//*******************************************************************************
//                                                                              *
//   PE Decoder Version 1.0,  implemented with C++                              *
//																				*
//   Created By HQ(Fahrenheit), 04CS, NJU										*
//   Finished On Oct 14th 2006													*
//																				*
//   Contact me if you have good ideas.											*
//   Email : fahrenheit871116@163.com											*
//																				*
//*******************************************************************************


#include <windows.h>
#include <iostream>
#include <fstream>
#include <iomanip>
using namespace std;
	

	VOID ToNumeric( LPDWORD ptr, CHAR buf[], INT start, INT size )
	{
	  if ( start<0 || size<0 )
	  {
		return;
	  }

	  *ptr = buf[start+size-1];
	  for ( INT i=size-2; i>=0; i-- )
	  {
		(*ptr) <<= 8;
		(*ptr) |= (UCHAR)buf[i+start];
	  }
	}
	
	VOID ToString( LPSTR ptr, CHAR buf[], INT start, INT size)
	{
	  if ( start<0 || size<0 )
	  {
		return;
	  }

	  for ( INT i=0; i<size; i++ )
	  {
		ptr[i] = buf[i+start];
	  }
	}




    class DataDump 
	{
	  private :
		IMAGE_FILE_HEADER FILE_HEADER;
		IMAGE_OPTIONAL_HEADER32 OPTIONAL_HEADER32;
		PIMAGE_SECTION_HEADER SECTION_HEADER;
		IMAGE_IMPORT_DESCRIPTOR IMPORT_DESCRIPTOR;
		PIMAGE_EXPORT_DIRECTORY EXPORT_DIRECTORY;

		DWORD ExVRk, ImVRk;

	  public :
		DataDump();
		~DataDump();

		BOOL Set_FILE_HEADER( CHAR [], INT );
		BOOL Set_OPTIONAL_HEADER32( CHAR [], INT );
		BOOL Set_SECTION_HEADER32( CHAR [], INT );
		BOOL Set_EXPORT_TABLE( CHAR [],  INT );
		
        VOID GetReady( CHAR [] );
		DWORD Get_OPTIONAL_HEADER_SIZE( VOID ) const; 
		DWORD Get_SECTION_NUMBER( VOID ) const;
		DWORD Get_EXPORT_TABLE_RAW( VOID ) const;
		DWORD Get_IMPORT_TABLE_RAW( VOID ) const;

		VOID Set_Export_VRk( VOID );
		VOID Set_Import_VRk( VOID );
		BOOL Export_Table_Existed( VOID ) const;
		BOOL Import_Table_Existed( VOID ) const;
		
		BOOL Show_FILE_HEADER( ofstream& ) const;
		BOOL Show_OPTIONAL_HEADER32( ofstream& ) const;
		BOOL Show_SECTION_HEADER32( ofstream& ) const;
		BOOL Show_EXPORT_TABLE( ifstream&, ofstream& ) const;
		BOOL Show_IMPORT_TABLE( ifstream&, ofstream& ) const;

	};

	DataDump::DataDump( VOID )
	{
	  SECTION_HEADER = NULL;
	  ExVRk = ImVRk = 0x00000000;
	}

	DataDump::~DataDump()
	{
	  if ( SECTION_HEADER ) 
	  {
		delete [] SECTION_HEADER;
	  }
	  if ( EXPORT_DIRECTORY ) 
	  {
		delete EXPORT_DIRECTORY;
	  }

	}

	BOOL DataDump::Set_FILE_HEADER( CHAR buf[], INT size )
	{
	  if ( size!=20 )
	  {
		return FALSE;
	  }

	  ToNumeric((LPDWORD)&FILE_HEADER.Machine, buf, 0, 2);
	  ToNumeric((LPDWORD)&FILE_HEADER.NumberOfSections, buf, 2, 2);
	  ToNumeric((LPDWORD)&FILE_HEADER.TimeDateStamp, buf, 4, 4);
	  ToNumeric((LPDWORD)&FILE_HEADER.PointerToSymbolTable, buf, 8, 4);
	  ToNumeric((LPDWORD)&FILE_HEADER.NumberOfSymbols, buf, 12, 4);
	  ToNumeric((LPDWORD)&FILE_HEADER.SizeOfOptionalHeader, buf, 16, 2);
	  ToNumeric((LPDWORD)&FILE_HEADER.Characteristics, buf, 18, 2);

	  return TRUE;
	}

	BOOL DataDump::Set_OPTIONAL_HEADER32( CHAR buf[], INT size )
	{
	  if ( size<1 )
	  {
		return FALSE;
	  }

      ToNumeric((LPDWORD)&OPTIONAL_HEADER32.Magic, buf, 0, 2);

