PEInfo: (goals)
(1). Independently develop a PE analysis and modification tool, and disassemble and display the contents of the sections that contain code.
http://www.anqn.com/jiamijiemi/gongjujiqiao/2008-11-04/a09103385.shtml
(2). Use process-debugging techniques to display the instruction sequence executed by the target program.
(1):
PE analysis
#include <windows.h>
#include <stdio.h>

int main(int argc, char* argv[])
{
    if (argc < 2) return 1;
    char* pFileName = argv[1];
    if (pFileName)
    {
        FILE* filept = fopen(pFileName, "rb");   // binary mode: text mode would translate bytes
        IMAGE_DOS_HEADER dosHdr;
        IMAGE_NT_HEADERS ntHdr;
        if (filept)
        {
            // read the DOS header, follow e_lfanew to the NT headers, and check both signatures;
            // each read is checked so a truncated or garbage file cannot pass as a PE
            if (fread(&dosHdr, sizeof(IMAGE_DOS_HEADER), 1, filept) == 1
                && dosHdr.e_magic == IMAGE_DOS_SIGNATURE
                && fseek(filept, dosHdr.e_lfanew, SEEK_SET) == 0
                && fread(&ntHdr, sizeof(IMAGE_NT_HEADERS), 1, filept) == 1
                && ntHdr.Signature == IMAGE_NT_SIGNATURE)
                printf("%s is PE\n", pFileName);
            else
                printf("%s is not PE\n", pFileName);
            fclose(filept);
        }
        else
            printf("open %s error.\n", pFileName);
    }
    return 0;
}
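The signature check above only tells you whether a file is a PE; locating the code to disassemble needs the section table and an RVA-to-file-offset mapping. The following is an added example (not code from the original note or from the linked tool): a portable parser that reads the DOS header, NT headers and section table from an in-memory image without windows.h, bounds-checks every offset it takes from the file, flags sections whose characteristics mark them as code (IMAGE_SCN_CNT_CODE / IMAGE_SCN_MEM_EXECUTE), and maps the entry point RVA to its file offset. The sample image it parses is constructed inline (build_sample_pe) and is not a real program; the field offsets follow the standard PE32 layout.

```c
/* Added example: portable PE header/section parser with bounds checks (no windows.h). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DOS_SIG   0x5A4Du       /* "MZ" */
#define NT_SIG    0x00004550u   /* "PE\0\0" */
#define SCN_CODE  0x00000020u   /* IMAGE_SCN_CNT_CODE */
#define SCN_EXEC  0x20000000u   /* IMAGE_SCN_MEM_EXECUTE */
#define SEC_HDR   40            /* sizeof(IMAGE_SECTION_HEADER) */
#define MAX_SEC   16

typedef struct {
    char     name[9];
    uint32_t vsize, rva, rawsize, rawoff, chars;
} pe_section;

typedef struct {
    uint32_t   entry_rva;
    int        nsec;
    pe_section sec[MAX_SEC];
} pe_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Parse headers from an in-memory file image. Returns 0 on success, -1 if not a well-formed PE.
   Every offset taken from the file is checked against len before it is dereferenced. */
int pe_parse(const uint8_t *buf, size_t len, pe_info *out)
{
    if (len < 0x40 || rd16(buf) != DOS_SIG) return -1;
    uint32_t e_lfanew = rd32(buf + 0x3C);
    if (e_lfanew > len || len - e_lfanew < 24) return -1;      /* signature + IMAGE_FILE_HEADER */
    const uint8_t *nt = buf + e_lfanew;
    if (rd32(nt) != NT_SIG) return -1;
    uint16_t nsec  = rd16(nt + 6);                             /* FileHeader.NumberOfSections */
    uint16_t optsz = rd16(nt + 20);                            /* FileHeader.SizeOfOptionalHeader */
    size_t opt = (size_t)e_lfanew + 24;
    if (optsz < 20 || optsz > len - opt) return -1;
    out->entry_rva = rd32(buf + opt + 16);                     /* OptionalHeader.AddressOfEntryPoint */
    size_t sh = opt + optsz;                                   /* section table follows the optional header */
    if (nsec > MAX_SEC || (size_t)nsec * SEC_HDR > len - sh) return -1;
    out->nsec = nsec;
    for (int i = 0; i < nsec; i++) {
        const uint8_t *s = buf + sh + (size_t)i * SEC_HDR;
        memcpy(out->sec[i].name, s, 8); out->sec[i].name[8] = '\0';
        out->sec[i].vsize   = rd32(s + 8);  out->sec[i].rva    = rd32(s + 12);
        out->sec[i].rawsize = rd32(s + 16); out->sec[i].rawoff = rd32(s + 20);
        out->sec[i].chars   = rd32(s + 36);
    }
    return 0;
}

/* A section worth disassembling carries code or is mapped executable. */
int pe_section_is_code(const pe_section *s) { return (s->chars & (SCN_CODE | SCN_EXEC)) != 0; }

/* Translate an RVA to a file offset via the section table; -1 if no section's raw data covers it. */
long pe_rva_to_offset(const pe_info *pe, uint32_t rva)
{
    for (int i = 0; i < pe->nsec; i++) {
        const pe_section *s = &pe->sec[i];
        if (rva >= s->rva && rva - s->rva < s->rawsize)
            return (long)(s->rawoff + (rva - s->rva));
    }
    return -1;
}

/* Constructed sample: a minimal PE32 image (not a real program) with a .text and a .data section. */
#define SAMPLE_LEN 0x600
size_t build_sample_pe(uint8_t *buf)
{
    memset(buf, 0, SAMPLE_LEN);
    wr16(buf, DOS_SIG); wr32(buf + 0x3C, 0x40);                /* e_lfanew -> NT headers at 0x40 */
    uint8_t *nt = buf + 0x40;
    wr32(nt, NT_SIG); wr16(nt + 4, 0x14C);                     /* Machine = i386 */
    wr16(nt + 6, 2); wr16(nt + 20, 0xE0);                      /* 2 sections, PE32 optional header size */
    wr16(nt + 24, 0x10B); wr32(nt + 24 + 16, 0x1000);          /* Magic = PE32, AddressOfEntryPoint */
    uint8_t *s = nt + 24 + 0xE0;                               /* first section header at 0x138 */
    memcpy(s, ".text\0\0\0", 8); wr32(s + 8, 0x10); wr32(s + 12, 0x1000);
    wr32(s + 16, 0x200); wr32(s + 20, 0x200); wr32(s + 36, 0x60000020u); /* CODE|EXECUTE|READ */
    s += SEC_HDR;
    memcpy(s, ".data\0\0\0", 8); wr32(s + 8, 0x10); wr32(s + 12, 0x2000);
    wr32(s + 16, 0x200); wr32(s + 20, 0x400); wr32(s + 36, 0xC0000040u); /* INIT_DATA|READ|WRITE */
    buf[0x200] = 0xC3;                                         /* a single "ret" so .text is not empty */
    return SAMPLE_LEN;
}

int main(void)
{
    uint8_t img[SAMPLE_LEN];
    pe_info pe;
    if (pe_parse(img, build_sample_pe(img), &pe) != 0) { puts("not a PE"); return 1; }
    printf("entry RVA 0x%X -> file offset 0x%lX\n", pe.entry_rva, pe_rva_to_offset(&pe, pe.entry_rva));
    for (int i = 0; i < pe.nsec; i++)
        printf("%-8s rva=0x%05X raw=0x%05X size=0x%X %s\n", pe.sec[i].name, pe.sec[i].rva,
               pe.sec[i].rawoff, pe.sec[i].rawsize, pe_section_is_code(&pe.sec[i]) ? "[code]" : "");
    return 0;
}
```

To use it on a real file, read the whole file into a buffer and pass it to pe_parse; the bytes at pe_rva_to_offset(&pe, pe.entry_rva) are what a disassembler would start on. The checks on e_lfanew, SizeOfOptionalHeader and NumberOfSections are what keep a crafted or truncated header from driving reads past the end of the buffer, which is the usual way a naive PE parser crashes.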
(2)
PE modification
a. Use the pe_editor tool to modify the PE file by adding a new section.
b. Implement PE file modification in C++.