工程文件petype.cpp通过调用pefile类中的函数获取文件类型。
文件类型的判断通过5个监测点完成。
监测点1:dos头的e_magic
监测点2:nt头的Signature
监测点3:文件头的Characteristics
监测点4:可选头的Magic
监测点5:可选头的Subsystem
通过监测点1和2判断是否是pe文件;
通过监测点3判断文件是否是动态库文件
通过监测点4判断文件是 PE32、PE32+ 还是 ROM 映像
通过监测点5判断文件是否是0环可执行文件[驱动文件],还是3环可执行文件[exe文件]
具体代码参见下面:
pefile.h
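#ifndef PE_FILE_H
#define PE_FILE_H
#include "windows.h"

/*
 * pefile.h - minimal PE header layouts plus the probe macros XPEFILE uses to
 * classify a file (MZ / PE signatures and the optional-header Magic).
 *
 * The probe macros expand in terms of the XPEFILE members File_memory (the
 * in-memory copy of the file) and File_size (its length in bytes), so they
 * are only meaningful inside XPEFILE member functions.  Every offset they
 * dereference is taken from the file itself (most notably e_lfanew at 0x3c),
 * so each probe first checks that the bytes it is about to read lie inside
 * the File_size-byte image.  A truncated or crafted file therefore makes the
 * probe evaluate to false instead of reading past the end of the buffer.
 */

/* True when the byte range [off, off + len) lies inside the image.
   The unsigned comparisons are only performed once File_size is known to be
   positive, and the subtraction cannot underflow because off <= File_size has
   already been established. */
#define X_IN_IMAGE(off, len) \
    (File_size > 0 && (DWORD)(off) <= (DWORD)File_size && \
     (DWORD)(len) <= (DWORD)File_size - (DWORD)(off))

/* e_lfanew: file offset of the NT headers, read from the DOS header.
   Dereference only after X_NT_OFFSET_OK. */
#define X_NT_OFFSET    (*(DWORD*)((BYTE*)File_memory + 0x3c))
#define X_NT_OFFSET_OK X_IN_IMAGE(0x3c, sizeof(DWORD))

/* Offset of OptionalHeader.Magic relative to the NT headers:
   the DWORD Signature followed by the file header. */
#define X_OPT_MAGIC_REL (sizeof(DWORD) + sizeof(MX_IMAGE_FILE_HEADER))

/* True when e_lfanew and the whole span from the NT headers up to and
   including OptionalHeader.Magic are inside the image.  Checking the span
   from X_NT_OFFSET (instead of a pre-summed offset) keeps every sum below
   File_size, so the offset arithmetic cannot wrap. */
#define X_OPT_MAGIC_OK \
    (X_NT_OFFSET_OK && X_IN_IMAGE(X_NT_OFFSET, X_OPT_MAGIC_REL + sizeof(WORD)))

/* OptionalHeader.Magic; dereference only after X_OPT_MAGIC_OK. */
#define X_OPT_MAGIC \
    (*(WORD*)((BYTE*)File_memory + X_NT_OFFSET + X_OPT_MAGIC_REL))

/* Check point 1: DOS header e_magic == "MZ" (little-endian 0x5a4d). */
#define ISMZHEADER \
    (X_IN_IMAGE(0, sizeof(WORD)) && *(WORD*)File_memory == 0x5a4d)
/* Check point 2: first two bytes of the NT Signature == "PE". */
#define ISPEHEADER \
    (X_NT_OFFSET_OK && X_IN_IMAGE(X_NT_OFFSET, sizeof(WORD)) && \
     *(WORD*)((BYTE*)File_memory + X_NT_OFFSET) == 0x4550)
/* Check point 4: optional-header Magic selects PE32 / PE32+ / ROM image. */
#define ISPE32MAGIC  (X_OPT_MAGIC_OK && X_OPT_MAGIC == 0x10b)
#define ISPE64MAGIC  (X_OPT_MAGIC_OK && X_OPT_MAGIC == 0x20b)
#define ISPEROMMAGIC (X_OPT_MAGIC_OK && X_OPT_MAGIC == 0x107)


/* Bit widths of the two PE flavours. */
#define X_PE_32 32
#define X_PE_64 64

/* File-classification flags (the File_type bits).  READ_ERRO is the all-zero
   value (by its name, a file that could not be read); PE_FILE / NOT_PE_FILE
   record check points 1+2, PE64_FILE / PE32_FILE / ROM_IMAGE check point 4,
   and EXE_FILE / DLL_FILE / SYS_FILE / OTHER_FILE check points 3 and 5. */
#define READ_ERRO 0x0
#define NOT_PE_FILE 0x200
#define PE_FILE 0x100
#define PE64_FILE 0x40
#define PE32_FILE 0x20
#define ROM_IMAGE 0x10
#define EXE_FILE 0x8
#define DLL_FILE 0x4
#define SYS_FILE 0x2
#define OTHER_FILE 0x1


/* Indices into OptionalHeader.DataDirectory[], in PE-specification order.
   (Same value as the windows.h IMAGE_NUMBEROF_DIRECTORY_ENTRIES, so the
   redefinition is identical and legal.  X_RESOURSE and X_BAND_IMPORT keep
   their historical spelling: resource table and bound-import table.) */
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
#define X_EXPORT 0
#define X_IMPORT 1
#define X_RESOURSE 2
#define X_EXCEPTION 3
#define X_CERTIFICATE 4
#define X_BASE_RELOCATION 5
#define X_DEBUG 6
#define X_ARCHITECTURE 7
#define X_GLOBAL_PTR 8
#define X_TLS 9
#define X_LOAD_CONFIG 10
#define X_BAND_IMPORT 11
#define X_IAT 12
#define X_DELAY_IMPORT 13
#define X_COM_HEADER 14
#define X_RESERVED 15

/* DOS .EXE header (64 bytes).  Only e_magic and e_lfanew are consulted. */
typedef struct X_IMAGE_DOS_HEADER {
    WORD e_magic;        // Magic number
    WORD e_cblp;         // Bytes on last page of file
    WORD e_cp;           // Pages in file
    WORD e_crlc;         // Relocations
    WORD e_cparhdr;      // Size of header in paragraphs
    WORD e_minalloc;     // Minimum extra paragraphs needed
    WORD e_maxalloc;     // Maximum extra paragraphs needed
    WORD e_ss;           // Initial (relative) SS value
    WORD e_sp;           // Initial SP value
    WORD e_csum;         // Checksum
    WORD e_ip;           // Initial IP value
    WORD e_cs;           // Initial (relative) CS value
    WORD e_lfarlc;       // File address of relocation table
    WORD e_ovno;         // Overlay number
    WORD e_res[4];       // Reserved words
    WORD e_oemid;        // OEM identifier (for e_oeminfo)
    WORD e_oeminfo;      // OEM information; e_oemid specific
    WORD e_res2[10];     // Reserved words
    LONG e_lfanew;       // File address of new exe header (untrusted; see X_NT_OFFSET_OK)
} MX_IMAGE_DOS_HEADER;

/* COFF file header (20 bytes); Characteristics is check point 3. */
typedef struct X_IMAGE_FILE_HEADER {
    WORD Machine;
    WORD NumberOfSections;
    DWORD TimeDateStamp;
    DWORD PointerToSymbolTable;
    DWORD NumberOfSymbols;
    WORD SizeOfOptionalHeader;
    WORD Characteristics;
} MX_IMAGE_FILE_HEADER;

/* One data-directory entry: RVA and size. */
typedef struct X_IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress;
    DWORD Size;
} MX_IMAGE_DATA_DIRECTORY;

/* PE32 optional header (Magic == 0x10b); Subsystem is check point 5. */
typedef struct X_IMAGE_OPTIONAL_HEADER32 {
    WORD Magic;
    BYTE MajorLinkerVersion;
    BYTE MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;
    DWORD BaseOfCode;
    DWORD BaseOfData;
    DWORD ImageBase;
    DWORD SectionAlignment;
    DWORD FileAlignment;
    WORD MajorOperatingSystemVersion;
    WORD MinorOperatingSystemVersion;
    WORD MajorImageVersion;
    WORD MinorImageVersion;
    WORD MajorSubsystemVersion;
    WORD MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;
    DWORD SizeOfHeaders;
    DWORD CheckSum;
    WORD Subsystem;
    WORD DllCharacteristics;
    DWORD SizeOfStackReserve;
    DWORD SizeOfStackCommit;
    DWORD SizeOfHeapReserve;
    DWORD SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;
    MX_IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} MX_IMAGE_OPTIONAL_HEADER32;


/* PE32+ optional header (Magic == 0x20b): no BaseOfData, 64-bit ImageBase
   and stack/heap sizes.  Subsystem is check point 5. */
typedef struct X_IMAGE_OPTIONAL_HEADER64 {
    WORD Magic;
    BYTE MajorLinkerVersion;
    BYTE MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;
    DWORD BaseOfCode;
    ULONGLONG ImageBase;
    DWORD SectionAlignment;
    DWORD FileAlignment;
    WORD MajorOperatingSystemVersion;
    WORD MinorOperatingSystemVersion;
    WORD MajorImageVersion;
    WORD MinorImageVersion;
    WORD MajorSubsystemVersion;
    WORD MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;
    DWORD SizeOfHeaders;
    DWORD CheckSum;
    WORD Subsystem;
    WORD DllCharacteristics;
    ULONGLONG SizeOfStackReserve;
    ULONGLONG SizeOfStackCommit;
    ULONGLONG SizeOfHeapReserve;
    ULONGLONG SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;
    /* Project typedef, as in the PE32 header above (previously the windows.h
       IMAGE_DATA_DIRECTORY; both are two DWORDs, so the layout is unchanged). */
    MX_IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} MX_IMAGE_OPTIONAL_HEADER64;

/* NT headers for PE32 images; Signature is check point 2. */
typedef struct X_IMAGE_NT_HEADERS32 {
    DWORD Signature;
    MX_IMAGE_FILE_HEADER FileHeader;
    MX_IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} MX_IMAGE_NT_HEADERS32;

/* NT headers for PE32+ images; Signature is check point 2. */
typedef struct X_IMAGE_NT_HEADERS64 {
    DWORD Signature;
    MX_IMAGE_FILE_HEADER FileHeader;
    MX_IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} MX_IMAGE_NT_HEADERS64;

/* Loads the file named by lpFileName into File_memory and classifies it.
   GetType() returns the classification flags (READ_ERRO ... OTHER_FILE
   above); GetSize() presumably returns File_size.  Implemented in the
   corresponding .cpp file. */
class XPEFILE
{
public:
    XPEFILE(char* lpFileName);
    virtual ~XPEFILE();
    int GetType();
    int GetSize();
private:
    void* File_memory;   // in-memory copy of the file; base for the probe macros
    int File_size;       // length of File_memory in bytes; bound for the probe macros
    int File_type;       // classification flags
};

#endif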