【转载】PE_Info 之DIY

from:http://blog.csdn.net/iiprogram/article/details/4792390

自己写的PE 信息查看工具(C代码),不甚完美,希望可以帮助初学PE 的读者从编程的角度认识PE文件,Good Luck!
       下面是源代码:

/*///////////////////////////////////////////////////////////////////////////////
This program will output the values of important members in the PE file
Good Luck!
///////////////////////////////////////////////////////////////////////////////*/
/*///////////////////////////////////////////////////////////////////////////////
USAGE: peinfo.exe  DestinationFileName
///////////////////////////////////////////////////////////////////////////////*/

#include<windows.h>
#include<stdio.h>
#include<shlwapi.h>

/*////////////////////////////////////////////////////////////////////////////
This function is used for outputting the error information 
Please use GetLastError() to retrieve the dwErrorCode,Gook Luck!*/
void OutputErrorInfo(DWORD dwErrorCode)
{
TCHAR FormattedErrorInfo[MAX_PATH];
RtlZeroMemory(FormattedErrorInfo,MAX_PATH);//Initialization

  FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM,
    0,
    dwErrorCode,
    MAKELANGID(LANG_ENGLISH,SUBLANG_ENGLISH_US),//English
    //            0, //The default language of the current system
    FormattedErrorInfo,MAX_PATH,NULL);
    
      //    printf("/nCopyFile()'s ErrorInformation:%s/n",FormattedErrorInfo);
      MessageBox(NULL,FormattedErrorInfo,"Error",MB_OK|MB_ICONINFORMATION);
}
/*//////////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////////*/
//Notice the file pointer all the time,this is very important.


void main(int argc,char *argv[])
{
  HANDLE hDestinationFile=NULL;
//////////////////////////////////////////////////////////////////////
  DWORD i=0;
  DWORD j=0;
  DWORD k=0;
  DWORD NumberOfBytesRead=0;   //Number of bytes read
  WORD MZSignature=0; // MZ signature
  DWORD ImageNtSignature=0;  //PE signature
  DWORD OffsetOfNewHeader=0;
  DWORD NumberOfSections=0;
  DWORD SizeOfOptionalHeader=0;
  DWORD SizeOfSectionTable=0;           //size of section table

  HANDLE hGlobalAllocatedMemory=NULL;  //use GlobalAlloc();
  HANDLE hGlobalAllocatedMemoryOfDataDirectory=NULL;

  PIMAGE_SECTION_HEADER pImageSectionHeader=NULL; //a pointer to IMAGE_SECTION_TABLE
  PIMAGE_DATA_DIRECTORY  pImageDataDirectory; //a pointer to IMAGE_DATA_DIRECTORY

///////////////////////////////////////////////////////////////////////////////////////////////////////////////
  IMAGE_DOS_HEADER ImageDosHeader;
  IMAGE_NT_HEADERS ImageNTHeaders;
  IMAGE_FILE_HEADER ImageFileHeader;

  IMAGE_OPTIONAL_HEADER ImageOptionalHeader;
  IMAGE_SECTION_HEADER ImageSectionHeader;
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////
  IMAGE_EXPORT_DIRECTORY ImageExportDirectory;  //Export and Import
  IMAGE_IMPORT_DESCRIPTOR ImageImportDescriptor;
  PIMAGE_EXPORT_DIRECTORY pImageExportDirectory=NULL;
  PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor=NULL;

  DWORD *pExportAddressTableEntry=NULL; //pointer
  DWORD *pExportNamePointerTableEntry=NULL;
  WORD *pExportOrdinalTableEntry=NULL;


  DWORD SizeOfRawData=0;
  DWORD PointerToRawData=0;
    DWORD VirtualAddress=0;
  DWORD CountOfImportDirectoryEntries=0;

  DWORD RvaOfExportDirectoryTable=0;  
  DWORD RvaOfImportDirectoryTable=0;
  DWORD DestinationSectionPosition=0; //Destination Section Position

  DWORD FilePointerToIMAGE_EXPORT_DERECTORY=0; //file pointer
  DWORD FilePointerToImportDirectoryTable=0;
  DWORD FilePointerOfExportedDllName=0;
  TCHAR ExportedDllName[MAX_PATH];
  TCHAR ImportedDllName[MAX_PATH]; //Imported Dll Name

  DWORD FilePointerOfExportAddressTable=0;  //file pointer
  DWORD FilePointerOfExportOrdinalTable=0;
  DWORD FilePointerOfExportNamePointerTable=0;
  
  HANDLE hGlobalMemoryForExportAddressTable=NULL; //Global memory allocated
  HANDLE hGlobalMemoryForExportOrdinalTable=NULL;
  HANDLE hGlobalMemoryForExportNamePointerTable=NULL;

  HANDLE hGlobalMemoryForImportDirectoryTable=NULL;
  HANDLE hGlobalMemoryForImportDirectoryTable2=NULL;
  HANDLE hGlobalMemoryForCount=NULL;

  

//////////////////////////////////////////////////////////////////////////////////////////////////////////////////
  RtlZeroMemory(&ImageDosHeader,sizeof(IMAGE_DOS_HEADER));
  RtlZeroMemory(&ImageNTHeaders,sizeof(IMAGE_NT_HEADERS));
  RtlZeroMemory(&ImageFileHeader,sizeof(IMAGE_FILE_HEADER));

  RtlZeroMemory(&ImageOptionalHeader,sizeof(IMAGE_OPTIONAL_HEADER));
  RtlZeroMemory(&ImageSectionHeader,sizeof(IMAGE_SECTION_HEADER));

