Make your own free website on Tripod.com
Main Page   Namespace List   Class Hierarchy   Alphabetical List   Compound List   File List   Compound Members   File Members  

PeFile Class Reference

#include <pefile.hpp>

List of all members.

Public Types

typedef void(* PImportProc )(uint32_t address, uint32_t hint, const char *dll_name, const char *func_name, void *param)
typedef void(* PRelocationProc )(uint32_t address, unsigned type, void *param)
typedef void(* PResourceProc )(ICFile &file, const PeResourceDirectoryData *data, const PeResourceDirectoryInfo *info, unsigned level, void *param)
typedef void(* PExportProc )(uint32_t address, uint32_t hint, const char *dll_name, const char *func_name, void *param)

Public Methods

 PeFile (ICFile &file)
 ~PeFile ()
const PE_IMAGE_FILE_HEADERGetFileHeader () const
const PE_IMAGE_OPTIONAL_HEADERGetOptionalHeader () const
const PE_IMAGE_SECTION_HEADERGetSections () const
const PE_IMAGE_SECTION_HEADERGetSection (int n) const
unsigned GetSectionCount () const
const PE_IMAGE_DATA_DIRECTORYGetDataDirectory (unsigned n) const
uint32_t GetImageBase () const
void WriteResource ()
void ParseImport (PImportProc proc, void *param)
void ParseRelocations (PRelocationProc proc, void *param)
void ParseResource (PResourceProc proc, void *param)
void ParseExport (PExportProc proc, void *param)
RVAFileTranslatorGetRVA ()
const RVAFileTranslatorGetRVA () const

Static Public Methods

void WriteFileHdr (const PE_IMAGE_FILE_HEADER &hdr)
void WriteOptionalHdr (const PE_IMAGE_OPTIONAL_HEADER &hdr)
void WriteSectionHdr (const PE_IMAGE_SECTION_HEADER &hdr)
void WriteExport (uint32_t address, uint32_t hint, const char *dll_name, const char *func_name, void *param)
void WriteImport (uint32_t address, uint32_t hint, const char *dll_name, const char *func_name, void *param)
void WriteRelocation (uint32_t address, unsigned type, void *param)

Private Attributes

PE_IMAGE_NT_HEADERS nt_hdr
PE_IMAGE_SECTION_HEADERsections
unsigned numSection
ICFilefile
RVAFileTranslatorrva


Member Typedef Documentation

typedef void(* PeFile::PExportProc)(uint32_t address,uint32_t hint,const char* dll_name,const char* func_name,void* param)
 

Definition at line 104 of file pefile.hpp.

typedef void(* PeFile::PImportProc)(uint32_t address,uint32_t hint,const char* dll_name,const char* func_name,void* param)
 

Definition at line 90 of file pefile.hpp.

typedef void(* PeFile::PRelocationProc)(uint32_t address,unsigned type,void* param)
 

Definition at line 92 of file pefile.hpp.

typedef void(* PeFile::PResourceProc)(ICFile& file,const PeResourceDirectoryData* data,const PeResourceDirectoryInfo* info,unsigned level,void* param)
 

Definition at line 101 of file pefile.hpp.

Referenced by ParseResourceDirectory().


Constructor & Destructor Documentation

PeFile::PeFile ICFile   file
 

Definition at line 62 of file pefile.cpp.

References _PE_IMAGE_DOS_HEADER::e_lfanew, _PE_IMAGE_DOS_HEADER::e_magic, Error, FIELD_OFFSET, file, _PE_IMAGE_NT_HEADERS::FileHeader, IMAGE_DOS_SIGNATURE, IMAGE_NT_OPTIONAL_HDR_MAGIC, IMAGE_NT_SIGNATURE, _PE_IMAGE_OPTIONAL_HEADER::Magic, nt_hdr, _PE_IMAGE_FILE_HEADER::NumberOfSections, numSection, _PE_IMAGE_NT_HEADERS::OptionalHeader, RawRead(), rva, sections, ICFile::Seek(), _PE_IMAGE_NT_HEADERS::Signature, and _PE_IMAGE_FILE_HEADER::SizeOfOptionalHeader.

00062                            :
00063   file(_file),rva(NULL)
00064 {
00065   file.Seek(0);
00066 
00067         PE_IMAGE_DOS_HEADER dos_hdr;
00068   RawRead(file,dos_hdr);
00069   if ( dos_hdr.e_magic != IMAGE_DOS_SIGNATURE )
00070         Error("File is not a valid DOS EXE");
00071   file.Seek(dos_hdr.e_lfanew);
00072 
00073   RawRead(file,nt_hdr);
00074   if ( nt_hdr.Signature != IMAGE_NT_SIGNATURE )
00075         Error("Invalid NT EXE file");
00076 
00077   if ( nt_hdr.OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC )
00078         Error("Invalid NT optional header");
00079 
00080   long sections_pos =
00081       dos_hdr.e_lfanew + FIELD_OFFSET( PE_IMAGE_NT_HEADERS, OptionalHeader ) +
00082       nt_hdr.FileHeader.SizeOfOptionalHeader;
00083   file.Seek(sections_pos);
00084 
00085   numSection = nt_hdr.FileHeader.NumberOfSections;
00086   sections = new PE_IMAGE_SECTION_HEADER[numSection];
00087   for (unsigned i=0; i<numSection; ++i)
00088   {
00089         RawRead(file,sections[i]);
00090   }
00091 
00092 //  new (&GetRVA()) RVAFileTranslator(sections,numSection);
00093   rva = new RVAFileTranslator(sections,numSection);
00094 }

PeFile::~PeFile  
 

Definition at line 96 of file pefile.cpp.

