-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathPETool.cpp
More file actions
79 lines (68 loc) · 2.46 KB
/
PETool.cpp
File metadata and controls
79 lines (68 loc) · 2.46 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
// PETool.cpp: implementation of the PETool class.
//
//////////////////////////////////////////////////////////////////////
#include "stdafx.h"
#include "PETool.h"
//////////////////////////////////////////////////////////////////////
// 加载、处理 PE
//////////////////////////////////////////////////////////////////////
PETool::PETool()
{
} //TODO
PETool::~PETool()
{
if(this->imageTable.FileBuffer != NULL)
free(this->imageTable.FileBuffer);
if(this->imageTable.ImageBuffer != NULL)
free(this->imageTable.ImageBuffer);
}
void PETool::analysis(_IMAGE_ADR_TABLE &imageTable)
{
//解析PE
imageTable.lpDosHeader = ( _IMAGE_DOS_HEADER *)imageTable.FileBuffer;
imageTable.Signature = *(DWORD*)((CHAR*)this->imageTable.FileBuffer + imageTable.lpDosHeader->e_lfanew);
imageTable.lpFileHeader = (_IMAGE_FILE_HEADER *)((CHAR*)this->imageTable.FileBuffer + imageTable.lpDosHeader->e_lfanew + sizeof(DWORD));
imageTable.lpOptionHeader = (_IMAGE_OPTIONAL_HEADER *)((CHAR*)imageTable.lpFileHeader + sizeof(_IMAGE_FILE_HEADER));
/*
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b
*/
//TODO
/*
if(imageTable.lpOptionHeader->Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)//如果打开的文件是64位文件
{
imageTable.lpOptionHeader64 = (_IMAGE_OPTIONAL_HEADER64 *)((CHAR*)imageTable.lpFileHeader + sizeof(_IMAGE_FILE_HEADER));
imageTable.lpOptionHeader = NULL;
}*/
imageTable.lpSectionHeader = (_IMAGE_SECTION_HEADER *)((CHAR*)this->imageTable.FileBuffer + imageTable.lpDosHeader->e_lfanew + sizeof(DWORD) + sizeof(_IMAGE_FILE_HEADER) + imageTable.lpFileHeader->SizeOfOptionalHeader);
}
void PETool::newPEImageTable(_IMAGE_ADR_TABLE &newImageTable)
{
//创建_IMAGE_ADR_TABLE副本
analysis(newImageTable);
}
//rva转换为foa
void* PETool::rvaToFoa(DWORD rva)
{
DWORD foa;
_IMAGE_SECTION_HEADER *lpSectionHeader = this->imageTable.lpSectionHeader;
if(rva <= this->imageTable.lpOptionHeader->SizeOfHeaders)
{
foa = rva + (DWORD)this->imageTable.FileBuffer;//RVA在pe头里
return (VOID *)foa;
}
for(int i = 0; i < this->imageTable.lpFileHeader->NumberOfSections; i++)
{
if((DWORD)rva - (DWORD)(lpSectionHeader + i)->VirtualAddress <= (lpSectionHeader + i)->Misc.VirtualSize)
{
//foa = fileBuffer + rva - va + raw;
foa = (DWORD)this->imageTable.FileBuffer + rva - (lpSectionHeader + i)->VirtualAddress + (lpSectionHeader + i)->PointerToRawData;
return (VOID *)foa;
}
}
}
void* PETool::foaToRva(DWORD foa)
{
//foa转换为rva
return 0;
}