void CCalc::OnEnChangeEdit2()
{
// TODO: If this is a RICHEDIT control, the control will not
// send this notification unless you override the CDialogEx::OnInitDialog()
// function and call CRichEditCtrl().SetEventMask()
// with the ENM_CHANGE flag ORed into the mask.
CString szRVA;
wchar_t *endPoint;
CEdit* edit_value = (CEdit*)this->GetDlgItem(IDC_EDIT2);
if (!edit_value->IsWindowEnabled())
{
return;
}
edit_value->GetWindowTextW(szRVA);
ULONGLONG ullRVA = wcstol(szRVA, &endPoint, 16);
if (ullRVA == 0)
{
return;
}
ULONGLONG ullOffset = RVA2Offset(ullRVA, lpFileImage, dwSize);
ULONGLONG ullVA = rVA2VA(ullRVA, lpFileImage, dwSize);
wchar_t szOffset[MAX_PATH] = { 0 };
wchar_t szVA[MAX_PATH] = { 0 };
_ui64tow_s(ullOffset, szOffset, MAX_PATH, 16);
_ui64tow_s(ullVA, szVA, MAX_PATH, 16);
this->SetDlgItemTextW(IDC_EDIT1, szVA);
this->SetDlgItemTextW(IDC_EDIT3, szOffset);
// TODO: Add your control notification handler code here
}
//EntryPoint
int main(int argc, char *argv[])
{
//Check CmdLine Param
if(argc !=2)
{
printf("Usage peview <FileName.exe>\n",argv[0]);
return 0;
}
//Opening File
hFile=CreateFile(argv[1],GENERIC_READ,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
if(hFile == INVALID_HANDLE_VALUE)
{
printf("[+]Error Opening File\n");
return 0;
}
//Getting FileSize
lowSize=GetFileSize(hFile,&highSize);
//Creating File Mapping
hMap=CreateFileMapping(hFile,NULL,PAGE_READONLY,highSize,lowSize,"MapFile");
if(hFile == NULL)
{
printf("[+]Error Creating FileMap Object\n");
return 0;
}
//Creating MapView in Memory
mapFile=MapViewOfFile(hMap,FILE_MAP_READ,0,0,0);
if(hFile == NULL)
{
printf("[+]Error Mapping File\n");
return 0;
}
//Intialising Value of PE Structres
peFile=(HMODULE)mapFile;
pDosHeader=(IMAGE_DOS_HEADER*)peFile;
pImageNTHeader=(IMAGE_NT_HEADERS*)((LPBYTE)peFile+pDosHeader->e_lfanew);
pFileheader=&pImageNTHeader->FileHeader;
pImageOptionalHeader=&pImageNTHeader->OptionalHeader;
sectionHeader=(IMAGE_SECTION_HEADER*)((LPBYTE)pImageOptionalHeader+pFileheader->SizeOfOptionalHeader);
//CopyMemory(&peMagic,(LPVOID)((LPBYTE)pImageNTHeader+0x06),2);
//Dumping PE File Characterisitcs
printf("==================================================================\n");
printf("PE FILE CHARACTERISTICS\n");
printf("==================================================================\n");
printf("Magic PE Bytes = %X\n",pDosHeader->e_magic);
printf("PE NT_SIGNATURE Bytes = %X\n",pImageNTHeader->Signature);
printf("Number of Sections = %d\n",pImageNTHeader->FileHeader.NumberOfSections);
printf("Time Stamp = %X\n",pFileheader->TimeDateStamp);
printf("Entry Point = %X\n",pImageOptionalHeader->AddressOfEntryPoint);
printf("Image Base = %X\n",pImageOptionalHeader->ImageBase);
printf("Image Size = %X\n",pImageOptionalHeader->SizeOfImage);
printf("Section Alignment = %X\n",pImageOptionalHeader->SectionAlignment);
printf("File Alignment = %X\n",pImageOptionalHeader->FileAlignment);
//Dumping PE File Data Directories
printf("==================================================================\n");
printf("DATA DIRECTORY\n");
printf("==================================================================\n");
for(i=0;i<15;i++)
{
if(pImageOptionalHeader->DataDirectory[i].Size !=0)
{
printf("Data Directory Name = %s\n",DataDirectoryNames[i]);
printf("Data Directory RVA = %X\n",pImageOptionalHeader->DataDirectory[i].VirtualAddress);
