I think the best way to really understand PE is to write a program that obtains PE-related information, so I tried to write the code myself based on what I learned on the forum. To reflect my thinking directly, I wrote it as console code and did not add any error-proofing measures; it is mainly for my own understanding, and I am also sharing it with newcomers like me. Experts are welcome to critique the code directly. Without further ado, I will paste the code directly, split across six posts, each covering one part of the PE structure. The reason I do not post the code all together is so that everyone can understand it better (or, as I said, those just like me).
// PEDosHeader.cpp: defines the entry point of the console application.
//
#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <windows.h>
#include <imagehlp.h>
#pragma comment(lib, "imagehlp.lib")
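// Print every field of a DOS (MZ) header, one line per field, in the
// "|--" tree layout used throughout this series.
// pDosHeader must point at a readable IMAGE_DOS_HEADER (all 64 bytes).
static void PrintDosHeader(const IMAGE_DOS_HEADER *pDosHeader)
{
	// e_magic is the two ASCII bytes "MZ". "%.2s" prints exactly those two
	// bytes; a plain "%s" would keep reading past the field looking for a
	// NUL that the header does not contain.
	printf("|--DosHeader\n"
	       "\t|--WORD\te_magic:\t0x%08x\t%.2s\n"
	       "\t|--WORD\te_cblp:\t\t0x%08x\n"
	       "\t|--WORD\te_cp:\t\t0x%08x\n"
	       "\t|--WORD\te_crlc:\t\t0x%08x\n"
	       "\t|--WORD\te_cparhdr:\t0x%08x\n"
	       "\t|--WORD\te_minalloc:\t0x%08x\n"
	       "\t|--WORD\te_maxalloc:\t0x%08x\n"
	       "\t|--WORD\te_ss:\t\t0x%08x\n"
	       "\t|--WORD\te_sp:\t\t0x%08x\n"
	       "\t|--WORD\te_csum:\t\t0x%08x\n"
	       "\t|--WORD\te_ip:\t\t0x%08x\n"
	       "\t|--WORD\te_cs:\t\t0x%08x\n"
	       "\t|--WORD\te_lfarlc:\t0x%08x\n"
	       "\t|--WORD\te_ovno:\t\t0x%08x\n"
	       "\t|--WORD\te_res:\n"
	       "\t|--WORD\te_res[0]:\t0x%08x\n"
	       "\t|--WORD\te_res[1]:\t0x%08x\n"
	       "\t|--WORD\te_res[2]:\t0x%08x\n"
	       "\t|--WORD\te_res[3]:\t0x%08x\n"
	       "\t|--WORD\te_oemid:\t0x%08x\n"
	       "\t|--WORD\te_oeminfo:\t0x%08x\n"
	       "\t|--WORD\te_res2:\n"
	       "\t|--WORD\te_res2[0]:\t0x%08x\n"
	       "\t|--WORD\te_res2[1]:\t0x%08x\n"
	       "\t|--WORD\te_res2[2]:\t0x%08x\n"
	       "\t|--WORD\te_res2[3]:\t0x%08x\n"
	       "\t|--WORD\te_res2[4]:\t0x%08x\n"
	       "\t|--WORD\te_res2[5]:\t0x%08x\n"
	       "\t|--WORD\te_res2[6]:\t0x%08x\n"
	       "\t|--WORD\te_res2[7]:\t0x%08x\n"
	       "\t|--WORD\te_res2[8]:\t0x%08x\n"
	       "\t|--WORD\te_res2[9]:\t0x%08x\n"
	       "\t|--LONG\te_lfanew:\t0x%08lx\n",
	       (unsigned)pDosHeader->e_magic, (const char *)&pDosHeader->e_magic, // magic number, IMAGE_DOS_SIGNATURE 0x5A4D "MZ"
	       (unsigned)pDosHeader->e_cblp,      // bytes on the last page of the file
	       (unsigned)pDosHeader->e_cp,        // pages in the file
	       (unsigned)pDosHeader->e_crlc,      // number of relocation entries
	       (unsigned)pDosHeader->e_cparhdr,   // header size, in paragraphs
	       (unsigned)pDosHeader->e_minalloc,  // minimum extra paragraphs needed
	       (unsigned)pDosHeader->e_maxalloc,  // maximum extra paragraphs needed
	       (unsigned)pDosHeader->e_ss,        // initial SS value (relative)
	       (unsigned)pDosHeader->e_sp,        // initial SP value
	       (unsigned)pDosHeader->e_csum,      // checksum
	       (unsigned)pDosHeader->e_ip,        // initial IP value
	       (unsigned)pDosHeader->e_cs,        // initial CS value (relative)
	       (unsigned)pDosHeader->e_lfarlc,    // file offset of the relocation table
	       (unsigned)pDosHeader->e_ovno,      // overlay number
	       (unsigned)pDosHeader->e_res[0],    // reserved words
	       (unsigned)pDosHeader->e_res[1],
	       (unsigned)pDosHeader->e_res[2],
	       (unsigned)pDosHeader->e_res[3],
	       (unsigned)pDosHeader->e_oemid,     // OEM identifier
	       (unsigned)pDosHeader->e_oeminfo,   // OEM information
	       (unsigned)pDosHeader->e_res2[0],   // reserved words
	       (unsigned)pDosHeader->e_res2[1],
	       (unsigned)pDosHeader->e_res2[2],
	       (unsigned)pDosHeader->e_res2[3],
	       (unsigned)pDosHeader->e_res2[4],
	       (unsigned)pDosHeader->e_res2[5],
	       (unsigned)pDosHeader->e_res2[6],
	       (unsigned)pDosHeader->e_res2[7],
	       (unsigned)pDosHeader->e_res2[8],
	       (unsigned)pDosHeader->e_res2[9],
	       (unsigned long)pDosHeader->e_lfanew); // file offset of the new (PE) header
}

// Open cFile read-only, map it into this process, validate the DOS header
// and print it.
// Returns TRUE on success. On any failure a message is printed and FALSE
// is returned; every handle and view acquired here is released on every
// path, including the failure paths.
static BOOL DumpDosHeader(const WCHAR *cFile)
{
	BOOL ok = FALSE;
	HANDLE hFile = INVALID_HANDLE_VALUE;
	HANDLE hMap = NULL;
	LPVOID pMap = NULL;
	LARGE_INTEGER fileSize = {0};
	const IMAGE_DOS_HEADER *pDosHeader = NULL;

	hFile = ::CreateFile(cFile, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
	if (hFile == INVALID_HANDLE_VALUE) {
		printf("Create file failed! (%lu).\n", GetLastError());
		printf("\n");
		return FALSE;
	}

	// The e_magic check and the printout read all 64 header bytes, so refuse
	// files that do not actually contain that many bytes before mapping them.
	if (!::GetFileSizeEx(hFile, &fileSize) ||
	    fileSize.QuadPart < (LONGLONG)sizeof(IMAGE_DOS_HEADER)) {
		printf("File is too small to hold a DOS header.\n");
		goto cleanup;
	}

	// Create a read-only file mapping
	hMap = ::CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
	if (!hMap) {
		printf("Create file mapping failed! (%lu).\n", GetLastError());
		goto cleanup;
	}

	// Map a view of the file into this process
	pMap = ::MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);
	if (!pMap) {
		printf("Mapping file failed (%lu).\n", GetLastError());
		goto cleanup;
	}

	// The DOS header is the first thing in the file
	pDosHeader = (const IMAGE_DOS_HEADER *)pMap;

	// A DOS header starts with IMAGE_DOS_SIGNATURE 0x5A4D ("MZ"). No API
	// failed here, so GetLastError() carries nothing useful and is not shown.
	if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
		printf("Not DOS Header!\n");
		goto cleanup;
	}

	PrintDosHeader(pDosHeader);
	ok = TRUE;

cleanup:
	// Release in reverse order of acquisition. hFile is always valid here
	// because the open-failure path returned before any goto.
	if (pMap) {
		::UnmapViewOfFile(pMap);
	}
	if (hMap) {
		::CloseHandle(hMap);
	}
	::CloseHandle(hFile);
	return ok;
}

// Entry point: repeatedly prompt for a path and dump that file's DOS header.
// The loop ends on the first failure (or end of input), then pauses so the
// console output stays visible. Command-line arguments are not used.
int _tmain(int argc, _TCHAR *argv[])
{
	(void)argc;
	(void)argv;

	while (TRUE) {
		WCHAR cFile[256] = {0};
		printf("Please enter the file name and path:");
		// The width limits the read to 255 characters plus the terminating
		// NUL, so an over-long path cannot overrun cFile.
		if (wscanf(L"%255s", cFile) != 1) {
			break;
		}
		if (!DumpDosHeader(cFile)) {
			break;
		}
	}

	system("pause");
	return 0;
}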
Author: Chen Weihua