I've been writing a PE tool recently.
Plenty of people have already written this so many times they are sick of it, but for me it's the first time.
So far I have finished:
IsPeFile (checks whether a file is a PE file), ShowPeInfo (prints the value of every member of IMAGE_DOS_HEADER / IMAGE_FILE_HEADER / IMAGE_OPTIONAL_HEADER),
RVA2Offset (converts a relative virtual address to a file offset), PrintfImportTable (prints the import table).
The problem I ran into most often while writing it was forgetting to cast pointers, which made the output complete garbage.
Below is the RVA2Offset code. It's not well written, so pointers are welcome.
    #include <windows.h>
    #include <stdio.h>

    DWORD RVA2Offset(LPVOID lpAddress, DWORD RVA)
    {
        PIMAGE_DOS_HEADER dos_header = (PIMAGE_DOS_HEADER)lpAddress;
        PIMAGE_NT_HEADERS32 nt_header = (PIMAGE_NT_HEADERS32)((BYTE*)lpAddress + dos_header->e_lfanew);
        // The section table starts right after the optional header. IMAGE_FIRST_SECTION uses
        // FileHeader.SizeOfOptionalHeader; sizeof(IMAGE_NT_HEADERS32) is only right when the
        // optional header has its default size.
        PIMAGE_SECTION_HEADER section_header = IMAGE_FIRST_SECTION(nt_header);
        PIMAGE_SECTION_HEADER p = section_header;
        DWORD NumberOfSections = nt_header->FileHeader.NumberOfSections;
        // Work out which section the RVA belongs to, compute that section's delta
        // (delta = section RVA - section file offset), then RVA - delta is the file offset.
        DWORD SectionStartRVA = 0;    // RVA
        DWORD SectionEndRVA = 0;      // RVA
        DWORD SectionStartOffset = 0; // file offset
        DWORD delta = 0;
        DWORD offset = 0;
        for (DWORD i = 0; i < NumberOfSections; i++, p++)
        {
            SectionStartRVA = p->VirtualAddress; // VirtualAddress here is an RVA; don't read it as a VA just because of the name
            SectionEndRVA = p->Misc.VirtualSize + p->VirtualAddress;
            SectionStartOffset = p->PointerToRawData;
            delta = SectionStartRVA - SectionStartOffset;
            if (RVA >= SectionStartRVA && RVA < SectionEndRVA)
            {
                offset = RVA - delta;
                // printf("0x%x对应的Offset是0x%x\n", RVA, offset);
                return offset;
            }
        }
        // Note: 0 is also a valid file offset (RVA 0 is the DOS header), so callers
        // cannot distinguish this failure value from a real result.
        printf("该RVA不属于任何区段");
        return 0;
    }
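As an added example (not the post's code), here is the same RVA-to-offset walk written over a hypothetical section_t struct so it builds without winnt.h, fed with the AcGenral.dll section table the tool printed below. It goes a little beyond the post's function: RVAs inside the headers map 1:1, a section's extent is the larger of VirtualSize and SizeOfRawData, an RVA in the memory-only tail of a section is reported as having no file bytes, and failure is a sentinel instead of 0.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for IMAGE_SECTION_HEADER holding only the fields
 * the mapping needs, so the example compiles without winnt.h. */
typedef struct {
    const char *name;
    uint32_t    virtual_address;   /* RVA at which the section is mapped   */
    uint32_t    virtual_size;      /* Misc.VirtualSize: extent in memory    */
    uint32_t    pointer_to_raw;    /* PointerToRawData: file offset         */
    uint32_t    size_of_raw;       /* SizeOfRawData: bytes present on disk  */
} section_t;
/* 0 is a legal file offset (RVA 0 is the DOS header), so failure needs its own value. */
#define NO_OFFSET 0xFFFFFFFFu
/* Section table of AcGenral.dll exactly as the tool printed it. */
static const section_t acgenral_sections[] = {
    { ".text",  0x00001000, 0x00031FCD, 0x00000400, 0x00032000 },
    { ".data",  0x00033000, 0x00008AFC, 0x00032400, 0x00005C00 },
    { ".rsrc",  0x0003C000, 0x00187130, 0x00038000, 0x00187200 },
    { ".reloc", 0x001C4000, 0x0000535E, 0x001BF200, 0x00005400 },
};
#define ACGENRAL_SIZE_OF_HEADERS 0x00000400u

/* Map an RVA to a file offset. Returns NO_OFFSET when the RVA falls in no section,
 * or in the part of a section that exists only in memory (zero-filled data not stored on disk). */
uint32_t rva_to_offset(const section_t *secs, size_t nsecs,
                       uint32_t size_of_headers, uint32_t rva)
{
    if (rva < size_of_headers)          /* headers are mapped 1:1 and have no section entry */
        return rva;
    for (size_t i = 0; i < nsecs; i++) {
        const section_t *s = &secs[i];
        /* VirtualSize may be smaller than the aligned raw size, or 0 with some
         * old linkers, so take the larger of the two as the section's extent. */
        uint32_t extent = s->virtual_size > s->size_of_raw ? s->virtual_size : s->size_of_raw;
        if (rva < s->virtual_address || rva - s->virtual_address >= extent)
            continue;
        uint32_t delta = rva - s->virtual_address;  /* same "delta" idea as RVA2Offset above */
        return delta < s->size_of_raw ? s->pointer_to_raw + delta : NO_OFFSET;
    }
    return NO_OFFSET;
}

int main(void)
{
    uint32_t off = rva_to_offset(acgenral_sections, 4, ACGENRAL_SIZE_OF_HEADERS, 0x000316C8);
    printf("import directory RVA 0x000316C8 -> offset 0x%08X\n", off); /* 0x00030AC8 */
    return 0;
}
```

The import directory RVA from the tool's output (0x000316C8) lands at 0x00030AC8, the same offset the tool reports for the import table.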
Output of the whole program:
    please select a file!
    PATH:C:\WINDOWS\system32\dllcache\AcGenral.dll
    is a pe file!
    SECTION NAME .text   Characteristc 60000020 RAV 00001000 SIZE 00031FCD RAW 00000400 Size 00032000
    SECTION NAME .data   Characteristc C0000040 RAV 00033000 SIZE 00008AFC RAW 00032400 Size 00005C00
    SECTION NAME .rsrc   Characteristc 40000040 RAV 0003C000 SIZE 00187130 RAW 00038000 Size 00187200
    SECTION NAME .reloc  Characteristc 42000040 RAV 001C4000 SIZE 0000535E RAW 001BF200 Size 00005400
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    IMAGE_DOS_HEADER
    PE address 0x000000e8
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    IMAGE_FILE_HEADER
    Machine 0x014C
    Number of Section 0x0004
    Time Stamp 0x4802BD6F
    Size of Optional Header 0x00E0
    Characteristic 0x210E
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    IMAGE_OPTIONAL_HEADER
    Entry Point 0x0002606E
    ImageBase 0x58FB0000
    Size of Image 0x001CA000
    SizeOfHeaders 0x00000400
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Export Directory     RVA:0x00032F70 SIZE:0x0000005D
    IMPORT Directory     RVA:0x000316C8 SIZE:0x0000012C
    Resource Directory   RVA:0x0003C000 SIZE:0x00187130
    Relocation Directory RVA:0x001C4000 SIZE:0x000038FC
    TLS Directory        RVA:0x00000000 SIZE:0x00000000
    Import Address Table RVA:0x00001000 SIZE:0x0000043C
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    该文件的输入表位于offset 0x00030AC8
    DllName ntdll.dll    Original First Thunk 0x00031BC4 TimeStamp 0xFFFFFFFF ForwarderChain 0xFFFFFFFF FirstThunk 0x000013D0
    DllName KERNEL32.dll Original First Thunk 0x00031854 TimeStamp 0xFFFFFFFF ForwarderChain 0xFFFFFFFF FirstThunk 0x00001060
    DllName USER32.dll   Original First Thunk 0x00031AE4 TimeStamp 0xFFFFFFFF ForwarderChain 0xFFFFFFFF FirstThunk 0x000012F0
    DllName GDI32.dll    Original First Thunk 0x0003182C TimeStamp 0xFFFFFFFF ForwarderChain 0xFFFFFFFF FirstThunk 0x00001038
    DllName ADVAPI32.dll Original First Thunk 0x000317F4 TimeStamp 0xFFFFFFFF ForwarderChain 0xFFFFFFFF FirstThunk 0x00001000
    DllName WINMM.dll    Original First Thunk 0x00031BBC TimeStamp 0xFFFFFFFF ForwarderChain 0xFFFFFFFF FirstThunk 0x000013C8
    DllName ole32.dll    Original First Thunk 0x00031C18 TimeStamp 0xFFFFFFFF ForwarderChain 0xFFFFFFFF FirstThunk 0x00001424
    DllName OLEAUT32.dll Original First Thunk 0x00031ABC TimeStamp 0xFFFFFFFF ForwarderChain 0xFFFFFFFF FirstThunk 0x000012C8
    DllName MSACM32.dll  Original First Thunk 0x00031AB0 TimeStamp 0xFFFFFFFF ForwarderChain 0xFFFFFFFF FirstThunk 0x000012BC
    DllName VERSION.dll  Original First Thunk 0x00031BAC TimeStamp 0xFFFFFFFF ForwarderChain 0xFFFFFFFF FirstThunk 0x000013B8
    DllName SHELL32.dll  Original First Thunk 0x00031ACC TimeStamp 0xFFFFFFFF ForwarderChain 0xFFFFFFFF FirstThunk 0x000012D8
    DllName SHLWAPI.dll  Original First Thunk 0x00031ADC TimeStamp 0xFFFFFFFF ForwarderChain 0xFFFFFFFF FirstThunk 0x000012E8
    DllName USERENV.dll  Original First Thunk 0x00031B94 TimeStamp 0xFFFFFFFF ForwarderChain 0xFFFFFFFF FirstThunk 0x000013A0
    DllName UxTheme.dll  Original First Thunk 0x00031BA4 TimeStamp 0xFFFFFFFF ForwarderChain 0xFFFFFFFF FirstThunk 0x000013B0
    ImportTable信息输出完毕
Off to bed; I'll keep going tomorrow.