PE 6.0 Format Study (1)
Author: Lu Lin (陆麟)
Please obtain the author's permission before reprinting.
1999.8.2
In the PE 6.0 format, an executable file holds, at offset 3ch, a pointer to the 'PE\0\0' signature. If that signature is absent, the file is not a PE file. Strictly, the value at offset 3ch is the 4-byte e_lfanew field of the DOS header (IMAGE_DOS_HEADER), and that header itself begins with the 'MZ' magic; since the offset is read from the file, a checker should also make sure it falls inside the file before it reads the signature there. The function below demonstrates detecting a PE file.
/* DetectPe(char *) Written by Lu Lin. 1999.8.2
   Only tested on the MS compiler and linker.
   Entry:
     parameter *p: points to the file name, e.g. "c:\\command.com"
   Return:
     TRUE if the file is in PE format.
     FALSE if the file is not a PE file.
*/
#include <windows.h>

#ifndef INVALID_SET_FILE_POINTER
#define INVALID_SET_FILE_POINTER ((DWORD)-1)   // older SDKs do not define it
#endif

BOOL DetectPe(char *p){
    HANDLE hf;   // handle for the file being checked
    LONG ppe;    // e_lfanew: file offset of the PE signature (a 4-byte LONG at 0x3c)
    DWORD sig;   // signature value retrieved
    DWORD res;   // actual byte count returned by ReadFile()
    hf=CreateFile(p,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,
                  FILE_ATTRIBUTE_NORMAL,0);
    if (hf==INVALID_HANDLE_VALUE){
        // GetLastError() would say why (e.g. ERROR_FILE_NOT_FOUND); not needed here
        return FALSE;
    }
    // SetFilePointer returns the new position, so failure is INVALID_SET_FILE_POINTER,
    // not zero (zero is a valid position)
    if (SetFilePointer(hf,0x3c,0,FILE_BEGIN)==INVALID_SET_FILE_POINTER){
        CloseHandle(hf);
        return FALSE;
    }
    // e_lfanew is 4 bytes wide; reading only 2 would break on files whose
    // PE header sits beyond 64 KB
    if (!ReadFile(hf,&ppe,4,&res,0) || res!=4){
        CloseHandle(hf);
        return FALSE;
    }
    // the offset comes from the file itself: reject negative values and
    // let SetFilePointer report anything else unusable
    if (ppe<0 || SetFilePointer(hf,ppe,0,FILE_BEGIN)==INVALID_SET_FILE_POINTER){
        CloseHandle(hf);
        return FALSE;
    }
    // a short read here means the offset points past the end of the file
    if (!ReadFile(hf,&sig,4,&res,0) || res!=4){
        CloseHandle(hf);
        return FALSE;
    }
    CloseHandle(hf);   // close on every path; the mismatch path must not leak the handle
    // "PE\0\0" read as a little-endian DWORD is 0x00004550
    if (sig!=0x00004550) return FALSE;
    return TRUE;
}
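The same check done on an in-memory buffer, as an added example that is not part of the original article. It goes a little beyond the text: it verifies the 'MZ' magic, reads e_lfanew as a full 32-bit little-endian value, and bounds-checks that offset against the buffer length before touching the signature, so a truncated or crafted file cannot make the checker read out of bounds. It needs only a C99 compiler, no Windows headers. The names detect_pe_buf, detect_pe_file, build_sample, the case_* functions and the sample byte layouts are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DOS_HEADER_SIZE 0x40u   /* sizeof(IMAGE_DOS_HEADER) */
#define E_LFANEW_OFFSET 0x3cu   /* offset of e_lfanew inside the DOS header */

/* Read a 32-bit little-endian value regardless of host byte order. */
static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 if buf[0..len) starts with an "MZ" DOS header whose e_lfanew
   points at a "PE\0\0" signature lying entirely inside the buffer, else 0.
   Never reads outside buf. */
int detect_pe_buf(const unsigned char *buf, size_t len)
{
    uint32_t e_lfanew;

    if (len < DOS_HEADER_SIZE)
        return 0;                           /* too short to hold a DOS header */
    if (buf[0] != 'M' || buf[1] != 'Z')
        return 0;                           /* e_magic must be "MZ" */
    e_lfanew = rd32le(buf + E_LFANEW_OFFSET);
    /* e_lfanew comes from the file, so it is untrusted: bound it before
       dereferencing. Subtracting from len avoids overflow in e_lfanew + 4. */
    if (e_lfanew > len - 4)
        return 0;
    return memcmp(buf + e_lfanew, "PE\0\0", 4) == 0;
}

/* File wrapper with the same contract as DetectPe: 1 for PE, 0 otherwise
   (including unreadable files). Only the first MiB is examined; a real
   e_lfanew never points that far. */
int detect_pe_file(const char *path)
{
    enum { MAX_HEAD = 1 << 20 };
    FILE *f = fopen(path, "rb");
    unsigned char *buf;
    size_t n;
    int r;

    if (!f)
        return 0;
    buf = malloc(MAX_HEAD);
    if (!buf) { fclose(f); return 0; }
    n = fread(buf, 1, MAX_HEAD, f);
    fclose(f);
    r = detect_pe_buf(buf, n);
    free(buf);
    return r;
}

/* Constructed sample image: "MZ", the given e_lfanew, and an optional
   4-byte signature written at e_lfanew. Everything else is zero. */
static void build_sample(unsigned char *buf, size_t len, uint32_t e_lfanew,
                         const char *sig)
{
    memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[E_LFANEW_OFFSET + 0] = (unsigned char)(e_lfanew);
    buf[E_LFANEW_OFFSET + 1] = (unsigned char)(e_lfanew >> 8);
    buf[E_LFANEW_OFFSET + 2] = (unsigned char)(e_lfanew >> 16);
    buf[E_LFANEW_OFFSET + 3] = (unsigned char)(e_lfanew >> 24);
    if (sig && e_lfanew <= len - 4)
        memcpy(buf + e_lfanew, sig, 4);
}

/* Each case returns detect_pe_buf's verdict on one constructed input. */
int case_valid_pe(void)
{ unsigned char b[0x48]; build_sample(b, sizeof b, 0x40, "PE\0\0"); return detect_pe_buf(b, sizeof b); }
int case_ne_signature(void)   /* 16-bit NE executable, not PE */
{ unsigned char b[0x48]; build_sample(b, sizeof b, 0x40, "NE\0\0"); return detect_pe_buf(b, sizeof b); }
int case_no_mz(void)          /* PE signature present but DOS magic wrong */
{ unsigned char b[0x48]; build_sample(b, sizeof b, 0x40, "PE\0\0"); b[0] = 'X'; return detect_pe_buf(b, sizeof b); }
int case_lfanew_out_of_range(void)   /* crafted e_lfanew far past the end */
{ unsigned char b[0x48]; build_sample(b, sizeof b, 0xFFFFFFF0u, NULL); return detect_pe_buf(b, sizeof b); }
int case_truncated_file(void) /* valid layout, but the file ends at 0x42 */
{ unsigned char b[0x48]; build_sample(b, sizeof b, 0x40, "PE\0\0"); return detect_pe_buf(b, 0x42); }
int case_too_short(void)      /* "MZ" but no room for e_lfanew at all */
{ unsigned char b[0x20]; memset(b, 0, sizeof b); b[0] = 'M'; b[1] = 'Z'; return detect_pe_buf(b, sizeof b); }

int main(void)
{
    printf("valid PE            : %d\n", case_valid_pe());
    printf("NE signature        : %d\n", case_ne_signature());
    printf("no MZ               : %d\n", case_no_mz());
    printf("e_lfanew out of range: %d\n", case_lfanew_out_of_range());
    printf("truncated file      : %d\n", case_truncated_file());
    printf("too short           : %d\n", case_too_short());
    return 0;
}
```

The bound `e_lfanew > len - 4` is the one line that matters for safety: every other field the PE loader later reads (section table, directories) is reached through offsets from the file in the same way, and each of them needs the same kind of check before use.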