PE 파일 분석 - VC 예제 전체 코드 [EXPORT TABLE 포함하지 않음]
#include <windows.h>
#include <iostream>
#include <string>
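/* Path of the PE file to inspect. A narrow string: this sample assumes an ANSI (non-UNICODE)
   build, where TEXT(x) expands to x and CreateFile takes an LPCSTR. */
#define PE_FILE_NAME TEXT("C:\\WINDOWS\\system32\\notepad.exe")
/* Status messages printed by MapFileToView and Validate. */
#define CREATE_FILE_FAILURE " "
#define CREATE_MAPPING_FILE " "
#define MAP_VIEW_FAILURE " "
#define VALID_DOS_SIGNATURE " DOS "
#define VALID_PE_SIGNATURE " PE "
#define VALID_PE_FILE " PE "
#define INVALID_PE_FILE " PE "
/* Output helpers. Each wraps its argument in TEXT(), so a non-literal argument (a number or a
   char*) only compiles in an ANSI build. The trailing ';' inside the bodies is kept because the
   existing call sites rely on it. */
#define WRITE_LINE(msg) std::cout << TEXT(msg) << std::endl;
#define WRITE_LINE_EX(msg1,msg2) std::cout << TEXT(msg1) << TEXT(msg2) << std::endl;
#define WRITE(msg) std::cout << TEXT(msg);
/* Prints msg and returns FALSE (0) from the enclosing function; in MapFileToView that 0 converts
   to a NULL PVOID. Expands to two statements, so it must be used inside braces. */
#define PROCESS_FAILURE(msg) WRITE_LINE(msg)\
return FALSE;
/* Unused. Expanding one of these would declare a function pointer with the same name as the
   callback function declared below and clash with it. */
#define PE_PARSE_NT_HEADER_CALLBACK void (*PARSE_NT_HEADER_CALLBACK)(IMAGE_NT_HEADERS*)=NULL
#define PE_PARSE_SECTION_HEADER_CALLBACK void (*PARSE_SECTION_HEADER_CALLBACK)(IMAGE_SECTION_HEADER*,INT)=NULL
#define PE_PARSE_IMPORT_TABLE_CALLBACK void (*PARSE_IMPORT_TABLE_CALLBACK)(IMAGE_DATA_DIRECTORY*,PVOID)
/* First section header. winnt.h's IMAGE_FIRST_SECTION honours FileHeader.SizeOfOptionalHeader;
   "lpNtHeader + sizeof(*lpNtHeader)" only agrees with it when the optional header has its
   default size. */
#define GET_IMAGE_SECTION_HEADER(lpNtHeader) IMAGE_FIRST_SECTION(lpNtHeader)
/* Section count from the file header; taken from the file unchecked. */
#define GET_IMAGE_NUMBER_OF_SECTIONS(lpNtHeader) (lpNtHeader->FileHeader.NumberOfSections)
/* Unused. Adds an RVA straight to the base, which is only right for an image laid out at its
   virtual addresses, not for the flat file view this sample maps; use RVAToFileOffset. */
#define RVA_TO_OFFSET(pImageBase,rva) ((PVOID)((byte*)pImageBase+rva))
/* Maps filename read-only; returns the view base or NULL. The caller unmaps the view. */
PVOID MapFileToView(LPCSTR filename);
/* Returns the IMAGE_NT_HEADERS inside the mapping, or NULL if the DOS/PE signatures do not match. */
IMAGE_NT_HEADERS* GetPeHeader(LPVOID pMapping);
/* TRUE when the DOS "MZ" signature and the PE signature are both present. */
BOOL Validate(LPVOID pMapping);
/* Prints the file header and optional header fields. */
void PARSE_NT_HEADER_CALLBACK(IMAGE_NT_HEADERS* lpNtHeader);
/* Prints one line per section header. */
void PARSE_SECTION_HEADER_CALLBACK(IMAGE_SECTION_HEADER* lpSectionHeader,INT numberOfSections);
/* Walks the import directory and prints every imported DLL and function. */
void PARSE_IMPORT_TABLE_CALLBACK(IMAGE_DATA_DIRECTORY* lpImageDataDirectory,PVOID pImageBase);
/* RVA -> offset in the file view, resolved through the section table. */
DWORD RVAToFileOffset(PVOID,DWORD);
/* Prints the functions imported from one DLL (one thunk array). */
void PARSE_IMPORT_TABLE_FUNCTION_CALLBACK(PVOID,IMAGE_THUNK_DATA*);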
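/* Entry point: maps PE_FILE_NAME, checks the DOS/PE signatures, then prints the NT header,
   the section table and the import table. Returns 0 on success, 1 when the file could not
   be mapped or is not a PE file.
   The file is only ever mapped read-only as data and parsed as a flat file view; nothing in
   it is executed. Header fields (e_lfanew, NumberOfSections, RVAs) are trusted as read, so a
   malformed file can make the process fault rather than be reported cleanly. */
int main()
{
    // NULL here means MapFileToView already printed the failure reason.
    PVOID pMapping = MapFileToView(PE_FILE_NAME);
    if (pMapping == NULL)
    {
        return 1;
    }
    // NULL when the signatures do not match.
    IMAGE_NT_HEADERS* lpImageNtHeader = GetPeHeader(pMapping);
    if (lpImageNtHeader)
    {
        PARSE_NT_HEADER_CALLBACK(lpImageNtHeader);
        PARSE_SECTION_HEADER_CALLBACK(GET_IMAGE_SECTION_HEADER(lpImageNtHeader), GET_IMAGE_NUMBER_OF_SECTIONS(lpImageNtHeader));
        // DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT] is slot 1: the import table.
        PARSE_IMPORT_TABLE_CALLBACK(&(lpImageNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]), pMapping);
    }
    // main owns the view and releases it exactly once, on every path that mapped it.
    UnmapViewOfFile(pMapping);
    pMapping = NULL;
    return lpImageNtHeader ? 0 : 1;
}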
/* */
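/* Maps `filename` read-only into memory and returns the base of the view, or NULL on failure
   (a message is printed on every failure path). The caller releases the view with
   UnmapViewOfFile. The file and mapping handles are closed before returning on every path;
   a live view keeps the section object alive on its own.
   The size of the view is not returned, so callers cannot bounds-check offsets read from the
   file against it. */
PVOID MapFileToView(LPCSTR filename)
{
    HANDLE fHandle = ::CreateFile(filename,
                                  GENERIC_READ,
                                  FILE_SHARE_READ,
                                  NULL,
                                  OPEN_EXISTING,
                                  FILE_ATTRIBUTE_NORMAL,
                                  NULL);
    if (fHandle == INVALID_HANDLE_VALUE)
    {
        PROCESS_FAILURE(CREATE_FILE_FAILURE);
    }
    // PAGE_READONLY with a zero maximum size: the whole file, never writable.
    HANDLE hMapping = ::CreateFileMapping(fHandle, NULL, PAGE_READONLY, 0, 0, NULL);
    if (hMapping == NULL)
    {
        CloseHandle(fHandle);
        PROCESS_FAILURE(CREATE_MAPPING_FILE);
    }
    // Offset 0, length 0: view the entire mapping.
    LPVOID pMapping = ::MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);
    // Close both handles whether or not the view succeeded; the original code leaked them
    // when MapViewOfFile failed.
    CloseHandle(hMapping);
    CloseHandle(fHandle);
    hMapping = NULL;
    fHandle = NULL;
    if (pMapping == NULL)
    {
        PROCESS_FAILURE(MAP_VIEW_FAILURE);
    }
    return pMapping;
}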
/* PE */
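/* Returns TRUE when the mapping starts with the DOS "MZ" signature and the PE signature is
   found at e_lfanew; FALSE for a NULL mapping, a bad DOS signature, a negative e_lfanew or a
   bad PE signature.
   e_lfanew is not checked against the size of the view (MapFileToView does not expose it), so
   a crafted header can still point the PE-signature read outside the mapping. */
BOOL Validate(LPVOID pMapping)
{
    if (pMapping == NULL)
    {
        return FALSE;
    }
    IMAGE_DOS_HEADER* dosHeader = (IMAGE_DOS_HEADER*)pMapping;
    // Not even a DOS stub: do not follow e_lfanew at all.
    if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE)
    {
        return FALSE;
    }
    // e_lfanew is a LONG; a negative value would address memory before the view.
    if (dosHeader->e_lfanew < 0)
    {
        return FALSE;
    }
    IMAGE_NT_HEADERS* nt_header = (IMAGE_NT_HEADERS*)((byte*)pMapping + dosHeader->e_lfanew);
    return nt_header->Signature == IMAGE_NT_SIGNATURE;
}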
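/* Returns a pointer to the IMAGE_NT_HEADERS inside the mapping when the DOS and PE signatures
   check out, else NULL. Does NOT release the mapping on failure: the code that created the
   view owns it and unmaps it, and unmapping here as well made that a double unmap.
   NOTE: IMAGE_NT_HEADERS is the 32- or 64-bit variant of the build, not of the file; the
   fields past Signature are only meaningful when the two match. */
IMAGE_NT_HEADERS* GetPeHeader(LPVOID pMapping)
{
    if (pMapping == NULL)
    {
        return NULL;
    }
    IMAGE_DOS_HEADER* dosHeader = (IMAGE_DOS_HEADER*)pMapping;
    if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE || dosHeader->e_lfanew < 0)
    {
        return NULL;
    }
    IMAGE_NT_HEADERS* nt_header = (IMAGE_NT_HEADERS*)((byte*)pMapping + dosHeader->e_lfanew);
    if (nt_header->Signature != IMAGE_NT_SIGNATURE)
    {
        return NULL;
    }
    return nt_header;
}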
/* NT_HEADER */
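/* Prints the file-header and optional-header fields this sample reports. Switches std::cout
   to hex after the section count and leaves it there; the section and import callbacks that
   run afterwards print in hex because of this.
   NOTE: IMAGE_NT_HEADERS is the variant of the build (32- or 64-bit). The optional-header
   fields are only meaningful when the file's bitness matches; a check of
   OptionalHeader.Magic against IMAGE_NT_OPTIONAL_HDR32_MAGIC before printing would make that
   explicit for this 32-bit-oriented sample. */
void PARSE_NT_HEADER_CALLBACK(IMAGE_NT_HEADERS* lpNtHeader)
{
    if (!lpNtHeader)
    {
        return;
    }
    std::cout << TEXT("----------------------------------FILE HEADER------------------------------------------------") << std::endl;
    // Only the i386 machine type is distinguished; every other Machine value gets the second label.
    std::cout << (lpNtHeader->FileHeader.Machine == IMAGE_FILE_MACHINE_I386 ? TEXT(" :Intel 386") : TEXT(" : Intel 386")) << std::endl;
    // Printed in decimal: the switch to hex happens below.
    std::cout << TEXT(" :") << lpNtHeader->FileHeader.NumberOfSections << std::endl;
    std::cout << TEXT("----------------------------------FILE OPTIONAL HEADER--------------------------------------") << std::endl;
    std::cout.setf(std::ios::hex, std::ios::basefield);   // addresses and sizes from here on are hex
    std::cout << TEXT("PE PE RVA:") << lpNtHeader->OptionalHeader.AddressOfEntryPoint << std::endl;
    std::cout << TEXT("PE :") << lpNtHeader->OptionalHeader.ImageBase << std::endl;
    std::cout << TEXT(" :") << lpNtHeader->OptionalHeader.SectionAlignment << std::endl;
    std::cout << TEXT(" :") << lpNtHeader->OptionalHeader.FileAlignment << std::endl;
    std::cout << TEXT("win32 [ PE Win32 , 4.0 3 ]:") << lpNtHeader->OptionalHeader.MajorOperatingSystemVersion << "." << lpNtHeader->OptionalHeader.MinorOperatingSystemVersion << std::endl;
    std::cout << TEXT(" PE [ ]:") << lpNtHeader->OptionalHeader.SizeOfImage << std::endl;
    std::cout << TEXT(" + [ 。 PE ]:") << lpNtHeader->OptionalHeader.SizeOfHeaders << std::endl;
    std::cout << TEXT("PE :") << (lpNtHeader->OptionalHeader.Subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI ? TEXT(" ") : TEXT(" ")) << std::endl;
    std::cout << TEXT("----------------------------------FILE SECTION TABLE--------------------------------------") << std::endl;
    // The section table itself is printed by PARSE_SECTION_HEADER_CALLBACK, called by main.
}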
/* IMAGE_SECTION_HEADER */
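/* Prints one entry per section header: name, RVA, raw size and raw file offset. Does nothing
   for a NULL table or a non-positive count. `numberOfSections` comes from the file header and
   is not checked against the size of the view. Numbers print in whatever base std::cout is
   currently set to (hex after PARSE_NT_HEADER_CALLBACK). */
void PARSE_SECTION_HEADER_CALLBACK(IMAGE_SECTION_HEADER* lpSectionHeader, INT numberOfSections)
{
    if (!lpSectionHeader || numberOfSections <= 0)
    {
        return;
    }
    for (int i = 0; i < numberOfSections; i++, lpSectionHeader++)
    {
        // Name is IMAGE_SIZEOF_SHORT_NAME (8) bytes and is NOT NUL-terminated when all eight
        // are used. Streaming it as a C string would read past the field; copy at most eight
        // bytes and cut at the first NUL instead.
        const char* rawName = (const char*)lpSectionHeader->Name;
        std::string name(rawName, rawName + IMAGE_SIZEOF_SHORT_NAME);
        std::string::size_type nul = name.find('\0');
        if (nul != std::string::npos)
        {
            name.erase(nul);
        }
        std::cout << name << std::endl;
        std::cout << TEXT("\t RVA( ):") << lpSectionHeader->VirtualAddress << std::endl;
        std::cout << TEXT("\t :") << lpSectionHeader->SizeOfRawData << std::endl;
        std::cout << TEXT("\t :") << lpSectionHeader->PointerToRawData << std::endl;
    }
}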
/* PE import table: how the structures chain together
   IMAGE_DATA_DIRECTORY.VirtualAddress -->
   IMAGE_IMPORT_DESCRIPTOR.OriginalFirstThunk / IMAGE_IMPORT_DESCRIPTOR.FirstThunk --> // the IMAGE_IMPORT_DESCRIPTOR array ends with an all-zero entry
   IMAGE_THUNK_DATA -->
   IMAGE_IMPORT_BY_NAME.Name
*/
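/* Walks the import directory: for every IMAGE_IMPORT_DESCRIPTOR prints the DLL name and, via
   PARSE_IMPORT_TABLE_FUNCTION_CALLBACK, the functions imported from it, then the DLL count.
   Every RVA is resolved with RVAToFileOffset; none of the resulting offsets is checked against
   the size of the view, so a malformed table can make the walk read out of bounds. The walk
   stops at the first descriptor whose Name is 0 and is not capped by the directory's Size. */
void PARSE_IMPORT_TABLE_CALLBACK(IMAGE_DATA_DIRECTORY* lpImageDataDirectory, PVOID pImageBase)
{
    if (!lpImageDataDirectory || !pImageBase)
    {
        return;
    }
    std::cout << TEXT("----------------------------------PARSE IMPORT TABLE----------------------------------------") << std::endl;
    // A file without imports has an all-zero directory entry. Without this check the walk
    // would start at file offset 0 (the DOS header) and treat it as descriptors.
    if (lpImageDataDirectory->VirtualAddress == 0 || lpImageDataDirectory->Size == 0)
    {
        std::cout << TEXT(" DLL :") << 0 << std::endl;
        return;
    }
    int dllcounter = 0;
    IMAGE_IMPORT_DESCRIPTOR* lpImageImportDescriptor = (IMAGE_IMPORT_DESCRIPTOR*)((byte*)pImageBase + RVAToFileOffset(pImageBase, lpImageDataDirectory->VirtualAddress));
    for (; lpImageImportDescriptor->Name != 0; lpImageImportDescriptor++)
    {
        dllcounter++;
        // Name is the RVA of the NUL-terminated DLL name; the terminator is trusted.
        std::cout << (char*)((byte*)pImageBase + RVAToFileOffset(pImageBase, lpImageImportDescriptor->Name)) << std::endl;
        // Prefer the import name table (OriginalFirstThunk); fall back to the IAT (FirstThunk)
        // when the former is 0, as some linkers emit.
        DWORD thunk = (lpImageImportDescriptor->OriginalFirstThunk == 0 ? lpImageImportDescriptor->FirstThunk : lpImageImportDescriptor->OriginalFirstThunk);
        PARSE_IMPORT_TABLE_FUNCTION_CALLBACK(pImageBase, (IMAGE_THUNK_DATA*)((byte*)pImageBase + RVAToFileOffset(pImageBase, thunk)));
        std::cout << TEXT("-------------------------------------------") << std::endl;
    }
    // Printed in the base std::cout is currently set to (hex after PARSE_NT_HEADER_CALLBACK).
    std::cout << TEXT(" DLL :") << dllcounter << std::endl;
}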
/* PE */
/* Placeholder for export-table parsing. The export table is deliberately left out of this
   sample, so the function prints nothing and leaves both arguments untouched. */
void PARSE_EXPORT_TABLE_CALLBACK(IMAGE_DATA_DIRECTORY* lpImageDataDirectory, PVOID pImageBase)
{
    (void)lpImageDataDirectory;
    (void)pImageBase;
}
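/* Prints every entry of one thunk array (the functions imported from one DLL) until the
   terminating zero thunk. Imports by ordinal print the ordinal; imports by name print the
   Hint and the name. Does nothing for a NULL base or thunk pointer.
   The thunk test uses the PE32 flag (IMAGE_ORDINAL_FLAG32), so this is a 32-bit-file reader;
   name RVAs are resolved without any bounds check against the view. */
void PARSE_IMPORT_TABLE_FUNCTION_CALLBACK(PVOID pImageBase, IMAGE_THUNK_DATA* lpImageThunkData)
{
    if (!pImageBase || !lpImageThunkData)
    {
        return;
    }
    std::cout << TEXT("\t\tHint\t\tFunction") << std::endl;
    for (; lpImageThunkData->u1.Ordinal != 0; lpImageThunkData++)
    {
        // PE32 rule: high bit set => import by ordinal, ordinal in the low 16 bits;
        // high bit clear => the thunk is the RVA of an IMAGE_IMPORT_BY_NAME (Hint + Name).
        // IMAGE_SNAP_BY_ORDINAL32 / IMAGE_ORDINAL32 are winnt.h's spellings of that test.
        if (IMAGE_SNAP_BY_ORDINAL32(lpImageThunkData->u1.Ordinal))
        {
            WORD ordinal = (WORD)IMAGE_ORDINAL32(lpImageThunkData->u1.Ordinal);
            std::cout << TEXT("\t\t") << ordinal << std::endl;
        }
        else
        {
            IMAGE_IMPORT_BY_NAME* lpImageImportByName = (IMAGE_IMPORT_BY_NAME*)((byte*)pImageBase + RVAToFileOffset(pImageBase, (DWORD)lpImageThunkData->u1.Ordinal));
            // Name is declared as a one-element array but holds a NUL-terminated string;
            // the terminator is trusted as read from the file.
            std::cout << TEXT("\t\t0x") << lpImageImportByName->Hint << TEXT("\t\t") << (char*)(lpImageImportByName->Name) << std::endl;
        }
    }
}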
/* */
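/* Translates an RVA into an offset in the flat file view by finding the section whose
   [VirtualAddress, VirtualAddress + SizeOfRawData) range contains it.
   Returns the RVA unchanged when no section contains it (or when pMappping is NULL). That is
   right for the header region, which sits at the same offset in file and image, but for any
   other unmatched RVA the result is meaningless and the caller will read from an arbitrary
   place in the view; nothing here is checked against the size of the view. */
DWORD RVAToFileOffset(PVOID pMappping, DWORD rva)
{
    if (pMappping == NULL)
    {
        return rva;
    }
    IMAGE_DOS_HEADER* lpImageDosHeader = (IMAGE_DOS_HEADER*)pMappping;
    IMAGE_NT_HEADERS* lpImageNtHeader = (IMAGE_NT_HEADERS*)((byte*)pMappping + lpImageDosHeader->e_lfanew);
    // IMAGE_FIRST_SECTION honours FileHeader.SizeOfOptionalHeader; the former
    // "+ sizeof(IMAGE_NT_HEADERS)" only agreed with it for a default-sized optional header.
    IMAGE_SECTION_HEADER* lpSectionTable = IMAGE_FIRST_SECTION(lpImageNtHeader);
    WORD numberOfSections = lpImageNtHeader->FileHeader.NumberOfSections;
    for (WORD i = 0; i < numberOfSections; i++, lpSectionTable++)
    {
        DWORD sectionStart = lpSectionTable->VirtualAddress;
        // If VirtualAddress + SizeOfRawData wraps around DWORD, sectionEnd < sectionStart and
        // the range test below fails, which just falls through to the next section.
        DWORD sectionEnd = sectionStart + lpSectionTable->SizeOfRawData;
        if (rva >= sectionStart && rva < sectionEnd)
        {
            // offset = start of the section's raw data + distance of rva into the section
            return lpSectionTable->PointerToRawData + (rva - sectionStart);
        }
    }
    return rva;
}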
텍스트를 자유롭게 공유하거나 복사할 수 있습니다.하지만 이 문서의 URL은 참조 URL로 남겨 두십시오.
CC BY-SA 2.5, CC BY-SA 3.0 및 CC BY-SA 4.0에 따라 라이센스가 부여됩니다.