C# 讀取PE

最后分析結果會放在 一個DATASET里

ResourceDirectory這個TABLE 增加了 GUID列 為了好實現數結構

using System;
using System.IO;
using System.Data;
using System.Collections;

namespace PETEST
{
?
?/// <summary>
?/// PeInfo 的摘要說明。
?/// zgke@sina.com
?/// </summary>
?public class PeInfo
?{
? /// <summary>
? /// 全部文件數據
? /// </summary>
? private byte[] PEFileByte;
? private bool _OpenFile = false;
? /// <summary>
? /// 獲取是否正常打開文件
? /// </summary>
? public bool OpenFile { get { return _OpenFile; } }
? /// <summary>
? /// 文件讀取的位置
? /// </summary>
? private long PEFileIndex = 0;


? private DosHeader _DosHeader;
? private DosStub _DosStub;
? private PEHeader _PEHeader;
? private OptionalHeader _OptionalHeader;
? private OptionalDirAttrib _OptionalDirAttrib;
? private SectionTable _SectionTable;
? private ExportDirectory _ExportDirectory;
? private ImportDirectory _ImportDirectory;
? private ResourceDirectory _ResourceDirectory;

? public PeInfo(string FileName)
? {
?? _OpenFile = false;

?? System.IO.FileStream File = new FileStream(FileName, System.IO.FileMode.Open);
?? PEFileByte = new byte[File.Length];
?? File.Read(PEFileByte, 0, PEFileByte.Length);
?? File.Close();
?? LoadFile();
?? _OpenFile = true;

? }


? #region 讀表方法
? /// <summary>
? /// 開始讀取
? /// </summary>
? private void LoadFile()
? {
?? LoadDosHeader();//取DOS
?? LoadDosStub();
?? LoadPEHeader();
?? LoadOptionalHeader();
?? LoadOptionalDirAttrib();
?? LoadSectionTable();? //獲取節表

?? LoadExportDirectory();? //獲取輸出表
?? LoadImportDirectory();? //獲取輸入表

?? LoadResourceDirectory();
? }

? /// <summary>
? /// 獲得DOS頭
? /// </summary>
? private void LoadDosHeader()
? {
?? _DosHeader = new DosHeader();

?? _DosHeader.FileStarIndex = PEFileIndex;
??????????
?? Loadbyte(ref _DosHeader.e_magic);
?? Loadbyte(ref _DosHeader.e_cblp);
?? Loadbyte(ref _DosHeader.e_cp);
?? Loadbyte(ref _DosHeader.e_crlc);
?? Loadbyte(ref _DosHeader.e_cparhdr);
?? Loadbyte(ref _DosHeader.e_minalloc);
?? Loadbyte(ref _DosHeader.e_maxalloc);
?? Loadbyte(ref _DosHeader.e_ss);
?? Loadbyte(ref _DosHeader.e_sp);
?? Loadbyte(ref _DosHeader.e_csum);
?? Loadbyte(ref _DosHeader.e_ip);
?? Loadbyte(ref _DosHeader.e_cs);
?? Loadbyte(ref _DosHeader.e_rva);
?? Loadbyte(ref _DosHeader.e_fg);
?? Loadbyte(ref _DosHeader.e_bl1);
?? Loadbyte(ref _DosHeader.e_oemid);
?? Loadbyte(ref _DosHeader.e_oeminfo);
?? Loadbyte(ref _DosHeader.e_bl2);
?? Loadbyte(ref _DosHeader.e_PESTAR);

?? _DosHeader.FileEndIndex = PEFileIndex;
? }

? /// <summary>
? /// 獲得DOS SUB字段
? /// </summary>
? private void LoadDosStub()
? {
?? long Size = GetLong(_DosHeader.e_PESTAR) - PEFileIndex;?? //獲得SUB的大小
?? _DosStub = new DosStub(Size);

?? _DosStub.FileStarIndex = PEFileIndex;
?? Loadbyte(ref _DosStub.DosStubData);
?? _DosStub.FileEndIndex = PEFileIndex;
? }

? /// <summary>
? /// 獲得PE的文件頭
? /// </summary>
? /// <param name="Fileindex"></param>
? /// <returns></returns>
? private void LoadPEHeader()
? {
?? _PEHeader = new PEHeader();
?? _PEHeader.FileStarIndex = PEFileIndex;
?? Loadbyte(ref _PEHeader.Header);
?? Loadbyte(ref _PEHeader.Machine);
?? Loadbyte(ref _PEHeader.NumberOfSections);
?? Loadbyte(ref _PEHeader.TimeDateStamp);
?? Loadbyte(ref _PEHeader.PointerToSymbolTable);
?? Loadbyte(ref _PEHeader.NumberOfSymbols);
?? Loadbyte(ref _PEHeader.SizeOfOptionalHeader);
?? Loadbyte(ref _PEHeader.Characteristics);
?? _PEHeader.FileEndIndex = PEFileIndex;
? }

? /// <summary>
? /// 獲得OPTIONAL PE擴展屬性
? /// </summary>
? /// <param name="Fileindex"></param>
? /// <returns></returns>
? private void LoadOptionalHeader()
? {
?? _OptionalHeader = new OptionalHeader();

?? _OptionalHeader.FileStarIndex = PEFileIndex;

?? Loadbyte(ref _OptionalHeader.Magic);
?? Loadbyte(ref _OptionalHeader.MajorLinkerVersion);
?? Loadbyte(ref _OptionalHeader.MinorLinkerVersion);
?? Loadbyte(ref _OptionalHeader.SizeOfCode);
?? Loadbyte(ref _OptionalHeader.SizeOfInitializedData);
?? Loadbyte(ref _OptionalHeader.SizeOfUninitializedData);
?? Loadbyte(ref _OptionalHeader.AddressOfEntryPoint);
?? Loadbyte(ref _OptionalHeader.BaseOfCode);
?? Loadbyte(ref _OptionalHeader.ImageBase);
?? Loadbyte(ref _OptionalHeader.ImageFileCode);
?? Loadbyte(ref _OptionalHeader.SectionAlign);
?? Loadbyte(ref _OptionalHeader.FileAlign);

?? Loadbyte(ref _OptionalHeader.MajorOSV);
?? Loadbyte(ref _OptionalHeader.MinorOSV);
?? Loadbyte(ref _OptionalHeader.MajorImageVer);
?? Loadbyte(ref _OptionalHeader.MinorImageVer);
?? Loadbyte(ref _OptionalHeader.MajorSV);
?? Loadbyte(ref _OptionalHeader.MinorSV);
?? Loadbyte(ref _OptionalHeader.UNKNOW);
?? Loadbyte(ref _OptionalHeader.SizeOfImage);
?? Loadbyte(ref _OptionalHeader.SizeOfHeards);
?? Loadbyte(ref _OptionalHeader.CheckSum);
?? Loadbyte(ref _OptionalHeader.Subsystem);
?? Loadbyte(ref _OptionalHeader.DLL_Characteristics);
?? Loadbyte(ref _OptionalHeader.Bsize);
?? Loadbyte(ref _OptionalHeader.TimeBsize);
?? Loadbyte(ref _OptionalHeader.AucBsize);
?? Loadbyte(ref _OptionalHeader.SizeOfBsize);
?? Loadbyte(ref _OptionalHeader.FuckBsize);
?? Loadbyte(ref _OptionalHeader.DirectCount);

?? _OptionalHeader.FileEndIndex = PEFileIndex;
? }

? /// <summary>
? /// 獲取目錄表
? /// </summary>
? /// <param name="Fileindex"></param>
? /// <returns></returns>
? private void LoadOptionalDirAttrib()
? {
?? _OptionalDirAttrib = new OptionalDirAttrib();

?? _OptionalDirAttrib.FileStarIndex = PEFileIndex;

?? long DirCount = GetLong(_OptionalHeader.DirectCount);

?? for (int i = 0; i != DirCount; i++)
?? {
??? OptionalDirAttrib.DirAttrib DirectAttrib = new OptionalDirAttrib.DirAttrib();

??? Loadbyte(ref DirectAttrib.DirRva);
??? Loadbyte(ref DirectAttrib.DirSize);

??? _OptionalDirAttrib.DirByte.Add(DirectAttrib);
?? }
?? _OptionalDirAttrib.FileEndIndex = PEFileIndex;
? }

? /// <summary>
? /// 獲取節表
? /// </summary>
? private void LoadSectionTable()
? {
?? _SectionTable = new SectionTable();
?? long Count = GetLong(_PEHeader.NumberOfSections);
?? _SectionTable.FileStarIndex = PEFileIndex;
?? for (long i = 0; i != Count; i++)
?? {
??? SectionTable.SectionData Section = new SectionTable.SectionData();

??? Loadbyte(ref Section.SectName);
??? Loadbyte(ref Section.VirtualAddress);
??? Loadbyte(ref Section.SizeOfRawDataRVA);
??? Loadbyte(ref Section.SizeOfRawDataSize);
??? Loadbyte(ref Section.PointerToRawData);
??? Loadbyte(ref Section.PointerToRelocations);
??? Loadbyte(ref Section.PointerToLinenumbers);
??? Loadbyte(ref Section.NumberOfRelocations);
??? Loadbyte(ref Section.NumberOfLinenumbers);
??? Loadbyte(ref Section.Characteristics);
??? _SectionTable.Section.Add(Section);

?? }
?? _SectionTable.FileEndIndex = PEFileIndex;
? }

? /// <summary>
? /// 讀取輸出表
? /// </summary>
? private void LoadExportDirectory()
? {

