本文实例讲述了C++实现查壳程序代码,分享给大家供大家参考。具体方法分析如下:
一般来说,PEID是基于特征码的,用python只需要两行代码,用VC实现用了这么多代码……。
python中只要引入pefile模块,第一句代码指定数据库文件,第二句代码返回结果。具体的看pefile官方介绍吧
下面是C++的代码:
void CMyPeidDlg::OnBnClickedBtnOpen()
{
// 获取当前工作路径
CString strAppName;//当前工作目录
::GetModuleFileName(NULL, strAppName.GetBuffer(_MAX_PATH), _MAX_PATH);
strAppName.ReleaseBuffer();
int nPos = strAppName.ReverseFind('//');
strAppName = strAppName.Left(nPos + 1);
// AfxMessageBox(strAppName);
// 文件扩展名过滤器
LPCTSTR szFilter = "EXE Files (*.EXE)|*.EXE|DLL Files (*.DLL)|*.DLL|All Files (*.*)|*.*||";
//初始目录是c:/windows, 初始选择的文件名是test,初始后缀过滤器是 Chart Files (*.xlc)
CFileDialog dlg(TRUE,NULL ,strAppName.GetBuffer(_MAX_PATH) ,OFN_ENABLESIZING ,szFilter,NULL);
if(dlg.DoModal() == IDOK)
{
CString strFile = dlg.GetPathName(); // 全路径
GetDlgItem(IDC_EDT_FILE)->SetWindowText(strFile.GetBuffer(_MAX_PATH));
TRACE("/n&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&/n");
TRACE(strFile);
TRACE("/n&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&/n");
}
}
void CMyPeidDlg::OnBnClickedBtnOk()
{
GetDlgItem(IDC_EDT_FILE)->SetWindowText("c:\\1.exe");
char buf[_MAX_PATH];
ZeroMemory(buf, _MAX_PATH);
GetDlgItemText(IDC_EDT_FILE, buf, _MAX_PATH-1);
HANDLE hFile = CreateFile(buf, GENERIC_READ,FILE_SHARE_READ, NULL, OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
if (!hFile)
{
MessageBox("createFile failed..");
return;
}
HANDLE hMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0,NULL);
if (!hMap)
{
MessageBox("hMap failed..");
return;
}
LPVOID lpBase = MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);
if (!lpBase)
{
MessageBox("lpBase failed..");
return;
}
DWORD dwOEP;
IMAGE_DOS_HEADER *pDosHeader = (IMAGE_DOS_HEADER*)lpBase;
IMAGE_NT_HEADERS *pNtHeader = (IMAGE_NT_HEADERS*)((char*)lpBase + pDosHeader->e_lfanew);
dwOEP = pNtHeader->OptionalHeader.AddressOfEntryPoint;
PIMAGE_SECTION_HEADER pSectionHeader = IMAGE_FIRST_SECTION(pNtHeader);
CString strTemp;
strTemp.Format("%0x",dwOEP);
SetDlgItemText(IDC_EDT_OEP, strTemp.GetBuffer(4));
DWORD FileOffset;
for(int i=0; i<pNtHeader->FileHeader.NumberOfSections;i++)
{
if (dwOEP >= pSectionHeader->VirtualAddress &&
dwOEP < pSectionHeader->VirtualAddress + pSectionHeader->SizeOfRawData)
{
FileOffset = dwOEP - pSectionHeader->VirtualAddress + pSectionHeader->PointerToRawData;
}
pSectionHeader++;
}
strTemp.Empty();
strTemp.Format("%0x",FileOffset);
SetDlgItemText(IDC_EDT_FILEOFFSET, strTemp.GetBuffer(4));
//从文件偏移开始读特征码
CString strBuf;
DWORD dwReaded;
SetFilePointer(hFile, FileOffset,0, FILE_BEGIN);
ReadFile(hFile, strBuf.GetBuffer(16), 16, &dwReaded,NULL);
MessageBox(strBuf.GetBuffer(16));
char code[] = "\x60\xE8\x03\x00\x00\x00\xE9\xEB\04\x5D\x45\x55\xC3\xE8\x01";
char fileBuf[16];
memcpy(fileBuf, strBuf.GetBuffer(16),16);
char ctype[20];
for (int i=0;i<16;i++)
{
if (code[i]!=fileBuf[i])
{
StrCpy(ctype,"not found");
break;
}
else if (i==15)
{
StrCpy(ctype, "aspack");
}
}
SetDlgItemText(IDC_EDT_SHELLTYPE, ctype);
}
希望本文所述对大家的C++程序设计有所帮助。