开通博客赚积分
发布资源赚积分
分类

源码开发语言/平台
当前位置:首页 > 源码/资料 > Windows编程 > 文件操作 > 查看源码
PeHelp.h
资源名称:PeEdit.rar [点击查看]
上传用户:polioc
上传日期:2022-08-03
资源大小:1956k
文件大小:21k
源码类别:

文件操作

开发平台:

Visual C++

PeHelp.h:源码内容
  1. #include <windows.h>
  2. //全局函数用于保存各块的RVA和OFFSET和输入输出表信息
  3. DWORD DATARVA[20];//默认为20个块表
  4. DWORD DATAOFFSET[20];
  5. IMAGE_DATA_DIRECTORY Global_IDD[16];//数据目录表信息
  6. IMAGE_IMPORT_DESCRIPTOR iid[20]={0};//默认为调用20个DLL
  7. DWORD NUMDATA;//块数目
  8. BOOL CheckPeFile(FILE *ImageBase)//检查是否是PE文件
  9. {
  10. ::fseek(ImageBase,0,0);//每个函数使用前先文件定位
  11.    if(NULL == ImageBase)
  12.    {
  13.    return 0;
  14.    }
  15.    IMAGE_DOS_HEADER DOS_HEADER;
  17.    const DWORD PESYMBOL=0x00004550;
  18.    const WORD DOSSYMBOL=0x5A4D;
  20.    ::fread(&DOS_HEADER,sizeof(IMAGE_DOS_HEADER),1,ImageBase);
  22.    if(DOS_HEADER.e_magic == DOSSYMBOL)
  23.    {
  24.    ::fseek(ImageBase,DOS_HEADER.e_lfanew,0);//文件定位
  25.        DWORD pesymbol;
  26.    ::fread(&pesymbol,sizeof(DWORD),1,ImageBase);
  27.       if(pesymbol == PESYMBOL)
  28.   return 1;
  29.   else 
  30.   return 0;
  31.    }
  32.    else
  33.     return 0;
  34. }
  35. //一些输出转换函数
  36. //WORD 转换为2个16进制数
  37. unsigned char WORDTOLI16(const unsigned char *old)//WORD的低8位
  38. {
  39.      unsigned char LI16;
  40.  LI16=old[0];
  41.  return LI16;
  42. }
  43. unsigned char WORDTOHI16(const unsigned char *old)//WORD的高8位
  44. {
  45.       unsigned char HI16;
  46.   HI16=old[1];
  47.       return HI16;
  48. }
  49. //DWORD 转换为4个16进制数
  50. unsigned char DWORDTO_0_16(const unsigned char *old)
  51. {
  52.      unsigned char LI16;
  53.  LI16=old[0];
  54.  return LI16;
  55. }
  56. unsigned char DWORDTO_1_16(const unsigned char *old)
  57. {
  58.      unsigned char LI16;
  59.  LI16=old[1];
  60.  return LI16;
  61. }
  62. unsigned char DWORDTO_2_16(const unsigned char *old)
  63. {
  64.      unsigned char LI16;
  65.  LI16=old[2];
  66.  return LI16;
  67. }
  68. unsigned char DWORDTO_3_16(const unsigned char *old)
  69. {
  70.      unsigned char LI16;
  71.  LI16=old[3];
  72.  return LI16;
  73. }
  75. void ShowPEDosHeader(FILE *ImageBase)//显示PE文件DOS头
  76. {
  77. ::fseek(ImageBase,0,0);
  79.     IMAGE_DOS_HEADER DOS_HEADER;
  80. ::fread(&DOS_HEADER,sizeof(IMAGE_DOS_HEADER),1,ImageBase);
  81. ::printf("------PE文件DOS头部数据-------n");
  82. ::printf("e_magic    :%02x%02x   ",WORDTOLI16((const unsigned char *)&DOS_HEADER.e_magic),WORDTOHI16((const unsigned char *)&DOS_HEADER.e_magic));
  83. ::printf("e_cblp     :%02x%02x   ",WORDTOLI16((const unsigned char *)&DOS_HEADER.e_cblp),WORDTOHI16((const unsigned char *)&DOS_HEADER.e_cblp));
  84. ::printf("e_cp       :%02x%02x   n",WORDTOLI16((const unsigned char *)&DOS_HEADER.e_cp),WORDTOHI16((const unsigned char *)&DOS_HEADER.e_cp));
  85. ::printf("e_crlc     :%02x%02x   ",WORDTOLI16((const unsigned char *)&DOS_HEADER.e_crlc),WORDTOHI16((const unsigned char *)&DOS_HEADER.e_crlc));
