18,356
社区成员
发帖
与我相关
我的任务
分享关于PE的问题,非高手无进来!
DWORD RVAToOffset(LPVOID lpBase,DWORD VirtualAddress)
{
IMAGE_DOS_HEADER *dosHeader;
IMAGE_NT_HEADERS *ntHeader;
IMAGE_SECTION_HEADER *SectionHeader;
int NumOfSections;
dosHeader=(IMAGE_DOS_HEADER*)lpBase;
ntHeader=(IMAGE_NT_HEADERS*)((BYTE*)lpBase+dosHeader->e_lfanew);
NumOfSections=ntHeader->FileHeader.NumberOfSections;
for (int i=0;i<NumOfSections;i++)
{
SectionHeader=(IMAGE_SECTION_HEADER*)((BYTE*)lpBase+dosHeader->e_lfanew+sizeof(IMAGE_NT_HEADERS))+i;
if(VirtualAddress>SectionHeader->VirtualAddress&&VirtualAddress<SectionHeader->VirtualAddress+SectionHeader->SizeOfRawData)
{
DWORD AposRAV=VirtualAddress-SectionHeader->VirtualAddress;
DWORD Offset=SectionHeader->PointerToRawData+AposRAV;
return Offset;
}
}
return 0;
}
{
IMAGE_DOS_HEADER *dosHeader;
IMAGE_NT_HEADERS *ntHeader;
IMAGE_SECTION_HEADER *SectionHeader;
int NumOfSections;
dosHeader=(IMAGE_DOS_HEADER*)lpBase;
ntHeader=(IMAGE_NT_HEADERS*)((BYTE*)lpBase+dosHeader->e_lfanew);
NumOfSections=ntHeader->FileHeader.NumberOfSections;
for (int i=0;i<NumOfSections;i++)
{
SectionHeader=(IMAGE_SECTION_HEADER*)((BYTE*)lpBase+dosHeader->e_lfanew+sizeof(IMAGE_NT_HEADERS))+i;
if(VirtualAddress>SectionHeader->VirtualAddress&&VirtualAddress<SectionHeader->VirtualAddress+SectionHeader->SizeOfRawData)
{
DWORD AposRAV=VirtualAddress-SectionHeader->VirtualAddress;
DWORD Offset=SectionHeader->PointerToRawData+AposRAV;
return Offset;
}
}
return 0;
}
...全文
请发表友善的回复…
发表回复
ccccj 2008-06-19
- 打赏
- 举报
算了,我给出全部源码,我就是上面那个函数看不懂
#include "stdafx.h"
#include <stdio.h>
#include <windows.h>
DWORD RVAToOffset(LPVOID lpBase,DWORD VirtualAddress)
{
IMAGE_DOS_HEADER *dosHeader;
IMAGE_NT_HEADERS *ntHeader;
IMAGE_SECTION_HEADER *SectionHeader;
int NumOfSections;
dosHeader=(IMAGE_DOS_HEADER*)lpBase;
ntHeader=(IMAGE_NT_HEADERS*)((BYTE*)lpBase+dosHeader->e_lfanew);
NumOfSections=ntHeader->FileHeader.NumberOfSections;
for (int i=0;i<NumOfSections;i++)
{
SectionHeader=(IMAGE_SECTION_HEADER*)((BYTE*)lpBase+dosHeader->e_lfanew+sizeof(IMAGE_NT_HEADERS))+i;
if(VirtualAddress>SectionHeader->VirtualAddress&&VirtualAddress<SectionHeader->VirtualAddress+SectionHeader->SizeOfRawData)
{
DWORD AposRAV=VirtualAddress-SectionHeader->VirtualAddress;
DWORD Offset=SectionHeader->PointerToRawData+AposRAV;
return Offset;
}
}
return 0;
}
int main(int argc, char* argv[])
{
//打开文件
HANDLE hFile=CreateFile(argv[1],GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
if(hFile==INVALID_HANDLE_VALUE)
{
printf("CreateFile Failed\n");
return 0;
}
//创建内存映射文件的内核对象
