PE文件基本解析
本帖最后由 新空气 于 2019-9-16 07:46 编辑链接:https://pan.baidu.com/s/1nsUO2XCAQumCY64MRkq-Eg
提取码:faru
复制这段内容后打开百度网盘手机App,操作更方便哦
厉害~~~~~~~~~~{:1_183:} 我以为pe是pre... environment 预装环境呢 看到这楼主的长篇小说,被想起来翻了一下硬盘,不记得以前什么时候有写过的vbs 脚本,发出来分享好了{:1_201:}{:1_201:}{:1_201:}
Include "..\VBS类\类.vbs"
Sub Include(sInstFile)
Dim oFSO, f, s
Set oFSO = CreateObject("Scripting.FileSystemObject")
Set f = oFSO.OpenTextFile(sInstFile)
s = f.ReadAll
f.Close
ExecuteGlobal s
End Sub
Set m_Filec = New MyFileClass
Set m_Regc= New MyRegClass
Set m_Strc= new MyStrGetStrClass
dim FileData
dim m_FileListFileName
dim m_TempFileName
dim m_SetOutFile
dim m_SetOutFileName
m_SetOutFileName = "集中输出列表在一个文件中.txt"
m_SetOutFile = 0
m_FileListFileName = "默认处理文件列表.txt"
m_Filec.MyCreaterFile m_FileListFileName , m_SetOutFileName
m_Filec.MyReadFileLineStr_Old m_FileListFileName , 1 , m_TempFileName
if m_SetOutFileName = m_TempFileName then
m_SetOutFile = 1
m_Filec.MyDeleteFile m_SetOutFileName
end if
m_Filec.SetReadFileName m_FileListFileName
do while m_Filec.TestReadFileLineStr()
m_FileListFileName = m_Filec.ReadFileLineStr()
if 1 = m_Filec.MyCheckFile( m_FileListFileName ) then
FileData = ReadBinary( m_FileListFileName )
if 1 = m_SetOutFile then
m_TempFileName = m_SetOutFileName
else
m_TempFileName = m_Strc.GetShortFileNameStr( m_FileListFileName ) & "_需要的输入模块列表.txt"
m_Filec.MyDeleteFile m_TempFileName
end if
Get_PEImportDirectory_ListToFile FileData , Len(FileData) , m_TempFileName
End if
Loop
msgbox "操作结束"
'获取输入表字符串 输出到文件 I_OutListFileName
Public Function Get_PEImportDirectory_ListToFile( ByVal I_FileData , ByVal I_FileData_Len , ByVal I_OutListFileName )
dim t_TempOffset
dim t_PeHOffset ' PE头部的RVA PE标签(00004550) 的RVAPE文件头部 大小 24B
dim t_SizeOfOptionalHeader ' PE可选头部的大小
dim t_PEOptiHeader ' PE扩展头部的RVA
dim t_PEDataDirectory ' PE数据目录的RVA
dim t_PESectionHeader ' 节表的RVA
dim t_NumberOfSections ' 节表计数
dim t_Magic ' PE类型标签 这里区分32位还是64位的PE
dim t_FileAlignment ' PE节数据在文件中的对齐粒度
dim t_ImportDirectory_Rva' 输入表的 RVA
dim t_ImportDirectory_Len' 输入表的 大小
if 0 = IsPEFile_InHexStr( I_FileData , I_FileData_Len ) then
Exit Function
end if
'PE 标签的 RVA
t_PeHOffset = Clng( "&H" & H2H( mid( I_FileData , 121 , 8 )))
if ( 24 + t_PeHOffset ) * 2 >= I_FileData_Len then
Exit Function
end if
'PE扩展头部的大小
t_SizeOfOptionalHeader = Clng( "&H" & H2H( mid( I_FileData , ( t_PeHOffset + 20 ) * 2 + 1 , 4 )))
'PE扩展头部的RVA
t_PEOptiHeader = t_PeHOffset + 24
if ( t_PEOptiHeader + t_SizeOfOptionalHeader ) * 2 >= I_FileData_Len then
Exit Function
end if
t_Magic = Clng( "&H" & H2H( mid( I_FileData , t_PEOptiHeader * 2 + 1 , 4)))
'PE数据目录的RVA
t_PEDataDirectory = 0
if 523 = t_Magic then