  86.     ::printf("e_cparhdr  :%02x%02x   ",WORDTOLI16((const unsigned char *)&DOS_HEADER.e_cparhdr),WORDTOHI16((const unsigned char *)&DOS_HEADER.e_cparhdr));
  87. ::printf("e_minalloc :%02x%02x   n",WORDTOLI16((const unsigned char *)&DOS_HEADER.e_minalloc),WORDTOHI16((const unsigned char *)&DOS_HEADER.e_minalloc));
  88. ::printf("e_maxalloc :%02x%02x   ",WORDTOLI16((const unsigned char *)&DOS_HEADER.e_maxalloc),WORDTOHI16((const unsigned char *)&DOS_HEADER.e_maxalloc));
  89. ::printf("e_ss       :%02x%02x   ",WORDTOLI16((const unsigned char *)&DOS_HEADER.e_ss),WORDTOHI16((const unsigned char *)&DOS_HEADER.e_ss));
  90. ::printf("e_sp       :%02x%02x   n",WORDTOLI16((const unsigned char *)&DOS_HEADER.e_sp),WORDTOHI16((const unsigned char *)&DOS_HEADER.e_sp));
  91. ::printf("e_csum     :%02x%02x   ",WORDTOLI16((const unsigned char *)&DOS_HEADER.e_csum),WORDTOHI16((const unsigned char *)&DOS_HEADER.e_csum));
  92. ::printf("e_ip       :%02x%02x   ",WORDTOLI16((const unsigned char *)&DOS_HEADER.e_ip),WORDTOHI16((const unsigned char *)&DOS_HEADER.e_ip));
  93. ::printf("e_cs       :%02x%02x   n",WORDTOLI16((const unsigned char *)&DOS_HEADER.e_cs),WORDTOHI16((const unsigned char *)&DOS_HEADER.e_cs));
  94. ::printf("e_lfarlc   :%02x%02x   ",WORDTOLI16((const unsigned char *)&DOS_HEADER.e_lfarlc),WORDTOHI16((const unsigned char *)&DOS_HEADER.e_lfarlc));
  95. ::printf("e_ovno     :%02x%02x   ",WORDTOLI16((const unsigned char *)&DOS_HEADER.e_ovno),WORDTOHI16((const unsigned char *)&DOS_HEADER.e_ovno));
  96. ::printf("e_res      :%02x%02x   n",WORDTOLI16((const unsigned char *)&DOS_HEADER.e_res),WORDTOHI16((const unsigned char *)&DOS_HEADER.e_res));
  97. ::printf("e_oemid    :%02x%02x   ",WORDTOLI16((const unsigned char *)&DOS_HEADER.e_oemid),WORDTOHI16((const unsigned char *)&DOS_HEADER.e_oemid));
  98. ::printf("e_oeminfo  :%02x%02x   ",WORDTOLI16((const unsigned char *)&DOS_HEADER.e_oeminfo),WORDTOHI16((const unsigned char *)&DOS_HEADER.e_oeminfo));
  99. ::printf("e_res2     :%02x%02x   n",WORDTOLI16((const unsigned char *)&DOS_HEADER.e_res2),WORDTOHI16((const unsigned char *)&DOS_HEADER.e_res2));
  100. ::printf("e_lfanew   :%02x%02x%02x%02x   n",DWORDTO_0_16((const unsigned char *)&DOS_HEADER.e_lfanew),DWORDTO_1_16((const unsigned char *)&DOS_HEADER.e_lfanew),DWORDTO_1_16((const unsigned char *)&DOS_HEADER.e_lfanew),DWORDTO_2_16((const unsigned char *)&DOS_HEADER.e_lfanew),DWORDTO_3_16((const unsigned char *)&DOS_HEADER.e_lfanew));
  101.     ::printf("n");
  102. }
  104. void ShowPENTHeader(FILE *ImageBase)
  105. {
  106.     ::fseek(ImageBase,0,0);
  108. IMAGE_DOS_HEADER DOS_HEADER;
  109.     IMAGE_NT_HEADERS NT_HEADER;
  110.     ::fread(&DOS_HEADER,sizeof(IMAGE_DOS_HEADER),1,ImageBase);
  111. ::fseek(ImageBase,DOS_HEADER.e_lfanew,0);
  112. ::fread(&NT_HEADER,sizeof(IMAGE_NT_HEADERS),1,ImageBase);
  113. ::printf("------PE文件NT头部数据-------n");
  114.     const unsigned char *DWord=NULL;
  115. DWord=(const unsigned char *)&NT_HEADER.Signature;
