滴水三期PE解析实例Funtion.cpp58.44 KB-C++/C-卡了网

//函数文件#include#include"Funtion.h"#include"tools.h"#include "malloc.h"//动态申请分配内存函数需要的头文件BOOL Initialization_PROCESS(HWND hDlg)//hDlg是主窗口句柄{LV_COLUMN lv; //LV_COLUMN是框的表头属性包含(显示文本,多少行,多少列)HWND hListProcess;//控件框句柄memset(&lv,0,sizeof(LV_COLUMN));//将lv写0,在堆栈中建立的里面有垃圾值//获取主窗口上控件框句柄 hListProcess=GetDlgItem(hDlg,IDC_LIST_PROCESS);//设置整行选中风格,发消息给系统告诉系统这个框里面的内容如果被选中就整行选中SendMessage(hListProcess,LVM_SETEXTENDEDLISTVIEWSTYLE,LVS_EX_FULLROWSELECT,LVS_EX_FULLROWSELECT);//设置表头lv.mask=LVCF_TEXT | LVCF_WIDTH | LVCF_SUBITEM;//设置表头第一列 iSubItem=0 ,0开始lv.pszText=TEXT("进程"); //列标题lv.cx= 300; //列宽lv.iSubItem=0; //这是第几列SendMessage(hListProcess,LVM_INSERTCOLUMN,0,(DWORD)&lv);//第二列lv.pszText=TEXT("PID");lv.cx= 65;lv.iSubItem=1; //这是第几列SendMessage(hListProcess,LVM_INSERTCOLUMN,1,(DWORD)&lv);//第三列lv.pszText=TEXT("镜像基址");lv.cx= 110;lv.iSubItem=2; //这是第几列SendMessage(hListProcess,LVM_INSERTCOLUMN,2,(DWORD)&lv);//第四列lv.pszText=TEXT("镜像大小");lv.cx= 110;lv.iSubItem=3; //这是第几列SendMessage(hListProcess,LVM_INSERTCOLUMN,3,(DWORD)&lv);EnumProcess(hListProcess); return TRUE;}//初始化Moudle框的表头属性BOOL Initialization_MOUDLE(HWND hDlg){LV_COLUMN lv;HWND hListMoudle;memset(&lv,0,sizeof(LV_COLUMN));hListMoudle=GetDlgItem(hDlg,IDC_LIST_MOUDLE);//设置整行选中SendMessage(hListMoudle,LVM_SETEXTENDEDLISTVIEWSTYLE,LVS_EX_FULLROWSELECT,LVS_EX_FULLROWSELECT);lv.mask=LVCF_TEXT | LVCF_WIDTH | LVCF_SUBITEM;//指定LV_COLUMN结构里成员几个有效这里是-->表头内容,表头列宽,表头列下标(索引)lv.pszText=TEXT("模块名");lv.cx=292;lv.iSubItem=0;ListView_InsertColumn(hListMoudle,0,&lv);//和send函数一样插入表头0列属性lv.pszText=TEXT("模块基址");lv.cx=293;lv.iSubItem=1;ListView_InsertColumn(hListMoudle,1,&lv);//和send函数一样插入表头1列属性return TRUE;}//遍历所有进程将其显示在LIST_PROCESS框里BOOL EnumProcess(HWND hLstprocess)//hLstprocess是主窗口上面那个列表框的句柄{CHAR a[260]={0};HANDLE hSnapshot=0;//创建进程快照句柄变量PROCESSENTRY32 pi;//创建进程信息结构体变量(该结构体包含进程信息属性如PID,模块,线程,基址,路径等等)memset(&pi,0,sizeof(PROCESSENTRY32));//写0 栈中分配所以要写0LV_ITEM vitem;//这是列表框中显示的内容结构memset(&vitem,0,sizeof(LV_ITEM));//写0;vitem.mask=LVIF_TEXT;hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPALL,0);//获取系统进程快照信息pi.dwSize=sizeof(PROCESSENTRY32);//将大小初始化//首次遍历BOOL bRet=Process32First(hSnapshot,&pi);if(bRet==FALSE){return FALSE; } int i=0;int i1=0;int i3=0;char str[25];//堆栈中的数组用于将数据转换成unicode格式memset(&m_module,0,sizeof(ModuleEntry32));//写0ModuleEntry32* Pm_module=&m_module;//定义一个指针指向模块结构 //开始循环遍历进程信息while(bRet){memset(&m_module,0,sizeof(ModuleEntry32));//写0 EnumMoudle(pi.th32ProcessID,pi.szExeFile,Pm_module);//获取当前进程中模块名基址和大小if(m_module.hModule!=0){vitem.pszText=(TCHAR*)pi.szExeFile;vitem.iItem=i3; //行i3 ;//列表框下一行vitem.iSubItem=0; //列SendMessage(hLstprocess,LVM_INSERTITEM,0,(DWORD)&vitem);//LVM_INSERTITEM是插入1行memset(str,0,25);sprintf(str,"%x",pi.th32ProcessID);//将整数型转为char型字符串 i=0; i1=0;/*DbgPrintf("%s, %x\n",pi.szExeFile,pi.th32ProcessID);*/ while(str[i]!=0){a[i1]=str[i];a[i1 1]=0;a[i1 2]=0;i ;i1=i1 2;}vitem.pszText=(TCHAR*)a;//uncode字符串vitem.iSubItem=1;//列SendMessage(hLstprocess,LVM_SETITEM,0,(DWORD)&vitem);//LVM_SETITEM是设置1行memset(str,0,25);sprintf(str,"%x",m_module.hModule);//将整数型转为char型字符串i=0;i1=0;//DbgPrintf("%s, %x\n",pi.szExeFile,pi.th32DefaultHeapID);while(str[i]!=0){a[i1]=str[i];a[i1 1]=0;a[i1 2]=0;i ;i1=i1 2;}vitem.pszText=(TCHAR*)a;//uncode字符串vitem.iSubItem=2;//列SendMessage(hLstprocess,LVM_SETITEM,0,(DWORD)&vitem);//LVM_INSERTITEM是设置1行 //这是镜像大小//DbgPrintf("%x, %x\n",m_module.modBaseAddr,m_module.modBaseSize);memset(str,0,25);sprintf(str,"%x",m_module.modBaseSize);//将整数型转为char型字符串i=0;i1=0;//DbgPrintf("%s, %x\n",pi.szExeFile,pi.th32DefaultHeapID);while(str[i]!=0){a[i1]=str[i]; //复制为unicode字符串类型a[i1 1]=0;a[i1 2]=0;i ;i1=i1 2;}vitem.pszText=(TCHAR*)a;//uncode字符串vitem.iSubItem=3;//列SendMessage(hLstprocess,LVM_SETITEM,0,(DWORD)&vitem);//LVM_SETITEM是设置1行}bRet = Process32Next(hSnapshot,&pi);//获取pi里的进程的下一个进程 }CloseHandle (hSnapshot); //关闭 return TRUE;}//遍历当前进程模块函数BOOL EnumMoudle(DWORD PID,WCHAR* Modulename,ModuleEntry32* pModule)//参数1系统进程快照句柄,参数2 需遍历的进程PID,参数三是OUT参数模块结构体{ //创建遍历模块需要的结构体MODULEENTRY32 m_Module;memset(&m_Module,0,sizeof(MODULEENTRY32));//堆中分配写0安全HANDLE hSnapshot;//创建进程块照信息变量m_Module.dwSize=sizeof(MODULEENTRY32);//必须初始化大小才能用Module32First函数hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,PID);//获取系统进程快照信息//开始遍历所有模块///*ModuleEntry32* m_pModule;*/BOOL bRet=Module32First(hSnapshot,&m_Module);//首次遍历进程快照信息int i=0;int i1=0;TCHAR a[50];memset(a,0,50);while(bRet){while(i1>=0){if((m_Module.szModule[i1])!=0&&(m_Module.szModule[i1 1]!=0))//判断模块名多长用于内存比较{ i ;//模块名长度}else{ i1=-2;} i1 ;}if(memcmp(m_Module.szModule,Modulename,i-8)==0)//判断这个模块是不是属于我这个进程{memcpy(pModule,&m_Module,sizeof(MODULEENTRY32));//复制进我传进来的结构体内} bRet=Module32Next(hSnapshot,&m_Module);//获取当前m_Module里面的进程的下一个进程信息; } CloseHandle (hSnapshot); //关闭进程快照 return TRUE;}//遍历选中进程的所有模块,将其显示在Listcontrol_MODULE控件窗口上BOOL ENummoduleTolistcrotrol(HWND hLstprocess,HWND hwndDLg)//hLstprocess是Listcontrol_PROCESS控件的句柄;{//hLstprocess得到列表框当前选中项的PID的值DWORD dwRowId=0;//进程pid变量LV_ITEM lv; lv.mask=LVCF_TEXT | LVCF_WIDTH | LVCF_SUBITEM;TCHAR szPid[0x20];char a[0x20]={0};int i3=0;BOOL mFalse;HWND hListModule;TCHAR a1[0x20]={0};hListModule=GetDlgItem(hwndDLg,IDC_LIST_MOUDLE);//获取主窗口模块列表框句柄;SendMessage(hListModule,LVM_DELETEALLITEMS,0,0);//清空列表框里面的内容memset(&lv,0,sizeof(LV_ITEM));memset(szPid,0,0x20);dwRowId=SendMessage(hLstprocess,LVM_GETNEXTITEM,-1,LVNI_SELECTED);//得到当前选中行if(dwRowId==-1){MessageBox(NULL,TEXT("请选择进程"),TEXT("ERROR"),MB_OK); return FALSE;}lv.iSubItem=1;//要获取的列lv.pszText=szPid;//指定储存查询结构的缓冲区lv.cchTextMax=0x20;//指定缓冲区大小SendMessage(hLstprocess,LVM_GETITEMTEXT,dwRowId,(DWORD)&lv);//得到选中行中第1列里面的信息即选中进程PID值;//MessageBox(NULL,szPid,TEXT("PID"),MB_OK); //创建遍历模块需要的结构体int i=0;int i1=0;while(szPid[i]!