t_PEDataDirectory = &H180 - &H110 + t_PEOptiHeader
end if
if 267 = t_Magic then
t_PEDataDirectory = &H160 - &H100 + t_PEOptiHeader
end if
if 0 = t_PEDataDirectory then
Exit Function
end if
' 节表计数
t_NumberOfSections = Clng( "&H" & H2H( mid( I_FileData , ( t_PeHOffset + 6 ) * 2 + 1 , 4)))
'节表的RVA
t_PESectionHeader = t_PEOptiHeader + t_SizeOfOptionalHeader
if ( t_PESectionHeader + t_NumberOfSections * 40 ) * 2 >= I_FileData_Len then
Exit Function
end if
' PE节数据在文件中的对齐粒度
t_FileAlignment = 0
if 523 = t_Magic then
t_FileAlignment= &H134 - &H110 + t_PEOptiHeader
end if
if 267 = t_Magic then
t_FileAlignment = &H124 - &H100 + t_PEOptiHeader
end if
if 0 = t_FileAlignment then
Exit Function
end if
t_FileAlignment = Clng( "&H" & H2H( mid( I_FileData , t_FileAlignment * 2 + 1 , 8)))
' 输入表的 RVA
t_ImportDirectory_Rva = Clng( "&H" & H2H( mid( I_FileData , ( t_PEDataDirectory + 8 ) * 2 + 1 , 8)))
' 输入表的 大小
t_ImportDirectory_Len = Clng( "&H" & H2H( mid( I_FileData , ( t_PEDataDirectory + 12 ) * 2 + 1 , 8)))
if ( 0 = t_ImportDirectory_Rva ) Or ( 0 = t_ImportDirectory_Len ) then
Exit Function
end if
dim th_ImportDirectory' 输入表的偏移量
dim i , tti
dim t_DllName
dim th_DllName
dim t_DllName_Rva
Set t_Filec = New MyFileClass
th_ImportDirectory = GetRvaInPESectionHeader( I_FileData , I_FileData_Len , t_PESectionHeader , t_NumberOfSections , t_FileAlignment , t_ImportDirectory_Rva )
if 0 = th_ImportDirectory then
Exit Function
end if
if th_ImportDirectory + t_ImportDirectory_Len * 2>= I_FileData_Len then
Exit Function
end if
i = 12 * 2
do while 1
if th_ImportDirectory + i + 8 >= I_FileData_Len then
Exit Do
end if
t_DllName = H2H( mid( I_FileData , th_ImportDirectory + i , 8 ))
if "00000000" = t_DllName then
Exit Do
end if
t_DllName_Rva = Clng( "&H" & t_DllName )
th_DllName = GetRvaInPESectionHeader( I_FileData , I_FileData_Len , t_PESectionHeader , t_NumberOfSections , t_FileAlignment , t_DllName_Rva )
if 0 = th_DllName then
Exit Do
end if
t_DllName = ""
tti = 0
do while 1
if "00" = mid( I_FileData , th_DllName + tti , 2 ) then
Exit Do
end if
t_DllName = t_DllName + Chr("&H" & mid( I_FileData , th_DllName + tti , 2 ))
tti = tti + 2
Loop
if "" = t_DllName then
Exit Do
end if
t_Filec.MyAddFileStr I_OutListFileName , "\" & t_DllName
i = i + 40
Loop
'msgbox mid( I_FileData , th_ImportDirectory , t_ImportDirectory_Len )
End Function
'计算出RVA 在 I_FileData 中的位置
Public Function GetRvaInPESectionHeader( ByVal I_FileData , ByVal I_FileData_Len , _
ByVal I_PESectionHeader , ByVal I_NumberOfSections , _
ByVal I_FileAlignment , ByVal I_Rva )
dim t_VirtualAddress '节的Rva
dim t_PointerToRawData '节数据起始在文件中的偏移量
dim t_SizeOfRawData '节数据在文件中的大小