  116.     ::printf("Singature:%02x%02x%02x%02x  n",DWord[0],DWord[1],DWord[2],DWord[3]);
  117. ::printf("n");
  119. ::printf("------PE文件NT头部IMAGE_FILE_HEADER数据-------n");
  120. IMAGE_FILE_HEADER FILE_HEADER;
  121. ::memcpy(&FILE_HEADER,&NT_HEADER.FileHeader,sizeof(IMAGE_FILE_HEADER));
  122. DWord=(const unsigned char *)&FILE_HEADER.Machine;
  123. ::printf("Machine:%02x%02x  ",DWord[0],DWord[1]);
  124. DWord=(const unsigned char *)&FILE_HEADER.NumberOfSections;
  125. ::printf("NumberOfSections:%02X%02Xn",DWord[0],DWord[1]);
  126. ::printf("n");
  128. ::printf("------PE文件NT头部IMAGE_OPTIONAL_HEADER数据-------n");
  129. IMAGE_OPTIONAL_HEADER OPTIONAL_HEADER;
  130.     ::memcpy(&OPTIONAL_HEADER,&NT_HEADER.OptionalHeader,sizeof(IMAGE_OPTIONAL_HEADER));
  131.     DWord=(const unsigned char *)&OPTIONAL_HEADER.AddressOfEntryPoint;
  132. ::printf("AddressOfEntryPoint:%02x%02x%02x%02x  ",DWord[0],DWord[1],DWord[2],DWord[3]);
  133.     DWord=(const unsigned char *)&OPTIONAL_HEADER.BaseOfCode;
  134.     ::printf("BaseOfCode:%02x%02x%02x%02x  n",DWord[0],DWord[1],DWord[2],DWord[3]);
  135.     DWord=(const unsigned char *)&OPTIONAL_HEADER.BaseOfData;
  136.     ::printf("BaseOfData:%02x%02x%02x%02x  ",DWord[0],DWord[1],DWord[2],DWord[3]);
  137. DWord=(const unsigned char *)&OPTIONAL_HEADER.NumberOfRvaAndSizes;
  138.     ::printf("NumberOfRvaAndSizes:%02x%02x%02x%02x  n",DWord[0],DWord[1],DWord[2],DWord[3]);
  139. ::printf("n");
  141.     ::printf("------PE文件NT头部数据目录表数据-------n");
  142. for(int i=0;i<16;i++)
  143. {
  144. if(0 != NT_HEADER.OptionalHeader.DataDirectory[i].Size)
  145. {
  146. DWord=(const unsigned char *)&NT_HEADER.OptionalHeader.DataDirectory[i].VirtualAddress;
  147. ::printf("序号:%2d  VirtualAddress:%02x%02x%02x%02xn",i,DWord[0],DWord[1],DWord[2],DWord[3]);
  148. ::memcpy(&Global_IDD[i],&NT_HEADER.OptionalHeader.DataDirectory[i],sizeof(IMAGE_DATA_DIRECTORY));
  149. }
  150. }
  151. }
  152. void ShowSectionHeader(FILE *ImageBase)
  153. {
  154.     ::fseek(ImageBase,0,0);
  155. const unsigned char *DWord=NULL;
  156.     IMAGE_DOS_HEADER DOS_HEADER;
  157.     IMAGE_NT_HEADERS NT_HEADER;
  158. IMAGE_SECTION_HEADER SECTION_HEADER[20];//默认为20个块表
  159.     ::fread(&DOS_HEADER,sizeof(IMAGE_DOS_HEADER),1,ImageBase);
  160.     ::fseek(ImageBase,DOS_HEADER.e_lfanew,0);
  161. ::fread(&NT_HEADER,sizeof(IMAGE_NT_HEADERS),1,ImageBase);
  162.     ::fseek(ImageBase,DOS_HEADER.e_lfanew+sizeof(IMAGE_NT_HEADERS),0);
  163. if(NT_HEADER.FileHeader.NumberOfSections !=0 )
  164. {
  165. ::printf("------PE文件的块表信息-------n");
  166.   for(int i=0;i<NT_HEADER.FileHeader.NumberOfSections;i++)
  167.   {
  168. ::fread(&SECTION_HEADER[i],sizeof(IMAGE_SECTION_HEADER),1,ImageBase);
  169.         ::printf("Name:%s   ",SECTION_HEADER[i].Name);
  170.         DWord=(const unsigned char *)&SECTION_HEADER[i].VirtualAddress;
  171. ::printf("VirtualAddress:%02x%02x%02x%02x   ",DWord[0],DWord[1],DWord[2],DWord[3]);
