|
 Trouver une ressource
Vous ne trouvez pas de réponse à votre problème ? Alors posez la question dans le forum. Souvenez-vous qu'il n'y a jamais de question bête, mais rester dans l'ignorance parce que l'on n'ose pas poser une question, ça c'est une erreur !
 PE ANALYSER
 Information sur la source
 Description
Ce code montre comment récupérer des informations sur l'entete, les sections ainsi que l'import table q'un programme. J'ai essayé de faire une code clair en donnant les infos necessaires pour comprendre. Si vous avez une question n'hesitez pas :) Le code est disponnible aussi ici : http://lilxam.blogspot.com/2008/01/pe-analyser.html Have Fun ;) lilxam.
 Source
- #include <windows.h>
- #include <iostream>
-
- int main()
- {
- printf("-------------------------------/ PE analyser \\-------------------------------\n\n");
-
- HANDLE hProgram = GetModuleHandle(NULL);
-
- if(hProgram != NULL)
- {
- /*
- typedef struct _IMAGE_DOS_HEADER // DOS .EXE header
- {
- 0h WORD e_magic; // Magic number
- 2h WORD e_cblp; // Bytes on last page of file
- 4h WORD e_cp; // Pages in file
- 6h WORD e_crlc; // Relocations
- 8h WORD e_cparhdr; // Size of header in paragraphs
- Ah WORD e_minalloc; // Minimum extra paragraphs needed
- Ch WORD e_maxalloc; // Maximum extra paragraphs needed
- Eh WORD e_ss; // Initial (relative) SS value
- 10h WORD e_sp; // Initial SP value
- 12h WORD e_csum; // Checksum
- 14h WORD e_ip; // Initial IP value
- 16h WORD e_cs; // Initial (relative) CS value
- 18h WORD e_lfarlc; // File address of relocation table
- 1Ah WORD e_ovno; // Overlay number
- 1Ch WORD e_res[4]; // Reserved words
- 24h WORD e_oemid; // OEM identifier (for e_oeminfo)
- 26h WORD e_oeminfo; // OEM information; e_oemid specific
- 28h WORD e_res2[10]; // Reserved words
- 3Ch LONG e_lfanew; // File address of new exe header
- }
- IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
- */
- PIMAGE_DOS_HEADER structPE = (PIMAGE_DOS_HEADER) hProgram;
- printf("\nMagic Number : %x", structPE->e_magic);
-
- if(structPE->e_magic == 0x5a4d) //0x5a4d -> MZ -> IMAGE_DOS_SIGNATURE
- {
-
- /*
- typedef struct _IMAGE_NT_HEADERS
- {
- 0h DWORD Signature;
- 4h IMAGE_FILE_HEADER FileHeader;
- 18h IMAGE_OPTIONAL_HEADER OptionalHeader;
- }
- IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;
- */
- PIMAGE_NT_HEADERS HeaderPE = (PIMAGE_NT_HEADERS)(structPE->e_lfanew+ (DWORD)structPE);
- printf("\nHeader Signature : %x", HeaderPE->Signature);
-
- if(HeaderPE->Signature == 0x4550) // 0x00004550 -> PE00 -> IMAGE_NT_SIGNATURE
- {
-
- /*
- typedef struct _IMAGE_OPTIONAL_HEADER
- {
- 0h WORD Magic;
- 2h BYTE MajorLinkerVersion;
- 3h BYTE MinorLinkerVersion;
- 4h DWORD SizeOfCode;
- 8h DWORD SizeOfInitializedData;
- Ch DWORD SizeOfUninitializedData;
- 10h DWORD AddressOfEntryPoint;
- 14h DWORD BaseOfCode;
- 18h DWORD BaseOfData;
- 1Ch DWORD ImageBase;
- 20h DWORD SectionAlignment;
- 24h DWORD FileAlignment;
- 28h WORD MajorOperatingSystemVersion;
- 2Ah WORD MinorOperatingSystemVersion;
- 2Ch WORD MajorImageVersion;
- 2Eh WORD MinorImageVersion;
- 30h WORD MajorSubsystemVersion;
- 32h WORD MinorSubsystemVersion;
- 34h DWORD Win32VersionValue;
