解析PE资源表与重定位表

#include<Windows.h>
#include<iostream>
#include<stdio.h>
#include<stdlib.h>
#include<commdlg.h>
using namespace std;
DWORD dwFileSize;
BYTE* g_pFileImageBase = 0;
PIMAGE_NT_HEADERS g_pNt = 0;

DWORD RVAtoFOA(DWORD dwRVA);

//显示pe头
//参数为内存映射首地址
void myPE() {
        OPENFILENAME stOF;
        HANDLE hFile, hMapFile;
        DWORD totalSize;        //文件大小
        LPVOID lpMemory;        //内存映像文件在内存的起始位置
        char szFileName[MAX_PATH] = { 0 };  //要打开的文件路径及名称名
        char bufTemp1[10];                  //每个字符的十六进制字节码
        char bufTemp2[20];                  //第一列
        char lpServicesBuffer[100];     //一行的所有内容
        char bufDisplay[50];                //第三列ASCII码字符
        DWORD dwCount;                      //计数,逢16则重新计
        DWORD dwCount1;                     //地址顺号
        DWORD dwBlanks;                     //最后一行空格数
        char szExtPe[] = TEXT("PE Files\0*.exe;*.dll;*.scr;*.fon;*.drv\0All Files(*.*)\0*.*\0\0");
        RtlZeroMemory(&stOF, sizeof(stOF));
        stOF.lStructSize = sizeof(stOF);
        //stOF.hwndOwner = (HWND)GetModuleHandle(NULL);
        stOF.lpstrFilter = szExtPe;
        stOF.lpstrFile = szFileName;
        stOF.nMaxFile = MAX_PATH;
        stOF.Flags = OFN_PATHMUSTEXIST | OFN_FILEMUSTEXIST;
    if (GetOpenFileName(&stOF))     //让用户选择打开的文件
    {
        hFile = CreateFile(szFileName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE,
                    NULL, OPEN_EXISTING, FILE_ATTRIBUTE_ARCHIVE, NULL);
        //如果是无效的句柄
        if (hFile == INVALID_HANDLE_VALUE) {
            printf("文件打开失败\n");
            return;
        }
        //获取文件大小
        dwFileSize = GetFileSize(hFile, NULL);
        g_pFileImageBase = new BYTE[dwFileSize]{};
        DWORD dwRead;
        //将文件读取到内存中
        bool bRet =ReadFile(hFile, g_pFileImageBase, dwFileSize, &dwRead, NULL);
        //如果读取失败就返回
        if (!bRet)
        {
            delete[] g_pFileImageBase;
        }
        //关闭句柄
        CloseHandle(hFile);
/////////////////////////////////dos头///////////////////////////////////////////////
        //typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
        //  WORD   e_magic;                     // Magic number
        //  WORD   e_cblp;                      // Bytes on last page of file
        //  WORD   e_cp;                        // Pages in file
        //  WORD   e_crlc;                      // Relocations
        //  WORD   e_cparhdr;                   // Size of header in paragraphs
        //  WORD   e_minalloc;                  // Minimum extra paragraphs needed
        //  WORD   e_maxalloc;                  // Maximum extra paragraphs needed
        //  WORD   e_ss;                        // Initial (relative) SS value
        //  WORD   e_sp;                        // Initial SP value
        //  WORD   e_csum;                      // Checksum
        //  WORD   e_ip;                        // Initial IP value
        //  WORD   e_cs;                        // Initial (relative) CS value
        //  WORD   e_lfarlc;                    // File address of relocation table
        //  WORD   e_ovno;                      // Overlay number
        //  WORD   e_res[4];                    // Reserved words
        //  WORD   e_oemid;                     // OEM identifier (for e_oeminfo)
        //  WORD   e_oeminfo;                   // OEM information; e_oemid specific
        //  WORD   e_res2[10];                  // Reserved words
        //  LONG   e_lfanew;                    // File address of new exe header
        //} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
/////////////////////////////////dos头///////////////////////////////////////////////
        //使用PIMAGE_DOS_HEADER(占64字节)解释前64个字节
        PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)g_pFileImageBase;
        //判断PE文件的标识是否正确,有一个不对,那么它就不是PE文件
        if (pDos->e_magic != IMAGE_DOS_SIGNATURE)//0x5A4D(‘MZ‘)
        {
            return ;
        }
        cout << "---------------------------DOS头(_IMAGE_DOS_HEADER)------------------------------- "<< endl;
        cout << hex << "WORD   e_magic:     " << pDos->e_magic << endl;
        cout << hex << "WORD   e_cblp:      " << pDos->e_cblp << endl;
        cout << hex << "WORD   e_cp:        " << pDos->e_cp << endl;
        cout << hex << "WORD   e_cblp:      " << pDos->e_cblp << endl;
        cout << hex << "WORD   e_cparhdr:   " << pDos->e_cparhdr << endl;
        cout << hex << "WORD   e_minalloc:  " << pDos->e_minalloc << endl;
        cout << hex << "WORD   e_ss:        " << pDos->e_ss << endl;
        cout << hex << "WORD   e_sp:        " << pDos->e_sp << endl;
        cout << hex << "WORD   e_csum:      " << pDos->e_csum << endl;
        cout << hex << "WORD   e_ip:        " << pDos->e_ip << endl;
        cout << hex << "WORD   e_cs:        " << pDos->e_cs << endl;
        cout << hex << "WORD   e_lfarlc:    " << pDos->e_lfarlc << endl;
        cout << hex << "WORD   e_ovno:      " << pDos->e_ovno << endl;
        cout << hex << "WORD   e_res[4]:    " << *(pDos->e_res) << endl;
        cout << hex << "WORD   e_oemid:     " << pDos->e_oemid << endl;
        cout << hex << "WORD   e_oeminfo:   " << pDos->e_oeminfo << endl;
        cout << hex << "WORD   e_res2[10]:  " << *(pDos->e_res2) << endl;
        cout << hex << "WORD   e_lfanew:    " << pDos->e_lfanew << endl;