  172. DWord=(const unsigned char *)&SECTION_HEADER[i].PointerToRawData;
  173.         ::printf("PointerToRawData:%02x%02x%02x%02xn",DWord[0],DWord[1],DWord[2],DWord[3]);
  175. DATARVA[i]=SECTION_HEADER[i].VirtualAddress;
  176. DATAOFFSET[i]=SECTION_HEADER[i].PointerToRawData;
  177.   }
  178.   NUMDATA=i;
  179. }
  180. }
  181. //找到相应的块
  182. DWORD RVATOOFFSET(DWORD addr,DWORD numdata)
  183. {
  184.    for(DWORD i=0;i<numdata;i++)
  185.    {
  186.    if(DATARVA[i+1] != 0)
  187.    {
  188.    if(addr>=DATARVA[i] && addr<DATARVA[i+1])
  189.    {
  190.    return addr-DATARVA[i]+DATAOFFSET[i]; 
  191.    }
  192.    }
  193.    else
  194.    {
  195.    if(addr>=DATARVA[i])
  196.    {
  197.                return addr-DATARVA[i]+DATAOFFSET[i]; 
  198.    }
  199.    }
  200.    }   
  201. }
  202. void ShowIID(FILE *fp)
  203. {
  204. ::fseek(fp,0,0);
  205. if(Global_IDD[1].Size != 0)
  206. {
  207. ::printf("------该PE文件输入表如下:--------n");
  208. DWORD addr=RVATOOFFSET(Global_IDD[1].VirtualAddress,NUMDATA);
  209. const unsigned char *DWord=NULL;
  210.         fseek(fp,addr,0);
  212. DWORD isIID;
  213.     ::fread(&isIID,sizeof(DWORD),1,fp);
  214. int i=0;
  215. while(isIID != 0)
  217. ::fseek(fp,addr+i*sizeof(IMAGE_IMPORT_DESCRIPTOR),0);
  218. ::fread(&iid[i],sizeof(IMAGE_IMPORT_DESCRIPTOR),1,fp);
  219. i++;
  220.             ::fread(&isIID,sizeof(DWORD),1,fp);
  221. }
  222. for(int p=0;p<i;p++)
  223. {
  224.                DWord=(const unsigned char *)&iid[p].OriginalFirstThunk;
  225.    ::printf("OriginalFirstThunk:%02x%02x%02x%02x   ",DWord[0],DWord[1],DWord[2],DWord[3]);
  226.                DWord=(const unsigned char *)&iid[p].FirstThunk;
  227.    ::printf("FirstThunk:%02x%02x%02x%02x  ",DWord[0],DWord[1],DWord[2],DWord[3]);
  228.    DWORD nameaddr;
  229.    nameaddr=RVATOOFFSET(iid[p].Name,NUMDATA);
  230.    ::fseek(fp,nameaddr,0);
  231.    ::printf("DLLName:");
  232.    char ch=::fgetc(fp);
  233.    while(ch != 0)
  234.    {
  235.    putchar(ch);
  236.    ch=fgetc(fp);
  237.    }
  238.    ::printf("n");
  239. }
  240. ::printf("------该PE文件输入函数有:--------n");
  241.         DWORD funaddr1;
  242. DWORD funaddr2;
  243. int numdll=0;
  244. while(iid[numdll].OriginalFirstThunk != 0)
  245. {
  246.         funaddr1=RVATOOFFSET(iid[numdll].OriginalFirstThunk,NUMDATA);
  247. ::fseek(fp,funaddr1,0);
  248. ::fread(&funaddr2,sizeof(DWORD),1,fp);
  249. int numfun=0;
  250. while(funaddr2 != 0)
  251. {
  252. funaddr2=RVATOOFFSET(funaddr2,NUMDATA);
  253. ::fseek(fp,funaddr2,0);
  254. int i=0;
  255. char ch=::fgetc(fp);
  256. while(ch != 0 || i<2)
  257. {
  258. if(i>=2)//头两个字节是序号不输出
  260. if(ch<=0)
  261. {
  262.    ::printf("按序号导出的函数");
  263.    break;
  264. }
  265.   putchar(ch);  
  266. }          
  267. i++;
  268. ch=fgetc(fp);
  269. }
  270. ::printf("n");
  271. numfun++;
  273. ::fseek(fp,funaddr1+numfun*sizeof(DWORD),0);
  274. ::fread(&funaddr2,sizeof(DWORD),1,fp);