	  ToNumeric((LPDWORD)&OPTIONAL_HEADER32.MajorLinkerVersion, buf, 2, 1);
	  ToNumeric((LPDWORD)&OPTIONAL_HEADER32.AddressOfEntryPoint, buf, 16, 4);
	  ToNumeric((LPDWORD)&OPTIONAL_HEADER32.BaseOfCode, buf, 20, 4);
	  ToNumeric((LPDWORD)&OPTIONAL_HEADER32.BaseOfData, buf, 24, 4);
	  ToNumeric((LPDWORD)&OPTIONAL_HEADER32.ImageBase, buf, 28, 4);
	  ToNumeric((LPDWORD)&OPTIONAL_HEADER32.SectionAlignment, buf, 32, 4);
	  ToNumeric((LPDWORD)&OPTIONAL_HEADER32.FileAlignment, buf, 36, 4);
	  ToNumeric((LPDWORD)&OPTIONAL_HEADER32.MajorImageVersion, buf, 44, 2);	
	  ToNumeric((LPDWORD)&OPTIONAL_HEADER32.MajorSubsystemVersion, buf, 48, 2);
	  ToNumeric((LPDWORD)&OPTIONAL_HEADER32.SizeOfImage, buf, 56, 4);
	  ToNumeric((LPDWORD)&OPTIONAL_HEADER32.SizeOfHeaders, buf, 60, 4);
	  ToNumeric((LPDWORD)&OPTIONAL_HEADER32.CheckSum, buf, 64, 4);
	  ToNumeric((LPDWORD)&OPTIONAL_HEADER32.Subsystem, buf, 68, 4);
	  ToNumeric((LPDWORD)&OPTIONAL_HEADER32.DllCharacteristics, buf, 70, 4);
	  ToNumeric((LPDWORD)&OPTIONAL_HEADER32.NumberOfRvaAndSizes, buf, 92, 4);

	  for ( INT i=0, j=0; i<OPTIONAL_HEADER32.NumberOfRvaAndSizes; i++, j+=8 )
	  {
	    ToNumeric((LPDWORD)&OPTIONAL_HEADER32.DataDirectory[i].VirtualAddress, buf, 96+j, 4);
		ToNumeric((LPDWORD)&OPTIONAL_HEADER32.DataDirectory[i].Size, buf, 100+j, 4);
	  }
      
	  return TRUE;
	}

	BOOL DataDump::Set_SECTION_HEADER32( CHAR buf[], INT size )
	{
	  if ( size<1 || size%40!=0 )
	  {
		  return FALSE;
	  }

	  SECTION_HEADER = new IMAGE_SECTION_HEADER [FILE_HEADER.NumberOfSections];

	  for ( INT i=0, j=0; i<FILE_HEADER.NumberOfSections; i++, j+=40 )
	  {
		ToString((LPSTR)&SECTION_HEADER[i].Name, buf, j, 8);
        ToNumeric((LPDWORD)&SECTION_HEADER[i].Misc, buf, j+8, 4);
		ToNumeric((LPDWORD)&SECTION_HEADER[i].VirtualAddress, buf, j+12, 4);
		ToNumeric((LPDWORD)&SECTION_HEADER[i].SizeOfRawData, buf, j+16, 4);
		ToNumeric((LPDWORD)&SECTION_HEADER[i].PointerToRawData, buf, j+20, 4);
		ToNumeric((LPDWORD)&SECTION_HEADER[i].PointerToRelocations, buf, j+24, 4);
		ToNumeric((LPDWORD)&SECTION_HEADER[i].PointerToLinenumbers, buf, j+28, 4);
		ToNumeric((LPDWORD)&SECTION_HEADER[i].NumberOfRelocations, buf, j+32, 2);
		ToNumeric((LPDWORD)&SECTION_HEADER[i].NumberOfLinenumbers, buf, j+34, 2);
		ToNumeric((LPDWORD)&SECTION_HEADER[i].Characteristics, buf, j+36, 4);
	  }

	  Set_Export_VRk();
	  Set_Import_VRk();

	  return TRUE;
	}

	BOOL DataDump::Set_EXPORT_TABLE( CHAR buf[],  INT size )
	{
	  if ( size<1 )
	  {
		  return FALSE;
	  }
      EXPORT_DIRECTORY = new IMAGE_EXPORT_DIRECTORY;

	  ToNumeric((LPDWORD)&EXPORT_DIRECTORY->Characteristics, buf, 0, 4);
	  ToNumeric((LPDWORD)&EXPORT_DIRECTORY->TimeDateStamp, buf, 4, 4);
	  ToNumeric((LPDWORD)&EXPORT_DIRECTORY->MajorVersion, buf, 8, 2);
	  ToNumeric((LPDWORD)&EXPORT_DIRECTORY->MinorVersion, buf, 10, 2);
	  ToNumeric((LPDWORD)&EXPORT_DIRECTORY->Name, buf, 12, 4);
	  ToNumeric((LPDWORD)&EXPORT_DIRECTORY->Base, buf, 16, 4);
	  ToNumeric((LPDWORD)&EXPORT_DIRECTORY->NumberOfFunctions, buf, 20, 4);
	  ToNumeric((LPDWORD)&EXPORT_DIRECTORY->NumberOfNames, buf, 24, 4);
	  ToNumeric((LPDWORD)&EXPORT_DIRECTORY->AddressOfFunctions, buf, 28, 4);
	  ToNumeric((LPDWORD)&EXPORT_DIRECTORY->AddressOfNames, buf, 32, 4);
	  ToNumeric((LPDWORD)&EXPORT_DIRECTORY->AddressOfNameOrdinals, buf, 36, 4);

