32位汇编编写PE查看器

        很久没用汇编大规模编码了，今天本打算用c语言写的。想想还是用汇编写就算是把将要遗忘的汇编找回来。开发工具很简单。介绍下：

操作系统：xp sp3(en)

编译器  ：MASM 8

项目组织：MakeFile

开发工具：EditPlus 3.10

基本上跟linux上写代码一样感觉了。呵呵。我编写PE查看器，主要目的是熟练下汇编，其次就是更加深入理解PE结构。这东西没写过这次，确实还有很多盲点。写完后感觉真的不同，比看100遍书效果都要强。PE结构和原理这里我就不讲了，我这里只是贴下代码。如果有时间，我再写专门文章，这东西讲解我必须画N多的漂亮图片，要时间啊。以后吧。

界面图：

工程结构：

PEInfo.asm   主界面

About.asm   关于界面

Import.asm  导入表界面

Section.asm 节表界面

dlgMain.rc    资源文件

MAKEFILE    辅助编译用的。windows上高级语言，工具帮你做这个了。但linux和汇编都是自己写罗

 

主界面(PEInfo.asm)

.386
.model flat,stdcall
option casemap:none

;Description : PE INFO Tools
;Authors:      zhujian
;City:         changsha
;date:         2009/1/20


include WINDOWS.INC
include user32.inc
include kernel32.inc
include comdlg32.inc
includelib user32.lib
includelib kernel32.lib
includelib Comdlg32.lib





;>>>>>>>>>>>>>>>>>>>>>>>>>>>>Recource ID Const >>>>>>>>>>>>>>>>>>>>>>>>>>>>>

IDD_DLG1 equ 1000
IDC_EDT_FILE equ 1001
IDC_BTN_OPEN equ 1002
IDC_STC1 equ 1003
IDC_EntyPoint equ 1004
IDC_EDT_EntryPoint equ 1005
IDC_EDT_ImageBase equ 1006
IDC_ImageBase equ 1007
IDC_EDT_CodeBase equ 1008
IDC_CodeBase equ 1009
IDC_EDT_DataBase equ 1010
IDC_DataBase equ 1011
IDC_EDT_ImageSize equ 1012
IDC_ImageSize equ 1013
IDC_EDT_HeadersSize equ 1014
IDC_HeadersSize equ 1015
IDC_EDT1 equ 1016
IDC_SectionAlig equ 1017
IDC_EDT_FileAligment equ 1018
IDC_FileAligment equ 1019
IDC_EDT_Subsystem equ 1020
IDC_Subsystem  equ 1021
IDC_EDT_CheckSum equ 1022
IDC_CheckSum equ 1023
IDC_EDT_DllFlags equ 1024
IDC_STC2 equ 1026
IDC_Machine equ 1027
IDC_EDT_Machine equ 1028
IDC_EDT_NumberOfSections equ 1029
IDC_NumberOfSections equ 1030
IDC_EDT_TimeDateStamp equ 1031
IDC_TimeDateStamp equ 1032
IDC_EDT_PointerOfSymbol equ 1033
IDC_PointerToSymbol equ 1034
IDC_EDT_NumberOfSymbols equ 1035
IDC_NumberOfSymbols equ 1036
IDC_EDT_SizeOfOptional equ 1037
IDC_SizeOfOptional equ 1038
IDC_EDT_Characteristics equ 1039
IDC_Characteristics equ 1040
IDC_STC3 equ 1041
IDC_BTN_SectionTable equ 1042
IDC_BTN_DataDirectory equ 1043
IDC_BTN_About equ 1044
IDC_BTN_Exit equ 1045

IDD_DLG_About equ 1100

IDD_DLG_Section equ 1200

IDC_BTN_IAT equ 1046

IDD_DLG_Import equ 1300


ICON_MAIN equ 100


_MAPFILE_STRUCT    STRUCT
  hFile        DWORD      ?
  hMapFile    DWORD      ?
  ImageBase    DWORD      ?
  lpPEHeader    DWORD       ?
  dwFilesize    DWORD       ?
_MAPFILE_STRUCT ENDS

public stMapFile

.const

szFilter        db    'PE Files(*.exe;*.dll)',0,'*.exe;*.dll',0,'All Files(*.*)',0,'*.*',0,0
szOpenFileErr   db  'Open File Error',0
szFileIsNotExe    db  'File Is Not Exe',0

szFmtHex1        db    "%04x",0
szFmtHex        db    "%08lx",0


;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Data Segment>>>>>>>>>>>>>>>>>>>>>>>>>>

.data?
hInstance                     dd             ?

szFileName                     db  MAX_PATH dup(?)

hFile                         dd             ?


stMapFile                 _MAPFILE_STRUCT<?,?,?,?,?>


;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>code Segment>>>>>>>>>>>>>>>>>>>>>>>>>>>>

