wsprintf,addr buffer,addr template,[esi].SizeOfRawData <br>
lea eax,buffer <br>
mov
lvi.pszText,eax <br>
inc lvi.iSubItem
<br>
invoke
SendDlgItemMessage,hDlg,IDC_SECTIONLIST,LVM_SETITEM,0,addr lvi <br>
invoke
wsprintf,addr buffer,addr template,[esi].PointerToRawData <br>
lea eax,buffer <br>
mov
lvi.pszText,eax <br>
inc lvi.iSubItem
<br>
invoke
SendDlgItemMessage,hDlg,IDC_SECTIONLIST,LVM_SETITEM,0,addr lvi <br>
invoke
wsprintf,addr buffer,addr template,[esi].Characteristics <br>
lea eax,buffer <br>
mov
lvi.pszText,eax <br>
inc lvi.iSubItem
<br>
invoke
SendDlgItemMessage,hDlg,IDC_SECTIONLIST,LVM_SETITEM,0,addr lvi <br>
inc lvi.iItem <br>
dec edi <br>
add esi, sizeof
IMAGE_SECTION_HEADER <br>
.endw <br>
.elseif <br>
uMsg==WM_CLOSE <br>
invoke
EndDialog,hDlg,NULL <br>
.else <br>
mov eax,FALSE <br>
ret <br>
.endif <br>
mov eax,TRUE <br>
ret <br>
DlgProc endp <br>
<br>
; ShowSectionInfo: find the section table of the mapped PE file and show it in the section-list dialog. <br>
; Reads pMapping and hInstance (not declared in this procedure), stores the section count in NumberOfSections, <br>
; and hands the section-table address to DlgProc as the last argument of DialogBoxParam. edi is preserved via "uses edi". <br>
ShowSectionInfo proc uses edi <br>
mov edi, pMapping <br>
assume edi:ptr IMAGE_DOS_HEADER <br>
; NOTE(review): e_lfanew is read from the file and added to the mapping base with no range check in this procedure; <br>
; confirm the earlier validity check keeps the result inside the mapped view. <br>
add edi, [edi].e_lfanew <br>
assume edi:ptr IMAGE_NT_HEADERS <br>
; NumberOfSections is a 16-bit field, so it is zero-extended before being stored as a dword. <br>
; NOTE(review): the count is file-controlled and nothing visible here checks that <br>
; count * sizeof IMAGE_SECTION_HEADER stays inside the mapped view before the dialog walks the table. <br>
mov ax,[edi].FileHeader.NumberOfSections <br>
movzx eax,ax <br>
mov NumberOfSections,eax <br>
; Step over the fixed-size IMAGE_NT_HEADERS to reach the first IMAGE_SECTION_HEADER. <br>
; NOTE(review): this assumes a standard-size optional header; the PE format records the actual size in <br>
; FileHeader.SizeOfOptionalHeader, which a crafted file may set to a different value. <br>
add edi,sizeof IMAGE_NT_HEADERS <br>
; edi (section-table address) is passed as the dialog's final argument. <br>
invoke DialogBoxParam, hInstance,
IDD_SECTIONTABLE,NULL, addr DlgProc, edi<br>
ret <br>
ShowSectionInfo endp <br>
end start </font></p>
<h3>分析<font face="Arial, Helvetica, sans-serif">:</font></h3>
<p><font size="2">本例重用了</font><font size="2"
face="MS Sans Serif">PE</font><font size="2">教程</font><font
size="2" face="MS Sans Serif">2</font><font size="2">的代碼,校驗</font><font
size="2" face="MS Sans Serif">PE</font><font size="2">文件的有效性后,繼續調用函數</font><font
size="2" face="MS Sans Serif">ShowSectionInfo</font><font
size="2">顯示各節信息。</font></p>
<p><font face="Fixedsys">ShowSectionInfo proc uses edi <br>
mov edi, pMapping <br>
assume edi:ptr IMAGE_DOS_HEADER <br>
add edi, [edi].e_lfanew<br>
assume edi:ptr IMAGE_NT_HEADERS</font></p>
<p><font size="2">我們將</font><font size="2"
face="MS Sans Serif">edi</font><font size="2">用作指向</font><font
