www.pudn.com > BAV.v2.rar > ParsePE.cpp, change:2005-08-21,size:3663b
#include "StdAfx.h"
#include "MemFileObject.h"
#include ".\ParsePE.h"
CParsePE::CParsePE(void)
{
}
CParsePE::~CParsePE(void)
{
}
bool CParsePE::BasicParse(IN CMemFileObject* pScanObj, OUT FSPE* pFSPE)
{
if(!pScanObj->IsOpened())
return false;
DWORD dwObjSize = pScanObj->GetObjectSize();
//Check size
if( dwObjSize sizeof(PIMAGE_DOS_HEADER) ) return FALSE;
pFSPE->m_pImageDosHeader = (PIMAGE_DOS_HEADER)pScanObj->GetBuffer();
//check "MZ" signature
if( IMAGE_DOS_SIGNATURE != pFSPE->m_pImageDosHeader->e_magic )
{
pFSPE->m_bMZFile = false;
return false;
}
pFSPE->m_bMZFile = true;
if(pFSPE->m_pImageDosHeader->e_lfanew+sizeof(IMAGE_NT_SIGNATURE)>dwObjSize)
{
pFSPE->m_bPEFile = false;
return true;
}
pFSPE->m_pNtHeaders = (PIMAGE_NT_HEADERS)(pFSPE->m_pImageDosHeader->e_lfanew + pScanObj->GetBuffer());
//check "PE" signature
if( IMAGE_NT_SIGNATURE != pFSPE->m_pNtHeaders->Signature)
{
pFSPE->m_bPEFile = false;
return true;
}
pFSPE->m_bPEFile = true;
pFSPE->m_pFileHeader = &pFSPE->m_pNtHeaders->FileHeader;
pFSPE->m_pOptionalHeader = &pFSPE->m_pNtHeaders->OptionalHeader;
//SECTIONS
PIMAGE_SECTION_HEADER pSectionHeader = (PIMAGE_SECTION_HEADER)(pFSPE->m_pOptionalHeader + 1);
pFSPE->m_nSectionCount = pFSPE->m_pFileHeader->NumberOfSections;
ASSERT( pFSPE->m_nSectionCount MAX_SECTIONS );
for(int i=0; i<pFSPE->m_nSectionCount; i++)
{
pFSPE->m_aSectionHeaders[i] = pSectionHeader;
pSectionHeader++;
}
// Entry point
pFSPE->m_pEntryPoint = AddrM2F(pFSPE, (LPVOID)pFSPE->m_pOptionalHeader->AddressOfEntryPoint) + pScanObj->GetBuffer();
if( pFSPE->m_pEntryPoint > (dwObjSize + pScanObj->GetBuffer()) )
return false;
//IMPORT TABLE
PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)(AddrM2F(pFSPE, (LPVOID)pFSPE->m_pOptionalHeader->DataDirectory[1].VirtualAddress) + pScanObj->GetBuffer());
if( (LPBYTE)pImportDescriptor > (dwObjSize + pScanObj->GetBuffer()) )
return false;
for(i=0; pImportDescriptor&&pImportDescriptor->Characteristics; i++,pImportDescriptor++)
{
ASSERT( i<MAX_IMPORTS );
pFSPE->m_aImportDescriptors[i] = pImportDescriptor;
}
pFSPE->m_nImportCount = i;
//EXPORT TABLE
if(pFSPE->m_pOptionalHeader->DataDirectory[0].VirtualAddress)
pFSPE->m_pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)(AddrM2F(pFSPE, (LPVOID)pFSPE->m_pOptionalHeader->DataDirectory[0].VirtualAddress) + pScanObj->GetBuffer());
if( (LPBYTE)pFSPE->m_pExportDirectory > (dwObjSize + pScanObj->GetBuffer()) )
return false;
//RESOURCE
if(pFSPE->m_pOptionalHeader->DataDirectory[2].VirtualAddress)
pFSPE->m_pResourceDirectory = (PIMAGE_RESOURCE_DIRECTORY)(AddrM2F(pFSPE, (LPVOID)pFSPE->m_pOptionalHeader->DataDirectory[2].VirtualAddress) + pScanObj->GetBuffer());
if( (LPBYTE)pFSPE->m_pResourceDirectory > (dwObjSize + pScanObj->GetBuffer()) )
return false;
return true;
}
DWORD CParsePE::AddrM2F(IN FSPE* pFSPE, IN LPVOID lpMemAddr)
{
if( lpMemAddr (LPVOID)pFSPE->m_aSectionHeaders[0]->VirtualAddress &&
lpMemAddr >= NULL)
return (DWORD)lpMemAddr;
for(INT i=0; i<pFSPE->m_nSectionCount; i++)
{
if( lpMemAddr >= LPVOID(pFSPE->m_aSectionHeaders[i]->VirtualAddress) &&
lpMemAddr = LPVOID(pFSPE->m_aSectionHeaders[i]->VirtualAddress + pFSPE->m_aSectionHeaders[i]->Misc.VirtualSize) )
{
DWORD dwOffset = DWORD( (LPBYTE)lpMemAddr - (LPBYTE)pFSPE->m_aSectionHeaders[i]->VirtualAddress );
if( dwOffset<pFSPE->m_aSectionHeaders[i]->SizeOfRawData )
return pFSPE->m_aSectionHeaders[i]->PointerToRawData + dwOffset;
}
}
return 0;
}