工程文件petype.cpp通过调用pefile类中的函数获取文件类型。
文件类型的判断通过5个监测点完成。
监测点1:dos头的e_magic
监测点2:nt头的Signature
监测点3:文件头的Characteristics
监测点4:可选头的Magic
监测点5:可选头的Subsystem
通过监测点1和2判断是否是pe文件;
通过监测点3判断文件是否是动态库文件
通过监测点4判断文件是pe32还是pe32+还是rom映像
通过监测点5判断文件是否是0环可执行文件[驱动文件],还是3环可执行文件[exe文件]
具体代码参见下面:
pefile.h
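#ifndef PE_FILE_H
#define PE_FILE_H
#include "windows.h"

/*
 * Raw header probes used by XPEFILE::GetType().
 *
 * The macros refer to the XPEFILE members File_memory and File_size directly,
 * so they are only meaningful inside XPEFILE member functions.  Every probe is
 * bounds-checked against File_size before it dereferences: e_lfanew and the
 * header sizes come from the file itself, so an unchecked offset would read
 * outside the buffer on a truncated or malformed input.  A failed bounds check
 * simply makes the probe false; a negative File_size fails every check.
 */
#define X_PE_HAS_BYTES(n) \
    ((File_size) >= 0 && (unsigned long long)(File_size) >= (unsigned long long)(n))
/* e_lfanew as stored at DOS-header offset 0x3c; only valid once the DOS header fits. */
#define X_PE_LFANEW (*(DWORD*)((BYTE*)File_memory + 0x3c))
/* True when the DOS header fits and [e_lfanew, e_lfanew + n) lies inside the buffer.
   The addition is done in 64-bit so a large e_lfanew cannot wrap around. */
#define X_PE_NT_HAS_BYTES(n) \
    (X_PE_HAS_BYTES(sizeof(MX_IMAGE_DOS_HEADER)) && \
     X_PE_HAS_BYTES((unsigned long long)X_PE_LFANEW + (unsigned long long)(n)))
/* Start of the NT headers; dereference only after X_PE_NT_HAS_BYTES() covers what is read. */
#define X_PE_NT_BASE ((BYTE*)File_memory + X_PE_LFANEW)
/* The optional-header Magic WORD follows the DWORD Signature and the file header. */
#define X_PE_MAGIC_OFFSET (4 + sizeof(MX_IMAGE_FILE_HEADER))
#define X_PE_MAGIC_WORD (*(WORD*)(X_PE_NT_BASE + X_PE_MAGIC_OFFSET))

/* Check point 1: DOS e_magic "MZ". */
#define ISMZHEADER (X_PE_HAS_BYTES(sizeof(MX_IMAGE_DOS_HEADER)) && *(WORD*)File_memory == 0x5a4d)
/* Check point 2: first WORD of the NT Signature, "PE" (the full field is the DWORD "PE\0\0"). */
#define ISPEHEADER (X_PE_NT_HAS_BYTES(4) && *(WORD*)X_PE_NT_BASE == 0x4550)
/* Check point 4: optional-header Magic.  The PE32 / PE32+ probes also require the
   whole NT header set that GetType() goes on to read (FileHeader + OptionalHeader). */
#define ISPE32MAGIC (X_PE_NT_HAS_BYTES(sizeof(MX_IMAGE_NT_HEADERS32)) && X_PE_MAGIC_WORD == 0x10b)
#define ISPE64MAGIC (X_PE_NT_HAS_BYTES(sizeof(MX_IMAGE_NT_HEADERS64)) && X_PE_MAGIC_WORD == 0x20b)
/* ROM images carry a shorter optional header, so only the Magic itself is required. */
#define ISPEROMMAGIC (X_PE_NT_HAS_BYTES(X_PE_MAGIC_OFFSET + sizeof(WORD)) && X_PE_MAGIC_WORD == 0x107)


#define X_PE_32 32
#define X_PE_64 64

/* Result flags of XPEFILE::GetType().  READ_ERRO and NOT_PE_FILE stand alone;
   the others are OR-ed onto PE_FILE (e.g. PE_FILE | PE32_FILE | EXE_FILE). */
#define READ_ERRO 0x0
#define NOT_PE_FILE 0x200
#define PE_FILE 0x100
#define PE64_FILE 0x40
#define PE32_FILE 0x20
#define ROM_IMAGE 0x10
#define EXE_FILE 0x8
#define DLL_FILE 0x4
#define SYS_FILE 0x2
#define OTHER_FILE 0x1


/* Indices into OptionalHeader.DataDirectory[]. */
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
#define X_EXPORT 0
#define X_IMPORT 1
#define X_RESOURSE 2
#define X_EXCEPTION 3
#define X_CERTIFICATE 4
#define X_BASE_RELOCATION 5
#define X_DEBUG 6
#define X_ARCHITECTURE 7
#define X_GLOBAL_PTR 8
#define X_TLS 9
#define X_LOAD_CONFIG 10
#define X_BAND_IMPORT 11
#define X_IAT 12
#define X_DELAY_IMPORT 13
#define X_COM_HEADER 14
#define X_RESERVED 15

/*
 * Local copies of the PE header layouts.  They are kept under their own
 * MX_/X_ names, separate from the identically laid-out winnt.h definitions;
 * the field order and widths must not change, since GetType() overlays them
 * directly on the file bytes.
 */
typedef struct X_IMAGE_DOS_HEADER {      // DOS .EXE header
    WORD   e_magic;                     // Magic number
    WORD   e_cblp;                      // Bytes on last page of file
    WORD   e_cp;                        // Pages in file
    WORD   e_crlc;                      // Relocations
    WORD   e_cparhdr;                   // Size of header in paragraphs
    WORD   e_minalloc;                  // Minimum extra paragraphs needed
    WORD   e_maxalloc;                  // Maximum extra paragraphs needed
    WORD   e_ss;                        // Initial (relative) SS value
    WORD   e_sp;                        // Initial SP value
    WORD   e_csum;                      // Checksum
    WORD   e_ip;                        // Initial IP value
    WORD   e_cs;                        // Initial (relative) CS value
    WORD   e_lfarlc;                    // File address of relocation table
    WORD   e_ovno;                      // Overlay number
    WORD   e_res[4];                    // Reserved words
    WORD   e_oemid;                     // OEM identifier (for e_oeminfo)
    WORD   e_oeminfo;                   // OEM information; e_oemid specific
    WORD   e_res2[10];                  // Reserved words
    LONG   e_lfanew;                    // File address of new exe header
} MX_IMAGE_DOS_HEADER;

/* COFF file header; Characteristics carries the DLL flag (check point 3). */
typedef struct X_IMAGE_FILE_HEADER {
    WORD    Machine;
    WORD    NumberOfSections;
    DWORD   TimeDateStamp;
    DWORD   PointerToSymbolTable;
    DWORD   NumberOfSymbols;
    WORD    SizeOfOptionalHeader;
    WORD    Characteristics;
} MX_IMAGE_FILE_HEADER;

typedef struct X_IMAGE_DATA_DIRECTORY {
    DWORD   VirtualAddress;
    DWORD   Size;
} MX_IMAGE_DATA_DIRECTORY;

/* PE32 optional header; Magic is check point 4 and Subsystem check point 5. */
typedef struct X_IMAGE_OPTIONAL_HEADER32 {
    WORD    Magic;
    BYTE    MajorLinkerVersion;
    BYTE    MinorLinkerVersion;
    DWORD   SizeOfCode;
    DWORD   SizeOfInitializedData;
    DWORD   SizeOfUninitializedData;
    DWORD   AddressOfEntryPoint;
    DWORD   BaseOfCode;
    DWORD   BaseOfData;
    DWORD   ImageBase;
    DWORD   SectionAlignment;
    DWORD   FileAlignment;
    WORD    MajorOperatingSystemVersion;
    WORD    MinorOperatingSystemVersion;
    WORD    MajorImageVersion;
    WORD    MinorImageVersion;
    WORD    MajorSubsystemVersion;
    WORD    MinorSubsystemVersion;
    DWORD   Win32VersionValue;
    DWORD   SizeOfImage;
    DWORD   SizeOfHeaders;
    DWORD   CheckSum;
    WORD    Subsystem;
    WORD    DllCharacteristics;
    DWORD   SizeOfStackReserve;
    DWORD   SizeOfStackCommit;
    DWORD   SizeOfHeapReserve;
    DWORD   SizeOfHeapCommit;
    DWORD   LoaderFlags;
    DWORD   NumberOfRvaAndSizes;
    MX_IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} MX_IMAGE_OPTIONAL_HEADER32;


/* PE32+ optional header: no BaseOfData, and the base/stack/heap fields are 64-bit. */
typedef struct X_IMAGE_OPTIONAL_HEADER64 {
    WORD        Magic;
    BYTE        MajorLinkerVersion;
    BYTE        MinorLinkerVersion;
    DWORD       SizeOfCode;
    DWORD       SizeOfInitializedData;
    DWORD       SizeOfUninitializedData;
    DWORD       AddressOfEntryPoint;
    DWORD       BaseOfCode;
    ULONGLONG   ImageBase;
    DWORD       SectionAlignment;
    DWORD       FileAlignment;
    WORD        MajorOperatingSystemVersion;
    WORD        MinorOperatingSystemVersion;
    WORD        MajorImageVersion;
    WORD        MinorImageVersion;
    WORD        MajorSubsystemVersion;
    WORD        MinorSubsystemVersion;
    DWORD       Win32VersionValue;
    DWORD       SizeOfImage;
    DWORD       SizeOfHeaders;
    DWORD       CheckSum;
    WORD        Subsystem;
    WORD        DllCharacteristics;
    ULONGLONG   SizeOfStackReserve;
    ULONGLONG   SizeOfStackCommit;
    ULONGLONG   SizeOfHeapReserve;
    ULONGLONG   SizeOfHeapCommit;
    DWORD       LoaderFlags;
    DWORD       NumberOfRvaAndSizes;
    /* Was the winnt.h IMAGE_DATA_DIRECTORY; same layout, now the local type
       for consistency with the PE32 header above. */
    MX_IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} MX_IMAGE_OPTIONAL_HEADER64;

typedef struct X_IMAGE_NT_HEADERS32 {
    DWORD Signature;
    MX_IMAGE_FILE_HEADER FileHeader;
    MX_IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} MX_IMAGE_NT_HEADERS32;

typedef struct X_IMAGE_NT_HEADERS64 {
    DWORD Signature;
    MX_IMAGE_FILE_HEADER FileHeader;
    MX_IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} MX_IMAGE_NT_HEADERS64;

/*
 * Loads a whole file into memory and classifies it by its PE headers.
 *
 * The object owns the buffer returned by LocalAlloc and frees it in the
 * destructor, so it is deliberately not copyable.
 */
class XPEFILE
{
public:
    /* Reads the file named by lpFileName; on any failure the object stays
       empty and GetType() reports READ_ERRO. */
    explicit XPEFILE(char* lpFileName);
    virtual ~XPEFILE();
    /* Returns the READ_ERRO / NOT_PE_FILE / PE_FILE | ... flag word. */
    int GetType();
    /* Size in bytes of the loaded buffer. */
    int GetSize();
private:
    /* Not copyable: two owners of File_memory would double-free it.
       Declared without a definition so any copy fails to link. */
    XPEFILE(const XPEFILE&);
    XPEFILE& operator=(const XPEFILE&);

    void* File_memory;   // whole file contents, NULL if the load failed
    int File_size;       // number of valid bytes in File_memory
    int File_type;       // last result of GetType()
};

#endif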
pefile.cpp
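#include "stdafx.h"
#include "windows.h"
#include "pefile.h"
#include <iostream>

/* Largest file this reader accepts.  File_size is an int, so anything that
   does not fit is reported as a read error instead of being truncated. */
static const LONGLONG kMaxPeFileSize = 0x7fffffff;

/* True when [offset, offset + length) lies inside a buffer of fileSize bytes.
   Arithmetic is 64-bit so an e_lfanew near 4 GiB cannot wrap, and a negative
   fileSize never passes. */
static bool RangeFits(int fileSize, unsigned long long offset, unsigned long long length)
{
    if (fileSize < 0)
        return false;
    const unsigned long long size = (unsigned long long)fileSize;
    return offset <= size && length <= size - offset;
}

/* Derives the DLL / EXE / SYS flag from the COFF Characteristics and the
   optional-header Subsystem (check points 3 and 5).  Both fields sit at the
   same offsets in PE32 and PE32+ images, so one helper serves both paths. */
static int ClassifyImage(WORD characteristics, WORD subsystem)
{
    if (characteristics & 0x2000)        /* IMAGE_FILE_DLL */
        return DLL_FILE;
    /* Subsystem is an enumeration, not a bit mask: 1 = NATIVE (kernel-mode
       driver), 2 = WINDOWS_GUI, 3 = WINDOWS_CUI.  The old bit tests
       ((Subsystem & 2) | (Subsystem & 3)) were non-zero for value 1 as well,
       so native images were never reported as SYS_FILE. */
    if (subsystem == 2 || subsystem == 3)
        return EXE_FILE;
    if (subsystem == 1)
        return SYS_FILE;
    return 0;   /* any other subsystem adds no flag, as before */
}

/* Opens strFileName read-only and copies its whole content into File_memory.
   On any failure (open, size, allocation, short read) File_memory stays NULL
   and File_size is 0, so GetType() reports READ_ERRO.  Zero-length files are
   treated the same way: there is nothing to classify. */
XPEFILE::XPEFILE(char* strFileName)
{
    File_memory = NULL;
    File_size = 0;          /* was left uninitialized when the open failed */
    File_type = READ_ERRO;

    /* Classification never writes, so ask for read access only: GENERIC_WRITE
       needs more rights than the job requires and fails on read-only files. */
    HANDLE hfile = CreateFile(strFileName, GENERIC_READ, FILE_SHARE_READ, 0,
                              OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, 0);
    if (hfile == INVALID_HANDLE_VALUE)
        return;

    LARGE_INTEGER size;
    size.QuadPart = 0;
    if (GetFileSizeEx(hfile, &size) && size.QuadPart > 0 && size.QuadPart <= kMaxPeFileSize)
    {
        File_size = (int)size.QuadPart;
        void* lpmemory = LocalAlloc(LPTR, (SIZE_T)File_size);
        if (lpmemory != NULL)
        {
            DWORD bytesRead = 0;
            /* ReadFile returns a BOOL; a short read must not leave a partially
               filled buffer behind as if it were the whole file. */
            if (ReadFile(hfile, lpmemory, (DWORD)File_size, &bytesRead, 0) &&
                bytesRead == (DWORD)File_size)
            {
                File_memory = lpmemory;
            }
            else
            {
                LocalFree(lpmemory);   /* the old code leaked this on failure */
                File_size = 0;
            }
        }
        else
        {
            File_size = 0;
        }
    }
    CloseHandle(hfile);
}


/* Releases the file buffer.  The original test was inverted (it freed only
   when File_memory was NULL), so every loaded buffer leaked. */
XPEFILE::~XPEFILE()
{
    if (File_memory != NULL)
    {
        LocalFree(File_memory);
        File_memory = NULL;
    }
}

/* Number of valid bytes in File_memory (0 when nothing was loaded). */
int XPEFILE::GetSize()
{
    return File_size;
}

/* Classifies the loaded file and returns the flag word (see pefile.h):
   READ_ERRO when nothing was loaded, NOT_PE_FILE when check points 1 or 2
   fail, otherwise PE_FILE OR-ed with PE32_FILE / PE64_FILE / ROM_IMAGE and,
   for PE32 / PE32+, with DLL_FILE / EXE_FILE / SYS_FILE.

   Every offset taken from the file is bounds-checked against File_size before
   it is dereferenced: e_lfanew is attacker-controlled data, and the old code
   followed it unchecked, reading outside the buffer on truncated or crafted
   input.  A header that does not fit leaves the corresponding flag unset. */
int XPEFILE::GetType()
{
    File_type = READ_ERRO;
    if (File_memory == NULL)
        return File_type;

    File_type = NOT_PE_FILE;
    if (!RangeFits(File_size, 0, sizeof(MX_IMAGE_DOS_HEADER)))
        return File_type;

    const DWORD lfanew = *(DWORD*)((BYTE*)File_memory + 0x3c);
    /* Check points 1 and 2: "MZ" at offset 0 and "PE" at e_lfanew. */
    if (!RangeFits(File_size, lfanew, 4) || !(ISMZHEADER && ISPEHEADER))
        return File_type;
    File_type = PE_FILE;

    const BYTE* ntbase = (const BYTE*)File_memory + lfanew;
    const unsigned long long magicOffset = 4 + sizeof(MX_IMAGE_FILE_HEADER);

    /* The three Magic values are mutually exclusive, so one chain suffices.
       PE32 / PE32+ need the full NT header set because Subsystem is read
       from the optional header; a ROM image only needs the Magic itself. */
    if (RangeFits(File_size, lfanew, sizeof(MX_IMAGE_NT_HEADERS32)) && ISPE32MAGIC)
    {
        const MX_IMAGE_NT_HEADERS32* ntheader32 = (const MX_IMAGE_NT_HEADERS32*)ntbase;
        File_type |= PE32_FILE;
        File_type |= ClassifyImage(ntheader32->FileHeader.Characteristics,
                                   ntheader32->OptionalHeader.Subsystem);
    }
    else if (RangeFits(File_size, lfanew, sizeof(MX_IMAGE_NT_HEADERS64)) && ISPE64MAGIC)
    {
        const MX_IMAGE_NT_HEADERS64* ntheader64 = (const MX_IMAGE_NT_HEADERS64*)ntbase;
        File_type |= PE64_FILE;
        File_type |= ClassifyImage(ntheader64->FileHeader.Characteristics,
                                   ntheader64->OptionalHeader.Subsystem);
    }
    else if (RangeFits(File_size, (unsigned long long)lfanew + magicOffset, sizeof(WORD)) && ISPEROMMAGIC)
    {
        File_type |= ROM_IMAGE;
    }
    return File_type;
}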
petype.cpp
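#include "stdafx.h"
#include "pefile.h"
#include <iostream>

/* Classifies one PE file and prints the flag word from XPEFILE::GetType().
   The file is argv[1] when given; otherwise the original hard-coded path is
   used, so existing runs without arguments behave as before. */
int main(int argc, char* argv[])
{
    /* XPEFILE takes a non-const char*, so keep the default in a writable
       array instead of binding a string literal to char*. */
    char defaultFile[] = "c:\\1.exe";
    char* file = (argc > 1) ? argv[1] : defaultFile;

    XPEFILE pefile1(file);
    const int filetype = pefile1.GetType();

    /* The result used to be computed and then discarded. */
    std::cout << file << ": type flags = 0x" << std::hex << filetype << std::dec << '\n';

    /* Block on Enter rather than system("pause"), which spawns a command
       interpreter just to wait. */
    std::cout << "Press Enter to exit..." << std::flush;
    std::cin.get();
    return 0;
}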