References rva, and sections.

00097 {
00098 //  GetRVA().RVAFileTranslator::~RVAFileTranslator();
00099   delete rva;
00100   delete [] sections;
00101 }


Member Function Documentation

const PE_IMAGE_DATA_DIRECTORY& PeFile::GetDataDirectory unsigned    n const [inline]
 

Definition at line 73 of file pefile.hpp.

References _PE_IMAGE_OPTIONAL_HEADER::DataDirectory, and GetOptionalHeader().

Referenced by main(), ParseExport(), ParseImport(), ParseRelocations(), and ParseResource().

00074   { return GetOptionalHeader().DataDirectory[n]; };

const PE_IMAGE_FILE_HEADER& PeFile::GetFileHeader   const [inline]
 

Definition at line 59 of file pefile.hpp.

References _PE_IMAGE_NT_HEADERS::FileHeader, and nt_hdr.

Referenced by main().

00060   { return nt_hdr.FileHeader; };

uint32_t PeFile::GetImageBase   const [inline]
 

Definition at line 77 of file pefile.hpp.

References GetOptionalHeader(), and _PE_IMAGE_OPTIONAL_HEADER::ImageBase.

Referenced by main().

00078   { return GetOptionalHeader().ImageBase; };

const PE_IMAGE_OPTIONAL_HEADER& PeFile::GetOptionalHeader   const [inline]
 

Definition at line 61 of file pefile.hpp.

References nt_hdr, and _PE_IMAGE_NT_HEADERS::OptionalHeader.

Referenced by GetDataDirectory(), GetImageBase(), and main().

00062   { return nt_hdr.OptionalHeader; };

const RVAFileTranslator& PeFile::GetRVA   const [inline]
 

Definition at line 110 of file pefile.hpp.

References rva.

00110 { return *rva; }

RVAFileTranslator& PeFile::GetRVA   [inline]
 

Definition at line 108 of file pefile.hpp.

References rva.

Referenced by main(), ParseExport(), ParseImport(), ParseRelocations(), and ParseResource().

00108 { return *rva; }

const PE_IMAGE_SECTION_HEADER& PeFile::GetSection int    n const [inline]
 

Definition at line 67 of file pefile.hpp.

References sections.

Referenced by main().

00068   { return sections[n]; };

unsigned PeFile::GetSectionCount   const [inline]
 

Definition at line 69 of file pefile.hpp.

References numSection.

Referenced by main().

00070   { return numSection; };

const PE_IMAGE_SECTION_HEADER* PeFile::GetSections   const [inline]
 

Definition at line 65 of file pefile.hpp.

References sections.

00066   { return sections; };

void PeFile::ParseExport PExportProc    proc,
void *    param
 

Definition at line 362 of file pefile.cpp.

References _PE_IMAGE_EXPORT_DIRECTORY::AddressOfFunctions, _PE_IMAGE_EXPORT_DIRECTORY::AddressOfNameOrdinals, _PE_IMAGE_EXPORT_DIRECTORY::AddressOfNames, _PE_IMAGE_EXPORT_DIRECTORY::Base, file, GetDataDirectory(), GetRVA(), IMAGE_DIRECTORY_ENTRY_EXPORT, _PE_IMAGE_EXPORT_DIRECTORY::Name, _PE_IMAGE_EXPORT_DIRECTORY::NumberOfFunctions, _PE_IMAGE_EXPORT_DIRECTORY::NumberOfNames, RawRead(), ICFile::ReadString(), RVAFileTranslator::RVA2FileSafe(), ICFile::Seek(), _PE_IMAGE_DATA_DIRECTORY::Size, ICFile::Tell(), and _PE_IMAGE_DATA_DIRECTORY::VirtualAddress.

Referenced by main().