- 38h DWORD SizeOfImage;
- 3Ch DWORD SizeOfHeaders;
- 40h DWORD CheckSum;
- 44h WORD Subsystem;
- 46h WORD DllCharacteristics;
- 48h DWORD SizeOfStackReserve;
- 4Ch DWORD SizeOfStackCommit;
- 50h DWORD SizeOfHeapReserve;
- 54h DWORD SizeOfHeapCommit;
- 58h DWORD LoaderFlags;
- 5Ch DWORD NumberOfRvaAndSizes;
- 60h IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
- }
- IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;
- */
-
- PIMAGE_OPTIONAL_HEADER OptionalHeaderPE = &HeaderPE->OptionalHeader;
- printf("\nEntry Point : 0x%x", OptionalHeaderPE->AddressOfEntryPoint);
- printf("\nBase Of Code : 0x%x", OptionalHeaderPE->BaseOfCode);
- printf("\nBase Of Data : 0x%x", OptionalHeaderPE->BaseOfData);
- printf("\nImage Base : 0x%x", OptionalHeaderPE->ImageBase);
- printf("\nSize Of Code : 0x%x", OptionalHeaderPE->SizeOfCode);
- printf("\nSize Of Image : 0x%x", OptionalHeaderPE->SizeOfImage);
- printf("\nSize Of Header : 0x%x", OptionalHeaderPE->SizeOfHeaders);
-
- /*
- typedef struct _IMAGE_FILE_HEADER
- {
- 0h WORD Machine;
- 2h WORD NumberOfSections;
- 4h DWORD TimeDateStamp;
- 8h DWORD PointerToSymbolTable;
- Ch DWORD NumberOfSymbols;
- 10h WORD SizeOfOptionalHeader;
- 12h WORD Characteristics;
- }
- IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
- */
- PIMAGE_FILE_HEADER FileHeader = &HeaderPE->FileHeader;
- printf("\nNumber Of Sections : %d", FileHeader->NumberOfSections);
-
- /*
- typedef struct _IMAGE_SECTION_HEADER {
- BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
- union {
- DWORD PhysicalAddress;
- DWORD VirtualSize;
- } Misc;
- DWORD VirtualAddress;
- DWORD SizeOfRawData;
- DWORD PointerToRawData;
- DWORD PointerToRelocations;
- DWORD PointerToLinenumbers;
- WORD NumberOfRelocations;
- WORD NumberOfLinenumbers;
- DWORD Characteristics;
- } IMAGE_SECTION_HEADER,*PIMAGE_SECTION_HEADER;
- */
-
- PIMAGE_SECTION_HEADER Section;
- Section = (PIMAGE_SECTION_HEADER)IMAGE_FIRST_SECTION(HeaderPE);
- for(int i = 0; i <= FileHeader->NumberOfSections-1; i++)
- {
- printf("\n\n----------| Section : [%s] |----------", Section[i].Name);
- printf("\n [+] Virtual Size : 0x%x", Section[i].Misc.VirtualSize);
- printf("\n [+] Virtual Address : 0x%x", Section[i].VirtualAddress);
- printf("\n [+] Size Of Raw Data : 0x%x", Section[i].SizeOfRawData);
- printf("\n [+] Ponter To Raw Data : 0x%x", Section[i].PointerToRawData);
- printf("\n [+] Pointer To Relocations : 0x%x", Section[i].PointerToRelocations);
- printf("\n [+] Pointer To Line Numbers : 0x%x", Section[i].PointerToLinenumbers);
- printf("\n [+] Characteristics : %x", Section[i].Characteristics);
- }
-
- /*
- typedef struct _IMAGE_IMPORT_DESCRIPTOR {
- _ANONYMOUS_UNION union {
- DWORD Characteristics;
- DWORD OriginalFirstThunk;
- } DUMMYUNIONNAME;
- DWORD TimeDateStamp;
- DWORD ForwarderChain;
- DWORD Name;
- DWORD FirstThunk;
- } IMAGE_IMPORT_DESCRIPTOR,*PIMAGE_IMPORT_DESCRIPTOR;
- */
- printf("\n\n\n--------------------| Import Table |--------------------");
- PIMAGE_IMPORT_DESCRIPTOR pIATDesc = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)OptionalHeaderPE->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (DWORD)structPE);