  275.             }
  276. numdll++;
  277. }
  278. }
  279. else
  280. printf("-------该PE文件无输入表.--------n");
  281. }
  282. void ShowIED(FILE *fp)
  283. {
  284. ::fseek(fp,0,0);
  285.     if(Global_IDD[0].Size != 0)
  286. {
  287. ::printf("------该PE文件输出表如下:--------n");
  288.         DWORD addr=RVATOOFFSET(Global_IDD[0].VirtualAddress,NUMDATA);
  289. const unsigned char *DWord=NULL;
  290. IMAGE_EXPORT_DIRECTORY EXPORT_DIRECTORY;
  291. fseek(fp,addr,0);
  292. ::fread(&EXPORT_DIRECTORY,sizeof(IMAGE_EXPORT_DIRECTORY),1,fp);
  293.         
  294. DWord=(const unsigned char *)&EXPORT_DIRECTORY.NumberOfFunctions;
  295. ::printf("NumOfFunction:%02x%02x%02x%02x  ",DWord[0],DWord[1],DWord[2],DWord[3]);
  296. DWord=(const unsigned char *)&EXPORT_DIRECTORY.NumberOfNames;
  297.         ::printf("NumberOfNames:%02x%02x%02x%02x  n",DWord[0],DWord[1],DWord[2],DWord[3]);
  298. DWord=(const unsigned char *)&EXPORT_DIRECTORY.AddressOfFunctions;
  299.         ::printf("AddressOfFunctions:%02x%02x%02x%02x  ",DWord[0],DWord[1],DWord[2],DWord[3]);
  300. DWord=(const unsigned char *)&EXPORT_DIRECTORY.AddressOfNames;
  301.         ::printf("AddressOfNames:%02x%02x%02x%02x  n",DWord[0],DWord[1],DWord[2],DWord[3]);
  302. DWord=(const unsigned char *)&EXPORT_DIRECTORY.AddressOfNameOrdinals;
  303. ::printf("AddressOfNameOrdinals:%02x%02x%02x%02x  ",DWord[0],DWord[1],DWord[2],DWord[3]);
  304.         
  305. ::printf("导出表名字:");
  307. DWORD dllname;
  308. dllname=RVATOOFFSET(EXPORT_DIRECTORY.Name,NUMDATA);
  309. ::fseek(fp,dllname,0);
  311.         char ch=::fgetc(fp);
  312. while(ch != 0)
  313. {
  314. putchar(ch);
  315. ch=fgetc(fp);
  316. }
  317. ::printf("n--------导出函数如下---------n");
  318.        
  319.         addr=RVATOOFFSET(EXPORT_DIRECTORY.AddressOfNames,NUMDATA);
  320.         ::fseek(fp,addr,0);
  321. DWORD addr2;
  322. ::fread(&addr2,sizeof(DWORD),1,fp);
  323. DWORD  addr1=RVATOOFFSET(EXPORT_DIRECTORY.AddressOfNameOrdinals,NUMDATA);
  324. ::fseek(fp,addr1,0);
  325.         WORD Ordinal;
  326. ::fread(&Ordinal,sizeof(WORD),1,fp);
  327. DWORD funAddr=RVATOOFFSET(EXPORT_DIRECTORY.AddressOfFunctions,NUMDATA);
  328. const DWORD FunOfAddr=funAddr;
  329. funAddr=funAddr+Ordinal*sizeof(DWORD);
  330. ::fseek(fp,funAddr,0);
  331.         ::printf("虚拟地址    导出函数名称n");
  332. DWORD funAddr1;
  333. for(DWORD i=0;i<EXPORT_DIRECTORY.NumberOfNames;i++)
  334. {          
  335. ::fread(&funAddr1,sizeof(DWORD),1,fp);
  336.             DWord=(const unsigned char*)&funAddr1;
  337. ::printf("%02x%02x%02x%02x    ",DWord[0],DWord[1],DWord[2],DWord[3]);
  339. addr2=RVATOOFFSET(addr2,NUMDATA);
  340. ::fseek(fp,addr2,0);
  341. char ch=::fgetc(fp);
  342.             while(ch != 0)
  343. {
  344.     putchar(ch);
  345.     ch=fgetc(fp);
  346. }
  347. ::printf("n");
  348.             ::fseek(fp,addr+sizeof(DWORD),0);
  349. addr=addr+sizeof(DWORD);
  350.             ::fread(&addr2,sizeof(DWORD),1,fp);
  351.               