=0){a[i1]=szPid[i];a[i1 1]=0;i ;i1 ;}DWORD PID=ConvertDWORD(a);MODULEENTRY32 m_Module;memset(&m_Module,0,sizeof(MODULEENTRY32));//堆中分配写0安全HANDLE hSnapshot;//创建进程块照信息变量m_Module.dwSize=sizeof(MODULEENTRY32);//必须初始化大小才能用Module32First函数hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,PID);//获取系统进程快照信息//开始遍历所有模块/*ModuleEntry32* m_pModule;*/BOOL bRet=Module32First(hSnapshot,&m_Module);//首次遍历进程快照信息while(bRet){lv.iItem=i3;i3 ; lv.pszText=m_Module.szModule;lv.iSubItem=0;SendMessage(hListModule,LVM_INSERTITEM,0,(DWORD)&lv);//LVM_INSERTITEM是插入1行mFalse=ConvertUNICODE((DWORD)m_Module.hModule,a1);if(mFalse==FALSE){ return FALSE;}lv.pszText=a1;lv.iSubItem=1;SendMessage(hListModule,LVM_SETITEM,0,(DWORD)&lv);//LVM_INSERTITEM是插入1行 bRet=Module32Next(hSnapshot,&m_Module);//获取当前m_Module里面的进程的下一个进程信息;} CloseHandle (hSnapshot); //关闭进程快照 return TRUE;}DWORD ConvertDWORD(char* a)//将ascii数字字符串转换成16进制DWORD类型返回参数a是需要被转字符串指针{//a=4578char b[22]={'0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f','A','B','C','D','E','F'};//一个个相等找到了再用相等的表下标..int c[22]={0,1,2,3,4,5,6,7,8,9,0xa,0xb,0xc,0xd,0xe,0xf};//int型表DWORD A=0;DWORD B=0;int i=0;int i2=0;while(i>=0)//这个循环判断字符串的长度{if (a[i]!=0){ i2 ;//}else{ i=-2;} i ;}if(i2==0){return -1;}int i3=0;for(i=0;i>4;//取数字高4位与c数组元素相比较e=b2[i-1];e=e<<4;//取数字低4位与c数组元素相比较e=e>>4;for(int i1=0;i1<16;i1 ){if (d==c[i1])//高4位如果相等则说明找到相匹配的数字然后让其等于相匹配的字符串即可{d=b1[i1];//d等于c[i1]相符的字符串 }if (e==c[i1])//低4位如果相等则说明找到相匹配的数字然后让其等于相匹配的字符串即可{e=b1[i1];//e等于c[i1]相符的字符串}}if (i==4&&d=='0'&&e=='0'){ i--;continue;//如果等于4或者表明4字节前面1字节为0不用显示; }if((d!='0')|(i3==-1)){ a3[i2]=d; i2 ; i3=-1;}if((e!='0')|(i3==-1)){ a3[i2]=e; i2 ; i3=-1;} i--;} i=0; while(a3[i]) { b[i]=a3[i]; i ; } return TRUE;}//弹出打开窗口获取文件路径名函数BOOL FindFileName(HWND hwndDLg) //hwndDLg主窗口句柄{OPENFILENAME stOpenFile;//获取文件路径名窗口需要的结构;(文件打开窗口) TCHAR szFileName[256];//将获取到的文件路径名存到这个缓冲区 unicode类型memset(szFileName,0,256);//写0memset(&stOpenFile,0,sizeof(OPENFILENAME));//写0stOpenFile.lStructSize=sizeof(OPENFILENAME); //指定结构大小stOpenFile.Flags=OFN_FILEMUSTEXIST|OFN_PATHMUSTEXIST;//上MSDN查记不住这么多stOpenFile.hwndOwner=hwndDLg;//指定'打开窗口'的父进程//注意这里的 \0 '\0'前面是显示文本(提示用户过滤些什么),'\0'后面是真实过滤器, 总之注意这里的过滤怎么写的stOpenFile.lpstrFilter=TEXT("PE文件(*.exe;*.dll;*.scr;*.drv;*.sys)\0*.exe;*.dll;*.scr;*.drv;*.sys\0所有文件(*.*)\0*.*\0\0"); stOpenFile.lpstrFile=szFileName;//指定获取到的文件路径名放到这个缓冲区stOpenFile.nMaxFile=MAX_PATH;//指定参数作用自己上MSDN查GetOpenFileName(&stOpenFile);//获取 int len=WideCharToMultiByte(CP_ACP,0,szFileName,-1,NULL,0,NULL,NULL);//取长度 unicode转化函数需要WideCharToMultiByte(CP_ACP,0,szFileName,-1,pFileName,len,NULL,NULL);//将其转化成unicode字符串并写入全局变量if(pFileName[0]==0){return FALSE;}DbgPrintf("wenjianming= %s\n",pFileName);//这里写弹出PE信息窗口 ,记住要写个回调事件处理函数DialogBox(hINSTANCE,LPCTSTR(IDD_DIALOG_PE_CHECK),NULL,wndproc_PE);//弹出窗口 return TRUE;}//PE查看信息窗口回调事件处理函数BOOL CALLBACK wndproc_PE( HWND hwndDLg,UINT uMsg,WPARAM wParam,LPARAM lParam){hPe=hwndDLg;switch(uMsg){ case WM_INITDIALOG: //窗口创建完成在显示前会发送一条这种消息{ //在这里需要加入LIST_CROTROL_PROCESS和LIST_CROTORL_MOUDLE 的行与列;初始化函数 HICON hIcon; hIcon=LoadIcon(hINSTANCE,MAKEINTRESOURCE(IDI_ICON1));//加载图标资源,这步还没显示 SendMessage(hwndDLg,WM_SETICON,ICON_BIG,(DWORD)hIcon);//发送消息显示大图标SendMessage(hwndDLg,WM_SETICON,ICON_SMALL,(DWORD)hIcon);//发送消息显示小图标ReadPE(hwndDLg);//读取pe基本信息 //在这里加入遍历PE文件的函数 return TRUE;}//标准控件走这;case WM_COMMAND:{switch(LOWORD(wParam)) { case IDC_BUTTON_PE_OUT://这是自己添加的按钮 { DestroyWindow(hPe); hPe=NULL; SendMessage(MainWnd,WM_SETFOCUS,0,0);//激活窗口 return TRUE; } case IDC_BUTTON_PE_SEC: //这是自己添加的按钮 { DialogBox(hINSTANCE,LPCTSTR(IDD_DIALOG_SECTIONS),NULL,wndproc_Section);//弹出窗口 return TRUE; } case IDC_BUTTON_PE_CATALOG://这是自己添加的按钮 {//MessageBox(NULL,TEXT("目录"),TEXT("目录"),MB_OK); DialogBox(hINSTANCE,LPCTSTR(IDD_DIALOG_CATALOG),NULL,wndproc_Catalog);//弹出窗口 return TRUE; } case IDCANCEL://窗口上的X键消息 { DestroyWindow(hPe); hPe=NULL; SendMessage(MainWnd,WM_SETFOCUS,0,0);//激活窗口 return TRUE; } break; } break;}break;}return FALSE;//其余消息全部走这里出去}//读取PE信息函数BOOL ReadPE(HWND hwndDLg){if(pFileName[0]==0){MessageBox(0,TEXT("文件路径名错误!"),TEXT("Error"),MB_OK);return FALSE;}//定义局部变量区FILE* A=NULL;char* a=NULL;DWORD c=0;TCHAR Text[0x20]={0};HWND hEdit_IMAGEBASE=GetDlgItem(hwndDLg,IDC_EDIT_IMAGEBASE); //镜像基址编辑框HWND hEdit_SizeOfImage=GetDlgItem(hwndDLg,IDC_EDIT_SizeOfImage); //镜像大小编辑框HWND hEdit_BASEOFCODE=GetDlgItem(hwndDLg,IDC_EDIT_BASEOFCODE); //代码基址HWND hEdit_BASEOFDATA=GetDlgItem(hwndDLg,IDC_EDIT_BASEOFDATA); //数据基址HWND hEdit_SECTIONALIGNMENT=GetDlgItem(hwndDLg,IDC_EDIT_SECTIONALIGNMENT); //内存对齐HWND hEdit_FILEALIGNMENT=GetDlgItem(hwndDLg,IDC_EDIT_FILEALIGNMENT); //文件对齐HWND hEdit_WIN32VERSIONVALUE=GetDlgItem(hwndDLg,IDC_EDIT_WIN32VERSIONVALUE); //子系统HWND hEdit_E_MAGIC=GetDlgItem(hwndDLg,IDC_EDIT_E_MAGIC); //标志字HWND hEdit_NUMBEROFSECTIONS=GetDlgItem(hwndDLg,IDC_EDIT_NUMBEROFSECTIONS);//节区数目HWND hEdit_TIMEDATASTAMP=GetDlgItem(hwndDLg,IDC_EDIT_TIMEDATASTAMP);//时间戳HWND hEdit_SIZEOFHEADERS=GetDlgItem(hwndDLg,IDC_EDIT_SIZEOFHEADERS);//PE头大小HWND hEdit_CHARACTERISTICS=GetDlgItem(hwndDLg,IDC_EDIT_CHARACTERISTICS);//特征值HWND hEdit_CHECKSUM=GetDlgItem(hwndDLg,IDC_EDIT_CHECKSUM);//效验和HWND hEdit_SIZEOFOPTIONALHEADER=GetDlgItem(hwndDLg,IDC_EDIT_SIZEOFOPTIONALHEADER);//可选PE头大小HWND hEdit_NUMBEROFRVAANDSIZES=GetDlgItem(hwndDLg,IDC_EDIT_NUMBEROFRVAANDSIZES);//目录项数量HWND hEdit_AddressOfEntryPoint=GetDlgItem(hwndDLg,IDC_EDIT_AddressOfEntryPoint);//程序入口//-------------------------------------局部变量区c=longfile(pFileName);if (c<=0){ MessageBox(0,TEXT("文件路径名错误!"),TEXT("Error"),MB_OK);return FALSE;}a=(char*)malloc(sizeof(char)*c);memset(a,0,c);//写0;A=fopen(pFileName,"rb");fread(a,sizeof(char),c,A);fclose(A);PE