强制转换可能丢失值

// testpehead.cpp : 定义控制台应用程序的入口点。
//

#include "stdafx.h"

#include <stdio.h>
#include <windows.h>
#include <Commdlg.h>

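/*
 * Entry point: lets the user pick a PE file, maps it read-only and prints
 * selected fields of its DOS, NT, file and optional headers.
 *
 * Every header field comes from the chosen file and is therefore untrusted:
 * the magic values are verified and e_lfanew is bounds-checked against the
 * file size before any header pointer derived from it is dereferenced.
 *
 * The values labelled "RVA" are computed as offsets from the start of the
 * mapped file.
 *
 * Returns 0 on every path, as the original program did.
 */
int main(int argc, char* argv[])
{
	/*
	 * Path buffer filled in by the open-file dialog. It must be a wide-character
	 * array: the dialog writes up to nMaxFile WCHARs, so a char[MAX_PATH] cast
	 * to LPWSTR is only half the advertised size and can be overrun, and read
	 * back as a char string it stops at the first zero high byte.
	 */
	WCHAR szFilePath[MAX_PATH] = { 0 };
	OPENFILENAME ofn;

	HANDLE hFile = INVALID_HANDLE_VALUE;	/* file handle */
	HANDLE hMapping = NULL;			/* file-mapping handle */
	LPVOID ImageBase = NULL;		/* base address of the mapped view */
	LARGE_INTEGER fileSize;
	unsigned long ntOffset = 0;		/* validated copy of e_lfanew */
	unsigned long fixedNtPart = 0;		/* sizeof(Signature) + sizeof(FileHeader) */

	PIMAGE_DOS_HEADER  pDH = NULL;
	PIMAGE_NT_HEADERS  pNtH = NULL;
	PIMAGE_FILE_HEADER pFH = NULL;
	PIMAGE_OPTIONAL_HEADER pOH = NULL;

	(void)argc;
	(void)argv;
	fileSize.QuadPart = 0;

	/* Set up the open-file dialog. */
	memset(&ofn, 0, sizeof(ofn));
	ofn.lStructSize = sizeof(ofn);
	ofn.hwndOwner = NULL;
	ofn.hInstance = GetModuleHandle(NULL);
	ofn.lpstrFile = szFilePath;
	/* nMaxFile is a character count, not a byte count. */
	ofn.nMaxFile = sizeof(szFilePath) / sizeof(szFilePath[0]);
	ofn.lpstrInitialDir = L".";
	ofn.lpstrTitle = L"选择 PE文件打开 by For";
	ofn.Flags = OFN_PATHMUSTEXIST | OFN_FILEMUSTEXIST | OFN_HIDEREADONLY;
	ofn.lpstrFilter = L"*.exe\0*.exe\0";

	if (!GetOpenFileName(&ofn))
	{
		MessageBox(NULL, L"打开文件错误", NULL, MB_OK);
		return 0;
	}

	/* Step 1: open the file for reading. */
	hFile = CreateFile(ofn.lpstrFile, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
	/* CreateFile reports failure with INVALID_HANDLE_VALUE, never NULL. */
	if (hFile == INVALID_HANDLE_VALUE)
	{
		MessageBox(NULL, L"打开文件错误", NULL, MB_OK);
		return 0;
	}

	/* The file size bounds every offset read from the headers below. */
	if (!GetFileSizeEx(hFile, &fileSize))
	{
		goto cleanup;
	}

	/* Step 2: create a read-only file-mapping object. */
	hMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
	if (!hMapping)
	{
		goto cleanup;
	}

	/* Step 3: map the whole file into this process's address space. */
	ImageBase = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);
	if (!ImageBase)
	{
		goto cleanup;
	}

	/* The DOS header must fit in the file and carry the "MZ" magic. */
	if (fileSize.QuadPart < (LONGLONG)sizeof(IMAGE_DOS_HEADER))
	{
		printf("Not a PE file: too small for a DOS header\n");
		goto finish;
	}
	pDH = (PIMAGE_DOS_HEADER)ImageBase;
	if (pDH->e_magic != IMAGE_DOS_SIGNATURE)
	{
		printf("Not a PE file: bad DOS magic %04X\n", pDH->e_magic);
		goto finish;
	}

	/*
	 * e_lfanew is attacker-controlled: reject negative values and values that
	 * would place this build's IMAGE_NT_HEADERS outside the mapped file. The
	 * comparison is done in signed 64-bit arithmetic so it cannot wrap.
	 */
	if (pDH->e_lfanew < 0 ||
		(LONGLONG)pDH->e_lfanew > fileSize.QuadPart - (LONGLONG)sizeof(IMAGE_NT_HEADERS))
	{
		printf("Not a PE file: e_lfanew %08lX is outside the file\n",
			(unsigned long)pDH->e_lfanew);
		goto finish;
	}
	ntOffset = (unsigned long)pDH->e_lfanew;

	/* Byte-pointer arithmetic; casting the pointer to DWORD truncates it on 64-bit builds. */
	pNtH = (PIMAGE_NT_HEADERS)((BYTE *)ImageBase + ntOffset);
	if (pNtH->Signature != IMAGE_NT_SIGNATURE)
	{
		printf("Not a PE file: bad NT signature %08X\n", (unsigned int)pNtH->Signature);
		goto finish;
	}
	pFH = &pNtH->FileHeader;
	pOH = &pNtH->OptionalHeader;
	fixedNtPart = (unsigned long)(sizeof(pNtH->Signature) + sizeof(pNtH->FileHeader));

	/* Offsets of each header from the start of the file. */
	printf("Dos header RVA:%08lX\n", (unsigned long)((BYTE *)pDH - (BYTE *)ImageBase));
	printf("NT header RVA:%08lX\n", ntOffset);
	printf("File header RVA:%08lX\n", ntOffset + (unsigned long)sizeof(pNtH->Signature));
	printf("Optional header RVA:%08lX\n", ntOffset + fixedNtPart);
	/*
	 * The section table follows the optional header, whose real length is the
	 * file's SizeOfOptionalHeader, not this build's sizeof(IMAGE_OPTIONAL_HEADER).
	 */
	printf("Section header RVA:%08lX\n",
		ntOffset + fixedNtPart + (unsigned long)pFH->SizeOfOptionalHeader);

	printf("e_magic:            %04X   ASCII值为:%c%c\n",
		pDH->e_magic, pDH->e_magic % 256, pDH->e_magic / 256);
	printf("e_lfarlc:           %08X\n", pDH->e_lfarlc);

	/* Show the two low bytes of the signature ("PE") as characters. */
	printf("\n\nSignature:      %08X      ASCII值:%c%c00\n",
		(unsigned int)pNtH->Signature,
		(int)(pNtH->Signature & 0xFF), (int)((pNtH->Signature >> 8) & 0xFF));

	printf("Machine:            %04X\n", pFH->Machine);
	printf("NumberOfSections:   %04X\n", pFH->NumberOfSections);
	printf("Characteristics:    %04X\n", pFH->Characteristics);

	printf("Magic:              %04X\n", pOH->Magic);
	if (pOH->Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC)
	{
		/*
		 * PE32 and PE32+ lay out the optional header differently; reading the
		 * file through the wrong struct would print misplaced fields.
		 */
		printf("Optional header layout does not match this build; remaining fields skipped\n");
		goto finish;
	}
	printf("SizeOfCode:         %08X\n", (unsigned int)pOH->SizeOfCode);
	printf("AddressOfEntryPoint:%08X\n", (unsigned int)pOH->AddressOfEntryPoint);
	/* ImageBase is 64 bits wide in PE32+; print it through a 64-bit conversion. */
	printf("ImageBase:          %08llX\n", (unsigned long long)pOH->ImageBase);
	printf("SectionAlignment:   %08X\n", (unsigned int)pOH->SectionAlignment);
	printf("FileAlignment:      %08X\n", (unsigned int)pOH->FileAlignment);
	printf("SizeOfImage:        %08X\n", (unsigned int)pOH->SizeOfImage);

finish:
	/* Keep the console window open so the output can be read. */
	system("pause");

cleanup:
	/* Release the view, the mapping and the file on every exit path. */
	if (ImageBase)
	{
		UnmapViewOfFile(ImageBase);
	}
	if (hMapping)
	{
		CloseHandle(hMapping);
	}
	if (hFile != INVALID_HANDLE_VALUE)
	{
		CloseHandle(hFile);
	}
	return 0;
}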
ofn.lpstrFile = (LPWSTR)szFilePath;
此时按 char 字符串查看,szFilePath 的值只显示为 "C":对话框写入的是 UTF-16 宽字符,首字符 'C' 的高位字节为 0,被当作字符串结束符,后面的路径内容因此“丢失”。


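注:这种获取方式是错误的。应把缓冲区直接声明为宽字符数组(WCHAR szFilePath[MAX_PATH]),而不是把 char 数组强制转换为 LPWSTR;否则 nMaxFile = MAX_PATH 表示的是 MAX_PATH 个宽字符,对话框写入时还可能越过只有 MAX_PATH 字节的缓冲区。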

  