HANDLE hMap=CreateFileMapping(hFile,NULL,PAGE_READONLY,NULL,NULL,NULL);
if(hMap==INVALID_HANDLE_VALUE)
{
printf("CreateFileMapping Failed\n");
return 0;
}
//把文件映射入内存
LPVOID lpBase=MapViewOfFile(hMap,FILE_MAP_READ,0,0,0);
if(lpBase==NULL)
{
printf("MapViewOfFile Failed\n");
return 0;
}
IMAGE_DOS_HEADER *dosHeader;
IMAGE_NT_HEADERS *ntHeader;
IMAGE_IMPORT_BY_NAME *ImportName;
//lpBase由MapViewOfFile函数返回
dosHeader=(IMAGE_DOS_HEADER*)lpBase;
//检测是否是有效的PE文件
if (dosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
{
printf("This is not a windows file\n");
return 0;
}
//定位到PE header
ntHeader=(IMAGE_NT_HEADERS*)((BYTE*)lpBase+dosHeader->e_lfanew);
if(ntHeader->Signature!=IMAGE_NT_SIGNATURE)
{
printf("This is not a win32 file\n");
return 0;
}
//定位到导入表
IMAGE_IMPORT_DESCRIPTOR *ImportDec=(IMAGE_IMPORT_DESCRIPTOR*)((BYTE*)lpBase+RVAToOffset(lpBase,ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress));
while(ImportDec->FirstThunk)
{
//得到DLL文件名
char *pDllName=(char*)((BYTE*)lpBase+RVAToOffset(lpBase,ImportDec->Name));
printf("\nDLL文件名:%s\n",pDllName);
//通过OriginalFirstThunk定位到PIMAGE_THUNK_DATA结构数组
PIMAGE_THUNK_DATA pThunk=(PIMAGE_THUNK_DATA)((BYTE*)lpBase+RVAToOffset(lpBase,ImportDec->OriginalFirstThunk));
while(pThunk->u1.Function)
{
//判断函数是用函数名导入的还是序号导入的
if(pThunk->u1.Ordinal& IMAGE_ORDINAL_FLAG32)
{
//输出序号
printf("从此DLL模块导出的函数的序号:%x\n",pThunk->u1.Ordinal&0xFFFF);
}
else
{
//得到IMAGE_IMPORT_BY_NAME结构中的函数名
ImportName=(IMAGE_IMPORT_BY_NAME*)((BYTE*)lpBase+RVAToOffset(lpBase,(DWORD)pThunk->u1.AddressOfData));
printf("从此DLL模块导出的函数的函数名:%s\n",ImportName->Name);
}
pThunk++;
}
ImportDec++;
}
UnmapViewOfFile(lpBase);
CloseHandle(hMap);
CloseHandle(hFile);
return 0;
}
#include "stdafx.h"
#include <stdio.h>
#include <windows.h>
DWORD RVAToOffset(LPVOID lpBase,DWORD VirtualAddress)
{
IMAGE_DOS_HEADER *dosHeader;
IMAGE_NT_HEADERS *ntHeader;
IMAGE_SECTION_HEADER *SectionHeader;
int NumOfSections;
dosHeader=(IMAGE_DOS_HEADER*)lpBase;
ntHeader=(IMAGE_NT_HEADERS*)((BYTE*)lpBase+dosHeader->e_lfanew);
NumOfSections=ntHeader->FileHeader.NumberOfSections;
for (int i=0;i<NumOfSections;i++)
{
SectionHeader=(IMAGE_SECTION_HEADER*)((BYTE*)lpBase+dosHeader->e_lfanew+sizeof(IMAGE_NT_HEADERS))+i;
if(VirtualAddress>SectionHeader->VirtualAddress&&VirtualAddress<SectionHeader->VirtualAddress+SectionHeader->SizeOfRawData)
{
DWORD AposRAV=VirtualAddress-SectionHeader->VirtualAddress;
DWORD Offset=SectionHeader->PointerToRawData+AposRAV;
return Offset;
}
}
return 0;
}
int main(int argc, char* argv[])
{
//打开文件
HANDLE hFile=CreateFile(argv[1],GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