/////////////////////////////////NT头///////////////////////////////////////////////

        /*typedef struct _IMAGE_NT_HEADERS {
            DWORD Signature;
            IMAGE_FILE_HEADER FileHeader;
            IMAGE_OPTIONAL_HEADER32 OptionalHeader;
        } IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;*/
        g_pNt = (PIMAGE_NT_HEADERS)(pDos->e_lfanew + g_pFileImageBase);
        if (g_pNt->Signature != IMAGE_NT_SIGNATURE)//0x00004550(‘PE‘)
        {
            return ;
        }
        cout << "---------------------------NT头(PIMAGE_NT_HEADERS)------------------------------- " << endl;
        cout << hex << "DWORD Signature;                              " << g_pNt->Signature << endl;
        cout << hex << "IMAGE_FILE_HEADER FileHeader;                 " << &g_pNt->OptionalHeader << endl;
        cout << hex << "IMAGE_OPTIONAL_HEADER32 OptionalHeader;       " << &g_pNt->OptionalHeader << endl;
/////////////////////////////////FILE头///////////////////////////////////////////////
        /*typedef struct _IMAGE_FILE_HEADER {
            WORD    Machine;
            WORD    NumberOfSections;
            DWORD   TimeDateStamp;
            DWORD   PointerToSymbolTable;
            DWORD   NumberOfSymbols;
            WORD    SizeOfOptionalHeader;
            WORD    Characteristics;
        } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;*/
        PIMAGE_FILE_HEADER mytmf = &(g_pNt->FileHeader);
        cout << "---------------------------FILE头(IMAGE_FILE_HEADER )----------------------------- " << endl;
        cout << hex << "WORD    Machine;                              " << mytmf->Machine << endl;
        cout << hex << "WORD    NumberOfSections;                     " << mytmf->NumberOfSections << endl;
        cout << hex << "DWORD   TimeDateStamp;                        " << mytmf->TimeDateStamp << endl;
        cout << hex << "DWORD   PointerToSymbolTable;                 " << mytmf->PointerToSymbolTable << endl;
        cout << hex << "DWORD   NumberOfSymbols;                      " << mytmf->NumberOfSymbols << endl;
        cout << hex << "WORD    SizeOfOptionalHeader;                 " << mytmf->SizeOfOptionalHeader << endl;
        cout << hex << "WORD    Characteristics;                      " << mytmf->Characteristics << endl;
        /////////////////////////////////Optional头///////////////////////////////////////////////

        //
        // Optional header format.
        //

        //typedef struct _IMAGE_OPTIONAL_HEADER {
        //  //
        //  // Standard fields.
        //  //

        //  WORD    Magic;
        //  BYTE    MajorLinkerVersion;
        //  BYTE    MinorLinkerVersion;
        //  DWORD   SizeOfCode;
        //  DWORD   SizeOfInitializedData;
        //  DWORD   SizeOfUninitializedData;
        //  DWORD   AddressOfEntryPoint;
        //  DWORD   BaseOfCode;
        //  DWORD   BaseOfData;

        //  //
        //  // NT additional fields.
        //  //

        //  DWORD   ImageBase;
        //  DWORD   SectionAlignment;
        //  DWORD   FileAlignment;
        //  WORD    MajorOperatingSystemVersion;
        //  WORD    MinorOperatingSystemVersion;
        //  WORD    MajorImageVersion;
        //  WORD    MinorImageVersion;
        //  WORD    MajorSubsystemVersion;
        //  WORD    MinorSubsystemVersion;
        //  DWORD   Win32VersionValue;
        //  DWORD   SizeOfImage;
        //  DWORD   SizeOfHeaders;
        //  DWORD   CheckSum;
        //  WORD    Subsystem;
        //  WORD    DllCharacteristics;
        //  DWORD   SizeOfStackReserve;
        //  DWORD   SizeOfStackCommit;
        //  DWORD   SizeOfHeapReserve;
        //  DWORD   SizeOfHeapCommit;
        //  DWORD   LoaderFlags;
        //  DWORD   NumberOfRvaAndSizes;
        //  IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
        //} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
        PIMAGE_OPTIONAL_HEADER32 myoption = &(g_pNt->OptionalHeader);
        cout << "---------------------------OPTIONAL头(PIMAGE_OPTIONAL_HEADER32 )-------------------------------------------------- " << endl;

