找回密码
 立即注册→加入我们

QQ登录

只需一步,快速开始

搜索
热搜: 下载 VB C 实现 编写
查看: 9221|回复: 3

【C】C语言写的打印PE文件头信息的程序

[复制链接]
发表于 2014-4-22 00:16:13 | 显示全部楼层 |阅读模式

欢迎访问技术宅的结界,请注册或者登录吧。

您需要 登录 才可以下载或查看,没有账号?立即注册→加入我们

×
这是个命令行程序。用法就是用以下命令启动它。
PrintPE PE文件.后缀
好。直接贴出源代码。大家编译运行一下就知道效果了。
  1. #include<stdio.h>
  2. #include<windows.h>

  3. IMAGE_DOS_HEADER        g_DOSH;
  4. IMAGE_FILE_HEADER       g_PEH;

  5. const char*pDirTableDesc[]=
  6. {
  7.     "Export Directory",
  8.     "Import Directory",
  9.     "Resource Directory",
  10.     "Exception Directory",
  11.     "Security Directory",
  12.     "Base Relocation Table",
  13.     "Debug Directory",
  14.     "Architecture Specific Data",
  15.     "RVA of GP",
  16.     "TLS Directory",
  17.     "Load Configuration Directory",
  18.     "Bound Import Directory in headers",
  19.     "Import Address Table",
  20.     "Delay Load Import Descriptors",
  21.     "COM Runtime descriptor"
  22. };

  23. void Usage()
  24. {
  25.     fputs(
  26.         "USAGE:\n"
  27.         "PrintPE PEFILE\n",stderr);
  28. }

  29. void ReadDOSH(FILE*fp)
  30. {
  31.     fread(&g_DOSH,1,sizeof(g_DOSH),fp);
  32.     printf(
  33.         "--------------------------------DOS .EXE header--------------------------------\n"
  34.         "Magic number:0x%04X\n"
  35.         "Bytes on last page of file:0x%04X\n"
  36.         "Pages in file:0x%04X\n"
  37.         "Relocations:0x%04X\n"
  38.         "Size of header in paragraphs:0x%04X\n"
  39.         "Minimum extra paragraphs needed:0x%04X\n"
  40.         "Maximum extra paragraphs needed:0x%04X\n"
  41.         "Initial (relative) SS value:0x%04X\n"
  42.         "Initial SP value:0x%04X\n"
  43.         "Checksum:0x%04X\n"
  44.         "Initial IP value:0x%04X\n"
  45.         "Initial (relative) CS value:0x%04X\n"
  46.         "File address of relocation table:0x%04X\n"
  47.         "Overlay number:0x%04X\n"
  48.         "OEM identifier (for e_oeminfo):0x%04X\n"
  49.         "OEM information; e_oemid specific:0x%04X\n"
  50.         "File address of new exe header:0x%08X\n",
  51.         g_DOSH.e_magic,                     // Magic number
  52.         g_DOSH.e_cblp,                      // Bytes on last page of file
  53.         g_DOSH.e_cp,                        // Pages in file
  54.         g_DOSH.e_crlc,                      // Relocations
  55.         g_DOSH.e_cparhdr,                   // Size of header in paragraphs
  56.         g_DOSH.e_minalloc,                  // Minimum extra paragraphs needed
  57.         g_DOSH.e_maxalloc,                  // Maximum extra paragraphs needed
  58.         g_DOSH.e_ss,                        // Initial (relative) SS value
  59.         g_DOSH.e_sp,                        // Initial SP value
  60.         g_DOSH.e_csum,                      // Checksum
  61.         g_DOSH.e_ip,                        // Initial IP value
  62.         g_DOSH.e_cs,                        // Initial (relative) CS value
  63.         g_DOSH.e_lfarlc,                    // File address of relocation table
  64.         g_DOSH.e_ovno,                      // Overlay number
  65.         g_DOSH.e_oemid,                     // OEM identifier (for e_oeminfo)
  66.         g_DOSH.e_oeminfo,                   // OEM information, e_oemid specific
  67.         g_DOSH.e_lfanew);                   // File address of new exe header
  68.     if(g_DOSH.e_crlc)//如果DOS的EXE头有16位EXE的重定向表
  69.     {
  70.         WORD wRelocs=g_DOSH.e_crlc;
  71.         DWORD*pdwRelocTable=(DWORD*)malloc(sizeof(DWORD)*wRelocs);
  72.         fseek(fp,g_DOSH.e_lfarlc,SEEK_SET);//转到16位EXE的重定向表
  73.         printf("DOS Relocations:\n");
  74.         if(pdwRelocTable)
  75.         {
  76.             DWORD*pPtr=pdwRelocTable;
  77.             fread(pdwRelocTable,1,sizeof(DWORD)*wRelocs,fp);
  78.             while(wRelocs--)
  79.             {
  80.                 printf("0x%08X:0x%08X\n",(*pPtr>>16)&0xFFFF,*pPtr&0xFFFF);
  81.                 pPtr++;
  82.             }
  83.             free(pdwRelocTable);
  84.         }
  85.         else
  86.         {
  87.             DWORD dwReloc;
  88.             while(wRelocs--)
  89.             {
  90.                 fread(&dwReloc,1,sizeof(dwReloc),fp);
  91.                 printf("0x%08X:0x%08X\n",(dwReloc>>16)&0xFFFF,dwReloc&0xFFFF);
  92.             }
  93.         }
  94.     }
  95. }

