网站开发岗位,建设网站利用点击量赚钱,酒泉网站建设优化,在四川省住房和城乡建设厅网站上查尝试解析PE文件结构, 于是编写了此PE信息助手类, 暂时完成如下信息解析
1.导入表信息
2.导入表信息
3.资源表信息 CPEHelper.h
#pragma once//
// brief: PE文件解析助手类
// copyright: Copyright 2024 FlameCyclone
// license:
// birth: Created by Visual Studio 20…尝试解析PE文件结构, 于是编写了此PE信息助手类, 暂时完成如下信息解析
1.导入表信息
2.导入表信息
3.资源表信息 CPEHelper.h
#pragma once//
// brief: PE文件解析助手类
// copyright: Copyright 2024 FlameCyclone
// license:
// birth: Created by Visual Studio 2022 on 2024-02-04
// version: V1.0.0
// revision: last revised by FlameCyclone on 2024-02-04
//#include stdint.h
#include wtypesbase.h
#include windows.h
#include string
#include vector
#include map#ifdef _UNICODE
using _tstring std::wstring;
#else
using _tstring std::string;
#endif#pragma pack(push)
#pragma pack(1)// https://learn.microsoft.com/zh-cn/windows/win32/menurc/newheader
typedef struct {WORD Reserved; //保留;必须为零WORD ResType; //资源类型 1: RES_ICON 2: RES_CURSORWORD ResCount; //资源组中的图标或游标组件数
} ICON_GROUP_HEADER, * LPICON_GROUP_HEADER;// https://learn.microsoft.com/zh-cn/windows/win32/menurc/resdir
// https://learn.microsoft.com/zh-cn/windows/win32/menurc/iconresdir
typedef struct {BYTE Width; //图标的宽度以像素为单位。 可接受的值为 16、32 和 64BYTE Height; //图标的高度以像素为单位。 可接受的值为 16、32 和 64BYTE ColorCount; //图标中的颜色数。 可接受的值为 2、8 和 16。BYTE reserved; //保留;必须设置为与图标文件标头中保留字段的值相同的值WORD Planes; //图标或光标位图中的颜色平面数WORD BitCount; //图标或光标位图中每像素的位数DWORD BytesInRes; //资源的大小以字节为单位WORD IconId; //具有唯一序号标识符的图标或光标
} ICON_ENTRY, * LPICON_ENTRY;typedef struct {ICON_GROUP_HEADER Header; //图标组头部ICON_ENTRY IconEntry[1]; //单个图标信息
}ICON_GROUP_DIR, * LPICON_GROUP_DIR;// https://learn.microsoft.com/zh-cn/windows/win32/menurc/var-str
typedef struct {WORD wLength; // Var 结构的长度以字节为单位WORD wValueLength; // Value 成员的长度以字节为单位WORD wType; // 版本资源中的数据类型, 1: 资源包含文本数据 0: 版本资源包含二进制数据WCHAR szKey[12]; // Unicode 字符串 L“Translation”WORD Padding; // 在 32 位边界上对齐 Value 成员所需的任意或零个 WORDstruct {WORD LanguageID; //低序字: Microsoft 语言标识符WORD CodePageID; //高序字: IBM 代码页码}Value[1];
} Var;// https://learn.microsoft.com/zh-cn/windows/win32/menurc/varfileinfo
typedef struct {WORD wLength; // 整个 VarFileInfo 块包括 Children 成员指示的所有结构的长度以字节为单位WORD wValueLength; // 此成员始终等于零WORD wType; // 版本资源中的数据类型, 1: 资源包含文本数据 0: 版本资源包含二进制数据WCHAR szKey[12]; // Unicode 字符串 L“VarFileInfo”WORD Padding; // 在 32 位边界上对齐 Children 成员所需的任意或零个 WORDVar Children[1]; // 通常包含应用程序或 DLL 支持的语言列表
} VarFileInfo;// https://learn.microsoft.com/zh-cn/windows/win32/menurc/string-str
typedef struct {WORD wLength; // 此 字符串 结构的长度以字节为单位WORD wValueLength; // Value 成员的大小以字为单位WORD wType; // 版本资源中的数据类型, 1: 资源包含文本数据 0: 版本资源包含二进制数据WCHAR szKey[1]; // 任意长度的 Unicode 字符串WORD Padding; // 在 32 位边界上对齐 Value 成员所需的任意或零个 WORDWORD Value[1]; // 以零结尾的字符串
} String;// https://learn.microsoft.com/zh-cn/windows/win32/menurc/stringtable
typedef struct {WORD wLength; // 此 StringTable 结构的长度以字节为单位包括 Children 成员指示的所有结构WORD wValueLength; // 此成员始终等于零WORD wType; // 版本资源中的数据类型, 1: 资源包含文本数据 0: 版本资源包含二进制数据WCHAR szKey[8]; // 存储为 Unicode 字符串的 8 位十六进制数WORD Padding; // 在 32 位边界上对齐 Children 成员所需的任意或零个 WORDString Children[1]; // 一个或多个 String 结构的数组
} StringTable;// https://learn.microsoft.com/zh-cn/windows/win32/menurc/stringfileinfo
typedef struct {WORD wLength; // 整个 StringFileInfo 块的长度以字节为单位WORD wValueLength; // 此成员始终等于零WORD wType; // 版本资源中的数据类型, 1: 资源包含文本数据 0: 版本资源包含二进制数据WCHAR szKey[14]; // Unicode 字符串 L“StringFileInfo”WORD Padding; // 在 32 位边界上对齐 Children 成员所需的任意或零个 WORDStringTable Children[1]; // 一个或多个 StringTable 结构的数组
} StringFileInfo;// VS 文件版本信息
// https://learn.microsoft.com/zh-cn/windows/win32/menurc/vs-versioninfo
typedef struct {WORD wLength; // VS_VERSIONINFO 结构的长度以字节为单位,此长度不包括在 32 位边界上对齐任何后续版本资源数据的填充WORD wValueLength; // Value 成员的长度以字节为单位WORD wType; // 版本资源中的数据类型, 1: 资源包含文本数据 0: 版本资源包含二进制数据WCHAR szKey[15]; // Unicode 字符串 L“VS_VERSION_INFO”WORD Padding1; // 在 32 位边界上对齐 Children 成员所需的任意或零个 WORD//VS_FIXEDFILEINFO Value//WORD Padding2//WORD Children
} VS_VERSIONINFO, *PVS_VERSIONINFO;
#pragma pack(pop)typedef struct {WORD ID; //资源IDWORD LangID; //语言IDDWORD SectionOffset; //数据偏移(在节数据中的偏移位置)DWORD Size; //数据大小
}RESOURCE_ITEM;typedef struct {_tstring StrText; //文本内容WORD ID; //字符串ID
}STRING_TEXT;typedef struct {_tstring TypeName; //类型名WORD TypeID; //类型IDstd::vectorRESOURCE_ITEM Items; //资源信息
}RESOURCE_GROUP_INFO;typedef struct
{_tstring Text;WORD wType;
}STRING_INFO;typedef struct
{_tstring Key; // 值名字符串_tstring Value; // 值数据字符串WORD wType; // 版本资源中的数据类型, 1: 资源包含文本数据 0: 版本资源包含二进制数据std::vectoruint8_t Data; // 二进制数据
}STRING_FILE_ITEM;// 版本资源中的数据, 包含可为特定语言和代码页显示的版本信息
typedef struct
{_tstring StringCode;std::vectorSTRING_FILE_ITEM StringInfos;
}STRING_FILE_INFO;typedef struct
{WORD LanguageID;WORD CodePageID;
}TRANSLATION_INFO;// 版本信息
typedef struct
