获取pe文件的文件类型

时间:2022-11-26 13:31:08

工程文件petype.cpp通过调用pefile类中的函数获取文件类型。

 

文件类型的判断通过5个监测点完成。

监测点1:dos头的e_magic

监测点2:nt头的Signature

监测点3:文件头的Characteristics

监测点4:可选头的Magic

监测点5:可选头的Subsystem

 

通过监测点1和2判断是否是pe文件;

通过监测点3判断文件是否是动态库文件

通过监测点4判断文件是pe32还是pe32+还是rom映像

通过监测点5判断文件是否是0环可执行文件[驱动文件],还是3环可执行文件[exe文件]

 

具体代码参见下面:

pefile.h

  1 #ifndef PE_FILE_H
2 #define PE_FILE_H
3 #include "windows.h"
4
// Header probes used by XPEFILE::GetType(). Each expands to a raw read of the
// member File_memory: the DOS magic at offset 0, e_lfanew at offset 0x3c, and
// the WORD at e_lfanew + 4 (Signature) + sizeof(file header) = the optional
// header's Magic. Nothing here checks that the buffer holds at least 0x40 bytes
// or that e_lfanew (a value taken from the file) points inside the buffer, so a
// truncated or crafted image makes them read past the allocation; only use
// them after the offsets have been range-checked against File_size.
#define ISMZHEADER (*(WORD*)File_memory == 0x5a4d)                                   // "MZ"
// Compares only the low WORD ("PE") of the 4-byte "PE\0\0" Signature.
#define ISPEHEADER (*(WORD*)((BYTE*)File_memory + *(DWORD*)((BYTE*)File_memory + 0x3c)) == 0x4550)
#define ISPE32MAGIC (*(WORD*)((BYTE*)File_memory + *(DWORD*)((BYTE*)File_memory + 0x3c) + sizeof(MX_IMAGE_FILE_HEADER) + 4) == 0x10b)   // PE32
#define ISPE64MAGIC (*(WORD*)((BYTE*)File_memory + *(DWORD*)((BYTE*)File_memory + 0x3c) + sizeof(MX_IMAGE_FILE_HEADER) + 4) == 0x20b)   // PE32+
#define ISPEROMMAGIC (*(WORD*)((BYTE*)File_memory + *(DWORD*)((BYTE*)File_memory + 0x3c) + sizeof(MX_IMAGE_FILE_HEADER) + 4) == 0x107) // ROM image
10
11
// Bitness tags; not referenced by the code shown on this page.
#define X_PE_32 32
#define X_PE_64 64

// Result flags of XPEFILE::GetType(). READ_ERRO and NOT_PE_FILE are returned
// alone; for a PE, PE_FILE is OR-ed with one format flag (PE64_FILE /
// PE32_FILE / ROM_IMAGE) and at most one role flag (EXE_FILE / DLL_FILE /
// SYS_FILE / OTHER_FILE). Every flag occupies a distinct bit so the
// combination can be tested with `&`.
#define READ_ERRO 0x0      // file could not be read into memory
#define NOT_PE_FILE 0x200  // no "MZ" / "PE" header
#define PE_FILE 0x100
#define PE64_FILE 0x40     // OptionalHeader.Magic == 0x20b
#define PE32_FILE 0x20     // OptionalHeader.Magic == 0x10b
#define ROM_IMAGE 0x10     // OptionalHeader.Magic == 0x107
#define EXE_FILE 0x8       // ring-3 executable (Subsystem Windows GUI/CUI)
#define DLL_FILE 0x4       // FileHeader.Characteristics has IMAGE_FILE_DLL (0x2000)
#define SYS_FILE 0x2       // ring-0 driver (Subsystem native)
#define OTHER_FILE 0x1
25
26
// Number of entries in OptionalHeader.DataDirectory and the index of each one.
// Not used by the classification code on this page; kept for callers that
// walk the directories. (X_RESOURSE / X_BAND_IMPORT are misspellings of
// "resource" / "bound import" but are left as-is because they are identifiers.)
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
#define X_EXPORT 0
#define X_IMPORT 1
#define X_RESOURSE 2
#define X_EXCEPTION 3
#define X_CERTIFICATE 4
#define X_BASE_RELOCATION 5
#define X_DEBUG 6
#define X_ARCHITECTURE 7
#define X_GLOBAL_PTR 8
#define X_TLS 9
#define X_LOAD_CONFIG 10
#define X_BAND_IMPORT 11
#define X_IAT 12
#define X_DELAY_IMPORT 13
#define X_COM_HEADER 14
#define X_RESERVED 15
44
// Local mirror of the DOS stub header at file offset 0. Only e_magic ("MZ")
// and e_lfanew are consulted by the classifier; e_lfanew sits at offset 0x3c
// (the constant the IS*HEADER macros use) and is the file offset of the NT
// headers. It comes from the file, so it must be range-checked before use.
typedef struct X_IMAGE_DOS_HEADER { // DOS .EXE header
WORD e_magic; // Magic number
WORD e_cblp; // Bytes on last page of file
WORD e_cp; // Pages in file
WORD e_crlc; // Relocations
WORD e_cparhdr; // Size of header in paragraphs
WORD e_minalloc; // Minimum extra paragraphs needed
WORD e_maxalloc; // Maximum extra paragraphs needed
WORD e_ss; // Initial (relative) SS value
WORD e_sp; // Initial SP value
WORD e_csum; // Checksum
WORD e_ip; // Initial IP value
WORD e_cs; // Initial (relative) CS value
WORD e_lfarlc; // File address of relocation table
WORD e_ovno; // Overlay number
WORD e_res[4]; // Reserved words
WORD e_oemid; // OEM identifier (for e_oeminfo)
WORD e_oeminfo; // OEM information; e_oemid specific
WORD e_res2[10]; // Reserved words
LONG e_lfanew; // File address of new exe header (signed: negative values are invalid)
} MX_IMAGE_DOS_HEADER;
66
// COFF file header, 20 bytes, directly after the 4-byte "PE\0\0" Signature.
// Characteristics is check point 3: bit 0x2000 (IMAGE_FILE_DLL) marks a DLL.
typedef struct X_IMAGE_FILE_HEADER {
WORD Machine;
WORD NumberOfSections;
DWORD TimeDateStamp;
DWORD PointerToSymbolTable;
DWORD NumberOfSymbols;
WORD SizeOfOptionalHeader; // real length of the optional header that follows
WORD Characteristics;
} MX_IMAGE_FILE_HEADER;
76
// One DataDirectory slot: RVA and byte size of a table (indexed by X_EXPORT ...).
typedef struct X_IMAGE_DATA_DIRECTORY {
DWORD VirtualAddress;
DWORD Size;
} MX_IMAGE_DATA_DIRECTORY;
81
// PE32 optional header (Magic == 0x10b). Magic is check point 4 and Subsystem
// is check point 5; the remaining fields are carried for completeness and are
// not read by the classifier.
typedef struct X_IMAGE_OPTIONAL_HEADER32 {
WORD Magic;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
DWORD BaseOfData;
DWORD ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem; // enumeration, not a bit mask: 1 native, 2 Windows GUI, 3 Windows CUI, ...
WORD DllCharacteristics;
DWORD SizeOfStackReserve;
DWORD SizeOfStackCommit;
DWORD SizeOfHeapReserve;
DWORD SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
MX_IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} MX_IMAGE_OPTIONAL_HEADER32;
115
116
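// PE32+ optional header (Magic == 0x20b). Same role as the PE32 variant:
// Magic is check point 4, Subsystem check point 5. Differences from PE32 are
// the missing BaseOfData and the 64-bit ImageBase / stack / heap sizes.
// DataDirectory uses this header's own MX_IMAGE_DATA_DIRECTORY (same layout
// as the SDK type) so the struct does not depend on windows.h for one field
// while defining all the others itself.
typedef struct X_IMAGE_OPTIONAL_HEADER64 {
WORD Magic;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
ULONGLONG ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem; // enumeration, not a bit mask: 1 native, 2 Windows GUI, 3 Windows CUI, ...
WORD DllCharacteristics;
ULONGLONG SizeOfStackReserve;
ULONGLONG SizeOfStackCommit;
ULONGLONG SizeOfHeapReserve;
ULONGLONG SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
MX_IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} MX_IMAGE_OPTIONAL_HEADER64;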
149
// NT headers of a PE32 image, located at DOS e_lfanew. Signature is check
// point 2 ("PE\0\0"); FileHeader and OptionalHeader hold check points 3-5.
typedef struct X_IMAGE_NT_HEADERS32 {
DWORD Signature;
MX_IMAGE_FILE_HEADER FileHeader;
MX_IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} MX_IMAGE_NT_HEADERS32;
155
// NT headers of a PE32+ image, located at DOS e_lfanew. Signature and
// FileHeader are laid out exactly as in the PE32 variant; only the optional
// header differs, so the 32/64 choice is made from OptionalHeader.Magic.
typedef struct X_IMAGE_NT_HEADERS64 {
DWORD Signature;
MX_IMAGE_FILE_HEADER FileHeader;
MX_IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} MX_IMAGE_NT_HEADERS64;
161
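// Reads a whole file into memory in the constructor and classifies it on
// request. File_memory is a LocalAlloc() buffer owned by this object and
// released by the destructor, so the object is non-copyable: an implicitly
// generated copy would make two objects free the same buffer.
class XPEFILE
{
public:
// Opens and reads lpFileName. On any failure File_memory stays NULL and a
// later GetType() reports READ_ERRO.
XPEFILE(char* lpFileName);
virtual ~XPEFILE();
// Bit set of the READ_ERRO / NOT_PE_FILE / PE_FILE / ... flags above.
int GetType();
// Byte count recorded by the constructor for File_memory.
int GetSize();
private:
// Declared but intentionally not defined: copying is a link-time error.
XPEFILE(const XPEFILE&);
XPEFILE& operator=(const XPEFILE&);

void* File_memory; // entire file contents, or NULL when nothing was loaded
int File_size;     // number of bytes in File_memory
int File_type;     // last value computed by GetType()
};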
174
175 #endif

pefile.cpp

#include "stdafx.h"
#include "windows.h"
#include "pefile.h"
#include <climits>
#include <cstddef>
#include <iostream>
5
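// Loads the whole file named by strFileName into a LocalAlloc() buffer.
// On success File_memory / File_size describe the buffer; on any failure
// (open, size query, allocation, short read) both stay NULL / 0 and no
// memory is leaked. File_type starts as READ_ERRO until GetType() runs.
XPEFILE::XPEFILE(char* strFileName)
{
File_memory = NULL;
File_size = 0;
File_type = READ_ERRO;

// The class never writes the file, so it asks for read access only: requesting
// GENERIC_WRITE as well made the open fail on read-only files and on files
// another process holds without write sharing.
HANDLE hfile = CreateFile(strFileName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE,
0, OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, 0);
if (hfile == INVALID_HANDLE_VALUE)
{
return;
}

// GetFileSize reports failure as INVALID_FILE_SIZE plus a last-error code
// (a genuine 0xFFFFFFFF low part leaves the error at NO_ERROR). File_size is
// an int, so a non-zero high part or a low part above INT_MAX is rejected too.
DWORD sizeHigh = 0;
DWORD sizeLow = GetFileSize(hfile, &sizeHigh);
if ((sizeLow == INVALID_FILE_SIZE && GetLastError() != NO_ERROR) ||
sizeHigh != 0 || sizeLow > (DWORD)INT_MAX)
{
CloseHandle(hfile);
return;
}

void* lpmemory = LocalAlloc(LPTR, sizeLow);
if (lpmemory != NULL)
{
// Keep the buffer only when every byte arrived; after a short read the
// zero-initialised tail would otherwise be mistaken for header bytes.
DWORD bytesRead = 0;
if (ReadFile(hfile, lpmemory, sizeLow, &bytesRead, 0) && bytesRead == sizeLow)
{
File_memory = lpmemory;
File_size = (int)sizeLow;
}
else
{
LocalFree(lpmemory);
}
}
CloseHandle(hfile);
}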
27
28
29
30
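// Releases the buffer allocated by the constructor. The test must be
// `!= NULL`: with `== NULL` the buffer was never freed and every
// successfully loaded file leaked.
XPEFILE::~XPEFILE()
{
if (File_memory != NULL)
{
LocalFree(File_memory);
File_memory = NULL;
}
}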
38
// Returns the byte count the constructor recorded for the loaded file.
int XPEFILE::GetSize()
{
const int recordedSize = File_size;
return recordedSize;
}
43
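// True when the byte range [offset, offset + length) lies inside a buffer of
// `size` bytes. Written with subtraction so an offset taken from the file
// cannot wrap the comparison.
static bool FitsInBuffer(size_t size, size_t offset, size_t length)
{
return length <= size && offset <= size - length;
}

// Derives the role flag from FileHeader.Characteristics (check point 3) and
// OptionalHeader.Subsystem (check point 5). Subsystem is an enumeration
// (1 = native, i.e. a ring-0 driver; 2 = Windows GUI; 3 = Windows CUI), not a
// bit mask, so it is compared for equality: the former bit test
// `(Subsystem & 2) | (Subsystem & 3)` was also non-zero for value 1, which
// made the SYS_FILE branch unreachable and reported drivers as EXE_FILE.
static int RoleFromHeaders(WORD characteristics, WORD subsystem)
{
if (characteristics & 0x2000) // IMAGE_FILE_DLL
{
return DLL_FILE;
}
if (subsystem == 2 || subsystem == 3) // Windows GUI / CUI: ring-3 executable
{
return EXE_FILE;
}
if (subsystem == 1) // native: ring-0 driver
{
return SYS_FILE;
}
return OTHER_FILE; // EFI, POSIX, CE and any other subsystem value
}

// Classifies the buffer loaded by the constructor and returns a bit set of
// the flags from pefile.h:
//   READ_ERRO    nothing is loaded;
//   NOT_PE_FILE  DOS header missing or not "MZ", or e_lfanew does not lead to
//                a "PE\0\0" signature inside the buffer;
//   PE_FILE      OR-ed with PE32_FILE / PE64_FILE / ROM_IMAGE according to
//                OptionalHeader.Magic (check point 4) and, when the Subsystem
//                field is present in the buffer, with one role flag from
//                RoleFromHeaders().
// Every header field is range-checked against File_size before it is read:
// e_lfanew comes from the file, and a truncated or crafted image must not be
// able to make the classifier read outside its own buffer (the IS*HEADER
// macros in pefile.h perform no such checks and are therefore not used here).
int XPEFILE::GetType()
{
File_type = READ_ERRO;
if (File_memory == NULL || File_size <= 0)
{
return File_type;
}

const BYTE* base = (const BYTE*)File_memory;
const size_t size = (size_t)File_size;
File_type = NOT_PE_FILE;

// Check point 1: the complete DOS header must be present so e_lfanew is readable.
if (!FitsInBuffer(size, 0, sizeof(MX_IMAGE_DOS_HEADER)))
{
return File_type;
}
const MX_IMAGE_DOS_HEADER* dos = (const MX_IMAGE_DOS_HEADER*)base;
if (dos->e_magic != 0x5a4d) // "MZ"
{
return File_type;
}

// Check point 2: e_lfanew must leave room for Signature, the file header and
// at least OptionalHeader.Magic (identical offset in the 32- and 64-bit layouts).
if (dos->e_lfanew < 0)
{
return File_type;
}
const size_t ntOffset = (size_t)dos->e_lfanew;
const size_t magicEnd = offsetof(MX_IMAGE_NT_HEADERS32, OptionalHeader)
+ offsetof(MX_IMAGE_OPTIONAL_HEADER32, Magic) + sizeof(WORD);
if (!FitsInBuffer(size, ntOffset, magicEnd))
{
return File_type;
}
const BYTE* ntBase = base + ntOffset;
const MX_IMAGE_NT_HEADERS32* nt32 = (const MX_IMAGE_NT_HEADERS32*)ntBase;
if (nt32->Signature != 0x00004550) // "PE\0\0"
{
return File_type;
}
File_type = PE_FILE;

const WORD characteristics = nt32->FileHeader.Characteristics;
const WORD magic = nt32->OptionalHeader.Magic;

if (magic == 0x10b) // PE32
{
File_type |= PE32_FILE;
const size_t subsystemEnd = offsetof(MX_IMAGE_NT_HEADERS32, OptionalHeader)
+ offsetof(MX_IMAGE_OPTIONAL_HEADER32, Subsystem) + sizeof(WORD);
if (FitsInBuffer(size, ntOffset, subsystemEnd))
{
File_type |= RoleFromHeaders(characteristics, nt32->OptionalHeader.Subsystem);
}
}
else if (magic == 0x20b) // PE32+
{
File_type |= PE64_FILE;
const MX_IMAGE_NT_HEADERS64* nt64 = (const MX_IMAGE_NT_HEADERS64*)ntBase;
const size_t subsystemEnd = offsetof(MX_IMAGE_NT_HEADERS64, OptionalHeader)
+ offsetof(MX_IMAGE_OPTIONAL_HEADER64, Subsystem) + sizeof(WORD);
if (FitsInBuffer(size, ntOffset, subsystemEnd))
{
File_type |= RoleFromHeaders(characteristics, nt64->OptionalHeader.Subsystem);
}
}
else if (magic == 0x107) // ROM image: different optional header, no Subsystem read
{
File_type |= ROM_IMAGE;
}
return File_type;
}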

petype.cpp

 1 #include "stdafx.h"
2 #include "pefile.h"
3 #include <iostream>
4
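// Classifies one PE file and prints the flag set returned by GetType().
// The path comes from argv[1]; without an argument the original sample path
// is used so the previous behaviour is kept.
int main(int argc, char* argv[])
{
// XPEFILE takes a non-const char*, so the default lives in a writable array
// rather than being bound to a string literal.
char defaultPath[] = "c:\\1.exe";
char* file = (argc > 1) ? argv[1] : defaultPath;

XPEFILE pefile1(file);
const int filetype = pefile1.GetType();

// The result is a bit set of the *_FILE / ROM_IMAGE flags from pefile.h;
// printing it in hex keeps the individual bits readable. std::endl flushes
// before the pause below so the line is visible while the program waits.
std::cout << file << ": type 0x" << std::hex << filetype << std::endl;

system("pause");
return 0;
}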