  96. void ReadPEH(FILE*fp)
  97. {
  98.     fread(&g_PEH,1,sizeof(g_PEH),fp);
  99.     fputs(
  100.         "----------------------------------PE Header------------------------------------\n"
  101.         "Machine:",stdout);
  102.     switch(g_PEH.Machine)
  103.     {
  104.     default:
  105.     case IMAGE_FILE_MACHINE_UNKNOWN:
  106.         fputs("Unknown machine type\n",stdout);
  107.         break;
  108.     case IMAGE_FILE_MACHINE_I386:
  109.         fputs("Intel 386.\n",stdout);
  110.         break;
  111.     case IMAGE_FILE_MACHINE_R3000:
  112.         fputs("MIPS little-endian, 0x160 big-endian\n",stdout);
  113.         break;
  114.     case IMAGE_FILE_MACHINE_R4000:
  115.         fputs("MIPS little-endian\n",stdout);
  116.         break;
  117.     case IMAGE_FILE_MACHINE_R10000:
  118.         fputs("MIPS little-endian\n",stdout);
  119.         break;
  120.     case IMAGE_FILE_MACHINE_WCEMIPSV2:
  121.         fputs("MIPS little-endian WCE v2\n",stdout);
  122.         break;
  123.     case IMAGE_FILE_MACHINE_ALPHA:
  124.         fputs("Alpha_AXP\n",stdout);
  125.         break;
  126.     case IMAGE_FILE_MACHINE_POWERPC:
  127.         fputs("IBM PowerPC Little-Endian\n",stdout);
  128.         break;
  129.     case IMAGE_FILE_MACHINE_SH3:
  130.         fputs("SH3 little-endian\n",stdout);
  131.         break;
  132.     case IMAGE_FILE_MACHINE_SH3E:
  133.         fputs("SH3E little-endian\n",stdout);
  134.         break;
  135.     case IMAGE_FILE_MACHINE_SH4:
  136.         fputs("SH4 little-endian\n",stdout);
  137.         break;
  138.     case IMAGE_FILE_MACHINE_ARM:
  139.         fputs("ARM Little-Endian\n",stdout);
  140.         break;
  141.     case IMAGE_FILE_MACHINE_THUMB:
  142.         fputs("Thumb\n",stdout);
  143.         break;
  144.     case IMAGE_FILE_MACHINE_IA64:
  145.         fputs("Intel 64\n",stdout);
  146.         break;
  147.     case IMAGE_FILE_MACHINE_MIPS16:
  148.         fputs("MIPS 16\n",stdout);
  149.         break;
  150.     case IMAGE_FILE_MACHINE_MIPSFPU:
  151.         fputs("MIPS FPU\n",stdout);
  152.         break;
  153.     case IMAGE_FILE_MACHINE_MIPSFPU16:
  154.         fputs("MIPS FPU 16\n",stdout);
  155.         break;
  156.     case IMAGE_FILE_MACHINE_ALPHA64:
  157.         fputs("ALPHA64\n",stdout);
  158.         break;
  159.     }
  160.     printf(
  161.         "Number of sections:0x%04X\n"
  162.         "Time date stamp:0x%08X\n"
  163.         "Pointer to symbol table:0x%08X\n"
  164.         "Number of symbols:0x%08X\n"
  165.         "Size of optional header:0x%04X\n"
  166.         "Characteristics:0x%04X\n",
  167.         g_PEH.NumberOfSections,
  168.         g_PEH.TimeDateStamp,
  169.         g_PEH.PointerToSymbolTable,
  170.         g_PEH.NumberOfSymbols,
  171.         g_PEH.SizeOfOptionalHeader,
  172.         g_PEH.Characteristics);
  173.     if(g_PEH.Characteristics&IMAGE_FILE_RELOCS_STRIPPED)
  174.         fputs("\tRelocation info stripped from file.\n",stdout);
  175.     if(g_PEH.Characteristics&IMAGE_FILE_EXECUTABLE_IMAGE)
  176.         fputs("\tFile is executable  (i.e. no unresolved externel references).\n",stdout);
  177.     if(g_PEH.Characteristics&IMAGE_FILE_LINE_NUMS_STRIPPED)
  178.         fputs("\tLine numbers stripped from file.\n",stdout);
  179.     if(g_PEH.Characteristics&IMAGE_FILE_LOCAL_SYMS_STRIPPED)
  180.         fputs("\tLocal symbols stripped from file.\n",stdout);
  181.     if(g_PEH.Characteristics&IMAGE_FILE_AGGRESIVE_WS_TRIM)
  182.         fputs("\tAgressively trim working set\n",stdout);
  183.     if(g_PEH.Characteristics&IMAGE_FILE_LARGE_ADDRESS_AWARE)
  184.         fputs("\tApp can handle >2gb addresses\n",stdout);
  185.     if(g_PEH.Characteristics&IMAGE_FILE_BYTES_REVERSED_LO)
  186.         fputs("\tBytes of machine word are reversed.\n",stdout);
  187.     if(g_PEH.Characteristics&IMAGE_FILE_32BIT_MACHINE)
  188.         fputs("\t32 bit word machine.\n",stdout);
  189.     if(g_PEH.Characteristics&IMAGE_FILE_DEBUG_STRIPPED)
  190.         fputs("\tDebugging info stripped from file in .DBG file\n",stdout);
  191.     if(g_PEH.Characteristics&IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP)
  192.         fputs("\tIf Image is on removable media, copy and run from the swap file.\n",stdout);
  193.     if(g_PEH.Characteristics&IMAGE_FILE_NET_RUN_FROM_SWAP)
  194.         fputs("\tIf Image is on Net, copy and run from the swap file.\n",stdout);
  195.     if(g_PEH.Characteristics&IMAGE_FILE_SYSTEM)
  196.         fputs("\tSystem File.\n",stdout);
  197.     if(g_PEH.Characteristics&IMAGE_FILE_DLL)
  198.         fputs("\tFile is a DLL.\n",stdout);
  199.     if(g_PEH.Characteristics&IMAGE_FILE_UP_SYSTEM_ONLY)
  200.         fputs("\tFile should only be run on a UP machine\n",stdout);
  201.     if(g_PEH.Characteristics&IMAGE_FILE_BYTES_REVERSED_HI)
  202.         fputs("\tBytes of machine word are reversed.\n",stdout);
  203. }

