我正在尝试获取 .text 部分的标题。 似乎有效的是:
// Get the DOS header.
pDosHeader = (PIMAGE_DOS_HEADER) hMap;
// Get header of first section
pSectionHeader = (PIMAGE_SECTION_HEADER) ((DWORD) hMap + pDosHeader->e_lfanew + sizeof(IMAGE_NT_HEADERS));
// Get last section's header.
pLastSectionHeader = pSectionHeader + (pNtHeaders->FileHeader.NumberOfSections - 1);
但我不太明白为什么。我本以为最后一条指令必须是:
// Get last section's header.
pLastSectionHeader = pSectionHeader + (pNtHeaders->FileHeader.NumberOfSections - 1) * sizeof(IMAGE_SECTION_HEADER);
以便指针按节标题方向移动。
另外,
(pNtHeaders->FileHeader.NumberOfSections - 1)原因
pLastSectionHeader = pSectionHeader + (pNtHeaders->FileHeader.NumberOfSections - 1);
是正确的,
pSectionHeaderPIMAGE_SECTION_HEADERIMAGE_SECTION_HEADER您不应假设链接器放置不同部分的顺序。最好循环遍历所有节标题,例如将部分名称与
.text另外,我不建议使用
sizeof(IMAGE_NT_HEADERS)IMAGE_OPTIONAL_HEADERIMAGE_NT_HEADERSIMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];NumberOfRvaAndSizes最后,我建议您使用
IMAGE_XYZ32IMAGE_XYZ64IMAGE_XYZ给你:
// Get DOS and PE Header
PIMAGE_DOS_HEADER hdos = (PIMAGE_DOS_HEADER)pe_file.data();
PIMAGE_NT_HEADERS hpe = (PIMAGE_NT_HEADERS)((DWORD)hdos + hdos->e_lfanew);
// Get header of first section
DWORD section_offset = (DWORD)hdos + hdos->e_lfanew + sizeof(IMAGE_NT_HEADERS);
PIMAGE_SECTION_HEADER text_section = (PIMAGE_SECTION_HEADER)(section_offset);
.text.textPE 文件部分有一个
IMAGE_SCN_CNT_CODE请注意
sizeof(IMAGE_NT_HEADERS)IMAGE_NT_HEADERS->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + sizeof(DWORD)检查代码(C代码):
PIMAGE_NT_HEADERS NtHeaders = (PIMAGE_NT_HEADERS)(hMod + ((PIMAGE_DOS_HEADER)hMod)->e_lfanew);
PIMAGE_SECTION_HEADER SectionHeaders = IMAGE_FIRST_SECTION(NtHeaders);
PIMAGE_SECTION_HEADER codeSection2;
for (WORD SectionIndex = 0; SectionIndex < NtHeaders->FileHeader.NumberOfSections; SectionIndex++)
{
PIMAGE_SECTION_HEADER SectionHeader = &SectionHeaders[SectionIndex];
if (SectionHeader->Characteristics & IMAGE_SCN_CNT_CODE){
codeSection2 = SectionHeader;
break;
}
}
IMAGE_SECTION_HEADER codeSection = *codeSection2;