00363 {
00364   // export renamed to export_, in some compiler this is a keyword
00365   const PE_IMAGE_DATA_DIRECTORY& export_ =
00366     GetDataDirectory(IMAGE_DIRECTORY_ENTRY_EXPORT);
00367   if ( export_.VirtualAddress == 0 || export_.Size == 0 )
00368     return;
00369 
00370   file.Seek(GetRVA().RVA2FileSafe(export_.VirtualAddress));
00371 
00372   PE_IMAGE_EXPORT_DIRECTORY desc;
00373   RawRead(file,desc);
00374 
00375   // read DLL name
00376   file.Seek(GetRVA().RVA2FileSafe(desc.Name));
00377   char *pDllName = file.ReadString();
00378   proc(0,0,pDllName,NULL,param);
00379 
00380   // delete ".dll" after name
00381   int len = strlen(pDllName);
00382   if (len>=4 && stricmp(pDllName+(len-4),".dll") == 0)
00383         pDllName[len-4] = '\0';
00384 
00385   // scan export for this DLL
00386   int ordBase = desc.Base;
00387   long functionPos = GetRVA().RVA2FileSafe(desc.AddressOfFunctions);
00388   long ordinalPos  = GetRVA().RVA2FileSafe(desc.AddressOfNameOrdinals);
00389   long namePos     = GetRVA().RVA2FileSafe(desc.AddressOfNames);
00390 
00391   char **names= new char*[desc.NumberOfFunctions];
00392 
00393   // initialize functions
00394   unsigned n;
00395   for( n = 0; n<desc.NumberOfFunctions; ++n)
00396     names[n] = NULL;
00397 
00398   for( n = 0; n<desc.NumberOfNames; ++n)
00399   {
00400     uint16_t ordinal;
00401     char *pName;
00402 
00403     // read name pos
00404     uint32_t pos;
00405     file.Seek(namePos);
00406     RawRead(file,pos);
00407     namePos = file.Tell();
00408 
00409     // read name
00410     file.Seek(GetRVA().RVA2FileSafe(pos));
00411     pName = file.ReadString();
00412 
00413     // read ordinal
00414     file.Seek(ordinalPos);
00415     RawRead(file,ordinal);
00416     ordinalPos = file.Tell();
00417 
00418     // check ordinal
00419     if (ordinal >= desc.NumberOfFunctions )
00420       throw std::runtime_error("bad ordinal");
00421 
00422     names[ordinal] = pName;
00423   }
00424 
00425   file.Seek(functionPos);
00426   for( n = 0; n<desc.NumberOfFunctions; ++n)
00427   {
00428     // read function RVA
00429     uint32_t funcRVA;
00430     if (file.Tell() != functionPos)
00431       file.Seek(functionPos);
00432     RawRead(file,funcRVA);
00433 
00434     if (funcRVA != 0)
00435         proc(funcRVA,ordBase + n,pDllName,names[n],param);
00436     functionPos += 4;
00437 
00438     delete[] names[n];
00439   }
00440 
00441   delete[] names;
00442   delete[] pDllName;
00443 }

void PeFile::ParseImport PImportProc    proc,
void *    param
 

Definition at line 290 of file pefile.cpp.

References _PE_IMAGE_IMPORT_DESCRIPTOR::Characteristics, file, _PE_IMAGE_IMPORT_DESCRIPTOR::FirstThunk, GetDataDirectory(), GetRVA(), IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_ORDINAL, IMAGE_SNAP_BY_ORDINAL, _PE_IMAGE_IMPORT_DESCRIPTOR::Name, _PE_IMAGE_IMPORT_DESCRIPTOR::OriginalFirstThunk, RawRead(), ICFile::ReadString(), ICFile::Seek(), _PE_IMAGE_DATA_DIRECTORY::Size, ICFile::Tell(), _PE_IMAGE_THUNK_DATA32::u1, and _PE_IMAGE_DATA_DIRECTORY::VirtualAddress.

Referenced by main().

00291 {
00292   const PE_IMAGE_DATA_DIRECTORY& imports =
00293     GetDataDirectory(IMAGE_DIRECTORY_ENTRY_IMPORT);
00294   if ( imports.VirtualAddress == 0 || imports.Size == 0 )
00295     return;
00296 
00297   file.Seek(GetRVA().RVA2FileSafe(imports.VirtualAddress));
00298   for (;;)
00299   {
00300     PE_IMAGE_IMPORT_DESCRIPTOR desc;
00301     RawRead(file,desc);
00302     long pos = file.Tell();
00303 
00304     // imports finished
00305     if (desc.Characteristics == 0 && desc.FirstThunk == 0)
00306       break;
00307 
00308     uint32_t address = desc.FirstThunk;
00309 
00310     // read DLL name
00311     file.Seek(GetRVA().RVA2FileSafe(desc.Name));
00312     char *pDllName = file.ReadString();
00313     proc(0,0,pDllName,NULL,param);
00314 
00315     // delete ".dll" after name
00316     int len = strlen(pDllName);
00317     if (len>=4 && stricmp(pDllName+(len-4),".dll") == 0)
00318         pDllName[len-4] = '\0';
00319 
00320     // scan import for this DLL
00321                 // hintname is at the same address of FirstThunk ?
00322                 if (desc.OriginalFirstThunk == 0)
00323                         file.Seek(GetRVA().RVA2FileSafe((uint32_t)desc.FirstThunk));
00324                 else
00325                         file.Seek(GetRVA().RVA2FileSafe((uint32_t)desc.OriginalFirstThunk));
00326     for (;;)
00327     {
00328       PE_IMAGE_THUNK_DATA thunk;
00329       RawRead(file,thunk);
00330       long pos2 = file.Tell();
00331 
00332       // finish with this DLL
00333       if (thunk.u1.Ordinal == 0)
00334         break;
00335 
00336       if (IMAGE_SNAP_BY_ORDINAL(thunk.u1.Ordinal))
00337       {
00338         // import by ordinal
00339         proc(address,IMAGE_ORDINAL(thunk.u1.Ordinal),pDllName,NULL,param);
00340       }
00341       else
00342       {
00343         // import by name
00344         uint16_t hint;
00345 
00346         // read hint and import name
00347         file.Seek(GetRVA().RVA2FileSafe((uint32_t)thunk.u1.AddressOfData));
00348         RawRead(file,hint);
00349         char *p = file.ReadString();
00350         proc(address,hint,pDllName,p,param);
00351         delete [] p;
00352       }
00353       address += sizeof(PE_IMAGE_THUNK_DATA);
00354 
00355       file.Seek(pos2);
00356     }
00357     file.Seek(pos);
00358     delete[] pDllName;
00359   }
00360 }