.code




AboutProc proto:DWORD,:DWORD,:DWORD,:DWORD

SectionProc proto:DWORD,:DWORD,:DWORD,:DWORD

ImportProc proto:DWORD,:DWORD,:DWORD,:DWORD


showNtHeader proc uses esi,hwnd:DWORD
    
    local    @szbuffer[64]:byte
    mov esi,offset stMapFile
    assume esi:ptr _MAPFILE_STRUCT
    mov ebx,[esi].lpPEHeader
    mov esi,ebx
    assume esi:ptr IMAGE_NT_HEADERS
    
    invoke wsprintf,addr @szbuffer,addr szFmtHex,[esi].OptionalHeader.AddressOfEntryPoint
    invoke SetDlgItemText,hwnd,IDC_EDT_EntryPoint,addr @szbuffer
    
    invoke wsprintf,addr @szbuffer,addr szFmtHex,[esi].OptionalHeader.ImageBase
    invoke SetDlgItemText,hwnd,IDC_EDT_ImageBase,addr @szbuffer
    
    invoke wsprintf,addr @szbuffer,addr szFmtHex,[esi].OptionalHeader.BaseOfCode
    invoke SetDlgItemText,hwnd,IDC_EDT_CodeBase,addr @szbuffer
    
    invoke wsprintf,addr @szbuffer,addr szFmtHex,[esi].OptionalHeader.BaseOfData
    invoke SetDlgItemText,hwnd,IDC_EDT_DataBase,addr @szbuffer
    
    invoke wsprintf,addr @szbuffer,addr szFmtHex,[esi].OptionalHeader.SizeOfImage
    invoke SetDlgItemText,hwnd,IDC_EDT_ImageSize,addr @szbuffer
    
    invoke wsprintf,addr @szbuffer,addr szFmtHex,[esi].OptionalHeader.SizeOfHeaders
    invoke SetDlgItemText,hwnd,IDC_EDT_HeadersSize,addr @szbuffer
    
    invoke wsprintf,addr @szbuffer,addr szFmtHex,[esi].OptionalHeader.FileAlignment
    invoke SetDlgItemText,hwnd,IDC_EDT_FileAligment,addr @szbuffer
    
    invoke wsprintf,addr @szbuffer,addr szFmtHex,[esi].OptionalHeader.SectionAlignment
    invoke SetDlgItemText,hwnd,IDC_EDT1,addr @szbuffer
    
    invoke wsprintf,addr @szbuffer,addr szFmtHex,[esi].OptionalHeader.Subsystem
    invoke SetDlgItemText,hwnd,IDC_EDT_Subsystem,addr @szbuffer
    
    invoke wsprintf,addr @szbuffer,addr szFmtHex1,[esi].OptionalHeader.CheckSum
    invoke SetDlgItemText,hwnd,IDC_EDT_CheckSum,addr @szbuffer
    
    invoke wsprintf,addr @szbuffer,addr szFmtHex1,[esi].OptionalHeader.LoaderFlags
    invoke SetDlgItemText,hwnd,IDC_EDT_DllFlags,addr @szbuffer
    
    assume esi:nothing
    ret

showNtHeader endp

showFileHeader proc uses esi, hwnd:DWORD
    local    @szbuffer[64]:byte
    mov esi,offset stMapFile
    assume esi:ptr _MAPFILE_STRUCT
    mov ebx,[esi].lpPEHeader
    mov esi,ebx
    assume esi:ptr IMAGE_NT_HEADERS
    
    invoke wsprintf,addr @szbuffer,addr szFmtHex1,[esi].FileHeader.Machine
    invoke SetDlgItemText,hwnd,IDC_EDT_Machine,addr @szbuffer
    
    invoke wsprintf,addr @szbuffer,addr szFmtHex1,[esi].FileHeader.NumberOfSections
    invoke SetDlgItemText,hwnd,IDC_EDT_NumberOfSections,addr @szbuffer

    invoke wsprintf,addr @szbuffer,addr szFmtHex,[esi].FileHeader.TimeDateStamp
    invoke SetDlgItemText,hwnd,IDC_EDT_TimeDateStamp,addr @szbuffer
    
    invoke wsprintf,addr @szbuffer,addr szFmtHex,[esi].FileHeader.PointerToSymbolTable
    invoke SetDlgItemText,hwnd,IDC_EDT_PointerOfSymbol,addr @szbuffer
    
    invoke wsprintf,addr @szbuffer,addr szFmtHex,[esi].FileHeader.NumberOfSymbols
    invoke SetDlgItemText,hwnd,IDC_EDT_NumberOfSymbols,addr @szbuffer
    
    invoke wsprintf,addr @szbuffer,addr szFmtHex1,[esi].FileHeader.SizeOfOptionalHeader
    invoke SetDlgItemText,hwnd,IDC_EDT_SizeOfOptional,addr @szbuffer
    
    invoke wsprintf,addr @szbuffer,addr szFmtHex1,[esi].FileHeader.Characteristics
    invoke SetDlgItemText,hwnd,IDC_EDT_Characteristics,addr @szbuffer
    

    
    
    assume esi:nothing
    
    ret
showFileHeader endp


_UnLoadFile    proc    pstMapFile
        push    ebx
        xor    ebx,ebx
        mov    ebx,pstMapFile
        assume    ebx:ptr    _MAPFILE_STRUCT
        .if [ebx].ImageBase
            invoke    CloseHandle,[ebx].ImageBase
        .endif
        .if [ebx].hMapFile
            invoke    CloseHandle,[ebx].hMapFile
        .endif
        .if [ebx].hFile
            invoke    CloseHandle,[ebx].hFile
        .endif        
        assume    ebx:nothing
        pop    ebx
        ret
_UnLoadFile    endp


