PE ANALYSER PE, format, IAT, import table, sections, Source N°45416

Information sur la source

Catégorie :Application Classé sous : PE, format, IAT, import table, sections Niveau : Initié Date de création : 13/01/2008 Vu : 1 786

Auteur : lilxam7

Site perso

Ecrire un message privé

Note :
Aucune note

Commentaire sur cette source (0)

Ajouter un commentaire et/ou une note

Description

Ce code montre comment récupérer des informations sur l'entete, les sections ainsi que l'import table q'un programme. J'ai essayé de faire une code clair en donnant les infos necessaires pour comprendre. Si vous avez une question n'hesitez pas :)
Le code est disponnible aussi ici : http://lilxam.blogspot.com/2008/01/pe-analyser.html

Have Fun ;)
lilxam.

Source

#include <windows.h>
#include <iostream>
int main()
{
printf("-------------------------------/ PE analyser \\-------------------------------\n\n");
HANDLE hProgram = GetModuleHandle(NULL);
if(hProgram != NULL)
{
/*
typedef struct _IMAGE_DOS_HEADER // DOS .EXE header
{
0h WORD e_magic; // Magic number
2h WORD e_cblp; // Bytes on last page of file
4h WORD e_cp; // Pages in file
6h WORD e_crlc; // Relocations
8h WORD e_cparhdr; // Size of header in paragraphs
Ah WORD e_minalloc; // Minimum extra paragraphs needed
Ch WORD e_maxalloc; // Maximum extra paragraphs needed
Eh WORD e_ss; // Initial (relative) SS value
10h WORD e_sp; // Initial SP value
12h WORD e_csum; // Checksum
14h WORD e_ip; // Initial IP value
16h WORD e_cs; // Initial (relative) CS value
18h WORD e_lfarlc; // File address of relocation table
1Ah WORD e_ovno; // Overlay number
1Ch WORD e_res[4]; // Reserved words
24h WORD e_oemid; // OEM identifier (for e_oeminfo)
26h WORD e_oeminfo; // OEM information; e_oemid specific
28h WORD e_res2[10]; // Reserved words
3Ch LONG e_lfanew; // File address of new exe header
}
IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
*/
PIMAGE_DOS_HEADER structPE = (PIMAGE_DOS_HEADER) hProgram;
printf("\nMagic Number : %x", structPE->e_magic);
if(structPE->e_magic == 0x5a4d) //0x5a4d -> MZ -> IMAGE_DOS_SIGNATURE
{
/*
typedef struct _IMAGE_NT_HEADERS
{
0h DWORD Signature;
4h IMAGE_FILE_HEADER FileHeader;
18h IMAGE_OPTIONAL_HEADER OptionalHeader;
}
IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;
*/
PIMAGE_NT_HEADERS HeaderPE = (PIMAGE_NT_HEADERS)(structPE->e_lfanew+ (DWORD)structPE);
printf("\nHeader Signature : %x", HeaderPE->Signature);
if(HeaderPE->Signature == 0x4550) // 0x00004550 -> PE00 -> IMAGE_NT_SIGNATURE
{
/*
typedef struct _IMAGE_OPTIONAL_HEADER
{
0h WORD Magic;
2h BYTE MajorLinkerVersion;
3h BYTE MinorLinkerVersion;
4h DWORD SizeOfCode;
8h DWORD SizeOfInitializedData;
Ch DWORD SizeOfUninitializedData;
10h DWORD AddressOfEntryPoint;
14h DWORD BaseOfCode;
18h DWORD BaseOfData;
1Ch DWORD ImageBase;
20h DWORD SectionAlignment;
24h DWORD FileAlignment;
28h WORD MajorOperatingSystemVersion;
2Ah WORD MinorOperatingSystemVersion;
2Ch WORD MajorImageVersion;
2Eh WORD MinorImageVersion;
30h WORD MajorSubsystemVersion;
32h WORD MinorSubsystemVersion;
34h DWORD Win32VersionValue;
38h DWORD SizeOfImage;
3Ch DWORD SizeOfHeaders;
40h DWORD CheckSum;
44h WORD Subsystem;
46h WORD DllCharacteristics;
48h DWORD SizeOfStackReserve;
4Ch DWORD SizeOfStackCommit;
50h DWORD SizeOfHeapReserve;
54h DWORD SizeOfHeapCommit;
58h DWORD LoaderFlags;
5Ch DWORD NumberOfRvaAndSizes;
60h IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
}
IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;
*/
PIMAGE_OPTIONAL_HEADER OptionalHeaderPE = &HeaderPE->OptionalHeader;