void PeFile::ParseRelocations PRelocationProc    proc,
void *    param
 

Definition at line 469 of file pefile.cpp.

References file, GetDataDirectory(), GetRVA(), IMAGE_DIRECTORY_ENTRY_BASERELOC, PRelocationProc, RawRead(), ICFile::Seek(), _PE_IMAGE_DATA_DIRECTORY::Size, _PE_IMAGE_BASE_RELOCATION::SizeOfBlock, ICFile::Tell(), _PE_IMAGE_BASE_RELOCATION::VirtualAddress, _PE_IMAGE_DATA_DIRECTORY::VirtualAddress, and WriteRelocation().

Referenced by main().

00470 {
00471   const PE_IMAGE_DATA_DIRECTORY& relocation =
00472     GetDataDirectory(IMAGE_DIRECTORY_ENTRY_BASERELOC);
00473   if ( relocation.VirtualAddress == 0 || relocation.Size == 0 )
00474     return;
00475 
00476   file.Seek(GetRVA().RVA2FileSafe(relocation.VirtualAddress));
00477   if (proc == PeFile::WriteRelocation)
00478   {
00479     printf("\nRelocations\n");
00480     printf("Address  Type\n");
00481   }
00482   for (;;)
00483   {
00484     PE_IMAGE_BASE_RELOCATION chunk;
00485     long pos = file.Tell();
00486     RawRead(file,chunk);
00487     if (chunk.VirtualAddress == 0)
00488       break;
00489     for (int i=(chunk.SizeOfBlock - sizeof(chunk))>>1; i>0; --i)
00490     {
00491       uint16_t info;
00492       RawRead(file,info);
00493       if (info == 0)
00494         break;
00495       proc(chunk.VirtualAddress+(info&0xFFFu),info>>12,param);
00496     }
00497     file.Seek(pos+chunk.SizeOfBlock);
00498   }
00499   printf("\n");
00500 }

void PeFile::ParseResource PResourceProc    proc,
void *    param
 

Definition at line 726 of file pefile.cpp.

References file, GetDataDirectory(), GetRVA(), PeResourceDirectoryInfo::highLevel, PeResourceId::id, IMAGE_DIRECTORY_ENTRY_RESOURCE, PeResourceId::name, ParseResourceDirectory(), RVAFileTranslator::RVA2FileSafe(), ICFile::Seek(), _PE_IMAGE_DATA_DIRECTORY::Size, and _PE_IMAGE_DATA_DIRECTORY::VirtualAddress.

Referenced by ResourceExtract::ExtractIcons(), and WriteResource().

00727 {
00728   const PE_IMAGE_DATA_DIRECTORY& resource =
00729     GetDataDirectory(IMAGE_DIRECTORY_ENTRY_RESOURCE);
00730   if ( resource.VirtualAddress == 0 || resource.Size == 0 )
00731     return;
00732 
00733   uint32_t start = GetRVA().RVA2FileSafe(resource.VirtualAddress);
00734   file.Seek(start);
00735 
00736   // init directory info (root)
00737   PeResourceDirectoryInfo info;
00738   info.name = NULL;
00739   info.id   = 0;
00740   info.highLevel = NULL;
00741 
00742   ParseResourceDirectory(GetRVA(),start,&info,0,file,proc,param);
00743 }

void PeFile::WriteExport uint32_t    address,
uint32_t    hint,
const char *    dll_name,
const char *    func_name,
void *    param
[static]
 

Definition at line 276 of file pefile.cpp.