LoadAndIsPEFile proc uses esi,hwnd
        LOCAL @dwFileSize:DWORD
        LOCAL @hMapFile:DWORD
        LOCAL @lpImageBase:DWORD
        
        invoke CreateFile,addr szFileName,GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL
        cmp eax,INVALID_HANDLE_VALUE
        jz @F
        mov hFile,eax
        invoke GetFileSize,hFile,NULL
        mov @dwFileSize,eax
        test eax,eax
        jz @F
        invoke CreateFileMapping,hFile,NULL,PAGE_READONLY,0,0,NULL
        test eax,eax
        jz @F
        mov @hMapFile,eax
        invoke MapViewOfFile,eax,FILE_MAP_READ,0,0,0
        test eax,eax
        jz @F
        mov @lpImageBase,eax  ;Get Image Base Address values
        ;Is PE Format ?
        mov esi,@lpImageBase
        assume esi:ptr IMAGE_DOS_HEADER
        cmp [esi].e_magic,IMAGE_DOS_SIGNATURE
        jnz FileFormatErr
        add esi,[esi].e_lfanew
        assume    esi:ptr IMAGE_NT_HEADERS
        cmp [esi].Signature,IMAGE_NT_SIGNATURE
        jnz FileFormatErr
        
        ;set _MAPFILE_STRUCT value
        
        push ebx
        xor ebx,ebx
        mov ebx,offset stMapFile
        assume ebx:ptr _MAPFILE_STRUCT
        mov eax,hFile
        mov [ebx].hFile,eax
        mov eax,@hMapFile
        mov [ebx].hMapFile,eax
        mov eax,@lpImageBase
        mov [ebx].ImageBase,eax
        mov eax,@dwFileSize
        mov [ebx].dwFilesize,eax
        mov [ebx].lpPEHeader,esi
        assume ebx:nothing
        pop ebx
        
        xor eax,eax
        inc eax
        ret
        

FileFormatErr:
        
        invoke MessageBox,hwnd,addr szFileIsNotExe,NULL,MB_ICONINFORMATION
        xor eax,eax
        ret
       
@@:
        invoke MessageBox,hwnd,addr szOpenFileErr,NULL,MB_ICONINFORMATION
        xor eax,eax
        ret
LoadAndIsPEFile endp
OpenFileProc proc hwnd
    LOCAL @stOF:OPENFILENAME
    invoke RtlZeroMemory,addr @stOF,sizeof @stOF
    mov @stOF.lStructSize,sizeof @stOF
    push hwnd
    pop @stOF.hwndOwner
    mov @stOF.lpstrFilter,offset szFilter
    mov @stOF.lpstrFile,offset szFileName
    mov    @stOF.nMaxFile,MAX_PATH
    mov    @stOF.Flags,OFN_PATHMUSTEXIST or OFN_FILEMUSTEXIST
    invoke GetOpenFileName,addr @stOF
    test eax,eax
    jz @F
    
    push hwnd
    call LoadAndIsPEFile   ; call function confirm file formart
    cmp eax,0h
    jz @F
    ;show filename is TextBox
    invoke SetDlgItemText,hwnd,IDC_EDT_FILE,offset szFileName
    ;show FileHeader information
    push hwnd
    call showFileHeader
    push hwnd
    call showNtHeader
    
    ;Enalbe Section Button and Data Driaction
    invoke GetDlgItem,hwnd,IDC_BTN_SectionTable
    invoke EnableWindow,eax,1
    
    invoke GetDlgItem,hwnd,IDC_BTN_IAT
    invoke EnableWindow,eax,1
    
    invoke GetDlgItem,hwnd,IDC_BTN_DataDirectory
    invoke EnableWindow,eax,1
    
    ;invoke MessageBox,hwnd,addr szFileName,addr szFileName,MB_OK
@@:
    invoke _UnLoadFile,addr stMapFile
    ret
OpenFileProc endp 
;----------------------------------dlg proc --------------------------------
dlgProc proc hWnd,Msg,wParam,lParam
    
            mov eax,Msg
            cmp eax,WM_CLOSE
            jz Exit
            cmp eax,WM_INITDIALOG
            jz Init
            cmp eax,WM_COMMAND
            jz Command
            jmp N
Init:
            invoke    LoadIcon,hInstance,ICON_MAIN
            invoke SendMessage,hWnd,WM_SETICON,ICON_BIG,eax
            jmp H
Command:                    
            mov eax,wParam
            cmp eax,IDC_BTN_Exit   ;Exit Button Handle
            jz Exit
            cmp eax,IDC_BTN_OPEN  ;Open File Handle
            jz OpenF
            cmp eax,IDC_BTN_About
            jz DlgAbout
            cmp eax,IDC_BTN_SectionTable
            jz SectionDlg
            cmp eax,IDC_BTN_IAT
            jz IATDlg
            jmp N    
IATDlg:
            invoke DialogBoxParam,hInstance,IDD_DLG_Import,hWnd,addr ImportProc,NULL
            jmp H
SectionDlg:
            invoke DialogBoxParam,hInstance,IDD_DLG_Section,hWnd,addr SectionProc,NULL
            jmp H
            
DlgAbout:
            invoke DialogBoxParam,hInstance,IDD_DLG_About,hWnd,addr AboutProc,NULL
            jmp H
OpenF:                            ;open file
            push hWnd
            call OpenFileProc
            jmp H
Exit:
            Invoke EndDialog,hWnd,NULL
            jmp H

