#include "header.h"
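/*
 * Print one IMAGE_DOS_HEADER member and advance the shared file offset.
 *
 * Output line is "[offset] - name[Nbyte]\t: value"; the value is printed as
 * zero-padded hex with two digits per byte of the member (4 for a WORD,
 * 8 for the LONG e_lfanew), which matches the %04X / %08X the fields used
 * before this helper existed.
 *
 * fp    - file whose position is being tracked
 * name  - member name (or "name[i]" for array elements) as printed
 * size  - sizeof the member; also the distance the offset is advanced
 * value - the member's value, already widened to unsigned
 *
 * `offset` is the file-scope position variable shared with the other print_*
 * routines (declared in header.h); get_file_offset() moves it forward by
 * `size` bytes after the line is printed.
 */
static void print_dos_member(FILE *fp, const char *name, size_t size, unsigned value)
{
    /* %zu, not %zd: sizeof yields size_t, which is unsigned. */
    printf("[%08X] - %s[%zubyte]\t: %0*X\n", offset, name, size, (int)(2 * size), value);
    offset = get_file_offset(fp, size);
}

/*
 * Dump every IMAGE_DOS_HEADER member with its file offset, size and value.
 *
 * fp  - open handle of the PE file; used only to track the file offset so
 *       that each member's position can be printed next to its value
 * idh - DOS header already read from the start of the file
 *
 * The DOS header is the first structure in a PE file, so the position is
 * reset to 0 before printing. This routine only displays the header; the
 * values come straight from the file, so callers that rely on e_magic (PE
 * check) or seek to e_lfanew (NT header offset) must validate them against
 * the file size before use — this function does no such check.
 */
void print_dos_header(FILE* fp, IMAGE_DOS_HEADER* idh)
{
    char label[32];

    printf("=============== [Dos Header] ===============\n\n");

    /* Move to the beginning of the file and take that as the first offset. */
    offset = set_file_offset(fp, 0);

    print_dos_member(fp, "e_magic", sizeof(idh->e_magic), idh->e_magic);
    print_dos_member(fp, "e_cblp", sizeof(idh->e_cblp), idh->e_cblp);
    print_dos_member(fp, "e_cp", sizeof(idh->e_cp), idh->e_cp);
    print_dos_member(fp, "e_crlc", sizeof(idh->e_crlc), idh->e_crlc);
    print_dos_member(fp, "e_cparhdr", sizeof(idh->e_cparhdr), idh->e_cparhdr);
    print_dos_member(fp, "e_minalloc", sizeof(idh->e_minalloc), idh->e_minalloc);
    print_dos_member(fp, "e_maxalloc", sizeof(idh->e_maxalloc), idh->e_maxalloc);
    print_dos_member(fp, "e_ss", sizeof(idh->e_ss), idh->e_ss);
    print_dos_member(fp, "e_sp", sizeof(idh->e_sp), idh->e_sp);
    print_dos_member(fp, "e_csum", sizeof(idh->e_csum), idh->e_csum);
    print_dos_member(fp, "e_ip", sizeof(idh->e_ip), idh->e_ip);
    print_dos_member(fp, "e_cs", sizeof(idh->e_cs), idh->e_cs);
    print_dos_member(fp, "e_lfarlc", sizeof(idh->e_lfarlc), idh->e_lfarlc);
    print_dos_member(fp, "e_ovno", sizeof(idh->e_ovno), idh->e_ovno);

    /* Element count taken from the struct itself rather than a literal 4. */
    for (size_t i = 0; i < sizeof idh->e_res / sizeof idh->e_res[0]; i++) {
        snprintf(label, sizeof label, "e_res[%zu]", i);
        print_dos_member(fp, label, sizeof(idh->e_res[i]), idh->e_res[i]);
    }

    print_dos_member(fp, "e_oemid", sizeof(idh->e_oemid), idh->e_oemid);
    print_dos_member(fp, "e_oeminfo", sizeof(idh->e_oeminfo), idh->e_oeminfo);

    /* Element count taken from the struct itself rather than a literal 10. */
    for (size_t i = 0; i < sizeof idh->e_res2 / sizeof idh->e_res2[0]; i++) {
        snprintf(label, sizeof label, "e_res2[%zu]", i);
        print_dos_member(fp, label, sizeof(idh->e_res2[i]), idh->e_res2[i]);
    }

    /* e_lfanew is a LONG; cast so the bits are printed as %X always did. */
    print_dos_member(fp, "e_lfanew", sizeof(idh->e_lfanew), (unsigned)idh->e_lfanew);

    printf("\n============================================\n\n");
}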
매개변수
void print_dos_header(FILE* fp, IMAGE_DOS_HEADER* idh)
인자로 파일 포인터와 dos header 구조체 정보를 받는다.
fp는 offset도 같이 출력해주기 위함이다.
IMAGE_DOS_HEADER 구조체 정의
/*
 * DOS (MZ) header that begins every PE file, as declared in winnt.h.
 * All WORD members are 2 bytes and e_lfanew is a 4-byte LONG, so the
 * structure occupies the first 64 bytes of the file. The two members a PE
 * parser actually needs are e_magic (to decide whether this is a PE file at
 * all) and e_lfanew (the file offset of the NT header); everything else is
 * legacy DOS loader data that modern parsers print but do not act on.
 */
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
    WORD e_magic; // Magic number — checked to decide whether the file is a PE file
    WORD e_cblp; // Bytes on last page of file
    WORD e_cp; // Pages in file
    WORD e_crlc; // Relocations
    WORD e_cparhdr; // Size of header in paragraphs
    WORD e_minalloc; // Minimum extra paragraphs needed
    WORD e_maxalloc; // Maximum extra paragraphs needed
    WORD e_ss; // Initial (relative) SS value
    WORD e_sp; // Initial SP value
    WORD e_csum; // Checksum
    WORD e_ip; // Initial IP value
    WORD e_cs; // Initial (relative) CS value
    WORD e_lfarlc; // File address of relocation table
    WORD e_ovno; // Overlay number
    WORD e_res[4]; // Reserved words
    WORD e_oemid; // OEM identifier (for e_oeminfo)
    WORD e_oeminfo; // OEM information; e_oemid specific
    WORD e_res2[10]; // Reserved words
    // File address of new exe header: the offset of the NT header. It is read
    // straight from the file, so a parser should confirm it lies inside the
    // file before seeking to it. NOTE(review): signed; a negative value is
    // just as invalid as one past the end of the file.
    LONG e_lfanew;
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
Image_dos_header 구조체는 winnt.h 헤더 파일에 위와 같이 되어 있다.
중요한 멤버는 e_magic과 e_lfanew이다.
e_magic의 값으로 PE 파일인지 판단하고, e_lfanew의 값으로 NT header의 시작 offset을 알 수 있다.
출력 코드
offset = set_file_offset(fp, 0);
printf("[%08X] - e_magic[%zdbyte]\t: %04X\n", offset, sizeof(idh->e_magic), idh->e_magic);
offset = get_file_offset(fp, sizeof(idh->e_magic));
printf("[%08X] - e_cblp[%zdbyte]\t: %04X\n", offset, sizeof(idh->e_cblp), idh->e_cblp);
offset = get_file_offset(fp, sizeof(idh->e_cblp));
printf("[%08X] - e_cp[%zdbyte]\t: %04X\n", offset, sizeof(idh->e_cp), idh->e_cp);
offset = get_file_offset(fp, sizeof(idh->e_cp));
printf("[%08X] - e_crlc[%zdbyte]\t: %04X\n", offset, sizeof(idh->e_crlc), idh->e_crlc);
offset = get_file_offset(fp, sizeof(idh->e_crlc));
printf("[%08X] - e_cparhdr[%zdbyte]\t: %04X\n", offset, sizeof(idh->e_cparhdr), idh->e_cparhdr);
offset = get_file_offset(fp, sizeof(idh->e_cparhdr));
printf("[%08X] - e_minalloc[%zdbyte]\t: %04X\n", offset, sizeof(idh->e_minalloc), idh->e_minalloc);
offset = get_file_offset(fp, sizeof(idh->e_minalloc));
printf("[%08X] - e_maxalloc[%zdbyte]\t: %04X\n", offset, sizeof(idh->e_maxalloc), idh->e_maxalloc);
offset = get_file_offset(fp, sizeof(idh->e_maxalloc));
printf("[%08X] - e_ss[%zdbyte]\t: %04X\n", offset, sizeof(idh->e_ss), idh->e_ss);
offset = get_file_offset(fp, sizeof(idh->e_ss));
printf("[%08X] - e_sp[%zdbyte]\t: %04X\n", offset, sizeof(idh->e_sp), idh->e_sp);
offset = get_file_offset(fp, sizeof(idh->e_sp));
printf("[%08X] - e_csum[%zdbyte]\t: %04X\n", offset, sizeof(idh->e_csum), idh->e_csum);
offset = get_file_offset(fp, sizeof(idh->e_csum));
printf("[%08X] - e_ip[%zdbyte]\t: %04X\n", offset, sizeof(idh->e_ip), idh->e_ip);
offset = get_file_offset(fp, sizeof(idh->e_ip));
printf("[%08X] - e_cs[%zdbyte]\t: %04X\n", offset, sizeof(idh->e_cs), idh->e_cs);
offset = get_file_offset(fp, sizeof(idh->e_cs));
printf("[%08X] - e_lfarlc[%zdbyte]\t: %04X\n", offset, sizeof(idh->e_lfarlc), idh->e_lfarlc);
offset = get_file_offset(fp, sizeof(idh->e_lfarlc));
printf("[%08X] - e_ovno[%zdbyte]\t: %04X\n", offset, sizeof(idh->e_ovno), idh->e_ovno);
offset = get_file_offset(fp, sizeof(idh->e_ovno));
for (int i = 0; i < 4; i++)
{
printf("[%08X] - e_res[%d][%zdbyte]\t: %04X\n", offset, i, sizeof(idh->e_res[i]), idh->e_res[i]);
offset = get_file_offset(fp, sizeof(idh->e_res[i]));
}
printf("[%08X] - e_oemid[%zdbyte]\t: %04X\n", offset, sizeof(idh->e_oemid), idh->e_oemid);
offset = get_file_offset(fp, sizeof(idh->e_oemid));
printf("[%08X] - e_oeminfo[%zdbyte]\t: %04X\n", offset, sizeof(idh->e_oeminfo), idh->e_oeminfo);
offset = get_file_offset(fp, sizeof(idh->e_oeminfo));
for (int i = 0; i < 10; i++)
{
printf("[%08X] - e_res2[%d][%zdbyte]\t: %04X\n", offset, i, sizeof(idh->e_res2[i]), idh->e_res2[i]);
offset = get_file_offset(fp, sizeof(idh->e_res2[i]));
}
printf("[%08X] - e_lfanew[%zdbyte]\t: %08X\n", offset, sizeof(idh->e_lfanew), idh->e_lfanew);
offset = get_file_offset(fp, sizeof(idh->e_lfanew));
printf("\n============================================\n\n");
PE 헤더에서 가장 맨 앞은 Dos header이기 때문에 파일 내에서의 현재 위치를 맨 처음으로 설정하고 그 값을 offset에 담는다.
offset 값, 각 IMAGE_DOS_HEADER 멤버의 크기, 각 IMAGE_DOS_HEADER 멤버의 값을 출력한다.
출력하고 나면, 출력했던 IMAGE_DOS_HEADER 멤버의 크기만큼 offset을 움직여 값을 가져와 offset 변수에 담는다.
위와 같이 출력하고, 파일 내에서 각 IMAGE_DOS_HEADER 멤버의 크기만큼 offset 값을 옮기는 것이 전부이다.