A1;A1.getdata(a,0);ConvertUNICODE(A1.IMAGEBASE,Text);SendMessage(hEdit_IMAGEBASE,WM_SETTEXT,0,(LPARAM)Text);//镜像基址memset(Text,0,0x20);ConvertUNICODE(A1.sizeofimage,Text);SendMessage(hEdit_SizeOfImage,WM_SETTEXT,0,(LPARAM)Text);//镜像大小memset(Text,0,0x20);ConvertUNICODE(A1.baseofcode,Text);SendMessage(hEdit_BASEOFCODE,WM_SETTEXT,0,(LPARAM)Text);//代码基址memset(Text,0,0x20);ConvertUNICODE(A1.baseofdata,Text);SendMessage(hEdit_BASEOFDATA,WM_SETTEXT,0,(LPARAM)Text);//数据基址memset(Text,0,0x20);ConvertUNICODE(A1.sectionalignment,Text);SendMessage(hEdit_SECTIONALIGNMENT,WM_SETTEXT,0,(LPARAM)Text);//内存对齐memset(Text,0,0x20);ConvertUNICODE(A1.filealignment,Text);SendMessage(hEdit_FILEALIGNMENT,WM_SETTEXT,0,(LPARAM)Text);//文件对齐memset(Text,0,0x20);ConvertUNICODE(A1.minorsubsystemversion,Text);SendMessage(hEdit_WIN32VERSIONVALUE,WM_SETTEXT,0,(LPARAM)Text);//子系统memset(Text,0,0x20);ConvertUNICODE(A1.e_magic,Text);SendMessage(hEdit_E_MAGIC,WM_SETTEXT,0,(LPARAM)Text);//标志字memset(Text,0,0x20);ConvertUNICODE(A1.numberofsections,Text);SendMessage(hEdit_NUMBEROFSECTIONS,WM_SETTEXT,0,(LPARAM)Text);//节区数量memset(Text,0,0x20);ConvertUNICODE(A1.timedatestamp,Text);SendMessage(hEdit_TIMEDATASTAMP,WM_SETTEXT,0,(LPARAM)Text);//时间戳memset(Text,0,0x20);ConvertUNICODE(A1.sizeofheaders,Text);SendMessage(hEdit_SIZEOFHEADERS,WM_SETTEXT,0,(LPARAM)Text);//PE头大小memset(Text,0,0x20);ConvertUNICODE(A1.characteristics,Text);SendMessage(hEdit_CHARACTERISTICS,WM_SETTEXT,0,(LPARAM)Text);//特征值memset(Text,0,0x20);ConvertUNICODE(A1.cheecksum,Text);SendMessage(hEdit_CHECKSUM,WM_SETTEXT,0,(LPARAM)Text);//效验和memset(Text,0,0x20);ConvertUNICODE(A1.sizeofoptionalheader,Text);SendMessage(hEdit_SIZEOFOPTIONALHEADER,WM_SETTEXT,0,(LPARAM)Text);//可选PE头大小memset(Text,0,0x20);ConvertUNICODE(A1.numberofrvaandsizes,Text);SendMessage(hEdit_NUMBEROFRVAANDSIZES,WM_SETTEXT,0,(LPARAM)Text);//目录项数量memset(Text,0,0x20);ConvertUNICODE(A1.addressofentrypoint,Text);SendMessage(hEdit_AddressOfEntryPoint,WM_SETTEXT,0,(LPARAM)Text);//程序入口//读取文件至内存filebuff,先打开free(a);return TRUE;}DWORD longfile(char* x)//返回文件长度，即filebuff所需的空间；{DWORD y=0,z=0;FILE* a;a=fopen(x,"r");//打开文件至流中y=ftell(a);//保存当前光标的位置fseek(a,0,SEEK_END);//当前光标移动到文件末z=ftell(a);//把当前光标离文件首位置距离赋值给zfseek(a,y,SEEK_SET);//把当前光标移回去fclose(a);//关闭流return z;}//PE查看信息窗口回调事件处理函数BOOL CALLBACK wndproc_Section( HWND hwndDLg,UINT uMsg,WPARAM wParam,LPARAM lParam){hSection=hwndDLg;switch(uMsg){ case WM_INITDIALOG: //窗口创建完成在显示前会发送一条这种消息{ //在这里需要加入LIST_CROTROL_PROCESS和LIST_CROTORL_MOUDLE 的行与列;初始化函数 HICON hIcon; hIcon=LoadIcon(hINSTANCE,MAKEINTRESOURCE(IDI_ICON1));//加载图标资源,这步还没显示 SendMessage(hwndDLg,WM_SETICON,ICON_BIG,(DWORD)hIcon);//发送消息显示大图标SendMessage(hwndDLg,WM_SETICON,ICON_SMALL,(DWORD)hIcon);//发送消息显示小图标PE_Section(hwndDLg); //在这里加入遍历PE文件节表的函数 return TRUE;}//标准控件走这;case WM_COMMAND:{switch(LOWORD(wParam)) { case IDCANCEL://窗口上的X键消息 { DestroyWindow(hwndDLg); hSection=NULL; SendMessage(hPe,WM_SETFOCUS,0,0);//激活窗口 return TRUE; }break; } }break;}return FALSE;//其余消息全部走这里出去}//遍历节表将其显示在窗口上BOOL PE_Section(HWND hwndDLg){if(pFileName[0]==0){MessageBox(0,TEXT("文件路径名错误!"),TEXT("Error"),MB_OK);return FALSE;}//定义局部变量区FILE* A=NULL;char* a=NULL;DWORD c=0;DWORD c1=0;int c2=0;int i3=0;section_table* A3;section_table A2;char* a2=NULL;WCHAR b[9]={0};//-------------------------------------局部变量区LV_COLUMN lv; //LV_COLUMN是框的表头属性包含(显示文本,多少行,多少列)LV_ITEM vitem;//这是列表框中显示的内容结构HWND hListProcess;//控件框句柄memset(&lv,0,sizeof(LV_COLUMN));//将lv写0,在堆栈中建立的里面有垃圾值memset(&vitem,0,sizeof(LV_ITEM));vitem.mask=LVIF_TEXT;//获取主窗口上控件框句柄 hListProcess=GetDlgItem(hwndDLg,IDC_LIST_SECTION_SECTION);//设置整行选中风格,发消息给系统告诉系统这个框里面的内容如果被选中就整行选中SendMessage(hListProcess,LVM_SETEXTENDEDLISTVIEWSTYLE,LVS_EX_FULLROWSELECT,LVS_EX_FULLROWSELECT);//设置表头lv.mask=LVCF_TEXT | LVCF_WIDTH | LVCF_SUBITEM;//设置表头第一列 iSubItem=0 ,0开始lv.pszText=TEXT("节名"); //列标题lv.cx= 80; //列宽lv.iSubItem=0; //这是第几列SendMessage(hListProcess,LVM_INSERTCOLUMN,0,(DWORD)&lv);//第二列lv.pszText=TEXT("文件偏移");lv.cx= 100;lv.iSubItem=1; //这是第几列SendMessage(hListProcess,LVM_INSERTCOLUMN,1,(DWORD)&lv);//第三列lv.pszText=TEXT("文件大小");lv.cx= 100;lv.iSubItem=2; //这是第几列SendMessage(hListProcess,LVM_INSERTCOLUMN,2,(DWORD)&lv);//第四列lv.pszText=TEXT("内存偏移");lv.cx= 100;lv.iSubItem=3; //这是第几列SendMessage(hListProcess,LVM_INSERTCOLUMN,3,(DWORD)&lv);lv.pszText=TEXT("内存大小");lv.cx= 100;lv.iSubItem=4; //这是第几列SendMessage(hListProcess,LVM_INSERTCOLUMN,4,(DWORD)&lv);lv.pszText=TEXT("节区属性");lv.cx= 100;lv.iSubItem=5; //这是第几列SendMessage(hListProcess,LVM_INSERTCOLUMN,5,(DWORD)&lv);c=longfile(pFileName);if (c<=0){ MessageBox(0,TEXT("文件路径名错误!"),TEXT("Error"),MB_OK);return FALSE;}a=(char*)malloc(sizeof(char)*c);memset(a,0,c);//写0;A=fopen(pFileName,"rb");fread(a,sizeof(char),c,A);fclose(A);PE A1;A1.getdata(a,0);//初始化c1=*A1.e_lfanew 0x4 0x14 A1.sizeofoptionalheader;//得到第一个节表所在偏移a2=&a[c1];A3=(section_table*)a2;c2=1;while(c2){A2.getdata(a2);//节区名字写入列表框for(int i=0;i<8;i ){b[i]=A2.name[i];b[i 1]=0;} vitem.pszText=b;vitem.iItem=i3; //行i3 ;//列表框下一行vitem.iSubItem=0; //列SendMessage(hListProcess,LVM_INSERTITEM,0,(DWORD)&vitem);//LVM_INSERTITEM是插入1行memset(b,0,18);//文件偏移写入列表框ConvertUNICODE( A2.Pteradata,b);if(b[0]==0){b[0]='0';} vitem.pszText=b;//uncode字符串vitem.iSubItem=1;//列SendMessage(hListProcess,LVM_SETITEM,0,(DWORD)&vitem);//LVM_SETITEM是设置1行memset(b,0,18);//文件大小写入列表框ConvertUNICODE( A2.Sizeradata,b);if(b[0]==0){b[0]='0';} vitem.pszText=b;//uncode字符串vitem.iSubItem=2;//列SendMessage(hListProcess,LVM_SETITEM,0,(DWORD)&vitem);//LVM_SETITEM是设置1行memset(b,0,18);//内存偏移写入列表框ConvertUNICODE( A2.VIAddress,b);if(b[0]==0){b[0]='0';} vitem.pszText=b;//uncode字符串vitem.iSubItem=3;//列SendMessage(hListProcess,LVM_SETITEM,0,(DWORD)&vitem);//LVM_SETITEM是设置1行memset(b,0,18);//内存大小写入列表框ConvertUNICODE( A2.Misc,b);if(b[0]==0){b[0]='0';} vitem.pszText=b;//uncode字符串vitem.iSubItem=4;//列SendMessage(hListProcess,LVM_SETITEM,0,(DWORD)&vitem);//LVM_SETITEM是设置1行memset(b,0,18);//节属性写入列表框ConvertUNICODE( A2.Charstics,b);if(b[0]==0){b[0]='0';} vitem.pszText=b;//uncode字符串vitem.iSubItem=5;//列SendMessage(hListProcess,LVM_SETITEM,0,(DWORD)&vitem);//LVM_SETITEM是设置1行 memset(b,0,18);a2=a2 