        cout << "---------------------------------------Standard fields.------------------------------------------------------------- " << endl;
        cout << hex << "WORD    Magic;                                     " << myoption->Magic << endl;
        cout << hex << "BYTE    MajorLinkerVersion;                        " << myoption->MajorLinkerVersion << endl;
        cout << hex << "BYTE    MinorLinkerVersion;                        " << myoption->MinorLinkerVersion << endl;
        cout << hex << "DWORD   SizeOfCode;                                " << myoption->SizeOfCode << endl;
        cout << hex << "DWORD   SizeOfInitializedData;                     " << myoption->SizeOfInitializedData << endl;
        cout << hex << "DWORD   SizeOfUninitializedData;                   " << myoption->SizeOfUninitializedData << endl;
        cout << hex << "DWORD   AddressOfEntryPoint;                       " << myoption->AddressOfEntryPoint << endl;
        cout << hex << "DWORD   BaseOfCode;                                " << myoption->BaseOfCode << endl;
        cout << hex << "DWORD   BaseOfData;                                " << myoption->BaseOfData << endl;
        cout << "----------------------------------------- NT additional fields.----------------------------------------------------- " << endl;
        cout << hex << "DWORD   ImageBase;                                 " << myoption->ImageBase << endl;
        cout << hex << "DWORD   SectionAlignment;                          " << myoption->SectionAlignment << endl;
        cout << hex << "DWORD   FileAlignment;                             " << myoption->FileAlignment << endl;
        cout << hex << "WORD    MajorOperatingSystemVersion;               " << myoption->MajorOperatingSystemVersion << endl;
        cout << hex << "WORD    MinorOperatingSystemVersion;               " << myoption->MinorOperatingSystemVersion << endl;
        cout << hex << "WORD    MajorImageVersion;                         " << myoption->MajorImageVersion << endl;
        cout << hex << "DWORD   SectionAlignment;                          " << myoption->SectionAlignment << endl;
        cout << hex << "WORD    MinorImageVersion;                         " << myoption->MinorImageVersion << endl;
        cout << hex << "WORD    MajorSubsystemVersion;                     " << myoption->MajorSubsystemVersion << endl;
        cout << hex << "WORD    MinorSubsystemVersion;                     " << myoption->MinorSubsystemVersion << endl;
        cout << hex << "DWORD   Win32VersionValue;                         " << myoption->Win32VersionValue << endl;
        cout << hex << "DWORD   SizeOfImage;                               " << myoption->SizeOfImage << endl;
        cout << hex << "DWORD   SizeOfHeaders;                             " << myoption->SizeOfHeaders << endl;
        cout << hex << "DWORD   CheckSum;                                  " << myoption->CheckSum << endl;
        cout << hex << "WORD    Subsystem;                                 " << myoption->Subsystem << endl;
        cout << hex << "WORD    DllCharacteristics;                        " << myoption->DllCharacteristics << endl;
        cout << hex << "DWORD   SizeOfStackReserve;                        " << myoption->SizeOfStackReserve << endl;
        cout << hex << "DWORD   SizeOfStackCommit;                         " << myoption->SizeOfStackCommit << endl;
        cout << hex << "DWORD   SizeOfHeapReserve;                         " << myoption->SizeOfHeapReserve << endl;
        cout << hex << "DWORD   SizeOfHeapCommit;                          " << myoption->SizeOfHeapCommit << endl;
        cout << hex << "DWORD   LoaderFlags;                               " << myoption->LoaderFlags << endl;
        cout << hex << "DWORD   NumberOfRvaAndSizes;                       " << myoption->NumberOfRvaAndSizes << endl;
        cout << hex << "IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];" << &(myoption->DataDirectory) << endl;
        /////////////////////////////////////////////所有区段表头////////////////////////////////////////////////////
        /*typedef struct _IMAGE_SECTION_HEADER {
            BYTE    Name[IMAGE_SIZEOF_SHORT_NAME];
            union {
                DWORD   PhysicalAddress;
                DWORD   VirtualSize;
            } Misc;
            DWORD   VirtualAddress;
            DWORD   SizeOfRawData;
            DWORD   PointerToRawData;
            DWORD   PointerToRelocations;
            DWORD   PointerToLinenumbers;
            WORD    NumberOfRelocations;
            WORD    NumberOfLinenumbers;
            DWORD   Characteristics;
        } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;*/
        //所有区表头都在一起
        //大文件头中找区段数
        int nCountOfSection = g_pNt->FileHeader.NumberOfSections;
        //取第一个区表头
        PIMAGE_SECTION_HEADER pSec = IMAGE_FIRST_SECTION(g_pNt);
        //循环
        for (int i = 0; i < nCountOfSection; i++)
        {
        cout << "----------------------第"<<i<<"个-----PIMAGE_SECTION_HEADER头(PIMAGE_OPTIONAL_HEADER32 )----------------------------- " << endl;
        cout << "BYTE    Name[IMAGE_SIZEOF_SHORT_NAME];                    " << pSec->Name << endl;
        cout << hex << "DWORD   PhysicalAddress;                           " << pSec->Misc.PhysicalAddress << endl;
        cout << hex << "DWORD   VirtualSize;                               " << pSec->Misc.VirtualSize << endl;
        cout << hex << "DWORD   VirtualAddress;                            " << pSec->VirtualAddress << endl;
        cout << hex << "DWORD   SizeOfRawData;                             " << pSec->SizeOfRawData << endl;
        cout << hex << "DWORD   PointerToRawData;                          " << pSec->PointerToRawData << endl;
        cout << hex << "DWORD   PointerToRelocations;                      " << pSec->PointerToRelocations << endl;
        cout << hex << "WORD    PointerToLinenumbers;                      " << pSec->PointerToLinenumbers << endl;
        cout << hex << "WORD    NumberOfRelocations;                       " << pSec->NumberOfRelocations << endl;
        cout << hex << "DWORD   NumberOfLinenumbers;                       " << pSec->NumberOfLinenumbers << endl;
        cout << hex << "DWORD   Characteristics;                           " << pSec->Characteristics << endl;
        cout << hex << "在文件中相对文件偏移;                            " << RVAtoFOA(pSec->VirtualAddress) << endl;