  204. void ReadOPT32(FILE*fp,IMAGE_OPTIONAL_HEADER32*pOPT32)
  205. {
  206.     UINT uDirEntry;
  207.     printf(
  208.         "Major linker version:0x%02X\n"
  209.         "Minor linker version:0x%02X\n"
  210.         "Size of code:0x%08X\n"
  211.         "Size of initialized data:0x%08X\n"
  212.         "Size of uninitialized data:0x%08X\n"
  213.         "Address of entry point:0x%08X\n"
  214.         "Base of code:0x%08X\n"
  215.         "Base of data:0x%08X\n"
  216.         "Image base:0x%08X\n"
  217.         "Section alignment:0x%08X\n"
  218.         "File alignment:0x%08X\n"
  219.         "Major operating system version:0x%04X\n"
  220.         "Minor operating system version:0x%04X\n"
  221.         "Major image version:0x%04X\n"
  222.         "Minor image version:0x%04X\n"
  223.         "Major subsystem version:0x%04X\n"
  224.         "Minor subsystem version:0x%04X\n"
  225.         "Win32 version value:0x%08X\n"
  226.         "Size of image:0x%08X\n"
  227.         "Size of headers:0x%08X\n"
  228.         "Check sum:0x%08X\n"
  229.         "Subsystem:0x%04X\n",
  230.         pOPT32->Magic,
  231.         pOPT32->MajorLinkerVersion,
  232.         pOPT32->MinorLinkerVersion,
  233.         pOPT32->SizeOfCode,
  234.         pOPT32->SizeOfInitializedData,
  235.         pOPT32->SizeOfUninitializedData,
  236.         pOPT32->AddressOfEntryPoint,
  237.         pOPT32->BaseOfCode,
  238.         pOPT32->BaseOfData,
  239.         pOPT32->ImageBase,
  240.         pOPT32->SectionAlignment,
  241.         pOPT32->FileAlignment,
  242.         pOPT32->MajorOperatingSystemVersion,
  243.         pOPT32->MinorOperatingSystemVersion,
  244.         pOPT32->MajorImageVersion,
  245.         pOPT32->MinorImageVersion,
  246.         pOPT32->MajorSubsystemVersion,
  247.         pOPT32->MinorSubsystemVersion,
  248.         pOPT32->Win32VersionValue,
  249.         pOPT32->SizeOfImage,
  250.         pOPT32->SizeOfHeaders,
  251.         pOPT32->CheckSum,
  252.         pOPT32->Subsystem);
  253.     switch(pOPT32->Subsystem)
  254.     {
  255.     default:
  256.     case IMAGE_SUBSYSTEM_UNKNOWN:
  257.         fputs("\tUnknown subsystem.\n",stdout);
  258.         break;
  259.     case IMAGE_SUBSYSTEM_NATIVE:
  260.         fputs("\tImage doesn't require a subsystem.\n",stdout);
  261.         break;
  262.     case IMAGE_SUBSYSTEM_WINDOWS_GUI:
  263.         fputs("\tImage runs in the Windows GUI subsystem.\n",stdout);
  264.         break;
  265.     case IMAGE_SUBSYSTEM_WINDOWS_CUI:
  266.         fputs("\tImage runs in the Windows character subsystem.\n",stdout);
  267.         break;
  268.     case IMAGE_SUBSYSTEM_OS2_CUI:
  269.         fputs("\timage runs in the OS/2 character subsystem.\n",stdout);
  270.         break;
  271.     case IMAGE_SUBSYSTEM_POSIX_CUI:
  272.         fputs("\timage runs in the Posix character subsystem.\n",stdout);
  273.         break;
  274.     case IMAGE_SUBSYSTEM_NATIVE_WINDOWS:
  275.         fputs("\timage is a native Win9x driver.\n",stdout);
  276.         break;
  277.     case IMAGE_SUBSYSTEM_WINDOWS_CE_GUI:
  278.         fputs("\tImage runs in the Windows CE subsystem.\n",stdout);
  279.         break;
  280.     }
  281.     printf("Dll characteristics:0x%04X\n",pOPT32->DllCharacteristics);
  282.     if(pOPT32->DllCharacteristics&1)
  283.         fputs("\tDLL_PROCESS_ATTACH\n",stdout);
  284.     if(pOPT32->DllCharacteristics&2)
  285.         fputs("\tDLL_THREAD_ATTACH\n",stdout);
  286.     if(pOPT32->DllCharacteristics&4)
  287.         fputs("\tDLL_THREAD_DETACH\n",stdout);
  288.     if(pOPT32->DllCharacteristics&8)
  289.         fputs("\tDLL_PROCESS_DETACH\n",stdout);
  290.     if(pOPT32->DllCharacteristics&IMAGE_DLLCHARACTERISTICS_WDM_DRIVER)
  291.         fputs("\tWDM_Driver\n",stdout);
  292.     printf(
  293.         "Size of stack reserve:0x%08X\n"
  294.         "Size of stack commit:0x%08X\n"
  295.         "Size of heap reserve:0x%08X\n"
  296.         "Size of heap commit:0x%08X\n"
  297.         "Loader flags:0x%08X\n"
  298.         "Number of RVA and sizes:0x%08X\n"
  299.         "Data directories:\n",
  300.         pOPT32->SizeOfStackReserve,
  301.         pOPT32->SizeOfStackCommit,
  302.         pOPT32->SizeOfHeapReserve,
  303.         pOPT32->SizeOfHeapCommit,
  304.         pOPT32->LoaderFlags,
  305.         pOPT32->NumberOfRvaAndSizes);
  306.     for(uDirEntry=0;uDirEntry<pOPT32->NumberOfRvaAndSizes;uDirEntry++)
  307.     {
  308.         printf(
  309.             "%s:\n"
  310.             "Virtual address:0x%08X\tSize:0x%08X\n",
  311.             uDirEntry<sizeof(pDirTableDesc)/sizeof(char*)?pDirTableDesc[uDirEntry]:"Unknown",
  312.             pOPT32->DataDirectory[uDirEntry].VirtualAddress,
  313.             pOPT32->DataDirectory[uDirEntry].Size);
  314.     }
  315. }

