杀毒

开发平台：
Visual C++

ParsePE.cpp：源码内容
							#include "StdAfx.h"
#include "MemFileObject.h"
#include ".ParsePE.h"
CParsePE::CParsePE(void)
{
}
CParsePE::~CParsePE(void)
{
}
bool CParsePE::BasicParse(IN CMemFileObject* pScanObj, OUT FSPE* pFSPE)
{
	if(!pScanObj->IsOpened())
		return false;
	DWORD dwObjSize = pScanObj->GetObjectSize();
	//Check size
	if( dwObjSize < sizeof(PIMAGE_DOS_HEADER) )	return FALSE;
	pFSPE->m_pImageDosHeader	= (PIMAGE_DOS_HEADER)pScanObj->GetBuffer();
	//check "MZ" signature
	if( IMAGE_DOS_SIGNATURE != pFSPE->m_pImageDosHeader->e_magic )
	{
		pFSPE->m_bMZFile = false;
		return false;
	}
	pFSPE->m_bMZFile = true;
	if(pFSPE->m_pImageDosHeader->e_lfanew+sizeof(IMAGE_NT_SIGNATURE)>dwObjSize)
	{
		pFSPE->m_bPEFile = false;
		return true;
	}
	pFSPE->m_pNtHeaders	= (PIMAGE_NT_HEADERS)(pFSPE->m_pImageDosHeader->e_lfanew + pScanObj->GetBuffer());
	//check "PE" signature
	if( IMAGE_NT_SIGNATURE != pFSPE->m_pNtHeaders->Signature)
	{
		pFSPE->m_bPEFile = false;
		return true;
	}
	pFSPE->m_bPEFile = true;
	pFSPE->m_pFileHeader		= &pFSPE->m_pNtHeaders->FileHeader;
	pFSPE->m_pOptionalHeader	= &pFSPE->m_pNtHeaders->OptionalHeader;
	//SECTIONS
	PIMAGE_SECTION_HEADER	pSectionHeader = (PIMAGE_SECTION_HEADER)(pFSPE->m_pOptionalHeader + 1);
	pFSPE->m_nSectionCount = pFSPE->m_pFileHeader->NumberOfSections;
	ASSERT( pFSPE->m_nSectionCount < MAX_SECTIONS );
	for(int i=0; i<pFSPE->m_nSectionCount; i++)
	{
		pFSPE->m_aSectionHeaders[i] = pSectionHeader;
		pSectionHeader++;
	}
	// Entry point
	pFSPE->m_pEntryPoint		= AddrM2F(pFSPE, (LPVOID)pFSPE->m_pOptionalHeader->AddressOfEntryPoint) + pScanObj->GetBuffer();
	if( pFSPE->m_pEntryPoint > (dwObjSize + pScanObj->GetBuffer()) )
		return false;
	//IMPORT TABLE
	PIMAGE_IMPORT_DESCRIPTOR	pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)(AddrM2F(pFSPE, (LPVOID)pFSPE->m_pOptionalHeader->DataDirectory[1].VirtualAddress) + pScanObj->GetBuffer());
	if( (LPBYTE)pImportDescriptor > (dwObjSize + pScanObj->GetBuffer()) )
		return false;
	for(i=0; pImportDescriptor&&pImportDescriptor->Characteristics; i++,pImportDescriptor++)
	{
		ASSERT( i<MAX_IMPORTS );
		pFSPE->m_aImportDescriptors[i] = pImportDescriptor;
	}
	pFSPE->m_nImportCount = i;
	//EXPORT TABLE
	if(pFSPE->m_pOptionalHeader->DataDirectory[0].VirtualAddress)
		pFSPE->m_pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)(AddrM2F(pFSPE, (LPVOID)pFSPE->m_pOptionalHeader->DataDirectory[0].VirtualAddress) + pScanObj->GetBuffer());
	if( (LPBYTE)pFSPE->m_pExportDirectory > (dwObjSize + pScanObj->GetBuffer()) )
		return false;
	//RESOURCE
	if(pFSPE->m_pOptionalHeader->DataDirectory[2].VirtualAddress)
		pFSPE->m_pResourceDirectory = (PIMAGE_RESOURCE_DIRECTORY)(AddrM2F(pFSPE, (LPVOID)pFSPE->m_pOptionalHeader->DataDirectory[2].VirtualAddress) + pScanObj->GetBuffer());
	if( (LPBYTE)pFSPE->m_pResourceDirectory > (dwObjSize + pScanObj->GetBuffer()) )
		return false;
	return true;
}
DWORD CParsePE::AddrM2F(IN FSPE* pFSPE, IN LPVOID lpMemAddr)
{
	if( lpMemAddr < (LPVOID)pFSPE->m_aSectionHeaders[0]->VirtualAddress &&
		lpMemAddr >= NULL)
		return (DWORD)lpMemAddr;
	for(INT i=0; i<pFSPE->m_nSectionCount; i++)
	{
		if( lpMemAddr >= LPVOID(pFSPE->m_aSectionHeaders[i]->VirtualAddress) &&
			lpMemAddr <= LPVOID(pFSPE->m_aSectionHeaders[i]->VirtualAddress + pFSPE->m_aSectionHeaders[i]->Misc.VirtualSize) )
		{
			DWORD dwOffset = DWORD( (LPBYTE)lpMemAddr - (LPBYTE)pFSPE->m_aSectionHeaders[i]->VirtualAddress );
			if( dwOffset<pFSPE->m_aSectionHeaders[i]->SizeOfRawData )
				return pFSPE->m_aSectionHeaders[i]->PointerToRawData + dwOffset;
		}
	}
	return 0;
}

						