?? if (_OptionalDirAttrib.DirByte.Count == 0) return;
?? OptionalDirAttrib.DirAttrib ExporRVA = (OptionalDirAttrib.DirAttrib)_OptionalDirAttrib.DirByte[0];
?? if (GetLong(ExporRVA.DirRva) == 0) return;


?? long ExporAddress = GetLong(ExporRVA.DirRva);? //獲取的位置

?? _ExportDirectory = new ExportDirectory();
?? for (int i = 0; i != _SectionTable.Section.Count; i++) //循環節表
?? {
??? SectionTable.SectionData Sect = (SectionTable.SectionData)_SectionTable.Section[i];

??? long StarRva = GetLong(Sect.SizeOfRawDataRVA);
??? long EndRva = GetLong(Sect.SizeOfRawDataSize);

??? if (ExporAddress >= StarRva && ExporAddress < StarRva + EndRva)
??? {
???? PEFileIndex = ExporAddress - GetLong(Sect.SizeOfRawDataRVA) + GetLong(Sect.PointerToRawData);
???????????????????
???? _ExportDirectory.FileStarIndex = PEFileIndex;
???? _ExportDirectory.FileEndIndex = PEFileIndex + GetLong(ExporRVA.DirSize);

???? Loadbyte(ref _ExportDirectory.Characteristics);
???? Loadbyte(ref _ExportDirectory.TimeDateStamp);
???? Loadbyte(ref _ExportDirectory.MajorVersion);
???? Loadbyte(ref _ExportDirectory.MinorVersion);
???? Loadbyte(ref _ExportDirectory.Name);
???? Loadbyte(ref _ExportDirectory.Base);
???? Loadbyte(ref _ExportDirectory.NumberOfFunctions);
???? Loadbyte(ref _ExportDirectory.NumberOfNames);
???? Loadbyte(ref _ExportDirectory.AddressOfFunctions);
???? Loadbyte(ref _ExportDirectory.AddressOfNames);
???? Loadbyte(ref _ExportDirectory.AddressOfNameOrdinals);

???? PEFileIndex = GetLong(_ExportDirectory.AddressOfFunctions) - GetLong(Sect.SizeOfRawDataRVA) + GetLong(Sect.PointerToRawData);
???? long EndIndex = GetLong(_ExportDirectory.AddressOfNames) - GetLong(Sect.SizeOfRawDataRVA) + GetLong(Sect.PointerToRawData);
???? long Numb = (EndIndex - PEFileIndex) / 4;
???? for (long z = 0; z != Numb; z++)
???? {
????? byte[] Data = new byte[4];
????? Loadbyte(ref Data);
????? _ExportDirectory.AddressOfFunctionsList.Add(Data);
???? }

???? Numb = 0;
???? PEFileIndex = EndIndex;
???? EndIndex = GetLong(_ExportDirectory.AddressOfNameOrdinals) - GetLong(Sect.SizeOfRawDataRVA) + GetLong(Sect.PointerToRawData);
???? Numb = (EndIndex - PEFileIndex) / 4;
???? for (long z = 0; z != Numb; z++)
???? {
????? byte[] Data = new byte[4];
????? Loadbyte(ref Data);
????? _ExportDirectory.AddressOfNamesList.Add(Data);
???? }

???? Numb = 0;
???? PEFileIndex = EndIndex;
???? EndIndex = GetLong(_ExportDirectory.Name) - GetLong(Sect.SizeOfRawDataRVA) + GetLong(Sect.PointerToRawData);
???? Numb = (EndIndex - PEFileIndex) / 2;
???? for (long z = 0; z != Numb; z++)
???? {
????? byte[] Data = new byte[2];
????? Loadbyte(ref Data);
????? _ExportDirectory.AddressOfNameOrdinalsList.Add(Data);
???? }


???? PEFileIndex = EndIndex;

???? long ReadIndex = 0;
???? while (true)
???? {
????? if (PEFileByte[PEFileIndex + ReadIndex] == 0)
????? {
?????? if (PEFileByte[PEFileIndex + ReadIndex + 1] == 0) break;

?????? byte[] Date = new byte[ReadIndex];
?????? Loadbyte(ref Date);
?????? _ExportDirectory.NameList.Add(Date);

?????? PEFileIndex++;
?????? ReadIndex = 0;
????? }
????? ReadIndex++;
???? }
???? break;
??? }

?? }

? }

? /// <summary>
? /// 讀取輸入表
? /// </summary>
? private void LoadImportDirectory()
? {

?? if (_OptionalDirAttrib.DirByte.Count < 1) return;
?? OptionalDirAttrib.DirAttrib ImporRVA = (OptionalDirAttrib.DirAttrib)_OptionalDirAttrib.DirByte[1];


?? long ImporAddress = GetLong(ImporRVA.DirRva);? //獲取的位置
?? if (ImporAddress == 0) return;
?? long ImporSize = GetLong(ImporRVA.DirSize);? //獲取大小

?? _ImportDirectory = new ImportDirectory();

?? long SizeRva = 0;
?? long PointerRva = 0;

?? long StarRva = 0;
?? long EndRva = 0;

?? #region 獲取位置
?? for (int i = 0; i != _SectionTable.Section.Count; i++) //循環節表
?? {
??? SectionTable.SectionData Sect = (SectionTable.SectionData)_SectionTable.Section[i];

??? StarRva = GetLong(Sect.SizeOfRawDataRVA);
??? EndRva = GetLong(Sect.SizeOfRawDataSize);

??? if (ImporAddress >= StarRva && ImporAddress < StarRva + EndRva)
??? {
???? SizeRva = GetLong(Sect.SizeOfRawDataRVA);
???? PointerRva = GetLong(Sect.PointerToRawData);
???? PEFileIndex = ImporAddress - SizeRva + PointerRva;

???? _ImportDirectory.FileStarIndex = PEFileIndex;
???? _ImportDirectory.FileEndIndex = PEFileIndex + ImporSize;


???? break;
??? }

?? }

?? if (SizeRva == 0 && PointerRva == 0) return;
?? #endregion


?? #region 輸入表結構
?? while (true)
?? {

??? ImportDirectory.ImportDate Import = new PeInfo.ImportDirectory.ImportDate();

??? Loadbyte(ref Import.OriginalFirstThunk);
??? Loadbyte(ref Import.TimeDateStamp);
??? Loadbyte(ref Import.ForwarderChain);
??? Loadbyte(ref Import.Name);
??? Loadbyte(ref Import.FirstThunk);

??? if (GetLong(Import.Name) == 0) break;

??? _ImportDirectory.ImportList.Add(Import); //添加
?? }
?? #endregion


?? #region 獲取輸入DLL名稱
?? for (int z = 0; z != _ImportDirectory.ImportList.Count; z++)???? //獲取引入DLL名字
?? {
??? ImportDirectory.ImportDate Import = (ImportDirectory.ImportDate)_ImportDirectory.ImportList[z];

??? long ImportDLLName = GetLong(Import.Name) - SizeRva + PointerRva;
??? PEFileIndex = ImportDLLName;
??? long ReadCount = 0;
??? while (true) //獲取引入名
??? {
???? if (PEFileByte[PEFileIndex + ReadCount] == 0)
???? {
????? Import.DLLName = new byte[ReadCount];
????? Loadbyte(ref Import.DLLName);

????? break;
???? }
???? ReadCount++;
??? }
?? }
?? #endregion


?? #region 獲取引入方法 先獲取地址 然后獲取名字和頭
?? for (int z = 0; z != _ImportDirectory.ImportList.Count; z++)???? //獲取引入方法
?? {
??? ImportDirectory.ImportDate Import = (ImportDirectory.ImportDate)_ImportDirectory.ImportList[z];
??? long ImportDLLName = GetLong(Import.OriginalFirstThunk) - SizeRva + PointerRva;


??? PEFileIndex = ImportDLLName;
??? while (true)
??? {

???? ImportDirectory.ImportDate.FunctionList Function = new PeInfo.ImportDirectory.ImportDate.FunctionList();
???? Loadbyte(ref Function.OriginalFirst);

???? long LoadIndex = GetLong(Function.OriginalFirst);
???? if (LoadIndex == 0) break;
???? long OldIndex = PEFileIndex;

???? PEFileIndex = LoadIndex - SizeRva + PointerRva;

???? if (LoadIndex >= StarRva && LoadIndex < StarRva + EndRva)? //發現有些數字超級大
???? {
????? int ReadCount = 0;

????? while (true)
????? {
?????? if (ReadCount == 0) Loadbyte(ref Function.FunctionHead);
?????? if (PEFileByte[PEFileIndex + ReadCount] == 0)
?????? {
??????? byte[] FunctionName = new byte[ReadCount];
??????? Loadbyte(ref FunctionName);
??????? Function.FunctionName = FunctionName;

??????? break;
?????? }
?????? ReadCount++;
????? }
???? }
???? else
???? {
????? Function.FunctionName = new byte[1];
???? }


???? PEFileIndex = OldIndex;

???? Import.DllFunctionList.Add(Function);
??? }
?? }
?? #endregion

? }

? /// <summary>
? /// 讀取資源表
? /// </summary>
? private void LoadResourceDirectory()
? {
?? #region 初始化
?? if (_OptionalDirAttrib.DirByte.Count < 3) return;
?? OptionalDirAttrib.DirAttrib ImporRVA = (OptionalDirAttrib.DirAttrib)_OptionalDirAttrib.DirByte[2];

?? long ImporAddress = GetLong(ImporRVA.DirRva);? //獲取的位置
?? if (ImporAddress == 0) return;
?? long ImporSize = GetLong(ImporRVA.DirSize);? //獲取大小


?? _ResourceDirectory = new ResourceDirectory();

?? long SizeRva = 0;
?? long PointerRva = 0;

?? long StarRva = 0;
?? long EndRva = 0;
?? long PEIndex = 0;
?? #endregion

?? #region 獲取位置
?? for (int i = 0; i != _SectionTable.Section.Count; i++) //循環節表
?? {
??? SectionTable.SectionData Sect = (SectionTable.SectionData)_SectionTable.Section[i];

??? StarRva = GetLong(Sect.SizeOfRawDataRVA);
??? EndRva = GetLong(Sect.SizeOfRawDataSize);

??? if (ImporAddress >= StarRva && ImporAddress < StarRva + EndRva)
??? {
???? SizeRva = GetLong(Sect.SizeOfRawDataRVA);
???? PointerRva = GetLong(Sect.PointerToRawData);
???? PEFileIndex = ImporAddress - SizeRva + PointerRva;
???? PEIndex = PEFileIndex;


???? _ResourceDirectory.FileStarIndex = PEFileIndex;
???? _ResourceDirectory.FileEndIndex = PEFileIndex + ImporSize;

?????????????????
???? break;
??? }

?? }

??????