{VS_FIXEDFILEINFO FixedFileInfo;std::vectorSTRING_FILE_INFO StringFileInfo; // 版本资源中的数据的组织std::vectorTRANSLATION_INFO TranslationList; // 应用程序或 DLL 支持的语言列表
}VERSION_INFO;typedef struct
{_tstring Name; //函数名WORD Hint; //索引, 可能为0
}IMPORT_FUNCTION_INFO;typedef struct
{_tstring Name; //函数名_tstring ForwarderName; //转发函数名DWORD Addr; //函数相对偏移地址DWORD Ordinal; //函数顺序
}EXPORT_FUNCTION_INFO;typedef struct _RESOURCE_INFO
{std::vectorRESOURCE_GROUP_INFO ResourceTable; //资源表信息std::mapWORD, std::vectorSTRING_TEXT StringTable; //资源字符串表VERSION_INFO VersionInfo; //资源版本信息_tstring Manifest; //资源清单void clear(){ResourceTable.clear();StringTable.clear();VersionInfo.StringFileInfo.clear();VersionInfo.TranslationList.clear();memset(VersionInfo.FixedFileInfo, 0, sizeof(VersionInfo.FixedFileInfo));}}RESOURCE_INFO;class CPEHelper
{
public:CPEHelper();~CPEHelper();//// brief: 加载PE文件信息// param: strPath 文件路径// param: fCheckSum 检查映像文件校验和, 校验失败此函数将直接返回false// ret: bool 操作成功与否bool LoadFile(const _tstring strPath, bool fCheckSum true);//// brief: 关闭文件占用// ret: bool 操作成功与否void Close();//// brief: 获取导入表信息// ret: std::map_tstring, std::vectorIMPORT_FUNCTION_INFO 导入表信息const std::map_tstring, std::vectorIMPORT_FUNCTION_INFO GetImportTable() const;//// brief: 获取导出表信息// ret: std::map_tstring, std::vectorIMPORT_FUNCTION_INFO 导出表信息const std::map_tstring, std::vectorEXPORT_FUNCTION_INFO GetExportTable() const;//// brief: 获取资源表信息// ret: RESOURCE_INFO 资源信息const RESOURCE_INFO GetResourceInfo() const;//// brief: 打印导出表信息// param: fShowModule 显示模块信息// param: fShowFunList 显示函数信息// ret: voidvoid PrintExportTable(bool fShowModule true, bool fShowFunList true);//// brief: 打印导入表信息// param: fShowModule 显示模块信息// param: fShowFunList 显示函数信息// ret: voidvoid PrintImportTable(bool fShowModule true, bool fShowFunList true);//// brief: 打印资源表信息// param: fShowDetail 显示详情// ret: voidvoid PrintResourceTable(bool fShowDetail true);//// brief: 打印版本信息// ret: voidvoid PrintVersion();//// brief: 打印字符串表// ret: voidvoid PrintStringTable();//// brief: 打印清单信息// ret: voidvoid PrintManifest();private://// brief: 清空数据// ret: voidvoid _Clear();//// brief: 输出字节信息// ret: voidvoid _PrintfByte(LPVOID lpData, size_t size);//// brief: 获取文件大小// param: ullSize 文件大小// ret: bool 操作成功与否bool _GetFileSize(unsigned long long ullSize) const;//// brief: 读取文件// param: lpBuffer 读取数据存放缓冲// param: dwSize 缓冲大小(字节)// param: lpBytesRead 实际读取大小(字节)// param: llPos 读取文件数据位置// param: dwFlag 设置位置标志 FILE_BEGIN: 文件开头 FILE_CURRENT: 当前文件指针 FILE_END: 文件结束位置// param: fCheckResdSize 是否检查读取长度// ret: bool 操作成功与否bool _ReadFile(LPVOID lpBuffer, DWORD dwSize, LPDWORD lpBytesRead nullptr,LONGLONG llPos 0,DWORD dwFlag FILE_CURRENT, bool fCheckResdSize false);//// brief: 获取虚拟地址在节数据中的相对偏移// param: sectionHeader 节信息头// param: ullVirtualAddr 虚拟地址// ret: LONGLONG 虚拟地址在节数据中的相对偏移LONGLONG _GetSectionDataOffset(const IMAGE_SECTION_HEADER sectionHeader, ULONGLONG ullVirtualAddr);//// brief: 获取虚拟地址在节数据内存中的位置// param: lpBase 节数据内存位置// param: sectionHeader 节信息头// param: ullVirtualAddr 虚拟地址// ret: LONGLONG 虚拟地址在节数据内存中的位置LPVOID _GetSectionDataAddr(LPVOID lpBase, const IMAGE_SECTION_HEADER sectionHeader, ULONGLONG ullVirtualAddr);//// brief: 获取虚拟地址在节数据内存中的位置// param: ullVirtualAddr 虚拟地址// param: pSectinHeader 节信息头输出缓冲// ret: bool 操作成功与否bool _GetSectionHeader(ULONGLONG ullVirtualAddr, PIMAGE_SECTION_HEADER pSectinHeader);//// brief: 获取地址对齐后的地址// param: lpAddr 地址// param: dwAlign 对齐粒度// ret: LPVOID 对齐后指针LPCVOID _GetAlignAddr(LPCVOID lpAddr, DWORD dwAlign sizeof(DWORD));//// brief: 加载所有信息// ret: bool 操作成功与否bool _LoadAllInformation();//// brief: 加载导出表// ret: bool 操作成功与否bool _LoadExportTable();//// brief: 加载导入表// ret: bool 操作成功与否bool _LoadImportTable();//// brief: 加载资源表// ret: bool 操作成功与否bool _LoadResourceTable();//// brief: 加载资源信息// param: lpSection 节数据内存指针// ret: bool 操作成功与否bool _LoadResourceInformation(const LPBYTE lpSectionData);//// brief: 加载资源字符串表// param: lpSection 节数据内存指针// ret: info 资源组信息// ret: bool 操作成功与否bool _LoadResourceStringTable(const LPBYTE lpSection,const RESOURCE_GROUP_INFO info);//// brief: 加载资源Manifest// param: lpSection 节数据内存指针// ret: info 资源组信息// ret: bool 操作成功与否bool _LoadResourceManifest(const LPBYTE lpSection,const RESOURCE_GROUP_INFO info);//// brief: 加载资源版本信息// param: lpSection 节数据内存指针// ret: info 资源组信息// ret: bool 操作成功与否bool _LoadResourceVersion(const LPBYTE lpSection,const RESOURCE_GROUP_INFO info);// 宽字符转多字节字符static std::string _WStrToMultiStr(UINT CodePage, const std::wstring str);// 多字节字符转宽字符static std::wstring _MultiStrToWStr(UINT CodePage, const std::string str);// 宽字符串转换static std::string _WStrToU8Str(const std::wstring str);static std::string _WStrToAStr(const std::wstring str);static _tstring _WStrToTStr(const std::wstring str);// ANSI字符转换static std::wstring _AStrToWStr(const std::string str);static std::string _AStrToU8Str(const