Ce code montre comment récupérer des informations sur l'en-tête, les sections ainsi que l'import table d'un programme. J'ai essayé de faire un code clair en donnant les infos nécessaires pour comprendre. Si vous avez une question n'hésitez pas :)
Le code est disponible aussi ici :
http://lilxam.blogspot.com/2008/01/pe-analyser.html
Have Fun ;)
lilxam.
Source / Exemple :
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <iostream>
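/*
 * typedef struct _IMAGE_SECTION_HEADER {
 *   BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
 *   union {
 *     DWORD PhysicalAddress;
 *     DWORD VirtualSize;
 *   } Misc;
 *   DWORD VirtualAddress;
 *   DWORD SizeOfRawData;
 *   DWORD PointerToRawData;
 *   DWORD PointerToRelocations;
 *   DWORD PointerToLinenumbers;
 *   WORD NumberOfRelocations;
 *   WORD NumberOfLinenumbers;
 *   DWORD Characteristics;
 * } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
 */

/*
 * Print one block per section header of the mapped image.
 *
 * nt: the image's NT headers (already validated by the caller).
 *
 * Name is IMAGE_SIZEOF_SHORT_NAME bytes and is NOT NUL-terminated when the
 * name uses all 8 bytes, so it is printed with an explicit width instead of
 * a plain %s (which would read past the field).
 */
static void dump_sections(PIMAGE_NT_HEADERS nt)
{
    PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(nt);
    WORD sectionCount = nt->FileHeader.NumberOfSections;

    for (WORD i = 0; i < sectionCount; i++)
    {
        printf("\n\n----------| Section : [%.*s] |----------",
               IMAGE_SIZEOF_SHORT_NAME, (const char *)section[i].Name);
        printf("\n [+] Virtual Size : 0x%lx", section[i].Misc.VirtualSize);
        printf("\n [+] Virtual Address : 0x%lx", section[i].VirtualAddress);
        printf("\n [+] Size Of Raw Data : 0x%lx", section[i].SizeOfRawData);
        printf("\n [+] Pointer To Raw Data : 0x%lx", section[i].PointerToRawData);
        printf("\n [+] Pointer To Relocations : 0x%lx", section[i].PointerToRelocations);
        printf("\n [+] Pointer To Line Numbers : 0x%lx", section[i].PointerToLinenumbers);
        printf("\n [+] Characteristics : %lx", section[i].Characteristics);
    }
}

/*
 * typedef struct _IMAGE_IMPORT_DESCRIPTOR {
 *   _ANONYMOUS_UNION union {
 *     DWORD Characteristics;
 *     DWORD OriginalFirstThunk;
 *   } DUMMYUNIONNAME;
 *   DWORD TimeDateStamp;
 *   DWORD ForwarderChain;
 *   DWORD Name;
 *   DWORD FirstThunk;
 * } IMAGE_IMPORT_DESCRIPTOR, *PIMAGE_IMPORT_DESCRIPTOR;
 *
 * typedef struct _IMAGE_THUNK_DATA32 {
 *   union {
 *     DWORD ForwarderString;
 *     DWORD Function;
 *     DWORD Ordinal;
 *     DWORD AddressOfData;
 *   } u1;
 * } IMAGE_THUNK_DATA32, *PIMAGE_THUNK_DATA32;
 *
 * typedef struct _IMAGE_IMPORT_BY_NAME {
 *   WORD Hint;
 *   BYTE Name[1];
 * } IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME;
 */

/*
 * Walk the import directory: one header line per DLL, one line per imported
 * symbol with the address the loader resolved it to.
 *
 * base: image base of the mapped module (all RVAs are relative to it).
 * opt:  the image's optional header, used to locate the import directory.
 *
 * Names are read from the import name table (OriginalFirstThunk); resolved
 * addresses come from the IAT (FirstThunk). The two tables run in parallel,
 * one entry per symbol, and each ends with a zero entry. Once the module is
 * loaded the IAT holds addresses, not name RVAs, so a descriptor without an
 * import name table cannot be named and is only listed by DLL.
 */
static void dump_imports(BYTE *base, PIMAGE_OPTIONAL_HEADER opt)
{
    printf("\n\n\n--------------------| Import Table |--------------------");

    /* The data directory may be shorter than IMAGE_NUMBEROF_DIRECTORY_ENTRIES,
     * and an image with no imports has a zero import RVA. */
    if (opt->NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_IMPORT ||
        opt->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress == 0)
    {
        printf("\n[!]No import table");
        return;
    }

    PIMAGE_IMPORT_DESCRIPTOR desc = (PIMAGE_IMPORT_DESCRIPTOR)
        (base + opt->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);

    /* The descriptor array is terminated by an all-zero entry. */
    for (; desc->Name != 0; desc++)
    {
        printf("\n\n [DLL] %s", (const char *)(base + desc->Name));

        if (desc->OriginalFirstThunk == 0)
        {
            printf("\n [!]No import name table for this DLL; symbol names unavailable");
            continue;
        }

        PIMAGE_THUNK_DATA nameThunk = (PIMAGE_THUNK_DATA)(base + desc->OriginalFirstThunk);
        PIMAGE_THUNK_DATA addrThunk = (PIMAGE_THUNK_DATA)(base + desc->FirstThunk);

        for (; nameThunk->u1.AddressOfData != 0; nameThunk++, addrThunk++)
        {
            void *resolved = (void *)(ULONG_PTR)addrThunk->u1.Function;

            if (IMAGE_SNAP_BY_ORDINAL(nameThunk->u1.Ordinal))
            {
                /* High bit set: the entry is an ordinal, not a pointer to a
                 * name, so it must not be dereferenced. */
                printf("\n [+] Ordinal : %lu -> Address : %p",
                       (unsigned long)IMAGE_ORDINAL(nameThunk->u1.Ordinal), resolved);
            }
            else
            {
                PIMAGE_IMPORT_BY_NAME byName = (PIMAGE_IMPORT_BY_NAME)
                    (base + nameThunk->u1.AddressOfData);
                printf("\n [+] Function : %s -> Address : %p",
                       (const char *)byName->Name, resolved);
            }
        }
    }
}

/*
 * typedef struct _IMAGE_DOS_HEADER // DOS .EXE header
 * {
 *   0h  WORD e_magic;    // Magic number
 *   2h  WORD e_cblp;     // Bytes on last page of file
 *   4h  WORD e_cp;       // Pages in file
 *   6h  WORD e_crlc;     // Relocations
 *   8h  WORD e_cparhdr;  // Size of header in paragraphs
 *   Ah  WORD e_minalloc; // Minimum extra paragraphs needed
 *   Ch  WORD e_maxalloc; // Maximum extra paragraphs needed
 *   Eh  WORD e_ss;       // Initial (relative) SS value
 *   10h WORD e_sp;       // Initial SP value
 *   12h WORD e_csum;     // Checksum
 *   14h WORD e_ip;       // Initial IP value
 *   16h WORD e_cs;       // Initial (relative) CS value
 *   18h WORD e_lfarlc;   // File address of relocation table
 *   1Ah WORD e_ovno;     // Overlay number
 *   1Ch WORD e_res[4];   // Reserved words
 *   24h WORD e_oemid;    // OEM identifier (for e_oeminfo)
 *   26h WORD e_oeminfo;  // OEM information; e_oemid specific
 *   28h WORD e_res2[10]; // Reserved words
 *   3Ch LONG e_lfanew;   // File address of new exe header
 * }
 * IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
 *
 * typedef struct _IMAGE_NT_HEADERS
 * {
 *   0h  DWORD Signature;
 *   4h  IMAGE_FILE_HEADER FileHeader;
 *   18h IMAGE_OPTIONAL_HEADER OptionalHeader;
 * }
 * IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;
 *
 * typedef struct _IMAGE_FILE_HEADER
 * {
 *   0h  WORD Machine;
 *   2h  WORD NumberOfSections;
 *   4h  DWORD TimeDateStamp;
 *   8h  DWORD PointerToSymbolTable;
 *   Ch  DWORD NumberOfSymbols;
 *   10h WORD SizeOfOptionalHeader;
 *   12h WORD Characteristics;
 * }
 * IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
 *
 * typedef struct _IMAGE_OPTIONAL_HEADER
 * {
 *   0h  WORD Magic;
 *   2h  BYTE MajorLinkerVersion;
 *   3h  BYTE MinorLinkerVersion;
 *   4h  DWORD SizeOfCode;
 *   8h  DWORD SizeOfInitializedData;
 *   Ch  DWORD SizeOfUninitializedData;
 *   10h DWORD AddressOfEntryPoint;
 *   14h DWORD BaseOfCode;
 *   18h DWORD BaseOfData;
 *   1Ch DWORD ImageBase;
 *   20h DWORD SectionAlignment;
 *   24h DWORD FileAlignment;
 *   28h WORD MajorOperatingSystemVersion;
 *   2Ah WORD MinorOperatingSystemVersion;
 *   2Ch WORD MajorImageVersion;
 *   2Eh WORD MinorImageVersion;
 *   30h WORD MajorSubsystemVersion;
 *   32h WORD MinorSubsystemVersion;
 *   34h DWORD Win32VersionValue;
 *   38h DWORD SizeOfImage;
 *   3Ch DWORD SizeOfHeaders;
 *   40h DWORD CheckSum;
 *   44h WORD Subsystem;
 *   46h WORD DllCharacteristics;
 *   48h DWORD SizeOfStackReserve;
 *   4Ch DWORD SizeOfStackCommit;
 *   50h DWORD SizeOfHeapReserve;
 *   54h DWORD SizeOfHeapCommit;
 *   58h DWORD LoaderFlags;
 *   5Ch DWORD NumberOfRvaAndSizes;
 *   60h IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
 * }
 * IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;
 *
 * (Offsets above are for the PE32 layout; the PE32+ optional header has no
 *  BaseOfData and widens ImageBase and the stack/heap sizes to 64 bits.)
 */

/*
 * Dump the DOS header, NT headers, section table and import table of the
 * running executable itself: GetModuleHandle(NULL) returns its image base.
 *
 * The image walked here is the one the loader has already mapped and
 * validated, which is why e_lfanew and the RVAs are followed without bounds
 * checks. Parsing an untrusted file read from disk would need every offset
 * and RVA checked against the file/image size before it is dereferenced.
 *
 * Returns 0 in every case; "[!]" lines report what could not be read.
 */
int main()
{
    printf("-------------------------------/ PE analyser \\-------------------------------\n\n");

    HANDLE hProgram = GetModuleHandle(NULL);
    if (hProgram == NULL)
    {
        printf("\n[!]GetModuleHandle failed (error %lu)", GetLastError());
    }
    else
    {
        /* An HMODULE is the image base, so header RVAs are added to it. */
        BYTE *base = (BYTE *)hProgram;
        PIMAGE_DOS_HEADER structPE = (PIMAGE_DOS_HEADER)base;

        printf("\nMagic Number : %x", structPE->e_magic);
        if (structPE->e_magic != IMAGE_DOS_SIGNATURE) /* 0x5a4d -> "MZ" */
        {
            printf("\n[!]Not a DOS executable");
        }
        else
        {
            PIMAGE_NT_HEADERS HeaderPE = (PIMAGE_NT_HEADERS)(base + structPE->e_lfanew);

            printf("\nHeader Signature : %lx", HeaderPE->Signature);
            if (HeaderPE->Signature != IMAGE_NT_SIGNATURE) /* 0x00004550 -> "PE\0\0" */
            {
                printf("\n[!]Not a PE format");
            }
            else
            {
                PIMAGE_OPTIONAL_HEADER OptionalHeaderPE = &HeaderPE->OptionalHeader;
                PIMAGE_FILE_HEADER FileHeader = &HeaderPE->FileHeader;

                printf("\nEntry Point : 0x%lx", OptionalHeaderPE->AddressOfEntryPoint);
                printf("\nBase Of Code : 0x%lx", OptionalHeaderPE->BaseOfCode);
#ifndef _WIN64
                /* BaseOfData only exists in the PE32 optional header. */
                printf("\nBase Of Data : 0x%lx", OptionalHeaderPE->BaseOfData);
#endif
                /* ImageBase is 32-bit in PE32 and 64-bit in PE32+; %p fits both. */
                printf("\nImage Base : %p", (void *)(ULONG_PTR)OptionalHeaderPE->ImageBase);
                printf("\nSize Of Code : 0x%lx", OptionalHeaderPE->SizeOfCode);
                printf("\nSize Of Image : 0x%lx", OptionalHeaderPE->SizeOfImage);
                printf("\nSize Of Header : 0x%lx", OptionalHeaderPE->SizeOfHeaders);

                printf("\nNumber Of Sections : %d", FileHeader->NumberOfSections);

                dump_sections(HeaderPE);
                dump_imports(base, OptionalHeaderPE);
            }
        }
    }

    printf("\n\n");
    system("pause");
    return 0;
}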