  316. void ReadOPT64(FILE*fp,IMAGE_OPTIONAL_HEADER64*pOPT64)
  317. {
  318.     UINT uDirEntry;
  319.     printf(
  320.         "Major linker version=0x%02X\n"
  321.         "Minor linker version=0x%02X\n"
  322.         "Size of code=0x%08X\n"
  323.         "Size of initialized data=0x%08X\n"
  324.         "Size of uninitialized data=0x%08X\n"
  325.         "Address of entry point=0x%08X\n"
  326.         "Base of code=0x%08X\n"
  327.         "Image base=0x%016I64X\n"
  328.         "Section alignment=0x%08X\n"
  329.         "File alignment=0x%08X\n"
  330.         "Major operating system version=0x%04X\n"
  331.         "Minor operating system version=0x%04X\n"
  332.         "Major image version=0x%04X\n"
  333.         "Minor image version=0x%04X\n"
  334.         "Major subsystem version=0x%04X\n"
  335.         "Minor subsystem version=0x%04X\n"
  336.         "Win32 version value=0x%08X\n"
  337.         "Size of image=0x%08X\n"
  338.         "Size of headers=0x%08X\n"
  339.         "Check sum=0x%08X\n"
  340.         "Subsystem=0x%04X\n",
  341.         pOPT64->MajorLinkerVersion,
  342.         pOPT64->MinorLinkerVersion,
  343.         pOPT64->SizeOfCode,
  344.         pOPT64->SizeOfInitializedData,
  345.         pOPT64->SizeOfUninitializedData,
  346.         pOPT64->AddressOfEntryPoint,
  347.         pOPT64->BaseOfCode,
  348.         pOPT64->ImageBase,
  349.         pOPT64->SectionAlignment,
  350.         pOPT64->FileAlignment,
  351.         pOPT64->MajorOperatingSystemVersion,
  352.         pOPT64->MinorOperatingSystemVersion,
  353.         pOPT64->MajorImageVersion,
  354.         pOPT64->MinorImageVersion,
  355.         pOPT64->MajorSubsystemVersion,
  356.         pOPT64->MinorSubsystemVersion,
  357.         pOPT64->Win32VersionValue,
  358.         pOPT64->SizeOfImage,
  359.         pOPT64->SizeOfHeaders,
  360.         pOPT64->CheckSum,
  361.         pOPT64->Subsystem);
  362.     switch(pOPT64->Subsystem)
  363.     {
  364.     default:
  365.     case IMAGE_SUBSYSTEM_UNKNOWN:
  366.         fputs("\tUnknown subsystem.\n",stdout);
  367.         break;
  368.     case IMAGE_SUBSYSTEM_NATIVE:
  369.         fputs("\tImage doesn't require a subsystem.\n",stdout);
  370.         break;
  371.     case IMAGE_SUBSYSTEM_WINDOWS_GUI:
  372.         fputs("\tImage runs in the Windows GUI subsystem.\n",stdout);
  373.         break;
  374.     case IMAGE_SUBSYSTEM_WINDOWS_CUI:
  375.         fputs("\tImage runs in the Windows character subsystem.\n",stdout);
  376.         break;
  377.     case IMAGE_SUBSYSTEM_OS2_CUI:
  378.         fputs("\timage runs in the OS/2 character subsystem.\n",stdout);
  379.         break;
  380.     case IMAGE_SUBSYSTEM_POSIX_CUI:
  381.         fputs("\timage runs in the Posix character subsystem.\n",stdout);
  382.         break;
  383.     case IMAGE_SUBSYSTEM_NATIVE_WINDOWS:
  384.         fputs("\timage is a native Win9x driver.\n",stdout);
  385.         break;
  386.     case IMAGE_SUBSYSTEM_WINDOWS_CE_GUI:
  387.         fputs("\tImage runs in the Windows CE subsystem.\n",stdout);
  388.         break;
  389.     }
  390.     printf("Dll characteristics:0x%04X\n",pOPT64->DllCharacteristics);
  391.     if(pOPT64->DllCharacteristics&1)
  392.         fputs("\tDLL_PROCESS_ATTACH\n",stdout);
  393.     if(pOPT64->DllCharacteristics&2)
  394.         fputs("\tDLL_THREAD_ATTACH\n",stdout);
  395.     if(pOPT64->DllCharacteristics&4)
  396.         fputs("\tDLL_THREAD_DETACH\n",stdout);
  397.     if(pOPT64->DllCharacteristics&8)
  398.         fputs("\tDLL_PROCESS_DETACH\n",stdout);
  399.     if(pOPT64->DllCharacteristics&IMAGE_DLLCHARACTERISTICS_WDM_DRIVER)
  400.         fputs("\tWDM_Driver\n",stdout);
  401.     printf(
  402.         "Size of stack reserve=0x%016I64X\n"
  403.         "Size of stack commit=0x%016I64X\n"
  404.         "Size of heap reserve=0x%016I64X\n"
  405.         "Size of heap commit=0x%016I64X\n"
  406.         "Loader flags=0x%08X\n"
  407.         "Number of RVA and sizes=0x%08X\n",
  408.         pOPT64->SizeOfStackReserve,
  409.         pOPT64->SizeOfStackCommit,
  410.         pOPT64->SizeOfHeapReserve,
  411.         pOPT64->SizeOfHeapCommit,
  412.         pOPT64->LoaderFlags,
  413.         pOPT64->NumberOfRvaAndSizes);
  414.     for(uDirEntry=0;uDirEntry<pOPT64->NumberOfRvaAndSizes;uDirEntry++)
  415.     {
  416.         printf(
  417.             "%s:\n"
  418.             "Virtual address:0x%08X\tSize:0x%08X\n",
  419.             uDirEntry<sizeof(pDirTableDesc)/sizeof(char*)?pDirTableDesc[uDirEntry]:"Unknown",
  420.             pOPT64->DataDirectory[uDirEntry].VirtualAddress,
  421.             pOPT64->DataDirectory[uDirEntry].Size);
  422.     }
  423. }