size="2" face="MS Sans Serif">PE</font><font size="2">文件數據的指針。首先,將指向</font><font
size="2" face="MS Sans Serif">DOS header</font><font size="2">地址的</font><font
size="2" face="MS Sans Serif">pMapping</font><font size="2">賦給</font><font
size="2" face="MS Sans Serif">edi</font><font size="2">,再加上</font><font
color="#FFFFCC" size="2" face="MS Sans Serif"><b>e_lfanew</b></font><font
size="2">域值等于</font><font size="2" face="MS Sans Serif">PE
header</font><font size="2">的地址。</font></p>
<p><font face="Fixedsys"> mov
ax,[edi].FileHeader.NumberOfSections<br>
movzx eax,ax<br>
mov NumberOfSections,eax </font></p>
<p><font size="2">因為我們要遍歷節表,所以必須先獲取文件的節數目。這就得靠</font><font
size="2" face="MS Sans Serif">file header</font><font size="2">里的</font><font
size="2" face="MS Sans Serif">NumberOfSections</font><font
size="2">域了,切記這是個</font><font size="2"
face="MS Sans Serif">word</font><font size="2">域,所以存入 dword 變量前要先用 movzx 做零擴展。</font></p>
<p><font face="Fixedsys"> add edi,sizeof
IMAGE_NT_HEADERS </font></p>
<p><font size="2">現在</font><font size="2"
face="MS Sans Serif">edi</font><font size="2">正指向</font><font
size="2" face="MS Sans Serif">PE header</font><font size="2">的起始地址,加上</font><font
size="2" face="MS Sans Serif">PE header</font><font size="2">結構大小后恰好指向節表了。這里假定 optional header 是標準大小;其實際大小由 file header 的 SizeOfOptionalHeader 域給出,解析不可信的文件時應以該域為準,并確認結果仍在映射範圍之內。</font></p>
<p><font face="Fixedsys"> invoke DialogBoxParam,
hInstance, IDD_SECTIONTABLE,NULL, addr DlgProc, edi</font></p>
<p><font size="2">調用 </font><font color="#FFFFCC" size="2"
face="MS Sans Serif"><b>DialogBoxParam</b></font><font size="2"
face="MS Sans Serif"> </font><font size="2">顯示列表對話框,注意我們已將節表地址作為最后一個參數傳遞過去了,該值可從</font><font
color="#CCFFCC" size="2" face="MS Sans Serif"><b>WM_INITDIALOG</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">消息的</font><font
size="2" face="MS Sans Serif">lParam</font><font size="2">參數中提取。</font></p>
<p><font size="2">在對話框過程里我們響應</font><font
size="2" face="MS Sans Serif">WM_INITDIALOG</font><font size="2">消息,將</font><font
size="2" face="MS Sans Serif">lParam</font><font size="2">值 </font><font
size="2" face="MS Sans Serif">(</font><font size="2">節表地址</font><font
size="2" face="MS Sans Serif">)</font><font size="2">存入</font><font
size="2" face="MS Sans Serif">esi</font><font size="2">,節數目賦給</font><font
size="2" face="MS Sans Serif">edi</font><font size="2">并設置列表控件。萬事俱備后,進入循環將各節信息插入到列表控件中,這部分相當簡單。</font></p>
<p><font face="Fixedsys"> .while
edi>0 <br>
mov
lvi.iSubItem,0 </font></p>
<p><font size="2">字符串置入第一列。</font></p>
<p><font face="Fixedsys">
invoke RtlZeroMemory,addr buffer,9 <br>
invoke
lstrcpyn,addr buffer,addr [esi].Name1,8 <br>
lea eax,buffer <br>
mov
lvi.pszText,eax </font></p>
<p><font size="2">要顯示節名,當然要先將其轉換為</font><font
size="2" face="MS Sans Serif">ASCIIZ</font><font size="2">字符串。節名最長 8 字節,恰好 8 字節時沒有結尾的 0;而 lstrcpyn 的長度參數把結尾的 0 也算在內,傳 8 最多只復制 7 個字符,要完整顯示 8 字符的節名應傳 9(buffer 已清零 9 字節)。</font></p>
<p><font face="Fixedsys">
invoke
SendDlgItemMessage,hDlg,IDC_SECTIONLIST,LVM_INSERTITEM,0,addr lvi
</font></p>
<p><font size="2">然后顯示第一列。<br>
繼續我們偉大的工程,顯示完本節中最后一個欲呈現的值后,立馬下一個結構。</font></p>
<p><font face="Fixedsys">
dec edi <br>
add esi, sizeof
IMAGE_SECTION_HEADER <br>
