曾经一个vbs就实现了的功能!
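' Entry point: writes the import-module (DLL) names of a PE file to a text list.
' Command-line arguments:
'   1 = PE file to inspect
'   2 = output list file (optional; defaults to "<pe name> 导入模块列表.txt" next to the script)
'   3 = appears to act as a "quiet" switch: the message boxes are shown only when it is empty
' The PE file is untrusted input. It is only read and parsed here, never loaded or executed.
Dim m_FileData
Dim m_EsiPeFileName
Dim m_OutInfFileName
Dim m_TempFileName
Dim m_fso
Set m_fso = CreateObject("Scripting.FileSystemObject") ' VBS file system object
m_EsiPeFileName = FormatPath( GetCmdLineOldStr( 1 ) )
m_TempFileName = FormatPath( GetCmdLineOldStr( 2 ) )
' Ask interactively only when no usable input file and no output file were given.
If Not m_fso.FileExists( m_EsiPeFileName ) And ( "" = GetCmdLineOldStr( 2 ) ) Then
    m_EsiPeFileName = Inputbox ("请输入要进行导入模块列表搜索的PE文件:")
End If
' Stop when the input file is missing. The original only quit when argument 3 was empty,
' so a quiet run with a bad path went on to create the output file and then failed in ReadBinary.
If Not m_fso.FileExists( m_EsiPeFileName ) Then
    If "" = GetCmdLineOldStr( 3 ) Then WSH.echo "没有找到你要进行导入模块列表搜索的PE文件!"
    wscript.quit
End If
If "" = m_TempFileName Then
    m_TempFileName = FormatPath( GetVbsPath() ) & "\" & GetFileNameString( m_EsiPeFileName , 3 ) & " 导入模块列表.txt"
End If
' The output file is deleted before it is rewritten, so refuse an output path that
' resolves to the PE file being inspected; otherwise the input would be destroyed.
If 0 = StrComp( m_fso.GetAbsolutePathName( m_TempFileName ) , m_fso.GetAbsolutePathName( m_EsiPeFileName ) , vbTextCompare ) Then
    If "" = GetCmdLineOldStr( 3 ) Then WSH.echo "输出文件不能与要搜索的PE文件相同!"
    wscript.quit
End If
If m_fso.FileExists( m_TempFileName ) Then m_fso.getfile( m_TempFileName ).delete
' The first line of the list is the path of the inspected file.
MyAddFileStr m_TempFileName , m_EsiPeFileName
' Whole file as a hex string, two characters per byte.
m_FileData = ReadBinary( m_EsiPeFileName )
Get_PEImportDirectory_ListToFile m_FileData , Len( m_FileData ) , m_TempFileName
If "" = GetCmdLineOldStr( 3 ) Then WSH.echo "操作结束!"
wscript.quit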
'==============================================================================================================================
'获取输入表字符串 输出到文件 I_OutListFileName
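Public Function Get_PEImportDirectory_ListToFile( ByVal I_FileData , ByVal I_FileData_Len , ByVal I_OutListFileName )
    ' Walks the import directory of a PE image and appends one line per imported
    ' module name ("\" & name) to I_OutListFileName.
    '
    ' I_FileData        : the whole file as a hex string, two characters per byte
    ' I_FileData_Len    : Len( I_FileData ), i.e. twice the file size in bytes
    ' I_OutListFileName : text file that receives the names (via MyAddFileStr)
    '
    ' No return value is assigned. The function leaves silently as soon as a header
    ' field is inconsistent with the data, because the file is untrusted input:
    ' every offset read from it is range-checked before it is used with Mid().
    '
    ' CLng("&H........") yields a signed value, so a 32-bit field with the top bit
    ' set comes back negative; such values are rejected. 16-bit fields are
    ' normalised to 0..65535 in case the conversion sign-extends them.

    ' Upper bound on one module name, in hex characters (260 bytes). Chosen here as a
    ' sanity limit so a crafted file cannot make the script build an enormous string.
    Const MAX_DLL_NAME_HEXCHARS = 520

    Dim t_PeHOffset               ' file offset of the "PE\0\0" signature (e_lfanew); file header is 24 bytes with it
    Dim t_SizeOfOptionalHeader    ' size of the optional header
    Dim t_PEOptiHeader            ' file offset of the optional header
    Dim t_PEDataDirectory         ' file offset of the data directory array
    Dim t_NumberOfRvaAndSizes     ' number of data directory entries present
    Dim t_PESectionHeader         ' file offset of the section table
    Dim t_NumberOfSections        ' number of section headers
    Dim t_Magic                   ' optional header magic: distinguishes PE32 from PE32+
    Dim t_FileAlignment           ' file alignment of section data
    Dim t_ImportDirectory_Rva     ' RVA of the import directory
    Dim t_ImportDirectory_Len     ' size of the import directory
    Dim th_ImportDirectory        ' 1-based hex-string position of the import directory
    Dim i , tti
    Dim t_DllName
    Dim th_DllName
    Dim t_DllName_Rva
    Dim t_ByteHex , t_Byte

    If 0 = IsPEFile_InHexStr( I_FileData , I_FileData_Len ) Then
        Exit Function
    End If

    ' e_lfanew lives at byte 0x3C, i.e. hex position 121
    t_PeHOffset = Clng( "&H" & H2H( mid( I_FileData , 121 , 8 )))
    If t_PeHOffset < 0 Then Exit Function
    If ( 24 + t_PeHOffset ) * 2 >= I_FileData_Len Then
        Exit Function
    End If

    ' Size of the optional header (16-bit field)
    t_SizeOfOptionalHeader = Clng( "&H" & H2H( mid( I_FileData , ( t_PeHOffset + 20 ) * 2 + 1 , 4 )))
    If t_SizeOfOptionalHeader < 0 Then t_SizeOfOptionalHeader = t_SizeOfOptionalHeader + 65536

    ' The optional header follows the 4-byte signature and the 20-byte file header
    t_PEOptiHeader = t_PeHOffset + 24
    If ( t_PEOptiHeader + t_SizeOfOptionalHeader ) * 2 >= I_FileData_Len Then
        Exit Function
    End If
    ' The magic is read below, so at least those two bytes must belong to the header
    If t_SizeOfOptionalHeader < 2 Then Exit Function

    t_Magic = Clng( "&H" & H2H( mid( I_FileData , t_PEOptiHeader * 2 + 1 , 4 )))

    ' Locate the data directory array: it starts 0x70 bytes into a PE32+ optional
    ' header (magic 0x20B = 523) and 0x60 bytes into a PE32 one (magic 0x10B = 267).
    Select Case t_Magic
        Case 523
            t_PEDataDirectory = &H70 + t_PEOptiHeader
        Case 267
            t_PEDataDirectory = &H60 + t_PEOptiHeader
        Case Else
            Exit Function
    End Select

    ' The import entry is directory index 1 (bytes 8..15 of the array). Make sure the
    ' declared optional header really covers it, otherwise the reads below would pick
    ' up section-table bytes or whatever follows.
    If t_PEDataDirectory + 16 > t_PEOptiHeader + t_SizeOfOptionalHeader Then
        Exit Function
    End If
    ' NumberOfRvaAndSizes sits immediately before the array; with fewer than two
    ' entries there is no import directory. A negative value here is a large unsigned count.
    t_NumberOfRvaAndSizes = Clng( "&H" & H2H( mid( I_FileData , ( t_PEDataDirectory - 4 ) * 2 + 1 , 8 )))
    If ( t_NumberOfRvaAndSizes >= 0 ) And ( t_NumberOfRvaAndSizes < 2 ) Then
        Exit Function
    End If

    ' Number of sections (16-bit field)
    t_NumberOfSections = Clng( "&H" & H2H( mid( I_FileData , ( t_PeHOffset + 6 ) * 2 + 1 , 4 )))
    If t_NumberOfSections < 0 Then t_NumberOfSections = t_NumberOfSections + 65536

    ' The section table follows the optional header; each entry is 40 bytes
    t_PESectionHeader = t_PEOptiHeader + t_SizeOfOptionalHeader
    If ( t_PESectionHeader + t_NumberOfSections * 40 ) * 2 >= I_FileData_Len Then
        Exit Function
    End If

    ' FileAlignment is 0x24 bytes into the optional header for both PE32 and PE32+
    t_FileAlignment = Clng( "&H" & H2H( mid( I_FileData , ( t_PEOptiHeader + &H24 ) * 2 + 1 , 8 )))

    ' RVA and size of the import directory
    t_ImportDirectory_Rva = Clng( "&H" & H2H( mid( I_FileData , ( t_PEDataDirectory + 8 ) * 2 + 1 , 8 )))
    t_ImportDirectory_Len = Clng( "&H" & H2H( mid( I_FileData , ( t_PEDataDirectory + 12 ) * 2 + 1 , 8 )))
    If ( t_ImportDirectory_Rva <= 0 ) Or ( t_ImportDirectory_Len <= 0 ) Then
        Exit Function
    End If

    th_ImportDirectory = GetRvaInPESectionHeader( I_FileData , I_FileData_Len , t_PESectionHeader , t_NumberOfSections , t_FileAlignment , t_ImportDirectory_Rva )
    If th_ImportDirectory < 1 Then
        Exit Function
    End If
    If th_ImportDirectory + t_ImportDirectory_Len * 2 >= I_FileData_Len Then
        Exit Function
    End If

    ' Each import descriptor is 20 bytes (40 hex characters); its Name RVA is at byte 12.
    i = 12 * 2
    Do
        If th_ImportDirectory + i + 8 >= I_FileData_Len Then
            Exit Do
        End If
        t_DllName = H2H( mid( I_FileData , th_ImportDirectory + i , 8 ))
        ' An all-zero Name field marks the terminating descriptor
        If "00000000" = t_DllName Then
            Exit Do
        End If
        t_DllName_Rva = Clng( "&H" & t_DllName )
        If t_DllName_Rva < 0 Then
            Exit Do
        End If
        th_DllName = GetRvaInPESectionHeader( I_FileData , I_FileData_Len , t_PESectionHeader , t_NumberOfSections , t_FileAlignment , t_DllName_Rva )
        If th_DllName < 1 Then
            Exit Do
        End If

        ' Copy the zero-terminated name byte by byte.
        t_DllName = ""
        tti = 0
        Do
            ' Name runs off the end of the data without a terminator: treat as malformed
            If th_DllName + tti + 1 > I_FileData_Len Then
                t_DllName = ""
                Exit Do
            End If
            If tti >= MAX_DLL_NAME_HEXCHARS Then
                Exit Do
            End If
            t_ByteHex = mid( I_FileData , th_DllName + tti , 2 )
            If "00" = t_ByteHex Then
                Exit Do
            End If
            t_Byte = Clng( "&H" & t_ByteHex )
            ' The name goes into a line-oriented text file, so control characters
            ' (CR, LF, ...) from the file must not be able to forge extra lines.
            If ( t_Byte < 32 ) Or ( 127 = t_Byte ) Then
                t_DllName = t_DllName & "?"
            Else
                t_DllName = t_DllName & Chr( t_Byte )
            End If
            tti = tti + 2
        Loop
        If "" = t_DllName Then
            Exit Do
        End If

        MyAddFileStr I_OutListFileName , "\" & t_DllName
        i = i + 40
    Loop
End Function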
'==============================================================================================================================
'文件名和路径字符串的提取
Function GetFileNameString( ByVal I_FileName , ByVal I_Type )
    ' Extracts one component of a Windows path, selected by I_Type:
    '   0 = drive letter ("" when the second character is not ":")
    '   1 = directory part (the script's own directory when there is no "\")
    '   2 = name of the parent directory
    '   3 = file name with extension
    '   4 = file name without extension (any ":" is replaced by "盘")
    '   5 = extension including the leading "."
    ' Any other I_Type returns I_FileName unchanged.
    Dim t_SepPos
    Dim t_Leaf

    Select Case I_Type
        Case 0
            GetFileNameString = ""
            If Len( I_FileName ) > 1 Then
                If Mid( I_FileName , 2 , 1 ) = ":" Then GetFileNameString = Left( I_FileName , 1 )
            End If

        Case 1
            t_SepPos = InStrRev( I_FileName , "\" )
            If t_SepPos > 0 Then
                GetFileNameString = Left( I_FileName , t_SepPos - 1 )
            Else
                ' No directory in the argument: fall back to the script's directory
                GetFileNameString = GetFileNameString( Wscript.ScriptFullName , 1 )
            End If

        Case 2
            GetFileNameString = GetFileNameString( GetFileNameString( I_FileName , 1 ) , 3 )

        Case 3
            ' Search backwards for the last "\"
            t_SepPos = InStrRev( I_FileName , "\" )
            If t_SepPos > 0 Then
                GetFileNameString = Mid( I_FileName , t_SepPos + 1 )
            Else
                GetFileNameString = I_FileName
            End If

        Case 4
            t_Leaf = GetFileNameString( I_FileName , 3 )
            ' Search backwards for the last "."
            t_SepPos = InStrRev( t_Leaf , "." )
            If t_SepPos > 0 Then t_Leaf = Left( t_Leaf , t_SepPos - 1 )
            GetFileNameString = Replace( t_Leaf , ":" , "盘" )

        Case 5
            t_Leaf = GetFileNameString( I_FileName , 3 )
            t_SepPos = InStrRev( t_Leaf , "." )
            If t_SepPos > 0 Then
                GetFileNameString = Mid( t_Leaf , t_SepPos )
            Else
                GetFileNameString = ""
            End If

        Case Else
            GetFileNameString = I_FileName
    End Select
End Function
'==============================================================================================================================
'去掉目录后面的\
Public Function FormatPath (ByVal thePath)
    ' Trims surrounding blanks and drops a single trailing "\" from a path.
    Dim t_Clean
    t_Clean = Trim(thePath)
    If Right(t_Clean, 1) = "\" Then
        FormatPath = Left(t_Clean, Len(t_Clean) - 1)
    Else
        FormatPath = t_Clean
    End If
End Function
'==============================================================================================================================
'获取VBS的脚本目录
Public Function GetVbsPath()
    ' Returns the folder that holds the running script, without a trailing "\".
    Dim t_ScriptFile
    Set t_ScriptFile = m_fso.GetFile(Wscript.ScriptFullName)
    GetVbsPath = FormatPath( t_ScriptFile.ParentFolder.Path )
End Function
'==============================================================================================================================
'获取桌面 目录
Public Function GetDesktopPath()
    ' Returns the current user's Desktop folder as reported by WScript.Shell.
    Dim t_Shell
    Set t_Shell = WScript.CreateObject("WScript.Shell")
    GetDesktopPath = t_Shell.SpecialFolders("Desktop")
End Function
'==============================================================================================================================
'vbs 获取命令行参数
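Public Function GetCmdLineOldStr( ByVal I_Old )
    ' Returns command-line argument number I_Old (1-based), or "" when the script
    ' was started with fewer arguments.
    ' The working variables are declared locally; the original assigned them
    ' without Dim, which silently created script-level globals.
    Dim t_Args
    Dim t_Index
    GetCmdLineOldStr = ""
    Set t_Args = WScript.Arguments
    For t_Index = 0 To t_Args.Count - 1
        If I_Old = ( t_Index + 1 ) Then
            GetCmdLineOldStr = t_Args(t_Index)
            Exit For
        End If
    Next
End Function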
'==============================================================================================================================
'文件追加写入
Public Sub MyAddFileStr( ByVal I_EsiFileName , ByVal I_SaveData )
    ' Appends I_SaveData as one line to the text file I_EsiFileName, creating the
    ' file when it does not exist. An empty I_SaveData only creates/opens the file.
    '
    ' NOTE(review): "On Error Resume Next" makes this best-effort. If the file cannot
    ' be opened or a line cannot be written, the failure is swallowed and the caller
    ' gets an incomplete list with no indication - confirm that this is intended.
    Const FOR_APPENDING = 8
    On Error Resume Next
    Dim t_Out
    If Not m_fso.FileExists( I_EsiFileName ) Then
        ' second argument: overwrite flag
        Set t_Out = m_fso.CreateTextFile ( I_EsiFileName , 2)
    Else
        ' third argument: create the file if it is missing
        Set t_Out = m_fso.OpenTextFile( I_EsiFileName , FOR_APPENDING , 1 )
    End If
    If "" <> I_SaveData Then
        t_Out.WriteLine I_SaveData
    End If
    t_Out.close
End Sub
'==============================================================================================================================
'计算出RVA 在 I_FileData 中的位置
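Public Function GetRvaInPESectionHeader( ByVal I_FileData , ByVal I_FileData_Len , _
                                         ByVal I_PESectionHeader , ByVal I_NumberOfSections , _
                                         ByVal I_FileAlignment , ByVal I_Rva )
    ' Translates an RVA into a 1-based position inside the hex string I_FileData.
    '
    ' I_PESectionHeader  : file offset (in bytes) of the section table
    ' I_NumberOfSections : number of 40-byte section headers to scan
    ' I_FileAlignment    : accepted for interface compatibility; not used
    ' I_Rva              : the RVA to translate
    '
    ' Returns 0 when no section with raw data contains the RVA, or when the
    ' matching section's raw data would extend past the end of the file.
    '
    ' All fields come from an untrusted file. CLng("&H........") is signed, so a
    ' field with the top bit set arrives negative; such sections are skipped,
    ' because a negative offset would otherwise pass the range checks and reach Mid().
    Dim t_VirtualAddress     ' RVA of the section
    Dim t_PointerToRawData   ' file offset of the section's raw data
    Dim t_SizeOfRawData      ' size of the section's raw data in the file
    Dim t_Entry              ' byte offset of the current section header
    Dim i

    GetRvaInPESectionHeader = 0
    If I_Rva < 0 Then Exit Function

    For i = 1 To I_NumberOfSections
        t_Entry = I_PESectionHeader + ( i - 1 ) * 40
        ' Stop if the header would lie outside the data (callers are expected to
        ' have checked this already; repeated here so the reads cannot overrun)
        If ( t_Entry + 40 ) * 2 > I_FileData_Len Then Exit Function

        t_VirtualAddress   = Clng( "&H" & H2H( mid( I_FileData , ( t_Entry + 12 ) * 2 + 1 , 8 )))
        t_SizeOfRawData    = Clng( "&H" & H2H( mid( I_FileData , ( t_Entry + 16 ) * 2 + 1 , 8 )))
        t_PointerToRawData = Clng( "&H" & H2H( mid( I_FileData , ( t_Entry + 20 ) * 2 + 1 , 8 )))

        If ( t_SizeOfRawData > 0 ) And ( t_VirtualAddress >= 0 ) And ( t_PointerToRawData >= 0 ) Then
            ' The section is matched on its raw size as stored; no rounding to the
            ' file alignment is applied (the original left that step disabled).
            If ( ( t_VirtualAddress + t_SizeOfRawData ) > I_Rva ) And ( I_Rva >= t_VirtualAddress ) Then
                If ( t_PointerToRawData + t_SizeOfRawData ) * 2 > I_FileData_Len Then
                    Exit Function
                End If
                ' bytes -> hex characters, then 1-based for Mid()
                GetRvaInPESectionHeader = ( I_Rva - t_VirtualAddress + t_PointerToRawData ) * 2 + 1
                Exit Function
            End If
        End If
    Next
End Function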
'==============================================================================================================================
'简单判断 pe 格式
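Public Function IsPEFile_InHexStr( ByVal I_FileData , ByVal I_FileData_Len )
    ' Quick PE sanity check on a file given as a hex string (two characters per byte).
    ' Returns 1 when the data starts with "MZ" and the offset stored at byte 0x3C
    ' points at a "PE\0\0" signature inside the data; returns 0 otherwise.
    '
    ' This only validates the two signatures. It says nothing about whether the rest
    ' of the headers are well formed, so callers must still range-check every field.
    Dim t_PeHOffset   ' 1-based hex-string position of the PE signature

    IsPEFile_InHexStr = 0
    If "5A4D" <> ucase( H2H( mid( I_FileData , 1 , 4 ))) Then
        Exit Function
    End If
    If 128 >= I_FileData_Len Then
        Exit Function
    End If
    t_PeHOffset = Clng( "&H" & H2H( mid( I_FileData , 121 , 8 ))) * 2 + 1
    ' CLng is signed: an offset with the top bit set comes back negative, would pass
    ' the upper-bound test below and then make Mid() fail with a runtime error.
    If t_PeHOffset < 1 Then
        Exit Function
    End If
    If ( t_PeHOffset + 8 ) >= I_FileData_Len Then
        Exit Function
    End If
    If "00004550" <> H2H( mid( I_FileData , t_PeHOffset , 8 )) Then
        Exit Function
    End If
    IsPEFile_InHexStr = 1
End Function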
'==============================================================================================================================
'十六进制字符串反序
Public Function H2H( ByVal Hex )
    ' Reverses the byte order of a hex string holding 2 bytes (4 characters) or
    ' 4 bytes (8 characters), turning little-endian file bytes into a readable
    ' big-endian number. Any other length yields "".
    Select Case Len( Hex )
        Case 4
            H2H = Mid( Hex , 3 , 2 ) & Mid( Hex , 1 , 2 )
        Case 8
            H2H = Mid( Hex , 7 , 2 ) & Mid( Hex , 5 , 2 ) & Mid( Hex , 3 , 2 ) & Mid( Hex , 1 , 2 )
        Case Else
            H2H = ""
    End Select
End Function
'==============================================================================================================================
'读二进制文件按字节数据转换成十六进制字符串显示
Function ReadBinary(FileName)
    ' Loads a file and returns its bytes as one hex string (two characters per byte),
    ' using an ADODB.Stream for the read and an XML "bin.hex" node for the conversion.
    '
    ' NOTE(review): the whole file is held in memory as a string with two characters
    ' per byte and there is no size limit here - check the file size before calling
    ' this on large or untrusted inputs.
    Const adTypeBinary = 1
    Dim t_Stream, t_Dom, t_HexNode

    ' Read the raw bytes
    Set t_Stream = CreateObject("ADODB.Stream")
    t_Stream.Type = adTypeBinary
    t_Stream.Open
    t_Stream.LoadFromFile FileName

    ' Let the XML DOM render them as hex text
    Set t_Dom = CreateObject("Microsoft.XMLDOM")
    Set t_HexNode = t_Dom.CreateElement("binary")
    t_HexNode.DataType = "bin.hex"
    t_HexNode.NodeTypedValue = t_Stream.Read
    t_Stream.Close
    Set t_Stream = Nothing

    ReadBinary = t_HexNode.Text
    Set t_HexNode = Nothing
    Set t_Dom = Nothing
End Function
'==============================================================================================================================
'写二进制文件按字节数据转换成十六进制字符串显示
Sub WriteBinary(FileName, Buf)
    ' Writes the bytes described by the hex string Buf (two characters per byte) to
    ' FileName, replacing an existing file. The XML "bin.hex" node converts the text
    ' to bytes and an ADODB.Stream saves them.
    Const adTypeBinary = 1
    Const adSaveCreateOverWrite = 2
    Dim t_Stream, t_Dom, t_HexNode

    ' Hex text -> byte array
    Set t_Dom = CreateObject("Microsoft.XMLDOM")
    Set t_HexNode = t_Dom.CreateElement("binary")
    t_HexNode.DataType = "bin.hex"
    t_HexNode.Text = Buf

    ' Byte array -> file
    Set t_Stream = CreateObject("ADODB.Stream")
    t_Stream.Type = adTypeBinary
    t_Stream.Open
    t_Stream.write t_HexNode.NodeTypedValue
    t_Stream.saveToFile FileName, adSaveCreateOverWrite
    t_Stream.Close

    Set t_Stream = Nothing
    Set t_HexNode = Nothing
    Set t_Dom = Nothing
End Sub
'==============================================================================================================================