  424. void ReadROMOPT(FILE*fp,IMAGE_ROM_OPTIONAL_HEADER*pROMOPT)
  425. {
  426.     printf(
  427.         "Major linker version=0x%02X\n"
  428.         "Minor linker version=0x%02X\n"
  429.         "Size of code=0x%08X\n"
  430.         "Size of initializedData=0x%08X\n"
  431.         "Size of uninitializedData=0x%08X\n"
  432.         "Address of entry point=0x%08X\n"
  433.         "Base of code=0x%08X\n"
  434.         "Base of data=0x%08X\n"
  435.         "Base of bss=0x%08X\n"
  436.         "Gpr mask=0x%08X\n"
  437.         "Cpr mask:\n"
  438.         "\t0x%08X\n"
  439.         "\t0x%08X\n"
  440.         "\t0x%08X\n"
  441.         "\t0x%08X\n"
  442.         "Gp value0x%08X\n",
  443.         "MajorLinkerVersion=0x%02X\n",
  444.         pROMOPT->MinorLinkerVersion,
  445.         pROMOPT->SizeOfCode,
  446.         pROMOPT->SizeOfInitializedData,
  447.         pROMOPT->SizeOfUninitializedData,
  448.         pROMOPT->AddressOfEntryPoint,
  449.         pROMOPT->BaseOfCode,
  450.         pROMOPT->BaseOfData,
  451.         pROMOPT->BaseOfBss,
  452.         pROMOPT->GprMask,
  453.         pROMOPT->CprMask[0],
  454.         pROMOPT->CprMask[1],
  455.         pROMOPT->CprMask[2],
  456.         pROMOPT->CprMask[3],
  457.         pROMOPT->GpValue);
  458. }