  352. addr1=addr1+sizeof(WORD);
  353. ::fseek(fp,addr1,0);
  354.             ::fread(&Ordinal,sizeof(WORD),1,fp);
  355. funAddr=FunOfAddr+Ordinal*sizeof(DWORD);
  356.     ::fseek(fp,funAddr,0);
  357. }
  358. }
  359. else
  360.         ::printf("------该PE文件无输出表:--------n");
  361. }
  362. void ShowReloCation(FILE *fp)
  363. {
  364. ::fseek(fp,0,0);
  365. if(Global_IDD[5].Size != 0)
  366. {
  367. ::printf("------该PE文件基址重定位表------n");
  368.         IMAGE_BASE_RELOCATION BASE_RELOCATION;
  369. DWORD addr=RVATOOFFSET(Global_IDD[5].VirtualAddress,NUMDATA);
  370. unsigned char *DWord=NULL;
  371. int numTypeOffset=0;
  372. ::fseek(fp,addr,0);
  373. ::fread(&BASE_RELOCATION,sizeof(IMAGE_BASE_RELOCATION),1,fp);
  374. while(BASE_RELOCATION.VirtualAddress != 0)
  375. {
  376. DWord=(unsigned char*)&BASE_RELOCATION.VirtualAddress;
  377. ::printf("重定位基地址:%02x%02x%02x%02x   ",DWord[0],DWord[1],DWord[2],DWord[3]);
  378. numTypeOffset=(BASE_RELOCATION.SizeOfBlock-0x8)/0x2;
  379. ::printf("重定位项数量:%dn",numTypeOffset);
  380. WORD offset;
  381. for(int i=0,p=0;i<numTypeOffset;i++,p++)
  382. {
  383. if(p%10==0) printf("n");
  385. ::fread(&offset,sizeof(WORD),1,fp);
  386. offset=offset & 0x0fff;
  387. offset=offset + BASE_RELOCATION.VirtualAddress;
  388. DWord=(unsigned char*)&offset;
  389. ::printf("%02x%02x  ",DWord[1],DWord[0]);
  390. }
  391. printf("n");
  392. ::fread(&BASE_RELOCATION,sizeof(IMAGE_BASE_RELOCATION),1,fp);
  393. }
  394. }
  395. else
  396. {
  397. ::printf("------该PE文件无基址重定位表------n");
  398. }    
  399. }
  400. void FindResource_Directory(FILE *fp,DWORD addr,int cengci,const DWORD ResourceBase)
  401. {
  402. DWORD tempaddr=ResourceBase+addr;
  403. ::fseek(fp,tempaddr,0);
  404.     IMAGE_RESOURCE_DIRECTORY RESOURCE_DIRECTORY;
  405. IMAGE_RESOURCE_DIRECTORY_ENTRY DIRECTORY_ENTRY[1000];//默认一个较大的资源表
  406.     ::fread(&RESOURCE_DIRECTORY,sizeof(IMAGE_RESOURCE_DIRECTORY),1,fp);
  407.     int NumOfDIRENTRY=RESOURCE_DIRECTORY.NumberOfIdEntries+RESOURCE_DIRECTORY.NumberOfNamedEntries;
  408. for(int i=0;i<NumOfDIRENTRY;i++)
  409. {
  410. ::fread(&DIRECTORY_ENTRY[i],sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY),1,fp);
  411. }
  412. unsigned char *DWord=NULL;
  413. for(int p=0;p<NumOfDIRENTRY;p++)
  414. {
  415. DWord=(unsigned char *)&DIRECTORY_ENTRY[p].Name;
  416. switch(cengci)
  417. {
  418. case 0:
  419. {
  420. DWORD name=DIRECTORY_ENTRY[p].Name;
  421. name=name & 0x80000000;
  422. if(name == 0x00000000)
  423. {
  424.    ::printf("资源类型:%02x%02x%02x%02x  n",DWord[3],DWord[2],DWord[1],DWord[0]);
  425. }
  426. else
  427. {
  428.                    IMAGE_RESOURCE_DIR_STRING_U resourcename;
  429.    name=DIRECTORY_ENTRY[p].Name & 0x0000ffff;
  430.    ::fseek(fp,ResourceBase+name,0);