H:
            xor eax,eax
            inc eax
            ret
N:
            xor eax,eax
            ret

dlgProc endp


;----------------------------------program entry ----------------------------
main:
    invoke GetModuleHandle,NULL
    mov hInstance,eax
    invoke DialogBoxParam,hInstance,IDD_DLG1,NULL,offset dlgProc,NULL
    invoke ExitProcess,NULL
end main

 

节表界面  (Section.asm )

.386
.model flat,stdcall
option casemap:none

;Description : PE INFO Tools
;FileDescriptin :  Section Dialog File
;Authors:      zhujian
;City:         changsha
;date:         2009/1/21


include WINDOWS.INC
include user32.inc
include kernel32.inc
include comctl32.inc
includelib user32.lib
includelib kernel32.lib
includelib comctl32.lib

IDC_LSV_Section equ 1201

_MAPFILE_STRUCT    STRUCT
  hFile        DWORD      ?
  hMapFile    DWORD      ?
  ImageBase    DWORD      ?
  lpPEHeader    DWORD       ?
  dwFilesize    DWORD       ?
_MAPFILE_STRUCT ENDS

EXTERN stMapFile:_MAPFILE_STRUCT

.const

ColumTitle1 db 'Name',0
ColumTitle2 db 'Virual Address',0
ColumTitle3 db 'Virual Size',0
ColumTitle4 db 'Raw Address',0
ColumTitle5 db 'Raw Size',0
ColumTitle6 db 'Characteristics',0

szFmtHex1        db    "%04x",0
szFmtHex        db    "%08lx",0
.code


showSectionInfo proc hwnd
                    local    @stlvItem:LVITEM
                    local    @szName[16]:byte,@szbuffer[1024]:byte
                    LOCAL   @i
                    pushad
                    mov edi,stMapFile.lpPEHeader
                    assume edi:ptr IMAGE_NT_HEADERS
                    movzx ecx,[edi].FileHeader.NumberOfSections
                    add edi,sizeof IMAGE_NT_HEADERS
                    assume edi:ptr IMAGE_SECTION_HEADER
                    mov @i , 0
            L1:        
                    push ecx
                    invoke RtlZeroMemory,addr @szName,sizeof @szName
                    push edi
                    push esi
                    mov esi,edi
                    lea edi,@szName
                    mov ecx,8
                            cld   ; esi edi dirction
                            L2:
                            lodsb
                                test al,al
                                jnz @F 
                                  mov    al,' '
                                @@:
                            stosb
                            
                            loop    L2
                    pop    esi
                    pop    edi
                    invoke    RtlZeroMemory,addr @stlvItem,sizeof @stlvItem
                    
                    ;show name column
                    mov    @stlvItem.imask,LVIF_TEXT
                    push @i
                    pop    @stlvItem.iItem
                    lea    ebx,@szName
                    mov    @stlvItem.pszText,ebx
                    mov    @stlvItem.iSubItem,0
                    invoke    SendDlgItemMessage,hwnd,IDC_LSV_Section,LVM_INSERTITEM,0,addr @stlvItem
                    
                    ;show virtual Size column
                    
                    invoke    wsprintf,addr @szbuffer, offset szFmtHex,[edi].VirtualAddress
                    lea    ebx,@szbuffer
                    mov    @stlvItem.pszText,ebx
                    mov    @stlvItem.iSubItem,1
                    invoke    SendDlgItemMessage,hwnd,IDC_LSV_Section,LVM_SETITEM,0,addr @stlvItem

                    invoke    wsprintf,addr @szbuffer, offset szFmtHex,[edi].Misc.VirtualSize
                    lea    ebx,@szbuffer
                    mov    @stlvItem.pszText,ebx
                    mov    @stlvItem.iSubItem,2
                    invoke    SendDlgItemMessage,hwnd,IDC_LSV_Section,LVM_SETITEM,0,addr @stlvItem
                    
                    
                    invoke    wsprintf,addr @szbuffer, offset szFmtHex,[edi].PointerToRawData
                    lea    ebx,@szbuffer
                    mov    @stlvItem.pszText,ebx
                    mov    @stlvItem.iSubItem,3
                    invoke    SendDlgItemMessage,hwnd,IDC_LSV_Section,LVM_SETITEM,0,addr @stlvItem
                    
                    invoke    wsprintf,addr @szbuffer, offset szFmtHex,[edi].SizeOfRawData
                    lea    ebx,@szbuffer
                    mov    @stlvItem.pszText,ebx
                    mov    @stlvItem.iSubItem,4
                    invoke    SendDlgItemMessage,hwnd,IDC_LSV_Section,LVM_SETITEM,0,addr @stlvItem
                    
                    
                    invoke    wsprintf,addr @szbuffer, offset szFmtHex,[edi].Characteristics
                    lea    ebx,@szbuffer
                    mov    @stlvItem.pszText,ebx
                    mov    @stlvItem.iSubItem,5
                    invoke    SendDlgItemMessage,hwnd,IDC_LSV_Section,LVM_SETITEM,0,addr @stlvItem
                    
