Here's my code :
// peInfo.cpp : définit le point d'entrée pour l'application console.
//
#include <stdio.h>
#include <tchar.h>
#include <Windows.h>
// Forward declarations for the PE parsing helpers defined below.
// Every value these helpers read comes straight from the file on disk.

// Opens filePath and prints its section table and import/export directory entries.
bool parseFile(TCHAR* filePath);
// Reads the IMAGE_DOS_HEADER at file offset 0 and checks e_magic.
bool getDosHeader(FILE* f, PIMAGE_DOS_HEADER pDosHeader);
// Reads IMAGE_NT_HEADERS at the given file offset and checks Signature.
bool getNtHeaders(FILE* f, PIMAGE_NT_HEADERS pNtHeaders, LONG offset);
// Reads nbSections IMAGE_SECTION_HEADER entries at the given file offset into pSectionHeaders.
bool getSections(FILE* f, PIMAGE_SECTION_HEADER pSectionHeaders, int nbSections, LONG offset);
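/**
 * Console entry point: parse one PE file and print a summary of it.
 *
 * The file to inspect is argv[1] when an argument is given; otherwise the
 * original hard-coded sample path is used. The process exit code is 0 when
 * parseFile() succeeds and 1 when it fails.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    // Writable array rather than a string literal, because parseFile() takes
    // a non-const TCHAR*.
    TCHAR defaultPath[] = _T("C:\\Tools\\ThreatBlaster\\Hook\\Hook\\Debug\\Hook.dll");
    TCHAR *path = (argc > 1) ? argv[1] : defaultPath;

    // The result used to be discarded, so an unreadable or malformed file
    // produced no output and no hint that anything had gone wrong.
    bool parsed = parseFile(path);
    if (!parsed)
        printf("Could not parse the file as a PE image\n");

    // Keeps the console window open when started from the IDE.
    system("PAUSE");
    return parsed ? 0 : 1;
}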
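/**
 * Open a PE file and print its section names with their virtual addresses,
 * followed by the import and export data-directory entries.
 *
 * All header fields come from the file and are treated as untrusted input.
 *
 * @param filePath  Path of the file to inspect.
 * @return true when the headers and section table were read and printed,
 *         false when the file could not be opened, a header failed
 *         validation, or the section table could not be read.
 */
bool parseFile(TCHAR* filePath)
{
    BYTE NameSection[IMAGE_SIZEOF_SHORT_NAME + 1];
    // Zero-initialised so that a short read can never leave stack garbage
    // behind for the signature checks to look at.
    IMAGE_DOS_HEADER DosHeader = {0};
    IMAGE_NT_HEADERS NtHeaders = {0};
    PIMAGE_SECTION_HEADER pSectionHeaders = NULL;
    bool ok = false;

    if (filePath == NULL)
        return false;

    // Binary mode is required: in text mode the Windows CRT translates CR/LF
    // pairs and stops at the first 0x1A byte, which corrupts offsets and
    // truncates reads of an executable.
    FILE *f = _tfopen(filePath, _T("rb"));
    if (f == NULL)
        return false;

    // e_lfanew is attacker-controlled; a negative value is never a valid offset.
    if (getDosHeader(f, &DosHeader)
        && DosHeader.e_lfanew >= 0
        && getNtHeaders(f, &NtHeaders, DosHeader.e_lfanew))
    {
        WORD nbSections = NtHeaders.FileHeader.NumberOfSections;

        // The section table starts after the optional header, whose size is
        // given by the file (SizeOfOptionalHeader) and is not necessarily
        // sizeof(IMAGE_OPTIONAL_HEADER) for this build (PE32 vs PE32+).
        LONG sectionOffset = DosHeader.e_lfanew
                           + (LONG)sizeof(DWORD)               // Signature
                           + (LONG)sizeof(IMAGE_FILE_HEADER)
                           + (LONG)NtHeaders.FileHeader.SizeOfOptionalHeader;

        ok = true;
        if (nbSections > 0)
        {
            // calloc zeroes the table, so a truncated file cannot cause
            // uninitialised heap memory to be printed.
            pSectionHeaders = (PIMAGE_SECTION_HEADER) calloc(nbSections, sizeof(IMAGE_SECTION_HEADER));
            if (pSectionHeaders == NULL
                || !getSections(f, pSectionHeaders, nbSections, sectionOffset))
            {
                ok = false;
            }
            else
            {
                for (int i = 0; i < nbSections; i++)
                {
                    // Section names are not NUL-terminated when they use all
                    // 8 bytes, so copy into a buffer with a guaranteed terminator.
                    memset(NameSection, '\0', sizeof(NameSection));
                    memcpy(NameSection, pSectionHeaders[i].Name, IMAGE_SIZEOF_SHORT_NAME);
                    printf("%s : 0x%lx\n", (const char *)NameSection, pSectionHeaders[i].VirtualAddress);
                }
            }
            free(pSectionHeaders);
        }

        if (ok)
        {
            // DataDirectory is only meaningful when the optional header has
            // the layout this build was compiled for and the file declares
            // enough directory entries.
            if (NtHeaders.OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR_MAGIC
                && NtHeaders.OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_IMPORT)
            {
                // Import table
                printf("Import table : 0x%lx -- %lu\n",
                       NtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress,
                       NtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size);
                // Export table
                printf("Export table : 0x%lx -- %lu\n",
                       NtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress,
                       NtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size);
            }
            else
            {
                printf("Data directories skipped: optional header magic 0x%x, NumberOfRvaAndSizes %lu\n",
                       (unsigned)NtHeaders.OptionalHeader.Magic,
                       NtHeaders.OptionalHeader.NumberOfRvaAndSizes);
            }
        }
    }

    // Single exit point: the stream is closed on every path, including the
    // header-validation failures that used to return without closing it.
    fclose(f);
    return ok;
}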
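/**
 * Read the IMAGE_DOS_HEADER from the start of the file and validate it.
 *
 * @param f           Stream to read from; the caller should have opened it
 *                    in binary mode.
 * @param pDosHeader  Receives the header bytes.
 * @return true only when the complete header was read and e_magic equals
 *         IMAGE_DOS_SIGNATURE.
 */
bool getDosHeader(FILE* f, PIMAGE_DOS_HEADER pDosHeader)
{
    if (f == NULL || pDosHeader == NULL)
        return false;

    // The header sits at the very beginning of the file.
    if (fseek(f, 0, SEEK_SET) != 0)
        return false;

    // Reading one whole object makes a truncated file show up as a failed
    // read instead of a partially filled header that is then inspected.
    if (fread(pDosHeader, sizeof(IMAGE_DOS_HEADER), 1, f) != 1)
        return false;

    return pDosHeader->e_magic == IMAGE_DOS_SIGNATURE;
}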
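/**
 * Read IMAGE_NT_HEADERS at the given file offset and validate the signature.
 *
 * @param f           Stream to read from; the caller should have opened it
 *                    in binary mode.
 * @param pNtHeaders  Receives the header bytes.
 * @param offset      File offset of the NT headers (e_lfanew from the DOS
 *                    header); taken from the file, so treated as untrusted.
 * @return true only when the seek succeeded, the complete structure was read
 *         and Signature equals IMAGE_NT_SIGNATURE.
 */
bool getNtHeaders(FILE* f, PIMAGE_NT_HEADERS pNtHeaders, LONG offset)
{
    if (f == NULL || pNtHeaders == NULL || offset < 0)
        return false;

    // If the seek fails the stream position is unchanged, and the read below
    // would silently pick up unrelated bytes; stop here instead.
    if (fseek(f, offset, SEEK_SET) != 0)
        return false;

    // A short read (offset near or past end of file) must not be mistaken
    // for a valid header.
    if (fread(pNtHeaders, sizeof(IMAGE_NT_HEADERS), 1, f) != 1)
        return false;

    return pNtHeaders->Signature == IMAGE_NT_SIGNATURE;
}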
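/**
 * Read the section table into a caller-provided array.
 *
 * @param f                Stream to read from; the caller should have opened
 *                         it in binary mode.
 * @param pSectionHeaders  Destination array with room for nbSections entries.
 * @param nbSections       Number of IMAGE_SECTION_HEADER entries to read.
 * @param offset           File offset of the first section header.
 * @return true when every requested entry was read (or nbSections is 0),
 *         false on invalid arguments, a failed seek or a short read.
 */
bool getSections(FILE* f, PIMAGE_SECTION_HEADER pSectionHeaders, int nbSections, LONG offset)
{
    // A negative count would turn into a huge size_t in the read below.
    if (f == NULL || pSectionHeaders == NULL || nbSections < 0 || offset < 0)
        return false;
    if (nbSections == 0)
        return true;

    if (fseek(f, offset, SEEK_SET) != 0)
        return false;

    // Count whole entries so that a truncated table is reported rather than
    // leaving trailing entries unfilled for the caller to print.
    size_t wanted = (size_t)nbSections;
    size_t got = fread(pSectionHeaders, sizeof(IMAGE_SECTION_HEADER), wanted, f);
    return got == wanted;
}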
What I got:
Last line of the file :
0x63010
What is "object image"?
I mean Image in RAM