if(hFile==INVALID_HANDLE_VALUE)
{
printf("CreateFile Failed\n");
return 0;
}
//创建内存映射文件的内核对象
HANDLE hMap=CreateFileMapping(hFile,NULL,PAGE_READONLY,NULL,NULL,NULL);
if(hMap==INVALID_HANDLE_VALUE)
{
printf("CreateFileMapping Failed\n");
return 0;
}
//把文件映射入内存
LPVOID lpBase=MapViewOfFile(hMap,FILE_MAP_READ,0,0,0);
if(lpBase==NULL)
{
printf("MapViewOfFile Failed\n");
return 0;
}
IMAGE_DOS_HEADER *dosHeader;
IMAGE_NT_HEADERS *ntHeader;
IMAGE_IMPORT_BY_NAME *ImportName;
//lpBase由MapViewOfFile函数返回
dosHeader=(IMAGE_DOS_HEADER*)lpBase;
//检测是否是有效的PE文件
if (dosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
{
printf("This is not a windows file\n");
return 0;
}
//定位到PE header
ntHeader=(IMAGE_NT_HEADERS*)((BYTE*)lpBase+dosHeader->e_lfanew);
if(ntHeader->Signature!=IMAGE_NT_SIGNATURE)
{
printf("This is not a win32 file\n");
return 0;
}
//定位到导入表
IMAGE_IMPORT_DESCRIPTOR *ImportDec=(IMAGE_IMPORT_DESCRIPTOR*)((BYTE*)lpBase+RVAToOffset(lpBase,ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress));
while(ImportDec->FirstThunk)
{
//得到DLL文件名
char *pDllName=(char*)((BYTE*)lpBase+RVAToOffset(lpBase,ImportDec->Name));
printf("\nDLL文件名:%s\n",pDllName);
//通过OriginalFirstThunk定位到PIMAGE_THUNK_DATA结构数组
PIMAGE_THUNK_DATA pThunk=(PIMAGE_THUNK_DATA)((BYTE*)lpBase+RVAToOffset(lpBase,ImportDec->OriginalFirstThunk));
while(pThunk->u1.Function)
{
//判断函数是用函数名导入的还是序号导入的
if(pThunk->u1.Ordinal& IMAGE_ORDINAL_FLAG32)
{
//输出序号
printf("从此DLL模块导出的函数的序号:%x\n",pThunk->u1.Ordinal&0xFFFF);
}
else
{
//得到IMAGE_IMPORT_BY_NAME结构中的函数名
ImportName=(IMAGE_IMPORT_BY_NAME*)((BYTE*)lpBase+RVAToOffset(lpBase,(DWORD)pThunk->u1.AddressOfData));
printf("从此DLL模块导出的函数的函数名:%s\n",ImportName->Name);
}
pThunk++;
}
ImportDec++;
}
UnmapViewOfFile(lpBase);
CloseHandle(hMap);
CloseHandle(hFile);
return 0;
}
rageliu 2008-06-19
- 打赏
- 举报
pe格式的问题,看名字rva va...已经说明大概意思,网上讲pe格式的资料比较多了
僵哥 2008-06-19
- 打赏
- 举报
如果没错的话,应该是:
SectionHeader=(IMAGE_SECTION_HEADER*)((BYTE*)lpBase+dosHeader->e_lfanew+sizeof(IMAGE_NT_HEADERS))+i*IMAGE_SECTION_HEADER;
SectionHeader=(IMAGE_SECTION_HEADER*)((BYTE*)lpBase+dosHeader->e_lfanew+sizeof(IMAGE_NT_HEADERS))+i*IMAGE_SECTION_HEADER;
僵哥 2008-06-19
- 打赏
- 举报
另外,我想知道的是,你这代码哪来的?
SectionHeader=(IMAGE_SECTION_HEADER*)((BYTE*)lpBase+dosHeader->e_lfanew+sizeof(IMAGE_NT_HEADERS))+i;
这个+i有什么意义?每次只是加一个字节的偏移...
SectionHeader=(IMAGE_SECTION_HEADER*)((BYTE*)lpBase+dosHeader->e_lfanew+sizeof(IMAGE_NT_HEADERS))+i;
这个+i有什么意义?每次只是加一个字节的偏移...
ccccj 2008-06-19
- 打赏
- 举报
这个返回值Offset的代表什么?????
僵哥 2008-06-19
- 打赏
- 举报
不知道你要问什么,看来只有等高手了。