  RtlZeroMemory(&ImageExportDirectory,sizeof(IMAGE_EXPORT_DIRECTORY));  //Export and Import
  RtlZeroMemory(&ImageImportDescriptor,sizeof(IMAGE_IMPORT_DESCRIPTOR));


  if(argc!=2)
  {
    printf("Error./nUSAGE:peinfo.exe DestinationFileName/n");
    return;
  }

  hDestinationFile=CreateFile(argv[1],
    FILE_WRITE_DATA|FILE_READ_DATA,
    FILE_SHARE_WRITE,NULL,OPEN_ALWAYS,FILE_ATTRIBUTE_ARCHIVE,NULL);

  OutputErrorInfo(GetLastError());

//  OpenFile(DestinationPEFile,NULL,NULL);
  if(hDestinationFile==INVALID_HANDLE_VALUE)
  {
    printf("/nCreateFile() fails!Can't open file. Please try again!/n");
    return;
  }

  if(!ReadFile(hDestinationFile,&MZSignature,2,&NumberOfBytesRead,NULL))
  {
    printf("/nReadFile() fails! Please try again./n");
    return;
  }
  if(NumberOfBytesRead!=2)
  {
    printf("/nReadFile() fails! Can't get the MZSignature./n");
    return;
  }

  if(MZSignature!=0x5A4D)
  {
    printf("/nThis file is not a valid PE file./n");
    printf("/nThe value of MZSignature is:%#x/n",MZSignature);
    return;
  }
  SetFilePointer(hDestinationFile,0,NULL,FILE_BEGIN); //Revert the file pointer,this is very important.

  ReadFile(hDestinationFile,&ImageDosHeader,
         sizeof(IMAGE_DOS_HEADER),&NumberOfBytesRead,NULL);
  if(NumberOfBytesRead!=sizeof(IMAGE_DOS_HEADER))
  {
    printf("/nReadFile() fails! Can't get IMAGE_DOS_HEADER./n");
    return;
  }
  else
  {
    printf("/nGet IMAGE_DOS_HEADER successfully!/n");
  }
  ////////////////////////////////////Output the information in the IMAGE_DOS_HEADER
  printf("ImageDosHeader.e_magic: %#x/n",ImageDosHeader.e_magic);
  printf("ImageDosHeader.e_crlc: %#x/n",ImageDosHeader.e_crlc); //Relocations
  printf("ImageDosHeader.e_ss: %#x/n",ImageDosHeader.e_ss);
  printf("ImageDosHeader.e_sp: %#x/n",ImageDosHeader.e_sp); 
  printf("ImageDosHeader.e_csum: %#x/n",ImageDosHeader.e_csum); //check sum
  printf("ImageDosHeader.e_ip: %#x/n",ImageDosHeader.e_ip); 
  printf("ImageDosHeader.e_cs: %#x/n",ImageDosHeader.e_cs);
  printf("ImageDosHeader.e_lfarlc: %#x/n",ImageDosHeader.e_lfarlc); //File address of relocation table
  printf("ImageDosHeader.e_oemid: %#x/n",ImageDosHeader.e_oemid);
  printf("ImageDosHeader.e_oeminfo: %#x/n",ImageDosHeader.e_oeminfo); 
  printf("ImageDosHeader.e_lfanew: %#x/n",ImageDosHeader.e_lfanew); //file address of new exe header
//  printf("ImageDosHeader.e_crlc%#x/n",ImageDosHeader.e_sp); 
  //......



  if(ImageDosHeader.e_magic!=MZSignature)  //MZ header
  {
    printf("/nValue of ImageDosHeader.e_magic is:");
    printf("%#x,%#d/n",ImageDosHeader.e_magic,ImageDosHeader.e_magic);
  }

  OffsetOfNewHeader=ImageDosHeader.e_lfanew; //File address of new exe header

  SetFilePointer(hDestinationFile,(LONG)OffsetOfNewHeader,NULL,FILE_BEGIN);
//  OutputErrorInfo(GetLastError());

  ReadFile(hDestinationFile,&ImageNTHeaders,
    sizeof(IMAGE_NT_HEADERS),&NumberOfBytesRead,NULL); //Retrieve IMAGE_NT_HEADERS
  if(NumberOfBytesRead!=sizeof(IMAGE_NT_HEADERS))
  {
    printf("/nReadFile() fails! Cant' get IMAGE_NT_HEADER./n");
    return;
  }
  else
  {
    printf("/nGet IMAGE_NT_HEADERS successfully!/n");
  }
  //Output the information in IMAGE_NT_HEADER
  printf("ImageNTHeaders.Signature: %#x/n",ImageNTHeaders.Signature);


  SetFilePointer(hDestinationFile,OffsetOfNewHeader+4,NULL,FILE_BEGIN);  //Set the file pointer to point to IMAGE_FILE_HEADER
  ReadFile(hDestinationFile,&ImageFileHeader,
    sizeof(IMAGE_FILE_HEADER),&NumberOfBytesRead,NULL); //Retrieve IMAGE_FILE_HEADER
  if(NumberOfBytesRead!=sizeof(IMAGE_FILE_HEADER))
  { 
    printf("/nReadFile() fails! Can't get IMAGE_FILE_HEADER./n");
    return;
  }
  else
  {
    printf("/nGet IMAGE_FILE_HEADER successfully!/n");
  }
  //Output the information in IMAGE_FILE_HEADER
  printf("ImageFileHeader.Machine: %#x/n",ImageFileHeader.Machine);
  printf("ImageFileHeader.NumberOfSections: %#x/n",ImageFileHeader.NumberOfSections);
  printf("ImageFileHeader.TimeDateStamp: %#x/n",ImageFileHeader.TimeDateStamp);
  printf("ImageFileHeader.SizeOfOptionalHeader: %#x/n",ImageFileHeader.SizeOfOptionalHeader);
    printf("ImageFileHeader.Characteristics: %#x/n",ImageFileHeader.Characteristics);