printf("\nEntry Point : 0x%x", OptionalHeaderPE->AddressOfEntryPoint);
printf("\nBase Of Code : 0x%x", OptionalHeaderPE->BaseOfCode);
printf("\nBase Of Data : 0x%x", OptionalHeaderPE->BaseOfData);
printf("\nImage Base : 0x%x", OptionalHeaderPE->ImageBase);
printf("\nSize Of Code : 0x%x", OptionalHeaderPE->SizeOfCode);
printf("\nSize Of Image : 0x%x", OptionalHeaderPE->SizeOfImage);
printf("\nSize Of Header : 0x%x", OptionalHeaderPE->SizeOfHeaders);
/*
typedef struct _IMAGE_FILE_HEADER
{
0h WORD Machine;
2h WORD NumberOfSections;
4h DWORD TimeDateStamp;
8h DWORD PointerToSymbolTable;
Ch DWORD NumberOfSymbols;
10h WORD SizeOfOptionalHeader;
12h WORD Characteristics;
}
IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
*/
PIMAGE_FILE_HEADER FileHeader = &HeaderPE->FileHeader;
printf("\nNumber Of Sections : %d", FileHeader->NumberOfSections);
/*
typedef struct _IMAGE_SECTION_HEADER {
BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
union {
DWORD PhysicalAddress;
DWORD VirtualSize;
} Misc;
DWORD VirtualAddress;
DWORD SizeOfRawData;
DWORD PointerToRawData;
DWORD PointerToRelocations;
DWORD PointerToLinenumbers;
WORD NumberOfRelocations;
WORD NumberOfLinenumbers;
DWORD Characteristics;
} IMAGE_SECTION_HEADER,*PIMAGE_SECTION_HEADER;
*/
PIMAGE_SECTION_HEADER Section;
Section = (PIMAGE_SECTION_HEADER)IMAGE_FIRST_SECTION(HeaderPE);
for(int i = 0; i <= FileHeader->NumberOfSections-1; i++)
{
printf("\n\n----------| Section : [%s] |----------", Section[i].Name);
printf("\n [+] Virtual Size : 0x%x", Section[i].Misc.VirtualSize);
printf("\n [+] Virtual Address : 0x%x", Section[i].VirtualAddress);
printf("\n [+] Size Of Raw Data : 0x%x", Section[i].SizeOfRawData);
printf("\n [+] Ponter To Raw Data : 0x%x", Section[i].PointerToRawData);
printf("\n [+] Pointer To Relocations : 0x%x", Section[i].PointerToRelocations);
printf("\n [+] Pointer To Line Numbers : 0x%x", Section[i].PointerToLinenumbers);
printf("\n [+] Characteristics : %x", Section[i].Characteristics);
}
/*
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
_ANONYMOUS_UNION union {
DWORD Characteristics;
DWORD OriginalFirstThunk;
} DUMMYUNIONNAME;
DWORD TimeDateStamp;
DWORD ForwarderChain;
DWORD Name;
DWORD FirstThunk;
} IMAGE_IMPORT_DESCRIPTOR,*PIMAGE_IMPORT_DESCRIPTOR;
*/
printf("\n\n\n--------------------| Import Table |--------------------");
PIMAGE_IMPORT_DESCRIPTOR pIATDesc = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)OptionalHeaderPE->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (DWORD)structPE);
while(*(PDWORD)pIATDesc != 0)
{
printf("\n");
/*
typedef struct _IMAGE_THUNK_DATA32 {
union {
DWORD ForwarderString;
DWORD Function;
DWORD Ordinal;
DWORD AddressOfData;
} u1;
} IMAGE_THUNK_DATA32,*PIMAGE_THUNK_DATA32;
*/
PIMAGE_THUNK_DATA32 ThunkImg = (PIMAGE_THUNK_DATA32)((DWORD)pIATDesc->OriginalFirstThunk + (DWORD) structPE);
while(*(PDWORD)ThunkImg != 0)
{
/*
typedef struct _IMAGE_IMPORT_BY_NAME {
WORD Hint;
BYTE Name[1];
} IMAGE_IMPORT_BY_NAME,*PIMAGE_IMPORT_BY_NAME;
*/
PIMAGE_IMPORT_BY_NAME pFuncName = (PIMAGE_IMPORT_BY_NAME)(ThunkImg->u1.AddressOfData + (DWORD)structPE);
printf("\n [+] Function : %s -> Address : 0x%x", pFuncName->Name, ThunkImg->u1.Function);
ThunkImg++;
}
pIATDesc++;
}
}
else
printf("\n[!]Not a PE format");
}
else
printf("\n[!]Not a DOS executable");
}
printf("\n\n");
system("pause");
return 0;
}

#include <windows.h>
#include <iostream>

int main()
{
    printf("-------------------------------/ PE analyser \\-------------------------------\n\n");

