标题:
模拟windows PE文件加载器
作者:
forwe
时间:
2013-7-14 00:54
标题:
模拟windows PE文件加载器
#include "stdio.h"
#include <stdlib.h>
#include <string.h>
#include <WINDOWS.H>
/*
 * Function-pointer type with the SetFilePointerEx signature. The functions
 * below resolve the address at run time with GetProcAddress on Kernel32.dll
 * and call through a variable of this type.
 */
typedef BOOL (__stdcall *pSetFilePointerEx)(
HANDLE hFile,
LARGE_INTEGER liDistanceToMove,
PLARGE_INTEGER lpNewFilePointer,
DWORD dwMoveMethod);
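/*
 * Dump basic header fields of c:\NOTEPAD.EXE: the DOS magic and e_lfanew,
 * the NT signature and section count, then every section name.
 *
 * Every header value comes from the file and is treated as untrusted:
 * each read is checked for failure and for a short count, both signatures
 * are validated before the fields behind them are used, and the section
 * table is located through FileHeader.SizeOfOptionalHeader rather than
 * sizeof(IMAGE_NT_HEADERS). All exit paths release the file handle, the
 * module handle and the section-table buffer.
 */
void ReadPeFile()
{
    HANDLE hFile = INVALID_HANDLE_VALUE;
    HMODULE h = NULL;
    BOOL bStatus;
    ULONG uIndex;
    DWORD dwRetSize = 0;
    DWORD dwTableSize;
    LARGE_INTEGER FileOffset;
    IMAGE_DOS_HEADER ImageDosHeader;
    IMAGE_NT_HEADERS ImageNtHeader;
    IMAGE_SECTION_HEADER *pImageSectionHeader = NULL;
    pSetFilePointerEx SetFilePointerEx;

    /* Read-only access to an existing file: OPEN_ALWAYS would create an
     * empty file when the target is missing, and GENERIC_ALL asks for
     * write/delete rights that parsing never needs. */
    hFile = CreateFile("c:\\NOTEPAD.EXE", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING,
                       FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        printf("CreateFile Failed!\n");
        return;
    }

    bStatus = ReadFile(hFile, &ImageDosHeader, sizeof(IMAGE_DOS_HEADER), &dwRetSize, NULL);
    if (bStatus == FALSE || dwRetSize != sizeof(IMAGE_DOS_HEADER))
    {
        printf("read image_dos_header falied! :%lu \n", (unsigned long)GetLastError());
        goto cleanup;
    }

    /* e_magic is two bytes with no terminator, so bound the %s conversion. */
    printf("e_magic:%.2s, e_lfanew:0x%lX\n", (const char *)&ImageDosHeader.e_magic,
           (unsigned long)ImageDosHeader.e_lfanew);
    if (ImageDosHeader.e_magic != IMAGE_DOS_SIGNATURE || ImageDosHeader.e_lfanew < 0)
    {
        printf("not a valid DOS header\n");
        goto cleanup;
    }

    h = LoadLibrary("Kernel32.dll");
    if (!h)
    {
        goto cleanup;
    }
    SetFilePointerEx = (pSetFilePointerEx)GetProcAddress(h, "SetFilePointerEx");
    if (SetFilePointerEx == NULL)
    {
        printf("GetProcAddress(SetFilePointerEx) failed! :%lu \n", (unsigned long)GetLastError());
        goto cleanup;
    }

    FileOffset.QuadPart = ImageDosHeader.e_lfanew;
    bStatus = SetFilePointerEx(hFile, FileOffset, NULL, FILE_BEGIN);
    if (bStatus == FALSE)
    {
        printf("SetFilePointerEx falied! :%lu \n", (unsigned long)GetLastError());
        goto cleanup;
    }

    bStatus = ReadFile(hFile, &ImageNtHeader, sizeof(IMAGE_NT_HEADERS), &dwRetSize, NULL);
    if (bStatus == FALSE || dwRetSize != sizeof(IMAGE_NT_HEADERS))
    {
        printf("read image_nt_header falied! :%lu \n", (unsigned long)GetLastError());
        goto cleanup;
    }

    printf("Signature:%.4s, NumberOfSections: %u\n", (const char *)&ImageNtHeader.Signature,
           (unsigned)ImageNtHeader.FileHeader.NumberOfSections);
    if (ImageNtHeader.Signature != IMAGE_NT_SIGNATURE)
    {
        printf("not a valid NT header\n");
        goto cleanup;
    }

    dwTableSize = (DWORD)(sizeof(IMAGE_SECTION_HEADER) * ImageNtHeader.FileHeader.NumberOfSections);
    if (dwTableSize == 0)
    {
        goto cleanup; /* no section headers to list */
    }

    /* The section table follows the optional header, whose on-disk size is
     * SizeOfOptionalHeader and need not equal this build's structure size. */
    FileOffset.QuadPart = (LONGLONG)ImageDosHeader.e_lfanew
                        + FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader)
                        + ImageNtHeader.FileHeader.SizeOfOptionalHeader;
    bStatus = SetFilePointerEx(hFile, FileOffset, NULL, FILE_BEGIN);
    if (bStatus == FALSE)
    {
        printf("SetFilePointerEx falied! :%lu \n", (unsigned long)GetLastError());
        goto cleanup;
    }

    pImageSectionHeader = malloc(dwTableSize);
    if (pImageSectionHeader == NULL)
    {
        goto cleanup;
    }

    bStatus = ReadFile(hFile, pImageSectionHeader, dwTableSize, &dwRetSize, NULL);
    if (bStatus == FALSE || dwRetSize != dwTableSize)
    {
        printf("read IMAGE_SECTION_HEADER falied! :%lu \n", (unsigned long)GetLastError());
        goto cleanup;
    }

    for (uIndex = 0; uIndex < ImageNtHeader.FileHeader.NumberOfSections; uIndex++)
    {
        /* Name is a fixed 8-byte field that is not NUL-terminated when full. */
        printf("pImageSectionHeader[%lu]:%.8s\n", (unsigned long)uIndex,
               (const char *)pImageSectionHeader[uIndex].Name);
    }

cleanup:
    free(pImageSectionHeader);
    if (h != NULL)
    {
        FreeLibrary(h);
    }
    CloseHandle(hFile);
}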
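/*
 * Lay out c:\NOTEPAD.EXE in a heap buffer the way its headers describe the
 * in-memory image: a zeroed buffer of SizeOfImage bytes receives the DOS
 * header, the NT headers, the section table, and each section's raw data at
 * that section's VirtualAddress. The buffer address is printed, the function
 * waits for two getchar() calls, then frees everything. Nothing beyond
 * copying is done (no relocations, no import resolution).
 *
 * Every size and offset used here is read from the file and therefore
 * untrusted. Before any copy, the header span and each section's
 * [VirtualAddress, VirtualAddress + SizeOfRawData) range are checked against
 * SizeOfImage, so a malformed file cannot make memcpy or ReadFile write
 * outside the allocation. Reads are also checked for short counts.
 */
void ReadFileToMemory()
{
    HANDLE hFile = INVALID_HANDLE_VALUE;
    HMODULE h = NULL;
    BOOL bStatus;
    ULONG uIndex;
    DWORD dwRetSize = 0;
    DWORD dwTableSize;
    DWORD VirtualSizeOfImage;
    PVOID pVirtualPoint = NULL;
    BYTE *pImage;
    DWORD SectionVirtualAddr, SizeOfSection;
    DWORD PointerToRawData;
    ULONGLONG TableOffset, HeadersEnd, NtEnd;
    LARGE_INTEGER FileOffset;
    IMAGE_DOS_HEADER ImageDosHeader;
    IMAGE_NT_HEADERS ImageNtHeader;
    IMAGE_SECTION_HEADER *pImageSectionHeader = NULL;
    pSetFilePointerEx SetFilePointerEx;

    /* Read-only access to an existing file: OPEN_ALWAYS would create an
     * empty file when the target is missing, and GENERIC_ALL asks for
     * write/delete rights that mapping never needs. */
    hFile = CreateFile("c:\\NOTEPAD.EXE", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING,
                       FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        printf("CreateFile Failed!\n");
        return;
    }

    bStatus = ReadFile(hFile, &ImageDosHeader, sizeof(IMAGE_DOS_HEADER), &dwRetSize, NULL);
    if (bStatus == FALSE || dwRetSize != sizeof(IMAGE_DOS_HEADER))
    {
        printf("read image_dos_header falied! :%lu \n", (unsigned long)GetLastError());
        goto cleanup;
    }

    /* e_magic is two bytes with no terminator, so bound the %s conversion. */
    printf("e_magic:%.2s, e_lfanew:0x%lX\n", (const char *)&ImageDosHeader.e_magic,
           (unsigned long)ImageDosHeader.e_lfanew);
    if (ImageDosHeader.e_magic != IMAGE_DOS_SIGNATURE || ImageDosHeader.e_lfanew < 0)
    {
        printf("not a valid DOS header\n");
        goto cleanup;
    }

    h = LoadLibrary("Kernel32.dll");
    if (!h)
    {
        goto cleanup;
    }
    SetFilePointerEx = (pSetFilePointerEx)GetProcAddress(h, "SetFilePointerEx");
    if (SetFilePointerEx == NULL)
    {
        printf("GetProcAddress(SetFilePointerEx) failed! :%lu \n", (unsigned long)GetLastError());
        goto cleanup;
    }

    FileOffset.QuadPart = ImageDosHeader.e_lfanew;
    bStatus = SetFilePointerEx(hFile, FileOffset, NULL, FILE_BEGIN);
    if (bStatus == FALSE)
    {
        printf("SetFilePointerEx falied! :%lu \n", (unsigned long)GetLastError());
        goto cleanup;
    }

    bStatus = ReadFile(hFile, &ImageNtHeader, sizeof(IMAGE_NT_HEADERS), &dwRetSize, NULL);
    if (bStatus == FALSE || dwRetSize != sizeof(IMAGE_NT_HEADERS))
    {
        printf("read image_nt_header falied! :%lu \n", (unsigned long)GetLastError());
        goto cleanup;
    }

    printf("Signature:%.4s, NumberOfSections: %u\n", (const char *)&ImageNtHeader.Signature,
           (unsigned)ImageNtHeader.FileHeader.NumberOfSections);
    if (ImageNtHeader.Signature != IMAGE_NT_SIGNATURE)
    {
        printf("not a valid NT header\n");
        goto cleanup;
    }
    /* IMAGE_NT_HEADERS is laid out for this build's bitness; a file with the
     * other optional-header format would be misread and miscopied. */
    if (ImageNtHeader.OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC)
    {
        printf("optional header format does not match this build\n");
        goto cleanup;
    }

    /* The section table follows the optional header, whose on-disk size is
     * SizeOfOptionalHeader and need not equal this build's structure size.
     * 64-bit arithmetic keeps the sums below from wrapping. */
    dwTableSize = (DWORD)(sizeof(IMAGE_SECTION_HEADER) * ImageNtHeader.FileHeader.NumberOfSections);
    TableOffset = (ULONGLONG)ImageDosHeader.e_lfanew
                + FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader)
                + ImageNtHeader.FileHeader.SizeOfOptionalHeader;

    if (dwTableSize != 0)
    {
        FileOffset.QuadPart = (LONGLONG)TableOffset;
        bStatus = SetFilePointerEx(hFile, FileOffset, NULL, FILE_BEGIN);
        if (bStatus == FALSE)
        {
            printf("SetFilePointerEx falied! :%lu \n", (unsigned long)GetLastError());
            goto cleanup;
        }

        pImageSectionHeader = malloc(dwTableSize);
        if (pImageSectionHeader == NULL)
        {
            goto cleanup;
        }

        bStatus = ReadFile(hFile, pImageSectionHeader, dwTableSize, &dwRetSize, NULL);
        if (bStatus == FALSE || dwRetSize != dwTableSize)
        {
            printf("read IMAGE_SECTION_HEADER falied! :%lu \n", (unsigned long)GetLastError());
            goto cleanup;
        }
    }

    for (uIndex = 0; uIndex < ImageNtHeader.FileHeader.NumberOfSections; uIndex++)
    {
        /* Name is a fixed 8-byte field that is not NUL-terminated when full. */
        printf("pImageSectionHeader[%lu]:%.8s\n", (unsigned long)uIndex,
               (const char *)pImageSectionHeader[uIndex].Name);
    }

    VirtualSizeOfImage = ImageNtHeader.OptionalHeader.SizeOfImage;

    /* All three header copies below must land inside the allocation. NtEnd is
     * always past the DOS header, so one comparison covers every copy (and
     * rejects SizeOfImage == 0). */
    NtEnd = (ULONGLONG)ImageDosHeader.e_lfanew + sizeof(IMAGE_NT_HEADERS);
    HeadersEnd = TableOffset + dwTableSize;
    if (NtEnd > HeadersEnd)
    {
        HeadersEnd = NtEnd;
    }
    if (HeadersEnd > VirtualSizeOfImage)
    {
        printf("headers do not fit inside SizeOfImage\n");
        goto cleanup;
    }

    /* calloc gives the zero-filled image the original built with malloc+memset. */
    pVirtualPoint = calloc(1, VirtualSizeOfImage);
    if (pVirtualPoint == NULL)
    {
        goto cleanup;
    }
    /* Byte-pointer arithmetic; casting the pointer to LONG/DWORD truncates
     * it on 64-bit builds. */
    pImage = (BYTE *)pVirtualPoint;

    memcpy(pImage, &ImageDosHeader, sizeof(IMAGE_DOS_HEADER));
    memcpy(pImage + ImageDosHeader.e_lfanew, &ImageNtHeader, sizeof(IMAGE_NT_HEADERS));
    /* NOTE(review): bytes of an optional header longer than this build's
     * IMAGE_OPTIONAL_HEADER are not copied and stay zero. */
    if (dwTableSize != 0)
    {
        memcpy(pImage + (size_t)TableOffset, pImageSectionHeader, dwTableSize);
    }

    for (uIndex = 0; uIndex < ImageNtHeader.FileHeader.NumberOfSections; uIndex++)
    {
        SectionVirtualAddr = pImageSectionHeader[uIndex].VirtualAddress;
        SizeOfSection = pImageSectionHeader[uIndex].SizeOfRawData;
        PointerToRawData = pImageSectionHeader[uIndex].PointerToRawData;

        if (SizeOfSection == 0)
        {
            continue; /* no file data for this section; it stays zero-filled */
        }

        /* Written as a subtraction so VirtualAddress + SizeOfRawData cannot
         * wrap past 32 bits and slip under the limit. */
        if (SectionVirtualAddr > VirtualSizeOfImage ||
            SizeOfSection > VirtualSizeOfImage - SectionVirtualAddr)
        {
            printf("section %lu lies outside SizeOfImage\n", (unsigned long)uIndex);
            goto cleanup;
        }

        FileOffset.QuadPart = PointerToRawData;
        bStatus = SetFilePointerEx(hFile, FileOffset, NULL, FILE_BEGIN);
        if (bStatus == FALSE)
        {
            goto cleanup;
        }

        bStatus = ReadFile(hFile, pImage + SectionVirtualAddr, SizeOfSection, &dwRetSize, NULL);
        if (bStatus == FALSE || dwRetSize != SizeOfSection)
        {
            goto cleanup;
        }
    }

    printf("pVirtualPoint:0x%p\n", pVirtualPoint);
    getchar();
    getchar();

cleanup:
    free(pVirtualPoint);
    free(pImageSectionHeader);
    if (h != NULL)
    {
        FreeLibrary(h);
    }
    CloseHandle(hFile);
}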
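/*
 * Program entry point: runs the in-memory layout demo on the hard-coded file.
 * Declared int (void main is not a standard hosted signature) and returns 0.
 */
int main(int argc, char** argv)
{
    (void)argc;
    (void)argv;
    ReadFileToMemory();
    return 0;
}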