.endw </font></p>
<p><font size="2">每處理完一節就遞減</font><font
size="2" face="MS Sans Serif">edi</font><font size="2">,然后將</font><font
size="2" face="MS Sans Serif">esi</font><font size="2">加上</font><font
color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_SECTION_HEADER</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">結構大小,使其指向下一個</font><font
color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_SECTION_HEADER</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">結構。</font></p>
<p><font size="2">遍歷節表的步驟</font><font size="2"
face="MS Sans Serif">:</font></p>
<ol>
<li><font size="2" face="MS Sans Serif">PE</font><font
size="2">文件有效性校驗。</font></li>
<li><font size="2">定位到 </font><font size="2"
face="MS Sans Serif">PE header </font><font size="2">的起始地址。</font></li>
<li><font size="2">從 </font><font size="2"
face="MS Sans Serif">file header </font><font size="2">的</font><font
color="#FFFFCC" size="2"><b> </b></font><font
color="#FFFFCC" size="2" face="MS Sans Serif"><b>NumberOfSections</b></font><font
size="2">域獲取節數。</font></li>
<li><font size="2">通過兩種方法定位節表</font><font
size="2" face="MS Sans Serif">: </font><font
color="#FFFFCC" size="2" face="MS Sans Serif"><b>ImageBase</b></font><font
size="2" face="MS Sans Serif">+</font><font
color="#FFFFCC" size="2" face="MS Sans Serif"><b>SizeOfHeaders</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">或者
</font><font size="2" face="MS Sans Serif">PE header</font><font
size="2">的起始地址</font><font size="2"
face="MS Sans Serif">+ PE header</font><font size="2">結構大小。
</font><font size="2" face="MS Sans Serif">(</font><font
size="2">節表緊隨 </font><font size="2"
face="MS Sans Serif">PE header)</font><font size="2">。如果不是使用文件映射的方法,可以用</font><font
color="#FFFFCC" size="2" face="MS Sans Serif"><b>SetFilePointer</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">直接將文件指針定位到節表。節表的文件偏移量存放在
</font><font color="#FFFFCC" size="2"
face="MS Sans Serif"><b>SizeOfHeaders</b></font><font
size="2">域里。</font><font size="2"
face="MS Sans Serif">(</font><font color="#FFFFCC"
size="2" face="MS Sans Serif"><b>SizeOfHeaders</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">是 </font><font
color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_OPTIONAL_HEADER
</b></font><font size="2">的結構成員</font><font
size="2" face="MS Sans Serif">)</font><font size="2">。注:按 PE 格式的定義,SizeOfHeaders 是 DOS 頭、PE header 與節表合計的大小(按 FileAlignment 對齊),對應節表之后的位置,而不是節表的起始偏移;定位節表應采用第二種方法,并以 file header 的 SizeOfOptionalHeader 域取得 optional header 的實際大小。</font></li>
<li><font size="2">處理每個 </font><font color="#CCFFCC"
size="2" face="MS Sans Serif"><b>IMAGE_SECTION_HEADER</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">結構。</font></li>
</ol>
<hr>
<p align="center"><font size="2"><b>翻譯:</b></font><font
size="2" face="MS Sans Serif"><b>iamgufeng [</b></font><a
href="http://win32asm.cjb.net/"><font size="2"
face="MS Sans Serif"><b>Iczelion's Win32 Assembly Homepage</b></font></a><font
size="2" face="MS Sans Serif"><b>]</b><strong>[</strong></font><a
href="http://asm.yeah.net"><font size="2" face="MS Sans Serif"><strong>LuoYunBin's
Win32 ASM Page</strong></font></a><font size="2"
face="MS Sans Serif"><strong>]</strong></font></p>
<p> </p>
</body>
</html>