printf("Data Directory Size = %X\n",pImageOptionalHeader->DataDirectory[i].Size);
printf("------------------------------------------------------------------\n");
}
}
//Dumping PE File Section Table
printf("==================================================================\n");
printf("SECTION TABLE\n");
printf("==================================================================\n");
for(i=0;i<pFileheader->NumberOfSections;i++)
{
printf("Section Name = %s\n",sectionHeader->Name );
printf("Virtual Offset = %X\n",sectionHeader->VirtualAddress);
printf("Virtual Size = %X\n",sectionHeader->Misc.VirtualSize);
printf("Raw Offset = %X\n",sectionHeader->PointerToRawData );
printf("Raw Size = %X\n",sectionHeader->SizeOfRawData);
printf("Characteristics = %X\n",sectionHeader->Characteristics );
printf("------------------------------------------------------------------\n");
//sectionHeader=(IMAGE_SECTION_HEADER*)((LPBYTE)sectionHeader + 0x28);
sectionHeader++;
}
//Dumping PE File Imports
printf("==================================================================\n");
printf("IMPORT VIEWER\n");
printf("==================================================================\n");
RAW=RVA2Offset((char*)peFile,pImageOptionalHeader->DataDirectory[1].VirtualAddress);
importDLL=(IMAGE_IMPORT_DESCRIPTOR*)((DWORD)pDosHeader+RAW);
do
{
//Dumping PE File DLL Names
RAW=RVA2Offset((char*)peFile,importDLL->Name);
printf("DLL = %s\n",(DWORD)pDosHeader+RAW);
printf("------------------------------------------------------------------\n");
RAW=RVA2Offset((char*)peFile,importDLL->OriginalFirstThunk);
thunkData=(IMAGE_THUNK_DATA*)((DWORD)pDosHeader+RAW);
//Dumping DLL Functions
do
{
RAW=RVA2Offset((char*)peFile,(DWORD)thunkData->u1.AddressOfData);
importName=(IMAGE_IMPORT_BY_NAME*)((DWORD)pDosHeader+RAW);
printf("Function = %s\n",importName->Name);
thunkData++;
}while(thunkData->u1.AddressOfData != NULL);
importDLL++;
printf("------------------------------------------------------------------\n");
}while(importDLL->FirstThunk !=0);
CloseHandle(hFile);
CloseHandle(hMap);
return 0;
}
void Engine::GetPeInfo(std::string FilePath){
//PeInfo ProcessFunctionInfo;
//PEFunctions Functions;
//DLLcontainer cDLL;
IMAGE_DOS_HEADER* pDosHeader;
IMAGE_NT_HEADERS* pNtHeaders;
//IMAGE_SECTION_HEADER* pSectionHeader;
PIMAGE_IMPORT_DESCRIPTOR pImageImportData;
//PIMAGE_THUNK_DATA pImageThunkData;
PIMAGE_EXPORT_DIRECTORY pImageExportData;
ProcessFunctionInfo.Name = FilePath;
ProcessFunctionInfo.Func = &Functions;
void * FileHandle = CreateFile(FilePath.c_str(), GENERIC_READ, FILE_SHARE_READ, nullptr, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, nullptr);
if (FileHandle == INVALID_HANDLE_VALUE)
return;
void * FileMapping = CreateFileMapping(FileHandle, nullptr, PAGE_READONLY, 0, 0, nullptr);
void * MapView = MapViewOfFile(FileMapping, FILE_MAP_READ, 0, 0, 0);
pDosHeader = reinterpret_cast<IMAGE_DOS_HEADER*>(MapView);
pNtHeaders = reinterpret_cast<IMAGE_NT_HEADERS*>(((SIZE_T)(pDosHeader)) + pDosHeader->e_lfanew);
//Export Directory parsing
DWORD dwExportDirectory = RVA2Offset(MapView, pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
if (dwExportDirectory == 0)
{
return;
}
pImageExportData = (PIMAGE_EXPORT_DIRECTORY)((BYTE*)MapView + dwExportDirectory);
ULONG *addressoffunctions = (ULONG*)((BYTE*)pDosHeader + pImageExportData->AddressOfFunctions);
