C++打印PE文件头信息Demo

PE文件格式被组织为一个线性的数据流,它由一个MS-DOS头部开始,接着是一个是模式的程序残余以及一个PE文件标志,这之后紧接着PE文件头和可选头部。这些之后是所有的段头部,段头部之后跟随着所有的段实体。文件的结束处是一些其它的区域,其中是一些混杂的信息,包括重分配信息、符号表信息、行号信息以及字串表数据。

 

PE文件主要信息按顺序

 

IMAGE_DOS_HEADER MS-DOS MZ头部

DOS STUB MS-DOS 实模式残余程序

NTSIGNATURE PE文件标识

IMAGE_FILE_HEADER PE文件头

IMAGE_OPTIONAL_HEADER PE可选头

IMAGE_SECTION_HEADER 多个段

包括.text .bss .rdata等

 

更详细的信息请参考:http://www.vckbase.com/document/viewdoc/?id=1334

 

下面给出将头文件打印出来的源码:

PE.h

#ifndef _X_PE_H_ #define _X_PE_H_ //获取PE头基地址 #define SIZE_OF_NT_SIGNATURE sizeof(DWORD) #define NTSIGNATURE(a) ((LPVOID)((BYTE *)a + ((PIMAGE_DOS_HEADER)a)->e_lfanew – 1)) #define PEFHDROFFSET(a) ((LPVOID)((BYTE *)a + ((PIMAGE_DOS_HEADER)a)->e_lfanew – 1 + SIZE_OF_NT_SIGNATURE)) #define OPTHDROFFSET(a) ((LPVOID)((BYTE *)a + ((PIMAGE_DOS_HEADER)a)->e_lfanew – 1 + SIZE_OF_NT_SIGNATURE + sizeof(IMAGE_FILE_HEADER))) DWORD WINAPI ImageFileType (LPVOID lpFile); #endif 

