nihonium
/
mipt_2024_win_pedump
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
mipt_2024_win_pedump/pedump.cpp

88 lines
2.5 KiB
C++
Raw Permalink Normal View History Unescape Escape

Initial commit
6 days ago
#include "windows.h"
#include "stdio.h"
#include <iostream>
BOOL LoadPeFile(LPCWSTR FilePath, PUCHAR* ppImageBase)
{
HANDLE hFile = CreateFileW(FilePath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (INVALID_HANDLE_VALUE == hFile) {
printf("ERROR: LoadPeFile: CreateFile fails with %d error \n", GetLastError());
return false;
}
HANDLE hFileMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY | SEC_IMAGE_NO_EXECUTE, 0, 0, NULL);
if (NULL == hFileMapping) {
printf("ERROR: LoadPeFile: CreateFileMapping fails with %d error \n", GetLastError());
return false;
}
LPVOID p = MapViewOfFile(hFileMapping, FILE_MAP_READ, 0, 0, 0);
if (NULL == p) {
printf("ERROR: LoadPeFile: MapViewOfFile fails with %d error \n", GetLastError());
return false;
}
*ppImageBase = (PUCHAR)p;
return true;
}
#define TO_PSTRUCT(TYPE, offset) (TYPE)(pImageBase+(offset)) //RVA
#define VAR_OF_PSTRUCT(var, TYPE, offset) TYPE var = TO_PSTRUCT(TYPE, offset)
#define READ_BYTES(var, header) var = (PUCHAR)(&header->Signature)
int wmain(int argc, wchar_t* argv[])
{
if (argc != 2) {
printf("Usage: %ls PeFilePath \n", argv[0]);
return -1;
}
LPCWSTR g_FilePath = argv[1];
PUCHAR pImageBase = nullptr;
if (!LoadPeFile(g_FilePath, &pImageBase)) return -1;
printf("MS-DOS Signature: %c%c \n", pImageBase[0], pImageBase[1]);
if (pImageBase[0] != 'M' || pImageBase[1] != 'Z') {
printf("Not a valid PE file!\n");
return -1;
}
PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pImageBase;
VAR_OF_PSTRUCT(pTempPeHeader, PIMAGE_NT_HEADERS, pDosHeader->e_lfanew); //offset to PE Header
PUCHAR p;
READ_BYTES(p, pTempPeHeader);
printf("PE Signature: %c%c %x%x \n", p[0], p[1], p[2], p[3]);
WORD nSections = pTempPeHeader->FileHeader.NumberOfSections;
printf("PE Sections total %d \n", nSections);
PIMAGE_SECTION_HEADER pSectionHeader = nullptr;
switch (pTempPeHeader->FileHeader.Machine) {
case IMAGE_FILE_MACHINE_I386:
printf("PE Architecture: x86 \n");
pSectionHeader = (PIMAGE_SECTION_HEADER)(((PUCHAR)pTempPeHeader) + sizeof(IMAGE_NT_HEADERS32));
break;
case IMAGE_FILE_MACHINE_AMD64:
printf("PE Architecture: x64 \n");
pSectionHeader = (PIMAGE_SECTION_HEADER)(((PUCHAR)pTempPeHeader) + sizeof(IMAGE_NT_HEADERS64));
break;
default:
printf("PE Architecture: unknown \n");
return -1;
break;
}
CHAR nmSection[9];
memset(nmSection, 0, sizeof(nmSection));
for (int i = 0; i < nSections; i++) {
memcpy(nmSection, pSectionHeader->Name, 8);
printf("section #%i %s \n", i, nmSection);
pSectionHeader++;
}
return 0;
}