#include "stdafx.h"
#include<stdio.h>
#include<windows.h>
#include<malloc.h>
//////////////////////////////////////////////////////////////////
// FileBuffer function
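/*
 * Load the PE file at the hard-coded path into a freshly malloc'd buffer.
 *
 * ppFileBuffer  out: receives the buffer on success (the caller releases it
 *               with free()); left NULL on every failure path.
 * Returns the file size in bytes, or 0 on failure.
 *
 * The returned size is the only bound on the buffer. The parsing routines in
 * this file take the buffer without its size, so offsets and counts read from
 * the file are used unchecked there; a malformed or hostile file can drive
 * them outside the allocation.
 */
DWORD ReadPEFile(LPVOID* ppFileBuffer)
{
    FILE* pFile=NULL;
    long FileLength=0;
    DWORD SizeFileBuffer=0;

    if(!ppFileBuffer)
    {
        return 0;
    }
    // Never hand back a stale or dangling pointer when a later step fails.
    *ppFileBuffer=NULL;

    pFile=fopen("C://Documents and Settings//ma_lic//桌面//RebPE.dll","rb");
    if(!pFile)
    {
        printf("打开notepad失败\n");
        return 0;
    }

    // Determine the file size. ftell() reports -1 on error, which must not be
    // stored in an unsigned DWORD and passed to malloc as a huge length.
    if(fseek(pFile,0,SEEK_END)!=0 ||
       (FileLength=ftell(pFile))<=0 ||
       fseek(pFile,0,SEEK_SET)!=0)
    {
        printf("读取文件大小失败\n");
        fclose(pFile);   // the original leaked the handle on this path
        return 0;
    }
    SizeFileBuffer=(DWORD)FileLength;

    // Allocate the buffer.
    *ppFileBuffer=malloc(SizeFileBuffer);
    if(!*ppFileBuffer)
    {
        printf("开辟空间失败\n");
        fclose(pFile);
        return 0;
    }

    // Copy the whole file in one item; anything short of 1 is a partial read.
    if(fread(*ppFileBuffer,SizeFileBuffer,1,pFile)!=1)
    {
        printf("复制数据失败\n");
        free(*ppFileBuffer);
        *ppFileBuffer=NULL;
        fclose(pFile);
        return 0;
    }

    fclose(pFile);
    return SizeFileBuffer;
}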
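/*
 * Translate a relative virtual address (RVA) into a file offset (FOA) using
 * the section table of the PE file held in pFileBuffer.
 *
 * pFileBuffer  raw file contents (not a mapped image).
 * Rav          the RVA to translate.
 * Returns the file offset, Rav itself when it lies inside the headers, or 0
 * when no section covers it. 0 doubles as the failure value, so callers must
 * test the result before adding it to the buffer base.
 *
 * NOTE(review): e_lfanew, SizeOfOptionalHeader, NumberOfSections and every
 * section field are read straight from the file. The buffer size is not
 * available here, so none of them can be range-checked, and the returned
 * offset is not compared against SizeOfRawData or the file length. Treat the
 * result as untrusted for any file that has not been validated elsewhere.
 */
DWORD RavToFoa(LPVOID pFileBuffer,DWORD Rav)
{
    char* pBase=(char*)pFileBuffer;
    PIMAGE_DOS_HEADER pDosHeader=NULL;
    PIMAGE_NT_HEADERS pNTHeader=NULL;
    PIMAGE_FILE_HEADER pFileHeader=NULL;
    PIMAGE_OPTIONAL_HEADER pOptionalHeader=NULL;
    PIMAGE_SECTION_HEADER pSectionHeader=NULL;
    int SectionCount=0;
    int Index=0;

    if(!pFileBuffer)
    {
        return 0;
    }

    // Walk the headers with byte-pointer arithmetic and named fields; casting
    // the pointer to DWORD truncates it wherever pointers are wider than 32 bits.
    pDosHeader=(PIMAGE_DOS_HEADER)pFileBuffer;
    pNTHeader=(PIMAGE_NT_HEADERS)(pBase+pDosHeader->e_lfanew);
    pFileHeader=&pNTHeader->FileHeader;
    pOptionalHeader=&pNTHeader->OptionalHeader;
    pSectionHeader=(PIMAGE_SECTION_HEADER)((char*)pOptionalHeader+pFileHeader->SizeOfOptionalHeader);

    // Inside the headers the file layout and the image layout coincide.
    if(Rav<pOptionalHeader->SizeOfHeaders)
    {
        printf("Rav在Header里面\n");
        return Rav;
    }

    // Section i spans [its VirtualAddress, the next section's VirtualAddress);
    // the last one runs up to SizeOfImage. The lower bound is inclusive: an RVA
    // equal to a section's VirtualAddress belongs to that section, which the
    // original strict '>' comparison rejected.
    SectionCount=pFileHeader->NumberOfSections;
    for(Index=0;Index<SectionCount;Index++)
    {
        DWORD Start=pSectionHeader[Index].VirtualAddress;
        DWORD End=(Index+1<SectionCount)
                      ? pSectionHeader[Index+1].VirtualAddress
                      : pOptionalHeader->SizeOfImage;
        if(Rav>=Start && Rav<End)
        {
            return Rav-Start+pSectionHeader[Index].PointerToRawData;
        }
    }

    // No section matched (also the outcome for a file with zero sections,
    // where the original read a section header that does not exist).
    printf("Rav大于sizeofimage!!!\n");
    return 0;
}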
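/*
 * Print the export directory of the PE file held in pFileBuffer: the data
 * directory entry, the directory fields, then the function-address,
 * name-ordinal and name tables.
 *
 * pFileBuffer  raw file contents as produced by ReadPEFile.
 *
 * Returns early (printing the matching message) when the buffer is NULL or
 * the MZ / PE signatures do not match, and silently skips any table whose RVA
 * RavToFoa cannot translate (RavToFoa prints its own diagnostic).
 *
 * NOTE(review): 0x60 is the DataDirectory offset of a PE32 optional header;
 * PE32+ files keep it at 0x70 and are not handled. NumberOfFunctions,
 * NumberOfNames and all table RVAs come from the file and are not bounded
 * against the buffer size, which this function does not receive, and names
 * are printed with %s without proof that they are NUL-terminated inside the
 * buffer.
 */
VOID PrintExport(LPVOID pFileBuffer)
{
    char* pBase=(char*)pFileBuffer;
    PIMAGE_DOS_HEADER pDosHeader=NULL;
    PIMAGE_NT_HEADERS pNTHeader=NULL;
    PIMAGE_OPTIONAL_HEADER pOptionalHeader=NULL;
    PIMAGE_DATA_DIRECTORY pDataDirHeader=NULL;
    PIMAGE_EXPORT_DIRECTORY pExportHeader=NULL;
    PDWORD pAddressOfFun=NULL;
    PWORD pAddressOfNameOrdinal=NULL;
    PDWORD pAddressOfName=NULL;
    char* Name=NULL;
    DWORD Foa=0;
    // Loop counters live at function scope with distinct names so the code
    // builds under both standard and legacy for-scope rules.
    DWORD i=0;
    DWORD j=0;
    DWORD k=0;

    if(!pFileBuffer)
    {
        printf("FileBuffer函数调用失败\n");
        return;   // the original fell through and dereferenced NULL
    }
    printf("%p\n",pFileBuffer);   // %p is the matching conversion for a pointer

    // Check that this is a PE file; stop instead of parsing a non-PE buffer.
    pDosHeader=(PIMAGE_DOS_HEADER)pFileBuffer;
    if(pDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
    {
        printf("不是有效的MZ标志\n");
        return;
    }
    pNTHeader=(PIMAGE_NT_HEADERS)(pBase+pDosHeader->e_lfanew);
    if(pNTHeader->Signature!=IMAGE_NT_SIGNATURE)
    {
        printf("不是有效的PE标志\n");
        return;
    }
    pOptionalHeader=&pNTHeader->OptionalHeader;
    pDataDirHeader=(PIMAGE_DATA_DIRECTORY)((char*)pOptionalHeader+0x60);

    printf("-----------------------------------------------------\n");
    printf("导出表\n");
    printf("virtualAddress=%x\n",pDataDirHeader->VirtualAddress);
    printf("size=%x\n",pDataDirHeader->Size);
    printf("-----------------------------------------------------\n");

    // A zero offset means "no export directory" or "RVA not covered by any
    // section"; adding it to the base would reinterpret the DOS header.
    Foa=RavToFoa(pFileBuffer,(DWORD)pDataDirHeader->VirtualAddress);
    if(!Foa)
    {
        return;
    }
    pExportHeader=(PIMAGE_EXPORT_DIRECTORY)(pBase+Foa);

    printf("Characteristics=%x\n",pExportHeader->Characteristics);
    printf("TimeDateStamp=%x\n",pExportHeader->TimeDateStamp);
    printf("MajorVersion=%x\n",pExportHeader->MajorVersion);
    printf("Name=%x\n",pExportHeader->Name);
    printf("Base=%x\n",pExportHeader->Base);
    // The original printed NumberOfNames under this label.
    printf("NumberOfFunctions=%x\n",pExportHeader->NumberOfFunctions);
    printf("NumberOfNames=%x\n",pExportHeader->NumberOfNames);

    printf("--------------------------------------------------\n");
    printf("AddressOfFun\n");
    Foa=RavToFoa(pFileBuffer,pExportHeader->AddressOfFunctions);
    if(Foa)
    {
        pAddressOfFun=(PDWORD)(pBase+Foa);
        for(i=0;i<pExportHeader->NumberOfFunctions;i++)
        {
            printf("下标:%d, ",(int)i);
            printf("函数地址:%x\n",pAddressOfFun[i]);
        }
    }

    printf("------------------------------------------------\n");
    printf("AddressOfNameOrdinals\n");
    Foa=RavToFoa(pFileBuffer,(DWORD)pExportHeader->AddressOfNameOrdinals);
    if(Foa)
    {
        pAddressOfNameOrdinal=(PWORD)(pBase+Foa);
        for(j=0;j<pExportHeader->NumberOfNames;j++)
        {
            printf("下标:%d, , ",(int)j);
            printf("序号%x\n",pAddressOfNameOrdinal[j]);
        }
    }

    printf("------------------------------------------------\n");
    printf("AddressOfNames\n");
    Foa=RavToFoa(pFileBuffer,pExportHeader->AddressOfNames);
    if(Foa)
    {
        pAddressOfName=(PDWORD)(pBase+Foa);
        for(k=0;k<pExportHeader->NumberOfNames;k++)
        {
            // Each entry is itself an RVA of a name string; skip entries
            // that do not translate rather than printing from the file base.
            Foa=RavToFoa(pFileBuffer,pAddressOfName[k]);
            if(!Foa)
            {
                continue;
            }
            Name=pBase+Foa;
            printf("下标:%d, , ",(int)k);
            printf("函数名称=%s\n",Name);
        }
    }
}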
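/*
 * Prompt for an export ordinal on stdin and look it up in the export address
 * table of the PE file held in pFileBuffer.
 *
 * pFileBuffer  raw file contents as produced by ReadPEFile.
 * Returns the table entry cast to LPVOID, or NULL when the buffer is not a
 * PE file, the export directory cannot be located, or the ordinal is invalid.
 * The entry is the value stored in the file (an RVA), not a pointer into
 * pFileBuffer; a stored value of 0 is indistinguishable from failure.
 *
 * The ordinal is user input and Base / NumberOfFunctions come from the file,
 * so the index is range-checked before the table is read. The table's own
 * location is still not bounded against the buffer size, which this function
 * does not receive.
 */
LPVOID GetFunAddressByOrdinal(LPVOID pFileBuffer)
{
    char* pBase=(char*)pFileBuffer;
    PIMAGE_DOS_HEADER pDosHeader=NULL;
    PIMAGE_NT_HEADERS pNTHeader=NULL;
    PIMAGE_OPTIONAL_HEADER pOptionalHeader=NULL;
    PIMAGE_DATA_DIRECTORY pDataDirHeader=NULL;
    PIMAGE_EXPORT_DIRECTORY pExportHeader=NULL;
    PDWORD pAddressOfFun=NULL;
    DWORD Foa=0;
    int num=0;
    int Ordinal=0;
    int i=0;

    if(!pFileBuffer)
    {
        printf("FileBuffer函数调用失败\n");
        return NULL;   // the original fell through and dereferenced NULL
    }
    printf("%p\n",pFileBuffer);   // %p is the matching conversion for a pointer

    // Check that this is a PE file; stop instead of parsing a non-PE buffer.
    pDosHeader=(PIMAGE_DOS_HEADER)pFileBuffer;
    if(pDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
    {
        printf("不是有效的MZ标志\n");
        return NULL;
    }
    pNTHeader=(PIMAGE_NT_HEADERS)(pBase+pDosHeader->e_lfanew);
    if(pNTHeader->Signature!=IMAGE_NT_SIGNATURE)
    {
        printf("不是有效的PE标志\n");
        return NULL;
    }
    pOptionalHeader=&pNTHeader->OptionalHeader;
    // 0x60: DataDirectory offset in a PE32 optional header (PE32+ differs).
    pDataDirHeader=(PIMAGE_DATA_DIRECTORY)((char*)pOptionalHeader+0x60);

    // A zero offset means the export directory is absent or unmappable.
    Foa=RavToFoa(pFileBuffer,(DWORD)pDataDirHeader->VirtualAddress);
    if(!Foa)
    {
        return NULL;
    }
    pExportHeader=(PIMAGE_EXPORT_DIRECTORY)(pBase+Foa);

    printf("输入你要查询的序号\n");
    // Reject unparsable input and any ordinal outside
    // [Base, Base + NumberOfFunctions); the original indexed the table with
    // whatever was typed, including negative and oversized values.
    if(scanf("%d",&num)!=1 ||
       num<0 ||
       (DWORD)num<pExportHeader->Base ||
       (DWORD)num-pExportHeader->Base>=pExportHeader->NumberOfFunctions)
    {
        printf("序号无效\n");
        return NULL;
    }
    Ordinal=(int)((DWORD)num-pExportHeader->Base);

    Foa=RavToFoa(pFileBuffer,pExportHeader->AddressOfFunctions);
    if(!Foa)
    {
        return NULL;
    }
    pAddressOfFun=(PDWORD)(pBase+Foa);

    // Trace output kept from the original: one line per skipped table slot.
    for(i=0;i<Ordinal;i++)
    {
        printf("%d\n",i);
    }

    printf("你要寻找的函数地址是=%x\n",pAddressOfFun[Ordinal]);
    // Widen through size_t so the 32-bit value converts to a pointer cleanly.
    return (LPVOID)(size_t)pAddressOfFun[Ordinal];
}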
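/*
 * Look up an exported function by name in the PE file held in pFileBuffer.
 *
 * pFileBuffer  raw file contents as produced by ReadPEFile.
 * str          NUL-terminated export name to search for.
 * Returns the export address table entry for that name cast to LPVOID, or
 * NULL when the buffer is not a PE file, a table cannot be located, the name
 * is not exported, or the name's ordinal points outside the address table.
 * The entry is the value stored in the file (an RVA), not a pointer into
 * pFileBuffer.
 *
 * NOTE(review): the name strings, NumberOfNames and all table RVAs come from
 * the file. The buffer size is not passed in, so strcmp() runs on names that
 * are not proven to be NUL-terminated inside the buffer and the tables are
 * not bounded against the file length.
 */
LPVOID GetAddressByName(LPVOID pFileBuffer,char* str)
{
    char* pBase=(char*)pFileBuffer;
    PIMAGE_DOS_HEADER pDosHeader=NULL;
    PIMAGE_NT_HEADERS pNTHeader=NULL;
    PIMAGE_OPTIONAL_HEADER pOptionalHeader=NULL;
    PIMAGE_DATA_DIRECTORY pDataDirHeader=NULL;
    PIMAGE_EXPORT_DIRECTORY pExportHeader=NULL;
    PDWORD pAddressOfName=NULL;
    PWORD pAddressOfNameOrdinal=NULL;
    PDWORD pAddressOfFun=NULL;
    char* Name=NULL;
    DWORD Foa=0;
    WORD Ordinal=0;
    // Counters are declared here, not in the for statements: k is read after
    // its loop, which standard for-scope rules do not allow for a loop-local.
    DWORD k=0;
    DWORD j=0;
    DWORD i=0;

    if(!pFileBuffer)
    {
        printf("FileBuffer函数调用失败\n");
        return NULL;   // the original fell through and dereferenced NULL
    }
    printf("%p\n",pFileBuffer);   // %p is the matching conversion for a pointer
    if(!str)
    {
        return NULL;   // strcmp() on a NULL pointer is undefined
    }

    // Check that this is a PE file; stop instead of parsing a non-PE buffer.
    pDosHeader=(PIMAGE_DOS_HEADER)pFileBuffer;
    if(pDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
    {
        printf("不是有效的MZ标志\n");
        return NULL;
    }
    pNTHeader=(PIMAGE_NT_HEADERS)(pBase+pDosHeader->e_lfanew);
    if(pNTHeader->Signature!=IMAGE_NT_SIGNATURE)
    {
        printf("不是有效的PE标志\n");
        return NULL;
    }
    pOptionalHeader=&pNTHeader->OptionalHeader;
    // 0x60: DataDirectory offset in a PE32 optional header (PE32+ differs).
    pDataDirHeader=(PIMAGE_DATA_DIRECTORY)((char*)pOptionalHeader+0x60);

    // A zero offset means the export directory is absent or unmappable.
    Foa=RavToFoa(pFileBuffer,(DWORD)pDataDirHeader->VirtualAddress);
    if(!Foa)
    {
        return NULL;
    }
    pExportHeader=(PIMAGE_EXPORT_DIRECTORY)(pBase+Foa);

    // Step 1: find the index of the requested name in the name table.
    Foa=RavToFoa(pFileBuffer,pExportHeader->AddressOfNames);
    if(!Foa)
    {
        return NULL;
    }
    pAddressOfName=(PDWORD)(pBase+Foa);
    for(k=0;k<pExportHeader->NumberOfNames;k++)
    {
        Foa=RavToFoa(pFileBuffer,pAddressOfName[k]);
        if(!Foa)
        {
            continue;   // entry does not map to file data; cannot match
        }
        Name=pBase+Foa;
        if(!strcmp(Name,str))
        {
            break;
        }
    }
    // The original carried on with k == NumberOfNames when nothing matched,
    // reading one element past the ordinal table and returning an unrelated
    // function.
    if(k>=pExportHeader->NumberOfNames)
    {
        printf("没有找到该函数名称\n");
        return NULL;
    }

    // Step 2: the same index in the name-ordinal table gives the slot number.
    Foa=RavToFoa(pFileBuffer,(DWORD)pExportHeader->AddressOfNameOrdinals);
    if(!Foa)
    {
        return NULL;
    }
    pAddressOfNameOrdinal=(PWORD)(pBase+Foa);
    // Trace output kept from the original: one entry per skipped index.
    for(j=0;j<k;j++)
    {
        printf("下标:%d, , ",(int)j);
    }
    Ordinal=pAddressOfNameOrdinal[k];
    // The slot number is file data; refuse one that lies outside the table.
    if(Ordinal>=pExportHeader->NumberOfFunctions)
    {
        return NULL;
    }

    // Step 3: read that slot of the export address table.
    Foa=RavToFoa(pFileBuffer,pExportHeader->AddressOfFunctions);
    if(!Foa)
    {
        return NULL;
    }
    pAddressOfFun=(PDWORD)(pBase+Foa);
    for(i=0;i<Ordinal;i++)
    {
        printf("下标:%d, ",(int)i);
    }

    printf("你要寻找的函数地址是=%x\n",pAddressOfFun[Ordinal]);
    // Widen through size_t so the 32-bit value converts to a pointer cleanly.
    return (LPVOID)(size_t)pAddressOfFun[Ordinal];
}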
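/*
 * Entry point: load the PE file, dump its export directory, then resolve the
 * export named "DumpFix". Always returns 0, including when loading fails.
 */
int main()
{
    LPVOID pFileBuffer=NULL;
    DWORD SizeOfFileBuffer=0;

    // Read the file into a heap buffer; 0 means nothing was loaded.
    SizeOfFileBuffer=ReadPEFile(&pFileBuffer);
    if(!SizeOfFileBuffer)
    {
        printf("FileBuffer函数调用失败 \n");
        return 0;
    }

    // NOTE(review): SizeOfFileBuffer is the only bound on the buffer and is
    // not passed on; the parsers below trust offsets found inside the file.
    PrintExport(pFileBuffer);
    GetAddressByName(pFileBuffer,"DumpFix");

    // Release the buffer ReadPEFile allocated; the original never freed it.
    free(pFileBuffer);
    pFileBuffer=NULL;
    return 0;
}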