00277 {
00278   if (address == 0)
00279     printf("\nDLL: %s\n",dll_name);
00280   else
00281   {
00282     printf(" Addr:%08lX ",(long int)address);
00283     if (func_name==NULL)
00284         printf("Ordinal:%u(%04X)\n",hint,hint);
00285     else
00286         printf("hint:%u(%04X) Name:%s\n",hint,hint,func_name);
00287   }
00288 }

void PeFile::WriteFileHdr const PE_IMAGE_FILE_HEADER   hdr [static]
 

Definition at line 103 of file pefile.cpp.

References _PE_IMAGE_FILE_HEADER::Characteristics, IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_BYTES_REVERSED_HI, IMAGE_FILE_BYTES_REVERSED_LO, IMAGE_FILE_DEBUG_STRIPPED, IMAGE_FILE_DLL, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_NET_RUN_FROM_SWAP, IMAGE_FILE_RELOCS_STRIPPED, IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP, IMAGE_FILE_SYSTEM, _PE_IMAGE_FILE_HEADER::Machine, _PE_IMAGE_FILE_HEADER::NumberOfSections, _PE_IMAGE_FILE_HEADER::NumberOfSymbols, _PE_IMAGE_FILE_HEADER::PointerToSymbolTable, _PE_IMAGE_FILE_HEADER::SizeOfOptionalHeader, and _PE_IMAGE_FILE_HEADER::TimeDateStamp.

Referenced by main().

00104 {
00105 #define FIELD "%-30s"
00106   const char *machine = "Unknown";
00107   switch (hdr.Machine) {
00108   default:
00109   case IMAGE_FILE_MACHINE_UNKNOWN:
00110     break;
00111   case IMAGE_FILE_MACHINE_I386:    machine = "I386"; break;
00112   case IMAGE_FILE_MACHINE_R3000:   machine = "R3000"; break;
00113   case IMAGE_FILE_MACHINE_R4000:   machine = "R4000"; break;
00114   case IMAGE_FILE_MACHINE_R10000:  machine = "R10000"; break;
00115   case IMAGE_FILE_MACHINE_ALPHA:   machine = "Alpha"; break;
00116   case IMAGE_FILE_MACHINE_POWERPC: machine = "PowerPC"; break;
00117   }
00118   printf("File header information\n\n");
00119   printf(FIELD "%s\n","Machine",machine);
00120   printf(FIELD "%u\n","Section #",hdr.NumberOfSections);
00121   printf(FIELD "%08X\n","TimeStamp",hdr.TimeDateStamp);
00122   printf(FIELD "%08X\n","SymbolTable pointer",hdr.PointerToSymbolTable);
00123   printf(FIELD "%u\n","Symbol #",hdr.NumberOfSymbols);
00124   printf(FIELD "%u\n","Optional header size",hdr.SizeOfOptionalHeader);
00125   uint_fast16_t car = hdr.Characteristics;
00126   printf("Characteristics %X\n",(int)car);
00127   if ( car&IMAGE_FILE_RELOCS_STRIPPED )
00128     printf("  Relocation info stripped from file\n");
00129   if ( car&IMAGE_FILE_EXECUTABLE_IMAGE )
00130     printf("  File is executable\n");
00131   if ( car&IMAGE_FILE_LINE_NUMS_STRIPPED )
00132     printf("  Line nunbers stripped from file\n");
00133   if ( car&IMAGE_FILE_LOCAL_SYMS_STRIPPED )
00134     printf("  Local symbols stripped from file\n");
00135   if ( car&IMAGE_FILE_BYTES_REVERSED_LO )
00136     printf("  Bytes of machine word are reversed\n");
00137   if ( car&IMAGE_FILE_32BIT_MACHINE )
00138     printf("  32 bit word machine\n");
00139   if ( car&IMAGE_FILE_DEBUG_STRIPPED )
00140     printf("  Debugging info stripped from file in .DBG file\n");
00141   if ( car&IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP )
00142     printf("  If Image is on removable media, copy and run from the swap file\n");
00143   if ( car&IMAGE_FILE_NET_RUN_FROM_SWAP )
00144     printf("  If Image is on Net, copy and run from the swap file\n");
00145   if ( car&IMAGE_FILE_SYSTEM )
00146     printf("  System File\n");
00147   if ( car&IMAGE_FILE_DLL )
00148     printf("  File is a DLL\n");
00149   if ( car&IMAGE_FILE_BYTES_REVERSED_HI )
00150     printf("  Bytes of machine word are reversed\n");
00151   printf("\n");
00152 #undef FIELD
00153 }

void PeFile::WriteImport uint32_t    address,
uint32_t    hint,
const char *    dll_name,
const char *    func_name,
void *    param
[static]
 

Definition at line 253 of file pefile.cpp.

References ApiCache::GetFullApiName().

Referenced by main().

