

// oep.cpp: example that reads the OEP (original entry point) of a PE file.
//
#include <windows.h>
#include <stdio.h>

// Forward declarations: both helpers are defined after main().
// Each takes the ANSI path of a PE file, prints its entry-point value, and
// returns TRUE on success or FALSE on failure.
BOOL ReadOEPbyMemory(LPCSTR szFileName);   // reads the field through a file mapping
BOOL ReadOEPbyFile(LPCSTR szFileName);     // reads the field with ReadFile

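/**
 * Demo driver: reads the entry point of ..\calc.exe with both techniques,
 * then waits for a key press so the console output stays visible.
 *
 * @return 0 if both reads succeeded, 1 if either failed.
 */
int main(void)
{
    /* Both readers always run, even if the first one fails. */
    BOOL bByFile = ReadOEPbyFile("..\\calc.exe");
    BOOL bByMemory = ReadOEPbyMemory("..\\calc.exe");

    getchar();

    /* `void main()` is non-standard; report the outcome through the exit code. */
    return (bByFile && bByMemory) ? 0 : 1;
}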

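/*
 * Reads exactly cb bytes from hFile at absolute offset dwOffset into pBuf.
 * Returns FALSE on a seek error, a read error, or a short read.
 */
static BOOL ReadExactAt(HANDLE hFile, DWORD dwOffset, void *pBuf, DWORD cb)
{
    LARGE_INTEGER liPos;
    DWORD cbRead = 0;

    liPos.QuadPart = dwOffset;
    if (!SetFilePointerEx(hFile, liPos, NULL, FILE_BEGIN)) {
        return FALSE;
    }

    /*
     * Seeking past end of file succeeds, and ReadFile then reports success
     * with zero bytes read, so the byte count has to be checked as well.
     */
    return ReadFile(hFile, pBuf, cb, &cbRead, NULL) && cbRead == cb;
}

/**
 * Reads the AddressOfEntryPoint field (the OEP, stored as an RVA) of a PE
 * file with plain file reads and prints it in decimal.
 *
 * The file is treated as untrusted input: the DOS and PE signatures are
 * checked, e_lfanew is rejected when negative, and every read must return
 * the full number of bytes requested. A truncated or malformed file is
 * therefore rejected instead of printing an uninitialized value.
 *
 * @param szFileName  ANSI path of the file to inspect.
 * @return TRUE if the entry point was read and printed, FALSE otherwise.
 */
BOOL ReadOEPbyFile(LPCSTR szFileName)
{
    /*
     * Offset of AddressOfEntryPoint from the start of the PE signature:
     * 4 (signature) + 20 (file header) + 16 (into the optional header) = 40.
     * The field sits at the same offset in PE32 and PE32+ images.
     */
    const DWORD cbEntryOffset =
        (DWORD)FIELD_OFFSET(IMAGE_NT_HEADERS32, OptionalHeader) +
        (DWORD)FIELD_OFFSET(IMAGE_OPTIONAL_HEADER32, AddressOfEntryPoint);
    HANDLE hFile;
    IMAGE_DOS_HEADER dos_head;   /* a single header, not an array of them */
    DWORD dwSignature = 0;
    DWORD dwOEP = 0;
    DWORD dwPeOffset;
    BOOL bResult = FALSE;

    /* CreateFileA matches the LPCSTR parameter even when UNICODE is defined. */
    hFile = CreateFileA(szFileName, GENERIC_READ, FILE_SHARE_READ, NULL,
                        OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        printf("can't open file.\n");
        return FALSE;
    }

    if (!ReadExactAt(hFile, 0, &dos_head, (DWORD)sizeof(dos_head))) {
        printf("read image_dos_header failed.\n");
    } else if (dos_head.e_magic != IMAGE_DOS_SIGNATURE || dos_head.e_lfanew < 0) {
        /* e_lfanew is a signed LONG taken from the file; never seek on a negative value. */
        printf("not a valid PE file.\n");
    } else {
        /* Non-negative LONG plus 40 cannot wrap a DWORD. */
        dwPeOffset = (DWORD)dos_head.e_lfanew;

        if (!ReadExactAt(hFile, dwPeOffset, &dwSignature, (DWORD)sizeof(dwSignature)) ||
            dwSignature != IMAGE_NT_SIGNATURE) {
            printf("not a valid PE file.\n");
        } else if (!ReadExactAt(hFile, dwPeOffset + cbEntryOffset,
                                &dwOEP, (DWORD)sizeof(dwOEP))) {
            printf("read OEP failed.\n");
        } else {
            /* DWORD is unsigned long on Windows, hence %lu. */
            printf("OEP by file:%lu\n", (unsigned long)dwOEP);
            bResult = TRUE;
        }
    }

    CloseHandle(hFile);
    return bResult;
}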

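/**
 * Reads the AddressOfEntryPoint field (the OEP, stored as an RVA) of a PE
 * file through a read-only file mapping and prints it in decimal.
 *
 * The file is treated as untrusted input: e_lfanew comes straight from the
 * file, so it is bounds-checked against the real file size before any
 * pointer derived from it is dereferenced. Without that check a crafted or
 * truncated file makes the code read outside the mapped view.
 *
 * @param szFileName  ANSI path of the file to inspect.
 * @return TRUE if the entry point was read and printed, FALSE otherwise.
 */
BOOL ReadOEPbyMemory(LPCSTR szFileName)
{
    /*
     * Offset of AddressOfEntryPoint from the start of the PE signature:
     * 4 (signature) + 20 (file header) + 16 (into the optional header) = 40.
     * The field sits at the same offset in PE32 and PE32+ images, so no
     * assumption about the optional-header size or section count is needed.
     */
    const DWORD cbEntryOffset =
        (DWORD)FIELD_OFFSET(IMAGE_NT_HEADERS32, OptionalHeader) +
        (DWORD)FIELD_OFFSET(IMAGE_OPTIONAL_HEADER32, AddressOfEntryPoint);
    HANDLE hFile;
    HANDLE hMapping = NULL;
    const BYTE *pBase = NULL;
    const IMAGE_DOS_HEADER *pDos;
    LARGE_INTEGER liSize;
    ULONGLONG cbFile;
    ULONGLONG cbPeOffset;
    DWORD dwSignature = 0;
    DWORD dwOEP = 0;
    BOOL bResult = FALSE;

    /* CreateFileA matches the LPCSTR parameter even when UNICODE is defined. */
    hFile = CreateFileA(szFileName, GENERIC_READ, FILE_SHARE_READ, NULL,
                        OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        printf("can't open file.\n");
        return FALSE;
    }

    /* The file size is the only trustworthy bound for offsets read from the file. */
    if (!GetFileSizeEx(hFile, &liSize) ||
        (ULONGLONG)liSize.QuadPart < sizeof(IMAGE_DOS_HEADER)) {
        printf("not a valid PE file.\n");
        goto cleanup;
    }
    cbFile = (ULONGLONG)liSize.QuadPart;

    /* Create the read-only mapping object covering the whole file. */
    hMapping = CreateFileMappingA(hFile, NULL, PAGE_READONLY | SEC_COMMIT, 0, 0, NULL);
    if (!hMapping) {
        printf("mapping failed\n");
        goto cleanup;
    }

    /* Map the file into memory; pBase points at the DOS header. */
    pBase = (const BYTE *)MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);
    if (!pBase) {
        printf("view failed.\n");
        goto cleanup;
    }

    pDos = (const IMAGE_DOS_HEADER *)pBase;
    if (pDos->e_magic != IMAGE_DOS_SIGNATURE || pDos->e_lfanew < 0) {
        printf("not a valid PE file.\n");
        goto cleanup;
    }

    /* Signature through AddressOfEntryPoint must lie inside the file. */
    cbPeOffset = (ULONGLONG)pDos->e_lfanew;
    if (cbPeOffset + cbEntryOffset + sizeof(DWORD) > cbFile) {
        printf("not a valid PE file.\n");
        goto cleanup;
    }

    /* Copy the fields out instead of casting: e_lfanew need not be DWORD-aligned. */
    CopyMemory(&dwSignature, pBase + cbPeOffset, sizeof(dwSignature));
    if (dwSignature != IMAGE_NT_SIGNATURE) {
        printf("not a valid PE file.\n");
        goto cleanup;
    }
    CopyMemory(&dwOEP, pBase + cbPeOffset + cbEntryOffset, sizeof(dwOEP));

    /* DWORD is unsigned long on Windows, hence %lu. */
    printf("OEP by memory:%lu\n", (unsigned long)dwOEP);
    bResult = TRUE;

cleanup:
    /* Release the view, the mapping object and the file, in that order. */
    if (pBase) {
        UnmapViewOfFile(pBase);
    }
    if (hMapping) {
        CloseHandle(hMapping);
    }
    CloseHandle(hFile);
    return bResult;
}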