PE第三课——区段表结构

课堂笔记

区段表其实上节课就已经讲过了:每个区段可以自定义名字,并且在 PE 里同时有内存地址偏移(RVA)和文件偏移。我们需要用宏 IMAGE_FIRST_SECTION 从 NT Headers 获取第一个 SectionHeader,再从 NT Headers 的 FileHeader 中获取区段数量 NumberOfSections。

然后就是根据结构体逐个打印区段信息了。

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
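int main(int argc, char **argv) {
    /*
     * Dump the MS-DOS header, the NT headers and the section table of a PE
     * file. The file content is treated as untrusted input: e_lfanew,
     * SizeOfOptionalHeader and NumberOfSections all come from the file, so
     * every header is bounds-checked against the bytes actually read before
     * it is dereferenced.
     *
     * argv[1], when given, overrides the hard-coded input path.
     * Returns 0 on success and 1 on any failure (the previous version
     * exited with status 0 even when the file could not be opened).
     */
    enum { READ_MAX = 0x10000 };
    const char *path = argc > 1 ? argv[1]
                                : "C:\\Users\\xia0ji233\\Desktop\\Home\\C++\\test.exe";
    int rc = 1;
    FILE *fd = NULL;

    char *buffer = malloc(READ_MAX);
    if (buffer == NULL) {
        perror("malloc fail");
        goto out;
    }
    fd = fopen(path, "rb");
    if (fd == NULL) {
        perror("NO such File");
        goto out;
    }

    /* Only the first READ_MAX bytes are read; that is enough for the headers
     * and the section table, which is all this program looks at. */
    size_t nread = fread(buffer, 1, READ_MAX, fd);
    if (nread < sizeof(IMAGE_DOS_HEADER)) {
        fprintf(stderr, "file too small for an MS-DOS header\n");
        goto out;
    }

    PIMAGE_DOS_HEADER pheader = (PIMAGE_DOS_HEADER)buffer;
    printf("MS-DOS INFO:\n");
    printf("MAGIC HEADER: ");
    fwrite(&pheader->e_magic, 2, 1, stdout);
    putchar(10);
    printf("PE OFFSET:%x\n", (unsigned)pheader->e_lfanew);

    /* e_lfanew is a signed 32-bit value from the file: a negative or oversized
     * offset would place the NT headers outside the buffer we filled. */
    if (pheader->e_magic != IMAGE_DOS_SIGNATURE || pheader->e_lfanew < 0 ||
        nread < sizeof(IMAGE_NT_HEADERS) ||
        (size_t)pheader->e_lfanew > nread - sizeof(IMAGE_NT_HEADERS)) {
        fprintf(stderr, "invalid or truncated PE headers\n");
        goto out;
    }

    printf("PE INFO:\n");
    PIMAGE_NT_HEADERS ReadNTHeaders = (PIMAGE_NT_HEADERS)(buffer + pheader->e_lfanew);

    printf("PE Magic Header:");
    fwrite(&ReadNTHeaders->Signature, 2, 1, stdout);
    putchar(10);
    if (ReadNTHeaders->Signature != IMAGE_NT_SIGNATURE) {
        fprintf(stderr, "missing PE signature\n");
        goto out;
    }

    printf("Standard Header info:");
    printf("Platform:");
    switch (ReadNTHeaders->FileHeader.Machine) {
    case IMAGE_FILE_MACHINE_I386:
        printf("I386");
        break;
    case IMAGE_FILE_MACHINE_IA64:
        printf("Intel 64");
        break;
    case IMAGE_FILE_MACHINE_AMD64:
        printf("AMD 64");
        break;
    default:
        printf("UNKnown Platform");
        break;
    }
    putchar(10);

    printf("Optional PE Header:");
    /* IMAGE_NT_HEADERS follows the layout of the build target (PE32 or
     * PE32+), so ImageBase may be 32 or 64 bits wide; widen it explicitly
     * rather than letting "%x" mismatch a 64-bit field. */
    printf("ImageBase:%08llx\n",
           (unsigned long long)ReadNTHeaders->OptionalHeader.ImageBase);

    PIMAGE_SECTION_HEADER ReadSectionHeader = IMAGE_FIRST_SECTION(ReadNTHeaders);
    PIMAGE_FILE_HEADER pFileHeader = &ReadNTHeaders->FileHeader;

    /* IMAGE_FIRST_SECTION skips SizeOfOptionalHeader bytes, a file-controlled
     * value, and NumberOfSections is file-controlled too: make sure the whole
     * table we are about to walk lies inside the bytes read. */
    size_t sec_off = (size_t)((char *)ReadSectionHeader - buffer);
    size_t sec_bytes = (size_t)pFileHeader->NumberOfSections * sizeof(IMAGE_SECTION_HEADER);
    if (sec_off > nread || sec_bytes > nread - sec_off) {
        fprintf(stderr, "section table extends past the bytes read\n");
        goto out;
    }

    for (WORD i = 0; i < pFileHeader->NumberOfSections; i++) {
        const IMAGE_SECTION_HEADER *sec = &ReadSectionHeader[i];
        /* Name is an 8-byte field with no guaranteed terminator. */
        printf("Name(区段名称):%.8s\n", sec->Name);
        printf("Voffset(起始的相对虚拟地址):%08X\n", sec->VirtualAddress);
        /* VSize is the in-memory size, RSize the on-disk size; the two fields
         * were previously printed under each other's label. */
        printf("VSize(区段大小):%08X\n", sec->Misc.VirtualSize);
        printf("ROffset(文件偏移):%08X\n", sec->PointerToRawData);
        printf("RSize(文件中区段大小):%08X\n", sec->SizeOfRawData);
        printf("标记(区段的属性):%08X\n\n", sec->Characteristics);
    }

    rc = 0;
    system("pause");

out:
    if (fd != NULL) {
        fclose(fd);
    }
    free(buffer);
    return rc;
}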

运行结果