PE基本结构
直接上代码解析pe头
#include <stdio.h>
#include <Windows.h>
//Dos 头
int main()
{
FILE *pFile = NULL;
char * buffer;
int nFileLength = 0;
pFile = fopen("E:\test\pe_test.exe","rb");
fseek(pFile, 0, SEEK_END);
nFileLength = ftell(pFile);
rewind(pFile);
int imagerLength = nFileLength * sizeof(char) + 1;
buffer = (char *)malloc(imagerLength); //申请内存
memset(buffer, 0, nFileLength * sizeof(char) + 1); //把申请到的内存刷成0
fread(buffer, 1, imagerLength, pFile);//写入内存
//_IMAGE_DOS_HEADER Dos头 PIMAGE_DOS_HEADER结构体
PIMAGE_DOS_HEADER ReadDosHeader;
ReadDosHeader = (PIMAGE_DOS_HEADER)buffer; //这里的PIMAGE_DOS_HEADER,强制类型转换
printf("Info:
");
printf("PE头偏移:%x
", ReadDosHeader->e_lfanew);//%x 打印16进制
// _IMAGE_NT_HEADERS PE头
PIMAGE_NT_HEADERS ReadNTHeaders;
ReadNTHeaders = (PIMAGE_NT_HEADERS)(buffer + ReadDosHeader->e_lfanew);
printf("PE标志位:%x
", ReadNTHeaders->Signature);
printf("ImageBase入口点:%x
", ReadNTHeaders->OptionalHeader.ImageBase);
printf("AddressOfEntryPoint镜像基质:%x
", ReadNTHeaders->OptionalHeader.AddressOfEntryPoint);
printf("FileAlignment文件对齐:%x
", ReadNTHeaders->OptionalHeader.FileAlignment);
printf("ImageBase内存对齐:%x
", ReadNTHeaders->OptionalHeader.ImageBase);
printf("SizeOfHeader 文件对齐,头的大小:%x
", ReadNTHeaders->OptionalHeader.SizeOfHeaders);
printf("区段数目:%x
", ReadNTHeaders->FileHeader.NumberOfSections);
free(buffer);
return 0;
}
//.text 代码段
//.data 可读写,全局变量
//.rdata 只读数据段
//.idata 导入表信息
//.edata 导出表信息
//.rsrc 资源
//.bss 未初始化数据
//.crt c++库
//.tls
//.reloc
//等待