            //下一个区表头首地址
            ++pSec;
        }
        /////////////////////////////////////////////导出表///////////////////////////////////////////////////////////
        //typedef struct _IMAGE_EXPORT_DIRECTORY {
        //  DWORD   Characteristics;
        //  DWORD   TimeDateStamp;
        //  WORD    MajorVersion;
        //  WORD    MinorVersion;
        //  DWORD   Name;
        //  DWORD   Base;
        //  DWORD   NumberOfFunctions;
        //  DWORD   NumberOfNames;
        //  DWORD   AddressOfFunctions;     // RVA from base of image
        //  DWORD   AddressOfNames;         // RVA from base of image
        //  DWORD   AddressOfNameOrdinals;  // RVA from base of image
        //} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
        //找到导出表  也就是第一个表下标为0
        DWORD dwExportRVA =g_pNt->OptionalHeader.DataDirectory[0].VirtualAddress;
        //获取在文件中的位置
        PIMAGE_EXPORT_DIRECTORY pExport =(PIMAGE_EXPORT_DIRECTORY)(RVAtoFOA(dwExportRVA) + g_pFileImageBase);
        //模块名字
        char* pName = (char*)(RVAtoFOA(pExport->Name) + g_pFileImageBase);
        printf("%s\n", pName);
        //地址表中的个数
        DWORD dwCountOfFuntions = pExport->NumberOfFunctions;
        //名称表中的个数
        DWORD dwCountOfNames = pExport->NumberOfNames;
        //地址表地址
        PDWORD pAddrOfFuntion = (PDWORD)(RVAtoFOA(pExport->AddressOfFunctions) + g_pFileImageBase);
        //名称表地址
        PDWORD pAddrOfName = (PDWORD)(RVAtoFOA(pExport->AddressOfNames) + g_pFileImageBase);
        //序号表地址
        PWORD pAddrOfOrdial = (PWORD)(RVAtoFOA(pExport->AddressOfNameOrdinals) + g_pFileImageBase);
        //base值
        DWORD dwBase = pExport->Base;
        //遍历地址表中的元素
        cout << "-----------------------------------------导出表中的导出函数与导出序号-------------------------------------------------- " << endl;
        if (dwExportRVA == 0) {
            printf("没有导出表\n");
            //return;
        }
        else {
            for (int i = 0; i < dwCountOfFuntions;i++)
            {
                //地址表中可能存在无用的值(就是为0的值)
                if (pAddrOfFuntion[i] == 0)
                {
                    continue;
                }
                //根据序号表中是否有值(地址表的下标值),
                //来判断是否是名称导出
                bool bRet = false;
                for (int j = 0; j < dwCountOfNames;j++)
                {
                    //i为地址表下标j为序号表的下标(值为地址表下标)
                    //判断是否在序号表中
                    if (i == pAddrOfOrdial[j])
                    {
                        //因为序号表与名称表的位置一一对应
                        //取出名称表中的名称地址RVA
                        DWORD dwNameRVA = pAddrOfName[j];
                        char* pFunName = (char*)(RVAtoFOA(dwNameRVA) + g_pFileImageBase);
                        printf("%04d  %s  0x%08x\n", i + dwBase, pFunName, pAddrOfFuntion[i]);
                        bRet = true;
                        break;
                    }
                }
                if (!bRet)
                {
                    //序号表中没有,说明是以序号导出的
                    printf("%04d           %08X\n", i + dwBase, pAddrOfFuntion[i]);
                }

            }
        }
        /////////////////////////////////////////////导出表///////////////////////////////////////////////////////////
        //typedef struct _IMAGE_IMPORT_DESCRIPTOR {
        //  union {
        //      DWORD   Characteristics;            // 0 for terminating null import descriptor
        //      DWORD   OriginalFirstThunk;         // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
        //  } DUMMYUNIONNAME;
        //  DWORD   TimeDateStamp;                  // 0 if not bound,
        //                                          // -1 if bound, and real date\time stamp
        //                                          //     in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
        //                                          // O.W. date/time stamp of DLL bound to (Old BIND)

        //  DWORD   ForwarderChain;                 // -1 if no forwarders
        //  DWORD   Name;
        //  DWORD   FirstThunk;                     // RVA to IAT (if bound this IAT has actual addresses)
        //} IMAGE_IMPORT_DESCRIPTOR;
        //typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED *PIMAGE_IMPORT_DESCRIPTOR;
        cout << "-----------------------------------------导入表中的导入函数与导入模块-------------------------------------------------- " << endl;