    HANDLE hProgram = GetModuleHandle(NULL);
    
    if(hProgram != NULL)
    {
        /*
        typedef struct _IMAGE_DOS_HEADER // DOS .EXE header
            {
         0h	WORD e_magic;		// Magic number
         2h	WORD e_cblp;		// Bytes on last page of file
         4h	WORD e_cp;  		// Pages in file
         6h	WORD e_crlc;		// Relocations
         8h	WORD e_cparhdr;		// Size of header in paragraphs
         Ah	WORD e_minalloc;	// Minimum extra paragraphs needed
         Ch	WORD e_maxalloc;	// Maximum extra paragraphs needed
         Eh	WORD e_ss;  		// Initial (relative) SS value
        10h	WORD e_sp;  		// Initial SP value
        12h	WORD e_csum;		// Checksum
        14h	WORD e_ip;  		// Initial IP value
        16h	WORD e_cs;  		// Initial (relative) CS value
        18h	WORD e_lfarlc;		// File address of relocation table
        1Ah	WORD e_ovno;		// Overlay number
        1Ch	WORD e_res[4];		// Reserved words
        24h	WORD e_oemid;		// OEM identifier (for e_oeminfo)
        26h	WORD e_oeminfo;		// OEM information; e_oemid specific
        28h	WORD e_res2[10];	// Reserved words
        3Ch	LONG e_lfanew;		// File address of new exe header
            }
            IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
        */
        PIMAGE_DOS_HEADER structPE = (PIMAGE_DOS_HEADER) hProgram;
        printf("\nMagic Number : %x", structPE->e_magic);
        
        if(structPE->e_magic == 0x5a4d) //0x5a4d -> MZ -> IMAGE_DOS_SIGNATURE
        {
            
            /*
            typedef struct _IMAGE_NT_HEADERS
                {
             0h	DWORD Signature;
             4h	IMAGE_FILE_HEADER FileHeader;
            18h	IMAGE_OPTIONAL_HEADER OptionalHeader;
                }
                IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;
            */
            PIMAGE_NT_HEADERS HeaderPE = (PIMAGE_NT_HEADERS)(structPE->e_lfanew+ (DWORD)structPE);
            printf("\nHeader Signature : %x", HeaderPE->Signature);
            
            if(HeaderPE->Signature == 0x4550) // 0x00004550 -> PE00 -> IMAGE_NT_SIGNATURE
            {
                
                /*
                typedef struct _IMAGE_OPTIONAL_HEADER
                    {
                 0h	WORD   Magic;
                 2h	BYTE   MajorLinkerVersion;
                 3h	BYTE   MinorLinkerVersion;
                 4h	DWORD  SizeOfCode;
                 8h	DWORD  SizeOfInitializedData;
                 Ch	DWORD  SizeOfUninitializedData;
                10h	DWORD  AddressOfEntryPoint;
                14h	DWORD  BaseOfCode;
                18h	DWORD  BaseOfData;
                1Ch	DWORD  ImageBase;
                20h	DWORD  SectionAlignment;
                24h	DWORD  FileAlignment;
                28h	WORD   MajorOperatingSystemVersion;
                2Ah	WORD   MinorOperatingSystemVersion;
                2Ch	WORD   MajorImageVersion;
                2Eh	WORD   MinorImageVersion;
                30h	WORD   MajorSubsystemVersion;
                32h	WORD   MinorSubsystemVersion;
                34h	DWORD  Win32VersionValue;
                38h	DWORD  SizeOfImage;
                3Ch	DWORD  SizeOfHeaders;
                40h	DWORD  CheckSum;
                44h	WORD   Subsystem;
                46h	WORD   DllCharacteristics;
                48h	DWORD  SizeOfStackReserve;
                4Ch	DWORD  SizeOfStackCommit;
                50h	DWORD  SizeOfHeapReserve;
                54h	DWORD  SizeOfHeapCommit;
                58h	DWORD  LoaderFlags;
                5Ch	DWORD  NumberOfRvaAndSizes;
                60h	IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
                    }
                    IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;
                */

                PIMAGE_OPTIONAL_HEADER OptionalHeaderPE = &HeaderPE->OptionalHeader;
                printf("\nEntry Point : 0x%x", OptionalHeaderPE->AddressOfEntryPoint);
                printf("\nBase Of Code : 0x%x", OptionalHeaderPE->BaseOfCode);
                printf("\nBase Of Data : 0x%x", OptionalHeaderPE->BaseOfData);
                printf("\nImage Base : 0x%x", OptionalHeaderPE->ImageBase);
                printf("\nSize Of Code : 0x%x", OptionalHeaderPE->SizeOfCode);
                printf("\nSize Of Image : 0x%x", OptionalHeaderPE->SizeOfImage);
                printf("\nSize Of Header : 0x%x", OptionalHeaderPE->SizeOfHeaders);
                