  459. void ReadSegH(FILE*fp)
  460. {
  461.     IMAGE_SECTION_HEADER SecH;
  462.     char szBuf[IMAGE_SIZEOF_SHORT_NAME+1]={0};
  463.     WORD wSeg=g_PEH.NumberOfSections;
  464.     while(wSeg--)
  465.     {
  466.         fread(&SecH,1,sizeof(SecH),fp);
  467.         memcpy(szBuf,SecH.Name,IMAGE_SIZEOF_SHORT_NAME);
  468.         printf(
  469.             "--------------------------------Section headers--------------------------------\n"
  470.             "Name:%s\n"
  471.             "Physical address\\Virtual size:0x%08X\n"
  472.             "Virtual address:0x%08X\n"
  473.             "Size of raw data:0x%08X\n"
  474.             "Pointer to raw data:0x%08X\n"
  475.             "Pointer to relocations:0x%08X\n"
  476.             "Pointer to linenumbers:0x%08X\n"
  477.             "Number of relocations:0x%04X\n"
  478.             "Number of linenumbers:0x%04X\n"
  479.             "Characteristics:0x%08X\n",
  480.             szBuf,
  481.             SecH.Misc.PhysicalAddress,
  482.             SecH.VirtualAddress,
  483.             SecH.SizeOfRawData,
  484.             SecH.PointerToRawData,
  485.             SecH.PointerToRelocations,
  486.             SecH.PointerToLinenumbers,
  487.             SecH.NumberOfRelocations,
  488.             SecH.NumberOfLinenumbers,
  489.             SecH.Characteristics);
  490.         if(SecH.Characteristics&IMAGE_SCN_TYPE_NO_PAD)
  491.             fputs("IMAGE_SCN_TYPE_NO_PAD\n",stdout);
  492.         if(SecH.Characteristics&IMAGE_SCN_CNT_CODE)
  493.             fputs("IMAGE_SCN_CNT_CODE\n",stdout);
  494.         if(SecH.Characteristics&IMAGE_SCN_CNT_INITIALIZED_DATA)
  495.             fputs("IMAGE_SCN_CNT_INITIALIZED_DATA\n",stdout);
  496.         if(SecH.Characteristics&IMAGE_SCN_CNT_UNINITIALIZED_DATA)
  497.             fputs("IMAGE_SCN_CNT_UNINITIALIZED_DATA\n",stdout);
  498.         if(SecH.Characteristics&IMAGE_SCN_LNK_OTHER)
  499.             fputs("IMAGE_SCN_LNK_OTHER\n",stdout);
  500.         if(SecH.Characteristics&IMAGE_SCN_LNK_INFO)
  501.             fputs("IMAGE_SCN_LNK_INFO\n",stdout);
  502.         if(SecH.Characteristics&IMAGE_SCN_LNK_REMOVE)
  503.             fputs("IMAGE_SCN_LNK_REMOVE\n",stdout);
  504.         if(SecH.Characteristics&IMAGE_SCN_LNK_COMDAT)
  505.             fputs("IMAGE_SCN_LNK_COMDAT\n",stdout);
  506.         if(SecH.Characteristics&IMAGE_SCN_NO_DEFER_SPEC_EXC)
  507.             fputs("IMAGE_SCN_NO_DEFER_SPEC_EXC\n",stdout);
  508.         if(SecH.Characteristics&IMAGE_SCN_GPREL)
  509.             fputs("IMAGE_SCN_GPREL\n",stdout);
  510.         if(SecH.Characteristics&IMAGE_SCN_MEM_FARDATA)
  511.             fputs("IMAGE_SCN_MEM_FARDATA\n",stdout);
  512.         if(SecH.Characteristics&IMAGE_SCN_MEM_PURGEABLE)
  513.             fputs("IMAGE_SCN_MEM_PURGEABLE\n",stdout);
  514.         if(SecH.Characteristics&IMAGE_SCN_MEM_16BIT)
  515.             fputs("IMAGE_SCN_MEM_16BIT\n",stdout);
  516.         if(SecH.Characteristics&IMAGE_SCN_MEM_LOCKED)
  517.             fputs("IMAGE_SCN_MEM_LOCKED\n",stdout);
  518.         if(SecH.Characteristics&IMAGE_SCN_MEM_PRELOAD)
  519.             fputs("IMAGE_SCN_MEM_PRELOAD\n",stdout);
  520.         if(SecH.Characteristics&IMAGE_SCN_ALIGN_1BYTES)
  521.             fputs("IMAGE_SCN_ALIGN_1BYTES\n",stdout);
  522.         if(SecH.Characteristics&IMAGE_SCN_ALIGN_2BYTES)
  523.             fputs("IMAGE_SCN_ALIGN_2BYTES\n",stdout);
  524.         if(SecH.Characteristics&IMAGE_SCN_ALIGN_4BYTES)
  525.             fputs("IMAGE_SCN_ALIGN_4BYTES\n",stdout);
  526.         if(SecH.Characteristics&IMAGE_SCN_ALIGN_8BYTES)
  527.             fputs("IMAGE_SCN_ALIGN_8BYTES\n",stdout);
  528.         if(SecH.Characteristics&IMAGE_SCN_ALIGN_16BYTES)
  529.             fputs("IMAGE_SCN_ALIGN_16BYTES\n",stdout);
  530.         if(SecH.Characteristics&IMAGE_SCN_ALIGN_32BYTES)
  531.             fputs("IMAGE_SCN_ALIGN_32BYTES\n",stdout);
  532.         if(SecH.Characteristics&IMAGE_SCN_ALIGN_64BYTES)
  533.             fputs("IMAGE_SCN_ALIGN_64BYTES\n",stdout);
  534.         if(SecH.Characteristics&IMAGE_SCN_ALIGN_128BYTES)
  535.             fputs("IMAGE_SCN_ALIGN_128BYTES\n",stdout);
  536.         if(SecH.Characteristics&IMAGE_SCN_ALIGN_256BYTES)
  537.             fputs("IMAGE_SCN_ALIGN_256BYTES\n",stdout);
  538.         if(SecH.Characteristics&IMAGE_SCN_ALIGN_512BYTES)
  539.             fputs("IMAGE_SCN_ALIGN_512BYTES\n",stdout);
  540.         if(SecH.Characteristics&IMAGE_SCN_ALIGN_1024BYTES)
  541.             fputs("IMAGE_SCN_ALIGN_1024BYTES\n",stdout);
  542.         if(SecH.Characteristics&IMAGE_SCN_ALIGN_2048BYTES)
  543.             fputs("IMAGE_SCN_ALIGN_2048BYTES\n",stdout);
  544.         if(SecH.Characteristics&IMAGE_SCN_ALIGN_4096BYTES)
  545.             fputs("IMAGE_SCN_ALIGN_4096BYTES\n",stdout);
  546.         if(SecH.Characteristics&IMAGE_SCN_ALIGN_8192BYTES)
  547.             fputs("IMAGE_SCN_ALIGN_8192BYTES\n",stdout);
  548.         if(SecH.Characteristics&IMAGE_SCN_LNK_NRELOC_OVFL)
  549.             fputs("IMAGE_SCN_LNK_NRELOC_OVFL\n",stdout);
  550.         if(SecH.Characteristics&IMAGE_SCN_MEM_DISCARDABLE)
  551.             fputs("IMAGE_SCN_MEM_DISCARDABLE\n",stdout);
  552.         if(SecH.Characteristics&IMAGE_SCN_MEM_NOT_CACHED)
  553.             fputs("IMAGE_SCN_MEM_NOT_CACHED\n",stdout);
  554.         if(SecH.Characteristics&IMAGE_SCN_MEM_NOT_PAGED)
  555.             fputs("IMAGE_SCN_MEM_NOT_PAGED\n",stdout);
  556.         if(SecH.Characteristics&IMAGE_SCN_MEM_SHARED)
  557.             fputs("IMAGE_SCN_MEM_SHARED\n",stdout);
  558.         if(SecH.Characteristics&IMAGE_SCN_MEM_EXECUTE)
  559.             fputs("IMAGE_SCN_MEM_EXECUTE\n",stdout);
  560.         if(SecH.Characteristics&IMAGE_SCN_MEM_READ)
  561.             fputs("IMAGE_SCN_MEM_READ\n",stdout);
  562.         if(SecH.Characteristics&IMAGE_SCN_MEM_WRITE)
  563.             fputs("IMAGE_SCN_MEM_WRITE\n",stdout);
  564.     }
  565. }