?? if (SizeRva == 0 && PointerRva == 0) return;
?? #endregion

?? AddResourceNode(_ResourceDirectory, PEIndex, 0, StarRva);
? }

? private void AddResourceNode(ResourceDirectory Node, long PEIndex, long RVA, long ResourSectRva)
? {
?? PEFileIndex = PEIndex + RVA;????????? //設置位置
?? Loadbyte(ref Node.Characteristics);
?? Loadbyte(ref Node.TimeDateStamp);
?? Loadbyte(ref Node.MajorVersion);
?? Loadbyte(ref Node.MinorVersion);
?? Loadbyte(ref Node.NumberOfNamedEntries);
?? Loadbyte(ref Node.NumberOfIdEntries);

?? long NameRVA = GetLong(Node.NumberOfNamedEntries);
?? for (int i = 0; i != NameRVA; i++)
?? {
??? ResourceDirectory.DirectoryEntry Entry = new ResourceDirectory.DirectoryEntry();
??? Loadbyte(ref Entry.Name);
??? Loadbyte(ref Entry.Id);
??? byte[] Temp = new byte[2];
??? Temp[0] = Entry.Name[0];
??? Temp[1] = Entry.Name[1];

??? long NameIndex = GetLong(Temp) + PEIndex;
??? Temp[0] = PEFileByte[NameIndex + 0];
??? Temp[1] = PEFileByte[NameIndex + 1];

??? long NameCount = GetLong(Temp);
??? Node.Name = new byte[NameCount * 2];

??? for (int z = 0; z != Node.Name.Length; z++)
??? {
???? Node.Name[z] = PEFileByte[NameIndex + 2 + z];
??? }
???????????????
??? //System.Windows.Forms.MessageBox.Show(GetString(Entry.ID));

?????????????
??? Temp[0] = Entry.Id[2];
??? Temp[1] = Entry.Id[3];

??? long OldIndex = PEFileIndex;

??? if (GetLong(Temp) == 0)
??? {
???? Temp[0] = Entry.Id[0];
???? Temp[1] = Entry.Id[1];

???? PEFileIndex = GetLong(Temp) + PEIndex;

???? ResourceDirectory.DirectoryEntry.DataEntry DataRVA = new ResourceDirectory.DirectoryEntry.DataEntry();

???? Loadbyte(ref DataRVA.ResourRVA);
???? Loadbyte(ref DataRVA.ResourSize);
???? Loadbyte(ref DataRVA.ResourTest);
???? Loadbyte(ref DataRVA.ResourWen);

???? PEFileIndex = OldIndex;
???? Entry.DataEntryList.Add(DataRVA);

???? //System.Windows.Forms.MessageBox.Show(GetString(DataRVA.ResourRVA)+"*"+GetString(DataRVA.ResourSize));

??? }
??? else
??? {
???? Temp[0] = Entry.Id[0];
???? Temp[1] = Entry.Id[1];


???? ResourceDirectory Resource = new ResourceDirectory();
???? Entry.NodeDirectoryList.Add(Resource);
???? AddResourceNode(Resource, PEIndex, GetLong(Temp), ResourSectRva);
??? }

??? PEFileIndex = OldIndex;

??? Node.EntryList.Add(Entry);

?? }

?? long Count = GetLong(Node.NumberOfIdEntries);
?? for (int i = 0; i != Count; i++)
?? {
??? ResourceDirectory.DirectoryEntry Entry = new ResourceDirectory.DirectoryEntry();
??? Loadbyte(ref Entry.Name);
??? Loadbyte(ref Entry.Id);

??? //System.Windows.Forms.MessageBox.Show(GetString(Entry.Name)+"_"+GetString(Entry.Id));

??? byte[] Temp = new byte[2];
??? Temp[0] = Entry.Id[2];
??? Temp[1] = Entry.Id[3];

??? long OldIndex = PEFileIndex;

??? if (GetLong(Temp) == 0)
??? {
???? Temp[0] = Entry.Id[0];
???? Temp[1] = Entry.Id[1];

???? PEFileIndex = GetLong(Temp) + PEIndex;

???? ResourceDirectory.DirectoryEntry.DataEntry DataRVA = new ResourceDirectory.DirectoryEntry.DataEntry();

???? Loadbyte(ref DataRVA.ResourRVA);
???? Loadbyte(ref DataRVA.ResourSize);
???? Loadbyte(ref DataRVA.ResourTest);
???? Loadbyte(ref DataRVA.ResourWen);

???? long FileRva = GetLong(DataRVA.ResourRVA) - ResourSectRva + PEIndex;

???? DataRVA.FileStarIndex = FileRva;
???? DataRVA.FileEndIndex = FileRva + GetLong(DataRVA.ResourSize);


??????????????????
???? PEFileIndex = OldIndex;
???? Entry.DataEntryList.Add(DataRVA);

???? //System.Windows.Forms.MessageBox.Show(GetString(DataRVA.ResourRVA)+"*"+GetString(DataRVA.ResourSize));

??? }
??? else
??? {
???? Temp[0] = Entry.Id[0];
???? Temp[1] = Entry.Id[1];


???? ResourceDirectory Resource = new ResourceDirectory();
???? Entry.NodeDirectoryList.Add(Resource);
???? AddResourceNode(Resource, PEIndex, GetLong(Temp), ResourSectRva);
??? }

??? PEFileIndex = OldIndex;


??? Node.EntryList.Add(Entry);
?? }

? }

? #endregion

? #region 類
? /// <summary>
? /// DOS文件都MS開始
? /// </summary>
? private class DosHeader
? {
?? public byte[] e_magic = new byte[2]; // 魔術數字
?? public byte[] e_cblp = new byte[2];? // 文件最后頁的字節數
?? public byte[] e_cp = new byte[2];??? // 文件頁數
?? public byte[] e_crlc = new byte[2]; // 重定義元素個數
?? public byte[] e_cparhdr = new byte[2]; // 頭部尺寸,以段落為單位
?? public byte[] e_minalloc = new byte[2]; // 所需的最小附加段
?? public byte[] e_maxalloc = new byte[2]; // 所需的最大附加段
?? public byte[] e_ss = new byte[2]; // 初始的SS值(相對偏移量)
?? public byte[] e_sp = new byte[2]; // 初始的SP值
?? public byte[] e_csum = new byte[2]; // 校驗和
?? public byte[] e_ip = new byte[2]; // 初始的IP值
?? public byte[] e_cs = new byte[2]; // 初始的CS值(相對偏移量)
?? public byte[] e_rva = new byte[2];
?? public byte[] e_fg = new byte[2];
?? public byte[] e_bl1 = new byte[8];
?? public byte[] e_oemid = new byte[2];
?? public byte[] e_oeminfo = new byte[2];
?? public byte[] e_bl2 = new byte[20];
?? public byte[] e_PESTAR = new byte[2]; //PE開始 +自己的位置


?? public long FileStarIndex = 0;
?? public long FileEndIndex = 0;
? }

? /// <summary>
? /// DOS程序 提示
? /// </summary>
? private class DosStub
? {
?? public byte[] DosStubData;
?? public DosStub(long Size)
?? {
??? DosStubData = new byte[Size];
?? }

?? public long FileStarIndex = 0;
?? public long FileEndIndex = 0;
? }

? /// <summary>
? /// PE文件頭
? /// </summary>
? private class PEHeader
? {
?? public byte[] Header = new byte[4];? //PE文件標記
?? public byte[] Machine = new byte[2];//該文件運行所要求的CPU。對于Intel平臺,該值是IMAGE_FILE_MACHINE_I386 (14Ch)。我們嘗試了LUEVELSMEYER的pe.txt聲明的14Dh和14Eh,但Windows不能正確執行。看起來,除了禁止程序執行之外,本域對我們來說用處不大。
?? public byte[] NumberOfSections = new byte[2];//文件的節數目。如果我們要在文件中增加或刪除一個節,就需要修改這個值。
?? public byte[] TimeDateStamp = new byte[4];//文件創建日期和時間。我們不感興趣。
?? public byte[] PointerToSymbolTable = new byte[4];//用于調試。
?? public byte[] NumberOfSymbols = new byte[4];//用于調試。
?? public byte[] SizeOfOptionalHeader = new byte[2];//指示緊隨本結構之后的 OptionalHeader 結構大小,必須為有效值。
?? public byte[] Characteristics = new byte[2];//關于文件信息的標記,比如文件是exe還是dll。

