获取pe文件的文件类型

工程文件petype.cpp通过调用pefile.h中声明的XPEFILE类的成员函数获取文件类型。

 

文件类型的判断通过5个监测点完成。

监测点1:dos头的e_magic

监测点2:nt头的Signature

监测点3:文件头的Characteristics

监测点4:可选头的Magic

监测点5:可选头的Subsystem

 

通过监测点1和2判断是否是pe文件;

通过监测点3判断文件是否是动态库文件

通过监测点4判断文件是pe32还是pe32+还是rom映像

通过监测点5判断文件是否是0环可执行文件[驱动文件],还是3环可执行文件[exe文件]

 

具体代码参见下面:

pefile.h

#ifndef PE_FILE_H
#define PE_FILE_H
#include "windows.h"

// Header-probe macros.  Each one reads directly out of File_memory (the buffer
// the XPEFILE constructor loaded) and follows e_lfanew at offset 0x3c to the
// NT headers.  None of them consults File_size: on a truncated or malformed
// file (buffer shorter than a DOS header, or e_lfanew pointing past the end of
// the buffer) the read goes out of bounds.  The caller has to verify that the
// DOS header, the NT signature and the optional header's Magic all fit inside
// the buffer before evaluating these.
#define ISMZHEADER            (*(WORD*)File_memory == 0x5a4d)   // "MZ"
// Compares only the first two bytes of the 4-byte NT signature ("PE").
#define ISPEHEADER            (*(WORD*)((BYTE*)File_memory + *(DWORD*)((BYTE*)File_memory + 0x3c)) == 0x4550)
// Magic is the first WORD of the optional header: NT signature (4 bytes) + file header.
#define ISPE32MAGIC            (*(WORD*)((BYTE*)File_memory + *(DWORD*)((BYTE*)File_memory + 0x3c) + sizeof(MX_IMAGE_FILE_HEADER) + 4) == 0x10b)   // PE32
#define ISPE64MAGIC            (*(WORD*)((BYTE*)File_memory + *(DWORD*)((BYTE*)File_memory + 0x3c) + sizeof(MX_IMAGE_FILE_HEADER) + 4) == 0x20b)   // PE32+
#define ISPEROMMAGIC        (*(WORD*)((BYTE*)File_memory + *(DWORD*)((BYTE*)File_memory + 0x3c) + sizeof(MX_IMAGE_FILE_HEADER) + 4) == 0x107)   // ROM image


#define X_PE_32                32
#define X_PE_64                64

// Result bits of XPEFILE::GetType().  READ_ERRO (0) is the whole result when
// the file could not be read into memory.  Otherwise the result is either
// NOT_PE_FILE, or PE_FILE combined with at most one width bit
// (PE32_FILE / PE64_FILE / ROM_IMAGE) and at most one kind bit
// (EXE_FILE / DLL_FILE / SYS_FILE).  The spelling READ_ERRO is part of the
// public interface and is kept as is.
#define    READ_ERRO            0x0
#define    NOT_PE_FILE            0x200
#define    PE_FILE                0x100
#define    PE64_FILE            0x40
#define    PE32_FILE            0x20
#define    ROM_IMAGE            0x10
#define    EXE_FILE            0x8
#define    DLL_FILE            0x4
#define    SYS_FILE            0x2
#define    OTHER_FILE            0x1


// Indices into OptionalHeader.DataDirectory.  Not used by the code in this
// listing; X_RESOURSE and X_BAND_IMPORT keep their original spelling because
// they are public names.
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES    16
#define X_EXPORT            0
#define X_IMPORT            1
#define X_RESOURSE            2
#define X_EXCEPTION            3
#define X_CERTIFICATE        4
#define X_BASE_RELOCATION    5
#define X_DEBUG                6
#define X_ARCHITECTURE        7
#define X_GLOBAL_PTR        8
#define X_TLS                9
#define X_LOAD_CONFIG        10
#define X_BAND_IMPORT        11
#define X_IAT                12
#define X_DELAY_IMPORT        13
#define X_COM_HEADER        14
#define X_RESERVED            15
// Local copy of the DOS stub header that starts every PE file.  GetType()
// reads e_magic (check point 1) and follows e_lfanew to the NT headers; both
// values come straight from the file, so e_lfanew must be range-checked
// against the buffer size before it is used as an offset.
typedef struct X_IMAGE_DOS_HEADER {      // DOS .EXE header
    WORD   e_magic;                     // Magic number
    WORD   e_cblp;                      // Bytes on last page of file
    WORD   e_cp;                        // Pages in file
    WORD   e_crlc;                      // Relocations
    WORD   e_cparhdr;                   // Size of header in paragraphs
    WORD   e_minalloc;                  // Minimum extra paragraphs needed
    WORD   e_maxalloc;                  // Maximum extra paragraphs needed
    WORD   e_ss;                        // Initial (relative) SS value
    WORD   e_sp;                        // Initial SP value
    WORD   e_csum;                      // Checksum
    WORD   e_ip;                        // Initial IP value
    WORD   e_cs;                        // Initial (relative) CS value
    WORD   e_lfarlc;                    // File address of relocation table
    WORD   e_ovno;                      // Overlay number
    WORD   e_res[4];                    // Reserved words
    WORD   e_oemid;                     // OEM identifier (for e_oeminfo)
    WORD   e_oeminfo;                   // OEM information; e_oemid specific
    WORD   e_res2[10];                  // Reserved words
    LONG   e_lfanew;                    // File address of new exe header (signed; may be negative in a malformed file)
  } MX_IMAGE_DOS_HEADER;
 66 
// Local copy of the COFF file header that follows the NT signature.
// GetType() reads Characteristics (check point 3); the ISPE*MAGIC macros rely
// on sizeof(MX_IMAGE_FILE_HEADER) to locate the optional header.
typedef struct X_IMAGE_FILE_HEADER {
    WORD    Machine;
    WORD    NumberOfSections;
    DWORD   TimeDateStamp;
    DWORD   PointerToSymbolTable;
    DWORD   NumberOfSymbols;
    WORD    SizeOfOptionalHeader;
    WORD    Characteristics;            // bit 0x2000 set => DLL (check point 3)
} MX_IMAGE_FILE_HEADER;
 76 
// One data-directory entry (RVA + size); the optional headers hold
// IMAGE_NUMBEROF_DIRECTORY_ENTRIES of these.
typedef struct X_IMAGE_DATA_DIRECTORY {
    DWORD   VirtualAddress;
    DWORD   Size;
} MX_IMAGE_DATA_DIRECTORY;
 81 
// Local copy of the PE32 optional header.  GetType() reads Magic (check
// point 4, expected 0x10b here) and Subsystem (check point 5).
typedef struct X_IMAGE_OPTIONAL_HEADER32 {
    WORD    Magic;                          // 0x10b for PE32
    BYTE    MajorLinkerVersion;
    BYTE    MinorLinkerVersion;
    DWORD   SizeOfCode;
    DWORD   SizeOfInitializedData;
    DWORD   SizeOfUninitializedData;
    DWORD   AddressOfEntryPoint;
    DWORD   BaseOfCode;
    DWORD   BaseOfData;
    DWORD   ImageBase;
    DWORD   SectionAlignment;
    DWORD   FileAlignment;
    WORD    MajorOperatingSystemVersion;
    WORD    MinorOperatingSystemVersion;
    WORD    MajorImageVersion;
    WORD    MinorImageVersion;
    WORD    MajorSubsystemVersion;
    WORD    MinorSubsystemVersion;
    DWORD   Win32VersionValue;
    DWORD   SizeOfImage;
    DWORD   SizeOfHeaders;
    DWORD   CheckSum;
    WORD    Subsystem;                      // 1 native, 2 GUI, 3 CUI (check point 5)
    WORD    DllCharacteristics;
    DWORD   SizeOfStackReserve;
    DWORD   SizeOfStackCommit;
    DWORD   SizeOfHeapReserve;
    DWORD   SizeOfHeapCommit;
    DWORD   LoaderFlags;
    DWORD   NumberOfRvaAndSizes;
    MX_IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} MX_IMAGE_OPTIONAL_HEADER32;
115 
116 
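// Local copy of the PE32+ optional header.  GetType() reads Magic (check
// point 4, expected 0x20b here) and Subsystem (check point 5).
// DataDirectory uses the file's own MX_IMAGE_DATA_DIRECTORY, like the PE32
// header above, instead of the windows.h IMAGE_DATA_DIRECTORY; both are two
// DWORDs, so the layout is unchanged.
typedef struct X_IMAGE_OPTIONAL_HEADER64 {
    WORD        Magic;                      // 0x20b for PE32+
    BYTE        MajorLinkerVersion;
    BYTE        MinorLinkerVersion;
    DWORD       SizeOfCode;
    DWORD       SizeOfInitializedData;
    DWORD       SizeOfUninitializedData;
    DWORD       AddressOfEntryPoint;
    DWORD       BaseOfCode;
    ULONGLONG   ImageBase;
    DWORD       SectionAlignment;
    DWORD       FileAlignment;
    WORD        MajorOperatingSystemVersion;
    WORD        MinorOperatingSystemVersion;
    WORD        MajorImageVersion;
    WORD        MinorImageVersion;
    WORD        MajorSubsystemVersion;
    WORD        MinorSubsystemVersion;
    DWORD       Win32VersionValue;
    DWORD       SizeOfImage;
    DWORD       SizeOfHeaders;
    DWORD       CheckSum;
    WORD        Subsystem;                  // 1 native, 2 GUI, 3 CUI (check point 5)
    WORD        DllCharacteristics;
    ULONGLONG   SizeOfStackReserve;
    ULONGLONG   SizeOfStackCommit;
    ULONGLONG   SizeOfHeapReserve;
    ULONGLONG   SizeOfHeapCommit;
    DWORD       LoaderFlags;
    DWORD       NumberOfRvaAndSizes;
    MX_IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} MX_IMAGE_OPTIONAL_HEADER64;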
149 
// NT headers of a PE32 file: "PE\0\0" signature, file header, optional header.
// GetType() casts File_memory + e_lfanew to this type once Magic == 0x10b.
typedef struct X_IMAGE_NT_HEADERS32 {
    DWORD Signature;                        // 0x00004550 ("PE\0\0"), check point 2
    MX_IMAGE_FILE_HEADER FileHeader;
    MX_IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} MX_IMAGE_NT_HEADERS32;
155 
// NT headers of a PE32+ file: "PE\0\0" signature, file header, optional header.
// GetType() casts File_memory + e_lfanew to this type once Magic == 0x20b.
typedef struct X_IMAGE_NT_HEADERS64 {
    DWORD Signature;                        // 0x00004550 ("PE\0\0"), check point 2
    MX_IMAGE_FILE_HEADER FileHeader;
    MX_IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} MX_IMAGE_NT_HEADERS64;
161 
/**
 * Loads a whole file into memory and classifies it from its PE headers.
 *
 * The constructor reads the file named by lpFileName into File_memory
 * (CreateFile / ReadFile / LocalAlloc); the destructor releases that buffer.
 * GetType() returns the READ_ERRO / NOT_PE_FILE / PE_FILE flag word defined
 * above; GetSize() returns the byte count recorded by the constructor.
 *
 * NOTE(review): lpFileName is a non-const char*, so a string literal cannot be
 * passed cleanly under C++11 and later; File_size is an int although the
 * Win32 file size is a DWORD, so files whose size does not fit in an int are
 * not representable.
 */
class XPEFILE
{
public:
    XPEFILE(char* lpFileName);
    virtual ~XPEFILE();
    int GetType();
    int GetSize();
private:
    void* File_memory;   // whole-file buffer from LocalAlloc; NULL when the read failed
    int File_size;       // number of bytes in File_memory
    int File_type;       // last result computed by GetType()
};
174 
175 #endif

pefile.cpp

#include "stdafx.h"
#include "windows.h"
#include "pefile.h"
#include <climits>
#include <cstddef>
#include <cstring>
#include <iostream>
  5 
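/**
 * Read the whole file named by strFileName into a LocalAlloc'd buffer.
 *
 * On success File_memory points at the buffer and File_size holds its length;
 * on any failure (open, size query, allocation, short read) File_memory stays
 * NULL, File_size is 0 and File_type is READ_ERRO, so GetType() reports a read
 * error instead of reading an uninitialised or partially filled buffer.
 *
 * The file is opened for reading only: the parser never writes, and asking
 * for GENERIC_WRITE would fail on read-only files and grant more access than
 * the tool needs.
 */
XPEFILE::XPEFILE(char* strFileName)
{
    File_memory = NULL;
    File_size = 0;
    File_type = READ_ERRO;

    HANDLE hfile = CreateFile(strFileName, GENERIC_READ, FILE_SHARE_READ, 0,
                              OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, 0);
    if (hfile == INVALID_HANDLE_VALUE)
    {
        return;
    }

    // GetFileSize reports INVALID_FILE_SIZE on failure.  File_size is an int,
    // so a length that does not fit is rejected rather than silently truncated
    // (the high DWORD is not requested, so files over 4 GB are also rejected).
    DWORD size = GetFileSize(hfile, NULL);
    if (size != INVALID_FILE_SIZE && size <= (DWORD)INT_MAX)
    {
        void* lpmemory = LocalAlloc(LPTR, size);
        DWORD bytesread = 0;
        // A short read leaves the tail of the buffer zeroed; treat it as a
        // failure so header checks never run on a partial image.
        if (lpmemory != NULL
            && ReadFile(hfile, lpmemory, size, &bytesread, 0)
            && bytesread == size)
        {
            File_memory = lpmemory;
            File_size = (int)size;
        }
        else
        {
            LocalFree(lpmemory);   // LocalFree(NULL) is a no-op
        }
    }
    CloseHandle(hfile);
}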
 27 
 28 
 29 
 30 
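/**
 * Release the buffer the constructor obtained from LocalAlloc.
 *
 * The buffer is freed when it is present (the original test was inverted and
 * freed only a NULL pointer, leaking every successfully loaded file).
 */
XPEFILE::~XPEFILE()
{
    if (File_memory != NULL)
    {
        LocalFree(File_memory);
        File_memory = NULL;
    }
}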
 38 
/** Return the byte count the constructor recorded for the loaded file. */
int XPEFILE::GetSize()
{
    const int bytes = File_size;
    return bytes;
}
 43 
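// True when the byte range [offset, offset + need) lies inside a buffer of
// fileSize bytes.  Written so the comparison cannot overflow for any offset.
static bool HeaderFits(int fileSize, size_t offset, size_t need)
{
    if (fileSize <= 0)
    {
        return false;
    }
    size_t size = (size_t)fileSize;
    return offset <= size && need <= size - offset;
}

// Unaligned little-endian field reads; memcpy avoids the misaligned-access
// and aliasing problems of casting an arbitrary file offset to a WORD*/DWORD*.
static WORD ReadWord(const BYTE* base, size_t offset)
{
    WORD value;
    memcpy(&value, base + offset, sizeof value);
    return value;
}

static DWORD ReadDword(const BYTE* base, size_t offset)
{
    DWORD value;
    memcpy(&value, base + offset, sizeof value);
    return value;
}

// Map Characteristics (check point 3) and Subsystem (check point 5) to one
// of DLL_FILE / EXE_FILE / SYS_FILE, or 0 when the subsystem is none of the
// three this tool recognises.  Subsystem is an enumeration, not a bit mask,
// so it is compared for equality: the previous bit tests classified
// IMAGE_SUBSYSTEM_NATIVE (1) as EXE and never produced SYS_FILE.
static int ClassifyImage(WORD characteristics, WORD subsystem)
{
    if (characteristics & 0x2000)       // IMAGE_FILE_DLL
    {
        return DLL_FILE;
    }
    switch (subsystem)
    {
    case 2:                             // IMAGE_SUBSYSTEM_WINDOWS_GUI
    case 3:                             // IMAGE_SUBSYSTEM_WINDOWS_CUI
        return EXE_FILE;
    case 1:                             // IMAGE_SUBSYSTEM_NATIVE (ring-0 drivers)
        return SYS_FILE;
    default:
        return 0;
    }
}

/**
 * Classify the loaded file by walking its headers (check points 1-5).
 *
 * Returns READ_ERRO when nothing was loaded, NOT_PE_FILE when the DOS header
 * or NT signature is missing, otherwise PE_FILE combined with PE32_FILE /
 * PE64_FILE / ROM_IMAGE from the optional header's Magic and, for PE32 and
 * PE32+, with DLL_FILE / EXE_FILE / SYS_FILE.  The result is also stored in
 * File_type.
 *
 * Every offset taken from the file (e_lfanew in particular) is checked
 * against File_size before it is dereferenced, so a truncated or crafted
 * header yields NOT_PE_FILE or a bare PE_FILE instead of an out-of-bounds
 * read.
 */
int XPEFILE::GetType()
{
    File_type = READ_ERRO;
    if (File_memory == NULL)
    {
        return File_type;
    }
    File_type = NOT_PE_FILE;

    const BYTE* base = (const BYTE*)File_memory;

    // Check point 1: a complete DOS header starting with "MZ".
    if (!HeaderFits(File_size, 0, sizeof(MX_IMAGE_DOS_HEADER)))
    {
        return File_type;
    }
    const MX_IMAGE_DOS_HEADER* dosheader = (const MX_IMAGE_DOS_HEADER*)base;
    if (dosheader->e_magic != 0x5a4d || dosheader->e_lfanew < 0)
    {
        return File_type;
    }
    size_t ntoffset = (size_t)dosheader->e_lfanew;

    // Check point 2: the full 4-byte "PE\0\0" signature, the file header and
    // the optional header's Magic (its first WORD) must all fit in the buffer.
    size_t optoffset = offsetof(MX_IMAGE_NT_HEADERS32, OptionalHeader);
    if (!HeaderFits(File_size, ntoffset, optoffset + sizeof(WORD)))
    {
        return File_type;
    }
    if (ReadDword(base, ntoffset) != 0x00004550)
    {
        return File_type;
    }
    File_type = PE_FILE;

    // Check point 4: optional-header Magic selects the layout.
    WORD magic = ReadWord(base, ntoffset + optoffset);
    size_t charoffset = ntoffset + offsetof(MX_IMAGE_NT_HEADERS32, FileHeader)
                      + offsetof(MX_IMAGE_FILE_HEADER, Characteristics);

    if (magic == 0x10b)
    {
        File_type |= PE32_FILE;
        size_t subsysoffset = optoffset + offsetof(MX_IMAGE_OPTIONAL_HEADER32, Subsystem);
        // Check points 3 and 5 only when Subsystem itself is inside the buffer.
        if (HeaderFits(File_size, ntoffset, subsysoffset + sizeof(WORD)))
        {
            File_type |= ClassifyImage(ReadWord(base, charoffset),
                                       ReadWord(base, ntoffset + subsysoffset));
        }
    }
    else if (magic == 0x20b)
    {
        File_type |= PE64_FILE;
        size_t subsysoffset = offsetof(MX_IMAGE_NT_HEADERS64, OptionalHeader)
                            + offsetof(MX_IMAGE_OPTIONAL_HEADER64, Subsystem);
        if (HeaderFits(File_size, ntoffset, subsysoffset + sizeof(WORD)))
        {
            File_type |= ClassifyImage(ReadWord(base, charoffset),
                                       ReadWord(base, ntoffset + subsysoffset));
        }
    }
    else if (magic == 0x107)
    {
        File_type |= ROM_IMAGE;
    }
    return File_type;
}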

petype.cpp

 1 #include "stdafx.h"
 2 #include "pefile.h"
 3 #include <iostream>
 4  
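/**
 * Classify one PE file and print its GetType() flag word.
 *
 * argv[1] names the file when given; otherwise the original sample path is
 * used.  The flags are printed in hex so the PE_FILE / PE32_FILE / EXE_FILE
 * bits from pefile.h can be read off directly (the original computed the
 * value and discarded it).
 */
int main(int argc, char* argv[])
{
    // A writable array rather than a literal: XPEFILE takes a non-const char*.
    char defaultpath[] = "c:\\1.exe";
    char* file = (argc > 1) ? argv[1] : defaultpath;

    XPEFILE pefile1(file);
    int filetype = pefile1.GetType();

    std::cout << file << ": type flags 0x" << std::hex << filetype << std::dec << std::endl;

    // Keep the console window open until Enter is pressed; this replaces
    // system("pause"), which spawned a shell just to wait for a key.
    std::cin.get();
    return 0;
}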

 
