PE文件

// 插入区块
bool InsertSection(BYTE *decBuf)
{
 cout<<"计算区块各参数:";
 // 插入区块， 先获取OEP
 const int offDOSStub = 0x3C;
 long      off_elfanew = 0;   // 根据类型直接读出即可。
    char  szPEHead[5];           // PE00
 WORD  Machine = 0;           // CPU类型   
 DWORD AddressOfEntryPoint = 0; // 程序执行入口RVA
 DWORD ImageBase = 0;         // 程序默认装入基址
    WORD  SubSystem = 0;         // 子系统， 控制台或其他
    DWORD SizeOfImage = 0;       // 内存中整个PE映像大小
    WORD  SizeOfOptionalHeader = 0; // 可选映像头大小
    DWORD SectionTableHeaderValue = 0;  // 块表首值  PE(Base) + 0x12 + SizeOfOptionalHeader
    WORD NumberOfSections        = 0;  // 块(Section)个数
 DWORD SectionsLength          = 0;  // 块长度

 FILE* test = fopen("test.txt", "wb");

 memcpy(&off_elfanew, &decBuf[offDOSStub], sizeof(long));
 fwrite(&off_elfanew, 1, sizeof(off_elfanew), test);
 memcpy(szPEHead, &decBuf[off_elfanew], sizeof(szPEHead));
 fwrite(szPEHead, 1, sizeof(szPEHead)-1, test);
 memcpy(&Machine, &decBuf[off_elfanew + 0x4], sizeof(WORD));
 if(Machine == 0x14C)
   printf("CPU Intel i386或以上系列: %X\n", Machine);
    memcpy(&AddressOfEntryPoint, &decBuf[off_elfanew + 0x28], sizeof(DWORD));
 printf("程序入口点: 0x0%X\n", AddressOfEntryPoint);
    memcpy(&ImageBase, &decBuf[off_elfanew + 0x34], sizeof(DWORD));
 printf("镜像基址: 0x0%X\n", ImageBase);
    memcpy(&SubSystem, &decBuf[off_elfanew + 0x5C], sizeof(WORD));
 switch(SubSystem)
 {
 case 0:
  printf("未知子系统\n");
  break;
 case 1:
        printf("不需要子系统: 0x0%X\n", SubSystem);
  break;
 case 2:
  printf("图形接口子系统(GUI): 0x0%X\n", SubSystem);
  break;
 case 3:
  printf("控制台子系统(Console or DOS or CUI): 0x0%X\n", SubSystem);
  break;
 case 5:
  printf("OS/2字符子系统: 0x0%X\n", SubSystem);
  break;
 case 7:
  printf("POSIX字符子系统: 0x0%X\n", SubSystem);
  break;
 
 default:
  printf("未知子系统\n");
  break;
 }
 memcpy(&SizeOfImage, &decBuf[off_elfanew + 0x50], sizeof(DWORD));
 printf("内存镜像大小: 0x%X\n", SizeOfImage);
    memcpy(&SizeOfOptionalHeader, &decBuf[off_elfanew + 0x14], sizeof(WORD));
 printf("可选映像头大小: %d字节(%X)\n", SizeOfOptionalHeader,SizeOfOptionalHeader);
    memcpy(&SectionTableHeaderValue, &decBuf[off_elfanew + 0x18 + SizeOfOptionalHeader], sizeof(DWORD));
 printf("块表首值: %X\n", SectionTableHeaderValue);
    memcpy(&NumberOfSections, &decBuf[off_elfanew + 0x06], sizeof(WORD));
 printf("块(Sections)个数: %X\n", NumberOfSections);
   
 IMAGE_SECTION_HEADER  tISH;   // 块表结构实例
 printf("块表项结构大小: %d字节\n", sizeof(tISH));
 int t_totalSectionLength = sizeof(tISH) * NumberOfSections;
    printf("总块表长度: %d字节(%X)\n", t_totalSectionLength, t_totalSectionLength);
    int t_InsertPosition = 0x18 + SizeOfOptionalHeader + t_totalSectionLength;
 printf("插块表项偏移位置: 0x0%X\n", t_InsertPosition);

 fclose(test);
 return 0;
}