  431.    ::fread(&resourcename,sizeof(IMAGE_RESOURCE_DIR_STRING_U),1,fp);
  432.    ::printf("资源名称:");   
  433.    char resname[100];
  434.    ::fseek(fp,ResourceBase+name+2,0);
  435.    ::fread(resname,resourcename.Length*2,1,fp);
  436.    for(WORD i=0;i<resourcename.Length*2;i=i+2)
  437.    {
  438.    ::printf("%c",resname[i]);
  439.    }
  440. }
  441.                 DWORD offset=DIRECTORY_ENTRY[p].OffsetToData;
  442. offset=offset & 0x80000000;
  443. if(offset == 0x80000000)
  444. {
  445.    offset=DIRECTORY_ENTRY[p].OffsetToData & 0x0000ffff;
  446.                    FindResource_Directory(fp,offset,cengci+1,ResourceBase);
  447. }
  448. else
  449. {
  450.    offset=DIRECTORY_ENTRY[p].OffsetToData & 0x0000ffff;
  451.                    IMAGE_RESOURCE_DATA_ENTRY DATA_ENTRY;
  452.    ::fseek(fp,offset+ResourceBase,0);
  453.    ::fread(&DATA_ENTRY,sizeof(IMAGE_RESOURCE_DATA_ENTRY),1,fp);
  454.    DWord=(unsigned char *)&DATA_ENTRY.OffsetToData;
  455.    ::printf("资源数据的RVA:%02X%02X%02X%02X   ",DWord[3],DWord[2],DWord[1],DWord[0]);
  456.                    ::printf("资源长度%ld  ",DATA_ENTRY.Size);
  457.    DWord=(unsigned char *)&DATA_ENTRY.CodePage;
  458.                    ::printf("资源数据的代码页:%02X%02X%02X%02X n ",DWord[3],DWord[2],DWord[1],DWord[0]);
  459. }
  460. break;
  461. }
  462. case 1:
  463. {
  464. DWORD name=DIRECTORY_ENTRY[p].Name;
  465. name=name & 0x80000000;
  466. if(name == 0x00000000)
  467. {
  468. ::printf("资源ID:%u  n",DIRECTORY_ENTRY[p].Name);
  469.                 }
  470. else
  471. {
  472. IMAGE_RESOURCE_DIR_STRING_U resourcename;
  473. name=DIRECTORY_ENTRY[p].Name & 0x0000ffff;
  474. ::fseek(fp,ResourceBase+name,0);
  475. ::fread(&resourcename,sizeof(IMAGE_RESOURCE_DIR_STRING_U),1,fp);
  476. ::printf("资源名称:");
  477. char resname[200];
  478. ::fseek(fp,ResourceBase+name+2,0);
  479. ::fread(resname,resourcename.Length*2,1,fp);
  480. for(WORD i=0;i<resourcename.Length*2;i=i+2)
  481. {
  482. ::printf("%c",resname[i]);
  483. }
  484. }
  485.                 DWORD offset=DIRECTORY_ENTRY[p].OffsetToData;
  486. offset=offset & 0x80000000;
  487. if(offset == 0x80000000)
  488. {
  489. offset=DIRECTORY_ENTRY[p].OffsetToData & 0x0000ffff;
  490. FindResource_Directory(fp,offset,cengci+1,ResourceBase);
  491. }
  492. else
  493. {
  494. offset=DIRECTORY_ENTRY[p].OffsetToData & 0x0000ffff;
  495. IMAGE_RESOURCE_DATA_ENTRY DATA_ENTRY;
  496. ::fseek(fp,offset+ResourceBase,0);
  497. ::fread(&DATA_ENTRY,sizeof(IMAGE_RESOURCE_DATA_ENTRY),1,fp);
  498. DWord=(unsigned char *)&DATA_ENTRY.OffsetToData;
  499. ::printf("资源数据的RVA:%02X%02X%02X%02X   ",DWord[3],DWord[2],DWord[1],DWord[0]);
  500. ::printf("资源长度%ld  ",DATA_ENTRY.Size);
  501. DWord=(unsigned char *)&DATA_ENTRY.CodePage;
  502. ::printf("资源数据的代码页:%02X%02X%02X%02X n ",DWord[3],DWord[2],DWord[1],DWord[0]);