?? public long FileStarIndex = 0;
?? public long FileEndIndex = 0;
? }
? /// <summary>
? /// Optinal
? /// </summary>
? private class OptionalHeader
? {
?? public byte[] Magic = new byte[2]; //Magic 010B=普通可以執行,0107=ROM映像
?? public byte[] MajorLinkerVersion = new byte[1]; //主版本號
?? public byte[] MinorLinkerVersion = new byte[1]; //副版本號
?? public byte[] SizeOfCode = new byte[4]; //代碼段大小
?? public byte[] SizeOfInitializedData = new byte[4]; //已初始化數據大小
?? public byte[] SizeOfUninitializedData = new byte[4]; //未初始化數據大小
?? public byte[] AddressOfEntryPoint = new byte[4]; //執行將從這里開始(RVA)
?? public byte[] BaseOfCode = new byte[4]; //代碼基址(RVA)
?? public byte[] ImageBase = new byte[4]; //數據基址(RVA)
?? public byte[] ImageFileCode = new byte[4]; //映象文件基址
?? public byte[] SectionAlign = new byte[4]; //區段列隊
?? public byte[] FileAlign = new byte[4]; //文件列隊

?? public byte[] MajorOSV = new byte[2]; //操作系統主版本號
?? public byte[] MinorOSV = new byte[2]; //操作系統副版本號
?? public byte[] MajorImageVer = new byte[2]; //映象文件主版本號
?? public byte[] MinorImageVer = new byte[2]; //映象文件副版本號
?? public byte[] MajorSV = new byte[2]; //子操作系統主版本號
?? public byte[] MinorSV = new byte[2]; //子操作系統副版本號
?? public byte[] UNKNOW = new byte[4]; //Win32版本值
?? public byte[] SizeOfImage = new byte[4]; //映象文件大小
?? public byte[] SizeOfHeards = new byte[4]; //標志頭大小
?? public byte[] CheckSum = new byte[4]; //文件效驗
?? public byte[] Subsystem = new byte[2];//子系統(映象文件)1本地 2WINDOWS-GUI 3WINDOWS-CUI 4 POSIX-CUI
?? public byte[] DLL_Characteristics = new byte[2];//DLL標記
?? public byte[] Bsize = new byte[4]; //保留棧的大小
?? public byte[] TimeBsize = new byte[4]; //初始時指定棧大小
?? public byte[] AucBsize = new byte[4]; //保留堆的大小
?? public byte[] SizeOfBsize = new byte[4]; //初始時指定堆大小
?? public byte[] FuckBsize = new byte[4]; //加載器標志
?? public byte[] DirectCount = new byte[4]; //數據目錄數

?? public long FileStarIndex = 0;
?? public long FileEndIndex = 0;


? }
? /// <summary>
? /// 目錄結構
? /// </summary>
? private class OptionalDirAttrib
? {
?? public ArrayList DirByte = new ArrayList();

?? public class DirAttrib
?? {
??? public byte[] DirRva = new byte[4];?? //地址
??? public byte[] DirSize = new byte[4];? //大小
?? }

?? public long FileStarIndex = 0;
?? public long FileEndIndex = 0;
? }
? /// <summary>
? /// 節表
? /// </summary>
? private class SectionTable
? {
?? public ArrayList Section = new ArrayList();
?? public class SectionData
?? {
??? public byte[] SectName = new byte[8];?? //名字
??? public byte[] VirtualAddress = new byte[4]; //虛擬內存地址
??? public byte[] SizeOfRawDataRVA = new byte[4]; //RVA偏移
??? public byte[] SizeOfRawDataSize = new byte[4]; //RVA大小
??? public byte[] PointerToRawData = new byte[4]; //指向RAW數據
??? public byte[] PointerToRelocations = new byte[4]; //指向定位號
??? public byte[] PointerToLinenumbers = new byte[4]; //指向行數
??? public byte[] NumberOfRelocations = new byte[2]; //定位號
??? public byte[] NumberOfLinenumbers = new byte[2]; //行數號
??? public byte[] Characteristics = new byte[4]; //區段標記
?? }

?? public long FileStarIndex = 0;
?? public long FileEndIndex = 0;
? }

? /// <summary>
? /// 輸出表
? /// </summary>
? private class ExportDirectory
? {


?? public byte[] Characteristics = new byte[4];//一個保留字段,目前為止值為0。
?? public byte[] TimeDateStamp = new byte[4];//產生的時間。
?? public byte[] MajorVersion = new byte[2];//主版本號
?? public byte[] MinorVersion = new byte[2];//副版本號
?? public byte[] Name = new byte[4];//一個RVA,指向一個dll的名稱的ascii字符串。
?? public byte[] Base = new byte[4];//輸出函數的起始序號。一般為1。
?? public byte[] NumberOfFunctions = new byte[4];//輸出函數入口地址的數組 中的元素個數。
?? public byte[] NumberOfNames = new byte[4];//輸出函數名的指針的數組 中的元素個數,也是輸出函數名對應的序號的數組 中的元素個數。
?? public byte[] AddressOfFunctions = new byte[4]; // 一個RVA,指向輸出函數入口地址的數組。
?? public byte[] AddressOfNames = new byte[4]; // 一個RVA,指向輸出函數名的指針的數組。
?? public byte[] AddressOfNameOrdinals = new byte[4]; // 一個RVA,指向輸出函數名對應的序號的數組。

?? public ArrayList AddressOfFunctionsList = new ArrayList();
?? public ArrayList AddressOfNamesList = new ArrayList();
?? public ArrayList AddressOfNameOrdinalsList = new ArrayList();
?? public ArrayList NameList = new ArrayList();

?? public long FileStarIndex = 0;
?? public long FileEndIndex = 0;
? }

? /// <summary>
? /// 輸入表
? /// </summary>
? private class ImportDirectory
? {
?? public ArrayList ImportList = new ArrayList();

?? public class ImportDate
?? {
??? public byte[] OriginalFirstThunk = new byte[4]; //這里實際上保存著一個RVA,這個RVA指向一個DWORD數組,這個數組可以叫做輸入查詢表。每個數組元素,或者叫一個表項,保存著一個指向函數名的RVA或者保存著一個函數的序號。???
??? public byte[] TimeDateStamp = new byte[4];//當這個值為0的時候,表明還沒有bind。不為0的話,表示已經bind過了。有關bind的內容后面介紹。
??? public byte[] ForwarderChain = new byte[4];
??? public byte[] Name = new byte[4]; //一個RVA,這個RVA指向一個ascii以空字符結束的字符串,這個字符串就是本結構對應的dll文件的名字。
??? public byte[] FirstThunk = new byte[4]; //一個RVA,這個RVA指向一個DWORD數組,這個數組可以叫輸入地址表。如果bind了的話,這個數組的每個元素,就是一個輸入函數的入口地址。


??? public byte[] DLLName;? //DLL名稱
??? public ArrayList DllFunctionList = new ArrayList();
??? public class FunctionList
??? {
???? public byte[] OriginalFirst = new byte[4];
???? public byte[] FunctionName;
???? public byte[] FunctionHead = new byte[2];
??? }

?? }
?? public long FileStarIndex = 0;
?? public long FileEndIndex = 0;
? }

? /// <summary>
? /// 資源表
? /// </summary>
? private class ResourceDirectory
? {
?? public byte[] Characteristics = new byte[4];
?? public byte[] TimeDateStamp = new byte[4];
?? public byte[] MajorVersion = new byte[2];
?? public byte[] MinorVersion = new byte[2];
?? public byte[] NumberOfNamedEntries = new byte[2];
?? public byte[] NumberOfIdEntries = new byte[2];

?? public byte[] Name;


?? public ArrayList EntryList = new ArrayList();

?? public class DirectoryEntry
?? {
??? public byte[] Name = new byte[4];
??? public byte[] Id = new byte[4];

??? public ArrayList DataEntryList = new ArrayList();

??? public ArrayList NodeDirectoryList = new ArrayList();


??? public class DataEntry
??? {
???? public byte[] ResourRVA = new byte[4];
???? public byte[] ResourSize = new byte[4];
???? public byte[] ResourTest = new byte[4];
???? public byte[] ResourWen = new byte[4];

???? public long FileStarIndex = 0;
???? public long FileEndIndex = 0;

??? }
?? }

?? public long FileStarIndex = 0;
?? public long FileEndIndex = 0;