0x28; A3=(section_table*)a2; if(A3->Pteradata==0&&A3->VIAddress==0&&A3->Sizeradata==0) { c2=0;//跳出循环 }}free(a); return TRUE;}//PE查看信息窗口回调事件处理函数BOOL CALLBACK wndproc_Catalog( HWND hwndDLg,UINT uMsg,WPARAM wParam,LPARAM lParam){hCatalog=hwndDLg;switch(uMsg){ case WM_INITDIALOG: //窗口创建完成在显示前会发送一条这种消息{ //在这里需要加入LIST_CROTROL_PROCESS和LIST_CROTORL_MOUDLE 的行与列;初始化函数 HICON hIcon; hIcon=LoadIcon(hINSTANCE,MAKEINTRESOURCE(IDI_ICON1));//加载图标资源,这步还没显示 SendMessage(hwndDLg,WM_SETICON,ICON_BIG,(DWORD)hIcon);//发送消息显示大图标 SendMessage(hwndDLg,WM_SETICON,ICON_SMALL,(DWORD)hIcon);//发送消息显示小图标 EnumCatalog(hwndDLg); //在这里加入遍历PE文件目录项的函数 return TRUE;}//标准控件走这;case WM_COMMAND:{switch(LOWORD(wParam)) { case IDCANCEL://窗口上的X键消息 { DestroyWindow(hwndDLg); hCatalog=NULL; SendMessage(hPe,WM_SETFOCUS,0,0);//激活窗口参数1是需激活的窗口句柄 return TRUE; } case IDC_BUTTON_CATALOG_EXPORT: { Enumport(1); return TRUE; } case IDC_BUTTON_CATALOG_IMPORT: { Enumport(2); return TRUE; } case IDC_BUTTON_CATALOG_RESOURCE: { Enumport(3); return TRUE; } case IDC_BUTTON_CATALOG_RELOCATION: { Enumport(4); return TRUE; } case IDC_BUTTON_CATALOG_IMPORTDES: { Enumport(5); return TRUE; } case IDC_BUTTON_CATALOG_IAT: { Enumport(6); return TRUE; } break;}} break;}return FALSE;//其余消息全部走这里出去}//PE查看信息窗口回调事件处理函数BOOL CALLBACK wndproc_MINUTE( HWND hwndDLg,UINT uMsg,WPARAM wParam,LPARAM lParam){hMinute=hwndDLg;switch(uMsg){ case WM_INITDIALOG: //窗口创建完成在显示前会发送一条这种消息{ //在这里需要加入LIST_CROTROL_PROCESS和LIST_CROTORL_MOUDLE 的行与列;初始化函数 HICON hIcon; hIcon=LoadIcon(hINSTANCE,MAKEINTRESOURCE(IDI_ICON1));//加载图标资源,这步还没显示 SendMessage(hwndDLg,WM_SETICON,ICON_BIG,(DWORD)hIcon);//发送消息显示大图标 SendMessage(hwndDLg,WM_SETICON,ICON_SMALL,(DWORD)hIcon);//发送消息显示小图标 Getmport(); //在这里加入遍历表里面详细信息的函数 return TRUE;}//标准控件走这;case WM_COMMAND:{switch(LOWORD(wParam)) { case IDCANCEL://窗口上的X键消息 { DestroyWindow(hwndDLg); hMinute=NULL; hListuse=0; SendMessage(hCatalog,WM_SETFOCUS,0,0);//激活窗口参数1是需激活的窗口句柄 return TRUE; }break; }}case WM_SETFOCUS://当窗口被激活时调用遍历各种表的函数{Getmport(); return FALSE;//返回未处理让系统显示窗口} break;}return FALSE;//其余消息全部走这里出去}BOOL Enumport(int c){mEnumport=c;if (hMinute==0)//等于0证明详细窗口还未创建{DialogBox(hINSTANCE,LPCTSTR(IDD_DIALOG_MINUTE),NULL,wndproc_MINUTE);//弹出详细窗口return TRUE;}SendMessage(hMinute,WM_SETFOCUS,0,0);//激活窗口return TRUE;} //ascii转成unicode字符串 //参数1是ascii字符串指针,参数2是接收转换后字符串的缓冲区指针,参数3接收的缓冲区大小; BOOL MByteToWChar(LPCSTR lpcszStr, LPWSTR lpwszStr, DWORD dwSize) { // 获取接收Unicode字符串的缓冲区的所需大小。 DWORD dwMinSize; dwMinSize = MultiByteToWideChar (CP_ACP, 0, lpcszStr, -1, NULL, 0); //如果获取到所需缓冲区大小比参数3接收缓冲区大小大则不转直接返回 if(dwSize < dwMinSize) { return FALSE; } // 将ascii字符串转换成unicode字符串 MultiByteToWideChar (CP_ACP, 0, lpcszStr, -1, lpwszStr, dwMinSize); return TRUE; } //参数1是需转换unicode字符串指针,参数2是接收ascii字符串缓冲区指针,参数3是接收缓冲区的大小; BOOL WCharToMByte(LPCWSTR lpcwszStr, LPSTR lpszStr, DWORD dwSize) { DWORD dwMinSize; //获取需求接收缓冲区的大小 dwMinSize = WideCharToMultiByte(CP_ACP,0,lpcwszStr,-1,NULL,0,NULL,0); if(dwSize < dwMinSize)//如果需要缓冲区比接收缓冲区大则返回 { return FALSE; } //转换函数 WideCharToMultiByte(CP_ACP,0,lpcwszStr,-1,lpszStr,dwSize,NULL,NULL); return TRUE; } //遍历可选PE头里面16个表的目录项将其显示在目录项窗口 BOOL EnumCatalog(HWND hwndDLg) { if (pFileName[0]==0) { MessageBox(0,TEXT("文件路径丢失,无法读取信息"),TEXT("Error"),MB_OK); return FALSE; } TCHAR str[0x10]={0}; char* a=NULL; char* b=NULL; DWORD c=0; DWORD c1=0; FILE* A=NULL; PE B; //变量定义区 HWND hEditexport1=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_EXPORT_RVA); HWND hEditexport2=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_EXPORT_FOA);//导出表 HWND hEditexport3=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_EXPORT_SIZE); HWND hEditimport1=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_IMPORT_RVA); HWND hEditimport2=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_IMPORT_FOA);//导入表 HWND hEditimport3=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_IMPORT_SIZE); HWND hEditresport1=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_RESOURCE_RVA); HWND hEditresport2=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_RESOURCE_FOA);//资源表 HWND hEditresport3=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_RESOURCE_SIZE); HWND hEditexceport1=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_EXCEPTION_RVA); HWND hEditexceport2=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_EXCEPTION_FOA);//异常表 HWND hEditexceport3=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_EXCEPTION_SIZE); HWND hEditsafeport1=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_SAFEPORT_RVA); HWND hEditsafeport2=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_SAFEPORT_FOA);//安全表 HWND hEditsafeport3=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_SAFEPORT_SIZE); HWND hEditrecport1=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_RELOCATION_RVA); HWND hEditrecport2=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_RELOCATION_FOA);//重定位表 HWND hEditrecport3=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_RELOCATION_SIZE); HWND hEditdeport1=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_DEBUG_RVA); HWND hEditdeport2=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_DEBUG_FOA);//调试表 HWND hEditdeport3=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_DEBUG_SIZE); HWND hEditcopport1=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_COPYRIGHT_RVA); HWND hEditcopport2=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_COPYRIGHT_FOA);//版权表 HWND hEditcopport3=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_COPYRIGHT_SIZE); HWND hEditgobport1=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_GLOBALPT_RVA); HWND hEditgobport2=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_GLOBALPT_FOA);//全局指针 HWND hEditgobport3=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_GLOBALPT_SIZE); HWND