滴水逆向-打印数据目录

核心代码部分

//简单打印可选PE头的数据目录

VOID FileBufferPrintDataDirectory(IN LPVOID pFileBuffer)
{
    PIMAGE_DOS_HEADER pDosHeader = NULL;
    PIMAGE_NT_HEADERS pNTHeader = NULL;
    PIMAGE_FILE_HEADER pPEHeader = NULL;
    PIMAGE_OPTIONAL_HEADER32 pOptionHeader = NULL;
    PIMAGE_SECTION_HEADER pSectionHeader = NULL;
    PIMAGE_DATA_DIRECTORY pDataDirectory = NULL;

    if (pFileBuffer == NULL)
    {
        printf("FileBuffer 获取失败!\r\n");
        return;
    }

    //判断是否是有效的MZ标志
    if (*((PWORD)pFileBuffer) != IMAGE_DOS_SIGNATURE)
    {
        printf("无效的MZ标识\r\n");
        return;
    }
    pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer;

    //判断是否是有效的PE标志
    if (*((PDWORD)((DWORD)pFileBuffer+pDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
    {
        printf("无效的PE标记\r\n");
        return;
    }
    //定位NT头
    pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pFileBuffer+pDosHeader->e_lfanew);
    pPEHeader = (PIMAGE_FILE_HEADER)(((DWORD)pNTHeader)+4);
    pOptionHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)pPEHeader+IMAGE_SIZEOF_FILE_HEADER);
    //	pDataDirectory = PIMAGE_DATA_DIRECTORY((&pOptionHeader->NumberOfRvaAndSizes + 1));
    pDataDirectory = pOptionHeader->DataDirectory;
    printf("\t\t RVA\t\t 大小\r\n");

    //打印相关信息测试
    //#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES    16

    //下面是一种粗糙的遍历写法;
    /*
    for (int i = 0; i < IMAGE_NUMBEROF_DIRECTORY_ENTRIES; i++,pDataDirectory++)
    {
        printf("%#08X \r\n",pDataDirectory->VirtualAddress);
        printf("%#08X \r\n",pDataDirectory->Size);
    }
    */

    for (DWORD i = 0; i< IMAGE_NUMBEROF_DIRECTORY_ENTRIES; i++)
    {
       DirectoryString(i);
       printf("%08X\t%08X\r\n",pDataDirectory[i].VirtualAddress,pDataDirectory[i].Size);
    }
    
    return;
}

VOID DirectoryString(DWORD dwIndex)
{
    switch(dwIndex)
    {
    case 0:
        printf("输出表:\t\t");
        break;
    case 1:
        printf("输入表:\t\t");
        break;
    case 2:
        printf("资源:\t\t");
        break;
    case 3:
        printf("异常:\t\t");
        break;
    case 4:
        printf("安全:\t\t");
        break;
    case 5:
        printf("重定位:\t\t");
        break;
    case 6:
        printf("调试:\t\t");
        break;
    case 7:
        printf("版权:\t\t");
        break;
    case 8:
        printf("全局指针:\t");
        break;
    case 9:
        printf("TLS表:\t\t");
        break;
    case 10:
        printf("载入配置:\t");
        break;
    case 11:
        printf("输入范围:\t");
        break;
    case 12:
        printf("IAT:\t\t");
        break;
    case 13:
        printf("延时输入\t");
        break;
    case 14:
        printf("COM:\t\t");
        break;
    case 15:
        printf("保留:\t\t");
        break;
    }
}

上述代码定义好头文件,然后在main入口调用即可,下面是执行后的效果;

posted @ 2021-09-16 16:10  皇帽讲绿帽带法技巧  阅读(126)  评论(0编辑  收藏  举报