	  return TRUE;
	}

	BOOL DataDump::Show_IMPORT_TABLE( ifstream& PE_file, ofstream& fout ) const
	{
	  CHAR buf[33];
	  DWORD ImOffset = Get_IMPORT_TABLE_RAW(), ThunkValue = 0x00000001, Thunk;
	  WORD hint = 0x00000000;

	  buf[28] = 0;
	  fout.clear();
	  fout<<"++++++++++++++++++++++++++ Import Table Information +++++++++++++++++++++"<<endl<<endl;
	  if ( Import_Table_Existed() )
	  {
		PE_file.clear();
	    for ( INT i=0; ; i++ )
		{
		  PE_file.seekg(ImOffset+i*20);
	      PE_file.read(buf, 20);

	      ToNumeric((LPDWORD)&IMPORT_DESCRIPTOR.FirstThunk, buf, 16, 4);

		  if ( IMPORT_DESCRIPTOR.FirstThunk==0xCCCCCCCC )
		  {
		    return FALSE;
		  }

		  if ( !IMPORT_DESCRIPTOR.FirstThunk )
		  {
		    break;
		  }

	      ToNumeric((LPDWORD)&IMPORT_DESCRIPTOR.TimeDateStamp, buf, 4, 4);
	      ToNumeric((LPDWORD)&IMPORT_DESCRIPTOR.ForwarderChain, buf, 8, 4);
	      ToNumeric((LPDWORD)&IMPORT_DESCRIPTOR.Name, buf, 12, 4);
	      ToNumeric((LPDWORD)&IMPORT_DESCRIPTOR.OriginalFirstThunk, buf, 0, 4);
		
		  fout<<"   ------------------------------------------------------------------------"<<endl<<endl;
		  fout<<setfill(' ')<<setw(20)<<"Name";
		  fout<<"    "<<setfill('0')<<setw(8)<<IMPORT_DESCRIPTOR.Name;
		  fout<<setfill(' ')<<setw(20)<<"TimeDateStamp";
		  fout<<"    "<<setfill('0')<<setw(8)<<IMPORT_DESCRIPTOR.TimeDateStamp<<endl;
		  fout<<setfill(' ')<<setw(20)<<"OriginalFirstThunk";	
		  fout<<"    "<<setfill('0')<<setw(8)<<IMPORT_DESCRIPTOR.OriginalFirstThunk;
		  fout<<setfill(' ')<<setw(20)<<"FirstThunk";
		  fout<<"    "<<setfill('0')<<setw(8)<<IMPORT_DESCRIPTOR.FirstThunk<<endl;	
		  fout<<setfill(' ')<<setw(20)<<"ForwarderChain";	
		  fout<<"    "<<setfill('0')<<setw(8)<<IMPORT_DESCRIPTOR.ForwarderChain;
		  fout<<setfill(' ')<<setw(20)<<"Characteristics";
		  fout<<"    "<<setfill('0')<<setw(8)<<IMPORT_DESCRIPTOR.Characteristics<<endl<<endl;

		  PE_file.seekg(IMPORT_DESCRIPTOR.Name-ImVRk);
		  PE_file.read(buf, 24);
		  fout.fill(0);
		  fout<<" -> DLL Name : "<<buf<<endl;
		  fout<<"  |"<<endl;
		  fout<<"  -> "<<setw(12)<<"ThunkRVA"<<setw(16)<<"ThunkValue"<<setw(12)<<"Hint"<<setw(28)<<"Function Name"<<endl;
		  fout<<"     ----------------------------------------------------------------------"<<endl;
		
		  if ( IMPORT_DESCRIPTOR.OriginalFirstThunk )
		  {
		    Thunk = IMPORT_DESCRIPTOR.OriginalFirstThunk;
		  }
		  else
		  {
		    Thunk = IMPORT_DESCRIPTOR.FirstThunk;
		  }

		  if ( Thunk )
		  {
		    for ( INT j=0; ; j++, Thunk+=4 )
			{
		      PE_file.seekg(Thunk-ImVRk);
		      PE_file.read(buf, 4);
		      ToNumeric((LPDWORD)&ThunkValue, buf, 0, 4);
		    
			  if ( !ThunkValue )
			  {
			    break;
			  }

		      fout<<"         "<<setfill('0')<<setw(8)<<Thunk<<"        "<<setw(8)<<ThunkValue;

              if ( !(ThunkValue & 0x80000000) )                     // MSB Setted '0' Represents It Is A Pointer To IMAGE_IMPORT_BY_NAME
			  {
			    PE_file.seekg(ThunkValue-ImVRk);
		        PE_file.read(buf, 2);
		        ToNumeric((LPDWORD)&hint, buf, 0, 2);
			
			    PE_file.read(buf, 28);
			    fout<<"        "<<setfill('0')<<setw(4)<<hint;