00254 {
00255   if (address == 0)
00256     printf("\nDLL: %s\n",dll_name);
00257   else
00258   {
00259     printf(" Addr:%08lX ",(long int)address);
00260     if (func_name==NULL)
00261                 {
00262                         std::string name;
00263                         if (ApiCache::GetFullApiName(name,dll_name,hint))
00264         printf("Ordinal:%u(%04X) (%s)\n",hint,hint,name.c_str());
00265                         else
00266         printf("Ordinal:%u(%04X)\n",hint,hint);
00267                 }
00268     else
00269         printf("hint:%u(%04X) Name:%s\n",hint,hint,func_name);
00270   }
00271 }

void PeFile::WriteOptionalHdr const PE_IMAGE_OPTIONAL_HEADER   hdr [static]
 

Definition at line 155 of file pefile.cpp.

References _PE_IMAGE_OPTIONAL_HEADER::AddressOfEntryPoint, _PE_IMAGE_OPTIONAL_HEADER::BaseOfCode, _PE_IMAGE_OPTIONAL_HEADER::BaseOfData, _PE_IMAGE_OPTIONAL_HEADER::CheckSum, _PE_IMAGE_OPTIONAL_HEADER::DataDirectory, _PE_IMAGE_OPTIONAL_HEADER::DllCharacteristics, _PE_IMAGE_OPTIONAL_HEADER::FileAlignment, IMAGE_SUBSYSTEM_NATIVE, IMAGE_SUBSYSTEM_OS2_CUI, IMAGE_SUBSYSTEM_POSIX_CUI, IMAGE_SUBSYSTEM_UNKNOWN, IMAGE_SUBSYSTEM_WINDOWS_CUI, IMAGE_SUBSYSTEM_WINDOWS_GUI, _PE_IMAGE_OPTIONAL_HEADER::ImageBase, _PE_IMAGE_OPTIONAL_HEADER::LoaderFlags, _PE_IMAGE_OPTIONAL_HEADER::Magic, _PE_IMAGE_OPTIONAL_HEADER::MajorImageVersion, _PE_IMAGE_OPTIONAL_HEADER::MajorLinkerVersion, _PE_IMAGE_OPTIONAL_HEADER::MajorOperatingSystemVersion, _PE_IMAGE_OPTIONAL_HEADER::MajorSubsystemVersion, _PE_IMAGE_OPTIONAL_HEADER::MinorImageVersion, _PE_IMAGE_OPTIONAL_HEADER::MinorLinkerVersion, _PE_IMAGE_OPTIONAL_HEADER::MinorOperatingSystemVersion, _PE_IMAGE_OPTIONAL_HEADER::MinorSubsystemVersion, _PE_IMAGE_OPTIONAL_HEADER::NumberOfRvaAndSizes, _PE_IMAGE_OPTIONAL_HEADER::SectionAlignment, _PE_IMAGE_DATA_DIRECTORY::Size, _PE_IMAGE_OPTIONAL_HEADER::SizeOfCode, _PE_IMAGE_OPTIONAL_HEADER::SizeOfHeaders, _PE_IMAGE_OPTIONAL_HEADER::SizeOfHeapCommit, _PE_IMAGE_OPTIONAL_HEADER::SizeOfHeapReserve, _PE_IMAGE_OPTIONAL_HEADER::SizeOfImage, _PE_IMAGE_OPTIONAL_HEADER::SizeOfInitializedData, _PE_IMAGE_OPTIONAL_HEADER::SizeOfStackCommit, _PE_IMAGE_OPTIONAL_HEADER::SizeOfStackReserve, _PE_IMAGE_OPTIONAL_HEADER::SizeOfUninitializedData, _PE_IMAGE_OPTIONAL_HEADER::Subsystem, szDirectoryEntries, _PE_IMAGE_DATA_DIRECTORY::VirtualAddress, and _PE_IMAGE_OPTIONAL_HEADER::Win32VersionValue.

Referenced by main().