std::string str);static _tstring _AStrToTStr(const std::string str);// UTF-8字符串转换static std::wstring _U8StrToWStr(const std::string str);static std::string _U8StrToAStr(const std::string str);static _tstring _U8StrToTStr(const std::string str);// 中立字符串转换static std::string _TStrToAStr(const _tstring str);static std::wstring _TStrToWStr(const _tstring str);static std::string _TStrToU8Str(const _tstring str);private:HANDLE m_hFile; //PE文件句柄//基础PE信息IMAGE_DOS_HEADER m_DosHeader; //Dos头IMAGE_NT_HEADERS32 m_NtHeader32; //NT头(32位)IMAGE_NT_HEADERS64 m_NtHeader64; //NT头(64位)IMAGE_DATA_DIRECTORY m_DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; //数据目录std::vectorIMAGE_SECTION_HEADER m_SectionHeader; //节头信息std::vectorIMAGE_RESOURCE_DIRECTORY_ENTRY m_ResourceDirectoryEntrys; //资源目录信息//数据目录解析相关成员std::map_tstring, std::vectorIMPORT_FUNCTION_INFO m_ImportTable; //导入表信息std::map_tstring, std::vectorEXPORT_FUNCTION_INFO m_ExportTable; //导出表信息RESOURCE_INFO m_ResourceInfo; //资源信息WORD m_OptionalHeaderMagic; //可选头魔数
};CPEHelper.cpp
#include CPEHelper.h
#include tchar.h
#include imagehlp.h#pragma comment(lib, Imagehlp.lib) // Directory Entries/*
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory
// IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 // (X86 usage)
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP
#define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers
#define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor
*/static LPCTSTR g_ResourctTypeName[] {_T(RT_NONE),_T(Cursor),_T(Bitmap),_T(Icon),_T(Menu),_T(Dialog),_T(String Table),_T(Font dir),_T(Font),_T(Accelerator),_T(Application-defined resource (raw data),_T(Message-table entry),_T(Cursor Group),_T(RT_NONE),_T(Icon Group),_T(RT_NONE),_T(Version Info),_T(RT_DLGINCLUDE),_T(RT_NONE),_T(Plug and Play resource),_T(VXD),_T(Animated cursor),_T(Animated icon),_T(Html),_T(Manifest)
};std::string CPEHelper::_WStrToMultiStr(UINT CodePage, const std::wstring str)
{std::string strResult;LPSTR lpMultiByteStr NULL;do{//计算缓冲区所需的字节大小int nConverted 0;nConverted ::WideCharToMultiByte(CodePage, 0, str.c_str(), -1, NULL, 0, NULL, NULL);if (0 nConverted){break;}//分配内存lpMultiByteStr (LPSTR)::HeapAlloc(::GetProcessHeap(), HEAP_ZERO_MEMORY, nConverted);if (NULL lpMultiByteStr){break;}//转换nConverted ::WideCharToMultiByte(CodePage, 0, str.c_str(), -1, lpMultiByteStr, nConverted, NULL, NULL);if (0 nConverted){break;}strResult lpMultiByteStr;} while (false);//释放字符串缓冲if (NULL ! lpMultiByteStr){::HeapFree(::GetProcessHeap(), 0, lpMultiByteStr);lpMultiByteStr NULL;}return strResult;
}std::wstring CPEHelper::_MultiStrToWStr(UINT CodePage, const std::string str)
{std::wstring strResult;LPWSTR lpWideStr NULL;do{//计算缓冲区所需的字节大小int nConverted 0;nConverted ::MultiByteToWideChar(CodePage, 0, str.c_str(), -1, NULL, 0);if (0 nConverted){break;}//分配缓冲内存lpWideStr (LPWSTR)::HeapAlloc(::GetProcessHeap(), HEAP_ZERO_MEMORY, nConverted * sizeof(WCHAR));if (NULL lpWideStr){break;}//转换字符串nConverted ::MultiByteToWideChar(CodePage, 0, str.c_str(), -1, lpWideStr, nConverted);if (0 nConverted){break;}strResult lpWideStr;} while (false);//释放字符串缓冲if (NULL ! lpWideStr){::HeapFree(::GetProcessHeap(), 0, lpWideStr);lpWideStr NULL;}return strResult;
}std::string CPEHelper::_WStrToAStr(const std::wstring str)
{return _WStrToMultiStr(CP_ACP, str);
}std::string CPEHelper::_WStrToU8Str(const std::wstring str)
{return _WStrToMultiStr(CP_UTF8, str);
}_tstring CPEHelper::_WStrToTStr(const std::wstring str)
{
#ifdef _UNICODEreturn str;
#elsereturn _WStrToMultiStr(CP_ACP, str);
#endif
}std::wstring CPEHelper::_AStrToWStr(const std::string str)
{return _MultiStrToWStr(CP_ACP, str);
}std::string CPEHelper::_AStrToU8Str(const std::string str)
{return _WStrToU8Str(_AStrToWStr(str));
}_tstring CPEHelper::_AStrToTStr(const std::string str)
{
#ifdef _UNICODEreturn _MultiStrToWStr(CP_ACP, str);
#elsereturn str;
#endif
}std::wstring CPEHelper::_U8StrToWStr(const std::string str)
{return _MultiStrToWStr(CP_UTF8, str);
}std::string CPEHelper::_U8StrToAStr(const std::string str)
{return _WStrToAStr(_U8StrToWStr(str));
}_tstring CPEHelper::_U8StrToTStr(const std::string str)
{
#ifdef _UNICODEreturn _MultiStrToWStr(CP_UTF8, str);
#elsereturn _WStrToAStr(_U8StrToWStr(str));
#endif
}std::string CPEHelper::_TStrToAStr(const _tstring str)
{
#ifdef _UNICODEreturn _WStrToMultiStr(CP_ACP, str);
#elsereturn str;
#endif
}std::wstring CPEHelper::_TStrToWStr(const _tstring str)
{
#ifdef _UNICODEreturn str;
#elsereturn _AStrToWStr(str);
#endif
}std::string CPEHelper::_TStrToU8Str(const _tstring str)
{
#ifdef _UNICODEreturn _WStrToU8Str(str);
#elsereturn _WStrToU8Str(_AStrToWStr(str));
#endif
}CPEHelper::CPEHelper():m_hFile(INVALID_HANDLE_VALUE)
{_Clear();
}CPEHelper::~CPEHelper()
