Delphi : Analyze PE file headers?

Analyze PE file headers?

{ You'll need an OpenDialog to pick an EXE file and a Memo to display the header information.
  Note: the headers are parsed as read from disk and nothing in them is trustworthy;
  every offset and size must be bounds-checked before it is used. }

{
  Man braucht einen OpenDialog um eine Exe-Datei zu öffnen und ein Memo,
  um die Informationen anzuzeigen.
}

procedure DumpDOSHeader(const h: IMAGE_DOS_HEADER; Lines: TStrings);
{ Appends one "<caption>: <value>" line per IMAGE_DOS_HEADER field to Lines,
  preceded by a heading and followed by an empty separator line. Values are
  printed in decimal exactly as stored; the reserved arrays e_res/e_res2 are
  not listed. This routine performs no validation of the header itself. }

  // Emits a single captioned decimal field.
  procedure Field(const Caption: string; Value: Longint);
  begin
    Lines.Add(Format('%s: %d', [Caption, Value]));
  end;

begin
  Lines.Add('Dump of DOS file header');
  Field('Magic number', h.e_magic);
  Field('Bytes on last page of file', h.e_cblp);
  Field('Pages in file', h.e_cp);
  Field('Relocations', h.e_crlc);
  Field('Size of header in paragraphs', h.e_cparhdr);
  Field('Minimum extra paragraphs needed', h.e_minalloc);
  Field('Maximum extra paragraphs needed', h.e_maxalloc);
  Field('Initial (relative) SS value', h.e_ss);
  Field('Initial SP value', h.e_sp);
  Field('Checksum', h.e_csum);
  Field('Initial IP value', h.e_ip);
  Field('Initial (relative) CS value', h.e_cs);
  Field('File address of relocation table', h.e_lfarlc);
  Field('Overlay number', h.e_ovno);
  Field('OEM identifier (for e_oeminfo)', h.e_oemid);
  Field('OEM information; e_oemid specific', h.e_oeminfo);
  Field('File address of new exe header', h._lfanew);
  Lines.Add('');
end;

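procedure DumpPEHeader(const h: IMAGE_FILE_HEADER; Lines: TStrings);
{ Appends a decimal dump of the COFF file header (IMAGE_FILE_HEADER) to Lines,
  with the machine type, link timestamp and the DLL/EXE and relocation bits of
  Characteristics decoded. Ends with an empty separator line.
  All values come straight from the file and are attacker-controlled; nothing
  printed here should be treated as proof of anything about the image. }
var
  dt: TDateTime;
begin
  Lines.Add('Dump of PE file header');
  Lines.Add(Format('Machine: %4x', [h.Machine]));
  case h.Machine of
    IMAGE_FILE_MACHINE_UNKNOWN : Lines.Add(' MACHINE_UNKNOWN ');
    IMAGE_FILE_MACHINE_I386: Lines.Add(' Intel 386. ');
    IMAGE_FILE_MACHINE_R3000: Lines.Add(' MIPS little-endian, 0x160 big-endian ');
    IMAGE_FILE_MACHINE_R4000: Lines.Add(' MIPS little-endian ');
    IMAGE_FILE_MACHINE_R10000: Lines.Add(' MIPS little-endian ');
    IMAGE_FILE_MACHINE_ALPHA: Lines.Add(' Alpha_AXP ');
    IMAGE_FILE_MACHINE_POWERPC: Lines.Add(' IBM PowerPC Little-Endian ');
    // Literal values: these are either no longer, or not yet, defined in the
    // Windows unit of every Delphi version, so naming them would not compile.
    $14D: Lines.Add(' Intel i860');
    $268: Lines.Add(' Motorola 68000');
    $290: Lines.Add(' PA RISC');
    $200: Lines.Add(' Intel Itanium (IA-64)');
    $1C0: Lines.Add(' ARM little-endian');
    $1C4: Lines.Add(' ARM Thumb-2 (ARMNT)');
    $8664: Lines.Add(' AMD64 (x64)');
    $AA64: Lines.Add(' ARM64');
    else
      Lines.Add(' unknown machine type');
  end; { Case }
  Lines.Add(Format('NumberOfSections: %d', [h.NumberOfSections]));
  Lines.Add(Format('TimeDateStamp: %d', [h.TimeDateStamp]));
  // Seconds since 1970-01-01 00:00 UTC, so the date printed is UTC, not local
  // time. The linker writes it and it is trivially forged (some reproducible
  // build toolchains store a hash here instead), so treat it as a hint only.
  if h.TimeDateStamp = 0 then
    Lines.Add(' (timestamp not set)')
  else
  begin
    dt := EncodeDate(1970, 1, 1) + h.TimeDateStamp / SecsPerDay;
    Lines.Add(FormatDateTime(' c', dt) + ' (UTC)');
  end;

  Lines.Add(Format('PointerToSymbolTable: %d', [h.PointerToSymbolTable]));
  Lines.Add(Format('NumberOfSymbols: %d', [h.NumberOfSymbols]));
  Lines.Add(Format('SizeOfOptionalHeader: %d', [h.SizeOfOptionalHeader]));
  Lines.Add(Format('Characteristics: %d', [h.Characteristics]));
  if (IMAGE_FILE_DLL and h.Characteristics) <> 0 then
    Lines.Add(' file is a DLL')
  else if (IMAGE_FILE_EXECUTABLE_IMAGE and h.Characteristics) <> 0 then
    Lines.Add(' file is a program');
  // Without a relocation table the loader cannot move the image, so
  // DYNAMIC_BASE in the optional header cannot take effect for it.
  if (IMAGE_FILE_RELOCS_STRIPPED and h.Characteristics) <> 0 then
    Lines.Add(' relocations stripped: image cannot be rebased, so ASLR cannot apply');
  Lines.Add('');
end;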

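procedure DumpOptionalHeader(const h: IMAGE_OPTIONAL_HEADER; Lines: TStrings);
{ Appends a decimal dump of the optional header to Lines, decoding Magic,
  Subsystem and the mitigation-related DllCharacteristics bits, and flagging
  an entry point that lies outside SizeOfImage.
  h is the 32-bit (PE32) record layout. A PE32+ image (Magic $20b) shares this
  layout only up to BaseOfCode and from SectionAlignment to DllCharacteristics;
  BaseOfData/ImageBase and the stack/heap sizes, LoaderFlags and
  NumberOfRvaAndSizes are misread for it, which is reported but not fixed here. }

  // Adds Desc when Mask is set in DllCharacteristics.
  procedure DllFlag(Mask: Word; const Desc: string);
  begin
    if (h.DllCharacteristics and Mask) <> 0 then
      Lines.Add(' ' + Desc);
  end;

begin
  Lines.Add('Dump of PE optional file header');
  Lines.Add(Format('Magic: %d', [h.Magic]));
  case h.Magic of
    $107: Lines.Add(' ROM image');
    $10b: Lines.Add(' executable image');
    $20b: Lines.Add(' executable image (PE32+): 64-bit layout, BaseOfData/ImageBase and stack/heap/LoaderFlags/NumberOfRvaAndSizes below are misread');
    else
      Lines.Add(' unknown image type');
  end; { Case }
  Lines.Add(Format('MajorLinkerVersion: %d', [h.MajorLinkerVersion]));
  Lines.Add(Format('MinorLinkerVersion: %d', [h.MinorLinkerVersion]));
  Lines.Add(Format('SizeOfCode: %d', [h.SizeOfCode]));
  Lines.Add(Format('SizeOfInitializedData: %d', [h.SizeOfInitializedData]));
  Lines.Add(Format('SizeOfUninitializedData: %d', [h.SizeOfUninitializedData]));
  Lines.Add(Format('AddressOfEntryPoint: %d', [h.AddressOfEntryPoint]));
  // The entry RVA must fall inside the mapped image; both fields sit at the
  // same offset in PE32 and PE32+, so the check is valid for either.
  if h.AddressOfEntryPoint >= h.SizeOfImage then
    Lines.Add(' WARNING: entry point lies outside SizeOfImage');
  Lines.Add(Format('BaseOfCode: %d', [h.BaseOfCode]));
  Lines.Add(Format('BaseOfData: %d', [h.BaseOfData]));
  Lines.Add(Format('ImageBase: %d', [h.ImageBase]));
  Lines.Add(Format('SectionAlignment: %d', [h.SectionAlignment]));
  Lines.Add(Format('FileAlignment: %d', [h.FileAlignment]));
  Lines.Add(Format('MajorOperatingSystemVersion: %d', [h.MajorOperatingSystemVersion]));
  Lines.Add(Format('MinorOperatingSystemVersion: %d', [h.MinorOperatingSystemVersion]));
  Lines.Add(Format('MajorImageVersion: %d', [h.MajorImageVersion]));
  Lines.Add(Format('MinorImageVersion: %d', [h.MinorImageVersion]));
  Lines.Add(Format('MajorSubsystemVersion: %d', [h.MajorSubsystemVersion]));
  Lines.Add(Format('MinorSubsystemVersion: %d', [h.MinorSubsystemVersion]));
  Lines.Add(Format('Win32VersionValue: %d', [h.Win32VersionValue]));
  Lines.Add(Format('SizeOfImage: %d', [h.SizeOfImage]));
  Lines.Add(Format('SizeOfHeaders: %d', [h.SizeOfHeaders]));
  Lines.Add(Format('CheckSum: %d', [h.CheckSum]));
  Lines.Add(Format('Subsystem: %d', [h.Subsystem]));
  case h.Subsystem of
    IMAGE_SUBSYSTEM_NATIVE:
      Lines.Add(' Image doesn''t require a subsystem. ');
    IMAGE_SUBSYSTEM_WINDOWS_GUI:
      Lines.Add(' Image runs in the Windows GUI subsystem. ');
    IMAGE_SUBSYSTEM_WINDOWS_CUI:
      Lines.Add(' Image runs in the Windows character subsystem. ');
    IMAGE_SUBSYSTEM_OS2_CUI:
      Lines.Add(' image runs in the OS/2 character subsystem. ');
    IMAGE_SUBSYSTEM_POSIX_CUI:
      Lines.Add(' image run in the Posix character subsystem. ');
    // Literal values: not named in every Delphi Windows unit.
    9:  Lines.Add(' Windows CE GUI subsystem. ');
    10: Lines.Add(' EFI application. ');
    11: Lines.Add(' EFI boot service driver. ');
    12: Lines.Add(' EFI runtime driver. ');
    16: Lines.Add(' Windows boot application. ');
    else
      Lines.Add(' unknown subsystem')
  end; { Case }
  Lines.Add(Format('DllCharacteristics: %d', [h.DllCharacteristics]));
  // Mitigation opt-in bits (values from the PE/COFF specification). Absence
  // of DYNAMIC_BASE / NX_COMPAT is what a reviewer most often needs to see.
  DllFlag($0020, 'HIGH_ENTROPY_VA (64-bit ASLR)');
  DllFlag($0040, 'DYNAMIC_BASE (ASLR-compatible)');
  DllFlag($0080, 'FORCE_INTEGRITY (signature enforced)');
  DllFlag($0100, 'NX_COMPAT (DEP-compatible)');
  DllFlag($0400, 'NO_SEH');
  DllFlag($1000, 'APPCONTAINER');
  DllFlag($4000, 'GUARD_CF (Control Flow Guard)');
  if (h.DllCharacteristics and $0040) = 0 then
    Lines.Add(' NOTE: DYNAMIC_BASE not set - image does not opt in to ASLR');
  if (h.DllCharacteristics and $0100) = 0 then
    Lines.Add(' NOTE: NX_COMPAT not set - image does not opt in to DEP');
  Lines.Add(Format('SizeOfStackReserve: %d', [h.SizeOfStackReserve]));
  Lines.Add(Format('SizeOfStackCommit: %d', [h.SizeOfStackCommit]));
  Lines.Add(Format('SizeOfHeapReserve: %d', [h.SizeOfHeapReserve]));
  Lines.Add(Format('SizeOfHeapCommit: %d', [h.SizeOfHeapCommit]));
  Lines.Add(Format('LoaderFlags: %d', [h.LoaderFlags]));
  Lines.Add(Format('NumberOfRvaAndSizes: %d', [h.NumberOfRvaAndSizes]));
end;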

// Example Call, Beispielaufruf:

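procedure TForm1.Button1Click(Sender: TObject);
{ Lets the user pick a file, then parses and dumps its DOS, COFF and optional
  headers into Memo1. The file is untrusted input: every read is length-checked
  so a truncated or crafted file cannot leave uninitialised stack bytes in a
  header record, and e_lfanew / SizeOfOptionalHeader are bounds-checked before
  they are used to seek or size a read. Parsing stops at the first invalid or
  truncated header with a message in the memo. Opening the file may still raise
  EFOpenError, which the VCL reports as usual. }
var
  fs: TFileStream;
  signature: DWORD;
  dos_header: IMAGE_DOS_HEADER;
  pe_header: IMAGE_FILE_HEADER;
  opt_header: IMAGE_OPTIONAL_HEADER;
  optBytes: Integer;
  peOffset: Int64;
begin
  Memo1.Clear;
  OpenDialog1.Filter := 'Executables (*.EXE)|*.EXE';
  if not OpenDialog1.Execute then
    Exit;

  fs := TFileStream.Create(OpenDialog1.FileName, fmOpenRead or fmShareDenyNone);
  try
    if fs.Read(dos_header, SizeOf(dos_header)) <> SizeOf(dos_header) then
    begin
      Memo1.Lines.Add('File too short for a DOS header');
      Exit;
    end;
    if dos_header.e_magic <> IMAGE_DOS_SIGNATURE then
    begin
      Memo1.Lines.Add('Invalid DOS file header');
      Exit;
    end;
    DumpDOSHeader(dos_header, Memo1.Lines);

    // e_lfanew is a signed 32-bit value taken from the file: it may be
    // negative or point past EOF, so require the signature and the file
    // header to fit inside the file before seeking there.
    peOffset := dos_header._lfanew;
    if (peOffset < 0) or
       (peOffset + SizeOf(signature) + SizeOf(pe_header) > fs.Size) then
    begin
      Memo1.Lines.Add('Invalid PE header offset (e_lfanew out of range)');
      Exit;
    end;
    fs.Position := peOffset;

    if (fs.Read(signature, SizeOf(signature)) <> SizeOf(signature)) or
       (signature <> IMAGE_NT_SIGNATURE) then
    begin
      Memo1.Lines.Add('Invalid PE header');
      Exit;
    end;

    if fs.Read(pe_header, SizeOf(pe_header)) <> SizeOf(pe_header) then
    begin
      Memo1.Lines.Add('File too short for a PE file header');
      Exit;
    end;
    DumpPEHeader(pe_header, Memo1.Lines);

    // SizeOfOptionalHeader is also untrusted. Read at most that many bytes,
    // and never more than the record, into a zeroed record, so a short
    // optional header cannot pull section-table bytes into the dump and a
    // long one (e.g. PE32+) cannot overrun the record.
    if pe_header.SizeOfOptionalHeader > 0 then
    begin
      FillChar(opt_header, SizeOf(opt_header), 0);
      optBytes := pe_header.SizeOfOptionalHeader;
      if optBytes > SizeOf(opt_header) then
        optBytes := SizeOf(opt_header);
      if fs.Read(opt_header, optBytes) <> optBytes then
      begin
        Memo1.Lines.Add('File too short for the optional header');
        Exit;
      end;
      if pe_header.SizeOfOptionalHeader < SizeOf(opt_header) then
        Memo1.Lines.Add(Format(
          'Note: SizeOfOptionalHeader (%d) is smaller than the PE32 layout; missing fields are shown as 0',
          [pe_header.SizeOfOptionalHeader]));
      DumpOptionalHeader(opt_header, Memo1.Lines);
    end;
  finally
    fs.Free;
  end; { finally }
end;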