  ReadFile(hDestinationFile,&ImageOptionalHeader,
    sizeof(IMAGE_OPTIONAL_HEADER),&NumberOfBytesRead,NULL); //Retrieve IMAGE_OPTIONAL_HEADER
  if(NumberOfBytesRead!=sizeof(IMAGE_OPTIONAL_HEADER))
  {
    printf("/nReadFile() fails! Can't get IMAGE_OPTIONAL_HEADER./n");
    return;
  }
  else
  {
    printf("/nGet IMAGE_OPTIONAL_HEADER successfully!/n");
  }
  //Output the information in the IMAGE_OPTIONAL_HEADER
  //
  //Standard fields.
  //
  printf("--------------------------------------------->>>Standard fields/n");
  printf("ImageOptionalHeader.Magic: %#x/n",ImageOptionalHeader.Magic); //Standard fields
  printf("ImageOptionalHeader.MajorLinkerVersion: %#x/n",ImageOptionalHeader.MajorLinkerVersion);
  printf("ImageOptionalHeader.MinorLinkerVersion: %#x/n",ImageOptionalHeader.MinorLinkerVersion);
  printf("ImageOptionalHeader.SizeOfCode: %#x/n",ImageOptionalHeader.SizeOfCode);
  printf("ImageOptionalHeader.SizeOfInitializedData: %#x/n",ImageOptionalHeader.SizeOfInitializedData);
  printf("ImageOptionalHeader.SizeOfUninitializedData: %#x/n",ImageOptionalHeader.SizeOfUninitializedData);
  printf("ImageOptionalHeader.AddressOfEntryPoint: %#x/n",ImageOptionalHeader.AddressOfEntryPoint);
  printf("ImageOptionalHeader.BaseOfCode: %#x/n",ImageOptionalHeader.BaseOfCode);
  printf("ImageOptionalHeader.BaseOfData: %#x/n",ImageOptionalHeader.BaseOfData);
  //
  ////NT additional fields
  //
  printf("---------------------------------------------->>>NT additional fields/n");
  printf("ImageOptionalHeader.ImageBase: %#x/n",ImageOptionalHeader.ImageBase);
  printf("ImageOptionalHeader.SectionAlignment: %#x/n",ImageOptionalHeader.SectionAlignment); 
  printf("ImageOptionalHeader.FileAlignment: %#x/n",ImageOptionalHeader.FileAlignment);
  printf("ImageOptionalHeader.MajorOperatingSystemVersion: %#x/n",ImageOptionalHeader.MajorOperatingSystemVersion);
  printf("ImageOptionalHeader.MinorOperatingSystemVersion: %#x/n",ImageOptionalHeader.MinorOperatingSystemVersion);
  printf("ImageOptionalHeader.MajorImageVersion: %#x/n",ImageOptionalHeader.MajorImageVersion);
  printf("ImageOptionalHeader.MinorImageVersion: %#x/n",ImageOptionalHeader.MinorImageVersion);
  printf("ImageOptionalHeader.MajorSubsystemVersion: %#x/n",ImageOptionalHeader.MajorSubsystemVersion);
  printf("ImageOptionalHeader.MinorSubsystemVersion: %#x/n",ImageOptionalHeader.MinorSubsystemVersion);
  printf("ImageOptionalHeader.Win32VersionValue: %#x/n",ImageOptionalHeader.Win32VersionValue);
  printf("ImageOptionalHeader.SizeOfImage: %#x/n",ImageOptionalHeader.SizeOfImage); 
  printf("ImageOptionalHeader.SizeOfHeaders: %#x/n",ImageOptionalHeader.SizeOfHeaders);
  printf("ImageOptionalHeader.CheckSum: %#x/n",ImageOptionalHeader.CheckSum);
  printf("ImageOptionalHeader.Subsystem: %#x/n",ImageOptionalHeader.Subsystem);
  printf("ImageOptionalHeader.DllCharacteristics: %#x/n",ImageOptionalHeader.DllCharacteristics);
  printf("ImageOptionalHeader.SizeOfStackReserve: %#x/n",ImageOptionalHeader.SizeOfStackReserve);
  printf("ImageOptionalHeader.SizeOfStackCommit: %#x/n",ImageOptionalHeader.SizeOfStackCommit);
  printf("ImageOptionalHeader.SizeOfHeapReserve: %#x/n",ImageOptionalHeader.SizeOfHeapReserve);
  printf("ImageOptionalHeader.SizeOfHeapCommit: %#x/n",ImageOptionalHeader.SizeOfHeapCommit);
  printf("ImageOptionalHeader.LoaderFlags: %#x/n",ImageOptionalHeader.LoaderFlags);
  printf("ImageOptionalHeader.NumberOfRvaAndSizes: %#x/n",ImageOptionalHeader.NumberOfRvaAndSizes);

  //Add the information in IMAGE_DATA_DIRECTORY to complete it.
  printf("-------------------------------------------------------------------/n");
  printf("Information in IMAGE_DATA_DIRECTORY/n");
  hGlobalAllocatedMemoryOfDataDirectory=GlobalAlloc(GPTR,
                                  sizeof(IMAGE_DATA_DIRECTORY)*ImageOptionalHeader.NumberOfRvaAndSizes); //Allocate memory and initialize with zero
  pImageDataDirectory=(PIMAGE_DATA_DIRECTORY)hGlobalAllocatedMemoryOfDataDirectory;

