
| #define MAX_LEN 120 #include <Windows.h> #include <stdio.h> #include <string.h>
void ELF_Viewer(FILE* fp);
void PE_Viewer(FILE* fp, FILE* chrfp, FILE* fp2); void DOS_head(FILE* fp); void NT_head(FILE* fp); void Section_head(FILE* fp); long RVA_to_RAW(long RVA); void Import_View(FILE* fp, FILE* chrfp); void Export_View(FILE* fp, FILE* chrfp); void INT_View(FILE* fp); void IAT_View(FILE* fp);
long NTheader_Offset = 1; long NumberOfSections = 1; long ImageBase = 1; long AddressOfEntryPoint = 1; long SectionAlignment = 1; long FileAlignment = 1; long SectionHeader_Offset = 1; long Import_RVA = 1; long Import_Size = 1; long Export_RVA = 1; long Export_Size = 1; long Start_of_section_VA[20] = {1, }; long Size_of_section[20] = {1, }; long Start_of_section_RAW[20] = {1, }; char Import_Module_Name[50][20] = {1, }; long INT_RVA[20] = {1 , }; long IAT_RVA[20] = {1 , }; long Number_Import = 1;
int main(void) { FILE* fp = NULL, *chrfp = NULL, *fp2 = NULL; char file_path[MAX_LEN]; char flag_ELF[4];
printf("请输入文件路径:"); scanf("%s", file_path);
if ((fp = fopen(file_path, "rb")) == NULL) { printf("打开文件<%s>失败\n请重试", file_path); return 0; } chrfp = fopen(file_path, "r"); fp2 = fopen(file_path, "rb"); printf("打开文件<%s>成功\n", file_path);
fseek(fp, 1, SEEK_SET); fread(flag_ELF, 3, 1, fp); flag_ELF[3] = '\0'; fseek(fp, 0, SEEK_SET);
if (!strcmp(flag_ELF, "ELF")) { printf("打开文件为ELF文件\n"); ELF_Viewer(fp); } else { printf("打开文件为PE文件\n"); PE_Viewer(fp, chrfp, fp2); }
fclose(fp); fclose(fp2); fclose(chrfp);
return 0; }
void ELF_Viewer(FILE* fp) {
}
void PE_Viewer(FILE* fp, FILE* chrfp, FILE* fp2) {
DOS_head(fp);
fseek(fp, NTheader_Offset, SEEK_SET); NT_head(fp);
fseek(fp, SectionHeader_Offset, SEEK_SET); Section_head(fp);
fseek(fp, RVA_to_RAW(Import_RVA), SEEK_SET); Import_View(fp, chrfp);
fseek(fp, RVA_to_RAW(Export_RVA), SEEK_SET); Export_View(fp, chrfp);
INT_View(fp);
IAT_View(fp); }
void DOS_head(FILE* fp) { IMAGE_DOS_HEADER dos_header; fread(&dos_header, sizeof(IMAGE_DOS_HEADER), 1, fp); printf("----------------------------------DOS头----------------------------------\n"); printf("-------------------------------------------------------------------------\n"); printf("成员 地址 值\n\n"); printf("魔数 %08lx %x\n", (long)&(dos_header.e_magic) - (long)&dos_header, dos_header.e_magic); printf("文件最后一页的字节数 %08lx %x\n", (long)&(dos_header.e_cblp) - (long)&dos_header, dos_header.e_cblp); printf("文件中的页数 %08lx %x\n", (long)&(dos_header.e_cp) - (long)&dos_header, dos_header.e_cp); printf("重定位 %08lx %x\n", (long)&(dos_header.e_crlc) - (long)&dos_header, dos_header.e_crlc); printf("段头的大小 %08lx %x\n", (long)&(dos_header.e_cparhdr) - (long)&dos_header, dos_header.e_cparhdr); printf("所需额外段落的最小值 %08lx %x\n", (long)&(dos_header.e_minalloc) - (long)&dos_header, dos_header.e_minalloc); printf("所需额外段落的最大值 %08lx %x\n", (long)&(dos_header.e_maxalloc) - (long)&dos_header, dos_header.e_maxalloc); printf("初始(相对)SS值 %08lx %x\n", (long)&(dos_header.e_ss) - (long)&dos_header, dos_header.e_ss); printf("初始sp值 %08lx %x\n", (long)&(dos_header.e_sp) - (long)&dos_header, dos_header.e_sp); printf("校验和 %08lx %x\n", (long)&(dos_header.e_csum) - (long)&dos_header, dos_header.e_csum); printf("初始IP值 %08lx %x\n", (long)&(dos_header.e_ip) - (long)&dos_header, dos_header.e_ip); printf("初始(相对)CS值 %08lx %x\n", (long)&(dos_header.e_cs) - (long)&dos_header, dos_header.e_cs); printf("重定位表的文件地址 %08lx %x\n", (long)&(dos_header.e_lfarlc) - (long)&dos_header, dos_header.e_lfarlc); printf("叠加层数 %08lx %x\n", (long)&(dos_header.e_ovno) - (long)&dos_header, dos_header.e_ovno); printf("保留字 %08lx %x %x %x %x\n", (long)dos_header.e_res - (long)&dos_header, dos_header.e_res[0], dos_header.e_res[1], dos_header.e_res[2], dos_header.e_res[3]); printf("OEM标识符 %08lx %x\n", (long)&(dos_header.e_oemid) - (long)&dos_header, dos_header.e_oemid); printf("OEM信息 %08lx %x\n", (long)&(dos_header.e_oeminfo) - (long)&dos_header, dos_header.e_oeminfo); printf("保留字2 %08lx %x %x %x %x %x %x %x %x %x %x\n", (long)dos_header.e_res2 - (long)&dos_header, dos_header.e_res2[0], dos_header.e_res2[1], dos_header.e_res2[2], dos_header.e_res2[3], dos_header.e_res2[4], dos_header.e_res2[5], dos_header.e_res2[6], dos_header.e_res2[7], dos_header.e_res2[8], dos_header.e_res2[9]); printf("下一个文件头地址 %08lx %x\n", (long)&(dos_header.e_lfanew) - (long)&dos_header, dos_header.e_lfanew); NTheader_Offset = dos_header.e_lfanew; printf("-------------------------------------------------------------------------\n"); printf("\n按回车键继续...\n"); getchar(); } void NT_head(FILE* fp) { int option; IMAGE_NT_HEADERS32 nt_header; fread(&nt_header, sizeof(IMAGE_NT_HEADERS32), 1, fp); printf("----------------------------------NT头----------------------------------\n"); printf("-------------------------------------------------------------------------\n"); printf("成员 地址 值\n\n"); printf("NT头签名 %08lx %08lx\n", (long)&nt_header.Signature - (long)&nt_header + NTheader_Offset, nt_header.Signature); printf("文件头 %08lx \n", (long)&nt_header.FileHeader - (long)&nt_header + NTheader_Offset); printf("可选头 %08lx \n", (long)&nt_header.OptionalHeader - (long)&nt_header + NTheader_Offset); printf("-------------------------------------------------------------------------\n"); printf("----------------------------------文件头----------------------------------\n"); printf("-------------------------------------------------------------------------\n"); printf("成员 地址 值\n\n"); printf("机器 %08lx %04x\n", (long)&nt_header.FileHeader.Machine - (long)&nt_header + NTheader_Offset, nt_header.FileHeader.Machine); printf("节区数 %08lx %04x\n", (long)&nt_header.FileHeader.NumberOfSections - (long)&nt_header + NTheader_Offset, nt_header.FileHeader.NumberOfSections); printf("时间戳 %08lx %08lx\n", (long)&nt_header.FileHeader.TimeDateStamp - (long)&nt_header + NTheader_Offset, nt_header.FileHeader.TimeDateStamp); printf("符号表偏移量 %08lx %08lx\n", (long)&nt_header.FileHeader.PointerToSymbolTable - (long)&nt_header + NTheader_Offset, nt_header.FileHeader.PointerToSymbolTable); printf("符号表中的符号数 %08lx %08lx\n", (long)&nt_header.FileHeader.NumberOfSymbols - (long)&nt_header + NTheader_Offset, nt_header.FileHeader.NumberOfSymbols); printf("可选头大小 %08lx %08lx\n", (long)&nt_header.FileHeader.SizeOfOptionalHeader - (long)&nt_header + NTheader_Offset, nt_header.FileHeader.SizeOfOptionalHeader); printf("映射特征 %08lx %08lx\n", (long)&nt_header.FileHeader.Characteristics - (long)&nt_header + NTheader_Offset, nt_header.FileHeader.Characteristics); printf("-------------------------------------------------------------------------\n"); printf("----------------------------------可选头----------------------------------\n"); printf("-------------------------------------------------------------------------\n"); printf("成员 地址 值\n\n"); printf("魔数 %08lx %04x\n", (long)&nt_header.OptionalHeader.Magic - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.Magic); printf("链接器主版本 %08lx %.2x\n", (long)&nt_header.OptionalHeader.MajorLinkerVersion - (long)&nt_header + NTheader_Offset, *((unsigned char* ) & nt_header.OptionalHeader.MajorLinkerVersion)); printf("链接器次版本 %08lx %.2x\n", (long)&nt_header.OptionalHeader.MinorLinkerVersion - (long)&nt_header + NTheader_Offset, *((unsigned char* ) & nt_header.OptionalHeader.MinorLinkerVersion)); printf("代码段的大小 %08lx %08lx\n", (long)&nt_header.OptionalHeader.SizeOfCode - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.SizeOfCode); printf("已初始化数据段大小 %08lx %08lx\n", (long)&nt_header.OptionalHeader.SizeOfInitializedData - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.SizeOfInitializedData); printf("未初始化数据段大小 %08lx %08lx\n", (long)&nt_header.OptionalHeader.SizeOfUninitializedData - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.SizeOfUninitializedData); printf("入口函数指针 %08lx %08lx\n", (long)&nt_header.OptionalHeader.AddressOfEntryPoint - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.AddressOfEntryPoint); printf("代码段基址 %08lx %08lx\n", (long)&nt_header.OptionalHeader.BaseOfCode - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.BaseOfCode); printf("数据段基址 %08lx %08lx\n", (long)&nt_header.OptionalHeader.BaseOfData - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.BaseOfData); printf("基址 %08lx %08lx\n", (long)&nt_header.OptionalHeader.ImageBase - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.ImageBase); printf("节对齐量 %08lx %08lx\n", (long)&nt_header.OptionalHeader.SectionAlignment - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.SectionAlignment); printf("文件对齐量 %08lx %08lx\n", (long)&nt_header.OptionalHeader.FileAlignment - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.FileAlignment); printf("系统主版本 %08lx %04x\n", (long)&nt_header.OptionalHeader.MajorOperatingSystemVersion - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.MajorOperatingSystemVersion); printf("系统次版本 %08lx %04x\n", (long)&nt_header.OptionalHeader.MinorOperatingSystemVersion - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.MinorOperatingSystemVersion); printf("映像主版本 %08lx %04x\n", (long)&nt_header.OptionalHeader.MajorImageVersion - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.MajorImageVersion); printf("映像次版本 %08lx %04x\n", (long)&nt_header.OptionalHeader.MinorImageVersion - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.MinorImageVersion); printf("子系统主版本 %08lx %04x\n", (long)&nt_header.OptionalHeader.MajorSubsystemVersion - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.MajorSubsystemVersion); printf("子系统次版本 %08lx %04x\n", (long)&nt_header.OptionalHeader.MinorSubsystemVersion - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.MinorSubsystemVersion); printf("保留成员 %08lx %08lx\n", (long)&nt_header.OptionalHeader.Win32VersionValue - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.Win32VersionValue); printf("映像大小 %08lx %08lx\n", (long)&nt_header.OptionalHeader.SizeOfImage - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.SizeOfImage); printf("头总大小 %08lx %08lx\n", (long)&nt_header.OptionalHeader.SizeOfHeaders - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.SizeOfHeaders); printf("校验和 %08lx %08lx\n", (long)&nt_header.OptionalHeader.CheckSum - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.CheckSum); printf("子系统 %08lx %04x\n", (long)&nt_header.OptionalHeader.Subsystem - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.Subsystem); printf("DLL特征 %08lx %04x\n", (long)&nt_header.OptionalHeader.DllCharacteristics - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DllCharacteristics); printf("堆栈保留大小 %08lx %08lx\n", (long)&nt_header.OptionalHeader.SizeOfStackReserve - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.SizeOfStackReserve); printf("堆栈提交大小 %08lx %08lx\n", (long)&nt_header.OptionalHeader.SizeOfStackCommit - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.SizeOfStackCommit); printf("本地保留大小 %08lx %08lx\n", (long)&nt_header.OptionalHeader.SizeOfHeapReserve - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.SizeOfHeapReserve); printf("本地提交大小 %08lx %08lx\n", (long)&nt_header.OptionalHeader.SizeOfHeapCommit - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.SizeOfHeapCommit); printf("无用成员 %08lx %08lx\n", (long)&nt_header.OptionalHeader.LoaderFlags - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.LoaderFlags); printf("可选头其余条目数 %08lx %08lx\n", (long)&nt_header.OptionalHeader.NumberOfRvaAndSizes - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.NumberOfRvaAndSizes); printf("映射数据表 %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory - (long)&nt_header + NTheader_Offset); printf("-------------------------------------------------------------------------\n"); printf("----------------------------------DataDirectory----------------------------------\n"); printf("-------------------------------------------------------------------------\n"); printf("成员 地址 值\n\n"); printf("导出表RVA %08lx %08lx\n", (long) & nt_header.OptionalHeader.DataDirectory[0].VirtualAddress - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[0].VirtualAddress); printf("导出表大小 %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[0].Size - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[0].Size); printf("导入表RVA %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[1].VirtualAddress - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[1].VirtualAddress); printf("导入表大小 %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[1].Size - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[1].Size); printf("异常表RVA %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[2].VirtualAddress - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[2].VirtualAddress); printf("异常表大小 %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[2].Size - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[2].Size); printf("资源表RVA %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[3].VirtualAddress - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[3].VirtualAddress); printf("资源表大小 %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[3].Size - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[3].Size); printf("证书表RVA %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[4].VirtualAddress - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[4].VirtualAddress); printf("证书表大小 %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[4].Size - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[4].Size); printf("基址重定位表RVA %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[5].VirtualAddress - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[5].VirtualAddress); printf("基址重定位表大小 %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[5].Size - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[5].Size); printf("调试信息RVA %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[6].VirtualAddress - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[6].VirtualAddress); printf("调试信息大小 %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[6].Size - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[6].Size); printf("特定体系结构数据RVA %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[7].VirtualAddress - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[7].VirtualAddress); printf("特定体系结构数据大小 %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[7].Size - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[7].Size); printf("全局指针寄存器RVA %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[8].VirtualAddress - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[8].VirtualAddress); printf("全局指针寄存器大小 %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[8].Size - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[8].Size); printf("TLS表RVA %08lx %08x\n", (long)&nt_header.OptionalHeader.DataDirectory[9].VirtualAddress - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[9].VirtualAddress); printf("TLS表大小 %08lx %08x\n", (long)&nt_header.OptionalHeader.DataDirectory[9].Size - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[9].Size); printf("加载配置表RVA %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[10].VirtualAddress - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[10].VirtualAddress); printf("加载配置表大小 %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[10].Size - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[10].Size); printf("绑定导入表RVA %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[11].VirtualAddress - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[11].VirtualAddress); printf("绑定导入表大小 %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[11].Size - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[11].Size); printf("导入地址表RVA %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[12].VirtualAddress - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[12].VirtualAddress); printf("导入地址表大小 %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[12].Size - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[12].Size); printf("延迟导入表RVA %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[13].VirtualAddress - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[13].VirtualAddress); printf("延迟导入表大小 %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[13].Size - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[13].Size); printf("CLR运行时头部数据RVA %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[14].VirtualAddress - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[14].VirtualAddress); printf("CLR运行时头部数据大小 %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[14].Size - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[14].Size); printf("保留RVA %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[15].VirtualAddress - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[15].VirtualAddress); printf("保留大小 %08lx %08lx\n", (long)&nt_header.OptionalHeader.DataDirectory[15].Size - (long)&nt_header + NTheader_Offset, nt_header.OptionalHeader.DataDirectory[15].Size); printf("-------------------------------------------------------------------------\n"); printf("\n按回车键继续\n"); getchar(); NumberOfSections = nt_header.FileHeader.NumberOfSections; SectionHeader_Offset = (long)&nt_header.OptionalHeader.Magic - (long)&nt_header + NTheader_Offset + nt_header.FileHeader.SizeOfOptionalHeader; SectionAlignment = nt_header.OptionalHeader.SectionAlignment; FileAlignment = nt_header.OptionalHeader.FileAlignment; ImageBase = nt_header.OptionalHeader.ImageBase; AddressOfEntryPoint = nt_header.OptionalHeader.AddressOfEntryPoint; Import_RVA = nt_header.OptionalHeader.DataDirectory[1].VirtualAddress; Import_Size = nt_header.OptionalHeader.DataDirectory[1].Size; Export_RVA = nt_header.OptionalHeader.DataDirectory[0].VirtualAddress; Export_Size = nt_header.OptionalHeader.DataDirectory[1].Size; } void Section_head(FILE* fp) { long i; IMAGE_SECTION_HEADER sh; for (i = 0; i < NumberOfSections; i++) { fread(&sh, sizeof(IMAGE_SECTION_HEADER), 1, fp);
