return 0;
}
int _tmain (int argc, _tchar* argv[])
{
HANDLE hfile = CreateFile (argv[1], generic_all, file_share_write, NULL, open_existing, NULL, NULL);
HANDLE hmapping = createfilemapping (hfile, NULL, page_readwrite, 0, 0, NULL);
PVOID Pbfile = MapViewOfFile (hmapping, file_map_all_access, 0, 0, 0);
if (Invalid_handle_value = = Hfile | | NULL = = Hmapping | | NULL = = pbfile)
{
printf ("/n/t----------the File inexistence! ----------/n ");
Goto EXIT;
}
Pimage_dos_header Pdosheader = (pimage_dos_header) pbfile;
Pimage_nt_headers Pntheader = (pimage_nt_headers) ((DWORD) Pbfile + pdosheader->e_lfanew);
if (0x00004550!= pntheader->signature)
{
printf ("/n/t----------Lawless PE file! ----------/n ");
Goto EXIT;
}
DWORD Dwexportoffset = Rva2offset (Pntheader, Pntheader->optionalheader.datadirectory[image_directory_entry_ EXPORT]. virtualaddress);
Pimage_export_directory Pexport = (pimage_export_directory) ((DWORD) Pbfile + dwexportoffset);
DWORD Dwfunctionnameoffset = (DWORD) Pbfile + rva2offset (Pntheader, pexport->name);
dword* pdwnamesaddress = (dword*) ((DWORD) Pbfile + rva2offset (Pntheader, pexport->addressofnames));
dword* pdwfunctionaddress = (dword*) ((DWORD) Pbfile + rva2offset (Pntheader, pexport->addressoffunctions));
word* pwordinals = (word*) ((DWORD) Pbfile + rva2offset (Pntheader, pexport->addressofnameordinals));
if (0 = pexport->numberoffunctions)
{
printf ("/n/t----------No Export tabel! ----------/n ");
Goto EXIT;
}
printf ("FileName:%s/n", Dwfunctionnameoffset);
printf ("Numberoffunctions:%d/n", pexport->numberoffunctions);
printf ("Numberofnames:%d/n/n", pexport->numberofnames);
printf ("nameexport:/n/n");
for (int i = 0; i < pexport->numberofnames; i++)
{
DWORD dwfunctionaddress = pdwfunctionaddress[pwordinals[i]];
DWORD Pdwfunnameoffset = (DWORD) Pbfile + rva2offset (Pntheader, pdwnamesaddress[i]);
printf ("[Exportnum]:%-4d [Name]:%-30s [RVA]: 0x%08x/n", Pexport->base + I, Pdwfunnameoffset, dwfunctionaddress);
}
printf ("/nnumberexport:/n/n");
for (int i = 0; i < pexport->numberoffunctions-pexport->numberofnames; i++)
{
printf ("[Exportnum]:%-4d [RVA]: 0x%08x/n", Pexport->base + I, pdwfunctionaddress[i]);
}
printf ("n");
EXIT:
if (NULL!= pbfile)
{
UnmapViewOfFile (Pbfile);
}
if (NULL!= hmapping)
{
CloseHandle (hmapping);
}
if (Invalid_handle_value!= hfile)
{
CloseHandle (hfile);
}
return 0;
}
View the PE file import table This blog space chairman has been applying for a year, almost forgot. Recently has been learning PE files, paste paragraph code, function as the title, their own learning to write practice procedures, VC2005 compilation, console procedures, there are a lot of not rigorous and imperfect places.
#include "stdafx.h"
#include <Windows.h>
DWORD Rva2offset (Pimage_nt_headers Pntheader, DWORD Dwrva)
{
Pimage_section_header psection = (Pimage_section_header) ((DWORD) Pntheader + sizeof (image_nt_headers));
for (int i = 0; i < pntheader->fileheader.numberofsections; i++)
{
if (Dwrva >= psection[i]. Virtualaddress && Dwrva < (psection[i). Virtualaddress + psection[i]. Sizeofrawdata))
{
Return Psection[i]. Pointertorawdata + (Dwrva-psection[i]. virtualaddress);
}
}
return 0;
}
int _tmain (int argc, _tchar* argv[])
{
HANDLE hfile = CreateFile (argv[1], generic_all, file_share_write, NULL, open_existing, NULL, NULL);
HANDLE hmapping = createfilemapping (hfile, NULL, page_readwrite, 0, 0, NULL);
PVOID Pbfile = MapViewOfFile (hmapping, file_map_all_access, 0, 0, 0);
if (Invalid_handle_value = = Hfile | | NULL = = Hmapping | | NULL = = pbfile)
{
printf ("/n/t----------the File inexistence! ----------/n ");
Goto EXIT;
}
Pimage_dos_header Pdosheader = (pimage_dos_header) pbfile;
Pimage_nt_headers Pntheader = (pimage_nt_headers) ((DWORD) Pbfile + pdosheader->e_lfanew);
if (0x00004550!= pntheader->signature)
{
printf ("/n/t----------Lawless PE file! ----------/n ");
Goto EXIT;
}
DWORD Dwimportoffset = Rva2offset (Pntheader, Pntheader->optionalheader.datadirectory[image_directory_entry_ IMPORT]. virtualaddress);
Pimage_import_descriptor Pimport = (pimage_import_descriptor) ((DWORD) Pbfile + dwimportoffset);
DWORD dworiginalthunkoffset = 0;
DWORD dwthunkdata = 0;
Pimage_import_by_name pimagefunname = NULL;
Pimage_thunk_data pthunkdata = NULL;
for (int i = 0; i < pntheader->optionalheader.datadirectory[1]. Size/sizeof (Image_import_descriptor)-1; i++)
{
printf ("[DLL Name]:%s/n/n", (DWORD) Pbfile + rva2offset (Pntheader, pimport[i). Name)));
Pthunkdata = (pimage_thunk_data) (DWORD) Pbfile + rva2offset (Pntheader, pimport[i). Firstthunk));
for (int j = 0; pthunkdata[j].u1. Ordinal!= 0; J + +)
{
if (pthunkdata[j].u1. Ordinal & IMAGE_ORDINAL_FLAG32)
{
printf ("[%03d]---Number:%04d Name: <null>/n", J + 1, pthunkdata[j].u1. Ordinal & 0xFFFF);
}
Else
{
Pimagefunname = (pimage_import_by_name) (DWORD) Pbfile + rva2offset (Pntheader, pthunkdata[j].u1. Addressofdata));
printf ("[%03d]---Number:%04d Name:%s/n", J + 1, Pimagefunname->hint, pimagefunname->name);
}
}
printf ("n");
}
EXIT:
if (NULL!= pbfile)
{
UnmapViewOfFile (Pbfile);
}
if (NULL!= hmapping)
{
CloseHandle (hmapping);
}
if (Invalid_handle_value!= hfile)
{
CloseHandle (hfile);
}
return 0;
}