                    
                    inc    @stlvItem.iItem 
                    inc @i
                    add     edi,sizeof IMAGE_SECTION_HEADER
                    pop    ecx
                    dec ecx
                    
                    cmp ecx,0
                    jg L1
                    
                    popad
    
    ret

showSectionInfo endp


InitSectionList    proc    hWnd
            local    @stlvColumn:LVCOLUMN,@hList:DWORD
        invoke    RtlZeroMemory,addr @stlvColumn,sizeof @stlvColumn
        invoke    GetDlgItem,hWnd,IDC_LSV_Section
        mov    @hList,eax
        invoke    SendMessage,@hList,LVM_SETEXTENDEDLISTVIEWSTYLE,NULL,LVS_EX_FULLROWSELECT
        
        mov    @stlvColumn.imask,LVCF_FMT or LVCF_TEXT or LVCF_WIDTH or LVCF_SUBITEM
        mov    @stlvColumn.fmt,LVCFMT_LEFT
        mov    @stlvColumn.iSubItem,0 
        mov    @stlvColumn.lx,100                                    
        mov    @stlvColumn.pszText,OFFSET ColumTitle1        
        invoke    SendDlgItemMessage,hWnd,IDC_LSV_Section,LVM_INSERTCOLUMN,0,addr @stlvColumn
        
        
        
        mov    @stlvColumn.fmt,LVCFMT_RIGHT 
        mov    @stlvColumn.lx,100
        mov    @stlvColumn.pszText,OFFSET ColumTitle2
        invoke    SendDlgItemMessage,hWnd,IDC_LSV_Section,LVM_INSERTCOLUMN,1,addr @stlvColumn

        
        mov    @stlvColumn.lx,100
        mov    @stlvColumn.pszText,OFFSET ColumTitle3
        invoke    SendDlgItemMessage,hWnd,IDC_LSV_Section,LVM_INSERTCOLUMN,2,addr @stlvColumn

        
        mov    @stlvColumn.lx,100
        mov    @stlvColumn.pszText,OFFSET ColumTitle4
        invoke    SendDlgItemMessage,hWnd,IDC_LSV_Section,LVM_INSERTCOLUMN,3,addr @stlvColumn

        
        mov    @stlvColumn.lx,100
        mov    @stlvColumn.pszText,OFFSET ColumTitle5
        invoke    SendDlgItemMessage,hWnd,IDC_LSV_Section,LVM_INSERTCOLUMN,4,addr @stlvColumn

        
        mov    @stlvColumn.lx,110
        mov    @stlvColumn.pszText,OFFSET ColumTitle6
        invoke    SendDlgItemMessage,hWnd,IDC_LSV_Section,LVM_INSERTCOLUMN,5,addr @stlvColumn            
        ret
InitSectionList    endp

SectionProc proc hWnd,Msg,wParam,lParam
        mov eax,Msg
        cmp eax,WM_CLOSE
        jz EXIT
        cmp eax,WM_INITDIALOG
        jz INIT
        
        jmp @F

EXIT:
        invoke EndDialog,hWnd,NULL
        xor eax,eax
        inc eax
        ret
INIT:
        ;show section data 
        push hWnd
        call InitSectionList
        push hWnd
        call showSectionInfo
        xor eax,eax
        inc eax
        ret
@@:        xor eax,eax
        ret
SectionProc endp
end

 

导入表界面 (Import.asm )

.386
.model flat,stdcall
option casemap:none

;Description : PE INFO Tools
;FileDescriptin : Import Table File
;Authors:      zhujian
;City:         changsha
;date:         2009/1/22


include WINDOWS.INC
include user32.inc
include kernel32.inc
include comctl32.inc
includelib user32.lib
includelib kernel32.lib
includelib comctl32.lib


_MAPFILE_STRUCT    STRUCT
  hFile        DWORD      ?
  hMapFile    DWORD      ?
  ImageBase    DWORD      ?
  lpPEHeader    DWORD       ?
  dwFilesize    DWORD       ?
_MAPFILE_STRUCT ENDS

IDC_LSV_Fun equ 1302

IDC_LSV_IDD equ 1301

EXTERN stMapFile:_MAPFILE_STRUCT

.const

COL1 db 'DLLName',0
COL2 db 'OriginalFirstThunk',0
COL3 db 'TimeDateStamp',0
COL4 db 'ForwarderChain',0
COL5 db 'Name',0
COL6 db 'FirstTrunk',0

;----------------------------------
fCol1 db 'ThrunkRva',0
fCol2 db 'ThrunkOffset',0
fCol3 db 'ThrunkValue',0
fCol4 db 'Hint',0
fCol5 db 'ApiName',0

HitTemp db "%04lx",0
NameTemplate db "%s",0

OrdinalTemplate db "%u (ord.)",0

szFmtHex        db    "%08lx",0


szIATerr        db  'IAT error',0
.code


RvaToVa    proc    _lpPEHeader,_dwRVA
        local    @Return:DWORD
        pushad
        mov    esi,_lpPEHeader
        assume    esi:ptr IMAGE_NT_HEADERS
        mov    edi,_dwRVA
        mov    edx,esi
        add    edx,sizeof IMAGE_NT_HEADERS
        assume    edx:ptr IMAGE_SECTION_HEADER
        movzx    ecx,[esi].FileHeader.NumberOfSections


