C语言怎么获得进程的PE文件信息
一、打印 Sections 信息。下面的程序打印出 Windows Graphics Programming 1.1 中第三个程序 “Hello World Version 3: Create a Full-Screen Window” 生成的可执行文件中各节头(IMAGE_SECTION_HEADER)结构的字段信息。注意:该程序读取的是磁盘上的 PE 文件,而不是已加载到内存中的进程映像。
#include<stdio.h>
#include<windows.h>
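/* Path of the PE file whose section table is dumped. */
char *strPath = "C:/c1_hwv3/Debug/c1_hwv3.exe";

/*
 * Print every field of each IMAGE_SECTION_HEADER of the PE file at strPath.
 *
 * The file is treated as untrusted input: each read is checked, the MZ and
 * PE signatures are verified, and the section table is located through
 * SizeOfOptionalHeader taken from the file itself rather than through
 * sizeof(IMAGE_NT_HEADERS), which depends on how this program was built
 * (32- or 64-bit) and not on the file being inspected.
 *
 * Returns 0 on success, 1 if the file cannot be opened or is not a
 * well-formed PE image.
 */
int main()
{
    IMAGE_DOS_HEADER myDosHeader;
    IMAGE_FILE_HEADER myFileHeader;
    IMAGE_SECTION_HEADER mySectionHeader;
    DWORD dwSignature = 0;
    char szName[IMAGE_SIZEOF_SHORT_NAME + 1];
    int nSectionCount;
    int rc = 1;
    FILE *pFile;

    /* Read-only access is enough; the original "rb+" also requested write access. */
    pFile = fopen(strPath, "rb");
    if (pFile == NULL) {
        perror(strPath);
        return 1;
    }

    if (fread(&myDosHeader, sizeof(IMAGE_DOS_HEADER), 1, pFile) != 1 ||
        myDosHeader.e_magic != IMAGE_DOS_SIGNATURE ||
        myDosHeader.e_lfanew <= 0) {
        fprintf(stderr, "%s: missing or invalid DOS header\n", strPath);
        goto out;
    }

    /* e_lfanew points at the 4-byte "PE\0\0" signature that precedes the file header. */
    if (fseek(pFile, myDosHeader.e_lfanew, SEEK_SET) != 0 ||
        fread(&dwSignature, sizeof(DWORD), 1, pFile) != 1 ||
        dwSignature != IMAGE_NT_SIGNATURE) {
        fprintf(stderr, "%s: missing or invalid PE signature\n", strPath);
        goto out;
    }

    if (fread(&myFileHeader, sizeof(IMAGE_FILE_HEADER), 1, pFile) != 1) {
        fprintf(stderr, "%s: truncated file header\n", strPath);
        goto out;
    }

    /* The section table starts right after the optional header, whatever its size. */
    if (fseek(pFile, (long)myFileHeader.SizeOfOptionalHeader, SEEK_CUR) != 0) {
        fprintf(stderr, "%s: cannot seek to section table\n", strPath);
        goto out;
    }

    /*
     * Headers are read one at a time into a stack object, so no allocation is
     * sized by the file's NumberOfSections. This also removes the original
     * free() of a pointer that the loop had already advanced past the end of
     * the calloc() block.
     */
    nSectionCount = myFileHeader.NumberOfSections;
    for (int i = 0; i < nSectionCount; i++) {
        if (fread(&mySectionHeader, sizeof(IMAGE_SECTION_HEADER), 1, pFile) != 1) {
            fprintf(stderr, "%s: truncated section table\n", strPath);
            goto out;
        }

        /*
         * Name is 8 bytes and is not NUL-terminated when all 8 are used, so it
         * is copied into a terminated buffer; non-printable bytes are replaced
         * so a crafted file cannot emit control sequences to the console.
         */
        for (int j = 0; j < IMAGE_SIZEOF_SHORT_NAME; j++) {
            unsigned char ch = mySectionHeader.Name[j];
            szName[j] = (ch == 0 || (ch >= 0x20 && ch <= 0x7e)) ? (char)ch : '?';
        }
        szName[IMAGE_SIZEOF_SHORT_NAME] = '\0';

        printf("Name:%s\n", szName);
        /* PhysicalAddress and VirtualSize are two views of the same union member. */
        printf("union_PhysicalAddress:%08x\n", (unsigned)mySectionHeader.Misc.PhysicalAddress);
        printf("union_VirtualSize:%04x\n", (unsigned)mySectionHeader.Misc.VirtualSize);
        printf("VirtualAddress:%08x\n", (unsigned)mySectionHeader.VirtualAddress);
        printf("SizeOfRawData:%08x\n", (unsigned)mySectionHeader.SizeOfRawData);
        printf("PointerToRawData:%04x\n", (unsigned)mySectionHeader.PointerToRawData);
        printf("PointerToRelocations:%04x\n", (unsigned)mySectionHeader.PointerToRelocations);
        printf("PointerToLinenumbers:%04x\n", (unsigned)mySectionHeader.PointerToLinenumbers);
        printf("NumberOfRelocations:%04x\n", (unsigned)mySectionHeader.NumberOfRelocations);
        printf("NumberOfLinenumbers:%04x\n", (unsigned)mySectionHeader.NumberOfLinenumbers);
        printf("Charateristics:%04x\n", (unsigned)mySectionHeader.Characteristics);
    }
    rc = 0;

out:
    fclose(pFile);
    return rc;
}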
运行程序打印出如下信息
Name:.text
union_PhysicalAddress:00022350
union_VirtualSize:22350
VirtualAddress:00001000
SizeOfRawData:00023000
PointerToRawData:1000
PointerToRelocations:0000
PointerToLinenumbers:0000
NumberOfRelocations:0000
NumberOfLinenumbers:0000
Charateristics:60000020
Name:.rdata
union_PhysicalAddress:00001615
union_VirtualSize:1615
VirtualAddress:00024000
SizeOfRawData:00002000
PointerToRawData:24000
PointerToRelocations:0000
PointerToLinenumbers:0000
NumberOfRelocations:0000
NumberOfLinenumbers:0000
Charateristics:40000040
Name:.data
union_PhysicalAddress:00005650
union_VirtualSize:5650
VirtualAddress:00026000
SizeOfRawData:00004000
PointerToRawData:26000
PointerToRelocations:0000
PointerToLinenumbers:0000
NumberOfRelocations:0000
NumberOfLinenumbers:0000
Charateristics:c0000040
Name:.idata
union_PhysicalAddress:00000b23
union_VirtualSize:0b23
VirtualAddress:0002c000
SizeOfRawData:00001000
PointerToRawData:2a000
PointerToRelocations:0000
PointerToLinenumbers:0000
NumberOfRelocations:0000
NumberOfLinenumbers:0000
Charateristics:c0000040
Name:.reloc
union_PhysicalAddress:00000f00
union_VirtualSize:0f00
VirtualAddress:0002d000
SizeOfRawData:00001000
PointerToRawData:2b000
PointerToRelocations:0000
PointerToLinenumbers:0000
NumberOfRelocations:0000
NumberOfLinenumbers:0000
Charateristics:42000040
pe文件结构图:
再给大家分享一则:下面的示例尝试输出指定 PID 进程的 PE 头信息。代码并不完整,其中调用的 CopyPEFileToMem 未在本文给出。
#include <windows.h>
#include <psapi.h>   /* must follow windows.h */
#include <stdio.h>
#include <stdlib.h>
/* Array capacities. MAX_IMPDESC_NUM is not referenced by the code shown here. */
#define MAX_SECTION_NUM 16
#define MAX_IMPDESC_NUM 64

/* Heap handle; main() stores the result of GetProcessHeap() here. */
HANDLE hHeap;

/* Header pointers assigned by OutputPEInMem(). */
IMAGE_DOS_HEADER *pDosHeader;

/* DOS stub bookkeeping; not referenced by the code shown here. */
CHAR *pDosStub;
DWORD dwDosStubSize;
DWORD dwDosStubOffset;

/* NT, file and optional header pointers assigned by OutputPEInMem(). */
IMAGE_NT_HEADERS *pNtHeaders;
IMAGE_FILE_HEADER *pFileHeader;
/* NOTE(review): explicitly the 32-bit optional header type, so the listing presumably targets PE32 images - confirm. */
IMAGE_OPTIONAL_HEADER32 *pOptHeader;

/* Section table state; not referenced by the code shown here. */
IMAGE_SECTION_HEADER *pSecHeaders;
IMAGE_SECTION_HEADER *pSecHeader[MAX_SECTION_NUM];
WORD wSecNum;
BYTE *pSecData[MAX_SECTION_NUM];
DWORD dwSecSize[MAX_SECTION_NUM];

/* Not referenced by the code shown here. */
DWORD dwFileSize;
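/*
 * Print selected PE header fields of the main module of another process.
 *
 * hd  Process handle as returned by OpenProcess(). It must carry
 *     PROCESS_QUERY_INFORMATION and PROCESS_VM_READ access.
 *
 * A process handle is an opaque reference to a kernel object, not an address
 * in this process, so it must not be cast to a pointer and dereferenced (the
 * cast to DWORD would additionally truncate it on 64-bit builds). The headers
 * are instead copied out of the target with ReadProcessMemory() and validated
 * before any field is used.
 *
 * On success the file-scope pointers pDosHeader, pNtHeaders, pOptHeader and
 * pFileHeader refer to local copies of the target's headers. On any failure a
 * message is written to stderr and those pointers are left unchanged.
 *
 * NOTE(review): pOptHeader is a 32-bit optional header pointer, so this
 * listing appears to be meant for a 32-bit build inspecting a 32-bit
 * process - confirm.
 */
void OutputPEInMem(HANDLE hd)
{
    /* static: the file-scope pointers set below must stay valid after return. */
    static IMAGE_DOS_HEADER dosCopy;
    static IMAGE_NT_HEADERS ntCopy;
    HMODULE hMainModule = NULL;
    DWORD cbNeeded = 0;
    SIZE_T cbRead = 0;
    const BYTE *pRemoteBase;

    if (hd == NULL) {
        fprintf(stderr, "OutputPEInMem: invalid process handle\n");
        return;
    }

    /*
     * Ask for a single module. In practice the first entry reported is the
     * process's executable image, and its HMODULE value is the image base
     * address inside the target process.
     */
    if (!EnumProcessModules(hd, &hMainModule, sizeof(hMainModule), &cbNeeded) ||
        hMainModule == NULL) {
        fprintf(stderr, "EnumProcessModules failed: %lu\n", (unsigned long)GetLastError());
        return;
    }
    pRemoteBase = (const BYTE *)hMainModule;

    if (!ReadProcessMemory(hd, pRemoteBase, &dosCopy, sizeof(dosCopy), &cbRead) ||
        cbRead != sizeof(dosCopy)) {
        fprintf(stderr, "ReadProcessMemory(DOS header) failed: %lu\n", (unsigned long)GetLastError());
        return;
    }
    if (dosCopy.e_magic != IMAGE_DOS_SIGNATURE || dosCopy.e_lfanew <= 0) {
        fprintf(stderr, "OutputPEInMem: invalid DOS header\n");
        return;
    }

    if (!ReadProcessMemory(hd, pRemoteBase + dosCopy.e_lfanew, &ntCopy, sizeof(ntCopy), &cbRead) ||
        cbRead != sizeof(ntCopy)) {
        fprintf(stderr, "ReadProcessMemory(NT headers) failed: %lu\n", (unsigned long)GetLastError());
        return;
    }
    /* Reject images whose optional header layout differs from this build's IMAGE_NT_HEADERS. */
    if (ntCopy.Signature != IMAGE_NT_SIGNATURE ||
        ntCopy.OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC) {
        fprintf(stderr, "OutputPEInMem: invalid or unsupported NT headers\n");
        return;
    }

    pDosHeader = &dosCopy;
    pNtHeaders = &ntCopy;
    pOptHeader = &(pNtHeaders->OptionalHeader);
    pFileHeader = &(pNtHeaders->FileHeader);

    printf("AddressOfEntryPoint:0x%08x\n", (unsigned)pOptHeader->AddressOfEntryPoint);
    printf("ImageBase:0x%08x\n", (unsigned)pOptHeader->ImageBase);
    printf("NumberOfSections:%d\n", pFileHeader->NumberOfSections);
    printf("SizeOfImage:0x%04x\n", (unsigned)pOptHeader->SizeOfImage);
}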
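/*
 * Entry point: print PE header information for the process whose id is given
 * as the first command-line argument, then load "hello.exe" through
 * CopyPEFileToMem().
 *
 * CopyPEFileToMem() is not defined in this listing; it is called exactly as
 * the original did.
 *
 * Returns 0 on success, 1 on a usage error, if the process cannot be opened,
 * or if CopyPEFileToMem() reports failure.
 */
int main(int argc, char *argv[])
{
    LPCSTR lpszFileName = "hello.exe";
    HANDLE hd;
    DWORD pid;
    unsigned long ulParsed;
    char *pEnd = NULL;

    /* The original read argv[1] unconditionally, which is NULL when no argument is given. */
    if (argc < 2) {
        fprintf(stderr, "usage: <program> <pid>\n");
        return 1;
    }

    /* Accept only a plain decimal number; atoi() cannot report malformed input. */
    if (argv[1][0] < '0' || argv[1][0] > '9') {
        fprintf(stderr, "invalid pid: %s\n", argv[1]);
        return 1;
    }
    ulParsed = strtoul(argv[1], &pEnd, 10);
    if (pEnd == argv[1] || *pEnd != '\0' || ulParsed == 0) {
        fprintf(stderr, "invalid pid: %s\n", argv[1]);
        return 1;
    }
    pid = (DWORD)ulParsed;

    /*
     * Least privilege: reading headers needs only query and read access.
     * PROCESS_ALL_ACCESS asks for every right on the target and is refused
     * more often.
     */
    hd = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (hd == NULL) {
        fprintf(stderr, "OpenProcess(%lu) failed: %lu\n",
                (unsigned long)pid, (unsigned long)GetLastError());
        return 1;
    }

    OutputPEInMem(hd);
    /* The handle is not used after this point, so release it instead of leaking it. */
    CloseHandle(hd);

    hHeap = GetProcessHeap();
    if (!CopyPEFileToMem(lpszFileName)) {
        return 1;
    }
    return 0;
}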