//Robin PE Tool version 1.02 //Coded by Robinh00d //Display the data structures of PE file //Date:2005-12-20 #include #include #pragma comment(lib,"kernel32.lib") //variable definition HANDLE hFile ; HANDLE hMapping ; LPVOID lpMapping ; USHORT sNumOfSections ; DWORD dwImportTableVA ; DWORD dwImportTableVS ; DWORD dwExportDirectoryVA ; DWORD dwExportDirectoryVS ; char *cFunNameTable ; DWORD *vFunNameTable ; DWORD dwFunNameTable ; DWORD dwFunIndexTable ; DWORD dwFunAddrTable ; WORD *wFunIndexTable ; DWORD *vFunAddrTable ; PIMAGE_DOS_HEADER pImageDosHeader ; PIMAGE_NT_HEADERS pImageNtHeaders ; PIMAGE_FILE_HEADER pImageFileHeader ; PIMAGE_OPTIONAL_HEADER pImageOptionalHeader ; PIMAGE_DATA_DIRECTORY pImageDataDirectory ; PIMAGE_SECTION_HEADER pImageSectionHeader ; PIMAGE_SECTION_HEADER pSection ; PIMAGE_SECTION_HEADER pCurSection ; PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor ; PIMAGE_THUNK_DATA pImageThunkData ; PIMAGE_IMPORT_BY_NAME pImageImportByName ; PIMAGE_EXPORT_DIRECTORY pImageExportDirectory ; int PrtInfo() { printf("#-----------------------------------------#\n") ; printf("#Robin PE Viewer v1.02\n") ; printf("#Author:Robinh00d[ADH-CN]\n") ; printf("#Email:robinh00d_at_163_dot_com\n") ; printf("#Web:http://cr4zyexpl0rer.googlepages.com\n") ; printf("#Blog:http://hi.baidu.com/robinh00d\n") ; printf("#-----------------------------------------#\n") ; return 0 ; } //RVA????? 
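// Size in bytes of the mapped file. Every offset or RVA taken from the file is
// checked against it before the corresponding bytes are read: the file is
// untrusted input and any of its fields may point anywhere.
static DWORD s_dwFileSize = 0;

// Returns a pointer to cb bytes at file offset dwOffset inside the mapped view,
// or NULL when that range is not completely inside the file.
static const BYTE *PeAtOffset(DWORD dwOffset, DWORD cb)
{
    if (NULL == lpMapping || dwOffset > s_dwFileSize || cb > s_dwFileSize - dwOffset) {
        return NULL;
    }
    return (const BYTE *) lpMapping + dwOffset;
}

// Translates an RVA into a file offset using the section table.
//   dwRva      - relative virtual address to translate
//   dwSecRva   - first entry of the section table
//   uNumOfSecs - number of entries in that table
// Returns the file offset, or (DWORD)-1 when no section contains the RVA.
// The result is NOT checked against the file size; callers must do that.
DWORD Rva2Offset(DWORD dwRva, PIMAGE_SECTION_HEADER dwSecRva, USHORT uNumOfSecs)
{
    if (NULL == dwSecRva) {
        return (DWORD)-1;
    }
    for (USHORT i = 0; i < uNumOfSecs; i++, dwSecRva++) {
        DWORD dwDelta;

        if (dwRva < dwSecRva->VirtualAddress) {
            continue;
        }
        // Compare the distance instead of VirtualAddress + VirtualSize, which
        // wraps around for a section header with large values.
        dwDelta = dwRva - dwSecRva->VirtualAddress;
        if (dwDelta >= dwSecRva->Misc.VirtualSize) {
            continue;
        }
        // Skip sections whose raw pointer would overflow the offset or collide
        // with the (DWORD)-1 failure value.
        if (dwSecRva->PointerToRawData >= (DWORD)-1 - dwDelta) {
            continue;
        }
        return dwDelta + dwSecRva->PointerToRawData;
    }
    return (DWORD)-1;
}

// Returns a pointer to cb bytes located at dwRva, or NULL when the RVA is not
// covered by any section or the resulting file range is outside the file.
static const BYTE *PeAtRva(DWORD dwRva, DWORD cb)
{
    DWORD dwOffset = Rva2Offset(dwRva, pImageSectionHeader, sNumOfSections);

    if ((DWORD)-1 == dwOffset) {
        return NULL;
    }
    return PeAtOffset(dwOffset, cb);
}

// Returns pb as a C string when a terminating NUL exists before the end of the
// mapped file, else NULL. The bytes are not otherwise sanitised: names come
// from the inspected file and are printed as they are.
static const char *PeCheckString(const BYTE *pb)
{
    const BYTE *pbBase = (const BYTE *) lpMapping;
    const BYTE *pbEnd;

    if (NULL == pb || NULL == pbBase || pb < pbBase) {
        return NULL;
    }
    pbEnd = pbBase + s_dwFileSize;
    for (const BYTE *p = pb; p < pbEnd; p++) {
        if (0 == *p) {
            return (const char *) pb;
        }
    }
    return NULL;
}

// Returns the NUL-terminated string stored at dwRva, or NULL when the RVA does
// not resolve to a terminated string inside the file.
static const char *PeStringAtRva(DWORD dwRva)
{
    return PeCheckString(PeAtRva(dwRva, 1));
}

// Prints every field of IMAGE_DOS_HEADER.
static void DumpDosHeader(void)
{
    printf("\nIMAGE_DOS_HEADER\n");
    printf("~~~~~~~~~~~~~~~~~~\n");
    printf("e_magic %04X\n", pImageDosHeader->e_magic);
    printf("e_cblp %04X\n", pImageDosHeader->e_cblp);
    printf("e_cp %04X\n", pImageDosHeader->e_cp);
    printf("e_crlc %04X\n", pImageDosHeader->e_crlc);
    printf("e_cparhdr %04X\n", pImageDosHeader->e_cparhdr);
    printf("e_minalloc %04X\n", pImageDosHeader->e_minalloc);
    printf("e_maxalloc %04X\n", pImageDosHeader->e_maxalloc);
    printf("e_ss %04X\n", pImageDosHeader->e_ss);
    printf("e_sp %04X\n", pImageDosHeader->e_sp);
    printf("e_csum %04X\n", pImageDosHeader->e_csum);
    printf("e_ip %04X\n", pImageDosHeader->e_ip);
    printf("e_cs %04X\n", pImageDosHeader->e_cs);
    printf("e_lfarlc %04X\n", pImageDosHeader->e_lfarlc);
    printf("e_ovno %04X\n", pImageDosHeader->e_ovno);
    printf("e_res ");
    for (int i = 0; i < 4; i++) {
        printf("%04X", pImageDosHeader->e_res[i]);
    }
    printf("\n");
    printf("e_oemid %04X\n", pImageDosHeader->e_oemid);
    printf("e_oeminfo %04X\n", pImageDosHeader->e_oeminfo);
    printf("e_res2 ");
    for (int i = 0; i < 10; i++) {
        printf("%04X", pImageDosHeader->e_res2[i]);
    }
    printf("\n");
    printf("e_lfanew %08lX\n", pImageDosHeader->e_lfanew);
}

// Prints IMAGE_FILE_HEADER, with a readable name for the machine types the
// tool knows about.
static void DumpFileHeader(void)
{
    printf("\nIMAGE_FILE_HEADER\n");
    printf("~~~~~~~~~~~~~~~~~~~\n");
    printf("Machine %04X", pImageFileHeader->Machine);
    switch (pImageFileHeader->Machine) {
    case IMAGE_FILE_MACHINE_I386:
        printf("[Intel 386]\n");
        break;
    case IMAGE_FILE_MACHINE_R3000:
        printf("[MIPS little-endian, 0x160 big endian]\n");
        break;
    case IMAGE_FILE_MACHINE_R4000:
        printf("[MIPS little-endian]\n");
        break;
    case IMAGE_FILE_MACHINE_R10000:
        printf("[MIPS little-endlian]\n");
        break;
    case IMAGE_FILE_MACHINE_ALPHA:
        printf("[Alpha_AXP]\n");
        break;
    case IMAGE_FILE_MACHINE_POWERPC:
        printf("[IBM PowerPC Little-Endian]\n");
        break;
    default:
        printf("[Unknown Machine]\n");
        break;
    }
    printf("NumberOfSections %04d\n", pImageFileHeader->NumberOfSections);
    printf("TimeDateStamp %08lx\n", pImageFileHeader->TimeDateStamp);
    printf("PointerToSymbolTable %08lx\n", pImageFileHeader->PointerToSymbolTable);
    printf("NumberOfSymbols %08lx\n", pImageFileHeader->NumberOfSymbols);
    printf("SizeOfOptionalHeader %04x\n", pImageFileHeader->SizeOfOptionalHeader);
    printf("Characteristics %04x\n", pImageFileHeader->Characteristics);
}

// Prints IMAGE_OPTIONAL_HEADER. BaseOfData exists only in the 32-bit (PE32)
// layout, so this function fixes the tool to PE32 files.
static void DumpOptionalHeader(void)
{
    printf("\nIMAGE_OPTIONAL_HEADER\n");
    printf("~~~~~~~~~~~~~~~~~~~~~\n");
    printf("Magic %04x\n", pImageOptionalHeader->Magic);
    printf("Major Link Version %04x\n", pImageOptionalHeader->MajorLinkerVersion);
    printf("Minor Link Version %04x\n", pImageOptionalHeader->MinorLinkerVersion);
    printf("Size Of Code %08lx\n", pImageOptionalHeader->SizeOfCode);
    printf("Size Of Initialized Data %08lx\n", pImageOptionalHeader->SizeOfInitializedData);
    printf("Size Of Uninitialized Data %08lx\n", pImageOptionalHeader->SizeOfUninitializedData);
    printf("Address Of Entry Point %08lx\n", pImageOptionalHeader->AddressOfEntryPoint);
    printf("Base Of Code %08lx\n", pImageOptionalHeader->BaseOfCode);
    printf("Base Of Data %08lx\n", pImageOptionalHeader->BaseOfData);
    printf("Image Base %08lx\n", pImageOptionalHeader->ImageBase);
    printf("Section Alignment %08lx\n", pImageOptionalHeader->SectionAlignment);
    printf("File Alignment %08lx\n", pImageOptionalHeader->FileAlignment);
    printf("Major Operating System Version %04x\n", pImageOptionalHeader->MajorOperatingSystemVersion);
    printf("Minor Operating System Version %04x\n", pImageOptionalHeader->MinorOperatingSystemVersion);
    printf("Major Image Version %04x\n", pImageOptionalHeader->MajorImageVersion);
    printf("Minor Image Version %04x\n", pImageOptionalHeader->MinorImageVersion);
    printf("Major Subsystem Version %04x\n", pImageOptionalHeader->MajorSubsystemVersion);
    printf("Minor Subsystem Version %04x\n", pImageOptionalHeader->MinorSubsystemVersion);
    printf("Win32 Version Value %008lx\n", pImageOptionalHeader->Win32VersionValue);
    printf("Size Of Image %08lx\n", pImageOptionalHeader->SizeOfImage);
    printf("Size Of Headers %08lx\n", pImageOptionalHeader->SizeOfHeaders);
    printf("Checksum %08lx\n", pImageOptionalHeader->CheckSum);
    printf("Subsystem %04x\n", pImageOptionalHeader->Subsystem);
    printf("DLL Characteristics %04x\n", pImageOptionalHeader->DllCharacteristics);
    printf("Size Of Stack Reserve %08lx\n", pImageOptionalHeader->SizeOfStackReserve);
    printf("Size Of Stack Commit %08lx\n", pImageOptionalHeader->SizeOfStackCommit);
    printf("Size Of Heap Reserve %08lx\n", pImageOptionalHeader->SizeOfHeapReserve);
    printf("Size Of Heap Commit %08lx\n", pImageOptionalHeader->SizeOfHeapCommit);
    printf("Loader Flag %08lx\n", pImageOptionalHeader->LoaderFlags);
    printf("Num Of Rva And Sizes %08lx\n", pImageOptionalHeader->NumberOfRvaAndSizes);
}

// Prints the data directory and records where the import and export tables
// are (dwImportTable*/dwExportDirectory*).
static void DumpDataDirectories(void)
{
    // Only the first NumberOfRvaAndSizes slots are directory entries; the
    // structure itself never holds more than IMAGE_NUMBEROF_DIRECTORY_ENTRIES.
    DWORD cDirs = pImageOptionalHeader->NumberOfRvaAndSizes;

    if (cDirs > IMAGE_NUMBEROF_DIRECTORY_ENTRIES) {
        cDirs = IMAGE_NUMBEROF_DIRECTORY_ENTRIES;
    }
    dwImportTableVA = 0;
    dwImportTableVS = 0;
    dwExportDirectoryVA = 0;
    dwExportDirectoryVS = 0;

    printf("\nIMAGE_DATA_DIRECTORY\n");
    printf("~~~~~~~~~~~~~~~~~~~~\n");
    pImageDataDirectory = pImageOptionalHeader->DataDirectory;
    printf("Size VirtualAddress Name\n");
    printf("-----------------------------------------------------------------\n");
    for (DWORD i = 0; i < cDirs; i++, pImageDataDirectory++) {
        printf("%08lx %08lx ", pImageDataDirectory->Size, pImageDataDirectory->VirtualAddress);
        switch (i) {
        case IMAGE_DIRECTORY_ENTRY_EXPORT:
            dwExportDirectoryVA = pImageDataDirectory->VirtualAddress;
            dwExportDirectoryVS = pImageDataDirectory->Size;
            printf("Export Table\n");
            break;
        case IMAGE_DIRECTORY_ENTRY_IMPORT:
            dwImportTableVA = pImageDataDirectory->VirtualAddress;
            dwImportTableVS = pImageDataDirectory->Size;
            printf("Import Table\n");
            break;
        case IMAGE_DIRECTORY_ENTRY_RESOURCE:
            printf("Resource\n");
            break;
        case IMAGE_DIRECTORY_ENTRY_EXCEPTION:
            printf("Exception\n");
            break;
        case IMAGE_DIRECTORY_ENTRY_SECURITY:
            printf("Security\n");
            break;
        case IMAGE_DIRECTORY_ENTRY_BASERELOC:
            printf("Base Relocation Table\n");
            break;
        case IMAGE_DIRECTORY_ENTRY_DEBUG:
            printf("Debug\n");
            break;
        case IMAGE_DIRECTORY_ENTRY_ARCHITECTURE:
            printf("Architecture\n");
            break;
        case IMAGE_DIRECTORY_ENTRY_GLOBALPTR:
            printf("GlobalPtr\n");
            break;
        case IMAGE_DIRECTORY_ENTRY_TLS:
            printf("TLS\n");
            break;
        case IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:
            printf("LoadConfig\n");
            break;
        case IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT:
            printf("Bound\n");
            break;
        case IMAGE_DIRECTORY_ENTRY_IAT:
            printf("IAT\n");
            break;
        case IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT:
            printf("DelayLoadImport\n");
            break;
        case IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
            printf("COM\n");
            break;
        case 15:
            printf("Reserved\n");
            break;
        default:
            printf("\n");
            break;
        }
    }
}

// Prints every entry of the section table (already validated by the caller).
static void DumpSections(void)
{
    printf("\nIMAGE_SECTION_HEADER\n");
    printf("~~~~~~~~~~~~~~~~~~~~\n");
    pSection = pImageSectionHeader;
    for (USHORT i = 0; i < sNumOfSections; i++, pSection++) {
        // NOTE(review): the label of this line was lost from the published
        // listing; "Name" is a reconstruction. The field is 8 bytes with no
        // guaranteed terminator, hence the %.8s bound.
        printf("Name %.8s\n", (const char *) pSection->Name);
        printf("Physical Address %08lX\n", pSection->Misc.PhysicalAddress);
        printf("Virtual Address %08lX\n", pSection->VirtualAddress);
        printf("Virtual Size %08lX\n", pSection->Misc.VirtualSize);
        printf("Size Of Raw Data %08lX\n", pSection->SizeOfRawData);
        printf("Pointer To Raw Data %08lX\n", pSection->PointerToRawData);
        printf("Pointer To Relocations %08lX\n", pSection->PointerToRelocations);
        printf("Pointer To Line Numbers %08lX\n", pSection->PointerToLinenumbers);
        printf("Characteristics %08lX\n", pSection->Characteristics);
        printf("-------------------------------------------------\n");
    }
}

// Prints the thunk list (imported functions) that starts at dwThunkRva.
static void DumpThunks(DWORD dwThunkRva)
{
    printf("\nHint Function\n");
    printf("------------------------------------------------------\n");
    for (;;) {
        pImageThunkData = (PIMAGE_THUNK_DATA) PeAtRva(dwThunkRva, (DWORD) sizeof(IMAGE_THUNK_DATA));
        if (NULL == pImageThunkData) {
            printf("Thunk table is outside the file!\n");
            break;
        }
        if (0 == pImageThunkData->u1.Ordinal) {
            break;      // a zero entry ends the list
        }
        if (pImageThunkData->u1.Ordinal & IMAGE_ORDINAL_FLAG32) {
            // import by ordinal: there is no IMAGE_IMPORT_BY_NAME to look up
            printf("Hint %08lX\n", pImageThunkData->u1.Ordinal - IMAGE_ORDINAL_FLAG32);
        } else {
            // import by name: a WORD hint followed by a NUL-terminated name
            const char *pszFunction;

            pImageImportByName = (PIMAGE_IMPORT_BY_NAME) PeAtRva((DWORD) pImageThunkData->u1.Function, (DWORD) sizeof(WORD) + 1);
            pszFunction = (NULL != pImageImportByName)
                ? PeCheckString((const BYTE *) pImageImportByName->Name)
                : NULL;
            if (NULL != pszFunction) {
                printf("%08lX %s\n", (unsigned long) pImageImportByName->Hint, pszFunction);
            } else {
                printf("(invalid import name RVA)\n");
            }
        }
        if (dwThunkRva > (DWORD)-1 - sizeof(IMAGE_THUNK_DATA)) {
            break;      // the next RVA would wrap around
        }
        dwThunkRva += (DWORD) sizeof(IMAGE_THUNK_DATA);
    }
    printf("\n");
}

// Prints every import descriptor and the functions imported through it.
static void DumpImports(void)
{
    DWORD dwDescRva = dwImportTableVA;

    if (0 == dwImportTableVS) {
        printf("No Import Table!\n");
        return;
    }
    printf("\nIMAGE_IMPORT_DESCRIPTOR\n");
    printf("~~~~~~~~~~~~~~~~~~~~~~~~~\n");
    for (;;) {
        const char *pszDll;

        pImageImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR) PeAtRva(dwDescRva, (DWORD) sizeof(IMAGE_IMPORT_DESCRIPTOR));
        if (NULL == pImageImportDescriptor) {
            printf("Import descriptor is outside the file!\n");
            return;
        }
        if (0 == pImageImportDescriptor->Name) {
            return;     // the all-zero descriptor ends the table
        }
        pszDll = PeStringAtRva(pImageImportDescriptor->Name);
        printf("Name ");
        printf("%s\n", (NULL != pszDll) ? pszDll : "(invalid name RVA)");
        printf("OriginalFirstThunk %08lX\n", pImageImportDescriptor->OriginalFirstThunk);
        printf("TimeDateStamp %08lX\n", pImageImportDescriptor->TimeDateStamp);
        printf("ForwarderChain %08lX\n", pImageImportDescriptor->ForwarderChain);
        printf("FirstThunk %08lX\n", pImageImportDescriptor->FirstThunk);

        // Prefer the name table; fall back to FirstThunk when it is absent.
        DumpThunks((0 != pImageImportDescriptor->OriginalFirstThunk)
                       ? pImageImportDescriptor->OriginalFirstThunk
                       : pImageImportDescriptor->FirstThunk);

        if (dwDescRva > (DWORD)-1 - sizeof(IMAGE_IMPORT_DESCRIPTOR)) {
            return;     // the next RVA would wrap around
        }
        dwDescRva += (DWORD) sizeof(IMAGE_IMPORT_DESCRIPTOR);
    }
}

// Prints the export directory and the functions that are exported by name.
static void DumpExports(void)
{
    const char *pszModule;
    DWORD cNames;
    DWORD cFunctions;

    if (0 == dwExportDirectoryVS) {
        printf("No Export Table!\n");
        return;
    }
    pImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY) PeAtRva(dwExportDirectoryVA, (DWORD) sizeof(IMAGE_EXPORT_DIRECTORY));
    if (NULL == pImageExportDirectory) {
        printf("Export directory is outside the file!\n");
        return;
    }
    cNames = pImageExportDirectory->NumberOfNames;
    cFunctions = pImageExportDirectory->NumberOfFunctions;

    printf("\nIMAGE_EXPORT_DIRECTORY\n");
    printf("~~~~~~~~~~~~~~~~~~~~~~~~\n");
    printf("Characteristics %08lX\n", pImageExportDirectory->Characteristics);
    printf("TimeDateStamp %08lX\n", pImageExportDirectory->TimeDateStamp);
    printf("MajorVersion %04X\n", pImageExportDirectory->MajorVersion);
    printf("MinorVersion %04X\n", pImageExportDirectory->MinorVersion);
    printf("Name RVA %08lX\n", pImageExportDirectory->Name);
    pszModule = PeStringAtRva(pImageExportDirectory->Name);
    if (NULL != pszModule) {
        printf("Name%s\n", pszModule);
    } else {
        printf("Name NULL\n");
    }
    printf("Base %08lX\n", pImageExportDirectory->Base);
    printf("NumberOfFunctions %08lX\n", cFunctions);
    printf("NumberOfNames %08lX\n", cNames);
    printf("AddressOfFunctions %08lX\n", pImageExportDirectory->AddressOfFunctions);
    printf("AddressOfNames %08lX\n", pImageExportDirectory->AddressOfNames);
    printf("AddressOfNameOrdinals %08lX\n", pImageExportDirectory->AddressOfNameOrdinals);
    printf("\n");

    printf("Ordinal Function Address Function\n");
    printf("----------------------------------------------------\n");
    if (0 == cNames) {
        return;
    }
    // The counts come from the file: reject values whose table size would
    // overflow, then require all three tables to lie inside the file.
    if (cNames > (DWORD)-1 / sizeof(DWORD) || cFunctions > (DWORD)-1 / sizeof(DWORD)) {
        printf("Export table counts are not plausible!\n");
        return;
    }
    vFunNameTable = (DWORD *) PeAtRva(pImageExportDirectory->AddressOfNames, (DWORD) (cNames * sizeof(DWORD)));
    wFunIndexTable = (WORD *) PeAtRva(pImageExportDirectory->AddressOfNameOrdinals, (DWORD) (cNames * sizeof(WORD)));
    vFunAddrTable = (DWORD *) PeAtRva(pImageExportDirectory->AddressOfFunctions, (DWORD) (cFunctions * sizeof(DWORD)));
    if (NULL == vFunNameTable || NULL == wFunIndexTable || NULL == vFunAddrTable) {
        printf("Export tables are outside the file!\n");
        return;
    }
    for (DWORD j = 0; j < cNames; j++) {
        // Each name-ordinal entry is an index into the function-address table,
        // so the address is looked up through it; the exported ordinal is that
        // index plus Base.
        WORD wIndex = wFunIndexTable[j];
        const char *pszFunction = PeStringAtRva(vFunNameTable[j]);

        printf("%lu ", (unsigned long) (pImageExportDirectory->Base + wIndex));
        if (wIndex < cFunctions) {
            printf("%08lX ", vFunAddrTable[wIndex]);
        } else {
            printf("???????? ");
        }
        printf("%s\n", (NULL != pszFunction) ? pszFunction : "(invalid name RVA)");
    }
}

// Validates the headers of the mapped file and prints every structure.
// Returns 0 on success and -1 when the file is not a PE image this tool can read.
static int DumpAll(const char *pszPath)
{
    DWORD dwSectionTable;

    pImageDosHeader = (PIMAGE_DOS_HEADER) PeAtOffset(0, (DWORD) sizeof(IMAGE_DOS_HEADER));
    if (NULL == pImageDosHeader || IMAGE_DOS_SIGNATURE != pImageDosHeader->e_magic) {
        printf("Not a PE file: bad DOS header!\n");
        return -1;
    }
    // e_lfanew is a signed field chosen by the file; it must be non-negative
    // and leave room for the complete NT headers.
    if (pImageDosHeader->e_lfanew < 0) {
        printf("Not a PE file: bad e_lfanew!\n");
        return -1;
    }
    pImageNtHeaders = (PIMAGE_NT_HEADERS) PeAtOffset((DWORD) pImageDosHeader->e_lfanew, (DWORD) sizeof(IMAGE_NT_HEADERS));
    if (NULL == pImageNtHeaders || IMAGE_NT_SIGNATURE != pImageNtHeaders->Signature) {
        printf("Not a PE file: bad NT headers!\n");
        return -1;
    }
    pImageFileHeader = &pImageNtHeaders->FileHeader;
    pImageOptionalHeader = &pImageNtHeaders->OptionalHeader;
    sNumOfSections = pImageFileHeader->NumberOfSections;

    printf("File Name:[%s]\n", pszPath);
    DumpDosHeader();
    DumpFileHeader();

    // The structures used from here on have one fixed layout; a file with the
    // other optional-header format would be decoded as garbage.
    if (IMAGE_NT_OPTIONAL_HDR_MAGIC != pImageOptionalHeader->Magic) {
        printf("Unsupported optional header magic %04x\n", pImageOptionalHeader->Magic);
        return -1;
    }
    DumpOptionalHeader();
    DumpDataDirectories();

    // The section table follows the optional header, whose real size is given
    // by SizeOfOptionalHeader (not necessarily sizeof(IMAGE_OPTIONAL_HEADER)).
    dwSectionTable = (DWORD) pImageDosHeader->e_lfanew
                   + (DWORD) FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader)
                   + pImageFileHeader->SizeOfOptionalHeader;
    pImageSectionHeader = (PIMAGE_SECTION_HEADER) PeAtOffset(dwSectionTable, (DWORD) (sNumOfSections * sizeof(IMAGE_SECTION_HEADER)));
    if (NULL == pImageSectionHeader) {
        printf("Section table is outside the file!\n");
        return -1;
    }
    pCurSection = pImageSectionHeader;
    DumpSections();

    DumpImports();
    DumpExports();
    return 0;
}

// Runs DumpAll under structured exception handling. The bounds checks cover
// malformed files; the handler remains for faults raised while reading the
// mapped view (for example an I/O error on the backing file).
static int DumpGuarded(const char *pszPath)
{
    int nResult = -1;

    __try {
        nResult = DumpAll(pszPath);
    }
    __except ((EXCEPTION_ACCESS_VIOLATION == GetExceptionCode() ||
               EXCEPTION_IN_PAGE_ERROR == GetExceptionCode())
                  ? EXCEPTION_EXECUTE_HANDLER
                  : EXCEPTION_CONTINUE_SEARCH) {
        if (EXCEPTION_ACCESS_VIOLATION == GetExceptionCode()) {
            printf("======Exception: EXCEPTION_ACCESS_VIOLATION======\n");
        }
        printf("Error while reading the mapped file\n");
        nResult = -1;
    }
    return nResult;
}

// Entry point: maps the file named by argv[1] and prints its PE structures.
// Returns 0 on success and -1 on a usage error, an I/O error or a file that
// is not a readable PE image.
int main(int argc, char *argv[])
{
    int nResult = -1;
    DWORD dwSizeHigh = 0;

    PrtInfo();
    if (2 != argc) {
        printf ("Argument Error!\n");
        return -1;
    }

    hMapping = NULL;
    lpMapping = NULL;

    // A viewer only needs read access. Opening and mapping read-only means the
    // inspected file cannot be modified through the view, and read-only files
    // can be opened. FILE_SHARE_READ keeps other writers out while it is open.
    // The A variant is used because argv[] holds char strings.
    hFile = CreateFileA(argv[1], GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (INVALID_HANDLE_VALUE == hFile) {
        printf ("Could not open file! ErrorCode:%ld\n", GetLastError());
        return -1;
    }

    s_dwFileSize = GetFileSize(hFile, &dwSizeHigh);
    if ((INVALID_FILE_SIZE == s_dwFileSize && NO_ERROR != GetLastError()) || 0 != dwSizeHigh) {
        printf("Could not get a usable file size (files of 4 GB or more are not supported)!\n");
        goto cleanup;
    }

    hMapping = CreateFileMappingA(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
    if (NULL == hMapping) {
        printf("Could not create file mapping object! ErrorCode:%ld\n", GetLastError());
        goto cleanup;
    }

    lpMapping = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);
    if (NULL == lpMapping) {
        printf("Could not map view of file! ErrorCode:%ld\n", GetLastError());
        goto cleanup;
    }

    nResult = DumpGuarded(argv[1]);

cleanup:
    // Release in reverse order of acquisition, on every path.
    if (NULL != lpMapping) {
        UnmapViewOfFile(lpMapping);
    }
    if (NULL != hMapping) {
        CloseHandle(hMapping);
    }
    CloseHandle(hFile);
    hMapping = NULL;
    hFile = NULL;
    lpMapping = NULL;
    return nResult;
}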