{Close();
}bool CPEHelper::LoadFile(const _tstring strPath, bool fCheckSum/* true*/)
{bool bResult false;Close();_Clear();m_hFile ::CreateFile(strPath.c_str(),GENERIC_READ,FILE_SHARE_READ | FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);if (INVALID_HANDLE_VALUE m_hFile){return false;}do{DWORD HeaderSum 0;DWORD CheckSum 0;// 计算校验和if (fCheckSum (CHECKSUM_SUCCESS ! ::MapFileAndCheckSum(strPath.c_str(), HeaderSum, CheckSum))){break;}// 读取 DOS 头 64字节IMAGE_DOS_HEADER dosHeader { 0 };DWORD dwBytesRead 0;if (!_ReadFile(dosHeader, sizeof(dosHeader), dwBytesRead, 0, FILE_BEGIN, true) || IMAGE_DOS_SIGNATURE ! dosHeader.e_magic){break;}// 读取 NT头(32位版本) 248字节IMAGE_NT_HEADERS32 ntHeader32 { 0 };if (!_ReadFile(ntHeader32, sizeof(ntHeader32), dwBytesRead, dosHeader.e_lfanew, FILE_BEGIN, true)){break;}// 读取 NT头(64位版本) 264字节IMAGE_NT_HEADERS64 ntHeader64 { 0 };if (!_ReadFile(ntHeader64, sizeof(ntHeader64), dwBytesRead, dosHeader.e_lfanew, FILE_BEGIN, true)){break;}// 检查 NT头 签名if (IMAGE_NT_SIGNATURE ! ntHeader32.Signature){break;}// 检查 是否为 32位程序可选头if (IMAGE_NT_OPTIONAL_HDR32_MAGIC ntHeader32.OptionalHeader.Magic){if (fCheckSum (CheckSum ! ntHeader32.OptionalHeader.CheckSum)){break;}m_OptionalHeaderMagic IMAGE_NT_OPTIONAL_HDR32_MAGIC;memcpy_s(m_NtHeader32, sizeof(m_NtHeader32), ntHeader32, sizeof(ntHeader32));memcpy(m_DataDirectory, m_NtHeader32.OptionalHeader.DataDirectory, sizeof(m_DataDirectory));}// 检查 是否为 64位程序可选头else if (IMAGE_NT_OPTIONAL_HDR64_MAGIC ntHeader64.OptionalHeader.Magic){if (fCheckSum (CheckSum ! ntHeader64.OptionalHeader.CheckSum)){break;}m_OptionalHeaderMagic IMAGE_NT_OPTIONAL_HDR64_MAGIC;memcpy_s(m_NtHeader64, sizeof(m_NtHeader64), ntHeader64, sizeof(ntHeader64));memcpy(m_DataDirectory, m_NtHeader64.OptionalHeader.DataDirectory, sizeof(m_DataDirectory));}// ROM可选头else if (IMAGE_ROM_OPTIONAL_HDR_MAGIC ntHeader32.OptionalHeader.Magic){m_OptionalHeaderMagic IMAGE_ROM_OPTIONAL_HDR_MAGIC;}else{break;}// 保存Dos头memcpy(m_DosHeader, dosHeader, sizeof(m_DosHeader));// 节标头偏移DWORD dwSectionOffset (DWORD)(dosHeader.e_lfanew FIELD_OFFSET(IMAGE_NT_HEADERS64, OptionalHeader) ntHeader32.FileHeader.SizeOfOptionalHeader);WORD wNumberOfSections ntHeader32.FileHeader.NumberOfSections;PIMAGE_SECTION_HEADER pSectionHeader (PIMAGE_SECTION_HEADER)::HeapAlloc(::GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(IMAGE_SECTION_HEADER) * wNumberOfSections);if (nullptr pSectionHeader){break;}//保存标头信息do{if (!_ReadFile(pSectionHeader, sizeof(IMAGE_SECTION_HEADER) * wNumberOfSections, dwBytesRead, dwSectionOffset, FILE_BEGIN, true)){break;}for (int i 0; i wNumberOfSections; i){m_SectionHeader.push_back(pSectionHeader[i]);}} while (false);// 释放节标头缓冲if (pSectionHeader){::HeapFree(::GetProcessHeap(), 0, pSectionHeader);}bResult true;} while (false);if (bResult){_LoadAllInformation();}else{Close();}return bResult;
}void CPEHelper::Close()
{if (INVALID_HANDLE_VALUE ! m_hFile){::CloseHandle(m_hFile);m_hFile INVALID_HANDLE_VALUE;}
}const std::map_tstring, std::vectorIMPORT_FUNCTION_INFO CPEHelper::GetImportTable() const
{return m_ImportTable;
}const std::map_tstring, std::vectorEXPORT_FUNCTION_INFO CPEHelper::GetExportTable() const
{return m_ExportTable;
}const RESOURCE_INFO CPEHelper::GetResourceInfo() const
{return m_ResourceInfo;
}void CPEHelper::_Clear()
{memset(m_DosHeader, 0, sizeof(m_DosHeader));memset(m_NtHeader32, 0, sizeof(m_NtHeader32));memset(m_NtHeader64, 0, sizeof(m_NtHeader64));memset(m_DataDirectory, 0, sizeof(m_DataDirectory));m_ResourceDirectoryEntrys.clear();m_SectionHeader.clear();m_ImportTable.clear();m_ExportTable.clear();m_ResourceInfo.clear();m_OptionalHeaderMagic 0;
}void CPEHelper::_PrintfByte(LPVOID lpData, size_t size)
{if (NULL lpData){return;}for (int i 0; i size; i){if (i ! size - 1){_tprintf(_T(%02X ), ((LPBYTE)lpData)[i]);}else{_tprintf(_T(%02X), ((LPBYTE)lpData)[i]);}}
}bool CPEHelper::_GetFileSize(unsigned long long ullSize) const
{if (INVALID_HANDLE_VALUE m_hFile){return false;}LARGE_INTEGER ullFileSize { 0 };if (!::GetFileSizeEx(m_hFile, ullFileSize)){return false;}ullSize ullFileSize.QuadPart;return true;
}bool CPEHelper::_ReadFile(LPVOID lpBuffer,DWORD dwSize,LPDWORD lpBytesRead/* nullptr*/,LONGLONG llPos/* 0*/,DWORD dwFlag/* FILE_CURRENT*/,bool fCheckResdSize/* false*/
)
{if (INVALID_HANDLE_VALUE m_hFile){return false;}LARGE_INTEGER liDistanceToMove { 0 };BOOL bResult FALSE;liDistanceToMove.QuadPart llPos;::SetFilePointerEx(m_hFile, liDistanceToMove, NULL, dwFlag);DWORD dwBytesRead 0;bResult ::ReadFile(m_hFile, lpBuffer, dwSize, dwBytesRead, NULL);if (!bResult){return bResult;}if (nullptr ! lpBytesRead){*lpBytesRead dwBytesRead;}//设置了大区大小检查, 则当实际读取数据量与指定读取数据量相同才认为读取成功if (fCheckResdSize){bResult (dwBytesRead dwSize);}return bResult;