        .repeat
            mov    eax,[edx].VirtualAddress
            add    eax,[edx].SizeOfRawData        ;eax = Section End
            .if    (edi >= [edx].VirtualAddress) && (edi < eax)
                mov    eax,[edx].VirtualAddress ;eax= Section start
                sub    edi,eax            ;edi = offset in section
                mov    eax,[edx].PointerToRawData
                add    eax,edi            ;eax = file offset
                jmp    @F
            .endif
            add    edx,sizeof IMAGE_SECTION_HEADER
        .untilcxz
        assume    edx:nothing
        assume    esi:nothing
        mov    eax,-1
@@:
        mov    @Return,eax
        popad
        mov    eax,@Return
        ret
RvaToVa    endp

showFun proc hwnd,idx
                local    @stlvItem:LVITEM
                LOCAL   @szbuffer[1024]:BYTE
                LOCAL   @hList
                LOCAL @lpThunkRVA:dword
                pushad
                
                invoke GetDlgItem,hwnd,IDC_LSV_Fun
                mov @hList,eax
                invoke    SendMessage,@hList,LVM_DELETEALLITEMS ,0,0
                
                mov edi,stMapFile.lpPEHeader
                assume edi:ptr IMAGE_NT_HEADERS
                mov eax,[edi].OptionalHeader.DataDirectory[8].VirtualAddress
                test eax,eax
                jz IATerr
                
                invoke RvaToVa,stMapFile.lpPEHeader,eax  ;change file offset address
                add eax,stMapFile.ImageBase
                
                mov edi,eax    ;idi file offset
                mov    eax,sizeof IMAGE_IMPORT_DESCRIPTOR
                mul idx
                add edi,eax
                assume edi:ptr IMAGE_IMPORT_DESCRIPTOR
                mov ebx,[edi].OriginalFirstThunk
                test ebx,ebx
                jnz FirstT
                mov ebx,[edi].FirstThunk
                FirstT:
                
                mov @lpThunkRVA,ebx
                
                invoke  RvaToVa,stMapFile.lpPEHeader,ebx
                add eax,stMapFile.ImageBase
                mov edi,eax
                
                
                invoke    RtlZeroMemory,addr @stlvItem,sizeof @stlvItem
                mov    @stlvItem.imask,LVIF_TEXT
                mov    @stlvItem.iItem,0
                @@:
                mov eax,dword ptr [edi] ;edi is rva
                test eax,eax
                jz @F
                
                mov ebx,edi
                ;sub ebx,stMapFile.ImageBase
                push edx
                invoke    wsprintf,addr @szbuffer, offset szFmtHex,@lpThunkRVA  ;rva
                lea    edx,@szbuffer  ;format 
                mov    @stlvItem.pszText,edx
                mov    @stlvItem.iSubItem,0
                
                pop edx
                invoke    SendDlgItemMessage,hwnd,IDC_LSV_Fun,LVM_INSERTITEM,0,addr @stlvItem
                
                push edx
                invoke  RvaToVa,stMapFile.lpPEHeader,@lpThunkRVA
                invoke    wsprintf,addr @szbuffer, offset szFmtHex,eax
                lea    edx,@szbuffer
                mov    @stlvItem.pszText,edx
                mov    @stlvItem.iSubItem,1
                invoke    SendDlgItemMessage,hwnd,IDC_LSV_Fun,LVM_SETITEM,0,addr @stlvItem
                pop edx
                
                push edx
                ;invoke  RvaToVa,stMapFile.lpPEHeader,dword ptr[edi]
                invoke    wsprintf,addr @szbuffer, offset szFmtHex,dword ptr[edi];eax
                lea    edx,@szbuffer
                mov    @stlvItem.pszText,edx
                mov    @stlvItem.iSubItem,2
                invoke    SendDlgItemMessage,hwnd,IDC_LSV_Fun,LVM_SETITEM,0,addr @stlvItem
                pop edx
                test dword ptr [edi],IMAGE_ORDINAL_FLAG32
                jnz ImportByOrdinal
                
                        invoke RvaToVa,stMapFile.lpPEHeader,dword ptr[edi]
                        mov edx,eax
                        add edx,stMapFile.ImageBase
                        
                        push edx
                        assume edx:ptr IMAGE_IMPORT_BY_NAME
                        mov cx, [edx].Hint
                        movzx ecx,cx
                        invoke wsprintf,addr @szbuffer,addr HitTemp,ecx
                        lea edx,@szbuffer
                        mov    @stlvItem.pszText,edx
                        mov    @stlvItem.iSubItem,3
                        invoke    SendDlgItemMessage,hwnd,IDC_LSV_Fun,LVM_SETITEM,0,addr @stlvItem
                        pop edx
                        
                        push edx
                        invoke wsprintf,addr @szbuffer,addr NameTemplate,addr [edx].Name1
                        lea eax,@szbuffer
                        mov    @stlvItem.pszText,eax
                        mov    @stlvItem.iSubItem,4
                        invoke    SendDlgItemMessage,hwnd,IDC_LSV_Fun,LVM_SETITEM,0,addr @stlvItem
                        pop edx
                        
                        jmp lst
                ImportByOrdinal:
                