  566. int main(int argc,char**argv)
  567. {
  568.     FILE*fp;
  569.     if(argc<2)
  570.     {
  571.         Usage();
  572.         return 1;
  573.     }
  574.     fp=fopen(argv[1],"rb");
  575.     if(!fp)
  576.     {
  577.         printf("Unable to open %s.\n",argv[1]);
  578.         return 1;
  579.     }

  580.     //PE文件第一个文件头:DOS EXE头
  581.     ReadDOSH(fp);

  582.     //PE文件第二个头:PE头
  583.     if(g_DOSH.e_lfanew)//如果有新EXE头(PE、LE、NE等)
  584.     {
  585.         DWORD dwMagicNumber;
  586.         fseek(fp,g_DOSH.e_lfanew,SEEK_SET);//转到新EXE头
  587.         fread(&dwMagicNumber,1,sizeof(dwMagicNumber),fp);//读取标记
  588.         if(dwMagicNumber==IMAGE_NT_SIGNATURE)//如果是PE头
  589.         {
  590.             //PE头
  591.             ReadPEH(fp);

  592.             //PE可选标头
  593.             if(g_PEH.SizeOfOptionalHeader)//如果有可选标头
  594.             {
  595.                 IMAGE_OPTIONAL_HEADER32     *pOPT32=NULL;
  596.                 IMAGE_OPTIONAL_HEADER64     *pOPT64=NULL;
  597.                 IMAGE_ROM_OPTIONAL_HEADER   *pROMOPT=NULL;
  598.                 void                        *pBuffer=malloc(g_PEH.SizeOfOptionalHeader);
  599.                 if(pBuffer)
  600.                 {
  601.                     fputs("Optional header:\n",stdout);
  602.                     fread(pBuffer,1,g_PEH.SizeOfOptionalHeader,fp);//读取
  603.                     switch(*(WORD*)pBuffer)//读取魔法数字
  604.                     {
  605.                     case IMAGE_NT_OPTIONAL_HDR32_MAGIC:
  606.                         fputs("-----------------------------32 bit optional header----------------------------\n",stdout);
  607.                         ReadOPT32(fp,(IMAGE_OPTIONAL_HEADER32*)pBuffer);
  608.                         break;
  609.                     case IMAGE_NT_OPTIONAL_HDR64_MAGIC:
  610.                         fputs("-----------------------------64 bit optional header----------------------------\n",stdout);
  611.                         ReadOPT64(fp,(IMAGE_OPTIONAL_HEADER64*)pBuffer);
  612.                         break;
  613.                     case IMAGE_ROM_OPTIONAL_HDR_MAGIC:
  614.                         fputs("-----------------------------Rom optional header-------------------------------\n",stdout);
  615.                         ReadROMOPT(fp,(IMAGE_ROM_OPTIONAL_HEADER*)pBuffer);
  616.                         break;
  617.                     default:
  618.                         fputs("Unknown optional header.\n",stdout);
  619.                         break;
  620.                     }
  621.                     free(pBuffer);
  622.                     ReadSegH(fp);//读取区段
  623.                 }
  624.                 else
  625.                     fputs("No enough memory for reading the optional header.\n",stderr);
  626.             }
  627.         }
  628.         else
  629.             fputs("PrintPE is only for PE files.\n",stderr);
  630.     }
  631.     fclose(fp);
  632.     return 0;
  633. }
复制代码
可以用它来查看EXE、DLL的文件头的细节。也可以通过修改它的源码来实现自己的加壳工具。
EXE下载地址:
PrintPE.exe (56 KB, 下载次数: 2, 售价: 1 个宅币)
这是源码:
PrintPE.7z (23.54 KB, 下载次数: 5, 售价: 10 个宅币)

本帖被以下淘专辑推荐:

回复

使用道具 举报

 楼主| 发表于 2014-4-22 00:22:43 | 显示全部楼层
PE文件的组成:
1、DOS的16位EXE头(Stub)
IMAGE_DOS_HEADER
在WINNT.H有定义。
2、PE头。
IMAGE_FILE_HEADER
在WINNT.H有定义。
3、可选头。定义了程序的入口点等信息
根据情况有以下三种类型:
IMAGE_OPTIONAL_HEADER32
IMAGE_OPTIONAL_HEADER64
IMAGE_ROM_OPTIONAL_HEADER
在WINNT.H有定义。
4、区段头。定义了程序的分段的信息。
IMAGE_SECTION_HEADER
在WINNT.H有定义。
常见区段:
.text:代码段
.data:数据段
.rdata:只读数据段
.bss:未初始化数据段
.reloc:重定向表信息
5、镜像。
所谓镜像就是运行的指令、附带的数据等。
6、资源。
图标、位图、字串表等玩意儿。
回复 赞! 靠!