  RtlCopyMemory(pImageDataDirectory,ImageOptionalHeader.DataDirectory, //Get IMAGE_DATA_DIRECTORY
    sizeof(IMAGE_DATA_DIRECTORY)*ImageOptionalHeader.NumberOfRvaAndSizes);


  

  for(i=0;i<ImageOptionalHeader.NumberOfRvaAndSizes;i++)
  {
    printf("-------------------------------------/n");
    switch(i)
    {
    case 0:
      printf("Export Table:/n");
      break;
    case 1:
      printf("Import Table:/n");
      break;
    case 2:
      printf("Resource Table:/n");
      break;
    case 3:
      printf("Exception Table:/n");
      break;
    case 4:
      printf("Certificate Table:/n");
      break;
    case 5:
      printf("Base Relocation Table:/n");
      break;
    case 6:
      printf("Debug:/n");
      break;
    case 7:
      printf("Architecture:/n");
      break;
    case 8:
      printf("Global Ptr:/n");
      break;
    case 9:
      printf("TLS Table:/n");
      break;
    case 10:
      printf("Load Config Table:/n");
      break;
    case 11:
      printf("Bound Import:/n");
      break;
    case 12:
      printf("IAT:/n");
      break;
    case 13:
      printf("Delay Import Descriptor:/n");
      break;
    case 14:
      printf("CLR Runtime Header:/n");
      break;
    case 15:
      printf("Reserved, must be zero:/n");
      break;
    }
    printf("VirtualAddress: %#x/n",(pImageDataDirectory+i)->VirtualAddress);
    printf("Size: %#x/n",(pImageDataDirectory+i)->Size);
//    printf("-------------------------------------/n");
  }


///////////////////////////////////////////////////////////////////////////////////////////////////////////////
  NumberOfSections=ImageFileHeader.NumberOfSections; //Number of sections
  SizeOfOptionalHeader=ImageFileHeader.SizeOfOptionalHeader; //size of optional header

  if(SizeOfOptionalHeader!=sizeof(IMAGE_OPTIONAL_HEADER))
  {
    printf("/nThere is an error./nThe value of ImageFileHeader.SizeOfOptionalHeader is incorrect!/n");
  }
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////  
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////

  SizeOfSectionTable=sizeof(IMAGE_SECTION_HEADER)*NumberOfSections; //Get the size of Section Table

  hGlobalAllocatedMemory=GlobalAlloc(GPTR,SizeOfSectionTable);      //Allocate memory and initialize with zero
  if(hGlobalAllocatedMemory==NULL)
  {
    printf("/nGlobalAlloc() failed! Please try again./n"); //if failed,return
    return;
  }

//  RtlZeroMemory(hGlobalAllocatedMemory,SizeOfSectionTable); //Initialize with zero,this operation has been completed!

    pImageSectionHeader=(PIMAGE_SECTION_HEADER)hGlobalAllocatedMemory; //Convert a handle to a pointer to IMAGE_SECTION_HEADER

  for(i=0;i<NumberOfSections;i++)  //Retrieve the Section Table
  {
    ReadFile(hDestinationFile,pImageSectionHeader+i,
      sizeof(IMAGE_SECTION_HEADER),&NumberOfBytesRead,NULL); 
    if(NumberOfBytesRead!=sizeof(IMAGE_SECTION_HEADER))
    {
      printf("Error.Can't get IMAGE_SECTION_HEADER./n");
    }
  }
  printf("------------------------------------------------------/n");
  printf("------------------------------------------------------/n");
  printf("/nGet IMAGE_SECTION_HEADER successfully!/n");
/* 
//The following code fragment has the identical effect to the above for()
  ReadFile(hDestinationFile,pImageSectionHeader,
    SizeOfSectionTable,NULL,NULL); //Retrieve the Section Table
*/
  for(i=0;i<NumberOfSections;i++)
  {
    printf("/nThe name of the section%d: ",i);
    printf("%s/n",(*(pImageSectionHeader+i)).Name);

    printf("Misc:%#x/n",(*(pImageSectionHeader+i)).Misc);
    printf("VirtualAddress: %#x/n",(*(pImageSectionHeader+i)).VirtualAddress);
    printf("SizeOfRawData: %#x/n",(*(pImageSectionHeader+i)).SizeOfRawData);
    printf("PointerToRawData: %#x/n",(*(pImageSectionHeader+i)).PointerToRawData);
    printf("PointerToRelocations: %#x/n",(*(pImageSectionHeader+i)).PointerToRelocations);
    printf("PointerToLinenumbers: %#x/n",(*(pImageSectionHeader+i)).PointerToLinenumbers);
    printf("NumberOfRelocations: %#x/n",(*(pImageSectionHeader+i)).NumberOfRelocations);
    printf("NumberOfLinenumbers: %#x/n",(*(pImageSectionHeader+i)).NumberOfLinenumbers);

    printf("Characteristics: %#x/n",(*(pImageSectionHeader+i)).Characteristics);
      printf("------------------------------------------------------");
  }
  //Output  information of .idata section
  for(i=0;i<NumberOfSections;i++)
  {
    if(StrCmp((*(pImageSectionHeader+i)).Name,".idata")==0)
    {
      SizeOfRawData=(*(pImageSectionHeader+i)).SizeOfRawData;
      PointerToRawData=(*(pImageSectionHeader+i)).PointerToRawData;
      VirtualAddress=(*(pImageSectionHeader+i)).VirtualAddress;
      SetFilePointer(hDestinationFile,PointerToRawData,NULL,FILE_BEGIN);

