PE File Tour (described in C), part 3: hands-on with the import table, the battlefield of packing and unpacking

xiaoxiao2021-03-06  20

PE File Tour (described in C), part 3: hands-on with the import table. We finally get to the import table, so no more wasted time, let's go! First the principle. The import table is slightly more complicated than the export table of the previous article, but the "complication", in C terms, is nothing more than a few extra pointers: follow one pointer after another until you reach what you want. It is like paying a ransom: the kidnapper (T) names a place, you go there and find a phone, T names a new place, you go to the new place ... just a joke. In the previous article we found the export table through the first element of IMAGE_OPTIONAL_HEADER32.DataDirectory; the second element describes the import table. Do you still remember the type of DataDirectory? It is IMAGE_DATA_DIRECTORY, and its definition is worth repeating:

    typedef struct _IMAGE_DATA_DIRECTORY {
        DWORD VirtualAddress;
        DWORD Size;
    } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

VirtualAddress is the address of the import table (the kidnapper's phone call). Note that it is an RVA, an offset from the image base as loaded in memory, not a file offset, so before anything can be read from the file it has to be converted through the section table; the helper OnConvertVAToRawA at the end of this article does that, and every other address inside the import table (DLL names, thunk arrays, function names) needs the same conversion. What are you waiting for? Let's start!

Core code:

    int i, j;

    // First locate IMAGE_OPTIONAL_HEADER32: it follows the "PE\0\0" signature (one DWORD)
    // and IMAGE_FILE_HEADER at e_lfanew (see the PE layout diagram for why this seek works)
    IMAGE_OPTIONAL_HEADER32 myOptionalHeader;
    fseek(pFile, e_lfanew + sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER), SEEK_SET);
    fread(&myOptionalHeader, sizeof(IMAGE_OPTIONAL_HEADER32), 1, pFile);

    // Convert the RVA of the import table (DataDirectory[1], IMAGE_DIRECTORY_ENTRY_IMPORT) to a file offset
    dwFileOffset = OnConvertVAToRawA(myOptionalHeader.DataDirectory[1].VirtualAddress);
    if (dwFileOffset != (DWORD)-1)
    {
        printf("File offset of the import table: %08X\n", dwFileOffset);

        // The import table begins with an array of IMAGE_IMPORT_DESCRIPTOR (IID) structures,
        // one per implicitly linked DLL. No field records the length of the array (i.e. the
        // number of imported DLLs); instead the array ends with an all-zero element, and the
        // count is obtained by walking until that terminator.

        // IMAGE_IMPORT_DESCRIPTOR definition (from winnt.h):
        // typedef struct _IMAGE_IMPORT_DESCRIPTOR {
        //     union {
        //         DWORD Characteristics;     // 0 for terminating null import descriptor
        //         DWORD OriginalFirstThunk;  // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
        //     };
        //     DWORD TimeDateStamp;           // 0 if not bound,
        //                                    // -1 if bound, and real date/time stamp
        //                                    //   in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
        //                                    // O.W. date/time stamp of DLL bound to (Old BIND)
        //     DWORD ForwarderChain;          // -1 if no forwarders
        //     DWORD Name;                    // RVA of the DLL name (ASCII, NUL-terminated)
        //     DWORD FirstThunk;              // RVA to IAT (if bound this IAT has actual addresses)
        // } IMAGE_IMPORT_DESCRIPTOR;

        // With the file offset of the import table in hand, the IID array starts right here.
        // First count its elements: read descriptors until the all-zero terminator
        // (Characteristics and OriginalFirstThunk are the same union member).
        IMAGE_IMPORT_DESCRIPTOR iid;
        int nDllCount = 0;
        fseek(pFile, dwFileOffset, SEEK_SET);
        while (fread(&iid, sizeof(IMAGE_IMPORT_DESCRIPTOR), 1, pFile) == 1
            && ((0 != iid.Characteristics) || (0 != iid.TimeDateStamp) || (0 != iid.ForwarderChain)
                || (0 != iid.Name) || (0 != iid.FirstThunk)))
        {
            nDllCount++;
        }

        // Now read the whole array at once
        IMAGE_IMPORT_DESCRIPTOR *pIID = (IMAGE_IMPORT_DESCRIPTOR *)calloc(nDllCount, sizeof(IMAGE_IMPORT_DESCRIPTOR)); // alloc 01
        fseek(pFile, dwFileOffset, SEEK_SET);
        fread(pIID, sizeof(IMAGE_IMPORT_DESCRIPTOR), nDllCount, pFile);

        // IID.Name holds the address (an RVA) of the DLL name, not the name itself;
        // the name is a NUL-terminated string at that address.
        // --------------------- Read each DLL name through the RVA in IID.Name ---------------------
        // pName[i] is a 64-byte buffer holding the name of DLL i
        char **pName = (char **)calloc(nDllCount, sizeof(char *)); // alloc 03, released together with 04
        for (i = 0; i < nDllCount; i++)
        {
            DWORD dwNameFileOffset = OnConvertVAToRawA(pIID[i].Name);
            pName[i] = (char *)calloc(64, sizeof(char)); // alloc 04
            if (dwNameFileOffset != (DWORD)-1)
            {
                fseek(pFile, dwNameFileOffset, SEEK_SET);
                fread(pName[i], sizeof(char), 63, pFile); // 63 bytes at most; calloc supplies the terminating NUL
            }
        }

        // ------------------- Locate the IMAGE_THUNK_DATA array of each DLL -------------------
        // OriginalFirstThunk is the RVA of the import name table (INT), FirstThunk the RVA of the
        // import address table (IAT). On disk both arrays hold the same values; at load time the
        // loader overwrites the IAT with the real function addresses. Some linkers leave
        // OriginalFirstThunk at 0, in which case the IAT is the only copy and must be used instead.
        //
        // IMAGE_THUNK_DATA (32-bit) is a union of a single DWORD:
        //   ForwarderString / Function / Ordinal / AddressOfData
        // If the highest bit (IMAGE_ORDINAL_FLAG32, 0x80000000) is set, the low 16 bits are the
        // ordinal of the imported function; otherwise the DWORD is the RVA of an IMAGE_IMPORT_BY_NAME
        // structure (a WORD Hint followed by the NUL-terminated function name). The flag has to be
        // tested per entry, because one DLL may import some functions by name and others by ordinal.
        DWORD *pFirstThunkOfFileOffset = (DWORD *)malloc(sizeof(DWORD) * nDllCount); // alloc 05
        for (i = 0; i < nDllCount; i++)
        {
            DWORD dwThunkRVA = (pIID[i].OriginalFirstThunk != 0) ? pIID[i].OriginalFirstThunk : pIID[i].FirstThunk;
            pFirstThunkOfFileOffset[i] = OnConvertVAToRawA(dwThunkRVA);
        }
        if (pIID != NULL) // release alloc 01
        {
            free(pIID);
            pIID = NULL;
        }

        // ------- pFirstThunkOfFileOffset[i] is the file offset of the thunk array of DLL i -------
        // The IMAGE_THUNK_DATA array also ends with an all-zero element; that is how the number of
        // functions imported from each DLL is found (since u1 is a union, testing AddressOfData
        // tests all four members at once).
        // ------------------------------ Count the functions of each DLL ------------------------------
        int *pnFunctionCountPerDll = (int *)calloc(nDllCount, sizeof(int)); // alloc 07
        IMAGE_THUNK_DATA itd;
        for (i = 0; i < nDllCount; i++)
        {
            int nFunctionCount = 0;
            if (pFirstThunkOfFileOffset[i] != (DWORD)-1)
            {
                fseek(pFile, pFirstThunkOfFileOffset[i], SEEK_SET);
                while (fread(&itd, sizeof(IMAGE_THUNK_DATA), 1, pFile) == 1 && itd.u1.AddressOfData != 0)
                {
                    nFunctionCount++;
                }
            }
            pnFunctionCountPerDll[i] = nFunctionCount;
        }

        // -------- pnFunctionCountPerDll[i] now holds the number of functions imported from DLL i --------
        // Neither the number of DLLs nor the number of functions per DLL is fixed, so the function
        // names are kept behind a triple pointer: pFunctionName[i][j] is the name of function j of
        // DLL i. Ordinal imports have no name, so for them pFunctionName[i][j] stays NULL and
        // pFunctionOrdinal[i][j] holds the ordinal instead. There may be neater ways than a triple
        // pointer, but I think this is the best way.

        // ------------------------------ Read the name (or ordinal) of every function ------------------------------
        char  ***pFunctionName    = (char ***)calloc(nDllCount, sizeof(char **)); // alloc 09, released together with 10 and 11
        DWORD  **pFunctionOrdinal = (DWORD **)calloc(nDllCount, sizeof(DWORD *)); // alloc 25, released together with 26
        for (i = 0; i < nDllCount; i++)
        {
            pFunctionName[i]    = (char **)calloc(pnFunctionCountPerDll[i], sizeof(char *)); // alloc 10
            pFunctionOrdinal[i] = (DWORD *)calloc(pnFunctionCountPerDll[i], sizeof(DWORD));  // alloc 26
            if (pnFunctionCountPerDll[i] == 0)
                continue;

            // Read the whole thunk array of this DLL at once
            IMAGE_THUNK_DATA *pITD = (IMAGE_THUNK_DATA *)calloc(pnFunctionCountPerDll[i], sizeof(IMAGE_THUNK_DATA)); // alloc 08
            fseek(pFile, pFirstThunkOfFileOffset[i], SEEK_SET);
            fread(pITD, sizeof(IMAGE_THUNK_DATA), pnFunctionCountPerDll[i], pFile);
            for (j = 0; j < pnFunctionCountPerDll[i]; j++)
            {
                if (pITD[j].u1.Ordinal & IMAGE_ORDINAL_FLAG32)
                {
                    // Imported by ordinal: the low 16 bits are the ordinal, there is no name
                    pFunctionOrdinal[i][j] = IMAGE_ORDINAL32(pITD[j].u1.Ordinal);
                    pFunctionName[i][j] = NULL;
                }
                else
                {
                    // Imported by name: AddressOfData is the RVA of IMAGE_IMPORT_BY_NAME;
                    // skip the 2-byte Hint and read the NUL-terminated name behind it
                    DWORD dwFileOffsetOfFunction = OnConvertVAToRawA(pITD[j].u1.AddressOfData);
                    pFunctionName[i][j] = (char *)calloc(64, sizeof(char)); // alloc 11
                    if (dwFileOffsetOfFunction != (DWORD)-1)
                    {
                        fseek(pFile, dwFileOffsetOfFunction + 2, SEEK_SET);
                        fread(pFunctionName[i][j], sizeof(char), 63, pFile); // calloc supplies the terminating NUL
                    }
                }
            }
            if (pITD != NULL) // release alloc 08
            {
                free(pITD);
                pITD = NULL;
            }
        }
        if (pFirstThunkOfFileOffset != NULL) // release alloc 05
        {
            free(pFirstThunkOfFileOffset);
            pFirstThunkOfFileOffset = NULL;
        }

        // ------------------ Output: each DLL name, then the name or ordinal of every function ------------------
        for (i = 0; i < nDllCount; i++)
        {
            printf("%s (%d functions)\n", pName[i], pnFunctionCountPerDll[i]);
            for (j = 0; j < pnFunctionCountPerDll[i]; j++)
            {
                if (pFunctionName[i][j] != NULL)
                    printf("    %s\n", pFunctionName[i][j]);
                else
                    printf("    ordinal %lu\n", (unsigned long)pFunctionOrdinal[i][j]);
            }
        }

        // ------------------ Release everything ------------------
        for (i = 0; i < nDllCount; i++)
        {
            for (j = 0; j < pnFunctionCountPerDll[i]; j++)
            {
                if (pFunctionName[i][j] != NULL) // release alloc 11
                {
                    free(pFunctionName[i][j]);
                    pFunctionName[i][j] = NULL;
                }
            }
            free(pFunctionName[i]);    // release alloc 10
            free(pFunctionOrdinal[i]); // release alloc 26
            free(pName[i]);            // release alloc 04
        }
        free(pFunctionName);           // release alloc 09
        free(pFunctionOrdinal);        // release alloc 25
        free(pName);                   // release alloc 03
        free(pnFunctionCountPerDll);   // release alloc 07
    }
    else
    {
        printf("Failed to locate the import table!\n");
    }

    // Subroutine: convert an RVA to a file offset through the section table.
    // (Despite the name, the argument is an RVA, an address relative to the image base, which is
    // what every field of the import table holds.) Returns (DWORD)-1 if the RVA lies in no section.
    DWORD OnConvertVAToRawA(DWORD dwRVA)
    {
        IMAGE_SECTION_HEADER *pmySectionHeader = (IMAGE_SECTION_HEADER *)calloc(m_nSectionCount, sizeof(IMAGE_SECTION_HEADER)); // alloc 14
        // The section table directly follows the optional header
        fseek(pFile, e_lfanew + 4 + sizeof(IMAGE_FILE_HEADER) + sizeof(IMAGE_OPTIONAL_HEADER32), SEEK_SET);
        fread(pmySectionHeader, sizeof(IMAGE_SECTION_HEADER), m_nSectionCount, pFile);

        DWORD dwFilePos = (DWORD)-1;
        for (int i = 0; i < m_nSectionCount; i++)
        {
            // The RVA belongs to section i if it lies between the section's VirtualAddress and the
            // end of its raw data. Testing against the section's own SizeOfRawData instead of the
            // next section's VirtualAddress handles the last section too and never reads past the
            // end of the section table.
            if ((dwRVA >= pmySectionHeader[i].VirtualAddress)
                && (dwRVA - pmySectionHeader[i].VirtualAddress < pmySectionHeader[i].SizeOfRawData))
            {
                // file offset = RVA - section RVA + section raw offset
                dwFilePos = dwRVA - pmySectionHeader[i].VirtualAddress + pmySectionHeader[i].PointerToRawData;
                break;
            }
        }
        if (pmySectionHeader != NULL) // release alloc 14
        {
            free(pmySectionHeader);
            pmySectionHeader = NULL;
        }
        return dwFilePos;
    }

The whole series on the PE file ends here. In nearly a month of studying the PE file format I have come to understand, from the forward-engineering side, the details of how an exe file executes, and I have been exercised and improved by it, but my programming level is limited, and this pile of rubbish has serious flaws and defects. I hope the masters can spare a little of their valuable time to give me a pointer or two; at the same time I hope these small experiences can help the many readers who take knowledge and the pursuit of software technology as their ambition to get what they really want. As the old saying goes, I am throwing out a brick to attract jade. I will go on to study the resource section of the PE file and the principle of resource compression, that is, the principle of compression packers, and share whatever results I get. I hope everyone keeps developing their own thinking while learning, and truly raises their technical level. All the VC source code will be released; I hope to exchange ideas with everyone; the program is rough, please advise. All VC source code and the compiled Win32 program:
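As an added, self-contained example (not the article's VC code), the walk described above carried out over an image held in memory rather than a FILE*, with the three points a parser of untrusted input needs: every RVA is bounds-checked against the section's raw size before it is dereferenced, the ordinal flag is tested on each thunk rather than once per DLL, and a descriptor whose OriginalFirstThunk is 0 falls back to FirstThunk. The structure layouts are copied from winnt.h so it builds without the Windows SDK; the function names (rva_to_raw, parse_imports, build_sample, run_demo), the 32-bit PE32 thunk format, and the sample image are assumptions of this example. The sample is constructed in build_sample, and the DOS/NT header walk shown in the article is skipped: the section table and the import directory RVA are passed in directly.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* IMAGE_SECTION_HEADER layout from winnt.h (40 bytes), redefined so this builds without the SDK. */
typedef struct {
    uint8_t  Name[8];
    uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
    uint32_t PointerToRelocations, PointerToLinenumbers;
    uint16_t NumberOfRelocations, NumberOfLinenumbers;
    uint32_t Characteristics;
} SectionHdr;
#define IID_SIZE       20            /* sizeof(IMAGE_IMPORT_DESCRIPTOR) */
#define ORDINAL_FLAG32 0x80000000u   /* IMAGE_ORDINAL_FLAG32 */

typedef struct {
    char     dll[32];
    int      by_name;                /* 1: hint/name import, 0: ordinal import */
    uint16_t hint, ordinal;
    char     name[32];
} ImportEntry;

/* Little-endian field access; avoids unaligned reads and host-endianness assumptions. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* RVA -> file offset, the job of the article's OnConvertVAToRawA. Each section is tested against
   its own SizeOfRawData, so the last section works and the section table is never overrun. */
static int rva_to_raw(const SectionHdr *sec, int nsec, uint32_t rva, size_t len, uint32_t *raw) {
    for (int i = 0; i < nsec; i++) {
        uint32_t s = sec[i].VirtualAddress;
        if (rva >= s && rva - s < sec[i].SizeOfRawData) {
            uint64_t off = (uint64_t)sec[i].PointerToRawData + (rva - s);
            if (off >= len) return 0;                 /* header claims data the file does not have */
            *raw = (uint32_t)off;
            return 1;
        }
    }
    return 0;
}

/* Bounded copy of a NUL-terminated string stored in the image at 'off'. */
static void copy_str(char *dst, size_t cap, const uint8_t *img, size_t len, uint32_t off) {
    size_t i = 0;
    while (i + 1 < cap && off + i < len && img[off + i] != 0) { dst[i] = (char)img[off + i]; i++; }
    dst[i] = 0;
}

/* Walk the IMAGE_IMPORT_DESCRIPTOR array at import_rva (DataDirectory[1]) and fill 'out'.
   Returns the number of entries, or -1 if an RVA points outside the image or 'out' is full. */
int parse_imports(const uint8_t *img, size_t len, const SectionHdr *sec, int nsec,
                  uint32_t import_rva, ImportEntry *out, int max_out) {
    uint32_t off;
    int n = 0;
    if (!rva_to_raw(sec, nsec, import_rva, len, &off)) return -1;
    for (;; off += IID_SIZE) {
        if (off + IID_SIZE > len) return -1;
        uint32_t oft = rd32(img + off), name = rd32(img + off + 12), ft = rd32(img + off + 16);
        if (oft == 0 && name == 0 && ft == 0) break;  /* all-zero terminator */
        uint32_t name_off, toff;
        if (!rva_to_raw(sec, nsec, name, len, &name_off)) return -1;
        /* Prefer the INT; some linkers leave OriginalFirstThunk 0, then the IAT is the only copy. */
        if (!rva_to_raw(sec, nsec, oft ? oft : ft, len, &toff)) return -1;
        for (;; toff += 4) {                          /* 32-bit IMAGE_THUNK_DATA, zero-terminated */
            if (toff + 4 > len) return -1;
            uint32_t thunk = rd32(img + toff);
            if (thunk == 0) break;
            if (n >= max_out) return -1;
            ImportEntry *e = &out[n++];
            memset(e, 0, sizeof *e);
            copy_str(e->dll, sizeof e->dll, img, len, name_off);
            if (thunk & ORDINAL_FLAG32) {             /* decided per entry, not per DLL */
                e->ordinal = (uint16_t)(thunk & 0xFFFF);
            } else {                                  /* RVA of IMAGE_IMPORT_BY_NAME: WORD Hint + name */
                uint32_t hn;
                if (!rva_to_raw(sec, nsec, thunk, len, &hn) || hn + 2 > len) return -1;
                e->by_name = 1;
                e->hint = (uint16_t)(img[hn] | img[hn + 1] << 8);
                copy_str(e->name, sizeof e->name, img, len, hn + 2);
            }
        }
    }
    return n;
}

/* Constructed sample, not a real file: one section, RVA 0x1000 <-> file offset 0x200, importing
   ExitProcess (by name) and ordinal 3 from KERNEL32.dll, and MessageBoxA from USER32.dll through
   a descriptor whose OriginalFirstThunk is 0. */
#define SAMPLE_LEN 0x400
size_t build_sample(uint8_t *img, SectionHdr *sec) {
    memset(img, 0, SAMPLE_LEN);
    memset(sec, 0, sizeof *sec);
    memcpy(sec->Name, ".idata", 6);
    sec->VirtualAddress = 0x1000; sec->VirtualSize = 0x200;
    sec->PointerToRawData = 0x200; sec->SizeOfRawData = 0x200;
    uint8_t *s = img + 0x200;                         /* s + x  <->  RVA 0x1000 + x */
    wr32(s + 0x00, 0x1040); wr32(s + 0x0C, 0x1070); wr32(s + 0x10, 0x1050); /* desc 0: INT, Name, IAT */
    wr32(s + 0x14, 0);      wr32(s + 0x20, 0x1080); wr32(s + 0x24, 0x1060); /* desc 1: no INT, Name, IAT */
    /* desc 2 at s + 0x28 stays all zero: the terminator */
    wr32(s + 0x40, 0x1090); wr32(s + 0x44, ORDINAL_FLAG32 | 3);             /* KERNEL32 INT, then 0 */
    wr32(s + 0x50, 0x1090); wr32(s + 0x54, ORDINAL_FLAG32 | 3);             /* KERNEL32 IAT (same on disk) */
    wr32(s + 0x60, 0x10A0);                                                 /* USER32 IAT, then 0 */
    memcpy(s + 0x70, "KERNEL32.dll", 13);
    memcpy(s + 0x80, "USER32.dll", 11);
    s[0x90] = 0x23; s[0x91] = 0x01; memcpy(s + 0x92, "ExitProcess", 12);   /* Hint 0x0123 + name */
    s[0xA0] = 0x07; s[0xA1] = 0x00; memcpy(s + 0xA2, "MessageBoxA", 12);   /* Hint 0x0007 + name */
    return SAMPLE_LEN;
}

/* Build the sample and parse it; its import directory RVA is 0x1000. */
int run_demo(ImportEntry *out, int max_out) {
    uint8_t img[SAMPLE_LEN];
    SectionHdr sec;
    size_t len = build_sample(img, &sec);
    return parse_imports(img, len, &sec, 1, 0x1000, out, max_out);
}

int main(void) {
    ImportEntry e[8];
    int n = run_demo(e, 8);
    for (int i = 0; i < n; i++) {
        if (e[i].by_name) printf("%-14s %s (hint %u)\n", e[i].dll, e[i].name, (unsigned)e[i].hint);
        else              printf("%-14s ordinal %u\n", e[i].dll, (unsigned)e[i].ordinal);
    }
    return n < 0;
}
```

Running it lists the three imports of the sample in table order. The negative path matters as much as the positive one: a thunk or name RVA that lands in no section (a common state of packed or deliberately malformed files) makes parse_imports return -1 instead of reading whatever happens to sit at a bogus file offset, which is what the article's unchecked fseek/fread pairs would do.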

Please credit the original URL when reposting: https://www.9cbs.com/read-42077.html
