#define MAX_LEN 120
#include <Windows.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Viewer for ELF input; its definition in this file has an empty body. */
void ELF_Viewer(FILE* fp);
/* Runs the PE viewers in order: DOS header, NT headers, section headers, imports, exports, INT, IAT. */
void PE_Viewer(FILE* fp, FILE* chrfp, FILE* fp2);
/* Prints IMAGE_DOS_HEADER and records e_lfanew in NTheader_Offset. */
void DOS_head(FILE* fp);
/* Prints IMAGE_NT_HEADERS32 and records the section/import/export globals below. */
void NT_head(FILE* fp);
/* Prints each IMAGE_SECTION_HEADER and fills the three per-section arrays below. */
void Section_head(FILE* fp);
/* Maps an RVA to a file offset through the per-section arrays; returns 0 when no section matches. */
long RVA_to_RAW(long RVA);
/* Prints the import descriptors; module names are read through chrfp. */
void Import_View(FILE* fp, FILE* chrfp);
/* Prints IMAGE_EXPORT_DIRECTORY. */
void Export_View(FILE* fp, FILE* chrfp);
/* Prints the thunk values found at each INT_RVA entry. */
void INT_View(FILE* fp);
/* Prints the thunk values found at each IAT_RVA entry. */
void IAT_View(FILE* fp);

/*
 * Parser state shared between the viewers. Every value below is copied from
 * the file being inspected, so it is untrusted input to whoever reads it next.
 */
long NTheader_Offset = 1;       /* e_lfanew, written by DOS_head */
long NumberOfSections = 1;      /* FileHeader.NumberOfSections, written by NT_head */
long ImageBase = 1;             /* OptionalHeader.ImageBase, written by NT_head */
long AddressOfEntryPoint = 1;   /* OptionalHeader.AddressOfEntryPoint, written by NT_head */
long SectionAlignment = 1;      /* OptionalHeader.SectionAlignment, written by NT_head */
long FileAlignment = 1;         /* OptionalHeader.FileAlignment, written by NT_head */
long SectionHeader_Offset = 1;  /* file offset of the first section header, computed by NT_head */
long Import_RVA = 1;            /* import data directory, written by NT_head */
long Import_Size = 1;
long Export_RVA = 1;            /* export data directory, written by NT_head */
long Export_Size = 1;
/* Per-section tables filled by Section_head and read by RVA_to_RAW; 20 entries each. */
long Start_of_section_VA[20] = {1, };
long Size_of_section[20] = {1, };
long Start_of_section_RAW[20] = {1, };
/*
 * One row per imported module: 50 rows, each with room for 19 characters plus
 * the terminator.
 * NOTE(review): the viewers index at most 20 rows, so the two dimensions may
 * have been meant the other way round (20 names of 50 bytes) - confirm.
 */
char Import_Module_Name[50][20] = {1, };
/* OriginalFirstThunk / FirstThunk of each import descriptor, filled by Import_View. */
long INT_RVA[20] = {1 , };
long IAT_RVA[20] = {1 , };
/* Number of descriptors stored in the three import tables above. */
long Number_Import = 1;
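/**
 * Entry point: prompt for a file path, open the file and dispatch to the ELF
 * or PE viewer based on its first bytes.
 *
 * The path and the file contents are both untrusted input:
 *  - the path is read with fgets so it cannot overrun file_path (the previous
 *    scanf("%s") had no width limit); fgets also consumes the trailing newline,
 *    so the first "press Enter" pause in the viewers really waits;
 *  - all three handles are opened in binary mode and checked, because text mode
 *    on Windows translates bytes and makes fseek offsets unreliable;
 *  - the magic bytes are only compared after a successful read, and a file that
 *    is neither ELF nor MZ is rejected instead of being parsed as PE.
 *
 * @return 0 when a viewer ran, 1 on any input or open failure.
 */
int main(void)
{
    FILE *fp = NULL, *chrfp = NULL, *fp2 = NULL;
    char file_path[MAX_LEN];
    unsigned char magic[4] = {0};
    int rc = 1;

    printf("请输入文件路径:");
    if (fgets(file_path, sizeof file_path, stdin) == NULL) {
        return 1;
    }
    file_path[strcspn(file_path, "\r\n")] = '\0';

    if ((fp = fopen(file_path, "rb")) == NULL) {
        printf("打开文件<%s>失败\n请重试", file_path);
        return 1;
    }
    /* Extra handles on the same file; the PE viewer uses chrfp for name lookups. */
    chrfp = fopen(file_path, "rb");
    fp2 = fopen(file_path, "rb");
    if (chrfp == NULL || fp2 == NULL) {
        printf("打开文件<%s>失败\n请重试", file_path);
        goto out;
    }
    printf("打开文件<%s>成功\n", file_path);

    if (fread(magic, 1, sizeof magic, fp) != sizeof magic || fseek(fp, 0, SEEK_SET) != 0) {
        printf("读取文件头失败\n");
        goto out;
    }

    /* Bytes 1..3 of an ELF file are "ELF"; a PE file starts with "MZ". */
    if (memcmp(magic + 1, "ELF", 3) == 0) {
        printf("打开文件为ELF文件\n");
        ELF_Viewer(fp);
        rc = 0;
    } else if (magic[0] == 'M' && magic[1] == 'Z') {
        printf("打开文件为PE文件\n");
        PE_Viewer(fp, chrfp, fp2);
        rc = 0;
    } else {
        printf("无法识别的文件格式\n");
    }

out:
    /* fclose(NULL) is undefined, so only close what was opened. */
    if (fp2 != NULL) {
        fclose(fp2);
    }
    if (chrfp != NULL) {
        fclose(chrfp);
    }
    fclose(fp);
    return rc;
}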
/*
 * ELF viewing is not implemented: the function accepts the stream and returns
 * without reading from it or printing anything.
 */
void ELF_Viewer(FILE* fp)
{
    (void)fp;
}
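/*
 * Drive the PE viewers in order: DOS header, NT headers, section headers,
 * import descriptors, export directory, then the INT and IAT thunk tables.
 *
 * Every offset used here was read from the file being inspected, so each seek
 * is checked: a non-positive or unreachable offset stops the walk instead of
 * letting the next viewer parse whatever bytes the stream happens to be on.
 * RVA_to_RAW returns 0 when an RVA is not inside any section; a non-empty
 * import or export directory that maps to 0 is skipped rather than read from
 * the start of the file.
 *
 * fp     stream the headers and tables are read from
 * chrfp  second handle on the same file, passed to the import/export viewers
 * fp2    third handle; not used by any viewer
 */
void PE_Viewer(FILE* fp, FILE* chrfp, FILE* fp2)
{
    long import_raw, export_raw;

    (void)fp2;

    DOS_head(fp);

    if (NTheader_Offset <= 0 || fseek(fp, NTheader_Offset, SEEK_SET) != 0) {
        printf("无法定位NT头\n");
        return;
    }
    NT_head(fp);

    if (SectionHeader_Offset <= 0 || fseek(fp, SectionHeader_Offset, SEEK_SET) != 0) {
        printf("无法定位节区头\n");
        return;
    }
    Section_head(fp);

    import_raw = RVA_to_RAW(Import_RVA);
    if (Import_Size != 0 && (import_raw == 0 || fseek(fp, import_raw, SEEK_SET) != 0)) {
        printf("无法定位导入表\n");
        Number_Import = 0; /* keeps INT_View / IAT_View from walking stale entries */
    } else {
        Import_View(fp, chrfp);
    }

    export_raw = RVA_to_RAW(Export_RVA);
    if (Export_Size != 0 && (export_raw == 0 || fseek(fp, export_raw, SEEK_SET) != 0)) {
        printf("无法定位导出表\n");
    } else {
        Export_View(fp, chrfp);
    }

    INT_View(fp);

    IAT_View(fp);
}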
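/* Byte offset of `member` inside `type`, as the long that the %08lx offset columns print. */
#define PE_OFF(type, member) ((long)offsetof(type, member))
/* File offset of an IMAGE_NT_HEADERS32 member; the header starts at NTheader_Offset. */
#define NT_AT(member) (NTheader_Offset + PE_OFF(IMAGE_NT_HEADERS32, member))
/* Banner padding and the horizontal rule shared by every table. */
#define PE_BAR "----------------------------------"
#define PE_RULE "-------------------------------------------------------------------------\n"

/*
 * Replace ASCII control bytes with '.' so that a name taken from the file
 * cannot carry terminal escape sequences into the output.
 */
static void pe_scrub_name(char *s)
{
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c == 0x7f) {
            *s = '.';
        }
    }
}

/*
 * Read the NUL-terminated string at file offset raw into dst.
 * At most cap - 1 bytes are stored and dst is always terminated, so a long or
 * unterminated name in the file is truncated instead of overrunning dst.
 * Returns 0 on success, -1 when the offset is unusable (dst is then empty).
 */
static int pe_read_name(FILE *f, long raw, char *dst, size_t cap)
{
    size_t n = 0;
    int c;

    dst[0] = '\0';
    if (raw <= 0 || fseek(f, raw, SEEK_SET) != 0) {
        return -1;
    }
    while (n + 1 < cap && (c = fgetc(f)) != EOF && c != '\0') {
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    pe_scrub_name(dst);
    return 0;
}

/*
 * Print the thunk table of every recorded import descriptor.
 * table_rva holds one RVA per descriptor (capacity entries); label is "INT" or
 * "IAT". Each table is read until a zero thunk or the end of the file: the
 * fread result is checked so a table that runs into EOF ends the loop instead
 * of repeating the last value forever. The row counter restarts for every
 * table so the printed file offsets stay correct.
 */
static void pe_view_thunks(FILE *fp, const long *table_rva, long capacity, const char *label)
{
    long count = Number_Import < capacity ? Number_Import : capacity;
    long i;

    for (i = 0; i < count; i++) {
        long raw = RVA_to_RAW(table_rva[i]);
        long row = 1;
        DWORD thunk = 0;

        printf(PE_BAR "<%02ld>%s" PE_BAR "\n", i + 1, label);
        printf("成员 文件偏移 值\n");
        printf(PE_RULE);
        /* raw == 0 means the RVA is not inside any section: nothing to read. */
        if (raw == 0 || fseek(fp, raw, SEEK_SET) != 0) {
            continue;
        }
        while (fread(&thunk, sizeof thunk, 1, fp) == 1 && thunk != 0) {
            printf("%04ld %08lx %08lx\n", row, raw + 4 * (row - 1), thunk);
            row++;
        }
    }
}

/*
 * Read IMAGE_DOS_HEADER from the current position of fp, print every field
 * with its offset inside the header, and publish e_lfanew in NTheader_Offset.
 *
 * The header is untrusted: NTheader_Offset is reset to 0 first and only set
 * when the read succeeded, the magic is "MZ" and e_lfanew is positive. A value
 * of 0 therefore means "no usable NT header offset".
 */
void DOS_head(FILE* fp)
{
    IMAGE_DOS_HEADER dos_header;

    NTheader_Offset = 0;
    if (fread(&dos_header, sizeof dos_header, 1, fp) != 1) {
        printf("读取DOS头失败\n");
        return;
    }

#define DOS_AT(member) PE_OFF(IMAGE_DOS_HEADER, member)
    printf(PE_BAR "DOS头" PE_BAR "\n");
    printf(PE_RULE);
    printf("成员 地址 值\n\n");
    printf("魔数 %08lx %x\n", DOS_AT(e_magic), (unsigned)dos_header.e_magic);
    printf("文件最后一页的字节数 %08lx %x\n", DOS_AT(e_cblp), (unsigned)dos_header.e_cblp);
    printf("文件中的页数 %08lx %x\n", DOS_AT(e_cp), (unsigned)dos_header.e_cp);
    printf("重定位 %08lx %x\n", DOS_AT(e_crlc), (unsigned)dos_header.e_crlc);
    printf("段头的大小 %08lx %x\n", DOS_AT(e_cparhdr), (unsigned)dos_header.e_cparhdr);
    printf("所需额外段落的最小值 %08lx %x\n", DOS_AT(e_minalloc), (unsigned)dos_header.e_minalloc);
    printf("所需额外段落的最大值 %08lx %x\n", DOS_AT(e_maxalloc), (unsigned)dos_header.e_maxalloc);
    printf("初始(相对)SS值 %08lx %x\n", DOS_AT(e_ss), (unsigned)dos_header.e_ss);
    printf("初始sp值 %08lx %x\n", DOS_AT(e_sp), (unsigned)dos_header.e_sp);
    printf("校验和 %08lx %x\n", DOS_AT(e_csum), (unsigned)dos_header.e_csum);
    printf("初始IP值 %08lx %x\n", DOS_AT(e_ip), (unsigned)dos_header.e_ip);
    printf("初始(相对)CS值 %08lx %x\n", DOS_AT(e_cs), (unsigned)dos_header.e_cs);
    printf("重定位表的文件地址 %08lx %x\n", DOS_AT(e_lfarlc), (unsigned)dos_header.e_lfarlc);
    printf("叠加层数 %08lx %x\n", DOS_AT(e_ovno), (unsigned)dos_header.e_ovno);
    printf("保留字 %08lx %x %x %x %x\n", DOS_AT(e_res),
           (unsigned)dos_header.e_res[0], (unsigned)dos_header.e_res[1],
           (unsigned)dos_header.e_res[2], (unsigned)dos_header.e_res[3]);
    printf("OEM标识符 %08lx %x\n", DOS_AT(e_oemid), (unsigned)dos_header.e_oemid);
    printf("OEM信息 %08lx %x\n", DOS_AT(e_oeminfo), (unsigned)dos_header.e_oeminfo);
    printf("保留字2 %08lx %x %x %x %x %x %x %x %x %x %x\n", DOS_AT(e_res2),
           (unsigned)dos_header.e_res2[0], (unsigned)dos_header.e_res2[1],
           (unsigned)dos_header.e_res2[2], (unsigned)dos_header.e_res2[3],
           (unsigned)dos_header.e_res2[4], (unsigned)dos_header.e_res2[5],
           (unsigned)dos_header.e_res2[6], (unsigned)dos_header.e_res2[7],
           (unsigned)dos_header.e_res2[8], (unsigned)dos_header.e_res2[9]);
    printf("下一个文件头地址 %08lx %x\n", DOS_AT(e_lfanew), (unsigned)dos_header.e_lfanew);
#undef DOS_AT

    /* The dump above shows whatever was read; only a validated offset is published. */
    if (dos_header.e_magic != IMAGE_DOS_SIGNATURE || dos_header.e_lfanew <= 0) {
        printf("DOS头无效(魔数不是MZ或e_lfanew不合法)\n");
    } else {
        NTheader_Offset = dos_header.e_lfanew;
    }

    printf(PE_RULE);
    printf("\n按回车键继续...\n");
    getchar();
}

/*
 * Read IMAGE_NT_HEADERS32 from the current position of fp (the caller seeks to
 * NTheader_Offset first), print the signature, file header, optional header
 * and the 16 data directories, then publish the values the later viewers use.
 *
 * Hardening and fixes relative to the plain dump:
 *  - the section count and both directory RVA/size pairs are zeroed first and
 *    only published after the read, the "PE\0\0" signature and (for the
 *    directories) the PE32 optional-header magic have been checked, because
 *    this structure layout does not describe any other optional header;
 *  - the section count is capped to the capacity of the per-section tables;
 *  - a directory is only used when NumberOfRvaAndSizes says it exists;
 *  - Export_Size is taken from the export directory (index 0); it used to be
 *    copied from the import directory;
 *  - directory 2 is the resource table and directory 3 the exception table;
 *    the two labels were swapped.
 */
void NT_head(FILE* fp)
{
    static const char *const dir_names[IMAGE_NUMBEROF_DIRECTORY_ENTRIES] = {
        "导出表", "导入表", "资源表", "异常表",
        "证书表", "基址重定位表", "调试信息", "特定体系结构数据",
        "全局指针寄存器", "TLS表", "加载配置表", "绑定导入表",
        "导入地址表", "延迟导入表", "CLR运行时头部数据", "保留",
    };
    const long max_sections = (long)(sizeof Start_of_section_VA / sizeof Start_of_section_VA[0]);
    IMAGE_NT_HEADERS32 nt_header;
    const IMAGE_FILE_HEADER *fh = &nt_header.FileHeader;
    const IMAGE_OPTIONAL_HEADER32 *oh = &nt_header.OptionalHeader;
    const IMAGE_DATA_DIRECTORY *dd = nt_header.OptionalHeader.DataDirectory;
    unsigned i;

    /* Fail closed: nothing downstream may act on values that were never validated. */
    NumberOfSections = 0;
    Import_RVA = 0;
    Import_Size = 0;
    Export_RVA = 0;
    Export_Size = 0;

    if (fread(&nt_header, sizeof nt_header, 1, fp) != 1) {
        printf("读取NT头失败\n");
        return;
    }

    printf(PE_BAR "NT头" PE_BAR "\n");
    printf(PE_RULE);
    printf("成员 地址 值\n\n");
    printf("NT头签名 %08lx %08lx\n", NT_AT(Signature), nt_header.Signature);
    printf("文件头 %08lx \n", NT_AT(FileHeader));
    printf("可选头 %08lx \n", NT_AT(OptionalHeader));
    printf(PE_RULE);

    printf(PE_BAR "文件头" PE_BAR "\n");
    printf(PE_RULE);
    printf("成员 地址 值\n\n");
    printf("机器 %08lx %04x\n", NT_AT(FileHeader.Machine), (unsigned)fh->Machine);
    printf("节区数 %08lx %04x\n", NT_AT(FileHeader.NumberOfSections), (unsigned)fh->NumberOfSections);
    printf("时间戳 %08lx %08lx\n", NT_AT(FileHeader.TimeDateStamp), fh->TimeDateStamp);
    printf("符号表偏移量 %08lx %08lx\n", NT_AT(FileHeader.PointerToSymbolTable), fh->PointerToSymbolTable);
    printf("符号表中的符号数 %08lx %08lx\n", NT_AT(FileHeader.NumberOfSymbols), fh->NumberOfSymbols);
    /* The next two fields are 16-bit; widen them explicitly to match %08lx. */
    printf("可选头大小 %08lx %08lx\n", NT_AT(FileHeader.SizeOfOptionalHeader), (unsigned long)fh->SizeOfOptionalHeader);
    printf("映射特征 %08lx %08lx\n", NT_AT(FileHeader.Characteristics), (unsigned long)fh->Characteristics);
    printf(PE_RULE);

    printf(PE_BAR "可选头" PE_BAR "\n");
    printf(PE_RULE);
    printf("成员 地址 值\n\n");
    printf("魔数 %08lx %04x\n", NT_AT(OptionalHeader.Magic), (unsigned)oh->Magic);
    printf("链接器主版本 %08lx %.2x\n", NT_AT(OptionalHeader.MajorLinkerVersion), (unsigned)oh->MajorLinkerVersion);
    printf("链接器次版本 %08lx %.2x\n", NT_AT(OptionalHeader.MinorLinkerVersion), (unsigned)oh->MinorLinkerVersion);
    printf("代码段的大小 %08lx %08lx\n", NT_AT(OptionalHeader.SizeOfCode), oh->SizeOfCode);
    printf("已初始化数据段大小 %08lx %08lx\n", NT_AT(OptionalHeader.SizeOfInitializedData), oh->SizeOfInitializedData);
    printf("未初始化数据段大小 %08lx %08lx\n", NT_AT(OptionalHeader.SizeOfUninitializedData), oh->SizeOfUninitializedData);
    printf("入口函数指针 %08lx %08lx\n", NT_AT(OptionalHeader.AddressOfEntryPoint), oh->AddressOfEntryPoint);
    printf("代码段基址 %08lx %08lx\n", NT_AT(OptionalHeader.BaseOfCode), oh->BaseOfCode);
    printf("数据段基址 %08lx %08lx\n", NT_AT(OptionalHeader.BaseOfData), oh->BaseOfData);
    printf("基址 %08lx %08lx\n", NT_AT(OptionalHeader.ImageBase), oh->ImageBase);
    printf("节对齐量 %08lx %08lx\n", NT_AT(OptionalHeader.SectionAlignment), oh->SectionAlignment);
    printf("文件对齐量 %08lx %08lx\n", NT_AT(OptionalHeader.FileAlignment), oh->FileAlignment);
    printf("系统主版本 %08lx %04x\n", NT_AT(OptionalHeader.MajorOperatingSystemVersion), (unsigned)oh->MajorOperatingSystemVersion);
    printf("系统次版本 %08lx %04x\n", NT_AT(OptionalHeader.MinorOperatingSystemVersion), (unsigned)oh->MinorOperatingSystemVersion);
    printf("映像主版本 %08lx %04x\n", NT_AT(OptionalHeader.MajorImageVersion), (unsigned)oh->MajorImageVersion);
    printf("映像次版本 %08lx %04x\n", NT_AT(OptionalHeader.MinorImageVersion), (unsigned)oh->MinorImageVersion);
    printf("子系统主版本 %08lx %04x\n", NT_AT(OptionalHeader.MajorSubsystemVersion), (unsigned)oh->MajorSubsystemVersion);
    printf("子系统次版本 %08lx %04x\n", NT_AT(OptionalHeader.MinorSubsystemVersion), (unsigned)oh->MinorSubsystemVersion);
    printf("保留成员 %08lx %08lx\n", NT_AT(OptionalHeader.Win32VersionValue), oh->Win32VersionValue);
    printf("映像大小 %08lx %08lx\n", NT_AT(OptionalHeader.SizeOfImage), oh->SizeOfImage);
    printf("头总大小 %08lx %08lx\n", NT_AT(OptionalHeader.SizeOfHeaders), oh->SizeOfHeaders);
    printf("校验和 %08lx %08lx\n", NT_AT(OptionalHeader.CheckSum), oh->CheckSum);
    printf("子系统 %08lx %04x\n", NT_AT(OptionalHeader.Subsystem), (unsigned)oh->Subsystem);
    printf("DLL特征 %08lx %04x\n", NT_AT(OptionalHeader.DllCharacteristics), (unsigned)oh->DllCharacteristics);
    printf("堆栈保留大小 %08lx %08lx\n", NT_AT(OptionalHeader.SizeOfStackReserve), oh->SizeOfStackReserve);
    printf("堆栈提交大小 %08lx %08lx\n", NT_AT(OptionalHeader.SizeOfStackCommit), oh->SizeOfStackCommit);
    printf("本地保留大小 %08lx %08lx\n", NT_AT(OptionalHeader.SizeOfHeapReserve), oh->SizeOfHeapReserve);
    printf("本地提交大小 %08lx %08lx\n", NT_AT(OptionalHeader.SizeOfHeapCommit), oh->SizeOfHeapCommit);
    printf("无用成员 %08lx %08lx\n", NT_AT(OptionalHeader.LoaderFlags), oh->LoaderFlags);
    printf("可选头其余条目数 %08lx %08lx\n", NT_AT(OptionalHeader.NumberOfRvaAndSizes), oh->NumberOfRvaAndSizes);
    printf("映射数据表 %08lx\n", NT_AT(OptionalHeader.DataDirectory));
    printf(PE_RULE);

    printf(PE_BAR "DataDirectory" PE_BAR "\n");
    printf(PE_RULE);
    printf("成员 地址 值\n\n");
    for (i = 0; i < IMAGE_NUMBEROF_DIRECTORY_ENTRIES; i++) {
        long at = NT_AT(OptionalHeader.DataDirectory) + (long)(i * sizeof dd[0]);

        printf("%sRVA %08lx %08lx\n", dir_names[i],
               at + PE_OFF(IMAGE_DATA_DIRECTORY, VirtualAddress), dd[i].VirtualAddress);
        printf("%s大小 %08lx %08lx\n", dir_names[i],
               at + PE_OFF(IMAGE_DATA_DIRECTORY, Size), dd[i].Size);
    }
    printf(PE_RULE);

    /* Values that only feed the display or a checked seek can be stored as read. */
    SectionHeader_Offset = NT_AT(OptionalHeader) + fh->SizeOfOptionalHeader;
    SectionAlignment = oh->SectionAlignment;
    FileAlignment = oh->FileAlignment;
    ImageBase = oh->ImageBase;
    AddressOfEntryPoint = oh->AddressOfEntryPoint;

    if (nt_header.Signature != IMAGE_NT_SIGNATURE) {
        printf("NT头签名无效, 停止解析\n");
    } else {
        NumberOfSections = fh->NumberOfSections;
        if (NumberOfSections > max_sections) {
            /* The per-section tables hold max_sections entries; never index past them. */
            printf("节区数%u超过上限%ld, 仅解析前%ld个\n",
                   (unsigned)fh->NumberOfSections, max_sections, max_sections);
            NumberOfSections = max_sections;
        }

        if (oh->Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
            printf("可选头不是PE32格式, 跳过导入表和导出表\n");
        } else {
            if (oh->NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_EXPORT) {
                Export_RVA = dd[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
                Export_Size = dd[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
            }
            if (oh->NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_IMPORT) {
                Import_RVA = dd[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
                Import_Size = dd[IMAGE_DIRECTORY_ENTRY_IMPORT].Size;
            }
        }
    }

    printf("\n按回车键继续\n");
    getchar();
}

/*
 * Read NumberOfSections section headers from the current position of fp (the
 * caller seeks to SectionHeader_Offset first), print each one and record its
 * RVA, raw offset and virtual size for RVA_to_RAW.
 *
 * The count is capped to the table capacity and shrunk to the number of
 * headers actually read, so later lookups never touch unfilled entries. The
 * 8-byte section name is not guaranteed to be NUL-terminated, so it is copied
 * into a terminated buffer before being printed with %s.
 */
void Section_head(FILE* fp)
{
    const long capacity = (long)(sizeof Start_of_section_VA / sizeof Start_of_section_VA[0]);
    IMAGE_SECTION_HEADER sh;
    char name[IMAGE_SIZEOF_SHORT_NAME + 1];
    long i;

    if (NumberOfSections > capacity) {
        NumberOfSections = capacity;
    }

    for (i = 0; i < NumberOfSections; i++) {
        long base = SectionHeader_Offset + (long)sizeof sh * i;

        if (fread(&sh, sizeof sh, 1, fp) != 1) {
            printf("读取节区头失败\n");
            NumberOfSections = i; /* only the entries read so far are valid */
            break;
        }
        memcpy(name, sh.Name, IMAGE_SIZEOF_SHORT_NAME);
        name[IMAGE_SIZEOF_SHORT_NAME] = '\0';
        pe_scrub_name(name);

        printf(PE_BAR "%s节区头" PE_BAR "\n", name);
        printf(PE_RULE);
        printf("成员 地址 值\n");
        printf(PE_RULE);
        printf("名称 %08lx %s\n", base + PE_OFF(IMAGE_SECTION_HEADER, Name), name);
        printf("加载至内存的虚拟大小 %08lx %08lx\n", base + PE_OFF(IMAGE_SECTION_HEADER, Misc.VirtualSize), sh.Misc.VirtualSize);
        printf("RVA %08lx %08lx\n", base + PE_OFF(IMAGE_SECTION_HEADER, VirtualAddress), sh.VirtualAddress);
        printf("对齐后的尺寸 %08lx %08lx\n", base + PE_OFF(IMAGE_SECTION_HEADER, SizeOfRawData), sh.SizeOfRawData);
        printf("RAW %08lx %08lx\n", base + PE_OFF(IMAGE_SECTION_HEADER, PointerToRawData), sh.PointerToRawData);
        printf("重定位偏移 %08lx %08lx\n", base + PE_OFF(IMAGE_SECTION_HEADER, PointerToRelocations), sh.PointerToRelocations);
        printf("行号表偏移 %08lx %08lx\n", base + PE_OFF(IMAGE_SECTION_HEADER, PointerToLinenumbers), sh.PointerToLinenumbers);
        printf("重定位项数 %08lx %04x\n", base + PE_OFF(IMAGE_SECTION_HEADER, NumberOfRelocations), (unsigned)sh.NumberOfRelocations);
        printf("行号表行数 %08lx %04x\n", base + PE_OFF(IMAGE_SECTION_HEADER, NumberOfLinenumbers), (unsigned)sh.NumberOfLinenumbers);
        printf("节区属性 %08lx %08lx\n", base + PE_OFF(IMAGE_SECTION_HEADER, Characteristics), sh.Characteristics);
        printf(PE_RULE);

        Start_of_section_VA[i] = sh.VirtualAddress;
        Start_of_section_RAW[i] = sh.PointerToRawData;
        Size_of_section[i] = sh.Misc.VirtualSize;
    }

    printf("\n按回车键继续...\n");
    getchar();
}

/*
 * Print the import descriptors and record, per descriptor, the module name and
 * the INT/IAT RVAs; Number_Import ends up as the number of descriptors stored.
 *
 * fp is positioned on the descriptor array here; chrfp is a second handle on
 * the same file used for the name lookups so fp keeps its place.
 *
 * Fixes relative to the previous version:
 *  - the banner said "export table" before the size check;
 *  - the module name was read with an unbounded fscanf("%s") into a fixed-size
 *    row; it is now read up to the row size and truncated if longer;
 *  - a short read ends the walk instead of re-using the previous descriptor;
 *  - the terminating descriptor leaves the loop with break, so the pause at
 *    the end is reached on the normal path as well.
 */
void Import_View(FILE* fp, FILE* chrfp)
{
    const long capacity = (long)(sizeof INT_RVA / sizeof INT_RVA[0]);
    IMAGE_IMPORT_DESCRIPTOR IID;
    long Import_RAW = RVA_to_RAW(Import_RVA);
    long i;

    Number_Import = 0;

    printf(PE_BAR "导入表" PE_BAR "\n");
    if (Import_Size == 0) {
        printf("由于Size为0, 所以导入表为空\n");
        printf("\n按回车键继续\n");
        getchar();
        return;
    }
    /* 0 means the RVA is outside every section; do not parse the file start as descriptors. */
    if (Import_RAW == 0 || fseek(fp, Import_RAW, SEEK_SET) != 0) {
        printf("导入表RVA无法映射到文件偏移\n");
        return;
    }

    for (i = 0; i < capacity; i++) {
        long at = Import_RAW + (long)sizeof IID * i;

        if (fread(&IID, sizeof IID, 1, fp) != 1) {
            printf("读取导入描述符失败\n");
            break;
        }
        if (!IID.OriginalFirstThunk) {
            break;
        }

        pe_read_name(chrfp, RVA_to_RAW(IID.Name), Import_Module_Name[i], sizeof Import_Module_Name[i]);

        printf(PE_BAR "%s导入描述符" PE_BAR "\n", Import_Module_Name[i]);
        printf("成员 文件偏移 值\n");
        printf(PE_RULE);
        printf("INT名称表的RVA %08lx %08lx\n", at + PE_OFF(IMAGE_IMPORT_DESCRIPTOR, OriginalFirstThunk), IID.OriginalFirstThunk);
        printf("日期戳 %08lx %08lx\n", at + PE_OFF(IMAGE_IMPORT_DESCRIPTOR, TimeDateStamp), IID.TimeDateStamp);
        printf("ForwarderChain %08lx %08lx\n", at + PE_OFF(IMAGE_IMPORT_DESCRIPTOR, ForwarderChain), IID.ForwarderChain);
        printf("导入映像名称指针 %08lx %08lx\n", at + PE_OFF(IMAGE_IMPORT_DESCRIPTOR, Name), IID.Name);
        printf("IAT地址表的RVA %08lx %08lx\n", at + PE_OFF(IMAGE_IMPORT_DESCRIPTOR, FirstThunk), IID.FirstThunk);
        printf(PE_RULE);

        INT_RVA[i] = IID.OriginalFirstThunk;
        IAT_RVA[i] = IID.FirstThunk;
        Number_Import++;
    }

    printf("\n按回车键继续\n");
    getchar();
}

/*
 * Print the import name table (INT) of every recorded descriptor, then wait
 * for Enter. Row numbers and offsets restart for each table, and the row
 * number is printed with a format that matches its type.
 */
void INT_View(FILE* fp)
{
    pe_view_thunks(fp, INT_RVA, (long)(sizeof INT_RVA / sizeof INT_RVA[0]), "INT");

    printf("\n按回车键继续\n");
    getchar();
}

/* Print the import address table (IAT) of every recorded descriptor. */
void IAT_View(FILE* fp)
{
    pe_view_thunks(fp, IAT_RVA, (long)(sizeof IAT_RVA / sizeof IAT_RVA[0]), "IAT");
}

/*
 * Print IMAGE_EXPORT_DIRECTORY, located through Export_RVA.
 *
 * An empty directory, an RVA that maps to no section, or a short read ends
 * the function before any field is printed. The "empty" message now names the
 * export table; it used to say the import table was empty. chrfp is unused.
 */
void Export_View(FILE* fp, FILE* chrfp)
{
    IMAGE_EXPORT_DIRECTORY IED;
    long Export_RAW;

    (void)chrfp;

    printf(PE_BAR "导出表" PE_BAR "\n");
    if (Export_Size == 0) {
        printf("由于Size为0, 所以导出表为空\n");
        printf("\n按回车键继续\n");
        getchar();
        return;
    }

    Export_RAW = RVA_to_RAW(Export_RVA);
    if (Export_RAW == 0 || fseek(fp, Export_RAW, SEEK_SET) != 0
        || fread(&IED, sizeof IED, 1, fp) != 1) {
        printf("读取导出表失败\n");
        return;
    }

#define EXP_AT(member) (Export_RAW + PE_OFF(IMAGE_EXPORT_DIRECTORY, member))
    printf(PE_BAR "导出描述符" PE_BAR "\n");
    printf("成员 文件偏移 值\n");
    printf("未使用 %08lx %08lx\n", EXP_AT(Characteristics), IED.Characteristics);
    printf("时间戳 %08lx %08lx\n", EXP_AT(TimeDateStamp), IED.TimeDateStamp);
    printf("未使用 %08lx %04x\n", EXP_AT(MajorVersion), (unsigned)IED.MajorVersion);
    printf("未使用 %08lx %04x\n", EXP_AT(MinorVersion), (unsigned)IED.MinorVersion);
    printf("导出表文件名指针 %08lx %08lx\n", EXP_AT(Name), IED.Name);
    printf("导出表的起始序号 %08lx %08lx\n", EXP_AT(Base), IED.Base);
    printf("导出函数个数 %08lx %08lx\n", EXP_AT(NumberOfFunctions), IED.NumberOfFunctions);
    printf("以函数名导出函数个数 %08lx %08lx\n", EXP_AT(NumberOfNames), IED.NumberOfNames);
    printf("EAT_RVA %08lx %08lx\n", EXP_AT(AddressOfFunctions), IED.AddressOfFunctions);
    printf("ENT_RVA %08lx %08lx\n", EXP_AT(AddressOfNames), IED.AddressOfNames);
    printf("导出函数序号表 %08lx %08lx\n", EXP_AT(AddressOfNameOrdinals), IED.AddressOfNameOrdinals);
    printf(PE_RULE);
#undef EXP_AT

    printf("\n请按回车键继续\n");
    getchar();
}

#undef PE_RULE
#undef PE_BAR
#undef NT_AT
#undef PE_OFF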
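/*
 * Translate a relative virtual address into a file offset using the section
 * tables recorded by Section_head.
 *
 * NumberOfSections comes from the file header and can be far larger than the
 * tables, so the scan is capped at the table capacity instead of trusting it.
 * The comparison is done on unsigned values: the tables store 32-bit fields in
 * a signed long, and the unsigned form "rva - start < size" cannot overflow
 * the way "start + size" can. A section covers [start, start + size), so an
 * RVA equal to the end is not part of it.
 *
 * Returns the file offset, or 0 when the RVA is not inside any section;
 * callers must treat 0 as "not found" rather than as a valid offset.
 */
long RVA_to_RAW(long RVA)
{
    const long capacity = (long)(sizeof Start_of_section_VA / sizeof Start_of_section_VA[0]);
    const long count = NumberOfSections < capacity ? NumberOfSections : capacity;
    const unsigned long rva = (unsigned long)RVA;
    long i;

    for (i = 0; i < count; i++) {
        unsigned long start = (unsigned long)Start_of_section_VA[i];
        unsigned long size = (unsigned long)Size_of_section[i];

        if (rva >= start && rva - start < size) {
            return (long)(rva - start + (unsigned long)Start_of_section_RAW[i]);
        }
    }
    return 0;
}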