  503. }
  504. break;
  505. }
  506. case 2:
  507. {
  508. DWORD name=DIRECTORY_ENTRY[p].Name;
  509. name=name & 0x80000000;
  510. if(name == 0x0000)
  511. {
  512. ::printf("资源代码页编号:%02x%02x%02x%02x  n",DWord[3],DWord[2],DWord[1],DWord[0]);
  513.                 }
  514. else
  515. {
  516. IMAGE_RESOURCE_DIR_STRING_U resourcename;
  517. name=DIRECTORY_ENTRY[p].Name & 0x0000ffff;
  518. ::fseek(fp,ResourceBase+name,0);
  519. ::fread(&resourcename,sizeof(IMAGE_RESOURCE_DIR_STRING_U),1,fp);
  520. ::printf("资源名称:");
  521. char resname[100];
  522. ::fseek(fp,ResourceBase+name+2,0);
  523. ::fread(resname,resourcename.Length*2,1,fp);
  524. for(WORD i=0;i<resourcename.Length*2;i=i+2)
  525. {
  526. ::printf("%c",resname[i]);
  527. }
  528. }
  529.                 DWORD offset=DIRECTORY_ENTRY[p].OffsetToData;
  530. offset=offset & 0x80000000;
  531. if(offset == 0x80000000)
  532. {
  533. offset=DIRECTORY_ENTRY[p].OffsetToData & 0x0000ffff;
  534. FindResource_Directory(fp,offset,cengci+1,ResourceBase);
  535. }
  536. else
  537. {
  538. offset=DIRECTORY_ENTRY[p].OffsetToData & 0x0000ffff;
  539. IMAGE_RESOURCE_DATA_ENTRY DATA_ENTRY;
  540. ::fseek(fp,offset+ResourceBase,0);
  541. ::fread(&DATA_ENTRY,sizeof(IMAGE_RESOURCE_DATA_ENTRY),1,fp);
  542. DWord=(unsigned char *)&DATA_ENTRY.OffsetToData;
  543. ::printf("资源数据的RVA:%02X%02X%02X%02X   ",DWord[3],DWord[2],DWord[1],DWord[0]);
  544. ::printf("资源长度%ld  ",DATA_ENTRY.Size);
  545. DWord=(unsigned char *)&DATA_ENTRY.CodePage;
  546. ::printf("资源数据的代码页:%02X%02X%02X%02X n ",DWord[3],DWord[2],DWord[1],DWord[0]);
  547. ::printf("n");
  548. }
  549. break;
  550. }
  551. default:
  552. {
  553. ::printf("超过了3层资源ID:%02x%02x%02x%02x  n",DWord[3],DWord[2],DWord[1],DWord[0]);
  554. }
  555. }
  556. }
  557. }
  558. void ShowResource(FILE *fp)
  559. {
  560. ::fseek(fp,0,0);
  561. unsigned char *DWord=NULL;
  562. if(Global_IDD[2].Size != 0)
  563. {
  564. ::printf("-----该PE文件资源表如下------n");
  565. const DWORD ResourceBase=RVATOOFFSET(Global_IDD[2].VirtualAddress,NUMDATA);
  566. FindResource_Directory(fp,0,0,ResourceBase);
  567. }
  568. else
  569. printf("--------该PE文件无资源-------n");
  570. }
  571. void ShowTls(FILE *fp)
  572. {
  573. ::fseek(fp,0,0);
  574.     unsigned char *DWord=NULL;
  575. if(Global_IDD[9].Size != 0)
  576. {
  577. ::printf("-----该PE的TLS表如下------n");
  578.         IMAGE_TLS_DIRECTORY TLS;
  579.         const DWORD TlsAddr=RVATOOFFSET(Global_IDD[9].VirtualAddress,NUMDATA);
  580. ::fseek(fp,TlsAddr,0);
  581. ::fread(&TLS,sizeof(IMAGE_TLS_DIRECTORY32),1,fp);
  582. DWord=(unsigned char *)&TLS.AddressOfCallBacks;
  583.         ::printf("TLS.AddressofCallBacks:%02x%02x%02x%02x   ",DWord[0],DWord[1],DWord[2],DWord[3]);
  584. }
  585. else
  586. printf("--------该PE文件无TLS-------n");
  587. }