-
- while(*(PDWORD)pIATDesc != 0)
- {
- printf("\n");
- /*
- typedef struct _IMAGE_THUNK_DATA32 {
- union {
- DWORD ForwarderString;
- DWORD Function;
- DWORD Ordinal;
- DWORD AddressOfData;
- } u1;
- } IMAGE_THUNK_DATA32,*PIMAGE_THUNK_DATA32;
- */
- PIMAGE_THUNK_DATA32 ThunkImg = (PIMAGE_THUNK_DATA32)((DWORD)pIATDesc->OriginalFirstThunk + (DWORD) structPE);
-
-
- while(*(PDWORD)ThunkImg != 0)
- {
- /*
- typedef struct _IMAGE_IMPORT_BY_NAME {
- WORD Hint;
- BYTE Name[1];
- } IMAGE_IMPORT_BY_NAME,*PIMAGE_IMPORT_BY_NAME;
- */
-
- PIMAGE_IMPORT_BY_NAME pFuncName = (PIMAGE_IMPORT_BY_NAME)(ThunkImg->u1.AddressOfData + (DWORD)structPE);
- printf("\n [+] Function : %s -> Address : 0x%x", pFuncName->Name, ThunkImg->u1.Function);
- ThunkImg++;
- }
- pIATDesc++;
- }
- }
- else
- printf("\n[!]Not a PE format");
- }
- else
- printf("\n[!]Not a DOS executable");
- }
- printf("\n\n");
- system("pause");
- return 0;
- }
-
#include <windows.h>
#include <iostream>
int main()
{
printf("-------------------------------/ PE analyser \\-------------------------------\n\n");
HANDLE hProgram = GetModuleHandle(NULL);
if(hProgram != NULL)
{
/*
typedef struct _IMAGE_DOS_HEADER // DOS .EXE header
{
0h WORD e_magic; // Magic number
2h WORD e_cblp; // Bytes on last page of file
4h WORD e_cp; // Pages in file
6h WORD e_crlc; // Relocations
8h WORD e_cparhdr; // Size of header in paragraphs
Ah WORD e_minalloc; // Minimum extra paragraphs needed
Ch WORD e_maxalloc; // Maximum extra paragraphs needed
Eh WORD e_ss; // Initial (relative) SS value
10h WORD e_sp; // Initial SP value
12h WORD e_csum; // Checksum
14h WORD e_ip; // Initial IP value
16h WORD e_cs; // Initial (relative) CS value
18h WORD e_lfarlc; // File address of relocation table
1Ah WORD e_ovno; // Overlay number
1Ch WORD e_res[4]; // Reserved words
24h WORD e_oemid; // OEM identifier (for e_oeminfo)
26h WORD e_oeminfo; // OEM information; e_oemid specific
28h WORD e_res2[10]; // Reserved words
3Ch LONG e_lfanew; // File address of new exe header
}
IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
*/
PIMAGE_DOS_HEADER structPE = (PIMAGE_DOS_HEADER) hProgram;
printf("\nMagic Number : %x", structPE->e_magic);
if(structPE->e_magic == 0x5a4d) //0x5a4d -> MZ -> IMAGE_DOS_SIGNATURE
{
/*
typedef struct _IMAGE_NT_HEADERS
{
0h DWORD Signature;
4h IMAGE_FILE_HEADER FileHeader;
18h IMAGE_OPTIONAL_HEADER OptionalHeader;
}
IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;
*/
PIMAGE_NT_HEADERS HeaderPE = (PIMAGE_NT_HEADERS)(structPE->e_lfanew+ (DWORD)structPE);
printf("\nHeader Signature : %x", HeaderPE->Signature);
if(HeaderPE->Signature == 0x4550) // 0x00004550 -> PE00 -> IMAGE_NT_SIGNATURE
{
/*
typedef struct _IMAGE_OPTIONAL_HEADER
{
0h WORD Magic;
2h BYTE MajorLinkerVersion;
3h BYTE MinorLinkerVersion;
4h DWORD SizeOfCode;
8h DWORD SizeOfInitializedData;
Ch DWORD SizeOfUninitializedData;
10h DWORD AddressOfEntryPoint;
14h DWORD BaseOfCode;
18h DWORD BaseOfData;
1Ch DWORD ImageBase;
20h DWORD SectionAlignment;
24h DWORD FileAlignment;
28h WORD MajorOperatingSystemVersion;
2Ah WORD MinorOperatingSystemVersion;
2Ch WORD MajorImageVersion;
2Eh WORD MinorImageVersion;
