devbox
我家自动化
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

PE文件(三)节表作业

作者:我家自动化 | 2024-04-29 12:34:12

PE文件(三)节表作业

本次作业以notepad进行演示,如下是其在硬盘上的内存

1.手动解析节表

由标准pe头可知,一共由7个节也就是7个节表,可选pe头的大小是0X00F0,即240字节大小

根据上述我们所获取的信息,找到节表的首地址为0x01F8

.text

#define IMAGE_SIZEOF_SHORT_NAME  8 //宏定义    
typedef struct _IMAGE_SECTION_HEADER{
    BYTE Name[IMAGE_SIZEOF_SHORT_NAME];  0X000000747865742E
    union{
        DWORD   PhysicalAddress;
        DWORD   VirtualSize;
    }Misc;  0X00027D02
    DWORD VirtualAddress;  0X00001000
    DWORD SizeOfRawData;  0X00028000
    DWORD PointerToRawData; 0X00001000
    DWORD PointerToRelocations; 0X00000000
    DWORD PointerToLinenumbers;0X00000000
    WORD NumberOfRelocations; 0X0000
    WORD NumberOfLinenumbers;0X0000
    DWORD Characteristics;  0X60000020
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
 

.rdata

#define IMAGE_SIZEOF_SHORT_NAME 8 
typedef struct _IMAGE_SECTION_HEADER{
    BYTE Name[IMAGE_SIZEOF_SHORT_NAME];  0X000061746164722E
    union{
        DWORD   PhysicalAddress;
        DWORD   VirtualSize;
    }Misc;  0X0000A608
    DWORD VirtualAddress;  0X00029000
    DWORD SizeOfRawData; 0X0000B000
    DWORD PointerToRawData; 0X00029000
    DWORD PointerToRelocations; 0X00000000
    DWORD PointerToLinenumbers; 0X00000000
    WORD NumberOfRelocations; 0X0000
    WORD NumberOfLinenumbers; 0X0000
    DWORD Characteristics;  0X40000040
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
 

.data

#define IMAGE_SIZEOF_SHORT_NAME 8
typedef struct _IMAGE_SECTION_HEADER{
    BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; 0X000000617464642E
    union{
        DWORD   PhysicalAddress;
        DWORD   VirtualSize;
    }Misc;  000026C0
    DWORD VirtualAddress;  0X00034000
    DWORD SizeOfRawData; 0X00001000
    DWORD PointerToRawData; 0X00034000
    DWORD PointerToRelocations; 0X00000000
    DWORD PointerToLinenumbers; 0X00000000
    WORD NumberOfRelocations; 0X0000
    WORD NumberOfLinenumbers;0X0000
    DWORD Characteristics; 0XC0000040
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
 

由于该文件所有节过多,此处不再多演示,具体操作都是一样的。

2.控制台输出解析所有节表

  1. #include<stdio.h>
  2. #include<Windows.h>
  3.  
  4. char* ReadPEFile(const char* lpszFile)
  5. {
  6. 	FILE* pFile = NULL;
  7. 	pFile = fopen(lpszFile, "rb");
  8. 	DWORD fileSize = 0;
  9. 	char* pFileBuffer = NULL;
  10. 	if (!pFile)
  11. 	{
  12. 		printf("无法打开EXE文件");
  13. 		return NULL;
  14. 	}
  15. 	fseek(pFile, 0, SEEK_END);
  16. 	fileSize = ftell(pFile);
  17. 	fseek(pFile, 0, SEEK_SET);
  18. 	pFileBuffer = (char*)malloc(sizeof(char)*fileSize);
  19. 	if (!pFileBuffer)
  20. 	{
  21. 		printf("分配空间失败");
  22. 		fclose(pFile);
  23. 		return NULL;
  24. 	}
  25. 	size_t i = fread(pFileBuffer, fileSize, 1, pFile);
  26. 	if (!i)
  27. 	{
  28. 		printf("读取数据失败!");
  29. 		free(pFileBuffer);
  30. 		fclose(pFile);
  31. 		return NULL;
  32. 	}
  33. 	fclose(pFile);
  34. 	return pFileBuffer;
  35. }
  36. BOOL PrintNTHeaders(const char* lpszFile)
  37. {
  38. 	IMAGE_DOS_HEADER  *pDosHeader;
  39. 	IMAGE_NT_HEADERS *pNTHeader;
  40. 	IMAGE_FILE_HEADER *pPEHeader;
  41. 	IMAGE_SECTION_HEADER *pSecHeader;
  42. 	int i = 0;
  43. 	char* pFileBuffer = ReadPEFile(lpszFile);
  44. 	pDosHeader = (IMAGE_DOS_HEADER*)pFileBuffer;
  45. 	if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
  46. 	{
  47. 		printf("不是有效MZ标志,打印结束\n");
  48. 		free(pFileBuffer);
  49. 		pFileBuffer = NULL;
  50. 		return FALSE;
  51. 	}
  52. 	pNTHeader = (IMAGE_NT_HEADERS*)((char*)pFileBuffer + pDosHeader->e_lfanew);
  53. 	if (pNTHeader->Signature != IMAGE_NT_SIGNATURE)
  54. 	{
  55. 		printf("不是有效的PE标志,打印结束\n");
  56. 		free(pFileBuffer);
  57. 		pFileBuffer = NULL;
  58. 		return FALSE;
  59. 	}
  60. 	pPEHeader = (IMAGE_FILE_HEADER*)((char*)pNTHeader + 4);
  61. 	printf("NumberOfSections(节表的数量):%04X\n", pPEHeader->NumberOfSections);
  62. 	printf("SizeOfOptionalHeader(可选pe头的大小):%04X\n", pPEHeader->SizeOfOptionalHeader); 
  63. 	printf("\n");
  64. 	printf("节表信息解析开始");
  65. 	pSecHeader = (IMAGE_SECTION_HEADER*)((char*)pPEHeader + sizeof(_IMAGE_FILE_HEADER) + pPEHeader->SizeOfOptionalHeader);
  66. 	for (int i = 0; i < pPEHeader->NumberOfSections; i++)
  67. 	{	
  68. 		char SecName[9] = "\0";
  69. 		printf("这是第%d个节表\n", i+1);
  70. 		char* Name = (char*)pSecHeader->Name;
  71. 		strcpy(SecName, Name);
  72. 		printf("Name:%s\n", SecName);
  73. 		printf("VirtualSize:%08X\n", pSecHeader->Misc.VirtualSize);
  74. 		printf("VirtualAddress:%08X\n", pSecHeader->VirtualAddress);
  75. 		printf("SizeOfRawData:%08X\n", pSecHeader->SizeOfRawData);
  76. 		printf("PointerToRawData:%08X\n", pSecHeader->PointerToRawData);
  77. 		printf("Characteristics:%08X\n", pSecHeader->Characteristics);
  78. 		printf("\n");
  79. 		pSecHeader++;
  80. 	}
  81. 	free(pFileBuffer);
  82. 	pFileBuffer = NULL;
  83. 	return TRUE;
  84. }
  85. int main(int argc, char* argv[])
  86. {
  87. 	const char* lpszFile = "C:\\Windows\\notepad.exe";
  88. 	PrintNTHeaders(lpszFile);
  89. 	return 0;
  90. }

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/我家自动化/article/detail/507774
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号