hEdittlsport1=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_TLSPORT_RVA); HWND hEdittlsport2=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_TLSPORT_FOA);//TLS HWND hEdittlsport3=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_TLSPORT_SIZE); HWND hEditimporttool1=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_IMPORTTOOL_RVA); HWND hEditimporttool2=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_IMPORTTOOL_FOA);//导入配置 HWND hEditimporttool3=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_IMPORTTOOL_SIZE); HWND hEditimportdes1=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_IMPORTDES_RVA); HWND hEditimportdes2=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_IMPORTDES_FOA);//绑定导入 HWND hEditimportdes3=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_IMPORTDES_SIZE); HWND hEditIATport1=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_IATPORT_RVA); HWND hEditIATport2=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_IATPORT_FOA);//IAT表 HWND hEditIATport3=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_IATPORT_SIZE); HWND hEditimportdea1=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_IMPORTDEA_RVA); HWND hEditimportdea2=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_IMPORTDEA_FOA);//延迟导入 HWND hEditimportdea3=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_IMPORTDEA_SIZE); HWND hEditcomport1=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_COMPORT_RVA); HWND hEditcomport2=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_COMPORT_FOA);//COM HWND hEditcomport3=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_COMPORT_SIZE); HWND hEditreserve1=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_RESERVE_RVA); HWND hEditreserve2=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_RESERVE_FOA);//保留 HWND hEditreserve3=GetDlgItem(hwndDLg,IDC_EDIT_CATALOG_RESERVE_SIZE); //-----------------------↑获取编辑框句柄-------------------------------------- c=longfile(pFileName); if (c==0) { return FALSE; } a=(char*)malloc(sizeof(char)*c); memset(a,0,c); A=fopen(pFileName,"rb"); fread(a,sizeof(char),c,A); fclose(A); B.getdata(a,0); if(B.DataDirectory->VirtualAddress==0) { str[0]=L'无'; SendMessage(hEditexport2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditexport3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditexport1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; }else { ConvertUNICODE(B.DataDirectory->VirtualAddress,str); SendMessage(hEditexport1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); ConvertUNICODE(B.DataDirectory->SIZE,str); SendMessage(hEditexport3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); c1=RVA_FOA(B.DataDirectory->VirtualAddress,a,0); ConvertUNICODE(c1,str); SendMessage(hEditexport2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); } B.getdata(a,1); if(B.DataDirectory->VirtualAddress==0) { str[0]=L'无'; SendMessage(hEditimport1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditimport3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditimport2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; }else { ConvertUNICODE(B.DataDirectory->VirtualAddress,str); SendMessage(hEditimport1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); ConvertUNICODE(B.DataDirectory->SIZE,str); SendMessage(hEditimport3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); c1=RVA_FOA(B.DataDirectory->VirtualAddress,a,0); ConvertUNICODE(c1,str); SendMessage(hEditimport2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); } B.getdata(a,2); if(B.DataDirectory->VirtualAddress==0) { str[0]=L'无'; SendMessage(hEditresport1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditresport2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditresport3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; }else { ConvertUNICODE(B.DataDirectory->VirtualAddress,str); SendMessage(hEditresport1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); ConvertUNICODE(B.DataDirectory->SIZE,str); SendMessage(hEditresport3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); c1=RVA_FOA(B.DataDirectory->VirtualAddress,a,0); ConvertUNICODE(c1,str); SendMessage(hEditresport2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); } B.getdata(a,3);if(B.DataDirectory->VirtualAddress==0) { str[0]=L'无'; SendMessage(hEditexceport1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditexceport2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditexceport3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; }else { ConvertUNICODE(B.DataDirectory->VirtualAddress,str); SendMessage(hEditexceport1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); ConvertUNICODE(B.DataDirectory->SIZE,str); SendMessage(hEditexceport3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); c1=RVA_FOA(B.DataDirectory->VirtualAddress,a,0); ConvertUNICODE(c1,str); SendMessage(hEditexceport2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); } B.getdata(a,4); if(B.DataDirectory->VirtualAddress==0) { str[0]=L'无'; SendMessage(hEditsafeport1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditsafeport2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditsafeport3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; }else { ConvertUNICODE(B.DataDirectory->VirtualAddress,str); SendMessage(hEditsafeport1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); ConvertUNICODE(B.DataDirectory->SIZE,str); SendMessage(hEditsafeport3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); c1=RVA_FOA(B.DataDirectory->VirtualAddress,a,0); ConvertUNICODE(c1,str); SendMessage(hEditsafeport2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); } B.getdata(a,5); if(B.DataDirectory->VirtualAddress==0) { str[0]=L'无'; SendMessage(hEditrecport1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditrecport2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditrecport3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; }else { ConvertUNICODE(B.DataDirectory->VirtualAddress,str); SendMessage(hEditrecport1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); ConvertUNICODE(B.DataDirectory->SIZE,str); SendMessage(hEditrecport3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); c1=RVA_FOA(B.DataDirectory->VirtualAddress,a,0); ConvertUNICODE(c1,str); SendMessage(hEditrecport2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); } B.getdata(a,6); if(B.DataDirectory->VirtualAddress==0) { str[0]=L'无'; SendMessage(hEditdeport1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditdeport2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditdeport3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; }else { ConvertUNICODE(B.DataDirectory->VirtualAddress,str); SendMessage(hEditdeport1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); ConvertUNICODE(B.DataDirectory->SIZE,str); SendMessage(hEditdeport3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); c1=RVA_FOA(B.DataDirectory->VirtualAddress,a,0); ConvertUNICODE(c1,str); SendMessage(hEditdeport2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); } B.getdata(a,7); if(B.DataDirectory->VirtualAddress==0) { str[0]=L'无'; SendMessage(hEditcopport1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditcopport2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditcopport3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; }else { ConvertUNICODE(B.DataDirectory->VirtualAddress,str); SendMessage(hEditcopport1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); ConvertUNICODE(B.DataDirectory->SIZE,str); SendMessage(hEditcopport3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); c1=RVA_FOA(B.DataDirectory->VirtualAddress,a,0); ConvertUNICODE(c1,str); SendMessage(hEditcopport2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); } B.getdata(a,8); if(B.DataDirectory->VirtualAddress==0) { str[0]=L'无'; SendMessage(hEditgobport1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditgobport2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditgobport3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; }else { ConvertUNICODE(B.DataDirectory->VirtualAddress,str); SendMessage(hEditgobport1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); ConvertUNICODE(B.DataDirectory->SIZE,str); SendMessage(hEditgobport3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); c1=RVA_FOA(B.DataDirectory->VirtualAddress,a,0); ConvertUNICODE(c1,str); SendMessage(hEditgobport2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); } B.getdata(a,9); if(B.DataDirectory->VirtualAddress==0) { str[0]=L'无'; SendMessage(hEdittlsport1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEdittlsport2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEdittlsport3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; }else { ConvertUNICODE(B.DataDirectory->VirtualAddress,str); SendMessage(hEdittlsport1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); ConvertUNICODE(B.DataDirectory->SIZE,str); SendMessage(hEdittlsport3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); c1=RVA_FOA(B.DataDirectory->VirtualAddress,a,0); ConvertUNICODE(c1,str); SendMessage(hEdittlsport2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); } B.getdata(a,10); if(B.DataDirectory->VirtualAddress==0) { str[0]=L'无'; SendMessage(hEditimporttool1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditimporttool2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditimporttool3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; }else { ConvertUNICODE(B.DataDirectory->VirtualAddress,str); SendMessage(hEditimporttool1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); ConvertUNICODE(B.DataDirectory->SIZE,str); SendMessage(hEditimporttool3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); c1=RVA_FOA(B.DataDirectory->VirtualAddress,a,0); ConvertUNICODE(c1,str); SendMessage(hEditimporttool2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); } B.getdata(a,11);if(B.DataDirectory->VirtualAddress==0) { str[0]=L'无'; SendMessage(hEditimportdes1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditimportdes2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditimportdes3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; }else { ConvertUNICODE(B.DataDirectory->VirtualAddress,str); SendMessage(hEditimportdes1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); ConvertUNICODE(B.DataDirectory->SIZE,str); SendMessage(hEditimportdes3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); c1=RVA_FOA(B.DataDirectory->VirtualAddress,a,0); ConvertUNICODE(c1,str); SendMessage(hEditimportdes2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); } B.getdata(a,12); if(B.DataDirectory->VirtualAddress==0) { str[0]=L'无'; SendMessage(hEditIATport1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditIATport2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditIATport3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; }else { ConvertUNICODE(B.DataDirectory->VirtualAddress,str); SendMessage(hEditIATport1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); ConvertUNICODE(B.DataDirectory->SIZE,str); SendMessage(hEditIATport3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); c1=RVA_FOA(B.DataDirectory->VirtualAddress,a,0); ConvertUNICODE(c1,str); SendMessage(hEditIATport2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); } B.getdata(a,13); if(B.DataDirectory->VirtualAddress==0) { str[0]=L'无'; SendMessage(hEditimportdea1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditimportdea2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditimportdea3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; }else { ConvertUNICODE(B.DataDirectory->VirtualAddress,str); SendMessage(hEditimportdea1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); ConvertUNICODE(B.DataDirectory->SIZE,str); SendMessage(hEditimportdea3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); c1=RVA_FOA(B.DataDirectory->VirtualAddress,a,0); ConvertUNICODE(c1,str); SendMessage(hEditimportdea2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); } B.getdata(a,14); if(B.DataDirectory->VirtualAddress==0) { str[0]=L'无'; SendMessage(hEditcomport1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditcomport2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditcomport3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; }else { ConvertUNICODE(B.DataDirectory->VirtualAddress,str); SendMessage(hEditcomport1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); ConvertUNICODE(B.DataDirectory->SIZE,str); SendMessage(hEditcomport3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); c1=RVA_FOA(B.DataDirectory->VirtualAddress,a,0); ConvertUNICODE(c1,str); SendMessage(hEditcomport2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); } B.getdata(a,15); if(B.DataDirectory->VirtualAddress==0) { str[0]=L'无'; SendMessage(hEditreserve1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditreserve2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; SendMessage(hEditreserve3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; }else { ConvertUNICODE(B.DataDirectory->VirtualAddress,str); SendMessage(hEditreserve1,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); ConvertUNICODE(B.DataDirectory->SIZE,str); SendMessage(hEditreserve3,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; memset(str,0,0x10); c1=RVA_FOA(B.DataDirectory->VirtualAddress,a,0); ConvertUNICODE(c1,str); SendMessage(hEditreserve2,WM_SETTEXT,0,(LPARAM)str);//这是文本内容写入文本编辑框; } free(a); return TRUE; } BOOL SetEditzero(void)//设置详细窗口上编辑框的内容为空 { if(hListuse==0) { if(hMinute!=0) { hListuse=GetDlgItem(hMinute,IDC_LIST_DIALOG_MINUTE); }else { return FALSE; } } SendMessage(hListuse, LVM_DELETEALLITEMS, 0, 0);//删除所有行 return TRUE; } //遍历导出表函数地址表 ,序号表,函数名称表的值;BOOL Enumexport(void){if(pFileName[0]==0){MessageBox(0,TEXT("文件路径错误请从新打开文件"),TEXT("Error"),MB_OK);return FALSE;}SetEditzero();//将编辑框置0;Str_s=(TCHAR*)malloc(sizeof(TCHAR)*0x100);memset(Str_s,0,sizeof(TCHAR)*0x100);TCHAR m_str[80]={0};FILE* A=NULL;char* a=NULL;DWORD c=0;DWORD c1=0;memset(&m_lv,0,sizeof(LV_COLUMN));memset(&m_mlv,0,sizeof(LV_ITEM));m_mlv.mask=LVIF_TEXT;m_lv.mask=LVCF_TEXT | LVCF_WIDTH | LVCF_SUBITEM;m_hang=0;PE B; //PE头结构export_table B1;//导出表结构c=longfile(pFileName);if(c==0){MessageBox(0,TEXT("文件错误,无法打开!"),TEXT("Error"),MB_OK);return FALSE;}m_lv.pszText=TEXT("导出表详情");//表头标题m_lv.cx=580;//列宽m_lv.iSubItem=0;//第几列SendMessage(hListuse,LVM_INSERTCOLUMN,0,(DWORD)&m_lv);//设置表头标题m_mlv.pszText=Str_1;//这是导出表第一行字符m_mlv.iItem=m_hang;//这是行的下标m_mlv.iSubItem=0;m_hang ;SendMessage(hListuse,LVM_INSERTITEM,0,(DWORD)&m_mlv);a=(char*)malloc(sizeof(char)*c);//动态申请堆中内存读取文件filebuffmemset(a,0,c);//写0A=fopen(pFileName,"rb");fread(a,sizeof(char),c,A);fclose(A);B.getdata(a,0);c=RVA_FOA(B.DataDirectory->VirtualAddress,a,0);//将导出表rva地址转换成foa地址B1.getdata(&a[c]);//初始化导出表成员的值//将导出表成员的值输出出来;//第一个模块名 :成员nameStr_cat(Str_s,Str_Name); //成员名ConvertUNICODE(B1.Name,m_str);Str_cat(Str_s,m_str);memset(m_str,0,160);Str_cat(Str_s,Str_h);//得到模块名;c=RVA_FOA(B1.Name,a,0);MByteToWChar(&a[c],m_str,80);Str_cat(Str_s,m_str);memset(m_str,0,160);expListText(hListuse,Str_s);//第二个 base 起始序号;memset(Str_s,0,200);Str_cat(Str_s,Str_Base); ConvertUNICODE(B1.Base,m_str);Str_cat(Str_s,m_str);memset(m_str,0,160);Str_cat(Str_s,Str_h);//输出到列表框封装函数expListText(hListuse,Str_s);//第三个 NumberOfFunctions 所有导出函数个数;memset(Str_s,0,200);//写0Str_cat(Str_s,Str_NumberOfFunctions); //拼接成员名字ConvertUNICODE(B1.NumberOfFunctions,m_str);//转换数字成unicodeStr_cat(Str_s,m_str);//拼接数字转换后的字符串memset(m_str,0,160);//用完将缓冲区写0Str_cat(Str_s,Str_h);//拼接中间空格部分字符串//输出到列表框封装函数expListText(hListuse,Str_s);//第四个 NumberOfNames 所有以名字导出函数个数;memset(Str_s,0,200);//写0Str_cat(Str_s,Str_NumberOfNames); //拼接成员名字ConvertUNICODE(B1.NumberOfNames,m_str);//转换数字成unicodeStr_cat(Str_s,m_str);//拼接数字转换后的字符串memset(m_str,0,160);//用完将缓冲区写0Str_cat(Str_s,Str_h);//拼接中间空格部分字符串//输出到列表框封装函数expListText(hListuse,Str_s);//第五个 AddressOfFunctions 所有以名字导出函数个数;memset(Str_s,0,200);//写0Str_cat(Str_s,Str_AddressOfFunctions); //拼接成员名字ConvertUNICODE(B1.AddressOfFunctions,m_str);//转换数字成unicodeStr_cat(Str_s,m_str);//拼接数字转换后的字符串memset(m_str,0,160);//用完将缓冲区写0Str_cat(Str_s,Str_h);//拼接中间空格部分字符串//输出到列表框封装函数expListText(hListuse,Str_s);//第六个 AddressOfNames 所有以名字导出函数个数;memset(Str_s,0,200);//写0Str_cat(Str_s,Str_AddressOfNames); //拼接成员名字ConvertUNICODE(B1.AddressOfNames,m_str);//转换数字成unicodeStr_cat(Str_s,m_str);//拼接数字转换后的字符串memset(m_str,0,160);//用完将缓冲区写0Str_cat(Str_s,Str_h);//拼接中间空格部分字符串//输出到列表框封装函数expListText(hListuse,Str_s);//第七个 AddressOfNameOrdinals 所有以名字导出函数个数;memset(Str_s,0,200);//写0Str_cat(Str_s,Str_AddressOfNameOrdinals); //拼接成员名字ConvertUNICODE(B1.AddressOfNameOrdinals,m_str);//转换数字成unicodeStr_cat(Str_s,m_str);//拼接数字转换后的字符串memset(m_str,0,160);//用完将缓冲区写0Str_cat(Str_s,Str_h);//拼接中间空格部分字符串//输出到列表框封装函数expListText(hListuse,Str_s);//第八个 AddressOfNameOrdinals 所有以名字导出函数个数;memset(Str_s,0,200);//写0Str_cat(Str_s,Str_TimeDateStamp); //拼接成员名字ConvertUNICODE(B1.TimeDateStamp,m_str);//转换数字成unicodeStr_cat(Str_s,m_str);//拼接数字转换后的字符串memset(m_str,0,160);//用完将缓冲区写0Str_cat(Str_s,Str_h);//拼接中间空格部分字符串//输出到列表框封装函数expListText(hListuse,Str_s);expListText(hListuse,Str_h);expListText(hListuse,Str_h);expListText(hListuse,Str_h);expListText(hListuse,Str_n);expListText(hListuse,Str_h);expListText(hListuse,Str_h);//遍历导出函数地址表应该是名字加序号加地址再输出 expListText(hListuse,Str_EXaddress);expListText(hListuse,Str_h);c=RVA_FOA(B1.AddressOfFunctions,a,0);DWORD* C=(DWORD*)&a[c];WORD* C1=NULL;WORD* C2=NULL;DWORD* C3=NULL;DWORD* C5=NULL;char* C4=NULL;C1=(WORD*)&a[RVA_FOA(B1.AddressOfNameOrdinals,a,0)];C3=(DWORD*)&a[RVA_FOA(B1.AddressOfNames,a,0)];C5=C3;int