        //找到导入表  也就是第二个下标为1
        DWORD dwImpotRVA = g_pNt->OptionalHeader.DataDirectory[1].VirtualAddress;
        //在文件中的位置
        DWORD dwImportInFile = (DWORD)(RVAtoFOA(dwImpotRVA) + g_pFileImageBase);
        PIMAGE_IMPORT_DESCRIPTOR pImport = (PIMAGE_IMPORT_DESCRIPTOR)dwImportInFile;
        //遍历每一个导入表  通过最后一个为0作为判断条件
        if (dwImpotRVA == 0) {
            printf("没有导入表\n");
            return;
        }
        else {
            while (pImport->Name)
            {
                //函数名称地址
                PIMAGE_THUNK_DATA pFirsThunk =
                    (PIMAGE_THUNK_DATA)(RVAtoFOA(pImport->FirstThunk) + g_pFileImageBase);
                //模块名
                char* pName = (char*)(RVAtoFOA(pImport->Name) + g_pFileImageBase);
                printf("导入模块名字%s\n", pName);
                //也是通过最后一个为0作为判断条件
                while (pFirsThunk->u1.AddressOfData)
                {
                    //判断导入方式
                    if (IMAGE_SNAP_BY_ORDINAL32(pFirsThunk->u1.AddressOfData))
                    {
                        //说明是序号导入(低16位是其序号)
                        printf("\t\t%04X \n", pFirsThunk->u1.Ordinal & 0xFFFF);
                    }
                    else
                    {
                        //名称导入
                        PIMAGE_IMPORT_BY_NAME pImportName =
                            (PIMAGE_IMPORT_BY_NAME)(RVAtoFOA(pFirsThunk->u1.AddressOfData) + g_pFileImageBase);
                        printf("\t\t%04X %s \n", pImportName->Hint, pImportName->Name);
                    }
                    //
                    pFirsThunk++;
                }
                pImport++;
            }
        }
        cout << "--------------------------------------------------资源表--------------------------------------------------------------- " << endl;
        //注意的是NameOffset偏移  OffsetToDirectory偏移  OffsetToData偏移都是资源表最开始的偏移
            //找到资源表
            DWORD dwResRVA =
                g_pNt->OptionalHeader.DataDirectory[2].VirtualAddress;
            DWORD dwResFOA = (DWORD)(RVAtoFOA(dwResRVA) + g_pFileImageBase);
            PIMAGE_RESOURCE_DIRECTORY pRes = (PIMAGE_RESOURCE_DIRECTORY)dwResFOA;
            //资源有三层 每一层都以一个PIMAGE_RESOURCE_DIRECTORY开头,之后跟数个
            //PIMAGE_RESOURCE_DIRECTORY_ENTRY结构,可以说第一层由一个PIMAGE_RESOURCE_DIRECTORY
            //与一个PIMAGE_RESOURCE_DIRECTORY_ENTRY结构体组成
            //第一层(种类)
            //种类个数
            DWORD dwCountOfResType =
                pRes->NumberOfIdEntries + pRes->NumberOfNamedEntries;

            for (int i = 0; i < dwCountOfResType;i++)
            {   //pRes代表PIMAGE_RESOURCE_DIRECTORY的首地址+1之后就是后面的PIMAGE_RESOURCE_DIRECTORY_ENTRY首地址
                PIMAGE_RESOURCE_DIRECTORY_ENTRY pResEntry =
                    (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(pRes + 1);
                //typedef struct _IMAGE_RESOURCE_DIRECTORY_ENTRY {
                //这个联合体说明资源叫什么  如果这种资源是已知的也就是微软定义的那么
                //联合体最高位为0也就是NameIsString成员为0这个时候整个四字节(union)代表着已知资源的类型,也就是ID起
                //作用  如果这种资源是未知是那么NameIsString的最高位为1 低31位指向一个name的结构体(PIMAGE_RESOURCE_DIR_STRING_U)偏移,也就是DWORD   Name;起作用
                //  union {
                //      struct {
                //          DWORD NameOffset : 31;
                //          DWORD NameIsString : 1;
                //      } DUMMYSTRUCTNAME;
                //      DWORD   Name;
                //      WORD    Id;
                //  } DUMMYUNIONNAME;
                //这个联合体说明资源在哪里
                //当DataIsDirectory字段为1时(也就是这个四字节最高位为1)说明这个联合体表示的地方是一个目录,OffsetToDirectory(低31位)表示具体有
                //多少个地方,这个些地方就是第二层
                //  union {
                //      DWORD   OffsetToData;
                //      struct {
                //          DWORD   OffsetToDirectory : 31;
                //          DWORD   DataIsDirectory : 1;
                //      } DUMMYSTRUCTNAME2;
                //  } DUMMYUNIONNAME2;
                //} IMAGE_RESOURCE_DIRECTORY_ENTRY, *PIMAGE_RESOURCE_DIRECTORY_ENTRY;

                //判断这种资源是字符串还是ID
                if (pResEntry->NameIsString)
                {
                    //如果是字符串,NameOffset保存的就是这个字符串的RVA
                    //得到名字字符串的FOA
                    DWORD dwNameFOA = (DWORD)(RVAtoFOA(pResEntry->NameOffset) + g_pFileImageBase);
                    //NameOffset所指向的结构体是IMAGE_RESOURCE_DIR_STRING_U类型
                    //这里保存了字符串的长度和起始位置
                    PIMAGE_RESOURCE_DIR_STRING_U pName = (PIMAGE_RESOURCE_DIR_STRING_U)dwNameFOA;
                    //这里的字符串不是以0结尾的,所以需要拷贝出来加上‘\0’结尾后再打印
                    WCHAR *pResName = new WCHAR[pName->Length + 1]{};
                    memcpy(pResName, pName, (pName->Length) * sizeof(WCHAR));
                    //因为是WCHAR,所以用wprintf
                    wprintf(L"%s\n", pResName);
                    //释放内存
                    delete[] pResName;
                }
                else   //id
                {
                    char* arryResType[] = { "", "鼠标指针(Cursor)", "位图(Bitmap)", "图标(Icon)", "菜单(Menu)"
                        , "对话框(Dialog)", "字符串列表(String Table)", "字体目录(Font Directory)", "字体(Font)", "快捷键(Accelerators)"
                        , "非格式化资源(Unformatted)", "消息列表(Message Table)", "鼠标指针组(Croup Cursor)", "", "图标组(Group Icon)", ""
                        , "版本信息(Version Information)" };
                    if (pResEntry->Id < 17)
                    {
                        printf("arryResType[pResEntry->Id]  %s\n", arryResType[pResEntry->Id]);
                    }
                    else
                    {
                        printf("pResEntry->Id %04X\n", pResEntry->Id);
                    }