ULONG * addressofnames = (ULONG*)((BYTE*)pDosHeader + pImageExportData->AddressOfNames);
for (DWORD x = 0; x < pImageExportData -> NumberOfFunctions; x++)
{
//printf("%s\n", (BYTE*)pDosHeader + addressofnames[x]);
char buffer[MAX_PATH];
sprintf(buffer, "%s", (BYTE*)pDosHeader + addressofnames[x]);
ProcessFunctionInfo.Func->ExpFuncVec.push_back(buffer);
}
//Print Export Vector
//for (int i = 0; i < ProcessFunctionInfo.Func->ExpFuncVec.size(); i++){
//std::cout << ProcessFunctionInfo.Func->ExpFuncVec[i] << std::endl;
//}
//End Export Directory
//Import Directory Parsing
DWORD dwImportDirectory = RVA2Offset(MapView, pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
pImageImportData = (PIMAGE_IMPORT_DESCRIPTOR)( (BYTE*)MapView + dwImportDirectory);
//void * pThunk;
//void * dwThunk;
void * pDllName;
PBYTE pTDATA;
PBYTE pThunk;
PBYTE dwThunk;
PBYTE pAPIName;
DWORD dwAPIaddress;
// PIMAGE_THUNK_DATA thunkILT;
// PIMAGE_THUNK_DATA thunkIAT;
while (pImageImportData->Characteristics != 0)
{
pThunk = (PBYTE)MapView + pImageImportData->FirstThunk;
dwThunk = (PBYTE)pImageImportData->FirstThunk;
pTDATA = (PBYTE)MapView;
//thunkILT = (PIMAGE_THUNK_DATA)pImageImportData->OriginalFirstThunk;
//thunkIAT = (PIMAGE_THUNK_DATA)pImageImportData->FirstThunk;
if (pImageImportData->OriginalFirstThunk != 0)
{
//thunkILT
pTDATA += RVA2Offset(MapView, pImageImportData->OriginalFirstThunk);
}
else
{
//thunkIAT
pTDATA += RVA2Offset(MapView, pImageImportData->FirstThunk);
}
pDllName = (BYTE*)MapView + RVA2Offset(MapView, pImageImportData->Name);
//printf(" DLL Name: %s First Thunk: 0x%x \n\n", pDllName, pImageImportData->FirstThunk);
char buffer[MAX_PATH];
sprintf(buffer, "%s", pDllName);
cDLL.Name = buffer;
PIMAGE_THUNK_DATA pimage_thunk_data = (PIMAGE_THUNK_DATA)pTDATA;
while (pimage_thunk_data->u1.AddressOfData != 0){
dwAPIaddress = pimage_thunk_data->u1.AddressOfData;
if ((dwAPIaddress & IMAGE_ORDINAL_FLAG) == IMAGE_ORDINAL_FLAG)
{
//OrdinalFunctions - Don't include in our struct
dwAPIaddress &= 0x7FFFFFFF;
//printf("Proccess: 0x%x \n", dwAPIaddress);
//char buffer[MAX_PATH];
//sprintf(buffer, "0x%x", dwAPIaddress);
//cDLL.ImpFuncVec.push_back(buffer);
}
else
{
//Access the IMAGE_IMPORT_BY_NAME struct
//skip WORD Hint and get the Name pointer
pAPIName = (BYTE*)MapView + RVA2Offset(MapView, dwAPIaddress) + sizeof(WORD);
//printf("Proccess: %s\n", pAPIName);
char buffer[MAX_PATH];
sprintf(buffer, "%s", pAPIName);
cDLL.ImpFuncVec.push_back(buffer);
}
pThunk += 4;
pTDATA += 4;
pimage_thunk_data++;
}
Functions.ImpDllVec.push_back(cDLL);
pImageImportData++;
}
UnmapViewOfFile(MapView);
CloseHandle(FileMapping);
CloseHandle(FileHandle);
}
void CExportTable::PrintExport(PVOID lpImage, DWORD dwSize)
{
PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)lpImage;
PIMAGE_NT_HEADERS pNT = (PIMAGE_NT_HEADERS)((size_t)lpImage + pDos->e_lfanew);
PIMAGE_DATA_DIRECTORY pDir = nullptr;
if (isx64)
{
pDir = (PIMAGE_DATA_DIRECTORY)((size_t)&(pNT->OptionalHeader) + sizeof(DWORD)* 28);
}
else
{
pDir = pNT->OptionalHeader.DataDirectory;
}
PIMAGE_DATA_DIRECTORY pExportDir = &pDir[IMAGE_DIRECTORY_ENTRY_EXPORT];
if (pDir[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress == 0 || pDir[IMAGE_DIRECTORY_ENTRY_EXPORT].Size == 0)
{
MessageBox(L"无导出表!");
pDos = nullptr;
pNT = nullptr;
pDir = nullptr;
pExportDir = nullptr;
return;
}
