Loading PE Headers


Question


Basically, what I am trying to do is to find last section of PE file. I have read PE specification very attentively, yet I can't discover where my code fails.

PIMAGE_DOS_HEADER pidh = (PIMAGE_DOS_HEADER)buffer;
PIMAGE_NT_HEADERS pinh = (PIMAGE_NT_HEADERS)(pidh + pidh->e_lfanew);
PIMAGE_FILE_HEADER pifh = (PIMAGE_FILE_HEADER)&pinh->FileHeader;
PIMAGE_OPTIONAL_HEADER pioh = (PIMAGE_OPTIONAL_HEADER)&pinh->OptionalHeader;
PIMAGE_SECTION_HEADER pish = (PIMAGE_SECTION_HEADER)(pinh + sizeof(IMAGE_NT_HEADERS) + (pifh->NumberOfSections - 1) * sizeof(IMAGE_SECTION_HEADER));


buffer is a byte array containing loaded executable, and pish is a pointer to the last section. For some reason, it appears that number of sections is over 20 000.


Any ideas? Thanks in advance.

Answer


There is one problem I see off hand: e_lfanew is the offset to the IMAGE_NT_HEADERS structure in bytes. You are adding this number of bytes to an IMAGE_DOS_HEADER pointer, so you are moving forward by sizeof(IMAGE_DOS_HEADER)*pidh->e_lfanew bytes.

Fixed version:

PIMAGE_DOS_HEADER pidh = (PIMAGE_DOS_HEADER)buffer;
PIMAGE_NT_HEADERS pinh = (PIMAGE_NT_HEADERS)((BYTE*)pidh + pidh->e_lfanew);
PIMAGE_FILE_HEADER pifh = (PIMAGE_FILE_HEADER)&pinh->FileHeader;
PIMAGE_OPTIONAL_HEADER pioh = (PIMAGE_OPTIONAL_HEADER)&pinh->OptionalHeader;
PIMAGE_SECTION_HEADER pish = (PIMAGE_SECTION_HEADER)((BYTE*)pinh + sizeof(IMAGE_NT_HEADERS) + (pifh->NumberOfSections - 1) * sizeof(IMAGE_SECTION_HEADER));


The best way to debug problems like this is to drop into the code with your debugger and view the PE data yourself in memory. You can open up the Visual Studio hex editor for example and see all of the byte data, and which values you are actually reading out.


Here's some information on viewing program memory in VS 2010: http://msdn.microsoft.com/en-us/library/s3aw423e.aspx
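As an added example (not code from the question or the answer above), here is a bounds-checked version of the same header walk that compiles and runs off Windows. The struct definitions are stand-ins for the winnt.h types with the same field layout, the PE image is a constructed header-only PE32+ sample rather than a real binary, and the section table is located by adding FileHeader.SizeOfOptionalHeader, the way the winnt.h IMAGE_FIRST_SECTION() macro does, instead of sizeof(IMAGE_NT_HEADERS), which is only right when the build's bitness happens to match the file's. Every offset derived from the file (e_lfanew, NumberOfSections, SizeOfOptionalHeader) is checked against the buffer length before it is dereferenced, so a corrupt count like the 20 000 seen in the question is rejected instead of producing a pointer past the end of the mapping. The function and variable names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-ins for the winnt.h types used in the question, laid out as the
 * PE/COFF specification defines them, so this compiles and runs off Windows. */
typedef struct { uint16_t e_magic; uint8_t e_unused[58]; int32_t e_lfanew; } IMAGE_DOS_HEADER; /* 64 bytes */
typedef struct {
    uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
} IMAGE_FILE_HEADER;                                                   /* 20 bytes */
typedef struct {
    uint8_t  Name[8];
    uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
             PointerToRelocations, PointerToLinenumbers;
    uint16_t NumberOfRelocations, NumberOfLinenumbers;
    uint32_t Characteristics;
} IMAGE_SECTION_HEADER;                                                /* 40 bytes */

#define IMAGE_DOS_SIGNATURE 0x5A4Du      /* "MZ" */
#define IMAGE_NT_SIGNATURE  0x00004550u  /* "PE\0\0" */

/* Byte offset of the last section header, or 0 if the headers do not fit in the
 * buffer. Every offset is checked against `len` before it is dereferenced, so a
 * corrupt e_lfanew or NumberOfSections cannot make us read past the mapping. */
size_t last_section_offset(const uint8_t *buf, size_t len)
{
    IMAGE_DOS_HEADER dos;
    IMAGE_FILE_HEADER fh;
    uint32_t sig;
    if (len < sizeof dos) return 0;
    memcpy(&dos, buf, sizeof dos);
    if (dos.e_magic != IMAGE_DOS_SIGNATURE || dos.e_lfanew < 0) return 0;
    size_t pe = (size_t)dos.e_lfanew;   /* a byte offset: add it to a byte pointer, never to a struct pointer */
    if (pe > len || len - pe < sizeof sig + sizeof fh) return 0;
    memcpy(&sig, buf + pe, sizeof sig);
    memcpy(&fh, buf + pe + sizeof sig, sizeof fh);
    if (sig != IMAGE_NT_SIGNATURE || fh.NumberOfSections == 0) return 0;
    /* The section table follows the optional header, whose length is
     * SizeOfOptionalHeader (it differs between PE32 and PE32+); this is what
     * winnt.h's IMAGE_FIRST_SECTION() macro computes. */
    size_t table = pe + sizeof sig + sizeof fh + fh.SizeOfOptionalHeader;
    size_t table_len = (size_t)fh.NumberOfSections * sizeof(IMAGE_SECTION_HEADER);
    if (table > len || len - table < table_len) return 0;
    return table + table_len - sizeof(IMAGE_SECTION_HEADER);
}

/* Copy the last section header out of the image; returns 1 on success, 0 if rejected. */
int read_last_section(const uint8_t *buf, size_t len, IMAGE_SECTION_HEADER *out)
{
    size_t off = last_section_offset(buf, len);
    if (off == 0) return 0;
    memcpy(out, buf + off, sizeof *out);
    return 1;
}

/* Constructed sample: a header-only PE32+ image with `nsec` sections (not a real
 * binary). Returns the image length, or 0 if it does not fit in `cap`. */
size_t build_sample_image(uint8_t *out, size_t cap, uint16_t nsec)
{
    const size_t pe = 0x80, opt = 240;             /* 240 = PE32+ optional header size */
    size_t table = pe + 4 + sizeof(IMAGE_FILE_HEADER) + opt;
    size_t total = table + (size_t)nsec * sizeof(IMAGE_SECTION_HEADER);
    if (total > cap) return 0;
    memset(out, 0, total);
    IMAGE_DOS_HEADER dos = { IMAGE_DOS_SIGNATURE, {0}, (int32_t)pe };
    IMAGE_FILE_HEADER fh = { 0x8664, nsec, 0, 0, 0, (uint16_t)opt, 0 };
    uint32_t sig = IMAGE_NT_SIGNATURE;
    uint16_t opt_magic = 0x20B;                    /* PE32+ optional header magic */
    memcpy(out, &dos, sizeof dos);
    memcpy(out + pe, &sig, sizeof sig);
    memcpy(out + pe + 4, &fh, sizeof fh);
    memcpy(out + pe + 4 + sizeof fh, &opt_magic, sizeof opt_magic);
    static const char *names[] = { ".text", ".rdata", ".data", ".reloc" };
    for (uint16_t i = 0; i < nsec; i++) {
        IMAGE_SECTION_HEADER sh = {{0}};
        memcpy(sh.Name, names[i % 4], strlen(names[i % 4]));
        sh.VirtualAddress = 0x1000u * (i + 1u);
        sh.VirtualSize = 0x200;
        memcpy(out + table + (size_t)i * sizeof sh, &sh, sizeof sh);
    }
    return total;
}

/* Three-section image: VirtualAddress of the last section (.data). */
uint32_t demo_last_section_va(void)
{
    uint8_t img[1024];
    IMAGE_SECTION_HEADER sh;
    size_t n = build_sample_image(img, sizeof img, 3);
    return (n && read_last_section(img, n, &sh)) ? sh.VirtualAddress : 0;
}

/* Same image with NumberOfSections overwritten to 20000, the value seen in the
 * question: the table would run far past the buffer, so the parser refuses it. */
size_t demo_corrupt_count_rejected(void)
{
    uint8_t img[1024];
    size_t n = build_sample_image(img, sizeof img, 3);
    uint16_t bogus = 20000;
    memcpy(img + 0x80 + 4 + offsetof(IMAGE_FILE_HEADER, NumberOfSections), &bogus, sizeof bogus);
    return last_section_offset(img, n);
}

/* Image cut one byte short of the end of the section table. */
size_t demo_truncated_rejected(void)
{
    uint8_t img[1024];
    size_t n = build_sample_image(img, sizeof img, 3);
    return last_section_offset(img, n - 1);
}

int main(void)
{
    printf("last section VA: 0x%x\n", demo_last_section_va());
    printf("corrupt section count rejected (0 = yes): %zu\n", demo_corrupt_count_rejected());
    printf("truncated image rejected (0 = yes): %zu\n", demo_truncated_rejected());
    return 0;
}
```

The headers are copied out with memcpy rather than cast in place, which sidesteps alignment questions on a byte buffer and keeps the code correct whether the image was read from a file or mapped; on a little-endian host the struct bytes match the on-disk PE format.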