30h WORD MajorSubsystemVersion;
32h WORD MinorSubsystemVersion;
34h DWORD Win32VersionValue;
38h DWORD SizeOfImage;
3Ch DWORD SizeOfHeaders;
40h DWORD CheckSum;
44h WORD Subsystem;
46h WORD DllCharacteristics;
48h DWORD SizeOfStackReserve;
4Ch DWORD SizeOfStackCommit;
50h DWORD SizeOfHeapReserve;
54h DWORD SizeOfHeapCommit;
58h DWORD LoaderFlags;
5Ch DWORD NumberOfRvaAndSizes;
60h IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
}
IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;
*/
PIMAGE_OPTIONAL_HEADER OptionalHeaderPE = &HeaderPE->OptionalHeader;
printf("\nEntry Point : 0x%x", OptionalHeaderPE->AddressOfEntryPoint);
printf("\nBase Of Code : 0x%x", OptionalHeaderPE->BaseOfCode);
printf("\nBase Of Data : 0x%x", OptionalHeaderPE->BaseOfData);
printf("\nImage Base : 0x%x", OptionalHeaderPE->ImageBase);
printf("\nSize Of Code : 0x%x", OptionalHeaderPE->SizeOfCode);
printf("\nSize Of Image : 0x%x", OptionalHeaderPE->SizeOfImage);
printf("\nSize Of Header : 0x%x", OptionalHeaderPE->SizeOfHeaders);
/*
typedef struct _IMAGE_FILE_HEADER
{
0h WORD Machine;
2h WORD NumberOfSections;
4h DWORD TimeDateStamp;
8h DWORD PointerToSymbolTable;
Ch DWORD NumberOfSymbols;
10h WORD SizeOfOptionalHeader;
12h WORD Characteristics;
}
IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
*/
PIMAGE_FILE_HEADER FileHeader = &HeaderPE->FileHeader;
printf("\nNumber Of Sections : %d", FileHeader->NumberOfSections);
/*
typedef struct _IMAGE_SECTION_HEADER {
BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
union {
DWORD PhysicalAddress;
DWORD VirtualSize;
} Misc;
DWORD VirtualAddress;
DWORD SizeOfRawData;
DWORD PointerToRawData;
DWORD PointerToRelocations;
DWORD PointerToLinenumbers;
WORD NumberOfRelocations;
WORD NumberOfLinenumbers;
DWORD Characteristics;
} IMAGE_SECTION_HEADER,*PIMAGE_SECTION_HEADER;
*/
PIMAGE_SECTION_HEADER Section;
Section = (PIMAGE_SECTION_HEADER)IMAGE_FIRST_SECTION(HeaderPE);
for(int i = 0; i <= FileHeader->NumberOfSections-1; i++)
{
printf("\n\n----------| Section : [%s] |----------", Section[i].Name);
printf("\n [+] Virtual Size : 0x%x", Section[i].Misc.VirtualSize);
printf("\n [+] Virtual Address : 0x%x", Section[i].VirtualAddress);
printf("\n [+] Size Of Raw Data : 0x%x", Section[i].SizeOfRawData);
printf("\n [+] Ponter To Raw Data : 0x%x", Section[i].PointerToRawData);
printf("\n [+] Pointer To Relocations : 0x%x", Section[i].PointerToRelocations);
printf("\n [+] Pointer To Line Numbers : 0x%x", Section[i].PointerToLinenumbers);
printf("\n [+] Characteristics : %x", Section[i].Characteristics);
}
/*
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
_ANONYMOUS_UNION union {
DWORD Characteristics;
DWORD OriginalFirstThunk;
} DUMMYUNIONNAME;
DWORD TimeDateStamp;
DWORD ForwarderChain;
DWORD Name;
DWORD FirstThunk;
} IMAGE_IMPORT_DESCRIPTOR,*PIMAGE_IMPORT_DESCRIPTOR;
*/
printf("\n\n\n--------------------| Import Table |--------------------");
PIMAGE_IMPORT_DESCRIPTOR pIATDesc = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)OptionalHeaderPE->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (DWORD)structPE);
while(*(PDWORD)pIATDesc != 0)
{
printf("\n");
/*
