Loading PE Headers


Problem description

Basically, what I am trying to do is to find last section of PE file. I have read PE specification very attentively, yet I can't discover where my code fails.

PIMAGE_DOS_HEADER pidh = (PIMAGE_DOS_HEADER)buffer;
/* Bug: pidh is a struct pointer, so the addition is scaled by sizeof(IMAGE_DOS_HEADER), not bytes. */
PIMAGE_NT_HEADERS pinh = (PIMAGE_NT_HEADERS)(pidh + pidh->e_lfanew);
PIMAGE_FILE_HEADER pifh = (PIMAGE_FILE_HEADER)&pinh->FileHeader;
PIMAGE_OPTIONAL_HEADER pioh = (PIMAGE_OPTIONAL_HEADER)&pinh->OptionalHeader;
/* Same problem: the offset is scaled by sizeof(IMAGE_NT_HEADERS). */
PIMAGE_SECTION_HEADER pish = (PIMAGE_SECTION_HEADER)(pinh + sizeof(IMAGE_NT_HEADERS) + (pifh->NumberOfSections - 1) * sizeof(IMAGE_SECTION_HEADER));

buffer is a byte array containing loaded executable, and pish is a pointer to the last section. For some reason, it appears that number of sections is over 20 000.

Any ideas? Thanks in advance.

Recommended answer

There is one problem I see off hand: e_lfanew is the offset to the IMAGE_NT_HEADERS structure in bytes. You are adding this number of bytes to an IMAGE_DOS_HEADER pointer, so you are moving forward by sizeof(IMAGE_DOS_HEADER)*pidh->e_lfanew bytes.

Fixed version:

PIMAGE_DOS_HEADER pidh = (PIMAGE_DOS_HEADER)buffer;
/* Cast to BYTE* so e_lfanew is added as a byte offset instead of being scaled by sizeof(IMAGE_DOS_HEADER). */
PIMAGE_NT_HEADERS pinh = (PIMAGE_NT_HEADERS)((BYTE*)pidh + pidh->e_lfanew);
PIMAGE_FILE_HEADER pifh = (PIMAGE_FILE_HEADER)&pinh->FileHeader;
PIMAGE_OPTIONAL_HEADER pioh = (PIMAGE_OPTIONAL_HEADER)&pinh->OptionalHeader;
/* The section table starts right after the optional header, whose real length is pifh->SizeOfOptionalHeader;
   sizeof(IMAGE_NT_HEADERS) only matches when the file's bitness equals that of the build. */
PIMAGE_SECTION_HEADER pish = (PIMAGE_SECTION_HEADER)((BYTE*)&pinh->OptionalHeader + pifh->SizeOfOptionalHeader + (pifh->NumberOfSections - 1) * sizeof(IMAGE_SECTION_HEADER));

The best way to debug problems like this is to drop into the code with your debugger and view the PE data yourself in memory. You can open up the Visual Studio hex editor for example and see all of the byte data, and which values you are actually reading out.

Here's some information on viewing program memory in VS 2010: http://msdn.microsoft.com/en-us/library/s3aw423e.aspx
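The pointer-scaling bug above is one failure mode; the other one a parser of untrusted files has to handle is that every value read from the header (e_lfanew, NumberOfSections, SizeOfOptionalHeader) comes from the file and may point outside the buffer. The following is an added example, not code from either poster, that locates the last section header the way the answer describes but checks each offset against the buffer length before dereferencing it. It uses its own packed stand-ins for the WinNT.h structures (assumed to match the PE/COFF layout) so it compiles without windows.h, and builds a constructed minimal PE32+ image in memory to run against.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Stand-ins for the WinNT.h structures (assumption: same field layout as PE/COFF). */
#define IMAGE_DOS_SIGNATURE     0x5A4D      /* "MZ"     */
#define IMAGE_NT_SIGNATURE      0x00004550  /* "PE\0\0" */
#define IMAGE_SIZEOF_SHORT_NAME 8

#pragma pack(push, 1)
typedef struct {
    uint16_t e_magic;
    uint8_t  e_reserved[58];   /* e_cblp .. e_res2, not needed here */
    int32_t  e_lfanew;         /* file offset of the PE signature   */
} pe_dos_header;               /* 64 bytes, like IMAGE_DOS_HEADER   */

typedef struct {
    uint16_t Machine;
    uint16_t NumberOfSections;
    uint32_t TimeDateStamp;
    uint32_t PointerToSymbolTable;
    uint32_t NumberOfSymbols;
    uint16_t SizeOfOptionalHeader;
    uint16_t Characteristics;
} pe_file_header;              /* 20 bytes, like IMAGE_FILE_HEADER  */

typedef struct {
    uint8_t  Name[IMAGE_SIZEOF_SHORT_NAME];
    uint32_t VirtualSize;
    uint32_t VirtualAddress;
    uint32_t SizeOfRawData;
    uint32_t PointerToRawData;
    uint32_t PointerToRelocations;
    uint32_t PointerToLinenumbers;
    uint16_t NumberOfRelocations;
    uint16_t NumberOfLinenumbers;
    uint32_t Characteristics;
} pe_section_header;           /* 40 bytes, like IMAGE_SECTION_HEADER */
#pragma pack(pop)

/* Returns the last section header inside buf, or NULL if the file is not a PE
   image or any header would lie outside the buffer. Offsets are added as byte
   counts and validated against len before anything is read through them. */
const pe_section_header *pe_last_section(const uint8_t *buf, size_t len)
{
    pe_dos_header dos;
    pe_file_header fh;
    uint32_t sig;
    size_t nt_off, sect_off, table_len;

    if (buf == NULL || len < sizeof dos)
        return NULL;
    memcpy(&dos, buf, sizeof dos);            /* memcpy: no alignment assumptions */
    if (dos.e_magic != IMAGE_DOS_SIGNATURE || dos.e_lfanew < 0)
        return NULL;
    nt_off = (size_t)dos.e_lfanew;
    if (nt_off > len || len - nt_off < 4 + sizeof fh)  /* signature + COFF header */
        return NULL;
    memcpy(&sig, buf + nt_off, sizeof sig);
    if (sig != IMAGE_NT_SIGNATURE)
        return NULL;
    memcpy(&fh, buf + nt_off + 4, sizeof fh);
    if (fh.NumberOfSections == 0)             /* "last section" is undefined */
        return NULL;
    /* The section table follows the optional header; its real length is
       SizeOfOptionalHeader, which differs between PE32 and PE32+. */
    sect_off  = nt_off + 4 + sizeof fh + fh.SizeOfOptionalHeader;
    table_len = (size_t)fh.NumberOfSections * sizeof(pe_section_header);
    if (sect_off > len || len - sect_off < table_len)
        return NULL;                          /* truncated or lying header */
    return (const pe_section_header *)(buf + sect_off + (fh.NumberOfSections - 1) * sizeof(pe_section_header));
}

/* Copies the 8-byte, not necessarily NUL-terminated, section name into a C string. */
void pe_section_name(const pe_section_header *sh, char out[9])
{
    memcpy(out, sh->Name, IMAGE_SIZEOF_SHORT_NAME);
    out[8] = '\0';
}

/* Constructed sample: a minimal PE32+ header set with three sections and no
   code. Returns the number of bytes written (512), or 0 if cap is too small. */
size_t build_sample_pe(uint8_t *out, size_t cap)
{
    const size_t nt_off = 0x80;              /* e_lfanew after a DOS stub     */
    const uint16_t opt_size = 240;           /* PE32+ optional header length  */
    const char *names[3] = { ".text", ".rdata", ".data" };
    size_t total = nt_off + 4 + sizeof(pe_file_header) + opt_size + 3 * sizeof(pe_section_header);
    pe_dos_header dos; pe_file_header fh; pe_section_header sh;
    uint32_t sig = IMAGE_NT_SIGNATURE;
    uint8_t *sect;
    int i;

    if (cap < total) return 0;
    memset(out, 0, total);
    memset(&dos, 0, sizeof dos);
    dos.e_magic = IMAGE_DOS_SIGNATURE;
    dos.e_lfanew = (int32_t)nt_off;
    memcpy(out, &dos, sizeof dos);
    memcpy(out + nt_off, &sig, sizeof sig);
    memset(&fh, 0, sizeof fh);
    fh.Machine = 0x8664;                      /* x64 */
    fh.NumberOfSections = 3;
    fh.SizeOfOptionalHeader = opt_size;
    memcpy(out + nt_off + 4, &fh, sizeof fh);
    sect = out + nt_off + 4 + sizeof fh + opt_size;
    for (i = 0; i < 3; i++) {
        memset(&sh, 0, sizeof sh);
        memcpy(sh.Name, names[i], strlen(names[i]));
        sh.VirtualAddress = 0x1000u * (uint32_t)(i + 1);
        memcpy(sect + i * sizeof sh, &sh, sizeof sh);
    }
    return total;
}

int main(void)
{
    uint8_t img[1024];
    char name[9];
    size_t n = build_sample_pe(img, sizeof img);
    const pe_section_header *last = pe_last_section(img, n);
    if (last == NULL) { puts("not a valid PE image"); return 1; }
    pe_section_name(last, name);
    printf("last section: %s at RVA 0x%x\n", name, (unsigned)last->VirtualAddress);
    /* Dropping one byte cuts the last header short, so the parser refuses it. */
    printf("truncated image accepted: %s\n", pe_last_section(img, n - 1) ? "yes" : "no");
    return 0;
}
```

The checks mirror what the debugger session the answer suggests would reveal by hand: the bytes at e_lfanew must read "PE\0\0", and NumberOfSections times 40 bytes must fit after the optional header; a section count in the tens of thousands fails that test immediately instead of producing a pointer far past the buffer.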