      hGlobalMemoryForCount=GlobalAlloc(GPTR,sizeof(IMAGE_IMPORT_DESCRIPTOR)); //Allocate memory and initialize with zero
            
      do 
      {
        ReadFile(hDestinationFile,hGlobalMemoryForCount,sizeof(IMAGE_IMPORT_DESCRIPTOR),&NumberOfBytesRead,NULL);
        if(*((DWORD*)hGlobalMemoryForCount)==0 && *((DWORD*)hGlobalMemoryForCount+1)==0)
        {
          break;
        }
        else
          CountOfImportDirectoryEntries++;
      } while (1);
      GlobalFree(hGlobalMemoryForCount); //Free the allocated memory

      if(CountOfImportDirectoryEntries==0)
      {
        printf("/nThe count of Import Directory Entries is 0/n");//*******************************************/
        return;
      }
      hGlobalMemoryForImportDirectoryTable=GlobalAlloc(GPTR,
                                                  sizeof(IMAGE_IMPORT_DESCRIPTOR)*CountOfImportDirectoryEntries);
      pImageImportDescriptor=(PIMAGE_IMPORT_DESCRIPTOR)hGlobalMemoryForImportDirectoryTable;
      SetFilePointer(hDestinationFile,PointerToRawData,NULL,FILE_BEGIN);
      ReadFile(hDestinationFile,hGlobalMemoryForImportDirectoryTable,
        sizeof(IMAGE_IMPORT_DESCRIPTOR)*CountOfImportDirectoryEntries,
        &NumberOfBytesRead,NULL);  //Get ImportDirectoryTable
      if(NumberOfBytesRead==sizeof(IMAGE_IMPORT_DESCRIPTOR)*CountOfImportDirectoryEntries)
      {
        printf("/n/nGet Import Directory Table successfully!/n");
      }
      else
      {
        printf("/nCan't get Import Directory Table./n");
        return;
      }

      printf("/n");
      for(j=0;j<CountOfImportDirectoryEntries;j++)
      {
        DWORD temp=0;
        DWORD CountOfImportLookupTableEntries=0;
        DWORD *PointToLookupTableEntries=NULL;
        HANDLE GlobalMemoryForImportLookupTableEntries=NULL;
        TCHAR DllName[MAX_PATH];

        //Output Import Directory Table entries
        printf("IMAGE_IMPORT_DESCRIPTOR.Characteristics: %#x/n",(*(pImageImportDescriptor+j)).Characteristics);
        printf("IMAGE_IMPORT_DESCRIPTOR.FirstThunk: %#x/n",(*(pImageImportDescriptor+j)).FirstThunk);
        printf("IMAGE_IMPORT_DESCRIPTOR.ForwarderChain: %#x/n",(*(pImageImportDescriptor+j)).ForwarderChain);
        printf("IMAGE_IMPORT_DESCRIPTOR.Name: %#x/n",(*(pImageImportDescriptor+j)).Name);
        printf("IMAGE_IMPORT_DESCRIPTOR.OriginalFirstThunk: %#x/n",(*(pImageImportDescriptor+j)).OriginalFirstThunk);
        printf("IMAGE_IMPORT_DESCRIPTOR.TimeDateStamp: %#x/n",(*(pImageImportDescriptor+j)).TimeDateStamp);
    
        //Output the corresponding dll name
        temp=(*(pImageImportDescriptor+j)).Name-VirtualAddress+PointerToRawData;
                SetFilePointer(hDestinationFile,temp,NULL,FILE_BEGIN);
        ReadFile(hDestinationFile,DllName,MAX_PATH,&NumberOfBytesRead,NULL);
        printf("/n%s/n",DllName);
        ///////////////////////////////////////////////////////////////////////////////////////////
        temp=(*(pImageImportDescriptor+j)).Characteristics-VirtualAddress+PointerToRawData; //Get file pointer
        SetFilePointer(hDestinationFile,temp,NULL,FILE_BEGIN);
        do 
        {
          ReadFile(hDestinationFile,&temp,4,&NumberOfBytesRead,NULL);
          if(temp==0)
          {
            break;
          }
          else
            CountOfImportLookupTableEntries++;
        } while (1);
        GlobalMemoryForImportLookupTableEntries=GlobalAlloc(GPTR,CountOfImportLookupTableEntries*4);
        temp=(*(pImageImportDescriptor+j)).Characteristics-VirtualAddress+PointerToRawData; //Get file pointer
        SetFilePointer(hDestinationFile,temp,NULL,FILE_BEGIN);
        ReadFile(hDestinationFile,GlobalMemoryForImportLookupTableEntries,
          CountOfImportLookupTableEntries*4,&NumberOfBytesRead,NULL); //Retrieve Import Lookup Table

        PointToLookupTableEntries=(DWORD*)GlobalMemoryForImportLookupTableEntries;
        printf("/n/n");
               printf("Rva||Ordinal--Hint----ImportedFunctionName/n");/////88888
        for(k=0;k<CountOfImportLookupTableEntries;k++)
        {
          WORD Ordinal=0;
          TCHAR FunctionName[MAX_PATH];
          printf("%-4d%#-8x",k,*(PointToLookupTableEntries+k)); //Output Import Lookup Table entries
          temp=*(PointToLookupTableEntries+k)-VirtualAddress+PointerToRawData;
          SetFilePointer(hDestinationFile,temp,NULL,FILE_BEGIN);
          ReadFile(hDestinationFile,&Ordinal,2,&NumberOfBytesRead,NULL); //Get the ordinal in hint/name table
          printf(" %#-8x ",Ordinal);
          ReadFile(hDestinationFile,FunctionName,MAX_PATH,&NumberOfBytesRead,NULL);
          printf("%s/n",FunctionName);
        }
        printf("-------------------------------------------------------/n");
      }
      