printf("----------------------------------%s节区头----------------------------------\n", sh.Name); printf("-------------------------------------------------------------------------\n"); printf("成员 地址 值\n"); printf("-------------------------------------------------------------------------\n"); printf("名称 %08lx %s\n", (long)sh.Name - (long)&sh + SectionHeader_Offset + (long)sizeof(IMAGE_SECTION_HEADER) * i, sh.Name); printf("加载至内存的虚拟大小 %08lx %08lx\n", (long)&sh.Misc.VirtualSize - (long)&sh + SectionHeader_Offset + (long)sizeof(IMAGE_SECTION_HEADER) * i, sh.Misc.VirtualSize); printf("RVA %08lx %08lx\n", (long)&sh.VirtualAddress - (long)&sh + SectionHeader_Offset + (long)sizeof(IMAGE_SECTION_HEADER) * i, sh.VirtualAddress); printf("对齐后的尺寸 %08lx %08lx\n", (long)&sh.SizeOfRawData - (long)&sh + SectionHeader_Offset + (long)sizeof(IMAGE_SECTION_HEADER) * i, sh.SizeOfRawData); printf("RAW %08lx %08lx\n", (long)&sh.PointerToRawData - (long)&sh + SectionHeader_Offset + (long)sizeof(IMAGE_SECTION_HEADER) * i, sh.PointerToRawData); printf("重定位偏移 %08lx %08lx\n", (long)&sh.PointerToRelocations - (long)&sh + SectionHeader_Offset + (long)sizeof(IMAGE_SECTION_HEADER) * i, sh.PointerToRelocations); printf("行号表偏移 %08lx %08lx\n", (long)&sh.PointerToLinenumbers - (long)&sh + SectionHeader_Offset + (long)sizeof(IMAGE_SECTION_HEADER) * i, sh.PointerToLinenumbers); printf("重定位项数 %08lx %04x\n", (long)&sh.NumberOfRelocations - (long)&sh + SectionHeader_Offset + (long)sizeof(IMAGE_SECTION_HEADER) * i, sh.NumberOfRelocations); printf("行号表行数 %08lx %04x\n", (long)&sh.NumberOfLinenumbers - (long)&sh + SectionHeader_Offset + (long)sizeof(IMAGE_SECTION_HEADER) * i, sh.NumberOfLinenumbers); printf("节区属性 %08lx %08lx\n", (long)&sh.Characteristics - (long)&sh + SectionHeader_Offset + (long)sizeof(IMAGE_SECTION_HEADER) * i, sh.Characteristics); printf("-------------------------------------------------------------------------\n"); Start_of_section_VA[i] = sh.VirtualAddress; Start_of_section_RAW[i] = sh.PointerToRawData; Size_of_section[i] = sh.Misc.VirtualSize; } printf("\n按回车键继续...\n"); getchar(); } void Import_View(FILE* fp, FILE* chrfp) { int i; IMAGE_IMPORT_DESCRIPTOR IID; long Import_RAW = RVA_to_RAW(Import_RVA);
Number_Import = 0;
printf("----------------------------------导出表----------------------------------\n"); if (Import_Size == 0) { printf("由于Size为0, 所以导入表为空\n"); printf("\n按回车键继续\n"); getchar(); return; }
printf("----------------------------------导入表----------------------------------\n"); for (i = 0; i < 20; i++) { fread(&IID, sizeof(IMAGE_IMPORT_DESCRIPTOR), 1, fp); if (!IID.OriginalFirstThunk) return; fseek(chrfp, RVA_to_RAW(IID.Name), SEEK_SET); fscanf(chrfp, "%s", Import_Module_Name[i]); printf("----------------------------------%s导入描述符----------------------------------\n", Import_Module_Name[i]); printf("成员 文件偏移 值\n"); printf("-------------------------------------------------------------------------\n"); printf("INT名称表的RVA %08lx %08lx\n", (long) & IID.OriginalFirstThunk - (long) & IID + Import_RAW + i * sizeof(IMAGE_IMPORT_DESCRIPTOR), IID.OriginalFirstThunk); printf("日期戳 %08lx %08lx\n", (long)&IID.TimeDateStamp - (long)&IID + Import_RAW + i * sizeof(IMAGE_IMPORT_DESCRIPTOR), IID.TimeDateStamp); printf("ForwarderChain %08lx %08lx\n", (long)&IID.ForwarderChain - (long)&IID + Import_RAW + i * sizeof(IMAGE_IMPORT_DESCRIPTOR), IID.ForwarderChain); printf("导入映像名称指针 %08lx %08lx\n", (long)&IID.Name - (long)&IID + Import_RAW + i * sizeof(IMAGE_IMPORT_DESCRIPTOR), IID.Name); printf("IAT地址表的RVA %08lx %08lx\n", (long)&IID.FirstThunk - (long)&IID + Import_RAW + i * sizeof(IMAGE_IMPORT_DESCRIPTOR), IID.FirstThunk); printf("-------------------------------------------------------------------------\n"); INT_RVA[i] = IID.OriginalFirstThunk; IAT_RVA[i] = IID.FirstThunk; Number_Import++; } printf("\n按回车键继续\n"); getchar(); } void INT_View(FILE* fp) { long i, j = 1, tmp; long IIBN_RVA; for (i = 0; i < Number_Import; i++) { tmp = RVA_to_RAW(INT_RVA[i]); fseek(fp, tmp, SEEK_SET); fread(&IIBN_RVA, 4, 1, fp); printf("----------------------------------<%02ld>INT----------------------------------\n", i + 1); printf("成员 文件偏移 值\n"); printf("-------------------------------------------------------------------------\n"); while (IIBN_RVA) { printf("%04d %08lx %08lx\n", j, tmp + 4 * (j - 1), IIBN_RVA); fread(&IIBN_RVA, 4, 1, fp); j++; } }
printf("\n按回车键继续\n"); getchar(); } void IAT_View(FILE* fp) { long i, j = 1, tmp; long RVA;
for (i = 0; i < Number_Import; i++) { tmp = RVA_to_RAW(IAT_RVA[i]); fseek(fp, tmp, SEEK_SET); fread(&RVA, 4, 1, fp); printf("----------------------------------<%02ld>IAT----------------------------------\n", i + 1); printf("成员 文件偏移 值\n"); printf("-------------------------------------------------------------------------\n"); while (RVA) { printf("%04ld %08lx %08lx\n", j, tmp + 4 * (j - 1), RVA); fread(&RVA, 4, 1, fp); j++; } } } void Export_View(FILE* fp, FILE* chrfp) { IMAGE_EXPORT_DIRECTORY IED; long Export_RAW; printf("----------------------------------导出表----------------------------------\n"); if (Export_Size == 0) { printf("由于Size为0, 所以导入表为空\n"); printf("\n按回车键继续\n"); getchar(); return; }
Export_RAW = RVA_to_RAW(Export_RVA); fseek(fp, Export_RAW, SEEK_SET); fread(&IED, sizeof(IMAGE_EXPORT_DIRECTORY), 1, fp);
printf("----------------------------------导出描述符----------------------------------\n"); printf("成员 文件偏移 值\n"); printf("未使用 %08lx %08lx\n", (long)&IED.Characteristics - (long)&IED + Export_RAW, IED.Characteristics); printf("时间戳 %08lx %08lx\n", (long)&IED.TimeDateStamp - (long)&IED + Export_RAW, IED.TimeDateStamp); printf("未使用 %08lx %04x\n", (long)&IED.MajorVersion - (long)&IED + Export_RAW, IED.MajorVersion); printf("未使用 %08lx %04x\n", (long)&IED.MinorVersion - (long)&IED + Export_RAW, IED.MinorVersion); printf("导出表文件名指针 %08lx %08lx\n", (long)&IED.Name - (long)&IED + Export_RAW, IED.Name); printf("导出表的起始序号 %08lx %08lx\n", (long)&IED.Base - (long)&IED + Export_RAW, IED.Base); printf("导出函数个数 %08lx %08lx\n", (long)&IED.NumberOfFunctions - (long)&IED + Export_RAW, IED.NumberOfFunctions); printf("以函数名导出函数个数 %08lx %08lx\n", (long)&IED.NumberOfNames - (long)&IED + Export_RAW, IED.NumberOfNames); printf("EAT_RVA %08lx %08lx\n", (long)&IED.AddressOfFunctions - (long)&IED + Export_RAW, IED.AddressOfFunctions); printf("ENT_RVA %08lx %08lx\n", (long)&IED.AddressOfNames - (long)&IED + Export_RAW, IED.AddressOfNames); printf("导出函数序号表 %08lx %08lx\n", (long)&IED.AddressOfNameOrdinals - (long)&IED + Export_RAW, IED.AddressOfNameOrdinals); printf("-------------------------------------------------------------------------\n");
printf("\n请按回车键继续\n"); getchar(); }
long RVA_to_RAW(long RVA) { long RAW, i; for (i = 0; i < NumberOfSections; i++) { if (RVA >= Start_of_section_VA[i] && RVA <= Start_of_section_VA[i] + Size_of_section[i]) { RAW = RVA - Start_of_section_VA[i] + Start_of_section_RAW[i]; return RAW; } } return 0; }
|