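#include "stdafx.h"
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <malloc.h>

/*
 * PE export-table viewer.
 *
 * Reads a DLL from disk into memory (the raw file layout, not the mapped
 * image layout), prints its export directory and resolves exports by
 * ordinal or by name.
 *
 * Every offset, RVA and count in a PE file is attacker-controlled when the
 * file is untrusted, so each value read from the file is range-checked
 * before it is used to form a pointer or an array index.
 */

/* Raw optional-header offsets. Only the 32-bit (PE32) layout is handled for
 * the data directory, as in the original code, which hard-coded 0x60. */
enum {
    PE_OPT_MIN_SIZE      = 0x40,  /* covers SizeOfImage and SizeOfHeaders (same offsets in PE32 and PE32+) */
    PE32_OPT_MAGIC       = 0x10b, /* OptionalHeader.Magic value of a PE32 image */
    PE32_NUM_DIRS_OFFSET = 0x5C,  /* NumberOfRvaAndSizes in a PE32 optional header */
    PE32_DATA_DIR_OFFSET = 0x60   /* DataDirectory[0] (export table) in a PE32 optional header */
};

/* Buffer most recently returned by ReadPEFile and its size in bytes.
 * The public functions take only a buffer pointer, so this is the only
 * place the size is known; file-bound checks apply to this buffer only. */
static LPVOID g_LoadedFileBuffer = NULL;
static DWORD  g_LoadedFileSize   = 0;

/*
 * Returns a pointer to Size bytes at file offset Foa inside pFileBuffer.
 * Returns NULL when pFileBuffer is NULL, or when the buffer is the one
 * loaded by ReadPEFile and [Foa, Foa + Size) does not fit inside it.
 * For any other buffer the size is unknown and the range is not checked.
 */
static LPVOID PtrAtFoa(LPVOID pFileBuffer, DWORD Foa, DWORD Size)
{
    if (!pFileBuffer)
    {
        return NULL;
    }
    if (pFileBuffer == g_LoadedFileBuffer &&
        (Foa > g_LoadedFileSize || Size > g_LoadedFileSize - Foa))
    {
        return NULL;
    }
    return (LPVOID)((BYTE*)pFileBuffer + Foa);
}

//////////////////////////////////////////////////////////////////
// FileBuffer function
/*
 * Reads the hard-coded DLL into a freshly malloc'ed buffer.
 *
 * ppFileBuffer  receives the buffer on success (caller frees it with
 *               free()); set to NULL on failure.
 * Returns the file size in bytes, or 0 on any failure.
 */
DWORD ReadPEFile(LPVOID* ppFileBuffer)
{
    FILE* pFile = NULL;
    long FileLength = 0;
    DWORD SizeFileBuffer = 0;
    LPVOID pBuffer = NULL;

    if (!ppFileBuffer)
    {
        return 0;
    }
    *ppFileBuffer = NULL;

    pFile = fopen("C://Documents and Settings//ma_lic//桌面//RebPE.dll", "rb");
    if (!pFile)
    {
        printf("打开notepad失败\n");
        return 0;
    }

    // Get the file size. ftell returns -1 on error, which must not be
    // converted to a huge unsigned size.
    if (fseek(pFile, 0, SEEK_END) == 0)
    {
        FileLength = ftell(pFile);
    }
    if (FileLength <= 0 || fseek(pFile, 0, SEEK_SET) != 0)
    {
        printf("读取文件大小失败\n");
        fclose(pFile); // the original leaked the handle on this path
        return 0;
    }
    SizeFileBuffer = (DWORD)FileLength;

    // Allocate the buffer
    pBuffer = malloc(SizeFileBuffer);
    if (!pBuffer)
    {
        printf("开辟空间失败\n");
        fclose(pFile);
        return 0;
    }

    // Copy the file contents
    if (fread(pBuffer, SizeFileBuffer, 1, pFile) != 1)
    {
        printf("复制数据失败\n");
        free(pBuffer);
        fclose(pFile);
        return 0; // *ppFileBuffer stays NULL, never a dangling pointer
    }
    fclose(pFile);

    *ppFileBuffer = pBuffer;
    g_LoadedFileBuffer = pBuffer;
    g_LoadedFileSize = SizeFileBuffer;
    return SizeFileBuffer;
}

/*
 * Validates the DOS and NT headers and returns pointers to the file
 * header, optional header and section table.
 * Prints the reason and returns FALSE when the buffer is NULL, the MZ or
 * PE signature is wrong, or a header lies outside the loaded file.
 */
static BOOL LocatePeHeaders(LPVOID pFileBuffer,
                            PIMAGE_FILE_HEADER* ppFileHeader,
                            PIMAGE_OPTIONAL_HEADER* ppOptionalHeader,
                            PIMAGE_SECTION_HEADER* ppSectionHeader)
{
    PIMAGE_DOS_HEADER pDosHeader = NULL;
    PIMAGE_NT_HEADERS pNTHeader = NULL;
    PIMAGE_FILE_HEADER pFileHeader = NULL;
    DWORD NtOffset = 0;
    DWORD OptionalOffset = 0;
    DWORD SectionOffset = 0;
    DWORD SectionBytes = 0;

    if (!pFileBuffer)
    {
        printf("FileBuffer函数调用失败\n");
        return FALSE;
    }

    pDosHeader = (PIMAGE_DOS_HEADER)PtrAtFoa(pFileBuffer, 0, (DWORD)sizeof(IMAGE_DOS_HEADER));
    if (!pDosHeader || pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
    {
        printf("不是有效的MZ标志\n");
        return FALSE;
    }

    // e_lfanew is a signed LONG taken from the file; a negative value would
    // point in front of the buffer.
    if (pDosHeader->e_lfanew < 0)
    {
        printf("不是有效的PE标志\n");
        return FALSE;
    }
    NtOffset = (DWORD)pDosHeader->e_lfanew;
    OptionalOffset = NtOffset + (DWORD)sizeof(DWORD) + (DWORD)sizeof(IMAGE_FILE_HEADER);

    pNTHeader = (PIMAGE_NT_HEADERS)PtrAtFoa(pFileBuffer, NtOffset,
                                            (DWORD)sizeof(DWORD) + (DWORD)sizeof(IMAGE_FILE_HEADER));
    if (!pNTHeader || pNTHeader->Signature != IMAGE_NT_SIGNATURE)
    {
        printf("不是有效的PE标志\n");
        return FALSE;
    }
    pFileHeader = &pNTHeader->FileHeader;

    // The optional header and the section table that follows it must both
    // lie inside the file before any of their fields are read.
    SectionOffset = OptionalOffset + pFileHeader->SizeOfOptionalHeader;
    SectionBytes = (DWORD)pFileHeader->NumberOfSections * (DWORD)sizeof(IMAGE_SECTION_HEADER);
    if (pFileHeader->SizeOfOptionalHeader < PE_OPT_MIN_SIZE ||
        !PtrAtFoa(pFileBuffer, OptionalOffset, pFileHeader->SizeOfOptionalHeader) ||
        !PtrAtFoa(pFileBuffer, SectionOffset, SectionBytes))
    {
        printf("不是有效的PE标志\n");
        return FALSE;
    }

    *ppFileHeader = pFileHeader;
    *ppOptionalHeader = (PIMAGE_OPTIONAL_HEADER)((BYTE*)pFileBuffer + OptionalOffset);
    *ppSectionHeader = (PIMAGE_SECTION_HEADER)((BYTE*)pFileBuffer + SectionOffset);
    return TRUE;
}

/*
 * Converts a relative virtual address (RVA; spelled "Rav" in this file)
 * into a file offset (FOA) for a PE held in raw file layout.
 *
 * An RVA below SizeOfHeaders maps to itself. Otherwise the RVA belongs to
 * the section whose range [VirtualAddress, next section's VirtualAddress)
 * contains it; the last section ends at SizeOfImage.
 *
 * Returns the file offset, or 0 when the headers are invalid or no section
 * contains the RVA. The result is not checked against the file size here;
 * callers must do that before dereferencing.
 */
DWORD RavToFoa(LPVOID pFileBuffer, DWORD Rav)
{
    PIMAGE_FILE_HEADER pFileHeader = NULL;
    PIMAGE_OPTIONAL_HEADER pOptionalHeader = NULL;
    PIMAGE_SECTION_HEADER pSectionHeader = NULL;
    DWORD SectionStart = 0;
    DWORD SectionEnd = 0;
    DWORD OffsetInSection = 0;
    DWORD i = 0;

    if (!LocatePeHeaders(pFileBuffer, &pFileHeader, &pOptionalHeader, &pSectionHeader))
    {
        return 0;
    }

    if (Rav < pOptionalHeader->SizeOfHeaders)
    {
        printf("Rav在Header里面\n");
        return Rav;
    }

    for (i = 0; i < pFileHeader->NumberOfSections; i++)
    {
        SectionStart = pSectionHeader[i].VirtualAddress;
        if (i + 1 < pFileHeader->NumberOfSections)
        {
            SectionEnd = pSectionHeader[i + 1].VirtualAddress;
        }
        else
        {
            SectionEnd = pOptionalHeader->SizeOfImage; // last section
        }

        // ">=" so that an RVA exactly at the start of a section resolves;
        // the original used ">" and rejected it (an export directory
        // commonly sits at the very start of its section).
        if (Rav >= SectionStart && Rav < SectionEnd)
        {
            OffsetInSection = Rav - SectionStart;
            if (OffsetInSection > 0xFFFFFFFF - pSectionHeader[i].PointerToRawData)
            {
                break; // the sum would wrap around 32 bits
            }
            return OffsetInSection + pSectionHeader[i].PointerToRawData;
        }
    }

    printf("Rav大于sizeofimage!!!\n");
    return 0;
}

/*
 * Resolves an RVA to a pointer to Size readable bytes inside the file
 * buffer. Returns NULL when the RVA cannot be mapped (RavToFoa reports 0,
 * which is never a valid location for export data) or when the range falls
 * outside the loaded file.
 */
static LPVOID RvaToPtr(LPVOID pFileBuffer, DWORD Rva, DWORD Size)
{
    DWORD Foa = 0;
    LPVOID pResult = NULL;

    Foa = RavToFoa(pFileBuffer, Rva);
    if (!Foa)
    {
        return NULL;
    }
    pResult = PtrAtFoa(pFileBuffer, Foa, Size);
    if (!pResult)
    {
        printf("导出表数据越界\n");
    }
    return pResult;
}

/*
 * Resolves an RVA to an array of Count elements of ElemSize bytes each.
 * Returns NULL for an empty array, when Count * ElemSize overflows 32 bits,
 * or when the array does not fit inside the file.
 */
static LPVOID RvaToArray(LPVOID pFileBuffer, DWORD Rva, DWORD Count, DWORD ElemSize)
{
    if (Count == 0)
    {
        return NULL;
    }
    if (Count > 0xFFFFFFFF / ElemSize)
    {
        printf("导出表数据越界\n");
        return NULL;
    }
    return RvaToPtr(pFileBuffer, Rva, Count * ElemSize);
}

/*
 * Resolves an RVA to a C string inside the file buffer. For the buffer
 * loaded by ReadPEFile the string must be NUL-terminated before the end of
 * the file; otherwise NULL is returned. For other buffers the terminator
 * cannot be checked because the size is unknown.
 */
static char* RvaToString(LPVOID pFileBuffer, DWORD Rva)
{
    DWORD Foa = 0;
    char* Str = NULL;

    Foa = RavToFoa(pFileBuffer, Rva);
    if (!Foa)
    {
        return NULL;
    }
    Str = (char*)PtrAtFoa(pFileBuffer, Foa, 1);
    if (!Str)
    {
        return NULL;
    }
    if (pFileBuffer == g_LoadedFileBuffer &&
        !memchr(Str, 0, g_LoadedFileSize - Foa))
    {
        return NULL;
    }
    return Str;
}

/*
 * Returns the export-table entry of the data directory, or NULL when the
 * headers are invalid, the image is not PE32, or the optional header is
 * too small to hold that entry.
 */
static PIMAGE_DATA_DIRECTORY LocateExportDataDirectory(LPVOID pFileBuffer)
{
    PIMAGE_FILE_HEADER pFileHeader = NULL;
    PIMAGE_OPTIONAL_HEADER pOptionalHeader = NULL;
    PIMAGE_SECTION_HEADER pSectionHeader = NULL;

    if (!LocatePeHeaders(pFileBuffer, &pFileHeader, &pOptionalHeader, &pSectionHeader))
    {
        return NULL;
    }

    // Offset 0x60 is only the data directory in a PE32 optional header;
    // in PE32+ the same offset holds other fields.
    if (pOptionalHeader->Magic != PE32_OPT_MAGIC ||
        pFileHeader->SizeOfOptionalHeader < PE32_DATA_DIR_OFFSET + sizeof(IMAGE_DATA_DIRECTORY) ||
        *(DWORD*)((BYTE*)pOptionalHeader + PE32_NUM_DIRS_OFFSET) == 0)
    {
        printf("导出表不存在\n");
        return NULL;
    }
    return (PIMAGE_DATA_DIRECTORY)((BYTE*)pOptionalHeader + PE32_DATA_DIR_OFFSET);
}

/*
 * Returns the export directory described by pDataDir, or NULL when the
 * image has no export table or the directory lies outside the file.
 */
static PIMAGE_EXPORT_DIRECTORY LocateExportDirectory(LPVOID pFileBuffer,
                                                     PIMAGE_DATA_DIRECTORY pDataDir)
{
    if (!pDataDir || pDataDir->VirtualAddress == 0)
    {
        printf("导出表不存在\n");
        return NULL;
    }
    return (PIMAGE_EXPORT_DIRECTORY)RvaToPtr(pFileBuffer, pDataDir->VirtualAddress,
                                             (DWORD)sizeof(IMAGE_EXPORT_DIRECTORY));
}

/*
 * Prints the export data-directory entry, the export directory fields and
 * the three export arrays (function RVAs, name ordinals, names).
 * Returns early, after printing the reason, if any structure is invalid.
 */
VOID PrintExport(LPVOID pFileBuffer)
{
    PIMAGE_DATA_DIRECTORY pDataDirHeader = NULL;
    PIMAGE_EXPORT_DIRECTORY pExportHeader = NULL;
    PDWORD pAddressOfFun = NULL;
    PWORD pAddressOfNameOrdinal = NULL;
    PDWORD pAddressOfName = NULL;
    char* Name = NULL;
    DWORD i = 0;

    if (!pFileBuffer)
    {
        printf("FileBuffer函数调用失败\n");
        return; // the original fell through and dereferenced NULL
    }
    printf("%p\n", pFileBuffer);

    // Check that this is a PE file and find the export data directory
    pDataDirHeader = LocateExportDataDirectory(pFileBuffer);
    if (!pDataDirHeader)
    {
        return;
    }

    printf("-----------------------------------------------------\n");
    printf("导出表\n");
    printf("virtualAddress=%x\n", pDataDirHeader->VirtualAddress);
    printf("size=%x\n", pDataDirHeader->Size);
    printf("-----------------------------------------------------\n");

    pExportHeader = LocateExportDirectory(pFileBuffer, pDataDirHeader);
    if (!pExportHeader)
    {
        return;
    }

    printf("Characteristics=%x\n", pExportHeader->Characteristics);
    printf("TimeDateStamp=%x\n", pExportHeader->TimeDateStamp);
    printf("MajorVersion=%x\n", pExportHeader->MajorVersion);
    printf("Name=%x\n", pExportHeader->Name);
    printf("Base=%x\n", pExportHeader->Base);
    // The original printed NumberOfNames under this label.
    printf("NumberOfFunctions=%x\n", pExportHeader->NumberOfFunctions);
    printf("NumberOfNames=%x\n", pExportHeader->NumberOfNames);

    printf("--------------------------------------------------\n");
    printf("AddressOfFun\n");
    pAddressOfFun = (PDWORD)RvaToArray(pFileBuffer, pExportHeader->AddressOfFunctions,
                                       pExportHeader->NumberOfFunctions, (DWORD)sizeof(DWORD));
    if (pAddressOfFun)
    {
        for (i = 0; i < pExportHeader->NumberOfFunctions; i++)
        {
            printf("下标:%d, ", (int)i);
            printf("函数地址:%x\n", pAddressOfFun[i]);
        }
    }

    printf("------------------------------------------------\n");
    printf("AddressOfNameOrdinals\n");
    pAddressOfNameOrdinal = (PWORD)RvaToArray(pFileBuffer, pExportHeader->AddressOfNameOrdinals,
                                              pExportHeader->NumberOfNames, (DWORD)sizeof(WORD));
    if (pAddressOfNameOrdinal)
    {
        for (i = 0; i < pExportHeader->NumberOfNames; i++)
        {
            printf("下标:%d, , ", (int)i);
            printf("序号%x\n", pAddressOfNameOrdinal[i]);
        }
    }

    printf("------------------------------------------------\n");
    printf("AddressOfNames\n");
    pAddressOfName = (PDWORD)RvaToArray(pFileBuffer, pExportHeader->AddressOfNames,
                                        pExportHeader->NumberOfNames, (DWORD)sizeof(DWORD));
    if (pAddressOfName)
    {
        for (i = 0; i < pExportHeader->NumberOfNames; i++)
        {
            Name = RvaToString(pFileBuffer, pAddressOfName[i]);
            printf("下标:%d, , ", (int)i);
            // "?" marks a name RVA that could not be resolved to a
            // terminated string inside the file.
            printf("函数名称=%s\n", Name ? Name : "?");
        }
    }
}

/*
 * Prompts for an export ordinal on stdin and looks up the matching entry
 * of the AddressOfFunctions array (index = ordinal - Base).
 *
 * Returns the function's RVA cast to a pointer (not a callable address:
 * the file is not mapped as an image), or NULL when the input is not a
 * number, the ordinal is outside [Base, Base + NumberOfFunctions), or the
 * export table is invalid.
 *
 * The original walked the array one element at a time and printed every
 * index; the entry is indexed directly here.
 */
LPVOID GetFunAddressByOrdinal(LPVOID pFileBuffer)
{
    PIMAGE_EXPORT_DIRECTORY pExportHeader = NULL;
    PDWORD pAddressOfFun = NULL;
    DWORD Index = 0;
    int num = 0;

    if (!pFileBuffer)
    {
        printf("FileBuffer函数调用失败\n");
        return NULL;
    }
    printf("%p\n", pFileBuffer);

    // Check that this is a PE file and find the export directory
    pExportHeader = LocateExportDirectory(pFileBuffer, LocateExportDataDirectory(pFileBuffer));
    if (!pExportHeader)
    {
        return NULL;
    }

    printf("输入你要查询的序号\n");
    if (scanf("%d", &num) != 1 || num < 0 || (DWORD)num < pExportHeader->Base)
    {
        printf("序号超出范围\n");
        return NULL;
    }

    // The user-supplied ordinal indexes a file-defined array; without this
    // check any ordinal read memory past the end of the table.
    Index = (DWORD)num - pExportHeader->Base;
    if (Index >= pExportHeader->NumberOfFunctions)
    {
        printf("序号超出范围\n");
        return NULL;
    }

    pAddressOfFun = (PDWORD)RvaToArray(pFileBuffer, pExportHeader->AddressOfFunctions,
                                       pExportHeader->NumberOfFunctions, (DWORD)sizeof(DWORD));
    if (!pAddressOfFun)
    {
        return NULL;
    }

    printf("你要寻找的函数地址是=%x\n", pAddressOfFun[Index]);
    return (LPVOID)(size_t)pAddressOfFun[Index];
}

/*
 * Looks up an export by name: finds str in the AddressOfNames array, reads
 * the entry with the same index from AddressOfNameOrdinals, and uses that
 * value as the index into AddressOfFunctions.
 *
 * Returns the function's RVA cast to a pointer (not a callable address),
 * or NULL when str is NULL, the name is not exported, or the export table
 * is invalid.
 *
 * The original used the loop counter after the search loop even when no
 * name matched, reading one element past the ordinal table, and printed
 * every index while stepping through the arrays; both are gone here.
 */
LPVOID GetAddressByName(LPVOID pFileBuffer, char* str)
{
    PIMAGE_EXPORT_DIRECTORY pExportHeader = NULL;
    PDWORD pAddressOfName = NULL;
    PWORD pAddressOfNameOrdinal = NULL;
    PDWORD pAddressOfFun = NULL;
    char* Name = NULL;
    DWORD k = 0;
    WORD Ordinal = 0;
    BOOL Found = FALSE;

    if (!pFileBuffer || !str)
    {
        printf("FileBuffer函数调用失败\n");
        return NULL;
    }
    printf("%p\n", pFileBuffer);

    // Check that this is a PE file and find the export directory
    pExportHeader = LocateExportDirectory(pFileBuffer, LocateExportDataDirectory(pFileBuffer));
    if (!pExportHeader)
    {
        return NULL;
    }

    pAddressOfName = (PDWORD)RvaToArray(pFileBuffer, pExportHeader->AddressOfNames,
                                        pExportHeader->NumberOfNames, (DWORD)sizeof(DWORD));
    pAddressOfNameOrdinal = (PWORD)RvaToArray(pFileBuffer, pExportHeader->AddressOfNameOrdinals,
                                              pExportHeader->NumberOfNames, (DWORD)sizeof(WORD));
    pAddressOfFun = (PDWORD)RvaToArray(pFileBuffer, pExportHeader->AddressOfFunctions,
                                       pExportHeader->NumberOfFunctions, (DWORD)sizeof(DWORD));
    if (!pAddressOfName || !pAddressOfNameOrdinal || !pAddressOfFun)
    {
        return NULL;
    }

    for (k = 0; k < pExportHeader->NumberOfNames; k++)
    {
        Name = RvaToString(pFileBuffer, pAddressOfName[k]);
        if (Name && !strcmp(Name, str))
        {
            Found = TRUE;
            break;
        }
    }
    if (!Found)
    {
        printf("未找到函数名称\n");
        return NULL;
    }

    // The ordinal comes from the file and indexes the function table.
    Ordinal = pAddressOfNameOrdinal[k];
    if (Ordinal >= pExportHeader->NumberOfFunctions)
    {
        printf("序号超出范围\n");
        return NULL;
    }

    printf("你要寻找的函数地址是=%x\n", pAddressOfFun[Ordinal]);
    return (LPVOID)(size_t)pAddressOfFun[Ordinal];
}

/*
 * Loads the DLL, prints its export table and resolves "DumpFix" by name.
 */
int main()
{
    LPVOID pFileBuffer = NULL;
    DWORD SizeOfFileBuffer = 0;

    // Call the FileBuffer function
    SizeOfFileBuffer = ReadPEFile(&pFileBuffer);
    if (!SizeOfFileBuffer)
    {
        printf("FileBuffer函数调用失败 \n");
        return 0;
    }

    PrintExport(pFileBuffer);
    GetAddressByName(pFileBuffer, "DumpFix");

    free(pFileBuffer); // the original never released the file buffer
    return 0;
}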