00156 {
00157 #define FIELD "%-30s"
00158   printf("Optional header information\n\n");
00159   printf(FIELD "%04X\n","Magic",hdr.Magic);
00160   printf(FIELD "%d.%d\n","Linker",hdr.MajorLinkerVersion,hdr.MinorLinkerVersion);
00161   printf(FIELD "%08X\n","Code size",hdr.SizeOfCode);
00162   printf(FIELD "%08X\n","Initialized data size",hdr.SizeOfInitializedData);
00163   printf(FIELD "%08X\n","Uninitialized data size",hdr.SizeOfUninitializedData);
00164   printf(FIELD "%08X\n","Entry point RVA",hdr.AddressOfEntryPoint);
00165   printf(FIELD "%08X\n","Code base RVA",hdr.BaseOfCode);
00166   printf(FIELD "%08X\n","Data base RVA",hdr.BaseOfData);
00167 
00168   printf(FIELD "%08X\n","Image base",hdr.ImageBase);
00169   printf(FIELD "%08X/%08X\n","Section/File align",hdr.SectionAlignment,hdr.FileAlignment);
00170   printf(FIELD "%d.%d\n","O/S version",hdr.MajorOperatingSystemVersion,hdr.MinorOperatingSystemVersion);
00171   printf(FIELD "%d.%d\n","Image version",hdr.MajorImageVersion,hdr.MinorImageVersion);
00172   printf(FIELD "%d.%d\n","Subsystem version",hdr.MajorSubsystemVersion,hdr.MinorSubsystemVersion);
00173   printf(FIELD "%08X\n","Win32 version",hdr.Win32VersionValue);
00174   printf(FIELD "%08X\n","Image size",hdr.SizeOfImage);
00175   printf(FIELD "%08X\n","Headers size",hdr.SizeOfHeaders);
00176   printf(FIELD "%08X\n","Checksum",hdr.CheckSum);
00177   const char *subsystem= "Unknown";
00178   switch (hdr.Subsystem) {
00179   default:
00180   case IMAGE_SUBSYSTEM_UNKNOWN:
00181     break;
00182   case IMAGE_SUBSYSTEM_NATIVE:       subsystem="Native"; break;
00183   case IMAGE_SUBSYSTEM_WINDOWS_GUI:  subsystem="Windows GUI"; break;
00184   case IMAGE_SUBSYSTEM_WINDOWS_CUI:  subsystem="Windows Consolle"; break;
00185   case IMAGE_SUBSYSTEM_OS2_CUI:      subsystem="OS2 Consolle"; break;
00186   case IMAGE_SUBSYSTEM_POSIX_CUI:    subsystem="Posix Consolle"; break;
00187   }
00188   printf(FIELD "%d (%s)\n","Subsystem",hdr.Subsystem,subsystem);
00189   printf(FIELD "%08X\n","DLL flags",hdr.DllCharacteristics);
00190   printf(FIELD "%08X/%08X\n","Stack reserve/commit",hdr.SizeOfStackReserve,hdr.SizeOfStackCommit);
00191   printf(FIELD "%08X/%08X\n","Heap reserve/commit",hdr.SizeOfHeapReserve,hdr.SizeOfHeapCommit);
00192   printf(FIELD "%08X\n","Loader flags",hdr.LoaderFlags);
00193   printf(FIELD "%u\n","RVA #",hdr.NumberOfRvaAndSizes);
00194   printf("\n%-20s%-10sSize\n","Name","RVA");
00195   printf("-----------------------------\n");
00196   for(int i=0; i<16; ++i)
00197     printf("%-20s%08X  %08X\n",szDirectoryEntries[i],hdr.DataDirectory[i].VirtualAddress,hdr.DataDirectory[i].Size);
00198   printf("\n");
00199 #undef FIELD
00200 }

void PeFile::WriteRelocation uint32_t    address,
unsigned    type,
void *    param
[static]
 

Definition at line 449 of file pefile.cpp.

References IMAGE_REL_BASED_ABSOLUTE, IMAGE_REL_BASED_HIGH, IMAGE_REL_BASED_HIGHADJ, IMAGE_REL_BASED_HIGHLOW, and IMAGE_REL_BASED_LOW.

Referenced by main(), and ParseRelocations().

00450 {
00451   printf("%08lX ",(long int)address);
00452   switch(type)
00453   {
00454   case IMAGE_REL_BASED_ABSOLUTE:
00455         printf("Absolute\n"); break;
00456   case IMAGE_REL_BASED_HIGH:
00457         printf("Relative High\n"); break;
00458   case IMAGE_REL_BASED_LOW:
00459         printf("Relative Low\n"); break;
00460   case IMAGE_REL_BASED_HIGHLOW:
00461         printf("Relative HighLow\n"); break;
00462   case IMAGE_REL_BASED_HIGHADJ:
00463         printf("Relative HighAdj\n"); break;
00464   default:
00465         printf("Unknown\n"); break;
00466   }
00467 }

void PeFile::WriteResource  
 

Definition at line 745 of file pefile.cpp.

References ParseResource(), and WriteResource().

Referenced by main(), and WriteResource().

00746 {
00747   ParseResource(::WriteResource,NULL);
00748 }

void PeFile::WriteSectionHdr const PE_IMAGE_SECTION_HEADER   hdr [static]
 

Definition at line 202 of file pefile.cpp.

References _PE_IMAGE_SECTION_HEADER::Characteristics, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_NRELOC_OVFL, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_NOT_CACHED, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_WRITE, _PE_IMAGE_SECTION_HEADER::Misc, _PE_IMAGE_SECTION_HEADER::Name, _PE_IMAGE_SECTION_HEADER::NumberOfLinenumbers, _PE_IMAGE_SECTION_HEADER::NumberOfRelocations, _PE_IMAGE_SECTION_HEADER::PointerToLinenumbers, _PE_IMAGE_SECTION_HEADER::PointerToRawData, _PE_IMAGE_SECTION_HEADER::PointerToRelocations, _PE_IMAGE_SECTION_HEADER::SizeOfRawData, and _PE_IMAGE_SECTION_HEADER::VirtualAddress.

Referenced by main().