使用道具 举报

 楼主| 发表于 2014-4-22 00:24:13 | 显示全部楼层
让PrintPE分析自己的PE头:
D:\C\PrintPE\Release>PrintPE.exe PrintPE.exe
--------------------------------DOS .EXE header--------------------------------
Magic number:0x5A4D
Bytes on last page of file:0x0090
Pages in file:0x0003
Relocations:0x0000
Size of header in paragraphs:0x0004
Minimum extra paragraphs needed:0x0000
Maximum extra paragraphs needed:0xFFFF
Initial (relative) SS value:0x0000
Initial SP value:0x00B8
Checksum:0x0000
Initial IP value:0x0000
Initial (relative) CS value:0x0000
File address of relocation table:0x0040
Overlay number:0x0000
OEM identifier (for e_oeminfo):0x0000
OEM information; e_oemid specific:0x0000
File address of new exe header:0x000000C8
----------------------------------PE Header------------------------------------
Machine:Intel 386.
Number of sections:0x0003
Time date stamp:0x53551E51
Pointer to symbol table:0x00000000
Number of symbols:0x00000000
Size of optional header:0x00E0
Characteristics:0x010F
        Relocation info stripped from file.
        File is executable  (i.e. no unresolved externel references).
        Line numbers stripped from file.
        Local symbols stripped from file.
        32 bit word machine.
Optional header:
-----------------------------32 bit optional header----------------------------
Major linker version:0x10B
Minor linker version:0x06
Size of code:0x00000000
Size of initialized data:0x00007000
Size of uninitialized data:0x00007000
Address of entry point:0x00000000
Base of code:0x00002605
Base of data:0x00001000
Image base:0x00008000
Section alignment:0x00400000
File alignment:0x00001000
Major operating system version:0x1000
Minor operating system version:0x0004
Major image version:0x0000
Minor image version:0x0000
Major subsystem version:0x0000
Minor subsystem version:0x0004
Win32 version value:0x00000000
Size of image:0x00000000
Size of headers:0x0000F000
Check sum:0x00001000
Subsystem:0x0000
        Image runs in the Windows character subsystem.
Dll characteristics:0x0000
Size of stack reserve:0x00100000
Size of stack commit:0x00001000
Size of heap reserve:0x00100000
Size of heap commit:0x00001000
Loader flags:0x00000000
Number of RVA and sizes:0x00000010
Data directories:
Export Directory:
Virtual address:0x00000000      Size:0x00000000
Import Directory:
Virtual address:0x000084CC      Size:0x00000028
Resource Directory:
Virtual address:0x00000000      Size:0x00000000
Exception Directory:
Virtual address:0x00000000      Size:0x00000000
Security Directory:
Virtual address:0x00000000      Size:0x00000000
Base Relocation Table:
Virtual address:0x00000000      Size:0x00000000
Debug Directory:
Virtual address:0x00000000      Size:0x00000000
Architecture Specific Data:
Virtual address:0x00000000      Size:0x00000000
RVA of GP:
Virtual address:0x00000000      Size:0x00000000
TLS Directory:
Virtual address:0x00000000      Size:0x00000000
Load Configuration Directory:
Virtual address:0x00000000      Size:0x00000000
Bound Import Directory in headers:
Virtual address:0x00000000      Size:0x00000000
Import Address Table:
Virtual address:0x00008000      Size:0x000000BC
Delay Load Import Descriptors:
Virtual address:0x00000000      Size:0x00000000
COM Runtime descriptor:
Virtual address:0x00000000      Size:0x00000000
Unknown:
Virtual address:0x00000000      Size:0x00000000
--------------------------------Section headers--------------------------------
Name:.text
Physical address\Virtual size:0x00006932
Virtual address:0x00001000
Size of raw data:0x00007000
Pointer to raw data:0x00001000
Pointer to relocations:0x00000000
Pointer to linenumbers:0x00000000
Number of relocations:0x0000
Number of linenumbers:0x0000
Characteristics:0x60000020
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
--------------------------------Section headers--------------------------------
Name:.rdata
Physical address\Virtual size:0x000008D6
Virtual address:0x00008000
Size of raw data:0x00001000
Pointer to raw data:0x00008000
Pointer to relocations:0x00000000
Pointer to linenumbers:0x00000000
Number of relocations:0x0000
Number of linenumbers:0x0000
Characteristics:0x40000040
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
--------------------------------Section headers--------------------------------
Name:.data
Physical address\Virtual size:0x000056E4
Virtual address:0x00009000
Size of raw data:0x00005000
Pointer to raw data:0x00009000
Pointer to relocations:0x00000000
Pointer to linenumbers:0x00000000
Number of relocations:0x0000
Number of linenumbers:0x0000
Characteristics:0xC0000040
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
回复 赞! 靠!

使用道具 举报

发表于 2019-2-16 11:06:15 | 显示全部楼层
顶站长,orz
回复

使用道具 举报

本版积分规则

QQ|Archiver|小黑屋|技术宅的结界 ( 滇ICP备16008837号 )|网站地图

GMT+8, 2024-11-24 15:14 , Processed in 0.042472 second(s), 30 queries , Gzip On.

Powered by Discuz! X3.5

© 2001-2024 Discuz! Team.

快速回复 返回顶部 返回列表