
兩種方法擷取檔案OEP

讀取的字段都是一樣的(IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint,它是相對於映像基底ImageBase的RVA,不是絕對位址),只是一個直接從PE檔案中讀取,一個映射到記憶體後再讀取。

1.檔案直接通路法

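// Reads exactly cbWanted bytes from hFile at absolute file offset llOffset.
// Returns FALSE on a seek failure, a read failure or a short read, so the
// caller never consumes uninitialised bytes from a truncated file.
static BOOL ReadExactAt(HANDLE hFile, LONGLONG llOffset, void *pBuffer, DWORD cbWanted)
{
	LARGE_INTEGER liPos;
	liPos.QuadPart = llOffset;
	if (!SetFilePointerEx(hFile, liPos, NULL, FILE_BEGIN))
		return FALSE;
	DWORD cbRead = 0;
	if (!ReadFile(hFile, pBuffer, cbWanted, &cbRead, NULL))
		return FALSE;
	return cbRead == cbWanted;
}

/*
 * Method 1: read the entry point straight from the PE file on disk.
 *
 * Layout relied on (identical for PE32 and PE32+):
 *   IMAGE_DOS_HEADER.e_lfanew -> file offset of IMAGE_NT_HEADERS
 *   IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint
 *     = e_lfanew + 4 (Signature) + 20 (IMAGE_FILE_HEADER) + 16 = e_lfanew + 40
 * The 40 is derived with FIELD_OFFSET instead of being hard-coded.
 *
 * szFileName: path of the PE file to inspect.
 * Returns TRUE after showing "OEP:0x..." (an RVA, not an absolute address)
 * in a message box; FALSE, after a message box, when the file cannot be
 * opened, is truncated, or does not carry the "MZ" / "PE\0\0" signatures.
 *
 * e_lfanew is read from the file itself and is therefore untrusted: it is
 * checked before being used as a seek offset so a malformed file yields an
 * error instead of a bogus OEP.
 */
BOOL ReadOEPByFile(LPCTSTR szFileName)
{
	HANDLE hFile = CreateFile(szFileName, GENERIC_READ, FILE_SHARE_READ, NULL,
		OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, NULL);
	if (INVALID_HANDLE_VALUE == hFile)
	{
		AfxMessageBox(_T("打開檔案失敗!"));
		return FALSE;
	}

	// A single DOS header; the original declared an array of
	// sizeof(IMAGE_DOS_HEADER) headers and only ever used element 0.
	IMAGE_DOS_HEADER dos_header;
	if (!ReadExactAt(hFile, 0, &dos_header, sizeof(dos_header)))
	{
		AfxMessageBox(_T("讀取DOS頭部失敗!"));
		CloseHandle(hFile);
		return FALSE;
	}

	// "MZ" must be present, and e_lfanew (a LONG) must not be negative,
	// otherwise the seek below would fail or land on unrelated bytes.
	if (dos_header.e_magic != IMAGE_DOS_SIGNATURE || dos_header.e_lfanew < 0)
	{
		AfxMessageBox(_T("不是有效的PE檔案!"));
		CloseHandle(hFile);
		return FALSE;
	}

	// "PE\0\0" must sit at e_lfanew. A short read here also rejects files
	// whose e_lfanew points beyond the end of the file.
	const LONGLONG llNtHeaders = dos_header.e_lfanew;
	DWORD dwSignature = 0;
	if (!ReadExactAt(hFile, llNtHeaders + FIELD_OFFSET(IMAGE_NT_HEADERS, Signature),
			&dwSignature, sizeof(dwSignature)) ||
		dwSignature != IMAGE_NT_SIGNATURE)
	{
		AfxMessageBox(_T("不是有效的PE檔案!"));
		CloseHandle(hFile);
		return FALSE;
	}

	// AddressOfEntryPoint lives at e_lfanew + 40 for both PE32 and PE32+.
	const LONGLONG llEntryPos =
		llNtHeaders + FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader.AddressOfEntryPoint);
	DWORD dwOEP = 0;
	if (!ReadExactAt(hFile, llEntryPos, &dwOEP, sizeof(dwOEP)))
	{
		AfxMessageBox(_T("讀取入口點失敗!"));
		CloseHandle(hFile);
		return FALSE;
	}
	CloseHandle(hFile);

	CString strOEP;
	strOEP.Format(_T("OEP:0x%X"), dwOEP);
	AfxMessageBox(strOEP);
	return TRUE;
}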
           

2.通過記憶體映射讀取

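/*
 * Method 2: map the file into memory and read the entry point through the
 * mapping (plain data mapping, SEC_COMMIT, so the view mirrors the file
 * layout, not the loaded-image layout).
 *
 * szFileName: path of the PE file to inspect.
 * Returns TRUE after showing "OEP:0x..." (an RVA, not an absolute address)
 * in a message box; FALSE, after a message box, when the file cannot be
 * opened or mapped, is too small, or does not carry the "MZ" / "PE\0\0"
 * signatures.
 *
 * The view is only as large as the file, and e_lfanew comes from the file,
 * so every offset is checked against the file size before it is
 * dereferenced: an unchecked e_lfanew on a crafted file would read past the
 * end of the mapping and fault.
 */
BOOL ReadOEPByMemory(LPCTSTR szFileName)
{
	HANDLE hFile = CreateFile(szFileName, GENERIC_READ, FILE_SHARE_READ,
		NULL, OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, NULL);
	if (hFile == INVALID_HANDLE_VALUE)
	{
		AfxMessageBox(_T("打開檔案失敗!"));
		return FALSE;
	}

	// The file must at least hold a full DOS header before we touch it.
	LARGE_INTEGER liSize;
	if (!GetFileSizeEx(hFile, &liSize) ||
		liSize.QuadPart < (LONGLONG)sizeof(IMAGE_DOS_HEADER))
	{
		AfxMessageBox(_T("不是有效的PE檔案!"));
		CloseHandle(hFile);
		return FALSE;
	}

	// Create the read-only file mapping object.
	HANDLE hMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY | SEC_COMMIT, 0, 0, NULL);
	if (!hMapping)
	{
		AfxMessageBox(_T("Mapping failed."));
		CloseHandle(hFile);
		return FALSE;
	}

	// Map the whole file; pBaseAddr is the start of the file image.
	PVOID pBaseAddr = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);
	if (!pBaseAddr)
	{
		AfxMessageBox(_T("View Failed."));
		CloseHandle(hMapping);
		CloseHandle(hFile);
		return FALSE;
	}

	BOOL bValid = FALSE;
	DWORD dwOEP = 0;
	const IMAGE_DOS_HEADER *dos_header = (const IMAGE_DOS_HEADER *)pBaseAddr;

	// Only the header bytes up to and including AddressOfEntryPoint are
	// read; that offset is the same for PE32 and PE32+.
	const LONGLONG cbNeeded =
		FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader.AddressOfEntryPoint) + sizeof(DWORD);

	// Reject a missing "MZ", a negative e_lfanew, and an e_lfanew that would
	// place the bytes we read beyond the end of the mapping.
	if (dos_header->e_magic == IMAGE_DOS_SIGNATURE &&
		dos_header->e_lfanew >= 0 &&
		(LONGLONG)dos_header->e_lfanew + cbNeeded <= liSize.QuadPart)
	{
		// Byte arithmetic on a BYTE pointer: casting the base to DWORD, as
		// the original did, truncates the pointer in a 64-bit build.
		const IMAGE_NT_HEADERS *nt_header =
			(const IMAGE_NT_HEADERS *)((const BYTE *)pBaseAddr + dos_header->e_lfanew);
		if (nt_header->Signature == IMAGE_NT_SIGNATURE)
		{
			dwOEP = nt_header->OptionalHeader.AddressOfEntryPoint;
			bValid = TRUE;
		}
	}

	// Tear down the view and the mapping, then close the file.
	UnmapViewOfFile(pBaseAddr);
	CloseHandle(hMapping);
	CloseHandle(hFile);

	if (!bValid)
	{
		AfxMessageBox(_T("不是有效的PE檔案!"));
		return FALSE;
	}

	CString strOEP;
	strOEP.Format(_T("OEP:0x%X"), dwOEP);
	AfxMessageBox(strOEP);
	return TRUE;
}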
           

第二種方法要注意DOS Stub與PE頭不一定是緊挨着的,一定要通過(PBYTE)pBaseAddr+dos_header->e_lfanew定位到IMAGE_NT_HEADERS(不要把指標轉成DWORD再相加,在64位程式中指標會被截斷)。另外e_lfanew是從檔案裡讀出來的不可信資料,使用前必須先檢查它不為負,而且加上要讀取的頭部長度後不超過檔案大小,否則畸形檔案會讓程式讀到映射之外而崩潰。

如果還要讀入口點的代碼或其它東西,把PAGE_READONLY|SEC_COMMIT換成PAGE_READONLY|SEC_IMAGE會給你帶來很大的便利:系統會按載入器的方式把各節映射到它們的虛擬位址,RVA(例如AddressOfEntryPoint)可以直接加在基底位址上使用。注意依CreateFileMapping的文件說明,SEC_IMAGE不能和SEC_COMMIT等其它屬性組合,而且檔案必須是合法的可執行映像,否則CreateFileMapping會失敗。

謝謝列甯。