                    //判断是否有下一层(0个表示没有下一层)
                    if (pResEntry->DataIsDirectory)
                    {   //到了第二层相对结构体同样和上一层一样但是OffsetToDirectory就指向对三层了
                        DWORD dwResSecond = (DWORD)pRes + pResEntry->OffsetToDirectory;
                        PIMAGE_RESOURCE_DIRECTORY pResSecond = (PIMAGE_RESOURCE_DIRECTORY)dwResSecond;
                        //第二层个数
                        DWORD dwCountOfSecond =
                            pResSecond->NumberOfIdEntries + pResSecond->NumberOfNamedEntries;
                        //遍历每一个资源
                        for (int iSecond = 0; iSecond < dwCountOfSecond;iSecond++)
                        {
                            PIMAGE_RESOURCE_DIRECTORY_ENTRY pResSecondEntry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(pResSecond + 1);

                            //判断这种资源是字符串还是ID
                            if (pResEntry->NameIsString)
                            {
                                //如果是字符串,NameOffset保存的就是这个字符串的RVA
                                //得到名字字符串的FOA
                                DWORD dwNameFOA = (DWORD)(RVAtoFOA(pResEntry->NameOffset) + g_pFileImageBase);
                                //NameOffset所指向的结构体是IMAGE_RESOURCE_DIR_STRING_U类型
                                //这里保存了字符串的长度和起始位置
                                PIMAGE_RESOURCE_DIR_STRING_U pName = (PIMAGE_RESOURCE_DIR_STRING_U)dwNameFOA;
                                //这里的字符串不是以0结尾的,所以需要拷贝出来加上‘\0’结尾后再打印
                                WCHAR *pResName = new WCHAR[pName->Length + 1]{};
                                memcpy(pResName, pName, (pName->Length) * sizeof(WCHAR));
                                wprintf(L"pResName %s\n", pResName);
                                delete[] pResName;
                            }
                            else   //id
                            {
                                printf("pResEntry->Id %04X\n", pResEntry->Id);
                            }
                            //判断有没有下一层
                            //第三层  同样套路从第一个结构体开始找 到了OffsetToDirectory就是第三层了
                            //这里要注意的是到了第三层这个IMAGE_RESOURCE_DIRECTORY_ENTRY结构体的第一个联合体就没用了
                            //同时第二个联合体的DataIsDirectory为0没有下一层了
                            //通过OffsetToData字段找到资源结构体的偏移(指向_IMAGE_RESOURCE_DATA_ENTRY结构体)
                            if (pResSecondEntry->DataIsDirectory)
                            {
                                //第三层的起始位置
                                DWORD dwResThrid =
                                    (DWORD)pRes + pResSecondEntry->OffsetToDirectory;
                                PIMAGE_RESOURCE_DIRECTORY pResThrid = (PIMAGE_RESOURCE_DIRECTORY)dwResThrid;

                                PIMAGE_RESOURCE_DIRECTORY_ENTRY pResThridEntry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(pResThrid + 1);
                                //第三层,已经是最后一层,使用PIMAGE_RESOURCE_DIRECTORY_ENTRY中的
                                //OffsetToData成员,得到PIMAGE_RESOURCE_DATA_ENTRY结构的位置
                                /*typedef struct _IMAGE_RESOURCE_DATA_ENTRY {
                                DWORD   OffsetToData;   //资源偏移
                                DWORD   Size;
                                DWORD   CodePage;
                                DWORD   Reserved;
                                } IMAGE_RESOURCE_DATA_ENTRY, *PIMAGE_RESOURCE_DATA_ENTRY;
                                */
                                PIMAGE_RESOURCE_DATA_ENTRY pResData =
                                    (PIMAGE_RESOURCE_DATA_ENTRY)(pResThridEntry->OffsetToData + (DWORD)pRes);
                                //资源的RVA和Size
                                DWORD dwResDataRVA = pResData->OffsetToData;
                                DWORD dwResDataSize = pResData->Size;
                                //PIMAGE_RESOURCE_DATA_ENTRY中的OffsetToData是个RVA
                                DWORD dwResDataFOA = (DWORD)(RVAtoFOA(dwResDataRVA) + g_pFileImageBase);
                                //资源的二进制数据
                                //遍历打印资源的二进制数据  这里就只能是二进制了
                                PBYTE pData = (PBYTE)dwResDataFOA;
                                for (int iData = 0; iData < dwResDataSize; iData++)
                                {
                                    if (iData % 16 == 0 && iData != 0)
                                    {
                                        printf("\n");
                                    }
                                    printf("%02X ", pData[iData]);
                                }
                                printf("\n");
                            }
                            //下一个资源
                            pResSecondEntry++;
                        }
                    }
                }
                //下一种资源
                pResEntry++;
            }
        cout << "----------------------------------------------------重定位表------------------------------------------------------------ " << endl;
        //因为代码用的是绝对地址因此要有定位表
        //当重定位发生时,只需要现在pe文件的加载基址,用现在的加载基址减去默认加载基址得到一个数,再用这个数加上需要重定位的数据即可,所以重定位
        //表中保存的只是需要重定位信息
        typedef struct _OFFSET_TYPE
        {
            WORD offset : 12; //本页的偏移量
            WORD type : 4;    //重定位类型(3)
        }OFFSET_TYPE, *POFFSET_TYPE;
        //重定位表RVA
        DWORD dwRelocRVA = g_pNt->OptionalHeader.DataDirectory[5].VirtualAddress;
        //是否为空
        if (!dwRelocRVA)
        {
            printf("没有重定位表\n");
            return;
        }
        //重定位表在文件中的地址
        PIMAGE_BASE_RELOCATION pReloc = (PIMAGE_BASE_RELOCATION)(RVAtoFOA(dwRelocRVA) + g_pFileImageBase);

