
逆向-第五次实验-PE文件解析


#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

/* Path of the PE file to parse. Filled from stdin in main() and opened by
 * ReadPEFile(); its size is the hard upper bound on the accepted path length,
 * so whatever reads into it must stay within sizeof FileName. */
char FileName[100]={0};

 


/* Dumps DOS/NT/file/optional/section headers of FileName to stdout. */
void PrintNTHeaders();
/* Reads FileName into a malloc'd buffer (caller frees); NULL on failure. */
LPVOID ReadPEFile();

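/*
 * Entry point: prompt for a path, store it in the global FileName, dump the
 * PE headers of that file, then echo the path.
 *
 * The path is read with fgets() bounded by sizeof FileName. The original used
 * gets(), which has no bound and overflows the 100-byte global on any longer
 * line (gets() was removed from the language in C11). fgets() keeps the
 * trailing newline, which would break fopen(), so it is stripped here.
 * A line longer than the buffer is silently truncated to 99 characters.
 *
 * Returns 0 on normal completion, 1 if no path could be read from stdin.
 */
int main(void)
{
    printf("Please input: (for example: D:/user/Desktop/PE文件对齐、内存对齐/解析pe头文件/实验.exe )\n");
    if (fgets(FileName, sizeof FileName, stdin) == NULL) {
        printf("no file name given!\n");
        return 1;
    }
    /* Drop the line terminator fgets() retains (handles "\r\n" too). */
    FileName[strcspn(FileName, "\r\n")] = '\0';

    PrintNTHeaders();

    puts(FileName);
    return 0;
}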


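/*
 * PE header dumper.
 *
 * The file named by FileName is read whole into a heap buffer and every
 * header is bounds-checked against the buffer size before it is
 * dereferenced. The original trusted e_lfanew, SizeOfOptionalHeader and
 * NumberOfSections straight from the file, so a truncated or crafted input
 * produced out-of-bounds reads; it also cast pointers through DWORD, which
 * truncates addresses in a 64-bit build, and freed the FILE* instead of the
 * data buffer on a short read.
 *
 * Only a PE32 optional header (Magic 0x10b) is decoded: IMAGE_OPTIONAL_HEADER32
 * does not describe a PE32+ (0x20b) header. The section table is printed for
 * either format, because its offset depends only on SizeOfOptionalHeader.
 *
 * Header structs are accessed through casts at file-derived offsets, so the
 * accesses may be unaligned; that is tolerated on the x86/x64 targets this
 * Windows-only code is built for.
 */

/* Print a WORD/BYTE field as hex; DWORD fields go through PE_PRINT_D. */
#define PE_PRINT_W(label, v) printf(label ": %x\n", (unsigned)(v))
#define PE_PRINT_D(label, v) printf(label ": %lx\n", (unsigned long)(v))

/* True when [off, off + len) lies inside a buffer of `total` bytes.
 * Written as a subtraction so off + len cannot overflow size_t. */
static int pe_in_bounds(size_t total, size_t off, size_t len)
{
    return off <= total && len <= total - off;
}

/*
 * Read the whole file named by FileName into a malloc'd buffer.
 *
 * out_size receives the byte count on success and 0 on failure. Returns the
 * buffer (owned by the caller, released with free()) or NULL after printing
 * the reason: open failure, empty/unsizable file, allocation failure, or a
 * short read.
 */
static unsigned char *pe_read_file(size_t *out_size)
{
    FILE *fp = NULL;
    long length = 0;
    unsigned char *buf = NULL;

    *out_size = 0;

    fp = fopen(FileName, "rb");
    if (!fp) {
        printf("open file failure!\n");
        return NULL;
    }

    /* Size via fseek/ftell; ftell() returns -1L on error and 0 for an
     * empty file, neither of which can hold a header. */
    if (fseek(fp, 0, SEEK_END) != 0) {
        printf("read data failure!\n");
        fclose(fp);
        return NULL;
    }
    length = ftell(fp);
    if (length <= 0 || fseek(fp, 0, SEEK_SET) != 0) {
        printf("read data failure!\n");
        fclose(fp);
        return NULL;
    }

    buf = malloc((size_t)length);
    if (!buf) {
        printf("allocation space failure!\n");
        fclose(fp);
        return NULL;
    }

    /* One element of `length` bytes: fread() returns 1 only on a full read. */
    if (fread(buf, (size_t)length, 1, fp) != 1) {
        printf("read data failure!\n");
        fclose(fp);
        free(buf);
        return NULL;
    }

    fclose(fp);
    *out_size = (size_t)length;
    return buf;
}

/* Print an 8-byte section name. Bytes outside printable ASCII are shown as
 * '.', so a crafted name cannot push control sequences at the terminal, and
 * the name stops at the first NUL instead of emitting NUL bytes. */
static void pe_print_section_name(const BYTE *name)
{
    size_t k;

    printf("Name: ");
    for (k = 0; k < IMAGE_SIZEOF_SHORT_NAME && name[k] != '\0'; k++) {
        putchar((name[k] >= 0x20 && name[k] < 0x7f) ? name[k] : '.');
    }
    printf("\n");
}

/*
 * Parse the file named by FileName and print its DOS header, NT signature,
 * file header, PE32 optional header and section table to stdout.
 *
 * Every structure is checked to lie inside the file before it is read; on
 * any validation failure a message is printed, the buffer is freed and the
 * function returns. No value is returned and nothing is written but stdout.
 */
void PrintNTHeaders(void)
{
    unsigned char *base = NULL;         /* whole file image */
    size_t total = 0;                   /* bytes in base */
    size_t nt_off = 0;                  /* offset of the "PE\0\0" signature */
    size_t opt_off = 0;                 /* offset of the optional header */
    size_t sec_off = 0;                 /* offset of the first section header */
    PIMAGE_DOS_HEADER dos = NULL;
    PIMAGE_NT_HEADERS32 nt = NULL;
    PIMAGE_FILE_HEADER fh = NULL;
    PIMAGE_OPTIONAL_HEADER32 opt = NULL;
    PIMAGE_SECTION_HEADER sh = NULL;
    WORD nsec = 0;
    WORD idx = 0;

    base = pe_read_file(&total);
    if (!base) {
        printf("file read failure!\n");
        return;
    }

    /* DOS header: must fit entirely before e_magic / e_lfanew are read. */
    if (!pe_in_bounds(total, 0, sizeof(IMAGE_DOS_HEADER))) {
        printf("file too small for a DOS header\n");
        free(base);
        return;
    }
    dos = (PIMAGE_DOS_HEADER)base;
    if (dos->e_magic != IMAGE_DOS_SIGNATURE) {
        printf("not a valid 'MZ' signature!\n");
        free(base);
        return;
    }

    printf("\n*****************DOS Header*******************\n");
    PE_PRINT_W("'MZ' Flag", dos->e_magic);
    PE_PRINT_D("PE Offset", dos->e_lfanew);

    /* e_lfanew is a signed LONG: reject negative values and anything that
     * would place the signature plus file header past the end of the file.
     * Offsets are applied as byte arithmetic on `base`, never through a
     * DWORD cast of the pointer. */
    if (dos->e_lfanew < 0 ||
        !pe_in_bounds(total, (size_t)dos->e_lfanew,
                      sizeof(DWORD) + IMAGE_SIZEOF_FILE_HEADER)) {
        printf("PE header offset lies outside the file\n");
        free(base);
        return;
    }
    nt_off = (size_t)dos->e_lfanew;
    nt = (PIMAGE_NT_HEADERS32)(base + nt_off);
    if (nt->Signature != IMAGE_NT_SIGNATURE) {
        printf("not a valid PE signature\n");
        free(base);
        return;
    }

    printf("\n**********************************************************************\n");
    printf("\n********************************NT Header*****************************\n");
    PE_PRINT_D("NT Flag", nt->Signature);

    /* The file header immediately follows the 4-byte signature; the struct
     * member gives that offset without manual pointer arithmetic. */
    fh = &nt->FileHeader;

    printf("*************************File Header****************\n");
    PE_PRINT_W("Machine", fh->Machine);
    PE_PRINT_W("NumberOfSections", fh->NumberOfSections);
    PE_PRINT_D("TimeDateStamp", fh->TimeDateStamp);
    PE_PRINT_D("PointerToSymbolTable", fh->PointerToSymbolTable);
    PE_PRINT_D("NumberOfSymbols", fh->NumberOfSymbols);
    PE_PRINT_W("SizeOfOptionalHeader", fh->SizeOfOptionalHeader);
    PE_PRINT_W("Characteristics", fh->Characteristics);
    nsec = fh->NumberOfSections;

    /* Optional header: its real length is SizeOfOptionalHeader, which a
     * crafted file may set to anything, so check it before touching it. */
    opt_off = nt_off + sizeof(DWORD) + IMAGE_SIZEOF_FILE_HEADER;
    if (!pe_in_bounds(total, opt_off, fh->SizeOfOptionalHeader)) {
        printf("optional header lies outside the file\n");
        free(base);
        return;
    }

    printf("***********************Optional Header******************\n");
    if (fh->SizeOfOptionalHeader < sizeof(WORD)) {
        printf("(optional header absent; fields skipped)\n");
    } else {
        WORD magic = *(PWORD)(base + opt_off);

        PE_PRINT_W("Magic", magic);
        /* Decode only PE32, and only if the fixed part (everything before
         * DataDirectory, which is all that gets printed) is present. */
        if (magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC &&
            fh->SizeOfOptionalHeader >= offsetof(IMAGE_OPTIONAL_HEADER32, DataDirectory)) {
            opt = (PIMAGE_OPTIONAL_HEADER32)(base + opt_off);
            PE_PRINT_W("MajorLinkerVersion", opt->MajorLinkerVersion);
            PE_PRINT_W("MinorLinkerVersion", opt->MinorLinkerVersion);
            PE_PRINT_D("SizeOfCode", opt->SizeOfCode);
            PE_PRINT_D("SizeOfInitializedData", opt->SizeOfInitializedData);
            PE_PRINT_D("SizeOfUninitializedData", opt->SizeOfUninitializedData);
            PE_PRINT_D("AddressOfEntryPoint", opt->AddressOfEntryPoint);
            PE_PRINT_D("BaseOfCode", opt->BaseOfCode);
            PE_PRINT_D("BaseOfData", opt->BaseOfData);
            PE_PRINT_D("ImageBase", opt->ImageBase);
            PE_PRINT_D("SectionAlignment", opt->SectionAlignment);
            PE_PRINT_D("FileAlignment", opt->FileAlignment);
            PE_PRINT_W("MajorOperatingSystemVersion", opt->MajorOperatingSystemVersion);
            PE_PRINT_W("MinorOperatingSystemVersion", opt->MinorOperatingSystemVersion);
            PE_PRINT_W("MajorImageVersion", opt->MajorImageVersion);
            PE_PRINT_W("MinorImageVersion", opt->MinorImageVersion);
            PE_PRINT_W("MajorSubsystemVersion", opt->MajorSubsystemVersion);
            PE_PRINT_W("MinorSubsystemVersion", opt->MinorSubsystemVersion);
            PE_PRINT_D("Win32VersionValue", opt->Win32VersionValue);
            PE_PRINT_D("SizeOfImage", opt->SizeOfImage);
            PE_PRINT_D("SizeOfHeaders", opt->SizeOfHeaders);
            PE_PRINT_D("CheckSum", opt->CheckSum);
            PE_PRINT_W("Subsystem", opt->Subsystem);
            PE_PRINT_W("DllCharacteristics", opt->DllCharacteristics);
            PE_PRINT_D("SizeOfStackReserve", opt->SizeOfStackReserve);
            PE_PRINT_D("SizeOfStackCommit", opt->SizeOfStackCommit);
            PE_PRINT_D("SizeOfHeapReserve", opt->SizeOfHeapReserve);
            PE_PRINT_D("SizeOfHeapCommit", opt->SizeOfHeapCommit);
            PE_PRINT_D("LoaderFlags", opt->LoaderFlags);
            PE_PRINT_D("NumberOfRvaAndSizes", opt->NumberOfRvaAndSizes);
        } else {
            printf("(optional header is not PE32 or is truncated; fields skipped)\n");
        }
    }

    /* Section table follows the optional header; NumberOfSections is a WORD,
     * so nsec * 40 cannot overflow size_t, but it can exceed the file. */
    sec_off = opt_off + fh->SizeOfOptionalHeader;
    if (!pe_in_bounds(total, sec_off, (size_t)nsec * IMAGE_SIZEOF_SECTION_HEADER)) {
        printf("section table lies outside the file\n");
        free(base);
        return;
    }

    printf("\n***************************************************************\n\n");
    printf("***********************Section Header****************************\n");

    sh = (PIMAGE_SECTION_HEADER)(base + sec_off);
    for (idx = 0; idx < nsec; idx++, sh++) {
        pe_print_section_name(sh->Name);
        PE_PRINT_D("VirtualAddress", sh->VirtualAddress);
        PE_PRINT_D("SizeOfRawData", sh->SizeOfRawData);
        PE_PRINT_D("PointerToRawData", sh->PointerToRawData);
        PE_PRINT_D("PointerToRelocations", sh->PointerToRelocations);
        PE_PRINT_D("PointerToLinenumbers", sh->PointerToLinenumbers);
        PE_PRINT_W("NumberOfRelocations", sh->NumberOfRelocations);
        PE_PRINT_W("NumberOfLinenumbers", sh->NumberOfLinenumbers);
        PE_PRINT_D("Characteristics", sh->Characteristics);
        printf("\n");
    }

    free(base);
}

#undef PE_PRINT_W
#undef PE_PRINT_D


/*
 * Public reader kept for callers that only want the bytes: reads FileName
 * into a malloc'd buffer and returns it, or NULL (after printing the reason)
 * on failure. The caller owns the buffer and must free() it. The file size
 * is not reported through this interface; PrintNTHeaders() uses the sized
 * pe_read_file() so it can bounds-check the headers.
 */
LPVOID ReadPEFile(void)
{
    size_t size_unused = 0;

    return pe_read_file(&size_unused);
}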

 

From: https://www.cnblogs.com/nish1hundun/p/17381106.html