}LONGLONG CPEHelper::_GetSectionDataOffset(const IMAGE_SECTION_HEADER sectionHeader,ULONGLONG ullVirtualAddr
)
{ULONGLONG VirtualAddrBegin sectionHeader.VirtualAddress;ULONGLONG VirtualAddrEnd VirtualAddrBegin sectionHeader.SizeOfRawData;ULONGLONG ullOffset ullVirtualAddr;if (ullOffset VirtualAddrBegin || ullOffset VirtualAddrEnd){return -1;}ullOffset - VirtualAddrBegin;return ullOffset;
}LPVOID CPEHelper::_GetSectionDataAddr(LPVOID lpBase,const IMAGE_SECTION_HEADER sectionHeader,ULONGLONG ullVirtualAddr
)
{ULONGLONG VirtualAddrBegin sectionHeader.VirtualAddress;ULONGLONG VirtualAddrEnd VirtualAddrBegin sectionHeader.SizeOfRawData;ULONGLONG ullOffset VirtualAddrBegin ullVirtualAddr - sectionHeader.VirtualAddress;if (ullOffset VirtualAddrBegin || ullOffset VirtualAddrEnd){return NULL;}ullOffset - VirtualAddrBegin;return (LPBYTE)lpBase ullOffset;
}bool CPEHelper::_GetSectionHeader(ULONGLONG ullVirtualAddr,PIMAGE_SECTION_HEADER pSectinHeader
)
{for (const auto item : m_SectionHeader){ULONGLONG VirtualAddrBegin item.VirtualAddress;ULONGLONG VirtualAddrEnd item.VirtualAddress item.SizeOfRawData;if ((ullVirtualAddr VirtualAddrBegin) (ullVirtualAddr VirtualAddrEnd)){if (pSectinHeader){*pSectinHeader item;}return true;}}return false;
}LPCVOID CPEHelper::_GetAlignAddr(LPCVOID lpAddr,DWORD dwAlign
)
{DWORD_PTR dwPadding ((DWORD_PTR)lpAddr % dwAlign);if (0 dwPadding){return lpAddr;}return (LPBYTE)lpAddr (dwAlign - dwPadding);
}bool CPEHelper::_LoadAllInformation()
{// 加载资源表_LoadResourceTable();// 加载导出表_LoadExportTable();// 加载导入表_LoadImportTable();return true;
}bool CPEHelper::_LoadExportTable()
{bool fResult false;DWORD VirtualAddress m_DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;if (0 VirtualAddress){return false;}LPBYTE lpSectionData nullptr;do{// 获取虚拟地址所在节信息IMAGE_SECTION_HEADER sectionHeader { 0 };if (!_GetSectionHeader(VirtualAddress, sectionHeader)){break;}//分配节数据缓冲lpSectionData (LPBYTE)::HeapAlloc(::GetProcessHeap(), HEAP_ZERO_MEMORY, sectionHeader.SizeOfRawData);if (NULL lpSectionData){break;}// 读取整个节数据DWORD dwReadBytes 0;if (!_ReadFile(lpSectionData, sectionHeader.SizeOfRawData, dwReadBytes, sectionHeader.PointerToRawData, FILE_BEGIN, true)){break;}// 获取导出描述信息所在偏移ULONGLONG VirtualAddrBegin m_DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;ULONGLONG VirtualAddrEnd VirtualAddrBegin m_DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;LONGLONG ullExportDescOffset _GetSectionDataOffset(sectionHeader, VirtualAddress);if (-1 ullExportDescOffset){break;}// 获取导出目录信息位置PIMAGE_EXPORT_DIRECTORY pExportDirectory (PIMAGE_EXPORT_DIRECTORY)((LPBYTE)lpSectionData ullExportDescOffset);LPCSTR lpDllName (LPCSTR)_GetSectionDataAddr(lpSectionData, sectionHeader, pExportDirectory-Name);if (NULL lpDllName){break;}// 遍历导出表LPDWORD pFuncAddr (LPDWORD)_GetSectionDataAddr(lpSectionData, sectionHeader, pExportDirectory-AddressOfFunctions);LPDWORD pNameAddr (LPDWORD)_GetSectionDataAddr(lpSectionData, sectionHeader, pExportDirectory-AddressOfNames);LPWORD pNameOrdinalsName (LPWORD)_GetSectionDataAddr(lpSectionData, sectionHeader, pExportDirectory-AddressOfNameOrdinals);if ((NULL pFuncAddr) || (NULL pNameAddr) || (NULL pNameOrdinalsName)){break;}std::vectorEXPORT_FUNCTION_INFO FunList;for (DWORD i 0; i pExportDirectory-NumberOfFunctions; i){EXPORT_FUNCTION_INFO info;info.Addr pFuncAddr[i];info.Ordinal pExportDirectory-Base i;FunList.push_back(info);}for (DWORD i 0; i pExportDirectory-NumberOfNames; i){LPCSTR lpFnName (LPCSTR)_GetSectionDataAddr(lpSectionData, sectionHeader, pNameAddr[i]);if (NULL lpFnName){break;}DWORD dwOrdinal pNameOrdinalsName[i];FunList[dwOrdinal].Name _AStrToTStr(lpFnName);//转发函数if ((FunList[dwOrdinal].Addr VirtualAddrBegin FunList[dwOrdinal].Addr VirtualAddrEnd)){LPCSTR lpForwarderName (LPCSTR)_GetSectionDataAddr(lpSectionData, sectionHeader, FunList[dwOrdinal].Addr);if (NULL lpForwarderName){break;}FunList[dwOrdinal].ForwarderName _AStrToTStr(lpForwarderName);}}m_ExportTable.insert(std::make_pair(_AStrToTStr(lpDllName), FunList));fResult true;} while (false);// 释放节数据缓冲if (lpSectionData){::HeapFree(::GetProcessHeap(), 0, lpSectionData);}return fResult;
}bool CPEHelper::_LoadImportTable()