PE.cpp

#include <windows.h> #include <stdio.h> #include <iostream> #include “pe.h” using namespace std; //PE文件类型判断 DWORD WINAPI ImageFileType (LPVOID lpFile) { /* 首先出现的是DOS文件标志 */ if (*(USHORT *)lpFile == IMAGE_DOS_SIGNATURE) { /* 由DOS头部决定PE文件头部的位置 */ if (LOWORD (*(DWORD *)NTSIGNATURE (lpFile)) == IMAGE_OS2_SIGNATURE || LOWORD (*(DWORD *)NTSIGNATURE (lpFile)) == IMAGE_OS2_SIGNATURE_LE) return (DWORD)LOWORD(*(DWORD *)NTSIGNATURE (lpFile)); else if (*(DWORD *)NTSIGNATURE (lpFile) == IMAGE_NT_SIGNATURE) return IMAGE_NT_SIGNATURE; else return IMAGE_DOS_SIGNATURE; } else /* 不明文件种类 */ return 0; } int main() { //业务信息参考 //http://www.vckbase.com/document/viewdoc/?id=1334 CHAR szBuf[2048]; FILE* pFile=fopen(“E://task//Win32//Debug//win32.exe”,”r”);//这里加载一个PE文件 int iRead=fread(szBuf,1,2048,pFile); //MZ-DOS头 IMAGE_DOS_HEADER* dos; dos=(IMAGE_DOS_HEADER*)szBuf; cout.setf(ios::hex,ios::basefield);//设置十六进制显示数值 cout.setf(ios::showbase|ios::uppercase);//设置0x头和大写 cout<<“dos->e_magic=”<<dos->e_magic<<endl; cout<<“dos->e_lfanew=”<<dos->e_lfanew<<endl; cout<<“NTSIGNATURE=”<<*(DWORD *)NTSIGNATURE(szBuf)<<endl; cout<<“ImageFileType=”<<ImageFileType(szBuf)<<” is “; switch(ImageFileType(szBuf)) { case IMAGE_DOS_SIGNATURE://MZ cout<<“IMAGE_DOS_SIGNATURE”<<endl; break; case IMAGE_OS2_SIGNATURE://NE cout<<“IMAGE_OS2_SIGNATURE”<<endl; break; case IMAGE_OS2_SIGNATURE_LE: cout<<“IMAGE_OS2_SIGNATURE_LE”<<endl; break; case IMAGE_NT_SIGNATURE: cout<<“IMAGE_NT_SIGNATURE”<<endl; } cout<<“PEFHDROFFSET=”<<PEFHDROFFSET(szBuf)<<endl; //PE必选头 PIMAGE_FILE_HEADER header =(PIMAGE_FILE_HEADER)PEFHDROFFSET(szBuf); cout<<“Machine=”<<header->Machine<<endl; cout<<“区段数NumberOfSections=”<<header->NumberOfSections<<endl; cout<<“建立时间TimeDateStamp=”<<header->TimeDateStamp<<endl; cout<<“PointerToSymbolTable=”<<header->PointerToSymbolTable<<endl; cout<<“可选头部大小SizeOfOptionalHeader=”<<header->SizeOfOptionalHeader<<endl; cout<<“特征Characteristics=”<<header->Characteristics<<endl; //PE可选头 PIMAGE_OPTIONAL_HEADER opHeader=(PIMAGE_OPTIONAL_HEADER)OPTHDROFFSET(szBuf); cout<<“魔术字Magic=”<<opHeader->Magic<<endl;//0x010B为.EXE,0x0107为ROM映像 cout<<“连接器主版本MajorLinkerVersion=”<<(short)opHeader->MajorLinkerVersion<<endl; cout<<“连接器副版本MinorLinkerVersion=”<<(short)opHeader->MinorLinkerVersion<<endl; cout<<“可执行代码大小SizeOfCode=”<<opHeader->SizeOfCode<<endl; cout<<“已初始化的数据大小SizeOfInitializedData=”<<opHeader->SizeOfInitializedData<<endl; cout<<“未初始化的数据大小SizeOfUninitializedData=”<<opHeader->SizeOfUninitializedData<<endl; cout<<“入口点AddressOfEntryPoint=”<<opHeader->AddressOfEntryPoint<<endl; cout<<“代码基址(.text段)BaseOfCode=”<<opHeader->BaseOfCode<<endl; cout<<“数据基址(.bss段)BaseOfData=”<<opHeader->BaseOfData<<endl; cout<<“映像基址ImageBase”<<opHeader->ImageBase<<endl;//进程映像地址空间中的首选基地址,Windows NT的Microsoft Win32 SDK链接器将这个值默认设为0x00400000,但是你可以使用-BASE:linker开关改变这个值。 cout<<“区段对齐SectionAlignment=”<<opHeader->SectionAlignment<<endl; cout<<“FileAlignment=”<<opHeader->FileAlignment<<endl; cout<<“NT主版本号MajorOperatingSystemVersion=”<<opHeader->MajorOperatingSystemVersion<<endl; cout<<“NT副版本号MinorOperatingSystemVersion=”<<opHeader->MinorOperatingSystemVersion<<endl; cout<<“应用程序主版本号MajorImageVersion=”<<opHeader->MajorImageVersion<<endl; cout<<“应用程序副版本号MinorImageVersion=”<<opHeader->MinorImageVersion<<endl; cout<<“Win32子系统主版本号MajorSubsystemVersion=”<<opHeader->MajorSubsystemVersion<<endl; cout<<“Win32子系统副版本号MinorSubsystemVersion=”<<opHeader->MinorSubsystemVersion<<endl; cout<<“SizeOfImage=”<<opHeader->SizeOfImage<<endl; cout<<“头大小SizeOfHeaders=”<<opHeader->SizeOfHeaders<<endl; cout<<“校验和CheckSum=”<<opHeader->CheckSum<<endl;//私有算法 cout<<“子系统Subsystem=”<<opHeader->Subsystem<<endl; cout<<“DllCharacteristics=”<<opHeader->DllCharacteristics<<endl; cout<<“SizeOfStackReserve=”<<opHeader->SizeOfStackReserve<<endl; cout<<“SizeOfStackCommit=”<<opHeader->SizeOfStackCommit<<endl; cout<<“SizeOfHeapReserve=”<<opHeader->SizeOfHeapReserve<<endl; cout<<“SizeOfHeapCommit=”<<opHeader->SizeOfHeapCommit<<endl; cout<<“LoaderFlags=”<<opHeader->LoaderFlags<<endl; cout<<“NumberOfRvaAndSizes=”<<opHeader->NumberOfRvaAndSizes<<endl; cout<<“导出表RVA:”<<opHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress<<endl; cout<<“导出表大小:”<<opHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size<<endl; cout<<“导入表RVA:”<<opHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress<<endl; cout<<“导入表大小:”<<opHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size<<endl; cout<<“资源RVA:”<<opHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress<<endl; cout<<“资源大小:”<<opHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size<<endl; cout<<“TLSRVA:”<<opHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress<<endl; cout<<“TLS大小:”<<opHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size<<endl; cout<<“调试RVA:”<<opHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].VirtualAddress<<endl; cout<<“调试:”<<opHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].Size<<endl; cout<<sizeof(IMAGE_OPTIONAL_HEADER)<<endl; PIMAGE_SECTION_HEADER ps=(PIMAGE_SECTION_HEADER)((BYTE*)opHeader+sizeof(IMAGE_OPTIONAL_HEADER)); //打印所有的段信息 for (int i=0;i<header->NumberOfSections;i++) { cout<<endl; cout<<“Name=”<<ps[i].Name<<endl; cout<<“PhysicalAddress=”<<ps[i].Misc.PhysicalAddress<<endl; cout<<“VirtualSize=”<<ps[i].Misc.VirtualSize<<endl; cout<<“VirtualAddress=”<<ps[i].VirtualAddress<<endl; cout<<“SizeOfRawData=”<<ps[i].SizeOfRawData<<endl; cout<<“PointerToRawData=”<<ps[i].PointerToRawData<<endl; cout<<“PointerToRelocations=”<<ps[i].PointerToRelocations<<endl; cout<<“PointerToLinenumbers=”<<ps[i].PointerToLinenumbers<<endl; cout<<“NumberOfRelocations=”<<ps[i].NumberOfRelocations<<endl; cout<<“NumberOfLinenumbers=”<<ps[i].NumberOfLinenumbers<<endl; cout<<“Characteristics=”<<ps[i].Characteristics<<endl; } return 0; } 

    原文作者:普通网友
    原文地址: https://blog.csdn.net/iamoyjj/article/details/6535189
    本文转自网络文章,转载此文章仅为分享知识,如有侵权,请联系博主进行删除。
点赞