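/*
 * Minimal PE header dumper: maps a file read-only, locates the NT headers
 * through the DOS header's e_lfanew field and prints the file header, the
 * optional header and the data-directory table.
 *
 * NOTE(review): the listing prints OptionalHeader.BaseOfData and uses 32-bit
 * format specifiers for ImageBase and the stack/heap sizes, so it appears to
 * be written for a 32-bit (PE32) build only -- confirm before building x64.
 */
#include <windows.h>
#include <ImageHlp.h>
#include <wchar.h>

/*
 * Map pFileName read-only and return the base address of the view.
 *
 * pFileName  path of the file to map.
 * psize      optional; receives the file size in bytes. Files of 4 GiB or
 *            more are reported as MAXDWORD, which is still a valid lower
 *            bound for bounds checks because the whole file is mapped.
 *
 * Returns NULL on any failure. The file and mapping handles are closed before
 * returning; only the view has to be released, with UnLoadFile().
 */
LPVOID LoadFile(wchar_t *pFileName, DWORD *psize)
{
    HANDLE hFile;
    HANDLE hMap = NULL;
    LPVOID pData = NULL;

    hFile = CreateFileW(pFileName, GENERIC_READ, FILE_SHARE_READ, NULL,
                        OPEN_EXISTING, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        return NULL;
    }

    hMap = CreateFileMappingW(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
    if (hMap == NULL) {
        goto clean;
    }

    if (psize) {
        DWORD high = 0;
        DWORD low = GetFileSize(hFile, &high);

        /* INVALID_FILE_SIZE is also a legal low dword, so consult the
         * last-error code before treating it as a failure. */
        if (low == INVALID_FILE_SIZE && GetLastError() != NO_ERROR) {
            goto clean;
        }
        *psize = high ? MAXDWORD : low;
    }

    pData = MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);

clean:
    if (hMap) {
        CloseHandle(hMap);
    }
    CloseHandle(hFile);
    return pData;
}

/* Release a view returned by LoadFile(); a NULL pointer is ignored. */
void UnLoadFile(LPVOID lpData)
{
    if (lpData != NULL) {
        UnmapViewOfFile(lpData);
    }
}

/*
 * Validate the DOS header of a mapped file and return a pointer to its NT
 * headers, or NULL when the file is too small, lacks the "MZ" signature, or
 * e_lfanew would place the NT headers (partly) outside the mapped bytes.
 * The file content is untrusted, so e_lfanew must never be followed blindly.
 */
static IMAGE_NT_HEADERS *LocateNtHeaders(BYTE *base, DWORD size)
{
    IMAGE_DOS_HEADER *pDosHeader = (IMAGE_DOS_HEADER *)base;

    if (size < sizeof(IMAGE_DOS_HEADER) ||
        pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        return NULL;
    }
    if (size < sizeof(IMAGE_NT_HEADERS) ||
        pDosHeader->e_lfanew < 0 ||
        (DWORD)pDosHeader->e_lfanew > size - sizeof(IMAGE_NT_HEADERS)) {
        return NULL;
    }
    /* Byte-pointer arithmetic: casting the base to DWORD would truncate the
     * address in a 64-bit process. */
    return (IMAGE_NT_HEADERS *)(base + pDosHeader->e_lfanew);
}

/* Label and DataDirectory index of one row of the directory table. */
struct DirEntryLabel {
    const wchar_t *label;
    unsigned index;
};

/*
 * Print the file header, optional header and data directories of an image.
 *
 * pNtHeaders must point to a complete IMAGE_NT_HEADERS structure. Nothing
 * but a diagnostic is printed when the pointer is NULL, the "PE\0\0"
 * signature is missing, or the optional-header magic does not match the
 * header layout this program was compiled for.
 */
void ShowNtHeaderInfo(IMAGE_NT_HEADERS *pNtHeaders)
{
    static const struct DirEntryLabel dirs[] = {
        { L"export: ",         IMAGE_DIRECTORY_ENTRY_EXPORT },
        { L"import: ",         IMAGE_DIRECTORY_ENTRY_IMPORT },
        { L"resource: ",       IMAGE_DIRECTORY_ENTRY_RESOURCE },
        { L"exception: ",      IMAGE_DIRECTORY_ENTRY_EXCEPTION },
        { L"security: ",       IMAGE_DIRECTORY_ENTRY_SECURITY },
        { L"basereloc: ",      IMAGE_DIRECTORY_ENTRY_BASERELOC },
        { L"debug: ",          IMAGE_DIRECTORY_ENTRY_DEBUG },
        { L"copyright: ",      IMAGE_DIRECTORY_ENTRY_ARCHITECTURE },
        { L"global ptr: ",     IMAGE_DIRECTORY_ENTRY_GLOBALPTR },
        { L"tls: ",            IMAGE_DIRECTORY_ENTRY_TLS },
        { L"load config: ",    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG },
        { L"bound import: ",   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT },
        { L"IAT: ",            IMAGE_DIRECTORY_ENTRY_IAT },
        { L"delay import: ",   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT },
        { L"COM descriptor: ", IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR },
    };
    const IMAGE_FILE_HEADER *fh;
    const IMAGE_OPTIONAL_HEADER *oh;
    DWORD dirCount;
    size_t i;

    if (pNtHeaders == NULL || pNtHeaders->Signature != IMAGE_NT_SIGNATURE) {
        wprintf(L"NT Signature mismatch\n");
        return;
    }

    fh = &pNtHeaders->FileHeader;
    oh = &pNtHeaders->OptionalHeader;

    /* A PE32 and a PE32+ optional header have different field layouts;
     * reading one through the other's struct would print garbage. */
    if (oh->Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC) {
        wprintf(L"Optional header magic mismatch\n");
        return;
    }

    wprintf(L"----------------------------------------\n");
    wprintf(L"Image file header info:\n");
    wprintf(L"----------------------------------------\n");
    wprintf(L"\tMachine 0x%04X\n", fh->Machine);
    wprintf(L"\tNumberOfSections %u\n", fh->NumberOfSections);
    wprintf(L"\tTimeDateStamp 0x%08X\n", fh->TimeDateStamp);
    wprintf(L"\tPointerToSymbolTable 0x%08X\n", fh->PointerToSymbolTable);
    wprintf(L"\tNumberOfSymbols %u\n", fh->NumberOfSymbols);
    wprintf(L"\tSizeOfOptionalHeader %u\n", fh->SizeOfOptionalHeader);
    wprintf(L"\tCharacteristics 0x%04X\n", fh->Characteristics);

    wprintf(L"----------------------------------------\n");
    wprintf(L"Image optional header:\n");
    wprintf(L"----------------------------------------\n");
    wprintf(L"\tMagic: 0x%04X\n", oh->Magic);
    wprintf(L"\tMajorLinkerVersion: %u\n", oh->MajorLinkerVersion);
    wprintf(L"\tMinorLinkerVersion: %u\n", oh->MinorLinkerVersion);
    wprintf(L"\tSizeOfCode: %u\n", oh->SizeOfCode);
    wprintf(L"\tSizeOfInitializedData: %u\n", oh->SizeOfInitializedData);
    wprintf(L"\tSizeOfUninitializedData: %u\n", oh->SizeOfUninitializedData);
    wprintf(L"\tAddressOfEntryPoint: 0x%08X\n", oh->AddressOfEntryPoint);
    wprintf(L"\tBaseOfCode: 0x%08X\n", oh->BaseOfCode);
    wprintf(L"\tBaseOfData: 0x%08X\n", oh->BaseOfData);
    wprintf(L"\tImageBase: 0x%08X\n", oh->ImageBase);
    wprintf(L"\tSectionAlignment: 0x%08X\n", oh->SectionAlignment);
    wprintf(L"\tFileAlignment: 0x%08X\n", oh->FileAlignment);
    wprintf(L"\tMajorOperatingSystemVersion: %u\n", oh->MajorOperatingSystemVersion);
    wprintf(L"\tMinorOperatingSystemVersion: %u\n", oh->MinorOperatingSystemVersion);
    wprintf(L"\tMajorImageVersion: %u\n", oh->MajorImageVersion);
    wprintf(L"\tMinorImageVersion: %u\n", oh->MinorImageVersion);
    wprintf(L"\tMajorSubsystemVersion: %u\n", oh->MajorSubsystemVersion);
    wprintf(L"\tMinorSubsystemVersion: %u\n", oh->MinorSubsystemVersion);
    wprintf(L"\tWin32VersionValue: 0x%08X\n", oh->Win32VersionValue);
    wprintf(L"\tSizeOfImage: %u\n", oh->SizeOfImage);
    wprintf(L"\tSizeOfHeaders: %u\n", oh->SizeOfHeaders);
    wprintf(L"\tCheckSum: 0x%08X\n", oh->CheckSum);
    wprintf(L"\tSubsystem: 0x%04X\n", oh->Subsystem);
    wprintf(L"\tDllCharacteristics: 0x%08X\n", oh->DllCharacteristics);
    wprintf(L"\tSizeOfStackReserve: %u\n", oh->SizeOfStackReserve);
    wprintf(L"\tSizeOfStackCommit: 0x%08X\n", oh->SizeOfStackCommit);
    wprintf(L"\tSizeOfHeapReserve: %u\n", oh->SizeOfHeapReserve);
    wprintf(L"\tSizeOfHeapCommit: 0x%08X\n", oh->SizeOfHeapCommit);
    wprintf(L"\tLoaderFlags: 0x%08X\n", oh->LoaderFlags);
    wprintf(L"\tNumberOfRvaAndSizes: %u\n", oh->NumberOfRvaAndSizes);

    wprintf(L"----------------------------------------\n");
    wprintf(L"Image Directory Entries:\n");
    wprintf(L"----------------------------------------\n");
    wprintf(L" SIZE\t\tRVA\n");

    /* Only the first NumberOfRvaAndSizes entries are declared by the file;
     * the count is file-controlled, so clamp it to the array size too. */
    dirCount = oh->NumberOfRvaAndSizes;
    if (dirCount > IMAGE_NUMBEROF_DIRECTORY_ENTRIES) {
        dirCount = IMAGE_NUMBEROF_DIRECTORY_ENTRIES;
    }
    for (i = 0; i < sizeof dirs / sizeof dirs[0]; i++) {
        if (dirs[i].index >= dirCount) {
            continue;
        }
        wprintf(L"%ls%-8u\t\t0x%08X\n",
                dirs[i].label,
                oh->DataDirectory[dirs[i].index].Size,
                oh->DataDirectory[dirs[i].index].VirtualAddress);
    }
}

/*
 * Dump the headers of c:\windows\system32\ntdll.dll.
 * Returns 0 on success, -1 when the file cannot be mapped or its DOS header
 * does not lead to NT headers inside the file.
 * The original parameters (int argc, wchar_t **argv) were unused and are not
 * a valid signature for main, so they are dropped.
 */
int main(void)
{
    DWORD size = 0;
    BYTE *base;
    IMAGE_NT_HEADERS *pNtHeaders;
    int rc = -1;

    base = (BYTE *)LoadFile(L"c:\\windows\\system32\\ntdll.dll", &size);
    if (base == NULL) {
        wprintf(L"Load file failed!\n");
        return -1;
    }

    pNtHeaders = LocateNtHeaders(base, size);
    if (pNtHeaders == NULL) {
        wprintf(L"Not a valid PE image\n");
    } else {
        ShowNtHeaderInfo(pNtHeaders);
        rc = 0;
    }

    UnLoadFile(base);
    return rc;
}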