{IMAGE_IMPORT_DESCRIPTOR emptyImportDesc { 0 };bool fResult false;DWORD VirtualAddress m_DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;if (0 VirtualAddress){return false;}LPBYTE lpSectionData nullptr;do{// 获取虚拟地址所在节信息IMAGE_SECTION_HEADER sectionHeader { 0 };if (!_GetSectionHeader(VirtualAddress, sectionHeader)){break;}//分配节数据缓冲lpSectionData (LPBYTE)::HeapAlloc(::GetProcessHeap(), HEAP_ZERO_MEMORY, sectionHeader.SizeOfRawData);if (NULL lpSectionData){break;}// 读取整个节数据DWORD dwReadBytes 0;if (!_ReadFile(lpSectionData, sectionHeader.SizeOfRawData, dwReadBytes, sectionHeader.PointerToRawData, FILE_BEGIN, true)){break;}// 获取导入描述信息所在偏移LONGLONG ullImportDescOffset _GetSectionDataOffset(sectionHeader, VirtualAddress);if (-1 ullImportDescOffset){break;}// 导入描述PIMAGE_IMPORT_DESCRIPTOR pImportDesc (PIMAGE_IMPORT_DESCRIPTOR)(LPBYTE)(lpSectionData ullImportDescOffset);// 32位导入表if (IMAGE_NT_OPTIONAL_HDR32_MAGIC m_OptionalHeaderMagic){// 遍历导入表for (DWORD i 0; 0 ! ::memcmp(pImportDesc i, emptyImportDesc, sizeof(emptyImportDesc)) ! 0; i){LPCSTR DllName (LPCSTR)_GetSectionDataAddr(lpSectionData, sectionHeader, pImportDesc[i].Name);if (NULL DllName){break;}PIMAGE_THUNK_DATA32 pThunkData (PIMAGE_THUNK_DATA32)_GetSectionDataAddr(lpSectionData, sectionHeader, pImportDesc[i].FirstThunk);if (NULL pThunkData){break;}std::vectorIMPORT_FUNCTION_INFO FunList;while (pThunkData-u1.AddressOfData){if (IMAGE_SNAP_BY_ORDINAL32(pThunkData-u1.AddressOfData)){IMPORT_FUNCTION_INFO info;info.Hint IMAGE_ORDINAL32(pThunkData-u1.AddressOfData);FunList.push_back(info);}else{PIMAGE_IMPORT_BY_NAME pImportName (PIMAGE_IMPORT_BY_NAME)_GetSectionDataAddr(lpSectionData, sectionHeader, pThunkData-u1.AddressOfData);if (NULL pImportName){break;}IMPORT_FUNCTION_INFO info;info.Hint pImportName-Hint;info.Name _AStrToTStr((LPCSTR)pImportName-Name);FunList.push_back(info);}pThunkData;}m_ImportTable.insert(std::make_pair(_AStrToTStr(DllName), FunList));}}// 64位导入表if (IMAGE_NT_OPTIONAL_HDR64_MAGIC m_OptionalHeaderMagic){// 遍历导入表for (DWORD i 0; 0 ! ::memcmp(pImportDesc i, emptyImportDesc, sizeof(emptyImportDesc)) ! 0; i){LPCSTR DllName (LPCSTR)_GetSectionDataAddr(lpSectionData, sectionHeader, pImportDesc[i].Name);if (NULL DllName){break;}PIMAGE_THUNK_DATA64 pThunkData (PIMAGE_THUNK_DATA64)_GetSectionDataAddr(lpSectionData, sectionHeader, pImportDesc[i].FirstThunk);if (NULL pThunkData){break;}std::vectorIMPORT_FUNCTION_INFO FunList;while (pThunkData-u1.AddressOfData){if (IMAGE_SNAP_BY_ORDINAL64(pThunkData-u1.AddressOfData)){IMPORT_FUNCTION_INFO info;info.Hint IMAGE_ORDINAL64(pThunkData-u1.AddressOfData);FunList.push_back(info);}else{PIMAGE_IMPORT_BY_NAME pImportName (PIMAGE_IMPORT_BY_NAME)_GetSectionDataAddr(lpSectionData, sectionHeader, pThunkData-u1.AddressOfData);if (NULL pImportName){break;}IMPORT_FUNCTION_INFO info;info.Hint pImportName-Hint;info.Name _AStrToTStr((LPCSTR)pImportName-Name);FunList.push_back(info);}pThunkData;}m_ImportTable.insert(std::make_pair(_AStrToTStr(DllName), FunList));}}fResult true;} while (false);// 释放节数据缓冲if (lpSectionData){::HeapFree(::GetProcessHeap(), 0, lpSectionData);}return fResult;
}bool CPEHelper::_LoadResourceTable()
{bool fResult false;DWORD VirtualAddress m_DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress;if (0 VirtualAddress){return false;}LPBYTE lpSectionData nullptr;do{// 获取虚拟地址所在节信息IMAGE_SECTION_HEADER sectionHeader { 0 };if (!_GetSectionHeader(VirtualAddress, sectionHeader)){break;}//分配节数据缓冲lpSectionData (LPBYTE)::HeapAlloc(::GetProcessHeap(), HEAP_ZERO_MEMORY, sectionHeader.SizeOfRawData);if (NULL lpSectionData){break;}// 读取整个节数据DWORD dwReadBytes 0;if (!_ReadFile(lpSectionData, sectionHeader.SizeOfRawData, dwReadBytes, sectionHeader.PointerToRawData, FILE_BEGIN, true)){break;}PIMAGE_RESOURCE_DIRECTORY pDirectoryRoot (PIMAGE_RESOURCE_DIRECTORY)lpSectionData;DWORD dwTpyeCount pDirectoryRoot-NumberOfNamedEntries pDirectoryRoot-NumberOfIdEntries;for (DWORD i 0; i dwTpyeCount; i){//资源类型目录子项PIMAGE_RESOURCE_DIRECTORY_ENTRY pEntryType (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(pDirectoryRoot 1) i;m_ResourceDirectoryEntrys.push_back(*pEntryType);RESOURCE_GROUP_INFO GroupInfo;// 资源类型IDif (pEntryType-NameIsString){PIMAGE_RESOURCE_DIR_STRING_U pStrName (PIMAGE_RESOURCE_DIR_STRING_U)((LPBYTE)pDirectoryRoot pEntryType-NameOffset);GroupInfo.TypeName _WStrToTStr(std::wstring(pStrName-NameString, pStrName-Length));GroupInfo.TypeID 0;}else{GroupInfo.TypeName g_ResourctTypeName[pEntryType-Id];GroupInfo.TypeID pEntryType-Id;}// 资源类型ID子项PIMAGE_RESOURCE_DIRECTORY pDirectoryDataID (PIMAGE_RESOURCE_DIRECTORY)((LPBYTE)pDirectoryRoot pEntryType-OffsetToDirectory);DWORD dwCount pDirectoryDataID-NumberOfNamedEntries pDirectoryDataID-NumberOfIdEntries;for (DWORD j 0; j dwCount; j){RESOURCE_ITEM info;// 资源类型ID子项PIMAGE_RESOURCE_DIRECTORY_ENTRY pEntryDataID (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(pDirectoryDataID 1) j;info.ID pEntryDataID-Id;//各种语言版本的资源数据PIMAGE_RESOURCE_DIRECTORY pDirectoryLanguage (PIMAGE_RESOURCE_DIRECTORY)((LPBYTE)pDirectoryRoot pEntryDataID-OffsetToDirectory);DWORD dwLanguageCount pDirectoryLanguage-NumberOfNamedEntries pDirectoryLanguage-NumberOfIdEntries;for (DWORD k 0; k dwLanguageCount; k){//资源ID与数据偏移, 数据大小PIMAGE_RESOURCE_DIRECTORY_ENTRY pEntryLanguage (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(pDirectoryLanguage 1) k;PIMAGE_RESOURCE_DATA_ENTRY pDataEntry (PIMAGE_RESOURCE_DATA_ENTRY)((LPBYTE)pDirectoryRoot pEntryLanguage-OffsetToDirectory);info.LangID pEntryLanguage-Id;info.SectionOffset pDataEntry-OffsetToData - sectionHeader.VirtualAddress;info.Size pDataEntry-Size;GroupInfo.Items.push_back(info);}}m_ResourceInfo.ResourceTable.push_back(GroupInfo);}fResult true;_LoadResourceInformation(lpSectionData);} while (false);// 释放节数据缓冲if (lpSectionData){::HeapFree(::GetProcessHeap(), 0, lpSectionData);}return fResult;