        //循环重定位表
        //如果SizeOfBlock为0,说明没有需要重定位的数据了
        while (pReloc->SizeOfBlock)
        {
            //当前重定位页RVA
            printf("%08X\n\n", pReloc->VirtualAddress);
            //这一页一共有多少个重定位块(即多少个需要重定位的数据)
            DWORD dwCount = (pReloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
            //指向重定位块地址
            POFFSET_TYPE pOffset = (POFFSET_TYPE)(pReloc + 1);
            //遍历每一个重定位块
            for (int i = 0; i < dwCount;i++)
            {
                //在这一页中的位置地址RVA
                DWORD dwRelocDataRVA = pReloc->VirtualAddress + pOffset->offset;
                //转成FOA
                DWORD dwRelocDataFOA = (DWORD)(RVAtoFOA(dwRelocDataRVA) + g_pFileImageBase);
                //实际需要重定位的数据地址是个VA
                DWORD dwRealDataVA = *(DWORD*)dwRelocDataFOA;
                //转成RVA(这就是内存中的转换完成的相对地址了)
                DWORD dwRealDataRVA = dwRealDataVA - g_pNt->OptionalHeader.ImageBase;
                //再转FOA(RVA在文件中的地址)
                DWORD dwRealDataFOA = (DWORD)(RVAtoFOA(dwRealDataRVA) + g_pFileImageBase);
                //需要重定位的具体数据(字节数不确定)
                DWORD dwData = *(DWORD*)dwRealDataFOA;

                printf("需要重定位的第%d个数据 RVA:%08X  VA:%08X  DATA:%08X\n",
                    i + 1, dwRelocDataRVA, dwRealDataVA, dwData);
                //下一个重定位数据位置
                pOffset++;
            }

            //下一页
            pReloc =
                (PIMAGE_BASE_RELOCATION)(pReloc->SizeOfBlock + (DWORD)pReloc);
        }

        return ;
    }

}
//void _openFile();
DWORD RVAtoFOA(DWORD dwRVA)
{
    //此RVA落在哪个区段中
    //找到所在区段后,
    //减去所在区段的起始位置,加上在文件中的起始位置
    //大文件头中找区段数
    int nCountOfSection = g_pNt->FileHeader.NumberOfSections;
    //区段表头
    PIMAGE_SECTION_HEADER pSec = IMAGE_FIRST_SECTION(g_pNt);
    //在扩展头中找到块对齐数
    DWORD dwSecAligment = g_pNt->OptionalHeader.SectionAlignment;
    //循环
    for (int i = 0; i < nCountOfSection; i++)
    {
        //求在内存中的真实大小
        //Misc.VirtualSize % dwSecAligment如果是0代表刚好对齐否则就先对齐(非0就是真)
        //Misc.VirtualSize / dwSecAligment * dwSecAligment   + dwSecAligment     //最后加上余数的对齐
        DWORD dwRealVirSize = pSec->Misc.VirtualSize % dwSecAligment ?
            pSec->Misc.VirtualSize / dwSecAligment * dwSecAligment + dwSecAligment
            : pSec->Misc.VirtualSize;
        //区段中的相对虚拟地址转文件偏移  思路是 用要转换的地址与各个区
        //段起始地址做比较如果落在一个区段中(大于起始地址小于起始地址加区段最大偏移和),
        //就用要转换的相对虚拟地址减去区段的起始地址的相对虚拟地址,
        //得到了这个地址相对这个区段偏移,再用得到的这个偏移加上区段在文件中的偏移的起始位置
        //(pointerToRawData字段)就是他在文件中的文件偏移
        if (dwRVA >= pSec->VirtualAddress &&
            dwRVA < pSec->VirtualAddress + dwRealVirSize)
        {
            //FOA = RVA - 内存中区段的起始位置 + 在文件中区段的起始位置
            return dwRVA - pSec->VirtualAddress + pSec->PointerToRawData;
        }
        //下一个区段地址
        pSec++;
    }
}
int main() {

    myPE();
    cin.get();
}

原文地址:http://blog.51cto.com/haidragon/2104874

时间: 2024-11-07 07:44:46

解析PE资源表与重定位表的相关文章

也谈PE重定位表

最近研究脱壳,遇到了dll,所以不可避免的需要修复重定位表.以前研究过也脱过不少壳,但都是exe从来没有手工修过重定位表,于是搜索之,恩有这么一篇:<PE重定位表学习手记>,有刚巧手上有看雪段钢等编著的<加密与解密>,一并阅读. <PE重定位表学习手记>中说到: 每个块的首部是如下定义: typedef struct _IMAGE_BASE_RELOCATION { DWORD VirtualAddress; DWORD SizeOfBlock; } IMAGE_BAS