? }

? #endregion

? #region 工具方法
? /// <summary>
? /// 讀數據 讀byte[]的數量 會改邊PEFileIndex的值
? /// </summary>
? /// <param name="Data"></param>
? private void Loadbyte(ref byte[] Data)
? {
?? for (int i = 0; i != Data.Length; i++)
?? {
??? Data[i] = PEFileByte[PEFileIndex];
??? PEFileIndex++;
?? }
? }
? /// <summary>
? /// 轉換byte為字符串
? /// </summary>
? /// <param name="Data">byte[]</param>
? /// <returns>AA BB CC DD</returns>
? private string GetString(byte[] Data)
? {
?? string Temp = "";
?? for (int i = 0; i != Data.Length - 1; i++)
?? {
??? Temp += Data[i].ToString("X02") + " ";
?? }
?? Temp += Data[Data.Length - 1].ToString("X02");
?? return Temp;
? }
? /// <summary>
? /// 轉換字符為顯示數據
? /// </summary>
? /// <param name="Data">byte[]</param>
? /// <param name="Type">ASCII DEFAULT UNICODE BYTE</param>
? /// <returns></returns>
? private string GetString(byte[] Data, string Type)
? {
?? if (Type.Trim().ToUpper() == "ASCII") return System.Text.Encoding.ASCII.GetString(Data);
?? if (Type.Trim().ToUpper() == "DEFAULT") return System.Text.Encoding.Default.GetString(Data);
?? if (Type.Trim().ToUpper() == "UNICODE") return System.Text.Encoding.Unicode.GetString(Data);
?? if (Type.Trim().ToUpper() == "BYTE")
?? {
??? string Temp = "";
??? for (int i = Data.Length - 1; i != 0; i--)
??? {
???? Temp += Data[i].ToString("X02") + " ";
??? }
??? Temp += Data[0].ToString("X02");
??? return Temp;
?? }
?? return GetInt(Data);
? }
? /// <summary>
? /// 轉換BYTE為INT
? /// </summary>
? /// <param name="Data"></param>
? /// <returns></returns>
? private string GetInt(byte[] Data)
? {
?? string Temp = "";
?? for (int i = 0; i != Data.Length - 1; i++)
?? {
??? int ByteInt = (int)Data[i];
??? Temp += ByteInt.ToString() + " ";
?? }
?? int EndByteInt = (int)Data[Data.Length - 1];
?? Temp += EndByteInt.ToString();
?? return Temp;

? }
? /// <summary>
? /// 轉換數據為LONG
? /// </summary>
? /// <param name="Data"></param>
? /// <returns></returns>
? private long GetLong(byte[] Data)
? {
?? string MC = "";
?? if (Data.Length <= 4)
?? {

??? for (int i = Data.Length - 1; i != -1; i--)
??? {

???? MC += Data[i].ToString("X02");

??? }
?? }
?? else
?? {
??? return 0;
?? }
?? return Convert.ToInt64(MC, 16);
? }
? /// <summary>
? /// 添加一行信息
? /// </summary>
? /// <param name="RefTable">表</param>
? /// <param name="Data">數據</param>
? /// <param name="Name">名稱</param>
? /// <param name="Describe">說明</param>
? private void AddTableRow(DataTable RefTable, byte[] Data, string Name, string Describe)
? {
?? RefTable.Rows.Add(new string[]{
???????????? Name,
???????????? Data.Length.ToString(),
???????????? GetString(Data),
???????????? GetLong(Data).ToString(),
???????????? GetString(Data,"ASCII"),
???????????? Describe
????

??????????? });
? }
? #endregion

? #region Table繪制
? /// <summary>
? /// 獲取PE信息 DataSet方式
? /// </summary>
? /// <returns>多個表 最后資源表 繪制成樹結構TABLE </returns>
? public DataSet GetPETable()
? {
?? if (_OpenFile == false) return null;

?? DataSet Ds = new DataSet("PEFile");
?? if (_DosHeader != null) Ds.Tables.Add(TableDosHeader());
?? if (_PEHeader != null) Ds.Tables.Add(TablePEHeader());
?? if (_OptionalHeader != null) Ds.Tables.Add(TableOptionalHeader());
?? if (_OptionalDirAttrib != null) Ds.Tables.Add(TableOptionalDirAttrib());
?? if (_SectionTable != null) Ds.Tables.Add(TableSectionData());
?? if (_ExportDirectory != null)
?? {
??? Ds.Tables.Add(TableExportDirectory());
??? Ds.Tables.Add(TableExportFunction());
?? }
?? if (_ImportDirectory != null)
?? {
??? Ds.Tables.Add(TableImportDirectory());
??? Ds.Tables.Add(TableImportFunction());
?? }
?? if (_ResourceDirectory != null)
?? {
??? Ds.Tables.Add(TableResourceDirectory());

?? }
?? return Ds;
? }

? private DataTable TableDosHeader()
? {
?? DataTable ReturnTable = new DataTable("DosHeader FileStar{" + _DosHeader.FileStarIndex.ToString() + "}FileEnd{" + _DosHeader.FileEndIndex.ToString() + "}");
?? ReturnTable.Columns.Add("Name");
?? ReturnTable.Columns.Add("Size");
?? ReturnTable.Columns.Add("Value16");
?? ReturnTable.Columns.Add("Value10");
?? ReturnTable.Columns.Add("ASCII");
?? ReturnTable.Columns.Add("Describe");

?? AddTableRow(ReturnTable, _DosHeader.e_magic, "e_magic", "魔術數字");
?? AddTableRow(ReturnTable, _DosHeader.e_cblp, "e_cblp", "文件最后頁的字節數");
?? AddTableRow(ReturnTable, _DosHeader.e_cp, "e_cp", "文件頁數");
?? AddTableRow(ReturnTable, _DosHeader.e_crlc, "e_crlc", "重定義元素個數");
?? AddTableRow(ReturnTable, _DosHeader.e_cparhdr, "e_cparhdr", "頭部尺寸,以段落為單位");
?? AddTableRow(ReturnTable, _DosHeader.e_minalloc, "e_minalloc", "所需的最小附加段");
?? AddTableRow(ReturnTable, _DosHeader.e_maxalloc, "e_maxalloc", "所需的最大附加段");
?? AddTableRow(ReturnTable, _DosHeader.e_ss, "e_ss", "初始的SS值(相對偏移量)");
?? AddTableRow(ReturnTable, _DosHeader.e_sp, "e_sp", "初始的SP值");
?? AddTableRow(ReturnTable, _DosHeader.e_csum, "e_csum", "校驗和");
?? AddTableRow(ReturnTable, _DosHeader.e_ip, "e_ip", "初始的IP值");
?? AddTableRow(ReturnTable, _DosHeader.e_cs, "e_cs", "初始的CS值(相對偏移量)");
?? AddTableRow(ReturnTable, _DosHeader.e_rva, "e_rva", "");
?? AddTableRow(ReturnTable, _DosHeader.e_fg, "e_fg", "");
?? AddTableRow(ReturnTable, _DosHeader.e_bl1, "e_bl1", "");
?? AddTableRow(ReturnTable, _DosHeader.e_oemid, "e_oemid", "");
?? AddTableRow(ReturnTable, _DosHeader.e_oeminfo, "e_oeminfo", "");
?? AddTableRow(ReturnTable, _DosHeader.e_bl2, "e_bl2", "");
?? AddTableRow(ReturnTable, _DosHeader.e_PESTAR, "e_PESTAR", "PE開始 +本結構的位置");

?? return ReturnTable;
? }

? private DataTable TablePEHeader()
? {
?? DataTable ReturnTable = new DataTable("PeHeader FileStar{" + _PEHeader.FileStarIndex.ToString() + "}FileEnd{" + _PEHeader.FileEndIndex.ToString() + "}");
?? ReturnTable.Columns.Add("Name");
?? ReturnTable.Columns.Add("Size");
?? ReturnTable.Columns.Add("Value16");
?? ReturnTable.Columns.Add("Value10");
?? ReturnTable.Columns.Add("ASCII");
?? ReturnTable.Columns.Add("Describe");


?? AddTableRow(ReturnTable, _PEHeader.Header, "Header", "PE文件標記");
?? AddTableRow(ReturnTable, _PEHeader.Machine, "Machine", "該文件運行所要求的CPU。對于Intel平臺,該值是IMAGE_FILE_MACHINE_I386 (14Ch)。我們嘗試了LUEVELSMEYER的pe.txt聲明的14Dh和14Eh,但Windows不能正確執行。 ");
?? AddTableRow(ReturnTable, _PEHeader.NumberOfSections, "NumberOfSections", "文件的節數目。如果我們要在文件中增加或刪除一個節,就需要修改這個值。");
?? AddTableRow(ReturnTable, _PEHeader.TimeDateStamp, "TimeDateStamp", "文件創建日期和時間。 ");
?? AddTableRow(ReturnTable, _PEHeader.PointerToSymbolTable, "PointerToSymbolTable", "用于調試。 ");
?? AddTableRow(ReturnTable, _PEHeader.NumberOfSymbols, "NumberOfSymbols", "用于調試。 ");
?? AddTableRow(ReturnTable, _PEHeader.SizeOfOptionalHeader, "SizeOfOptionalHeader", "指示緊隨本結構之后的 OptionalHeader 結構大小,必須為有效值。");
?? AddTableRow(ReturnTable, _PEHeader.Characteristics, "Characteristics", "關于文件信息的標記,比如文件是exe還是dll。");

?? return ReturnTable;
? }

? private DataTable TableOptionalHeader()
? {
?? DataTable ReturnTable = new DataTable("OptionalHeader FileStar{" + _OptionalHeader.FileStarIndex.ToString() + "}FileEnd{" + _OptionalHeader.FileEndIndex.ToString() + "}");
?? ReturnTable.Columns.Add("Name");
?? ReturnTable.Columns.Add("Size");
?? ReturnTable.Columns.Add("Value16");
?? ReturnTable.Columns.Add("Value10");
?? ReturnTable.Columns.Add("ASCII");
?? ReturnTable.Columns.Add("Describe");

