PETOOL开发日记2 - PE文件查看

本文最后更新于:2022年4月13日 下午

本节将进一步完善PE TOOL的功能,添加对PE头的初步解析。

当点击主界面的PE查看按钮后,将弹出文件选择界面,为此需要编写相应的消息处理函数。

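/*
 * Dialog procedure for the main window (excerpt; the article elides the
 * other message handlers).
 *
 * WM_COMMAND handling shown here:
 *   IDC_BUTTON_QUIT   - closes the dialog.
 *   IDC_BUTTON_PEVIEW - shows the file picker and, only when the user
 *                       actually chose a file, opens the PE view dialog.
 *
 * Returns TRUE when the message was handled, FALSE otherwise.
 */
BOOL CALLBACK MainDialogProc(
    HWND hwndDlg,   // handle to dialog box
    UINT uMsg,      // message
    WPARAM wParam,  // first message parameter
    LPARAM lParam   // second message parameter
    )
{
    OPENFILENAME stopenFile;

    switch (uMsg)
    {
    /* ... other message handlers are elided in the article ... */
    case WM_COMMAND:
    {
        switch (LOWORD(wParam))
        {
        case IDC_BUTTON_QUIT:
            EndDialog(hwndDlg, 0);
            return TRUE;

        case IDC_BUTTON_PEVIEW:
        {
            /* Double-NUL-terminated filter list, as GetOpenFileName expects. */
            static const TCHAR szPeFileExt[] = _T("PE 文件(*.exe;*.dll;*.scr;*.drv;*.sys)\0*.exe;*.dll;*.scr;*.drv;*.sys\0All Files(*.*)\0*.*\0\0");

            /*
             * NOTE(review): the declaration of szFileName is not shown on the
             * page. Only the 256 bytes cleared below are known to belong to
             * it, so the picker is limited to that region instead of MAX_PATH
             * characters; replace both with the real array size once confirmed.
             */
            enum { FILE_NAME_BYTES = 256 };

            memset(szFileName, 0, FILE_NAME_BYTES);
            memset(&stopenFile, 0, sizeof(OPENFILENAME));
            stopenFile.lStructSize = sizeof(OPENFILENAME);
            stopenFile.Flags = OFN_FILEMUSTEXIST | OFN_PATHMUSTEXIST;
            stopenFile.hwndOwner = hwndDlg;
            stopenFile.lpstrFilter = szPeFileExt;
            stopenFile.lpstrFile = szFileName;
            stopenFile.nMaxFile = FILE_NAME_BYTES / sizeof(TCHAR);

            /*
             * GetOpenFileName returns zero when the user cancels or the call
             * fails. The previous test (szFileName != NULL) could never be
             * false, so the PE view opened even with no file selected.
             * The chosen file is untrusted input for the parsing code that
             * runs inside the PE view dialogs.
             */
            if (GetOpenFileName(&stopenFile))
            {
                // Open the PE view dialog for the selected file.
                DialogBox(hAppInstance, MAKEINTRESOURCE(IDD_DIALOG_PEVIEW), hwndDlg, PeViewDialogProc);
            }

            return TRUE;
        }
        }
        return FALSE;
    }
    /* ... remainder of the function is elided in the article ... */

}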

选择PE文件后将弹出PE信息查看窗口对该PE文件进行初步解析。

image-20220110213214966

该对话框的消息处理函数为PeViewDialogProc,如下:

/*
 * Dialog procedure for the PE view dialog.
 *
 * WM_INITDIALOG fills the dialog through InitPeView(). WM_CLOSE and the
 * close button end the dialog. The section and directory buttons open
 * their own modal dialogs. Every other message is reported as unhandled.
 *
 * Returns TRUE when the message was handled, FALSE otherwise.
 */
BOOL CALLBACK PeViewDialogProc(
    HWND hwndDlg,   // handle to dialog box
    UINT uMsg,      // message
    WPARAM wParam,  // first message parameter
    LPARAM lParam   // second message parameter
    )
{
    if (uMsg == WM_INITDIALOG)
    {
        InitPeView(hwndDlg);
        return TRUE;
    }

    if (uMsg == WM_CLOSE)
    {
        EndDialog(hwndDlg, 0);
        return TRUE;
    }

    if (uMsg == WM_COMMAND)
    {
        /* The low word of wParam carries the control identifier. */
        const WORD controlId = LOWORD(wParam);

        if (controlId == IDC_BUTTON_PEVIEW_CLOSE)
        {
            EndDialog(hwndDlg, 0);
            return TRUE;
        }
        if (controlId == IDC_BUTTON_PEVIEW_SECTION)
        {
            /* Modal section-table dialog. */
            DialogBox(hAppInstance, MAKEINTRESOURCE(IDD_DIALOG_SECTION), hwndDlg, SectionDialogProc);
            return TRUE;
        }
        if (controlId == IDC_BUTTON_PEVIEW_DIR)
        {
            /* Modal data-directory dialog. */
            DialogBox(hAppInstance, MAKEINTRESOURCE(IDD_DIALOG_DIR), hwndDlg, DirDialogProc);
            return TRUE;
        }
    }

    /* Unknown message or unknown control: not handled here. */
    return FALSE;
}

点击区段按钮,将会弹出对话框,显示该PE文件所含区段:

image-20220110213904729

初始化节表对话框的代码如下:

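/*
 * Fill the section list view (IDC_LIST_SECTION) of the given dialog.
 *
 * Creates the six columns, reads the file named by szFileName through
 * ReadPEFile(), then adds one row per entry of the section table.
 * The file is user-selected and therefore untrusted: nothing is listed
 * unless a buffer was produced and both the DOS and NT signatures match.
 *
 * NOTE(review): ReadPEFile() is not shown on the page, so the file length
 * is not available here. e_lfanew, the NT headers and the whole section
 * table (NumberOfSections entries) still have to be bounds-checked against
 * that length before being dereferenced; the signature checks below do not
 * replace that check.
 */
VOID InitSectionView(HWND hwndDlg)
{
    /* Column captions and widths, in display order. */
    static const struct {
        const TCHAR *title;
        int width;
    } columns[] = {
        { _T("节名"),     50  },
        { _T("文件偏移"), 100 },
        { _T("文件大小"), 100 },
        { _T("内存偏移"), 100 },
        { _T("内存大小"), 100 },
        { _T("节区属性"), 100 },
    };

    LV_COLUMN lv;
    HWND hListSection;
    int col;

    memset(&lv, 0, sizeof(LV_COLUMN));
    // Handle of the IDC_LIST_SECTION list view.
    hListSection = GetDlgItem(hwndDlg, IDC_LIST_SECTION);
    // Select whole rows rather than single cells.
    SendMessage(hListSection, LVM_SETEXTENDEDLISTVIEWSTYLE, LVS_EX_FULLROWSELECT, LVS_EX_FULLROWSELECT);

    lv.mask = LVCF_TEXT | LVCF_WIDTH | LVCF_SUBITEM;
    for (col = 0; col < (int)(sizeof(columns) / sizeof(columns[0])); col++) {
        lv.pszText = (LPTSTR)columns[col].title;
        lv.cx = columns[col].width;
        /* Each column gets its own sub-item index (the sixth used to reuse 4). */
        lv.iSubItem = col;
        ListView_InsertColumn(hListSection, col, &lv);
    }

    /*
     * Clear the pointer first so a failed read is detectable.
     * Presumably ReadPEFile leaves the out-pointer untouched on failure;
     * verify against its definition.
     */
    pFileBuffer = NULL;
    ReadPEFile(szFileName, &pFileBuffer);
    if (pFileBuffer == NULL) {
        return;
    }

    pDosHeader = (PIMAGE_DOS_HEADER) pFileBuffer;
    if (pDosHeader->e_magic == IMAGE_DOS_SIGNATURE && pDosHeader->e_lfanew > 0) {
        /* Byte-pointer arithmetic: casting the pointer to DWORD truncates it on 64-bit builds. */
        pNTHeader = (PIMAGE_NT_HEADERS) ((BYTE *) pFileBuffer + pDosHeader->e_lfanew);

        if (pNTHeader->Signature == IMAGE_NT_SIGNATURE) {
            PIMAGE_SECTION_HEADER pSectionHeader = IMAGE_FIRST_SECTION(pNTHeader);
            /*
             * Take the count from the headers just parsed. pFileHeader is not
             * assigned in this function, so it may refer to another buffer.
             */
            WORD sectionCount = pNTHeader->FileHeader.NumberOfSections;

            LPSTR sectionData[6] = {0};
            TCHAR name[0x40];
            TCHAR virtualAddress[0x40];
            TCHAR sizeOfRawData[0x40];
            TCHAR pointerToRawData[0x40];
            TCHAR virtualSize[0x40];
            TCHAR characteristics[0x40];

            for (WORD i = 0; i < sectionCount; i++) {
                /*
                 * Name is an 8-byte field with no terminator when all eight
                 * bytes are used; the precision stops the read at the field end.
                 */
                sprintf(name, _T("%.8s"), pSectionHeader[i].Name);
                sprintf(pointerToRawData, _T("0x%X"), pSectionHeader[i].PointerToRawData);
                sprintf(sizeOfRawData, _T("0x%X"), pSectionHeader[i].SizeOfRawData);
                sprintf(virtualAddress, _T("0x%X"), pSectionHeader[i].VirtualAddress);
                sprintf(virtualSize, _T("0x%X"), pSectionHeader[i].Misc.VirtualSize);
                sprintf(characteristics, _T("0x%08X"), pSectionHeader[i].Characteristics);

                /*
                 * Same order as the column captions: file offset, file size,
                 * memory offset, memory size. The original put VirtualAddress
                 * under the file-offset caption and PointerToRawData under the
                 * memory-offset caption.
                 * NOTE(review): assumes InsertRow writes sectionData[k] into
                 * column k - confirm against its definition.
                 */
                sectionData[0] = name;
                sectionData[1] = pointerToRawData;
                sectionData[2] = sizeOfRawData;
                sectionData[3] = virtualAddress;
                sectionData[4] = virtualSize;
                sectionData[5] = characteristics;

                InsertRow(hListSection, sectionData);
            }
        }
    }

    free(pFileBuffer);
    /* The header pointers refer into the freed buffer; do not leave them dangling. */
    pFileBuffer = NULL;
    pDosHeader = NULL;
    pNTHeader = NULL;
}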

最终实现效果:

image-20220110214459957

image-20220110214527351


PETOOL开发日记2 - PE文件查看
https://m0ck1ng-b1rd.github.io/2022/02/20/二进制/PE Tool 开发日记 2 - PE文件查看/
作者
何语灵
发布于
2022年2月20日
许可协议