                /*
                typedef struct _IMAGE_FILE_HEADER
                    {
                 0h	WORD  Machine;
                 2h	WORD  NumberOfSections;
                 4h	DWORD TimeDateStamp;
                 8h	DWORD PointerToSymbolTable;
                 Ch	DWORD NumberOfSymbols;
                10h	WORD  SizeOfOptionalHeader;
                12h	WORD  Characteristics;
                    }
                    IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
                */
                PIMAGE_FILE_HEADER FileHeader = &HeaderPE->FileHeader;
                printf("\nNumber Of Sections : %d", FileHeader->NumberOfSections);
                
                /*
                typedef struct _IMAGE_SECTION_HEADER {
            	BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
            	union {
            		DWORD PhysicalAddress;
            		DWORD VirtualSize;
            	} Misc;
            	DWORD VirtualAddress;
            	DWORD SizeOfRawData;
            	DWORD PointerToRawData;
            	DWORD PointerToRelocations;
            	DWORD PointerToLinenumbers;
            	WORD NumberOfRelocations;
            	WORD NumberOfLinenumbers;
            	DWORD Characteristics;
                } IMAGE_SECTION_HEADER,*PIMAGE_SECTION_HEADER;
                */

                PIMAGE_SECTION_HEADER Section;
                Section = (PIMAGE_SECTION_HEADER)IMAGE_FIRST_SECTION(HeaderPE);
                for(int i = 0; i <= FileHeader->NumberOfSections-1; i++)
                {
                    printf("\n\n----------| Section : [%s] |----------", Section[i].Name);
                    printf("\n     [+] Virtual Size : 0x%x", Section[i].Misc.VirtualSize);
                    printf("\n     [+] Virtual Address : 0x%x", Section[i].VirtualAddress);
                    printf("\n     [+] Size Of Raw Data : 0x%x", Section[i].SizeOfRawData);
                    printf("\n     [+] Ponter To Raw Data : 0x%x", Section[i].PointerToRawData);
                    printf("\n     [+] Pointer To Relocations : 0x%x", Section[i].PointerToRelocations);
                    printf("\n     [+] Pointer To Line Numbers : 0x%x", Section[i].PointerToLinenumbers);
                    printf("\n     [+] Characteristics : %x", Section[i].Characteristics);
                }
                
                /*
                typedef struct _IMAGE_IMPORT_DESCRIPTOR {
            	_ANONYMOUS_UNION union {
            		DWORD Characteristics;
            		DWORD OriginalFirstThunk;
            	} DUMMYUNIONNAME;
            	DWORD TimeDateStamp;
            	DWORD ForwarderChain;
            	DWORD Name;
            	DWORD FirstThunk;
            } IMAGE_IMPORT_DESCRIPTOR,*PIMAGE_IMPORT_DESCRIPTOR;
            */
                printf("\n\n\n--------------------| Import Table |--------------------");
                PIMAGE_IMPORT_DESCRIPTOR pIATDesc = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)OptionalHeaderPE->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (DWORD)structPE);
                
                while(*(PDWORD)pIATDesc != 0)
                {
                    printf("\n");
                    /*
                    typedef struct _IMAGE_THUNK_DATA32 {
                	union {
                		DWORD ForwarderString;
                		DWORD Function;
                		DWORD Ordinal;
                		DWORD AddressOfData;
                	} u1;
                    } IMAGE_THUNK_DATA32,*PIMAGE_THUNK_DATA32;
                    */
                    PIMAGE_THUNK_DATA32 ThunkImg = (PIMAGE_THUNK_DATA32)((DWORD)pIATDesc->OriginalFirstThunk + (DWORD) structPE);
                    
                    
                    while(*(PDWORD)ThunkImg != 0)
                    {
                        /*
                        typedef struct _IMAGE_IMPORT_BY_NAME {
                    	WORD Hint;
                    	BYTE Name[1];
                        } IMAGE_IMPORT_BY_NAME,*PIMAGE_IMPORT_BY_NAME;
                        */

                        PIMAGE_IMPORT_BY_NAME pFuncName = (PIMAGE_IMPORT_BY_NAME)(ThunkImg->u1.AddressOfData + (DWORD)structPE);
                        printf("\n     [+] Function : %s -> Address : 0x%x", pFuncName->Name, ThunkImg->u1.Function);
                        ThunkImg++;
                    }
                    pIATDesc++;
                }
            }
            else
                printf("\n[!]Not a PE format");
        }
        else
            printf("\n[!]Not a DOS executable");
    }
    printf("\n\n");
    system("pause");
    return 0;
}