dim i
GetRvaInPESectionHeader = 0
for i = 1 to I_NumberOfSections
t_VirtualAddress = Clng( "&H" & H2H( mid( I_FileData , ( I_PESectionHeader + ( i - 1) * 40 + 12 ) * 2 + 1 , 8)))
t_PointerToRawData = Clng( "&H" & H2H( mid( I_FileData , ( I_PESectionHeader + ( i - 1) * 40 + 20 ) * 2 + 1 , 8)))
t_SizeOfRawData = Clng( "&H" & H2H( mid( I_FileData , ( I_PESectionHeader + ( i - 1) * 40 + 16 ) * 2 + 1 , 8)))
if 0 <> t_SizeOfRawData then
't_SizeOfRawData = Clng(( t_SizeOfRawData + I_FileAlignment - 1) / I_FileAlignment ) '这里的运算视乎有问题
if (( t_VirtualAddress + t_SizeOfRawData ) > I_Rva ) and ( I_Rva >= t_VirtualAddress ) then
if ( t_PointerToRawData + t_SizeOfRawData )* 2 > I_FileData_Len then
Exit Function
end if
GetRvaInPESectionHeader = ( I_Rva - t_VirtualAddress + t_PointerToRawData ) * 2 + 1
Exit Function
end if
end if
Next
End Function
'简单判断 pe 格式
Public Function IsPEFile_InHexStr( ByVal I_FileData , ByVal I_FileData_Len )
IsPEFile_InHexStr = 0
if "5A4D" <> ucase( H2H( mid( I_FileData , 1 , 4 ))) then
Exit Function
end if
if 128 >= I_FileData_Len then
Exit Function
end if
t_PeHOffset = Clng( "&H" & H2H( mid( I_FileData , 121 , 8 ))) * 2 + 1
if (t_PeHOffset + 8) >= I_FileData_Len then
Exit Function
end if
if "00004550" <> H2H( mid( I_FileData , t_PeHOffset , 8 )) then
Exit Function
end if
IsPEFile_InHexStr = 1
End Function
'十六进制字符串反序
Public Function H2H( ByVal Hex )
H2H = ""
t_StrLen = Len( Hex )
if ( 4 = t_StrLen ) then
H2H = mid( Hex , 3 , 2 ) & mid( Hex , 1 , 2 )
end if
if ( 8 = t_StrLen ) then
H2H = mid( Hex , 7 , 2 ) & mid( Hex , 5 , 2 ) & mid( Hex , 3 , 2 ) & mid( Hex , 1 , 2 )
end if
End Function
'读二进制文件按字节数据转换成十六进制字符串显示
Function ReadBinary(FileName)
Const adTypeBinary = 1
Dim stream, xmldom, node
Set xmldom = CreateObject("Microsoft.XMLDOM")
Set node = xmldom.CreateElement("binary")
node.DataType = "bin.hex"
Set stream = CreateObject("ADODB.Stream")
stream.Type = adTypeBinary
stream.Open
stream.LoadFromFile FileName
node.NodeTypedValue = stream.Read
stream.Close
Set stream = Nothing
ReadBinary = node.Text
Set node = Nothing
Set xmldom = Nothing
End Function
'写二进制文件按字节数据转换成十六进制字符串显示
Sub WriteBinary(FileName, Buf)
Const adTypeBinary = 1
Const adSaveCreateOverWrite = 2
Dim stream, xmldom, node
Set xmldom = CreateObject("Microsoft.XMLDOM")
Set node = xmldom.CreateElement("binary")
node.DataType = "bin.hex"
node.Text = Buf
Set stream = CreateObject("ADODB.Stream")
stream.Type = adTypeBinary
stream.Open
stream.write node.NodeTypedValue
stream.saveToFile FileName, adSaveCreateOverWrite
stream.Close
Set stream = Nothing
Set node = Nothing
Set xmldom = Nothing
End Sub
此PE非彼PE,哈
页:
[1]