ULONGLONG ullExportOffset = RVA2Offset(pExportDir->VirtualAddress, lpImage, dwSize);
PIMAGE_EXPORT_DIRECTORY pExport = (PIMAGE_EXPORT_DIRECTORY)(ullExportOffset + (size_t)lpImage);
if (pExport->Characteristics != 0)
{
MessageBox(L"导出表格式错误,无法解析!");
pDos = nullptr;
pNT = nullptr;
pDir = nullptr;
pExportDir = nullptr;
pExport = nullptr;
return;
}
ULONGLONG ullNameOffset = RVA2Offset(pExport->Name, lpImage, dwSize);
PCHAR pstrName = (PCHAR)(ullNameOffset + (size_t)lpImage);
ULONGLONG ullEATOffset = RVA2Offset(pExport->AddressOfFunctions, lpImage, dwSize);
ULONGLONG ullENTOffset = RVA2Offset(pExport->AddressOfNames, lpImage, dwSize);
ULONGLONG ullEOTOffset = RVA2Offset(pExport->AddressOfNameOrdinals, lpImage, dwSize);
PDWORD pEAT = (PDWORD)(ullEATOffset + (size_t)lpImage);
PDWORD pENT = (PDWORD)(ullENTOffset + (size_t)lpImage);
PWORD pEOT = (PWORD)(ullEOTOffset + (size_t)lpImage);
DWORD dwFunctionAddressCount = pExport->NumberOfFunctions;
DWORD dwNameCount = pExport->NumberOfNames;
wchar_t szName[MAX_PATH] = { 0 };
MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, pstrName, -1, szName, MAX_PATH);
CEdit* edit_value = (CEdit*)this->GetDlgItem(IDC_EDIT1);
edit_value->SetWindowTextW(szName);
size_t dwBase = pExport->Base;
wchar_t szBase[MAX_PATH] = { 0 };
wsprintf(szBase, L"%#08X", dwBase);
edit_value = (CEdit*)this->GetDlgItem(IDC_EDIT2);
edit_value->SetWindowTextW(szBase);
wchar_t szFunctionCount[MAX_PATH] = { 0 };
wsprintf(szFunctionCount, L"%#08X", dwFunctionAddressCount);
edit_value = (CEdit*)this->GetDlgItem(IDC_EDIT3);
edit_value->SetWindowTextW(szFunctionCount);
wchar_t szNameCount[MAX_PATH] = { 0 };
wsprintf(szNameCount, L"%#08X", dwNameCount);
edit_value = (CEdit*)this->GetDlgItem(IDC_EDIT4);
edit_value->SetWindowTextW(szNameCount);
wchar_t szFunctionTable[MAX_PATH] = { 0 };
wsprintf(szFunctionTable, L"%#08X", ullEATOffset);
edit_value = (CEdit*)this->GetDlgItem(IDC_EDIT5);
edit_value->SetWindowTextW(szFunctionTable);
wchar_t szNameTable[MAX_PATH] = { 0 };
wsprintf(szNameTable, L"%#08X", ullENTOffset);
edit_value = (CEdit*)this->GetDlgItem(IDC_EDIT6);
edit_value->SetWindowTextW(szNameTable);
wchar_t szOrdinalTable[MAX_PATH] = { 0 };
wsprintf(szOrdinalTable, L"%#08X", ullEOTOffset);
edit_value = (CEdit*)this->GetDlgItem(IDC_EDIT7);
edit_value->SetWindowTextW(szOrdinalTable);
for (DWORD Ordinal = 0; Ordinal < dwFunctionAddressCount; Ordinal++)
{
for (DWORD Index = 0; Index < dwNameCount; Index++)
{
if (pEOT[Index] == Ordinal)
{
ULONGLONG ullName = RVA2Offset(pENT[Index], lpImage, dwSize);
ULONGLONG ullAddr = pEAT[Ordinal];
ULONGLONG ullOrdinal = Ordinal + pExport->Base;
PCHAR pstrFunctionName = (PCHAR)(ullName + (size_t)lpImage);
wchar_t szAddr[MAX_PATH] = { 0 };
wchar_t szOrdinal[MAX_PATH] = { 0 };
wchar_t szFunctionName[MAX_PATH] = { 0 };
wsprintf(szAddr, L"%#08X", ullAddr);
wsprintf(szOrdinal, L"%#04X", ullOrdinal);
MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, pstrFunctionName, -1, szFunctionName, MAX_PATH);
m_ExportTable.Additem(Ordinal, 3, szOrdinal, szAddr, szFunctionName);
break;
}
if (Index == dwNameCount - 1)
{
ULONGLONG ullAddr = pEAT[Ordinal];
ULONGLONG ullOrdinal = Ordinal + pExport->Base;
wchar_t szAddr[MAX_PATH] = { 0 };
wchar_t szOrdinal[MAX_PATH] = { 0 };
wsprintf(szAddr, L"%#08X", ullAddr);
wsprintf(szOrdinal, L"%#04X", ullOrdinal);
m_ExportTable.Additem(Ordinal, 3, szOrdinal, szAddr, L"-");
}
}
}
}