?? AddTableRow(ReturnTable, _OptionalHeader.Magic, "Magic", "Magic 010B=普通可以執行,0107=ROM映像");
?? AddTableRow(ReturnTable, _OptionalHeader.MajorLinkerVersion, "MajorLinkerVersion", "主版本號");
?? AddTableRow(ReturnTable, _OptionalHeader.MinorLinkerVersion, "MinorLinkerVersion", "副版本號");
?? AddTableRow(ReturnTable, _OptionalHeader.SizeOfCode, "SizeOfCode", "代碼段大小");
?? AddTableRow(ReturnTable, _OptionalHeader.SizeOfInitializedData, "SizeOfInitializedData", "已初始化數據大小");
?? AddTableRow(ReturnTable, _OptionalHeader.SizeOfUninitializedData, "SizeOfUninitializedData", "未初始化數據大小");
?? AddTableRow(ReturnTable, _OptionalHeader.AddressOfEntryPoint, "AddressOfEntryPoint", "執行將從這里開始(RVA)");
?? AddTableRow(ReturnTable, _OptionalHeader.BaseOfCode, "BaseOfCode", "代碼基址(RVA)");
?? AddTableRow(ReturnTable, _OptionalHeader.ImageBase, "ImageBase", "數據基址(RVA)");
?? AddTableRow(ReturnTable, _OptionalHeader.ImageFileCode, "ImageFileCode", "映象文件基址");
?? AddTableRow(ReturnTable, _OptionalHeader.SectionAlign, "SectionAlign", "區段列隊");
?? AddTableRow(ReturnTable, _OptionalHeader.MajorOSV, "MajorOSV", "文件列隊");
?? AddTableRow(ReturnTable, _OptionalHeader.MinorOSV, "MinorOSV", "操作系統主版本號");
?? AddTableRow(ReturnTable, _OptionalHeader.MajorImageVer, "MajorImageVer", "映象文件主版本號");
?? AddTableRow(ReturnTable, _OptionalHeader.MinorImageVer, "MinorImageVer", "映象文件副版本號");
?? AddTableRow(ReturnTable, _OptionalHeader.MajorSV, "MajorSV", "子操作系統主版本號");
?? AddTableRow(ReturnTable, _OptionalHeader.MinorSV, "MinorSV", "子操作系統副版本號");
?? AddTableRow(ReturnTable, _OptionalHeader.UNKNOW, "UNKNOW", "Win32版本值");
?? AddTableRow(ReturnTable, _OptionalHeader.SizeOfImage, "SizeOfImage", "映象文件大小");
?? AddTableRow(ReturnTable, _OptionalHeader.SizeOfHeards, "SizeOfHeards", "標志頭大小");
?? AddTableRow(ReturnTable, _OptionalHeader.CheckSum, "CheckSum", "文件效驗");
?? AddTableRow(ReturnTable, _OptionalHeader.Subsystem, "Subsystem", "子系統(映象文件)1本地 2WINDOWS-GUI 3WINDOWS-CUI 4 POSIX-CUI");
?? AddTableRow(ReturnTable, _OptionalHeader.DLL_Characteristics, "DLL_Characteristics", "DLL標記");
?? AddTableRow(ReturnTable, _OptionalHeader.Bsize, "Bsize", "保留棧的大小");
?? AddTableRow(ReturnTable, _OptionalHeader.TimeBsize, "TimeBsize", "初始時指定棧大小");
?? AddTableRow(ReturnTable, _OptionalHeader.AucBsize, "AucBsize", "保留堆的大小");
?? AddTableRow(ReturnTable, _OptionalHeader.SizeOfBsize, "SizeOfBsize", "初始時指定堆大小");
?? AddTableRow(ReturnTable, _OptionalHeader.FuckBsize, "FuckBsize", "加載器標志");
?? AddTableRow(ReturnTable, _OptionalHeader.DirectCount, "DirectCount", "數據目錄數");

?? return ReturnTable;

? }

? private DataTable TableOptionalDirAttrib()
? {
?? DataTable ReturnTable = new DataTable("OptionalDirAttrib? FileStar{" + _OptionalDirAttrib.FileStarIndex.ToString() + "}FileEnd{" + _OptionalDirAttrib.FileEndIndex.ToString() + "}");
?? ReturnTable.Columns.Add("Name");
?? ReturnTable.Columns.Add("Size");
?? ReturnTable.Columns.Add("Value16");
?? ReturnTable.Columns.Add("Value10");
?? ReturnTable.Columns.Add("ASCII");
?? ReturnTable.Columns.Add("Describe");

?? Hashtable TableName = new Hashtable();


?? TableName.Add("0", "輸出表");
?? TableName.Add("1", "輸入表");
?? TableName.Add("2", "資源表");
?? TableName.Add("3", "異常表");
?? TableName.Add("4", "安全表");
?? TableName.Add("5", "基部重定位表");
?? TableName.Add("6", "調試數據");
?? TableName.Add("7", "版權數據");
?? TableName.Add("8", "全局PTR");
?? TableName.Add("9", "TLS表");
?? TableName.Add("10", "裝入配置表");
?? TableName.Add("11", "其他表1");
?? TableName.Add("12", "其他表2");
?? TableName.Add("13", "其他表3");
?? TableName.Add("14", "其他表4");
?? TableName.Add("15", "其他表5");

?? for (int i = 0; i != _OptionalDirAttrib.DirByte.Count; i++)
?? {
??? OptionalDirAttrib.DirAttrib MyDirByte = (OptionalDirAttrib.DirAttrib)_OptionalDirAttrib.DirByte[i];

??? string Name = "未知表";

??? if (TableName[i.ToString()] != null) Name = TableName[i.ToString()].ToString();

??? AddTableRow(ReturnTable, MyDirByte.DirRva, Name, "地址");
??? AddTableRow(ReturnTable, MyDirByte.DirSize, "", "大小");
?? }

?? return ReturnTable;
? }

? private DataTable TableSectionData()
? {
?? DataTable ReturnTable = new DataTable("SectionData FileStar{" + _SectionTable.FileStarIndex.ToString() + "}FileEnd{" + _SectionTable.FileEndIndex.ToString() + "}");
?? ReturnTable.Columns.Add("Name");
?? ReturnTable.Columns.Add("Size");
?? ReturnTable.Columns.Add("Value16");
?? ReturnTable.Columns.Add("Value10");
?? ReturnTable.Columns.Add("ASCII");
?? ReturnTable.Columns.Add("Describe");

?? for (int i = 0; i != _SectionTable.Section.Count; i++)
?? {
??? SectionTable.SectionData SectionDate = (SectionTable.SectionData)_SectionTable.Section[i];

??? AddTableRow(ReturnTable, SectionDate.SectName, "SectName", "名字");
??? AddTableRow(ReturnTable, SectionDate.VirtualAddress, "VirtualAddress", "虛擬內存地址");
??? AddTableRow(ReturnTable, SectionDate.SizeOfRawDataRVA, "SizeOfRawDataRVA", "RVA偏移");
??? AddTableRow(ReturnTable, SectionDate.SizeOfRawDataSize, "SizeOfRawDataSize", "RVA大小");
??? AddTableRow(ReturnTable, SectionDate.PointerToRawData, "PointerToRawData", "指向RAW數據");
??? AddTableRow(ReturnTable, SectionDate.PointerToRelocations, "PointerToRelocations", "指向定位號");
??? AddTableRow(ReturnTable, SectionDate.PointerToLinenumbers, "PointerToLinenumbers", "指向行數");
??? AddTableRow(ReturnTable, SectionDate.NumberOfRelocations, "NumberOfRelocations", "定位號");
??? AddTableRow(ReturnTable, SectionDate.NumberOfLinenumbers, "NumberOfLinenumbers", "行數號");
??? AddTableRow(ReturnTable, SectionDate.Characteristics, "Characteristics", "區段標記");

?? }

?? return ReturnTable;
? }

? private DataTable TableExportDirectory()
? {
?? DataTable ReturnTable = new DataTable("ExportDirectory FileStar{" + _ExportDirectory.FileStarIndex.ToString() + "}FileEnd{" + _ExportDirectory.FileEndIndex.ToString() + "}");
?? ReturnTable.Columns.Add("Name");
?? ReturnTable.Columns.Add("Size");
?? ReturnTable.Columns.Add("Value16");
?? ReturnTable.Columns.Add("Value10");
?? ReturnTable.Columns.Add("ASCII");
?? ReturnTable.Columns.Add("Describe");

?? AddTableRow(ReturnTable, _ExportDirectory.Characteristics, "Characteristics", "一個保留字段,目前為止值為0。");
?? AddTableRow(ReturnTable, _ExportDirectory.TimeDateStamp, "TimeDateStamp", "產生的時間。");
?? AddTableRow(ReturnTable, _ExportDirectory.MajorVersion, "MajorVersion", "主版本號");
?? AddTableRow(ReturnTable, _ExportDirectory.MinorVersion, "MinorVersion", "副版本號");
?? AddTableRow(ReturnTable, _ExportDirectory.Name, "Name", "一個RVA,指向一個dll的名稱的ascii字符串。");
?? AddTableRow(ReturnTable, _ExportDirectory.Base, "Base", "輸出函數的起始序號。一般為1。");
?? AddTableRow(ReturnTable, _ExportDirectory.NumberOfFunctions, "NumberOfFunctions", "輸出函數入口地址的數組 中的元素個數。");
?? AddTableRow(ReturnTable, _ExportDirectory.NumberOfNames, "NumberOfNames", "輸出函數名的指針的數組 中的元素個數,也是輸出函數名對應的序號的數組 中的元素個數。");
?? AddTableRow(ReturnTable, _ExportDirectory.AddressOfFunctions, "AddressOfFunctions", "一個RVA,指向輸出函數入口地址的數組。");
?? AddTableRow(ReturnTable, _ExportDirectory.AddressOfNames, "AddressOfNames", "一個RVA,指向輸出函數名的指針的數組。");
?? AddTableRow(ReturnTable, _ExportDirectory.AddressOfNameOrdinals, "AddressOfNameOrdinals", "一個RVA,指向輸出函數名對應的序號的數組。");


