C语言怎么获得进程的PE文件信息

时间:2022-09-14 13:01:12

一、打印Sections信息。下面的程序打印出Windows_Graphics_Programming 1.1中第三个程序“Hello World Version 3:Create a Full-Screen Window"生成的可执行文件的Sections结构字节的信息

?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
#include<stdio.h>
#include<windows.h>
 
char *strPath="C:/c1_hwv3/Debug/c1_hwv3.exe";
 
int main()
{
  IMAGE_DOS_HEADER myDosHeader;
  LONG e_lfanew;
  FILE *pFile;
  pFile=fopen(strPath,"rb+");
 
  fread(&myDosHeader,sizeof(IMAGE_DOS_HEADER),1,pFile);
  e_lfanew=myDosHeader.e_lfanew;
 
  IMAGE_FILE_HEADER myFileHeader;
  int nSectionCount;
 
  fseek(pFile,(e_lfanew+sizeof(DWORD)),SEEK_SET);
  fread(&myFileHeader,sizeof(IMAGE_FILE_HEADER),1,pFile);
  nSectionCount=myFileHeader.NumberOfSections;
 
  IMAGE_SECTION_HEADER *pmySectionHeader=
    (IMAGE_SECTION_HEADER *)calloc(nSectionCount,sizeof(IMAGE_SECTION_HEADER));
  fseek(pFile,(e_lfanew+sizeof(IMAGE_NT_HEADERS)),SEEK_SET);
  fread(pmySectionHeader,sizeof(IMAGE_SECTION_HEADER),nSectionCount,pFile);
 
  for(int i=0;i<nSectionCount;i++,pmySectionHeader++)
  {
    printf("Name: %s\n", pmySectionHeader->Name);
    printf("union_PhysicalAddress: %08x\n", pmySectionHeader->Misc.PhysicalAddress);
    printf("union_VirtualSize: %04x\n", pmySectionHeader->Misc.VirtualSize);
    printf("VirtualAddress: %08x\n", pmySectionHeader->VirtualAddress);
    printf("SizeOfRawData: %08x\n", pmySectionHeader->SizeOfRawData);
    printf("PointerToRawData: %04x\n", pmySectionHeader->PointerToRawData);
    printf("PointerToRelocations: %04x\n", pmySectionHeader->PointerToRelocations);
    printf("PointerToLinenumbers: %04x\n", pmySectionHeader->PointerToLinenumbers);
    printf("NumberOfRelocations: %04x\n", pmySectionHeader->NumberOfRelocations);
    printf("NumberOfLinenumbers: %04x\n", pmySectionHeader->NumberOfLinenumbers);
    printf("Charateristics: %04x\n", pmySectionHeader->Characteristics);
  }
//  pmySectionHeader-=m_nSectionCount;
 
  if(pmySectionHeader!=NULL)
  {
    free(pmySectionHeader);
    pmySectionHeader=NULL;
  }
 
  fclose(pFile);
  return 0;
}

运行程序打印出如下信息

?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
Name: .text
 
union_PhysicalAddress: 00022350
 
union_VirtualSize: 22350
 
VirtualAddress: 00001000
 
SizeOfRawData: 00023000
 
PointerToRawData: 1000
 
PointerToRelocations: 0000
 
PointerToLinenumbers: 0000
 
NumberOfRelocations: 0000
 
NumberOfLinenumbers: 0000
 
Charateristics: 60000020
 
Name: .rdata
 
union_PhysicalAddress: 00001615
 
union_VirtualSize: 1615
 
VirtualAddress: 00024000
 
SizeOfRawData: 00002000
 
PointerToRawData: 24000
 
PointerToRelocations: 0000
 
PointerToLinenumbers: 0000
 
NumberOfRelocations: 0000
 
NumberOfLinenumbers: 0000
 
Charateristics: 40000040
 
Name: .data
 
union_PhysicalAddress: 00005650
 
union_VirtualSize: 5650
 
VirtualAddress: 00026000
 
SizeOfRawData: 00004000
 
PointerToRawData: 26000
 
PointerToRelocations: 0000
 
PointerToLinenumbers: 0000
 
NumberOfRelocations: 0000
 
NumberOfLinenumbers: 0000
 
Charateristics: c0000040
 
Name: .idata
 
union_PhysicalAddress: 00000b23
 
union_VirtualSize: 0b23
 
VirtualAddress: 0002c000
 
SizeOfRawData: 00001000
 
PointerToRawData: 2a000
 
PointerToRelocations: 0000
 
PointerToLinenumbers: 0000
 
NumberOfRelocations: 0000
 
NumberOfLinenumbers: 0000
 
Charateristics: c0000040
 
Name: .reloc
 
union_PhysicalAddress: 00000f00
 
union_VirtualSize: 0f00
 
VirtualAddress: 0002d000
 
SizeOfRawData: 00001000
 
PointerToRawData: 2b000
 
PointerToRelocations: 0000
 
PointerToLinenumbers: 0000
 
NumberOfRelocations: 0000
 
NumberOfLinenumbers: 0000
 
Charateristics: 42000040

pe文件结构图:

 

时间,时间,会给我答案 time will give me the answer

再给大家分享一则

?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
#include <windows.h>
#include <stdio.h>
#define MAX_SECTION_NUM  16
#define MAX_IMPDESC_NUM  64
 
HANDLE hHeap;
PIMAGE_DOS_HEADER pDosHeader;
PCHAR  pDosStub;
DWORD  dwDosStubSize;
DWORD  dwDosStubOffset;
PIMAGE_NT_HEADERS      pNtHeaders;
PIMAGE_FILE_HEADER     pFileHeader;
PIMAGE_OPTIONAL_HEADER32  pOptHeader;
PIMAGE_SECTION_HEADER  pSecHeaders;
PIMAGE_SECTION_HEADER  pSecHeader[MAX_SECTION_NUM];
WORD wSecNum;
PBYTE pSecData[MAX_SECTION_NUM];
DWORD dwSecSize[MAX_SECTION_NUM];
DWORD dwFileSize;
 
void OutputPEInMem(HANDLE hd)
{
  // 请在这里填入你的代码
  DWORD             dwBase;
  dwBase = (DWORD)hd;
  pDosHeader = (PIMAGE_DOS_HEADER)dwBase;
  pNtHeaders = (PIMAGE_NT_HEADERS)(dwBase + pDosHeader->e_lfanew);
  pOptHeader = &(pNtHeaders->OptionalHeader);
  pFileHeader = &(pNtHeaders->FileHeader);
  printf("Address Of Entry Point: 0x%08x\n", pOptHeader->AddressOfEntryPoint);
  printf("ImageBase: 0x%08x\n", pOptHeader->ImageBase);
  printf("Number Of Sections: %d\n", pFileHeader->NumberOfSections);
  printf("Size Of Image: 0x%04x\n", pOptHeader->SizeOfImage);
  return;
}
 
int main(int argc, char *argv[])
{
  DWORD pid = 0;
  pid=atoi(argv[1]);
  HANDLE hd=OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid);
   
  LPCSTR lpszFileName = "hello.exe";
  LPCSTR lpszInjFileName = "hello_inj0.exe";
 
   
  OutputPEInMem(hd);
  hHeap = GetProcessHeap();
 
  if (! CopyPEFileToMem(lpszFileName)) {
    return 1;
  }
  return 0;
}
标签:

相关文章