typedef struct _IMAGE_THUNK_DATA32 {
union {
DWORD ForwarderString;
DWORD Function;
DWORD Ordinal;
DWORD AddressOfData;
} u1;
} IMAGE_THUNK_DATA32,*PIMAGE_THUNK_DATA32;
*/
PIMAGE_THUNK_DATA32 ThunkImg = (PIMAGE_THUNK_DATA32)((DWORD)pIATDesc->OriginalFirstThunk + (DWORD) structPE);
while(*(PDWORD)ThunkImg != 0)
{
/*
typedef struct _IMAGE_IMPORT_BY_NAME {
WORD Hint;
BYTE Name[1];
} IMAGE_IMPORT_BY_NAME,*PIMAGE_IMPORT_BY_NAME;
*/
PIMAGE_IMPORT_BY_NAME pFuncName = (PIMAGE_IMPORT_BY_NAME)(ThunkImg->u1.AddressOfData + (DWORD)structPE);
printf("\n [+] Function : %s -> Address : 0x%x", pFuncName->Name, ThunkImg->u1.Function);
ThunkImg++;
}
pIATDesc++;
}
}
else
printf("\n[!]Not a PE format");
}
else
printf("\n[!]Not a DOS executable");
}
printf("\n\n");
system("pause");
return 0;
}
 Sources du même auteur
 Sources de la même categorie
Sources en rapport avec celle ci
 Commentaires et avis
 Discussions en rapport avec ce code source dans le forum
Besoin d'un connaisseur en format PE/COFF [ par Kangourou_Nomade ]
Bonjour,je travaille sur un logiciel permettant de lister les dependances d'une image PE sous windows (DLL, EXE, OCX), exactement comme Depends, en mo
convertir format mac to dos [ par deutant ]
en compilant un fichier c++ que j ai récupére du net, l erreur suivante est apparue:error C4335: Format de fichier Mac détecté : convertissez le fichi
Transformer un char* en format Timestamp [ par IceFinger ]
Voila, mon probleme est simple, je suis totalement debutant en c, et je dois copier un data file dans une base de donnees. Seulement dans ce fichier l
fichier cso et Alcohol 120% [ par igore62 ]
bonjour avant je monté une image au format cso avec Alcohol 120% mais j ai du formaté mon pc cause de probleme après reinstallation de Alcohol 120% je
error pixel format [ par dark_naruto25 ]
Salut tout le monde !Je viens de me mettre à OpenGL et je rencontre déjà un problème à l'exécution du programme :GLUT: Fatal Error in Cube tournant.ex
Afficher JPEG avec DirectX [ par Roro8883 ]
Bonjour, je souhaite faire une mini visionneuse de photos pour un vieil ordinateur.Mais le problème c'est que jusqu'à maintenant, je n'utilisais que d
[C++ Builder] Comment charger un JPG puis le gérer ensuite comme un BMP ? [ par MikeGyver ]
Bonjour à tous !Je suis en train de concevoir un petit soft qui permettrait de redimensionner, recadrer, etc...des photos issues d'un APN afin de les
infos des boites de dialogue format et compression vidéo [ par steph12358 ]
Bonjour à tousquelqu'un connait-il un moyen de récupérer les informations qui peuvent être renseignées par l'utilisateur lors de l'appel de ? capDlgVi
ecriture d'un caractère au format exposant [ par toxjamescook ]
Bonjour,j'utilise borland c++ builder et j'aimerais pouvoir écrire un label du genre m3/h avec le trois sous format exposant.j'aimerais savoir quel es
format d'affichage d'un double [ par infodaoudi ]
bonjour,je veux afficher des doubles de facon à ce qu'il contiennent un nombre fixe de chiffre apres la virguleexp 0.2222je programme en c++, existe i
|
 Téléchargements
Logiciels à télécharger sur le même thème :
Comparez les prix Nouvelle version
HTC Touch HD
Entre 25€ et 605€
|