?? return ReturnTable;

? }
? private DataTable TableExportFunction()
? {
?? DataTable ReturnTable = new DataTable("ExportFunctionList");
?? ReturnTable.Columns.Add("Name");
?? ReturnTable.Columns.Add("Size");
?? ReturnTable.Columns.Add("Value16");
?? ReturnTable.Columns.Add("Value10");
?? ReturnTable.Columns.Add("ASCII");
?? ReturnTable.Columns.Add("Describe");

?? for (int i = 0; i != _ExportDirectory.NameList.Count; i++)
?? {
??? AddTableRow(ReturnTable, (byte[])_ExportDirectory.NameList[i], "Name", "_ExportDirectory.Name-Sect.SizeOfRawDataRVA+Sect.PointerToRawData");

?? }

?? for (int i = 0; i != _ExportDirectory.AddressOfNamesList.Count; i++)
?? {
??? AddTableRow(ReturnTable, (byte[])_ExportDirectory.AddressOfNamesList[i], "NamesList", "");

?? }


?? for (int i = 0; i != _ExportDirectory.AddressOfFunctionsList.Count; i++)
?? {
??? AddTableRow(ReturnTable, (byte[])_ExportDirectory.AddressOfFunctionsList[i], "Functions", "");

?? }

?? for (int i = 0; i != _ExportDirectory.AddressOfNameOrdinalsList.Count; i++)
?? {
??? AddTableRow(ReturnTable, (byte[])_ExportDirectory.AddressOfNameOrdinalsList[i], "NameOrdinals", "");

?? }


?? return ReturnTable;
? }
? private DataTable TableImportDirectory()
? {
?? DataTable ReturnTable = new DataTable("ImportDirectory FileStar{" + _ImportDirectory.FileStarIndex.ToString() + "}FileEnd{" + _ImportDirectory.FileEndIndex.ToString() + "}");
?? ReturnTable.Columns.Add("Name");
?? ReturnTable.Columns.Add("Size");
?? ReturnTable.Columns.Add("Value16");
?? ReturnTable.Columns.Add("Value10");
?? ReturnTable.Columns.Add("ASCII");
?? ReturnTable.Columns.Add("Describe");

?? for (int i = 0; i != _ImportDirectory.ImportList.Count; i++)
?? {
??? ImportDirectory.ImportDate ImportByte = (ImportDirectory.ImportDate)_ImportDirectory.ImportList[i];

??? AddTableRow(ReturnTable, ImportByte.DLLName, "輸入DLL名稱", "**********");
??? AddTableRow(ReturnTable, ImportByte.OriginalFirstThunk, "OriginalFirstThunk", "這里實際上保存著一個RVA,這個RVA指向一個DWORD數組,這個數組可以叫做輸入查詢表。每個數組元素,或者叫一個表項,保存著一個指向函數名的RVA或者保存著一個函數的序號。");
??? AddTableRow(ReturnTable, ImportByte.TimeDateStamp, "TimeDateStamp", "當這個值為0的時候,表明還沒有bind。不為0的話,表示已經bind過了。有關bind的內容后面介紹。");
??? AddTableRow(ReturnTable, ImportByte.ForwarderChain, "ForwarderChain", "");
??? AddTableRow(ReturnTable, ImportByte.Name, "Name", "一個RVA,這個RVA指向一個ascii以空字符結束的字符串,這個字符串就是本結構對應的dll文件的名字。");
??? AddTableRow(ReturnTable, ImportByte.FirstThunk, "FirstThunk", "一個RVA,這個RVA指向一個DWORD數組,這個數組可以叫輸入地址表。如果bind了的話,這個數組的每個元素,就是一個輸入函數的入口地址。");
?? }

?? return ReturnTable;

? }
? private DataTable TableImportFunction()
? {
?? DataTable ReturnTable = new DataTable("ImportFunctionList");
?? ReturnTable.Columns.Add("Name");
?? ReturnTable.Columns.Add("Size");
?? ReturnTable.Columns.Add("Value16");
?? ReturnTable.Columns.Add("Value10");
?? ReturnTable.Columns.Add("ASCII");
?? ReturnTable.Columns.Add("Describe");

?? for (int i = 0; i != _ImportDirectory.ImportList.Count; i++)
?? {
??? ImportDirectory.ImportDate ImportByte = (ImportDirectory.ImportDate)_ImportDirectory.ImportList[i];
??? AddTableRow(ReturnTable, ImportByte.DLLName, "DLL-Name", "**********");

??? for (int z = 0; z != ImportByte.DllFunctionList.Count; z++)
??? {
???? ImportDirectory.ImportDate.FunctionList Function = (ImportDirectory.ImportDate.FunctionList)ImportByte.DllFunctionList[z];

???? AddTableRow(ReturnTable, Function.FunctionName, "FunctionName", "");
???? AddTableRow(ReturnTable, Function.FunctionHead, "FunctionHead", "");
???? AddTableRow(ReturnTable, Function.OriginalFirst, "OriginalFirstThunk", "");
??? }
?? }
?? return ReturnTable;
? }
? private DataTable TableResourceDirectory()
? {
?? DataTable ReturnTable = new DataTable("ResourceDirectory FileStar{" + _ResourceDirectory.FileStarIndex.ToString() + "}FileEnd{" + _ResourceDirectory.FileEndIndex.ToString() + "}");
?? ReturnTable.Columns.Add("GUID");

?? ReturnTable.Columns.Add("Text");
?? ReturnTable.Columns.Add("ParentID");

?? AddResourceDirectoryRow(ReturnTable, _ResourceDirectory, "");


?? return ReturnTable;

? }
? private void AddResourceDirectoryRow(DataTable MyTable, ResourceDirectory Node, string ParentID)
? {
?? string Name = "";
?? if (Node.Name != null)
?? {
??? Name = GetString(Node.Name, "UNICODE");???????????????
?? }

?? for (int i = 0; i != Node.EntryList.Count; i++)
?? {
??? ResourceDirectory.DirectoryEntry Entry = (ResourceDirectory.DirectoryEntry)Node.EntryList[i];
??? long ID = GetLong(Entry.Name);
???????????????
??? string GUID = Guid.NewGuid().ToString();???????????????

??? string IDNAME = "ID{" + ID + "}";
??? if (Name.Length != 0) IDNAME += "Name{" + Name + "}";

??? if (ParentID.Length == 0)
??? {
???? switch (ID)
???? {
????? case 1:
?????? IDNAME += "Type{Cursor}";
?????? break;
????? case 2:
?????? IDNAME += "Type{Bitmap}";
?????? break;
????? case 3:
?????? IDNAME += "Type{Icon}";
?????? break;
????? case 4:
?????? IDNAME += "Type{Cursor}";
?????? break;
????? case 5:
?????? IDNAME += "Type{Menu}";
?????? break;
????? case 6:
?????? IDNAME += "Type{Dialog}";
?????? break;
????? case 7:
?????? IDNAME += "Type{String Table}";
?????? break;
????? case 8:
?????? IDNAME += "Type{Font Directory}";
?????? break;
????? case 9:
?????? IDNAME += "Type{Font}";
?????? break;
????? case 10:
?????? IDNAME += "Type{Accelerators}";
?????? break;
????? case 11:
?????? IDNAME += "Type{Unformatted}";
?????? break;
????? case 12:
?????? IDNAME += "Type{Message Table}";
?????? break;
????? case 13:
?????? IDNAME += "Type{Group Cursor}";
?????? break;
????? case 14:
?????? IDNAME += "Type{Group Icon}";
?????? break;
????? case 15:
?????? IDNAME += "Type{Information}";
?????? break;
????? case 16:
?????? IDNAME += "Type{Version}";
?????? break;
????? default:
?????? IDNAME += "Type{未定義}";
?????? break;
???? }
??? }

??? MyTable.Rows.Add(new string[] { GUID, IDNAME, ParentID });

??? for (int z = 0; z != Entry.DataEntryList.Count; z++)
??? {
???? ResourceDirectory.DirectoryEntry.DataEntry Data = (ResourceDirectory.DirectoryEntry.DataEntry)Entry.DataEntryList[z];

???? string Text = "Address{" + GetString(Data.ResourRVA) + "} Size{" + GetString(Data.ResourSize) + "} FileBegin{" + Data.FileStarIndex.ToString() + "-" + Data .FileEndIndex.ToString()+ "}";

???? MyTable.Rows.Add(new string[] { Guid.NewGuid().ToString(), Text, GUID });
??? }

??? for (int z = 0; z != Entry.NodeDirectoryList.Count; z++)
??? {
???? AddResourceDirectoryRow(MyTable, (ResourceDirectory)Entry.NodeDirectoryList[z], GUID);
??? }

?? }

? }
? #endregion
?}

}

楊航收集技術資料,分享給大家



本文來自互聯網用戶投稿,該文觀點僅代表作者本人,不代表本站立場。本站僅提供信息存儲空間服務,不擁有所有權,不承擔相關法律責任。
如若轉載,請注明出處:http://www.pswp.cn/news/388283.shtml
繁體地址,請注明出處:http://hk.pswp.cn/news/388283.shtml
英文地址,請注明出處:http://en.pswp.cn/news/388283.shtml

如若內容造成侵權/違法違規/事實不符,請聯系多彩編程網進行投訴反饋email:809451989@qq.com,一經查實,立即刪除!

