The main purpose is to become familiar with PE files.
Create a file handle, map the PE file into the address space, and create a file view to obtain the first address of the file (PIMAGE).
Then initialize each structure
Main code
Import table
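/*
 * PE32 import/export table dump.
 *
 * PIMAGE is the first byte of a file view that maps the whole PE file.  Both
 * entry points read the section table and the data directories out of the
 * mapped headers, so every RVA they meet is translated to a file offset through
 * the section that actually contains it -- the import descriptors, the thunk
 * arrays, the IMAGE_IMPORT_BY_NAME records and the export tables do not have
 * to share one section.
 *
 * Output goes to the global handles IMPORTHANDLE / EXPORTHANDLE (opened
 * elsewhere in this file): one record per line, fields separated by tabs.
 * Only PE32 (32-bit) images are handled; thunks are 4 bytes and the ordinal
 * flag is IMAGE_ORDINAL_FLAG32.  PE32+ images are rejected up front.
 *
 * NOTE(review): the size of the view is not passed in, so e_lfanew and each
 * section's PointerToRawData are trusted to lie inside the mapping.  Reads
 * inside a section are bounded by its SizeOfRawData.  TODO: pass the file
 * size and check header and section offsets against it.
 */

/* The parts of the mapped headers the RVA lookups need. */
struct pe_view {
    PBYTE base;                       /* first byte of the file view */
    PIMAGE_SECTION_HEADER sections;   /* section table inside the view */
    WORD nsections;                   /* entries in the section table */
};

/*
 * Validate the DOS and NT headers of a PE32 image and fill *v.
 * *dir_rva receives the VirtualAddress of data directory dir, or 0 when the
 * optional header is too short to contain that directory.
 * Returns FALSE for a NULL view, a wrong DOS/NT signature or a non-PE32 image.
 */
static BOOL pe_open_view(PVOID pimage, struct pe_view *v, DWORD dir, DWORD *dir_rva)
{
    PBYTE base = (PBYTE)pimage;
    PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)base;

    if (!base || dos->e_magic != IMAGE_DOS_SIGNATURE || dos->e_lfanew < 0) {
        return FALSE;
    }

    PIMAGE_NT_HEADERS32 nt = (PIMAGE_NT_HEADERS32)(base + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE ||
        nt->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
        return FALSE;
    }

    /* Short optional headers may omit the trailing directories entirely. */
    if (dir >= nt->OptionalHeader.NumberOfRvaAndSizes) {
        *dir_rva = 0;
    } else {
        *dir_rva = nt->OptionalHeader.DataDirectory[dir].VirtualAddress;
    }

    v->base = base;
    v->sections = IMAGE_FIRST_SECTION(nt);
    v->nsections = nt->FileHeader.NumberOfSections;
    return TRUE;
}

/*
 * Translate an RVA to a pointer inside the file view:
 *     raw = rva - VirtualAddress + PointerToRawData
 * using the section whose raw data contains the RVA.  *avail receives the
 * number of raw bytes from that pointer to the end of the section so callers
 * can bound strings and tables.  Returns NULL (and *avail == 0) when no
 * section's raw data covers the RVA: RVA 0, header-resident data, or data that
 * exists only in memory (SizeOfRawData == 0).
 */
static const BYTE *rva_to_ptr(const struct pe_view *v, DWORD rva, DWORD *avail)
{
    for (WORD i = 0; i < v->nsections; i++) {
        const IMAGE_SECTION_HEADER *s = &v->sections[i];
        if (rva >= s->VirtualAddress && rva - s->VirtualAddress < s->SizeOfRawData) {
            DWORD delta = rva - s->VirtualAddress;
            *avail = s->SizeOfRawData - delta;
            return v->base + s->PointerToRawData + delta;
        }
    }
    *avail = 0;
    return NULL;
}

/* strlen() that never runs past max bytes; strings inside the file view are
 * attacker-controlled and may be unterminated. */
static DWORD bounded_len(const char *s, DWORD max)
{
    DWORD n = 0;
    while (n < max && s[n] != '\0') {
        n++;
    }
    return n;
}

/* Write exactly len bytes to h; a failed or short write yields FALSE. */
static BOOL write_bytes(HANDLE h, const void *buf, DWORD len)
{
    DWORD written = 0;
    return WriteFile(h, buf, len, &written, NULL) && written == len;
}

/* Write a NUL-terminated string literal. */
static BOOL write_str(HANDLE h, const char *s)
{
    return write_bytes(h, s, (DWORD)strlen(s));
}

/* Write the n bytes a preceding snprintf() produced (n <= 0 means nothing). */
static BOOL write_buf(HANDLE h, const char *buf, int n)
{
    return n > 0 && write_bytes(h, buf, (DWORD)n);
}

/* Write the string found at rva in the view, bounded by its section, or a
 * marker when the RVA does not resolve. */
static BOOL write_view_str(HANDLE h, const struct pe_view *v, DWORD rva)
{
    DWORD avail;
    const char *s = (const char *)rva_to_ptr(v, rva, &avail);
    if (!s) {
        return write_str(h, "<bad rva>");
    }
    return write_bytes(h, s, bounded_len(s, avail));
}

/*
 * Import table.
 *
 * Writes to IMPORTHANDLE, per imported DLL, a blank line, the DLL name and a
 * blank line, then one record per imported function:
 *     <hint or ordinal>\t<name or ->\t<thunk value>\t<FirstThunk RVA>\r\n
 * The thunk value is the raw IMAGE_THUNK_DATA entry (an RVA of an
 * IMAGE_IMPORT_BY_NAME, or ordinal | IMAGE_ORDINAL_FLAG32); the FirstThunk RVA
 * is the IAT slot the loader overwrites with the function's address.
 * Shows a MessageBox and returns on an invalid image or an empty directory.
 */
void GETIMPORT(PVOID PIMAGE)
{
    struct pe_view view;
    DWORD IMPORTRVA;

    if (!pe_open_view(PIMAGE, &view, IMAGE_DIRECTORY_ENTRY_IMPORT, &IMPORTRVA)) {
        MessageBox(NULL, "NOT A PE32 FILE", "ERROR", NULL);
        return;
    }
    if (!IMPORTRVA) {
        MessageBox(NULL, "IMPORT IS EMOPTY", "ERROR", NULL);
        return;
    }

    DWORD descAvail;
    const IMAGE_IMPORT_DESCRIPTOR *IMPORT =
        (const IMAGE_IMPORT_DESCRIPTOR *)rva_to_ptr(&view, IMPORTRVA, &descAvail);
    if (!IMPORT) {
        MessageBox(NULL, "IMPORT RVA IS NOT IN ANY SECTION", "ERROR", NULL);
        return;
    }

    /* The descriptor array ends with an all-zero entry.  Testing both thunk
     * fields, not only OriginalFirstThunk, keeps the loop correct for images
     * whose OriginalFirstThunk is 0 (the loader accepts those too). */
    while (descAvail >= sizeof *IMPORT &&
           (IMPORT->OriginalFirstThunk || IMPORT->FirstThunk)) {
        /* On disk both thunk arrays hold the same RVAs; OriginalFirstThunk is
         * preferred for names because FirstThunk is patched at load time. */
        DWORD nameThunkRva = IMPORT->OriginalFirstThunk ? IMPORT->OriginalFirstThunk
                                                        : IMPORT->FirstThunk;
        DWORD firstThunkRva = IMPORT->FirstThunk;   /* printed only, never dereferenced */
        DWORD thunkAvail;
        const DWORD *THUNK = (const DWORD *)rva_to_ptr(&view, nameThunkRva, &thunkAvail);

        write_str(IMPORTHANDLE, "\r\n");
        write_view_str(IMPORTHANDLE, &view, IMPORT->Name);
        write_str(IMPORTHANDLE, "\r\n\r\n");

        /* Each 4-byte IMAGE_THUNK_DATA entry is one function; a 0 entry ends
         * the array for this DLL. */
        while (THUNK && thunkAvail >= sizeof *THUNK && *THUNK) {
            char line[48];

            if (*THUNK & IMAGE_ORDINAL_FLAG32) {
                /* Import by ordinal: the low 16 bits are the ordinal, no name. */
                write_buf(IMPORTHANDLE, line,
                          snprintf(line, sizeof line, "0x%x\t-\t0x%x\t0x%x\r\n",
                                   (unsigned)IMAGE_ORDINAL32(*THUNK),
                                   (unsigned)*THUNK, (unsigned)firstThunkRva));
            } else {
                /* Import by name: *THUNK is the RVA of an IMAGE_IMPORT_BY_NAME
                 * (WORD Hint followed by the NUL-terminated function name). */
                DWORD ibnAvail;
                const IMAGE_IMPORT_BY_NAME *NAME =
                    (const IMAGE_IMPORT_BY_NAME *)rva_to_ptr(&view, *THUNK, &ibnAvail);

                if (NAME && ibnAvail > sizeof NAME->Hint) {
                    write_buf(IMPORTHANDLE, line,
                              snprintf(line, sizeof line, "0x%x\t", (unsigned)NAME->Hint));
                    write_bytes(IMPORTHANDLE, NAME->Name,
                                bounded_len((const char *)NAME->Name,
                                            ibnAvail - (DWORD)sizeof NAME->Hint));
                } else {
                    write_str(IMPORTHANDLE, "?\t<bad name rva>");
                }
                write_buf(IMPORTHANDLE, line,
                          snprintf(line, sizeof line, "\t0x%x\t0x%x\r\n",
                                   (unsigned)*THUNK, (unsigned)firstThunkRva));
            }

            THUNK++;                          /* next IMAGE_THUNK_DATA */
            thunkAvail -= sizeof *THUNK;
            firstThunkRva += sizeof(DWORD);   /* next IAT slot */
        }

        IMPORT++;                             /* next DLL */
        descAvail -= sizeof *IMPORT;
    }
}

/*
 * Export table.
 *
 * Prints the IMAGE_EXPORT_DIRECTORY header fields and the DLL name to stdout,
 * then writes to EXPORTHANDLE one record per named export:
 *     <name>\t<ordinal>\t<function RVA>\r\n
 * AddressOfNames[j] is the RVA of the j-th name; AddressOfNameOrdinals[j] is
 * an index into AddressOfFunctions (the exported ordinal is Base + index).
 * Forwarded exports are printed like any other RVA.
 * Shows a MessageBox and returns on an invalid image, an empty directory or
 * tables that do not fit inside their sections.
 */
void GETEXPORT(PVOID PIMAGE)
{
    struct pe_view view;
    DWORD EXPORTRVA;

    if (!pe_open_view(PIMAGE, &view, IMAGE_DIRECTORY_ENTRY_EXPORT, &EXPORTRVA)) {
        MessageBox(NULL, "NOT A PE32 FILE", "ERROR", NULL);
        return;
    }
    if (!EXPORTRVA) {
        MessageBox(NULL, "EXPORT IS EMOPTY", "ERROR", NULL);
        return;
    }

    DWORD dirAvail;
    const IMAGE_EXPORT_DIRECTORY *EXPORT =
        (const IMAGE_EXPORT_DIRECTORY *)rva_to_ptr(&view, EXPORTRVA, &dirAvail);
    if (!EXPORT || dirAvail < sizeof *EXPORT) {
        MessageBox(NULL, "EXPORT RVA IS NOT IN ANY SECTION", "ERROR", NULL);
        return;
    }

    printf("Base = 0x%x\n", (unsigned)EXPORT->Base);
    printf("NumberOfFunctions = 0x%x\n", (unsigned)EXPORT->NumberOfFunctions);
    printf("NumberOfNames = 0x%x\n", (unsigned)EXPORT->NumberOfNames);
    printf("AddressOfFunctions = 0x%x\n", (unsigned)EXPORT->AddressOfFunctions);
    printf("AddressOfNameOrdinals = 0x%x\n", (unsigned)EXPORT->AddressOfNameOrdinals);
    printf("AddressOfNames = 0x%x\n", (unsigned)EXPORT->AddressOfNames);

    /* Name is an RVA; it must be turned into a file pointer before printing,
     * and the string is bounded by its section because it may lack a NUL. */
    DWORD nameAvail;
    const char *DLLNAME = (const char *)rva_to_ptr(&view, EXPORT->Name, &nameAvail);
    if (DLLNAME) {
        printf("Name = %.*s\n", (int)bounded_len(DLLNAME, nameAvail), DLLNAME);
    } else {
        printf("Name = <bad rva>\n");
    }

    DWORD namesAvail, ordsAvail, funcsAvail;
    const DWORD *NAMEADDRESS =
        (const DWORD *)rva_to_ptr(&view, EXPORT->AddressOfNames, &namesAvail);
    const WORD *ADDNAMEORD =
        (const WORD *)rva_to_ptr(&view, EXPORT->AddressOfNameOrdinals, &ordsAvail);
    const DWORD *FUNCTIONADDRESS =
        (const DWORD *)rva_to_ptr(&view, EXPORT->AddressOfFunctions, &funcsAvail);

    /* Every table must lie entirely inside its section's raw data.  Dividing
     * instead of multiplying avoids overflowing count * element size. */
    if (!NAMEADDRESS || !ADDNAMEORD || !FUNCTIONADDRESS ||
        EXPORT->NumberOfNames > namesAvail / sizeof *NAMEADDRESS ||
        EXPORT->NumberOfNames > ordsAvail / sizeof *ADDNAMEORD ||
        EXPORT->NumberOfFunctions > funcsAvail / sizeof *FUNCTIONADDRESS) {
        MessageBox(NULL, "EXPORT TABLES ARE TRUNCATED", "ERROR", NULL);
        return;
    }

    for (DWORD j = 0; j < EXPORT->NumberOfNames; j++) {
        char line[48];

        /* Two hops for the name: the table entry is itself an RVA. */
        write_view_str(EXPORTHANDLE, &view, NAMEADDRESS[j]);

        /* The name table is sorted by name, so AddressOfFunctions must be
         * indexed by the ordinal-table entry, not by j; pairing names with
         * FUNCTIONADDRESS[j] attributes the wrong RVA to a name whenever the
         * two orders differ. */
        WORD idx = ADDNAMEORD[j];
        if (idx < EXPORT->NumberOfFunctions) {
            write_buf(EXPORTHANDLE, line,
                      snprintf(line, sizeof line, "\t0x%x\t0x%x\r\n",
                               (unsigned)(EXPORT->Base + idx),
                               (unsigned)FUNCTIONADDRESS[idx]));
        } else {
            write_buf(EXPORTHANDLE, line,
                      snprintf(line, sizeof line, "\t0x%x\t<index out of range>\r\n",
                               (unsigned)(EXPORT->Base + idx)));
        }
    }
}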
End.