PE知识复习之PE的重定位表

PE知识复习之PE的重定位表 一丶何为重定位 重定位的意思就是修正偏移的意思.  如一个地址位 0x401234 ,Imagebase = 0x400000 . 那么RVA就是 1234.  如果Imagebase 变了成了0x300000, 那么修正之后就是 ImageBase + RVA = 0X300000+1234 = 0x301234. 首先我们知道.一个EXE文件.会调用很多DLL(PE) 有多个PE文件组成. exe文件启动的基址 (ImageBase) 是0x40000. 假设我

了解动态链接(六)—— 重定位表

柳条青青,南风熏熏,幻化奇峰瑶岛,一天的黄云白云,那边麦浪中间,有农妇笑语殷殷.问后园豌豆肥否,问杨梅可有鸟来偷:好几天不下雨了,玫瑰花还未曾红透:梅夫人今天进城去,且看她有新闻无有.—— 徐志摩·夏日田间即景 无论是可执行文件还是 so,只要它依赖于其他 so(.dynsym 动态符号表中有导入符号存在),那么在编译链接阶段,这些符号的地址未知,所以只能在动态链接阶段对其进行地址重定位. 注意:以 PIC 编译的 so,虽然称“地址无关代码”,但也需要重定位.因为对于 PIC 的 so 来说,

ELF 动态链接 - so 的 重定位表

动态链接下,无论时可执行文件还是共享对象,一旦对其他共享对象有依赖,也就是所有导入的符号时,那么代码或数据中就会有对于导入符号的引用.而在编译时期这些导入符号的确切地址时未知的.只有在运行期才能确定真正确切的地址 静态编译下,这些未知的地址会被编译器一一修正. 对于动态链接来说,共享文件有两种编译方式(gcc -shared 和 gcc -fPIC -shared) 如果不使用PIC模式编译,那么装载时肯定是要重定位的,而且时每个进程都有一个副本(相对比较占用内存) 如果使用PIC模式编译,将会

[PE结构分析] 10.基址重定位

源代码如下: typedef struct _IMAGE_BASE_RELOCATION { DWORD VirtualAddress; DWORD SizeOfBlock; // WORD TypeOffset[1]; } IMAGE_BASE_RELOCATION; typedef IMAGE_BASE_RELOCATION UNALIGNED * PIMAGE_BASE_RELOCATION; 重定位表是一个数组,这个数组的大小记载在 _IMAGE_OPTIONAL_HEADER 的 .D

重定位表 IMAGE_BASE_RELOCATION

typedef struct _IMAGE_BASE_RELOCATION { DWORD VirtualAddress; DWORD SizeOfBlock; // WORD TypeOffset[1]; } IMAGE_BASE_RELOCATION; typedef IMAGE_BASE_RELOCATION UNALIGNED * PIMAGE_BASE_RELOCATION; VirtualAddress:页起始地址RVA. SizeOfBlock:表示该分组保存了几项重定位项. Ty

PE文件结构详解(六)重定位

前面两篇 PE文件结构详解(四)PE导入表 和 PE文件结构详解(五)延迟导入表 介绍了PE文件中比较常用的两种导入方式,不知道大家有没有注意到,在调用导入函数时系统生成的代码是像下面这样的: 在这里,IE的iexplorer.exe导入了Kernel32.dll的GetCommandLineA函数,可以看到这是个间接call,00401004这个地址的内存里保存了目的地址, 根据图中显示的符号信息可知,00401004这个地址是存在于iexplorer.exe模块中的,实际上也就是一项IAT的

解析PE文件

最近在自学解析PE文件,根据小辣椒(CFF Explorer)以及各论坛上大佬的帖子,做了个黑屏打印PE文件的,历时7天完成,在此想跟有相关需要的同学们分享下思路,有不足之处也希望大家不吝赐教,指点出来.谢谢. PE文件主要有DOS头,NT头(包含PE头,可选PE头,可选PE头中又包含着一个数据目录,里面包含了其他表单的RVA和大小),节表 表单主要有导出表,导入表,重定位表,资源表.除了资源表外,其他表单的各项数据都用代码实现了打印. 首先通过CreateFile打开文件,获得文件句柄,随后调

PE文件结构(五)基址重定位

PE文件结构(五) 参考 书:<加密与解密> 视频:小甲鱼 解密系列 视频 基址重定位 链接器生成一个PE文件时,它会假设程序被装入时使用的默认ImageBase基地址(VC默认exe基地址00400000h,dll基地址10000000h),并且会把代码中所有指令中用到的地址都使用默认的基地址(例如 程序代码中 push 10001000,就是把10000000h当做了基地址,把push 10001000写入到文件中).如果一个exe程序中一个dll装载时的地址与其它dll地址发生冲突(因为