    } //if end
  }
  //Output the information in the .edata section
  if((*(pImageDataDirectory+0)).VirtualAddress!=0 && (*(pImageDataDirectory+0)).Size!=0)
  {
    RvaOfExportDirectoryTable=(*(pImageDataDirectory+0)).VirtualAddress;   //Get the RVA of ExportDirectoryTable*****
    printf("/nThis file has Export Directory Table./n");
  }
  else
  {
    printf("/nThis file has no Export Directory Table./n");
    goto next;
  }

  for(i=0;i<NumberOfSections;i++)
  {
    if(RvaOfExportDirectoryTable>=(pImageSectionHeader+i)->VirtualAddress)
    {
      if(  RvaOfExportDirectoryTable<=(pImageSectionHeader+i)->VirtualAddress+(pImageSectionHeader+i)->SizeOfRawData)
      {
        DestinationSectionPosition=i;
          break;
      }
    }
  }
  FilePointerToIMAGE_EXPORT_DERECTORY= (*(pImageSectionHeader+DestinationSectionPosition)).PointerToRawData+
    RvaOfExportDirectoryTable-
    (*(pImageSectionHeader+DestinationSectionPosition)).VirtualAddress;  //Notice the priority
  SetFilePointer(hDestinationFile,FilePointerToIMAGE_EXPORT_DERECTORY,NULL,FILE_BEGIN);
  ReadFile(hDestinationFile,&ImageExportDirectory,sizeof(IMAGE_EXPORT_DIRECTORY),
            &NumberOfBytesRead,NULL);
  if(NumberOfBytesRead==sizeof(IMAGE_EXPORT_DIRECTORY))
  {
    printf("/nGet IMAGE_EXPORT_DIRECTORY successfully!/n");
  }
  else
  {
    printf("/nCan't get IMAGE_EXPORT_DIRECTORY./n");
    return;
  }
  printf("ImageExportDirectory.Characteristics: %#x/n",ImageExportDirectory.Characteristics);
  printf("ImageExportDirectory.TimeDateStamp: %#x/n",ImageExportDirectory.TimeDateStamp);
  printf("ImageExportDirectory.MajorVersion: %#x/n",ImageExportDirectory.MajorVersion);
  printf("ImageExportDirectory.MinorVersion: %#x/n",ImageExportDirectory.MinorVersion);
  printf("ImageExportDirectory.Name: %#x/n",ImageExportDirectory.Name);
  printf("ImageExportDirectory.Base: %#x/n",ImageExportDirectory.Base);
  printf("ImageExportDirectory.NumberOfFunctions: %#x/n",ImageExportDirectory.NumberOfFunctions);
  printf("ImageExportDirectory.NumberOfNames: %#x/n",ImageExportDirectory.NumberOfNames);
  printf("ImageExportDirectory.AddressOfFunctions: %#x/n",ImageExportDirectory.AddressOfFunctions);
  printf("ImageExportDirectory.AddressOfNames: %#x/n",ImageExportDirectory.AddressOfNames);
  printf("ImageExportDirectory.AddressOfNameOrdinals: %#x/n",ImageExportDirectory.AddressOfNameOrdinals);

  FilePointerOfExportedDllName=(*(pImageSectionHeader+DestinationSectionPosition)).PointerToRawData+
    ImageExportDirectory.Name-
    (*(pImageSectionHeader+DestinationSectionPosition)).VirtualAddress;
  SetFilePointer(hDestinationFile,FilePointerOfExportedDllName,NULL,FILE_BEGIN);
  ReadFile(hDestinationFile,ExportedDllName,MAX_PATH,
            &NumberOfBytesRead,NULL);
  printf("/n%s/n",ExportedDllName);


  //Get the corresponding file pointer
  FilePointerOfExportAddressTable=(*(pImageSectionHeader+DestinationSectionPosition)).PointerToRawData+
    ImageExportDirectory.AddressOfFunctions-(*(pImageSectionHeader+DestinationSectionPosition)).VirtualAddress;
  FilePointerOfExportNamePointerTable=(*(pImageSectionHeader+DestinationSectionPosition)).PointerToRawData+
    ImageExportDirectory.AddressOfNames-(*(pImageSectionHeader+DestinationSectionPosition)).VirtualAddress;
  FilePointerOfExportOrdinalTable=(*(pImageSectionHeader+DestinationSectionPosition)).PointerToRawData+
    ImageExportDirectory.AddressOfNameOrdinals-(*(pImageSectionHeader+DestinationSectionPosition)).VirtualAddress;

  //Allocate memory
  hGlobalMemoryForExportAddressTable=GlobalAlloc(GPTR,ImageExportDirectory.NumberOfFunctions*4); 
  hGlobalMemoryForExportNamePointerTable=GlobalAlloc(GPTR,ImageExportDirectory.NumberOfNames*4);
  hGlobalMemoryForExportOrdinalTable=GlobalAlloc(GPTR,ImageExportDirectory.NumberOfNames*2);

  //Set file pointer and read data from file 
  SetFilePointer(hDestinationFile,FilePointerOfExportAddressTable,NULL,FILE_BEGIN);
  ReadFile(hDestinationFile,hGlobalMemoryForExportAddressTable,ImageExportDirectory.NumberOfFunctions*4,
    &NumberOfBytesRead,NULL);