i=0;int i2=0;int i3=0;int i5=0;int i1=0;int i4=0;i2=B1.NumberOfFunctions;i5=i2;while(i2){if(*C==0){ C=C 1; i2--; i ;//导出函数地址表下标 continue;}C2=C1;//遍历所有序号表找出函数地址表的下标 i1=0;i3=i5;while(i3) { if(*C2==i) { i4=0; break; }else { i4=-1; i1 ; } C2=C2 1;//指向序号表下一个序号 i3--; } if (i4==0){C3=C5 i1;C4=(char*)&a[RVA_FOA(*C3,a,0)];//得到名字在foa地址首地址memset(Str_s,0,200);MByteToWChar(C4,Str_s,100);}else{ memset(Str_s,0,200); Str_cat(Str_s,Str_h3);}Str_cat(Str_s,Str_h1);//函数名字拼好了,再拼序号ConvertUNICODE(i1 B1.Base,m_str);Str_cat(Str_s,m_str);memset(m_str,0,160);Str_cat(Str_s,Str_h2);//拼接函数地址ConvertUNICODE(*C,m_str);Str_cat(Str_s,m_str);memset(m_str,0,160);expListText(hListuse,Str_s);expListText(hListuse,Str_h);//拼接空格 C=C 1; i2--; i ;//导出函数地址表下标}free(Str_s);free(a);return TRUE;}BOOL Enumimport(void)//遍历导入表信息{if(pFileName[0]==0){MessageBox(0,TEXT("文件路径错误请从新打开文件"),TEXT("Error"),MB_OK);return FALSE;}SetEditzero();//将编辑框置0;Str_s=(TCHAR*)malloc(sizeof(TCHAR)*0x100);memset(Str_s,0,sizeof(TCHAR)*0x100);TCHAR m_str[80]={0};FILE* A=NULL;char* a=NULL;DWORD c=0;DWORD c1=0;DWORD c2=0;DWORD c3=0;DWORD* C=NULL;char* C1=NULL;unsigned int C2;memset(&m_lv,0,sizeof(LV_COLUMN));memset(&m_mlv,0,sizeof(LV_ITEM));m_mlv.mask=LVIF_TEXT;m_lv.mask=LVCF_TEXT | LVCF_WIDTH | LVCF_SUBITEM;m_hang=0;PE B; //PE头结构import_table* B1;//导出表结构c=longfile(pFileName);if(c==0){MessageBox(0,TEXT("文件错误,无法打开!"),TEXT("Error"),MB_OK);return FALSE;}m_lv.pszText=TEXT("导入表详情");//表头标题m_lv.cx=580;//列宽m_lv.iSubItem=0;//第几列SendMessage(hListuse,LVM_INSERTCOLUMN,0,(DWORD)&m_lv);//设置表头标题m_mlv.pszText=Str_2;//这是导入表第一行字符m_mlv.iItem=m_hang;//这是行的下标m_mlv.iSubItem=0;m_hang ;SendMessage(hListuse,LVM_INSERTITEM,0,(DWORD)&m_mlv);a=(char*)malloc(sizeof(char)*c);//动态申请堆中内存读取文件filebuffmemset(a,0,c);//写0A=fopen(pFileName,"rb");fread(a,sizeof(char),c,A);fclose(A);B.getdata(a,1);//第二个是导入表c=RVA_FOA(B.DataDirectory->VirtualAddress,a,0);//将导出表rva地址转换成foa地址//得到首个导入表首地址B1=(import_table*)&a[c];//int i=0;while(B1->Name){c=RVA_FOA(B1->Name,a,0);memset(m_str,0,160);MByteToWChar(&a[c],m_str,80);Str_cat(Str_s,Str_module);Str_cat(Str_s,m_str);expListText(hListuse,Str_s);//将模块名输出后输出各成员的值expListText(hListuse,Str_h);//第1个 OriginalFirstThunk 所有以名字导出函数个数;memset(Str_s,0,200);//写0memset(m_str,0,160);//用完将缓冲区写0Str_cat(Str_s,Str_OriginalFirstThunk); //拼接成员名字ConvertUNICODE(B1->OriginalFirstThunk,m_str);//转换数字成unicodeStr_cat(Str_s,m_str);//拼接数字转换后的字符串memset(m_str,0,160);//用完将缓冲区写0Str_cat(Str_s,Str_h);//拼接中间空格部分字符串expListText(hListuse,Str_s);//输出字符串 //第2个 TimeDateStamp 所有以名字导出函数个数;memset(Str_s,0,200);//写0Str_cat(Str_s,Str_TimeDateStamp); //拼接成员名字ConvertUNICODE(B1->TimeDateStamp,m_str);//转换数字成unicodeStr_cat(Str_s,m_str);//拼接数字转换后的字符串memset(m_str,0,160);//用完将缓冲区写0Str_cat(Str_s,Str_h);//拼接中间空格部分字符串expListText(hListuse,Str_s);//输出字符串 //第3个 Name 所有以名字导出函数个数;memset(Str_s,0,200);//写0Str_cat(Str_s,Str_Name); //拼接成员名字ConvertUNICODE(B1->Name,m_str);//转换数字成unicodeStr_cat(Str_s,m_str);//拼接数字转换后的字符串memset(m_str,0,160);//用完将缓冲区写0Str_cat(Str_s,Str_h);//拼接中间空格部分字符串expListText(hListuse,Str_s);//输出字符串 //第4个 FirstThunk 所有以名字导出函数个数;memset(Str_s,0,200);//写0Str_cat(Str_s,Str_FirstThunk); //拼接成员名字ConvertUNICODE(B1->FirstThunk,m_str);//转换数字成unicodeStr_cat(Str_s,m_str);//拼接数字转换后的字符串memset(m_str,0,160);//用完将缓冲区写0Str_cat(Str_s,Str_h);//拼接中间空格部分字符串expListText(hListuse,Str_s);//输出字符串expListText(hListuse,Str_h);//输出字符串expListText(hListuse,Str_n2);//输出字符串expListText(hListuse,Str_h);//输出字符串expListText(hListuse,Str_h);//输出字符串//所有成员输出后;输出该模块所有函数的名字及IAT地址//得到int地址表首地址判断int地址表里面的值最高位是否为1C=(DWORD*)&a[RVA_FOA(B1->OriginalFirstThunk,a,0)];while(*C){c1=*C;C2=c1;C2=C2>>31; memset(Str_s,0,200);//用完将缓冲区写0if(C2==1)//表明是序号{ C2=c1; C2=C2>>1; //得到序号输出ConvertUNICODE(C2,m_str);Str_cat(Str_s,m_str);//拼接数字转换后的字符串memset(m_str,0,160);//用完将缓冲区写0}else{C1=&a[RVA_FOA(c1,a,0)];C1=C1 2;MByteToWChar(C1,m_str,80);Str_cat(Str_s,m_str);//得到函数名字memset(m_str,0,160);//用完将缓冲区写0} Str_cat(Str_s,Str_h3);//得到函数名字Str_cat(Str_s,Str_IATaddr);//得到函数名字c=B1->FirstThunk i*4;ConvertUNICODE(c,m_str);Str_cat(Str_s,m_str);//得到IAT表地址 memset(m_str,0,160);//用完将缓冲区写0 expListText(hListuse,Str_s);//输出字符串 expListText(hListuse,Str_h);//输出字符串C=C 1;//指向INT表下一个下标i ;}memset(Str_s,0,200);//用完将缓冲区写0 expListText(hListuse,Str_h);//输出字符串 expListText(hListuse,Str_h);//输出字符串 expListText(hListuse,Str_n);//输出字符串 expListText(hListuse,Str_h);//输出字符串 expListText(hListuse,Str_h);//输出字符串 B1=B1 1;//指向下一个导入表}}//调用遍历表的函数BOOL Getmport(void){switch(mEnumport){case 1:Enumexport();//遍历导出表mEnumport=0;return TRUE;case 2:{//MessageBox(0,TEXT("这回对了吧2"),0,MB_OK);Enumimport();mEnumport=0;return TRUE;}case 3:{//MessageBox(0,TEXT("这回对了吧3"),0,MB_OK);mEnumport=0;return TRUE;}case 4:{//MessageBox(0,TEXT("这回对了吧4"),0,MB_OK);mEnumport=0;return TRUE;}case 5:{ //MessageBox(0,TEXT("这回对了吧5"),0,MB_OK);mEnumport=0;return TRUE;}case 6:{//MessageBox(0,TEXT("这回对了吧6"),0,MB_OK);mEnumport=0;return TRUE;}break;}return TRUE;}//将unicode输出到列表框中显示BOOL expListText(HWND hwndlist,TCHAR* a)//参数1需输出列表框句柄,参数2 unicode字符串;{TCHAR* b=NULL;if(hwndlist==0){return FALSE;}int len=WideCharToMultiByte(CP_ACP,0,a,-1,NULL,0,NULL,NULL);if(len>96){b=(TCHAR*)malloc(sizeof(TCHAR)*50);memset(b,0,100); memcpy(b,a,94);m_mlv.pszText=b;m_mlv.iItem=m_hang;m_hang ;SendMessage(hwndlist,LVM_INSERTITEM,0,(DWORD)&m_mlv);free(b);b=a 47; expListText(hwndlist,b);}else{m_mlv.pszText=a;m_mlv.iItem=m_hang;m_hang ;SendMessage(hwndlist,LVM_INSERTITEM,0,(DWORD)&m_mlv);} return TRUE;}//字符串拼接程序BOOL Str_cat(TCHAR* a,TCHAR* b)//字符串拼接将b的unicode字符串拼接到a字符串里面{if ((a==0)|(b==0)){return FALSE;}if(b[0]==0){ return FALSE;}int i=0;int i1=0;short a1=0;while(a[i]){i ;}while(b[i1]){a[i]=b[i1];i ;i1 ;}a[i 1]=0;return TRUE;}

滴水三期PE解析实例（Funtion.cpp）

用户评论

推荐下载