相關文章

10 個深惡痛絕的 Java 異常。。

10 個深惡痛絕的 Java 異常。。

異常是 Java 程序中經常遇到的問題&#xff0c;我想每一個 Java 程序員都討厭異常&#xff0c;一 個異常就是一個 BUG&#xff0c;就要花很多時間來定位異常問題。 什么是異常及異常的分類請看這篇文章&#xff1a;一張圖搞清楚 Java 異常機制。今天&#xff0c;棧長來列一下 J…
閱讀更多...
POJ 2777 - Count Color(線段樹區間更新+狀態壓縮)

POJ 2777 - Count Color(線段樹區間更新+狀態壓縮)

題目鏈接 https://cn.vjudge.net/problem/POJ-2777 【題意】 有一個長度為 LLL 的區間 [1,L][1,L][1,L] &#xff0c;有 TTT 種顏色可以涂&#xff0c;有 QQQ 次操作&#xff0c;操作分兩種C A B CC \ A \ B \ CC A B C 把區間 [A,B][A,B][A,B] 涂成第 CCC 種顏色P A BP \ A \ …
閱讀更多...
如何實施成功的數據清理流程

如何實施成功的數據清理流程

干凈的數據是發現和洞察力的基礎。 如果數據很臟&#xff0c;您的團隊為分析&#xff0c;培養和可視化數據而付出的巨大努力完全是在浪費時間。 當然&#xff0c;骯臟的數據并不是新的。 它早在計算機變得普及之前就困擾著決策。 現在&#xff0c;計算機技術已普及到日常生活中…
閱讀更多...
nginx前端代理tomcat取真實客戶端IP

nginx前端代理tomcat取真實客戶端IP

nginx前端代理tomcat取真實客戶端IP2011年12月14日? nginx? 暫無評論? 被圍觀 3,000 次使用Nginx作為反向代理時&#xff0c;Tomcat的日志記錄的客戶端IP就不在是真實的客戶端IP&#xff0c;而是Nginx代理的IP。要解決這個問題可以在Nginx配置一個新的Header&#xff0c;用來…
閱讀更多...
kubeadm安裝kubernetes 1.13.2多master高可用集群

kubeadm安裝kubernetes 1.13.2多master高可用集群

1. 簡介 Kubernetes v1.13版本發布后&#xff0c;kubeadm才正式進入GA&#xff0c;可以生產使用,用kubeadm部署kubernetes集群也是以后的發展趨勢。目前Kubernetes的對應鏡像倉庫&#xff0c;在國內阿里云也有了鏡像站點&#xff0c;使用kubeadm部署Kubernetes集群變得簡單并且…
閱讀更多...
通才與專家_那么您準備聘請數據科學家了嗎? 通才還是專家?

通才與專家_那么您準備聘請數據科學家了嗎? 通才還是專家?

通才與專家Throughout my 10-year career, I have seen people often spend their time and energy in passionate debates about what data science can deliver, and what data scientists do or do not do. I submit that these are the wrong questions to focus on when y…
閱讀更多...
ubuntu opengl 安裝

ubuntu opengl 安裝

安裝相應的庫&#xff1a; sudo apt-get install build-essential libgl1-mesa-dev sudo apt-get install freeglut3-dev sudo apt-get install libglew-dev libsdl2-dev libsdl2-image-dev libglm-dev libfreetype6-dev 實例&#xff1a; #include "GL/glut.h" void…
閱讀更多...
分享一病毒源代碼,破壞MBR,危險!!僅供學習參考,勿運行(vc++2010已編譯通過)

分享一病毒源代碼,破壞MBR,危險!!僅供學習參考,勿運行(vc++2010已編譯通過)

我在編譯的時候&#xff0c;殺毒軟件提示病毒并將其攔截&#xff0c;所以會導致編譯不成功。 1>D:\c工程\windows\windows\MBR病毒.cpp : fatal error C1083: 無法打開編譯器中間文件:“C:\Users\lenovo\AppData\Local\Temp\_CL_953b34fein”: Permission denied 1> 1>…
閱讀更多...
HTTP請求錯誤400、401、402、403、404、405、406、407、412、414、500、501、502解析

HTTP請求錯誤400、401、402、403、404、405、406、407、412、414、500、501、502解析

【轉載】本文來自 chenxinchongcn 的CSDN 博客 &#xff0c;全文地址請點擊&#xff1a;https://blog.csdn.net/chenxinchongcn/article/details/54945998?utm_sourcecopy HTTP 錯誤 400 400 請求出錯 由于語法格式有誤&#xff0c;服務器無法理解此請求。不作修改&#xff0…
閱讀更多...
數據科學家 數據工程師_數據科學家實際上賺了多少錢?

數據科學家 數據工程師_數據科學家實際上賺了多少錢?

數據科學家 數據工程師目錄 (Table of Contents) Introduction 介紹 Junior Data Scientist 初級數據科學家 Mid-Level Data Scientist 中級數據科學家 Senior Data Scientist 資深數據科學家 Additional Compensation 額外補償 Summary 摘要 介紹 (Introduction) The lucrativ…
閱讀更多...
Spring Cloud構建微服務架構-Hystrix監控面板

Spring Cloud構建微服務架構-Hystrix監控面板

在Spring Cloud中構建一個Hystrix Dashboard非常簡單&#xff0c;只需要下面四步&#xff1a;愿意了解源碼的朋友直接求求交流分享技術 一零三八七七四六二六 創建一個標準的Spring Boot工程&#xff0c;命名為&#xff1a;hystrix-dashboard。 編輯pom.xml&#xff0c;具體依賴…
閱讀更多...
Google 地圖 API 參考

Google 地圖 API 參考

楊航收集技術資料&#xff0c;分享給大家 Google 地圖 API 參考 Google 地圖 API 現在與 Google AJAX API 載入器集成&#xff0c;后者創建了一個公共命名空間&#xff0c;以便載入和使用多個 Google AJAX API。該框架可讓您將可選 google.maps.* 命名空間用于當前在 Google …
閱讀更多...
spotify歌曲下載_使用Spotify數據預測哪些“ Novidades da semana”歌曲會成為熱門歌曲

spotify歌曲下載_使用Spotify數據預測哪些“ Novidades da semana”歌曲會成為熱門歌曲

spotify歌曲下載TL; DR (TL;DR) Spotify is my favorite digital music service and I’m very passionate about the potential to extract meaningful insights from data. Therefore, I decided to do this article to consolidate my knowledge of some classification mod…
閱讀更多...
Hook技術之Hook Activity

Hook技術之Hook Activity

一、Hook技術概述 Hook技術的核心實際上是動態分析技術&#xff0c;動態分析是指在程序運行時對程序進行調試的技術。眾所周知&#xff0c;Android系統的代碼和回調是按照一定的順序執行的&#xff0c;這里舉一個簡單的例子&#xff0c;如圖所示。 對象A調用類對象B&#xff0c…
閱讀更多...
(第三周)周報

(第三周)周報

此作業要求https://edu.cnblogs.com/campus/nenu/2018fall/homework/2143 1.本周PSP 總計&#xff1a;1422 min 2.本周進度條 (1)代碼累積折線圖 (2)博文字數累積折線圖 4.PSP餅狀圖 轉載于:https://www.cnblogs.com/gongylx/p/9761852.html
閱讀更多...
功能測試代碼python_如何使您的Python代碼更具功能性

功能測試代碼python_如何使您的Python代碼更具功能性

功能測試代碼pythonFunctional programming has been getting more and more popular in recent years. Not only is it perfectly suited for tasks like data analysis and machine learning. It’s also a powerful way to make code easier to test and maintain.近年來&am…
閱讀更多...
layou split 屬性

layou split 屬性

layou split&#xff1a;true - 顯示側分欄 轉載于:https://www.cnblogs.com/jasonlai2016/p/9764450.html
閱讀更多...
BZOJ4503:兩個串(bitset)

BZOJ4503:兩個串(bitset)

Description 兔子們在玩兩個串的游戲。給定兩個字符串S和T&#xff0c;兔子們想知道T在S中出現了幾次&#xff0c;分別在哪些位置出現。注意T中可能有“?”字符&#xff0c;這個字符可以匹配任何字符。Input 兩行兩個字符串&#xff0c;分別代表S和TOutput 第一行一個正整數k&…
閱讀更多...
C#Word轉Html的類

C#Word轉Html的類

C#Word轉Html的類/**//******************************************************************** created: 2007/11/02 created: 2:11:2007 23:13 filename: D:C#程序練習WordToChmWordToHtml.cs file path: D:C#程序練習WordToChm file bas…
閱讀更多...
分庫分表的幾種常見形式以及可能遇到的難題

分庫分表的幾種常見形式以及可能遇到的難題

前言 在談論數據庫架構和數據庫優化的時候&#xff0c;我們經常會聽到“分庫分表”、“分片”、“Sharding”…這樣的關鍵詞。讓人感到高興的是&#xff0c;這些朋友所服務的公司業務量正在&#xff08;或者即將面臨&#xff09;高速增長&#xff0c;技術方面也面臨著一些挑戰。…
閱讀更多...
最新文章

Copyright @ 2022~2023