  SetFilePointer(hDestinationFile,FilePointerOfExportNamePointerTable,NULL,FILE_BEGIN);
  ReadFile(hDestinationFile,hGlobalMemoryForExportNamePointerTable,ImageExportDirectory.NumberOfNames*4,
    &NumberOfBytesRead,NULL);
  SetFilePointer(hDestinationFile,FilePointerOfExportOrdinalTable,NULL,FILE_BEGIN);
  ReadFile(hDestinationFile,hGlobalMemoryForExportOrdinalTable,ImageExportDirectory.NumberOfNames*2,
    &NumberOfBytesRead,NULL);

  pExportAddressTableEntry=(DWORD*)hGlobalMemoryForExportAddressTable;
  pExportNamePointerTableEntry=(DWORD*)hGlobalMemoryForExportNamePointerTable;
  pExportOrdinalTableEntry=(WORD*)hGlobalMemoryForExportOrdinalTable;


  printf("/nOrdinal-Index--RVA----------------FunctionName/n");
  for(i=0;i<ImageExportDirectory.NumberOfFunctions;i++)
  {
    TCHAR ExportedFunctionName[MAX_PATH];
    DWORD FilePointerOfExportedFunctionName=0;
    printf("%#-7x ",*(pExportOrdinalTableEntry+i)+ImageExportDirectory.Base);
    printf("%#-6x ",*(pExportOrdinalTableEntry+i));
    printf("%#-8x ",*(pExportAddressTableEntry+i));
    printf("%#-6x ",*(pExportNamePointerTableEntry+i));
        printf("-->");
    FilePointerOfExportedFunctionName=*(pExportNamePointerTableEntry+i)-
      (*(pImageSectionHeader+DestinationSectionPosition)).VirtualAddress+
      (*(pImageSectionHeader+DestinationSectionPosition)).PointerToRawData;
    SetFilePointer(hDestinationFile,FilePointerOfExportedFunctionName,NULL,FILE_BEGIN);
    ReadFile(hDestinationFile,ExportedFunctionName,MAX_PATH,
            &NumberOfBytesRead,NULL);
    printf(" %s",ExportedFunctionName);

    printf("/n");
  }


  //Close handle to free allocated memory
  CloseHandle(hGlobalMemoryForExportAddressTable);   
    CloseHandle(hGlobalMemoryForExportNamePointerTable);
    CloseHandle(hGlobalMemoryForExportOrdinalTable);
  ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

  //Output the information in .idata section
next:
  if((*(pImageDataDirectory+1)).VirtualAddress!=0 && (*(pImageDataDirectory+1)).Size!=0)
  {
    RvaOfImportDirectoryTable=(*(pImageDataDirectory+1)).VirtualAddress;   //Get the RVA of ImportDirectoryTable*****
    printf("/nThis file has Import Directory Table./n");
  }
  else
  {
    printf("/nThis file has no Import Directory Table./n");
    goto over;
  }

  for(i=0;i<NumberOfSections;i++) //Search the destination section
  {
    if(RvaOfImportDirectoryTable>=(pImageSectionHeader+i)->VirtualAddress)
    {
      if(  RvaOfImportDirectoryTable<=(pImageSectionHeader+i)->VirtualAddress+(pImageSectionHeader+i)->SizeOfRawData)
      {
        DestinationSectionPosition=i;
        break;
      }
    }
  }
  //Get the file pointer of Import Directory Table
  SizeOfRawData=(*(pImageSectionHeader+DestinationSectionPosition)).SizeOfRawData;
  PointerToRawData=(*(pImageSectionHeader+DestinationSectionPosition)).PointerToRawData;
  VirtualAddress=(*(pImageSectionHeader+DestinationSectionPosition)).VirtualAddress;

  FilePointerToImportDirectoryTable= (*(pImageSectionHeader+DestinationSectionPosition)).PointerToRawData+
    RvaOfImportDirectoryTable-
    (*(pImageSectionHeader+DestinationSectionPosition)).VirtualAddress;  //Notice the operator's priority
  SetFilePointer(hDestinationFile,FilePointerToImportDirectoryTable,NULL,FILE_BEGIN); //Set the file pointer

  CountOfImportDirectoryEntries=0; //Initialize with zero
  hGlobalMemoryForCount=GlobalAlloc(GPTR,sizeof(IMAGE_IMPORT_DESCRIPTOR));

  do 
  {
    ReadFile(hDestinationFile,hGlobalMemoryForCount,sizeof(IMAGE_IMPORT_DESCRIPTOR),&NumberOfBytesRead,NULL);
    if(*((DWORD*)hGlobalMemoryForCount)==0 && *((DWORD*)hGlobalMemoryForCount+1)==0) //Why ?Unhandled Exception
    {
      break;
    }
    else
      CountOfImportDirectoryEntries++;
  } while (1);

  if(CountOfImportDirectoryEntries==0) 
  {
    printf("/nThe count of Import Directory Entries is 0/n");//Output error information
    return;
  }
  else
  {
    printf("/nCount of ImportDirectoryEntries is:%d/n",CountOfImportDirectoryEntries);
  }

  hGlobalMemoryForImportDirectoryTable2=GlobalAlloc(GPTR,sizeof(IMAGE_IMPORT_DESCRIPTOR)*
                                                    CountOfImportDirectoryEntries);

  pImageImportDescriptor=(PIMAGE_IMPORT_DESCRIPTOR)hGlobalMemoryForImportDirectoryTable2;
  SetFilePointer(hDestinationFile,FilePointerToImportDirectoryTable,NULL,FILE_BEGIN); //Set the file pointer
  /*Notice : To set the file pointer before calling ReadFile() is very important.*/