00203 {
00204 #define FIELD "%-30s"
00205   printf(FIELD "%-8.8s\n","Name",hdr.Name);
00206   printf(FIELD "%08X\n","PhysicalAddress",hdr.Misc.PhysicalAddress);
00207   printf(FIELD "%08X\n","VirtualAddress",hdr.VirtualAddress);
00208   printf(FIELD "%08X\n","Size of raw data",hdr.SizeOfRawData);
00209   printf(FIELD "%08X\n","Pointer to raw data",hdr.PointerToRawData);
00210   printf(FIELD "%08X\n","Pointer to relocations",hdr.PointerToRelocations);
00211   printf(FIELD "%08X\n","Pointer to linenumbers",hdr.PointerToLinenumbers);
00212   printf(FIELD "%04X\n","Number of relocations",hdr.NumberOfRelocations);
00213   printf(FIELD "%04X\n","Number of line numbers",hdr.NumberOfLinenumbers);
00214 
00215   printf("Characteristics\n");
00216   uint32_t car = hdr.Characteristics;
00217   if ( car&IMAGE_SCN_CNT_CODE )               printf("  Section contains code\n");
00218   if ( car&IMAGE_SCN_CNT_INITIALIZED_DATA )   printf("  Section contains initialized data\n");
00219   if ( car&IMAGE_SCN_CNT_UNINITIALIZED_DATA ) printf("  Section contains uninitialized data\n");
00220   if ( car&IMAGE_SCN_LNK_INFO )               printf("  Section contains comments or some other type of information\n");
00221   if ( car&IMAGE_SCN_LNK_REMOVE )             printf("  Section contents will not become part of image\n");
00222   if ( car&IMAGE_SCN_LNK_COMDAT )             printf("  Section contents comdat\n");
00223 
00224   if ( car&IMAGE_SCN_MEM_FARDATA )            printf("  FarData\n");
00225   if ( car&IMAGE_SCN_MEM_PURGEABLE )          printf("  Purgeable\n");
00226   if ( car&IMAGE_SCN_MEM_16BIT )              printf("  16bit\n");
00227   if ( car&IMAGE_SCN_MEM_LOCKED )             printf("  Locked\n");
00228   if ( car&IMAGE_SCN_MEM_PRELOAD )            printf("  Preload\n");
00229 
00230   if ( car&IMAGE_SCN_ALIGN_1BYTES )           printf("  Align 1 byte\n");
00231   if ( car&IMAGE_SCN_ALIGN_2BYTES )           printf("  Align 2 bytes\n");
00232   if ( car&IMAGE_SCN_ALIGN_4BYTES )           printf("  Align 4 bytes\n");
00233   if ( car&IMAGE_SCN_ALIGN_8BYTES )           printf("  Align 8 bytes\n");
00234   if ( car&IMAGE_SCN_ALIGN_16BYTES )          printf("  Align 16 bytes\n");
00235   if ( car&IMAGE_SCN_ALIGN_32BYTES )          printf("  Align 32 bytes\n");
00236   if ( car&IMAGE_SCN_ALIGN_64BYTES )          printf("  Align 64 bytes\n");
00237 
00238   if ( car&IMAGE_SCN_LNK_NRELOC_OVFL )        printf("  Section contains extended relocations\n");
00239   if ( car&IMAGE_SCN_MEM_DISCARDABLE )        printf("  Discardable\n");
00240   if ( car&IMAGE_SCN_MEM_NOT_CACHED )         printf("  Not cachable\n");
00241   if ( car&IMAGE_SCN_MEM_NOT_PAGED )          printf("  Not pageable\n");
00242   if ( car&IMAGE_SCN_MEM_SHARED )             printf("  Shareable\n");
00243   if ( car&IMAGE_SCN_MEM_EXECUTE )            printf("  Executable\n");
00244   if ( car&IMAGE_SCN_MEM_READ )               printf("  Readable\n");
00245   if ( car&IMAGE_SCN_MEM_WRITE )              printf("  Writeable\n");
00246   printf("\n");
00247 #undef FIELD
00248 }


Member Data Documentation

ICFile& PeFile::file [private]
 

Definition at line 115 of file pefile.hpp.

Referenced by ParseExport(), ParseImport(), ParseRelocations(), ParseResource(), and PeFile().

PE_IMAGE_NT_HEADERS PeFile::nt_hdr [private]
 

Definition at line 112 of file pefile.hpp.

Referenced by GetFileHeader(), GetOptionalHeader(), and PeFile().

unsigned PeFile::numSection [private]
 

Definition at line 114 of file pefile.hpp.

Referenced by GetSectionCount(), and PeFile().

RVAFileTranslator* PeFile::rva [private]
 

Definition at line 117 of file pefile.hpp.

Referenced by GetRVA(), PeFile(), and ~PeFile().

PE_IMAGE_SECTION_HEADER* PeFile::sections [private]
 

Definition at line 113 of file pefile.hpp.

Referenced by GetSection(), GetSections(), PeFile(), and ~PeFile().


The documentation for this class was generated from the following files:
Generated on Mon Jan 13 22:20:36 2003 for perdr by doxygen1.2.15