                        mov edx,dword ptr [edi]
                        and edx,0FFFFh
                        invoke wsprintf,addr @szbuffer,addr OrdinalTemplate,edx
                        lea eax,@szbuffer
                        mov    @stlvItem.pszText,eax
                        mov    @stlvItem.iSubItem,4
                        invoke    SendDlgItemMessage,hwnd,IDC_LSV_Fun,LVM_SETITEM,0,addr @stlvItem
                        
                lst:

                inc    @stlvItem.iItem
                add @lpThunkRVA,4
                add edi,4
                jmp @B
                @@:
                popad
                ret
    IATerr:
                invoke MessageBox,hwnd,addr szIATerr ,NULL,MB_ICONINFORMATION
                ret        
showFun endp

showIATIDD proc hwnd
                local    @stlvItem:LVITEM
                LOCAL   @szbuffer[1024]:BYTE
                LOCAL   @i
                pushad
                mov edi,stMapFile.lpPEHeader
                assume edi:ptr IMAGE_NT_HEADERS
                mov    eax,[edi].OptionalHeader.DataDirectory[8].VirtualAddress
                test eax,eax
                jz IATerr
                
                
                invoke RvaToVa,stMapFile.lpPEHeader,eax  ;change file offset address
                add eax,stMapFile.ImageBase
                mov edi,eax
                assume edi:ptr IMAGE_IMPORT_DESCRIPTOR
                
                mov @i,0
                
                @@:
                mov eax,[edi].FirstThunk
                test eax,eax
                jz @F
                
                invoke    RtlZeroMemory,addr @stlvItem,sizeof @stlvItem
                mov    @stlvItem.imask,LVIF_TEXT
                push @i
                pop    @stlvItem.iItem
                invoke  RvaToVa,stMapFile.lpPEHeader,[edi].Name1
                add eax,stMapFile.ImageBase
                mov edx,eax
                mov @stlvItem.pszText,edx
                invoke    SendDlgItemMessage,hwnd,IDC_LSV_IDD,LVM_INSERTITEM,0,addr @stlvItem
                
                invoke    wsprintf,addr @szbuffer, offset szFmtHex,[edi].OriginalFirstThunk
                lea    ebx,@szbuffer
                mov    @stlvItem.pszText,ebx
                mov    @stlvItem.iSubItem,1
                invoke    SendDlgItemMessage,hwnd,IDC_LSV_IDD,LVM_SETITEM,0,addr @stlvItem
                
                
                invoke    wsprintf,addr @szbuffer, offset szFmtHex,[edi].TimeDateStamp
                lea    ebx,@szbuffer
                mov    @stlvItem.pszText,ebx
                mov    @stlvItem.iSubItem,2
                invoke    SendDlgItemMessage,hwnd,IDC_LSV_IDD,LVM_SETITEM,0,addr @stlvItem
                
                
                invoke    wsprintf,addr @szbuffer, offset szFmtHex,[edi].ForwarderChain
                lea    ebx,@szbuffer
                mov    @stlvItem.pszText,ebx
                mov    @stlvItem.iSubItem,3
                invoke    SendDlgItemMessage,hwnd,IDC_LSV_IDD,LVM_SETITEM,0,addr @stlvItem
                
                invoke    wsprintf,addr @szbuffer, offset szFmtHex,[edi].Name1
                lea    ebx,@szbuffer
                mov    @stlvItem.pszText,ebx
                mov    @stlvItem.iSubItem,4
                invoke    SendDlgItemMessage,hwnd,IDC_LSV_IDD,LVM_SETITEM,0,addr @stlvItem
                
                invoke    wsprintf,addr @szbuffer, offset szFmtHex,[edi].FirstThunk
                lea    ebx,@szbuffer
                mov    @stlvItem.pszText,ebx
                mov    @stlvItem.iSubItem,5
                invoke    SendDlgItemMessage,hwnd,IDC_LSV_IDD,LVM_SETITEM,0,addr @stlvItem
                
                inc    @stlvItem.iItem
                inc @i
                add    edi,sizeof IMAGE_IMPORT_DESCRIPTOR
                jmp @B
                @@:
                popad
                ret
    IATerr:
                invoke MessageBox,hwnd,addr szIATerr ,NULL,MB_ICONINFORMATION
                ret        
showIATIDD endp


InitImportList2    proc    hWnd
            local    @stlvColumn:LVCOLUMN,@hListDll:DWORD
            invoke    RtlZeroMemory,addr @stlvColumn,sizeof @stlvColumn
            invoke GetDlgItem,hWnd,IDC_LSV_Fun
            mov @hListDll,eax
            invoke SendMessage,eax,LVM_SETEXTENDEDLISTVIEWSTYLE,NULL,LVS_EX_FULLROWSELECT
            
            ;fill LVCOLUMN DATA
            mov @stlvColumn.imask,LVCF_FMT or LVCF_TEXT or LVCF_WIDTH or LVCF_SUBITEM
            mov @stlvColumn.fmt,LVCFMT_LEFT
            mov @stlvColumn.pszText,offset fCol1
            mov @stlvColumn.lx,100
            mov @stlvColumn.iSubItem,0
            invoke SendDlgItemMessage,hWnd,IDC_LSV_Fun,LVM_INSERTCOLUMN,0,addr @stlvColumn
            
            mov @stlvColumn.pszText,offset fCol2
            mov @stlvColumn.lx,100
            invoke SendDlgItemMessage,hWnd,IDC_LSV_Fun,LVM_INSERTCOLUMN,1,addr @stlvColumn
            
            mov @stlvColumn.pszText,offset fCol3
            mov @stlvColumn.lx,100
            invoke SendDlgItemMessage,hWnd,IDC_LSV_Fun,LVM_INSERTCOLUMN,2,addr @stlvColumn
            
