

// oep.cpp:读取OEP的实例. 
// 
#include <windows.h>
#include <stdio.h>
 
// Forward declarations for the two entry-point readers defined below.
// Each takes the path of an executable, prints the entry-point value it
// finds, and returns TRUE on success or FALSE on failure.
BOOL ReadOEPbyMemory(LPCSTR szFileName);   // reads the value through a file mapping
BOOL ReadOEPbyFile(LPCSTR szFileName);     // reads the value with ReadFile/SetFilePointer
 
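// Demo driver: reads the entry point of ..\calc.exe with both methods, then
// waits for a key press so the console output stays visible.
// Returns 0 when both readers succeed and 1 otherwise, so a calling script
// can detect a failure (the original 'void main' discarded both results and
// is not a standard signature).
int main()
{
	const BOOL bFile = ReadOEPbyFile("..\\calc.exe");
	const BOOL bMemory = ReadOEPbyMemory("..\\calc.exe");

	getchar();
	return (bFile && bMemory) ? 0 : 1;
}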
 
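// Reads the entry-point value (IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint)
// from a PE file using plain file I/O and prints it.
//
// The value is an RVA (relative to the image base), not a file offset.
//
// Every header field is treated as untrusted: the DOS magic, the range of
// e_lfanew and the "PE\0\0" signature are checked before the entry-point
// field is read, and short reads are rejected. A malformed or truncated file
// therefore yields FALSE instead of an arbitrary value.
//
// szFileName: path of the file to inspect.
// Returns TRUE if the value was read and printed, FALSE otherwise.
BOOL ReadOEPbyFile(LPCSTR szFileName)
{
	// Offset of AddressOfEntryPoint from the start of the NT headers:
	// 4-byte signature + 20-byte file header + 16 bytes into the optional
	// header (40 in total). The field sits at the same offset in PE32 and
	// PE32+ images.
	const LONG kEntryFieldOffset =
		FIELD_OFFSET(IMAGE_NT_HEADERS32, OptionalHeader.AddressOfEntryPoint);

	HANDLE hFile;
	IMAGE_DOS_HEADER dos_head;   // one header; the original declared an array of sizeof(header) of them
	DWORD dwSignature = 0;
	DWORD dwOEP = 0;
	DWORD cbRead = 0;
	BOOL bOk = FALSE;

	// Open the file for sequential, shared reading.
	hFile = CreateFile(szFileName, GENERIC_READ,
		FILE_SHARE_READ, 0, OPEN_EXISTING,
		FILE_FLAG_SEQUENTIAL_SCAN, 0);
	if (hFile == INVALID_HANDLE_VALUE)
	{
		printf("can't open file.\n");
		return FALSE;
	}

	// ReadFile can succeed with fewer bytes than requested (for example on a
	// file shorter than a DOS header), so the byte count is checked as well.
	if (!ReadFile(hFile, &dos_head, sizeof(dos_head), &cbRead, NULL) ||
		cbRead != sizeof(dos_head))
	{
		printf("read image_dos_header failed.\n");
		goto cleanup;
	}

	if (dos_head.e_magic != IMAGE_DOS_SIGNATURE)
	{
		printf("not an MZ executable.\n");
		goto cleanup;
	}

	// e_lfanew is a signed value taken from the file: reject negative
	// offsets and values that would overflow when the field offset is added.
	if (dos_head.e_lfanew < 0 ||
		dos_head.e_lfanew > MAXLONG - kEntryFieldOffset)
	{
		printf("invalid e_lfanew.\n");
		goto cleanup;
	}

	// Confirm that e_lfanew really points at NT headers.
	if (SetFilePointer(hFile, dos_head.e_lfanew, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER ||
		!ReadFile(hFile, &dwSignature, sizeof(dwSignature), &cbRead, NULL) ||
		cbRead != sizeof(dwSignature) ||
		dwSignature != IMAGE_NT_SIGNATURE)
	{
		printf("PE signature not found.\n");
		goto cleanup;
	}

	// Read the entry-point field itself.
	if (SetFilePointer(hFile, dos_head.e_lfanew + kEntryFieldOffset, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER ||
		!ReadFile(hFile, &dwOEP, sizeof(dwOEP), &cbRead, NULL) ||
		cbRead != sizeof(dwOEP))
	{
		printf("read OEP failed.\n");
		goto cleanup;
	}

	bOk = TRUE;

cleanup:
	// Single exit path so the handle is closed exactly once.
	CloseHandle(hFile);

	// DWORD is unsigned long, so %lu is the matching conversion; %d printed
	// large RVAs as negative numbers.
	if (bOk)
		printf("OEP by file:%lu\n", dwOEP);
	return bOk;
}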
 
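// Reads the entry-point value (IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint)
// from a PE file through a read-only file mapping and prints it.
//
// The value is an RVA (relative to the image base), not a file offset.
//
// The mapped view is exactly as large as the file, so every offset taken
// from the headers is bounds-checked against the file size before it is
// dereferenced. Without these checks a short or malformed file makes the
// code read outside the view (access violation) or report unrelated bytes
// as the entry point.
//
// szFileName: path of the file to inspect.
// Returns TRUE if the value was read and printed, FALSE otherwise.
BOOL ReadOEPbyMemory(LPCSTR szFileName)
{
	// Offset of AddressOfEntryPoint from the start of the NT headers
	// (signature + file header + 16 bytes of optional header = 40). The
	// field sits at the same offset in PE32 and PE32+ images, so no
	// bitness-specific header struct is needed.
	const LONG kEntryFieldOffset =
		FIELD_OFFSET(IMAGE_NT_HEADERS32, OptionalHeader.AddressOfEntryPoint);

	HANDLE hFile;
	HANDLE hMapping = NULL;
	void *basepointer = NULL;
	const IMAGE_DOS_HEADER *dos_head;
	const BYTE *pNtHeaders;
	LARGE_INTEGER fileSize;
	DWORD dwSignature = 0;
	DWORD dwOEP = 0;
	BOOL bOk = FALSE;

	// Open the file for shared reading.
	hFile = CreateFile(szFileName, GENERIC_READ,
		FILE_SHARE_READ, 0, OPEN_EXISTING,
		FILE_FLAG_SEQUENTIAL_SCAN, 0);
	if (hFile == INVALID_HANDLE_VALUE)
	{
		printf("can't open file.\n");
		return FALSE;
	}

	// The file size is the upper bound for every later access to the view.
	if (!GetFileSizeEx(hFile, &fileSize) ||
		fileSize.QuadPart < (LONGLONG)sizeof(IMAGE_DOS_HEADER))
	{
		printf("file too small for a DOS header.\n");
		goto cleanup;
	}

	// Create a read-only mapping object covering the whole file.
	hMapping = CreateFileMapping(hFile, 0, PAGE_READONLY | SEC_COMMIT, 0, 0, 0);
	if (!hMapping)
	{
		printf("mapping failed\n");
		goto cleanup;
	}

	// Map the whole file; basepointer is the address of file offset 0.
	basepointer = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);
	if (!basepointer)
	{
		printf("view failed.\n");
		goto cleanup;
	}

	dos_head = (const IMAGE_DOS_HEADER *)basepointer;
	if (dos_head->e_magic != IMAGE_DOS_SIGNATURE)
	{
		printf("not an MZ executable.\n");
		goto cleanup;
	}

	// e_lfanew comes from the file: it must be non-negative and leave room
	// for everything up to and including the 4-byte entry-point field.
	// fileSize is at least sizeof(IMAGE_DOS_HEADER) here, so the
	// subtraction cannot go negative.
	if (dos_head->e_lfanew < 0 ||
		(LONGLONG)dos_head->e_lfanew >
			fileSize.QuadPart - (LONGLONG)(kEntryFieldOffset + sizeof(DWORD)))
	{
		printf("invalid e_lfanew.\n");
		goto cleanup;
	}

	// Locate the NT headers. Fields are copied out rather than read through
	// a struct pointer because e_lfanew need not be suitably aligned.
	pNtHeaders = (const BYTE *)basepointer + dos_head->e_lfanew;
	CopyMemory(&dwSignature, pNtHeaders, sizeof(dwSignature));
	if (dwSignature != IMAGE_NT_SIGNATURE)
	{
		printf("PE signature not found.\n");
		goto cleanup;
	}

	// Fetch the entry-point RVA.
	CopyMemory(&dwOEP, pNtHeaders + kEntryFieldOffset, sizeof(dwOEP));
	bOk = TRUE;

cleanup:
	// Release resources in reverse order of acquisition.
	if (basepointer)
		UnmapViewOfFile(basepointer);
	if (hMapping)
		CloseHandle(hMapping);
	CloseHandle(hFile);

	// DWORD is unsigned long, so %lu is the matching conversion; %d printed
	// large RVAs as negative numbers.
	if (bOk)
		printf("OEP by memory:%lu\n", dwOEP);
	return bOk;
}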