}bool CPEHelper::_LoadResourceInformation(const LPBYTE lpSectionData)
{// 解析各种资源类型for (const auto item : m_ResourceInfo.ResourceTable){if (MAKEINTRESOURCE(item.TypeID) RT_STRING){// 加载 字符串表 资源_LoadResourceStringTable(lpSectionData, item);}else if (MAKEINTRESOURCE(item.TypeID) RT_MANIFEST){// 加载 Manifest 资源_LoadResourceManifest(lpSectionData, item);}else if (MAKEINTRESOURCE(item.TypeID) RT_VERSION){// 加载 版本 资源_LoadResourceVersion(lpSectionData, item);}}return true;
}bool CPEHelper::_LoadResourceStringTable(const LPBYTE lpSection,const RESOURCE_GROUP_INFO info
)
{for (const auto str : info.Items){std::vectorSTRING_TEXT strList;WORD wIdBegin (str.ID - 1) * 16;LPWORD lpLength (LPWORD)((LPBYTE)lpSection str.SectionOffset);for (WORD i wIdBegin; i wIdBegin 16; i){if (0 ! *lpLength){STRING_TEXT strText;strText.StrText _WStrToTStr(std::wstring((LPCTSTR)lpLength 1, *lpLength));strText.ID i;strList.push_back(strText);lpLength *lpLength;}lpLength;}auto itFind m_ResourceInfo.StringTable.find(str.LangID);if (m_ResourceInfo.StringTable.end() itFind){m_ResourceInfo.StringTable.insert(std::make_pair(str.LangID, strList));}else{itFind-second.insert(itFind-second.end(), strList.begin(), strList.end());}}return true;
}bool CPEHelper::_LoadResourceManifest(const LPBYTE lpSection,const RESOURCE_GROUP_INFO info
)
{for (const auto str : info.Items){LPCSTR lpStr (LPCSTR)((LPBYTE)lpSection str.SectionOffset);m_ResourceInfo.Manifest _U8StrToTStr(lpStr);}return true;
}bool CPEHelper::_LoadResourceVersion(const LPBYTE lpSection,const RESOURCE_GROUP_INFO info
)
{for (const auto str : info.Items){PVS_VERSIONINFO lpVersion (PVS_VERSIONINFO)((LPBYTE)lpSection str.SectionOffset);// 存在 VS_FIXEDFILEINFO 信息if (0 ! lpVersion-wValueLength){VS_FIXEDFILEINFO* pFixedFileInfo (VS_FIXEDFILEINFO*)((LPBYTE)lpVersion sizeof(VS_VERSIONINFO));pFixedFileInfo (VS_FIXEDFILEINFO*)_GetAlignAddr(pFixedFileInfo, sizeof(DWORD));m_ResourceInfo.VersionInfo.FixedFileInfo *pFixedFileInfo;}// 解析 StringFileInfoStringFileInfo* pStringFileInfo (StringFileInfo*)((LPBYTE)lpVersion sizeof(VS_VERSIONINFO) lpVersion-wValueLength);pStringFileInfo (StringFileInfo*)_GetAlignAddr(pStringFileInfo, sizeof(DWORD));{STRING_FILE_INFO strFileInfo;StringTable* pStringTable (StringTable*)(pStringFileInfo-Children);strFileInfo.StringCode _WStrToTStr(std::wstring(pStringTable-szKey, _countof(pStringTable-szKey)));LPBYTE lpBegin (LPBYTE)pStringTable-Children;LPBYTE lpEnd lpBegin pStringTable-wLength - sizeof(STRING_FILE_INFO);while (lpBegin lpEnd){String* pString (String*)lpBegin;DWORD dwValueSize pString-wValueLength;STRING_FILE_ITEM item;std::wstring strKey pString-szKey;item.Key _WStrToTStr(strKey);//值名LPCWSTR lpStrValue pString-szKey;lpStrValue strKey.size() 1;//值数据位置lpStrValue (LPCWSTR)_GetAlignAddr(lpStrValue, sizeof(DWORD));item.wType pString-wType;//字符串类型if (1 pString-wType){item.Value _WStrToTStr(std::wstring(lpStrValue, dwValueSize));}//字节数据类型else{item.Value _WStrToTStr(std::wstring(lpStrValue, dwValueSize));item.Data.resize(dwValueSize);for (DWORD i 0; i dwValueSize; i){item.Data[i] ((LPBYTE)lpStrValue)[i];}}strFileInfo.StringInfos.push_back(item);lpBegin pString-wLength;lpBegin (LPBYTE)_GetAlignAddr(lpBegin, sizeof(DWORD));}m_ResourceInfo.VersionInfo.StringFileInfo.push_back(strFileInfo);}// 解析 VarFileInfoVarFileInfo* pVerFileInfo (VarFileInfo*)((LPBYTE)pStringFileInfo pStringFileInfo-wLength);pVerFileInfo (VarFileInfo*)_GetAlignAddr(pVerFileInfo, sizeof(DWORD));if ((LPBYTE)pVerFileInfo ((LPBYTE)lpVersion lpVersion-wLength)){Var* pVar pVerFileInfo-Children;for (DWORD i 0; i pVar-wValueLength / sizeof(DWORD); i){TRANSLATION_INFO transInfo;transInfo.CodePageID pVar-Value[i].CodePageID;transInfo.LanguageID pVar-Value[i].LanguageID;m_ResourceInfo.VersionInfo.TranslationList.push_back(transInfo);}}}return true;
}void CPEHelper::PrintResourceTable(bool fShowDetail/* true*/)
{_tprintf(_T(资源类型数量: %4d\n), (int)m_ResourceInfo.ResourceTable.size());int i 0;for (const auto ResourceInfo : m_ResourceInfo.ResourceTable){if (0 ! ResourceInfo.TypeID){_tprintf(_T( %4d 类型ID: %4d 类型名: %s 数量: %d\n), i, ResourceInfo.TypeID, ResourceInfo.TypeName.c_str(), (int)ResourceInfo.Items.size());}else{_tprintf(_T( %4d 类型ID: \%s\ 数量: %d\n), i, ResourceInfo.TypeName.c_str(), (int)ResourceInfo.Items.size());}if (!fShowDetail){continue;}int j 0;for (const auto item : ResourceInfo.Items){_tprintf(_T( %4d 资源ID: %4d 节数据偏移: %08X 大小: %d 语言: %d\n), j, item.ID, item.SectionOffset, item.Size, item.LangID);}}
