讀取的字段都是一樣的,隻是一個直接從PE檔案中讀取,一個映射到記憶體後再讀取
1.檔案直接通路法
BOOL ReadOEPByFile(LPCTSTR szFileName)
{
HANDLE hFile;
hFile=CreateFile(szFileName,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_FLAG_SEQUENTIAL_SCAN,0);
if (INVALID_HANDLE_VALUE==hFile)
{
AfxMessageBox(_T("打開檔案失敗!"));
return FALSE;
}
DWORD dwOEP,cbRead;
IMAGE_DOS_HEADER dos_header[sizeof(IMAGE_DOS_HEADER)];//IMAGE_DOS_HEADER dos_header[1];
if (!ReadFile(hFile,dos_header,sizeof(IMAGE_DOS_HEADER),&cbRead,NULL))
{
AfxMessageBox(_T("讀取DOS頭部失敗!"));
CloseHandle(hFile);
return FALSE;
}
int nEntryPos=dos_header->e_lfanew+40;
SetFilePointer(hFile,nEntryPos,NULL,FILE_BEGIN);
if (!ReadFile(hFile,&dwOEP,sizeof(dwOEP),&cbRead,NULL))
{
CloseHandle(hFile);
return FALSE;
}
CloseHandle(hFile);
CString strOEP;
strOEP.Format(_T("OEP:0x%X"),dwOEP);
AfxMessageBox(strOEP);
return TRUE;
}
2.通過記憶體映射讀取
BOOL ReadOEPByMemory(LPCTSTR szFileName)
{
HANDLE hFile;
HANDLE hMapping;
PVOID pBaseAddr;
if ((hFile=CreateFile(szFileName,GENERIC_READ,FILE_SHARE_READ,
0,OPEN_EXISTING,FILE_FLAG_SEQUENTIAL_SCAN,0))==INVALID_HANDLE_VALUE)
{
AfxMessageBox(_T("打開檔案失敗!"));
return FALSE;
}
//建立記憶體映射檔案
if (!(hMapping=CreateFileMapping(hFile,0,PAGE_READONLY|SEC_COMMIT,0,0,0)))
{
AfxMessageBox(_T("Mapping failed."));
CloseHandle(hFile);
return FALSE;
}
//把檔案映像存入pBaseAddr
if (!(pBaseAddr=MapViewOfFile(hMapping,FILE_MAP_READ,0,0,0)))
{
AfxMessageBox(_T("View Failed."));
CloseHandle(hMapping);
CloseHandle(hFile);
return FALSE;
}
IMAGE_DOS_HEADER *dos_header=(IMAGE_DOS_HEADER *)pBaseAddr;
IMAGE_NT_HEADERS *nt_header=(IMAGE_NT_HEADERS *)((DWORD)pBaseAddr+dos_header->e_lfanew);
DWORD dwOEP=nt_header->OptionalHeader.AddressOfEntryPoint;
//清除記憶體映射和關閉檔案
UnmapViewOfFile(pBaseAddr);
CloseHandle(hMapping);
CloseHandle(hFile);
CString strOEP;
strOEP.Format(_T("OEP:0x%X"),dwOEP);
AfxMessageBox(strOEP);
return TRUE;
}
第二種方法要注意DOS STUP與PE頭不一定是緊挨着的,一定要通過(DWORD)pBaseAddr+dos_header->e_lfanew定位到IMAGE_NT_HEADERS
如果還要讀入口點的代碼或其它東西,把PAGE_READONLY|SEC_COMMIT換成PAGE_READONLY|SEC_COMMIT|SEC_IMAGE會給你帶來很大的便利
謝謝列甯。