            mov @stlvColumn.pszText,offset fCol4
            mov @stlvColumn.lx,100
            invoke SendDlgItemMessage,hWnd,IDC_LSV_Fun,LVM_INSERTCOLUMN,3,addr @stlvColumn
            
            mov @stlvColumn.pszText,offset fCol5
            mov @stlvColumn.lx,100
            invoke SendDlgItemMessage,hWnd,IDC_LSV_Fun,LVM_INSERTCOLUMN,4,addr @stlvColumn
            
        ret
InitImportList2    endp

InitImportList    proc    hWnd
            local    @stlvColumn:LVCOLUMN,@hListDll:DWORD
            invoke    RtlZeroMemory,addr @stlvColumn,sizeof @stlvColumn
            invoke GetDlgItem,hWnd,IDC_LSV_IDD
            mov @hListDll,eax
            invoke SendMessage,eax,LVM_SETEXTENDEDLISTVIEWSTYLE,NULL,LVS_EX_FULLROWSELECT
            
            ;fill LVCOLUMN DATA
            mov @stlvColumn.imask,LVCF_FMT or LVCF_TEXT or LVCF_WIDTH or LVCF_SUBITEM
            mov @stlvColumn.fmt,LVCFMT_LEFT
            mov @stlvColumn.pszText,offset COL1
            mov @stlvColumn.lx,100
            mov @stlvColumn.iSubItem,0
            invoke SendDlgItemMessage,hWnd,IDC_LSV_IDD,LVM_INSERTCOLUMN,0,addr @stlvColumn
            
            mov @stlvColumn.pszText,offset COL2
            mov @stlvColumn.lx,100
            invoke SendDlgItemMessage,hWnd,IDC_LSV_IDD,LVM_INSERTCOLUMN,1,addr @stlvColumn
            
            mov @stlvColumn.pszText,offset COL3
            mov @stlvColumn.lx,100
            invoke SendDlgItemMessage,hWnd,IDC_LSV_IDD,LVM_INSERTCOLUMN,2,addr @stlvColumn
            
            mov @stlvColumn.pszText,offset COL4
            mov @stlvColumn.lx,100
            invoke SendDlgItemMessage,hWnd,IDC_LSV_IDD,LVM_INSERTCOLUMN,3,addr @stlvColumn
            
            mov @stlvColumn.pszText,offset COL5
            mov @stlvColumn.lx,100
            invoke SendDlgItemMessage,hWnd,IDC_LSV_IDD,LVM_INSERTCOLUMN,4,addr @stlvColumn
            
            mov @stlvColumn.pszText,offset COL6
            mov @stlvColumn.lx,100
            invoke SendDlgItemMessage,hWnd,IDC_LSV_IDD,LVM_INSERTCOLUMN,5,addr @stlvColumn
        ret
InitImportList    endp

ImportProc proc hWnd,Msg,wParam,lParam
        mov eax,Msg
        cmp eax,WM_CLOSE
        jz EXIT
        cmp eax,WM_INITDIALOG
        jz INIT
        cmp eax,WM_NOTIFY
        jz Notify
        jmp @F

Notify:
            pushad
            mov    eax,wParam
            mov    ebx,lParam
            .if    ax == IDC_LSV_IDD                
                assume ebx:ptr NMHDR
                .if [ebx].code == LVN_ITEMCHANGED
                    assume ebx:ptr NM_LISTVIEW
                    .if [ebx].uNewState
                    invoke    showFun,hWnd,[ebx].iItem
                        
                    .endif
                .endif            
            .endif
            assume ebx:nothing
            popad
            ret
EXIT:
        invoke EndDialog,hWnd,NULL
        xor eax,eax
        inc eax
        ret
INIT:
        ;show section data 
        push hWnd
        call InitImportList
        push hWnd
        call InitImportList2
        push hWnd
        call showIATIDD
        xor eax,eax
        inc eax
        ret
@@:        xor eax,eax
        ret
ImportProc endp
end

 

 关于界面 (About.asm)  

 

.386
.model flat,stdcall
option casemap:none

;Description : PE INFO Tools
;FileDescriptin :  About Dialog File
;Authors:      zhujian
;City:         changsha
;date:         2009/1/21


include WINDOWS.INC
include user32.inc
include kernel32.inc

includelib user32.lib
includelib kernel32.lib



.code

AboutProc proc hWnd,Msg,wParam,lParam
        mov eax,Msg
        cmp eax,WM_CLOSE
        jnz s
            invoke EndDialog,hWnd,NULL
        xor eax,eax
        inc eax
        ret
s:        xor eax,eax
        ret
AboutProc endp
end

 MAKEFILE 文件

EXE = PEInfo.exe
OBJS = PEInfo.obj About.obj Section.obj Import.obj
RES = dlgMain.res

LINK_FLAG = /subsystem:windows
ML_FLAG = /c /coff

$(EXE):$(OBJS) $(RES)
    Link $(LINK_FLAG) $(OBJS) $(RES)

.asm.obj:
    Ml $(ML_FLAG) $<

.rc.res:
    rc $<

clean:
    del *.obj
    del *.res
   

 参考《加密技术内幕》和Herx兄部分代码，难免不足之处，请见谅。

                                                                                               作者：朱剑