/// Exercise driver for the process-inspection helpers.
///
/// Enumerates all processes, resolves the process named "notepad++.exe",
/// dumps its modules, memory regions and threads, suspends it for one
/// second and resumes it, scans it for a three-byte pattern, and finally
/// prints its remote base address, DOS header and NT header. All output
/// goes through the Print* helpers and one printf.
///
/// NOTE(review): dwTargetPid is only checked by the Print* helpers; if
/// GetPidProcess signals "not found" (presumably by returning 0 -- verify),
/// every later call is still made with that value.
void test(void)
{
    // Process enumeration.
    std::list<PROCESSENTRY32> processes = GetProcessList();
    PrintProcessList(processes);

    // Resolve the target process by image name.
    DWORD dwTargetPid = GetPidProcess("notepad++.exe");
    PrintPidProcess("notepad++.exe", dwTargetPid);

    // Loaded modules, memory layout and threads of the target.
    std::list<MODULEENTRY32> modules = GetModuleList(dwTargetPid);
    PrintModulesList(modules);
    std::list<MEMORY_BASIC_INFORMATION> regions = GetMemoryInformation(dwTargetPid);
    PrintMemoryInfo(regions);
    std::list<THREADENTRY32> threads = GetThreadsList(dwTargetPid);
    PrintThreadsInfo(threads);

    // Freeze every thread of the target for one second, then let it run again.
    SuspendAllThread(dwTargetPid);
    Sleep(1000);
    ResumeAllThread(dwTargetPid);

    // Pattern scan over the target's memory.
    std::list<LPCVOID> matches = ScanPattern("\x42\x42\x42", 3, dwTargetPid);
    PrintPatternMatch(matches);

    // Image base and PE headers of the target.
    DWORD dwBaseAddress = GetRemoteBaseAddress(dwTargetPid);
    printf("BaseAddress = %08X\n", dwBaseAddress);
    IMAGE_DOS_HEADER dosHeader = GetDosHeader(dwTargetPid);
    PrintDosHeader(&dosHeader);
    IMAGE_NT_HEADERS ntHeader = GetNTHeader(dwTargetPid);
    PrintNTHeader(&ntHeader);
}
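/// Strips section `nSection` from the PE image mapped at `pMap`, compacting
/// the section table and the raw section data in place.
///
/// @param pMap     Start of the in-memory copy of the PE file (modified in place).
/// @param dwFsize  Size in bytes of the mapping at `pMap`.
/// @param nSection Zero-based index of the section to remove.
/// @return The new file size in bytes, or 0 when nothing was changed: the
///         index is out of range, the image has only one section, or a
///         section header describes raw data outside the mapping.
///
/// Section 0 is special-cased: its header stays in the table with
/// SizeOfRawData set to 0 (the section count is restored), only its raw
/// bytes are removed. For any other section the previous section absorbs
/// its virtual range and the table entry is removed.
///
/// Fixes relative to the previous version: dwNewFsize was returned
/// uninitialized for a non-last section with SizeOfRawData == 0; both
/// in-place shifts used memcpy on overlapping ranges; header offsets were
/// trusted, so a hostile PointerToRawData/SizeOfRawData made the copy
/// length underflow.
DWORD StripSection(void * pMap, DWORD dwFsize, DWORD nSection)
{
    IMAGE_NT_HEADERS * pNTH = GetNTHeader(pMap);
    // NOTE(review): assumes GetNTHeader returns a usable header for pMap;
    // its failure behaviour is not visible here.

    // Section doesn't exist / only one section: nothing to strip.
    if (nSection >= pNTH->FileHeader.NumberOfSections || pNTH->FileHeader.NumberOfSections == 1)
        return 0;

    unsigned char * const pBase = static_cast<unsigned char *>(pMap);
    IMAGE_SECTION_HEADER * const pSHC = IMAGE_FIRST_SECTION(pNTH); // section table start
    IMAGE_SECTION_HEADER * pSH = &pSHC[nSection];                  // section to delete
    const WORD nOrigSections = pNTH->FileHeader.NumberOfSections;
    const bool bLastSection = (nSection == static_cast<DWORD>(nOrigSections - 1));

    // Unless bytes are actually removed below, the file size is unchanged.
    DWORD dwNewFsize = dwFsize;
    DWORD Diff = 0;

    // Section header fields come from the file and are untrusted: validate
    // every offset against the mapping before anything is mutated.
    if (bLastSection) {
        if (pSH->PointerToRawData > dwFsize)
            return 0; // truncation point lies beyond the mapping
    } else if (pSH->SizeOfRawData != 0) {
        Diff = AlignUp(pSH->SizeOfRawData, HDR3264(pNTH, OptionalHeader.FileAlignment));
        if (pSH->PointerToRawData > dwFsize || Diff > dwFsize - pSH->PointerToRawData)
            return 0; // raw data would extend past the end of the mapping
    }

    pNTH->FileHeader.NumberOfSections--;

    if (bLastSection) {
        // Last section -> truncate the file at the section's raw-data start.
        dwNewFsize = pSH->PointerToRawData;

        // SizeOfImage now ends with the previous section.
        pSH--;
        const DWORD dwImageEnd = pSH->Misc.PhysicalAddress
            ? pSH->VirtualAddress + pSH->Misc.VirtualSize
            : pSH->VirtualAddress + pSH->SizeOfRawData; // WATCOM is always a bit special >:-)
        if (IsPE64(pNTH))
            reinterpret_cast<IMAGE_NT_HEADERS64 *>(pNTH)->OptionalHeader.SizeOfImage = dwImageEnd;
        else
            reinterpret_cast<IMAGE_NT_HEADERS32 *>(pNTH)->OptionalHeader.SizeOfImage = dwImageEnd;
    } else {
        if (pSH->SizeOfRawData != 0) {
            dwNewFsize = dwFsize - Diff;

            // Move the raw data of every later section down over this one.
            // The ranges overlap whenever more than Diff bytes follow, so
            // memmove is required here.
            memmove(pBase + pSH->PointerToRawData,
                    pBase + pSH->PointerToRawData + Diff,
                    dwFsize - pSH->PointerToRawData - Diff);

            // Rebase every raw-data pointer that lay after the removed data.
            // All original headers (including the one being removed) are visited.
            for (unsigned int i = 0; i < nOrigSections; i++) {
                if (pSHC[i].PointerToRawData >= pSH->PointerToRawData + Diff)
                    pSHC[i].PointerToRawData -= Diff;
            }
        }

        // Fix the section header table.
        if (nSection == 0) {
            // The first header is kept in place with its raw data stripped;
            // the section count is restored accordingly.
            pSH->SizeOfRawData = 0;
            pNTH->FileHeader.NumberOfSections++;
        } else {
            // Fold the removed virtual range into the previous section and
            // close the gap in the table (overlapping shift -> memmove).
            (pSH - 1)->Misc.VirtualSize += pSH->Misc.VirtualSize;
            memmove(pSH, pSH + 1,
                    sizeof(IMAGE_SECTION_HEADER) * (pNTH->FileHeader.NumberOfSections - nSection));
        }
    }

    if (nSection != 0) {
        // Zero-fill the now-unused last header slot.
        pSH = IMAGE_FIRST_SECTION(pNTH);
        memset(&pSH[pNTH->FileHeader.NumberOfSections], 0, sizeof(IMAGE_SECTION_HEADER));
    }
    return dwNewFsize;
}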