}void CPEHelper::PrintExportTable(bool fShowModule/* true*/, bool fShowFunList/* true*/)
{int nFunctionCount 0;for (const auto item : m_ExportTable){nFunctionCount (int)item.second.size();}_tprintf(_T(Export module count: %d function count: %d\n), (int)m_ExportTable.size(), nFunctionCount);int i 0;for (const auto item : m_ExportTable){if (fShowModule){_tprintf(_T( %4d %s function count: %4d\n), i, item.first.c_str(), (int)item.second.size());}if (!fShowFunList){continue;}int j 0;for (const auto fun : item.second){if (!fun.Name.empty()){if (fun.ForwarderName.empty()){_tprintf(_T( %4d Ordinal: %4d(%04x) Addr: %08x %s \n), j, fun.Ordinal, fun.Ordinal, fun.Addr, fun.Name.c_str());}else{_tprintf(_T( %4d Ordinal: %4d(%04x) Addr: %08x %s - %s \n), j, fun.Ordinal, fun.Ordinal, fun.Addr, fun.Name.c_str(), fun.ForwarderName.c_str());}}else{_tprintf(_T( %4d Ordinal: %4d(%04x) Addr: %08x \n), j, fun.Ordinal, fun.Ordinal, fun.Addr);}}}
}void CPEHelper::PrintImportTable(bool fShowModule/* true*/, bool fShowFunList/* true*/)
{int nFunctionCount 0;for (const auto item : m_ImportTable){nFunctionCount (int)item.second.size();}_tprintf(_T(Import module count: %d function count: %d\n), (int)m_ImportTable.size(), nFunctionCount);int i 0;for (const auto item : m_ImportTable){if (fShowModule){_tprintf(_T( %d %s count: %d\n), i, item.first.c_str(), (int)item.second.size());}if (!fShowFunList){continue;}int j 0;for (const auto fun : item.second){if (!fun.Name.empty()){_tprintf(_T( %4d %4d(%04x) %s\n), j, fun.Hint, fun.Hint, fun.Name.c_str());}else{_tprintf(_T( %4d %4d(%04x)\n), j, fun.Hint, fun.Hint);}}}
}void CPEHelper::PrintVersion()
{_tprintf(_T(Version:\n));_tprintf(_T( StringFileInfo conut: %d\n), (int)m_ResourceInfo.VersionInfo.StringFileInfo.size());for (const auto item : m_ResourceInfo.VersionInfo.StringFileInfo){_tprintf(_T( %s\n), item.StringCode.c_str());VS_FIXEDFILEINFO FixedFileInfo m_ResourceInfo.VersionInfo.FixedFileInfo;_tprintf(_T( FileVersion: %d.%d.%d.%d\n),HIWORD(FixedFileInfo.dwFileVersionMS),LOWORD(FixedFileInfo.dwFileVersionMS),HIWORD(FixedFileInfo.dwFileVersionLS),LOWORD(FixedFileInfo.dwFileVersionLS));for (const auto info : item.StringInfos){if (info.wType){_tprintf(_T( %s: %s\n), info.Key.c_str(), info.Value.c_str());}else{_tprintf(_T( %s: %s\n), info.Key.c_str(), info.Value.c_str());//_tprintf(_T( %s: ), info.Key.c_str());_PrintfByte((LPVOID)info.Data.data(), info.Data.size());_tprintf(_T(\n));}}}_tprintf(_T( Translation conut: %d\n), (int)m_ResourceInfo.VersionInfo.TranslationList.size());for (const auto item : m_ResourceInfo.VersionInfo.TranslationList){_tprintf(_T( 0x%04X 0x%04X\n), item.LanguageID, item.CodePageID);}
}void CPEHelper::PrintStringTable()
{_tprintf(_T(StringTable: count: %d\n), (int)m_ResourceInfo.StringTable.size());for (const auto item : m_ResourceInfo.StringTable){_tprintf(_T( ID: %d, count: %d\n), item.first, (int)item.second.size());for (const auto info : item.second){_tprintf(_T( %04d: %s\n), info.ID, info.StrText.c_str());}}
}void CPEHelper::PrintManifest()
{_tprintf(_T(Manifest:\n));_tprintf(_T(%s\n), m_ResourceInfo.Manifest.c_str());
}测试
main.c
#include iostream
#include windows.h
#include tchar.h
#include CPEHelper.h
#include CTimeUtils.hint main()
{setlocale(LC_ALL, );CPEHelper obj;int64_t timeBegin CTimeUtils::GetCurrentTickCount();int64_t timeEnd CTimeUtils::GetCurrentTickCount();int nRepeatCount 1;while (true){timeBegin CTimeUtils::GetCurrentTickCount();for (int i 0; i nRepeatCount; i){//obj.LoadFile(_T(R(gfx_win_101.3790_101.2114.exe)), false);//obj.LoadFile(_T(R(CPEUtils.exe)), false);//obj.LoadFile(_T(R(qt-opensource-windows-x86-5.14.2.exe)), true);obj.LoadFile(_T(R(user32.dll)), true);//obj.LoadFile(_T(R(ndis.sys)), true);//obj.LoadFile(_T(R(shell32.dll)), true);//obj.LoadFile(_T(R(KernelBase.dll)), true);//obj.LoadFile(_T(R(ntdll.dll)), true);}RESOURCE_INFO info obj.GetResourceInfo();timeEnd CTimeUtils::GetCurrentTickCount();#if 0obj.PrintExportTable(false, false);_tprintf(_T(\n));obj.PrintImportTable(false, false);_tprintf(_T(\n));obj.PrintResourceTable(false);_tprintf(_T(\n));obj.PrintStringTable();_tprintf(_T(\n));obj.PrintVersion();_tprintf(_T(\n));
#elseobj.PrintExportTable(true, true);_tprintf(_T(\n));obj.PrintImportTable(true, true);_tprintf(_T(\n));obj.PrintResourceTable(true);_tprintf(_T(\n));obj.PrintStringTable();_tprintf(_T(\n));obj.PrintVersion();_tprintf(_T(\n));
#endif//obj.PrintManifest();_tprintf(_T(repeat count: %d cost time: %llu ms\n), nRepeatCount, timeEnd - timeBegin);system(pause);}return 0;
}