  ReadFile(hDestinationFile,hGlobalMemoryForImportDirectoryTable2,
    sizeof(IMAGE_IMPORT_DESCRIPTOR)*CountOfImportDirectoryEntries,
    &NumberOfBytesRead,NULL);  //Get ImportDirectoryTable
  if(NumberOfBytesRead==sizeof(IMAGE_IMPORT_DESCRIPTOR)*CountOfImportDirectoryEntries)
  {
    printf("Get Import Directory Table successfully!/n/n");
  }
  else
  {
    printf("/nCan't get Import Directory Table./n");
    return;
  }
  for(i=0;i<CountOfImportDirectoryEntries;i++)
  {
    DWORD FilePointerOfImportedDllName=0;
    DWORD FilePointerOfImportLookupTable=0;
    WORD temp=0;
    DWORD CountOfImportLookupTableEntries=0;
    DWORD *PointerToImportLookupTableEntry=NULL; //pointer to Import Lookup Table entry
    HANDLE hGlobalMemoryForImportLookupTable=NULL;
    //Output Import Directory Table entries
    printf("IMAGE_IMPORT_DESCRIPTOR.Characteristics: %#x(union)/n",(*(pImageImportDescriptor+i)).Characteristics);
      printf("IMAGE_IMPORT_DESCRIPTOR.OriginalFirstThunk: %#x(union)/n",(*(pImageImportDescriptor+i)).OriginalFirstThunk);
    printf("IMAGE_IMPORT_DESCRIPTOR.TimeDateStamp: %#x/n",(*(pImageImportDescriptor+i)).TimeDateStamp);
    printf("IMAGE_IMPORT_DESCRIPTOR.ForwarderChain: %#x/n",(*(pImageImportDescriptor+i)).ForwarderChain);
    printf("IMAGE_IMPORT_DESCRIPTOR.Name: %#x/n",(*(pImageImportDescriptor+i)).Name);
    printf("IMAGE_IMPORT_DESCRIPTOR.FirstThunk: %#x/n",(*(pImageImportDescriptor+i)).FirstThunk);

    FilePointerOfImportedDllName=(*(pImageImportDescriptor+i)).Name-VirtualAddress+PointerToRawData; 
    SetFilePointer(hDestinationFile,FilePointerOfImportedDllName,NULL,FILE_BEGIN);
    RtlZeroMemory(ImportedDllName,MAX_PATH);
    ReadFile(hDestinationFile,ImportedDllName,MAX_PATH,&NumberOfBytesRead,NULL); 
    printf("/n%s/n",ImportedDllName); //output dll name

    FilePointerOfImportLookupTable=(*(pImageImportDescriptor+i)).Characteristics-VirtualAddress+PointerToRawData;//file pointer
    SetFilePointer(hDestinationFile,FilePointerOfImportLookupTable,NULL,FILE_BEGIN); //Set file pointer
    do 
    {
      ReadFile(hDestinationFile,&temp,4,&NumberOfBytesRead,NULL); 
      if(temp==0)
      {
        break;
      }
      else
        CountOfImportLookupTableEntries++;
    } while (1);
    if(CountOfImportLookupTableEntries==0)
    {
      printf("Error.Count of ImportLookupTableEntries is 0./n");
      return;
    }
    SetFilePointer(hDestinationFile,FilePointerOfImportLookupTable,NULL,FILE_BEGIN); //Set file pointer
    hGlobalMemoryForImportLookupTable=GlobalAlloc(GPTR,CountOfImportLookupTableEntries*4);
    ReadFile(hDestinationFile,hGlobalMemoryForImportLookupTable,CountOfImportLookupTableEntries*4,
          &NumberOfBytesRead,NULL); 
    if(NumberOfBytesRead!=CountOfImportLookupTableEntries*4)
    {
      printf("/nError.Can't get ImportLookupTable./n");
      return;
    }
    PointerToImportLookupTableEntry=(DWORD*)hGlobalMemoryForImportLookupTable;
    printf("/nInformation in ImportLookupTable./n/n");
    printf("Rva||Ordinal--Hint----ImportedFunctionName/n");
    for(j=0;j<CountOfImportLookupTableEntries;j++)
    {
      DWORD Bitwise=0;
      WORD Hint=0;
      DWORD FilePoinerOfNameTable=0;
      TCHAR ImportedFunctionName[MAX_PATH];
      printf("%-4d %#-8x ",j,*(PointerToImportLookupTableEntry+j));
      Bitwise=*(PointerToImportLookupTableEntry+j);
      Bitwise=Bitwise & 0x80000000;
      if(Bitwise!=0)
      {
      }
      else
      {
      }
      FilePoinerOfNameTable=*(PointerToImportLookupTableEntry+j)-VirtualAddress+PointerToRawData;
      SetFilePointer(hDestinationFile,FilePoinerOfNameTable,NULL,FILE_BEGIN); //Set file pointer
            ReadFile(hDestinationFile,&Hint,sizeof(WORD),
          &NumberOfBytesRead,NULL);
      printf("%#-8x ",Hint);
      ReadFile(hDestinationFile,ImportedFunctionName,MAX_PATH,
          &NumberOfBytesRead,NULL);
      printf("%s/n",ImportedFunctionName);

    }

      
    printf("-------------------------------------------------------/n");
  }


  //Free the memory allocated
over:
  GlobalFree(hGlobalMemoryForImportDirectoryTable2);
  GlobalFree(hGlobalMemoryForImportDirectoryTable);
  GlobalFree(hGlobalAllocatedMemory);
  GlobalFree(hGlobalAllocatedMemoryOfDataDirectory);
  CloseHandle(hDestinationFile);
}

posted @ 2012-04-25 13:17  r3call  阅读(243)  评论(0编辑  收藏  举报