API tools faq
paste
Advertisement
alien_fx_fiend

PE-Explorer Backup B4 TestFixes

alien_fx_fiend
Nov 25th, 2024
47
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C++ 35.29 KB | Source Code | 0 0
raw download clone embed print report
  1. ==++Here's the full sourcecode for (file 1/2) "main.cpp"::++==
  2. #define STRICT
  3. #define WIN32_LEAN_AND_MEAN
  4. #include <Windows.h>
  5. #include <winternl.h>
  6. #include <CommCtrl.h>
  7. #include <commdlg.h>
  8. #include <string>
  9. #include <strsafe.h>
  10. #include <sstream>
  11. #include <iomanip>
  12. #include <stdio.h>
  13. #include "helpers.h"
  14. #include "resource.h"
  15. #pragma comment(lib, "comctl32.lib")
  16.  
  17. using namespace std;
  18.  
  19. // At the top of your file, change the window class name to wide string
  20. #define WINDOW_CLASS_NAME L"PEAnalyzerWindow"
  21. //const wchar_t* const WINDOW_CLASS_NAME = L"PEAnalyzerWindow";
  22.  
  23. // Use ANSI versions explicitly
  24. //#undef CreateWindow
  25. //#undef CreateWindowEx
  26. //#define CreateWindow  CreateWindowW
  27. //#define CreateWindowEx CreateWindowExW
  28.  
  29. // Helper function to replace printf with GUI output
  30. #define OUTPUT(format, ...) AppendToOutput(L##format, ##__VA_ARGS__)
  31. //#define OUTPUT(format, ...) AppendToOutput(format, ##__VA_ARGS__)
  32. //#define printf(format, ...) AppendToOutput(format, ##__VA_ARGS__)
  33.  
  34. // Window dimensions
  35. #define WINDOW_WIDTH    1024
  36. #define WINDOW_HEIGHT   768
  37. #define EDIT_MARGIN    10
  38.  
  39. // Global variables
  40. HWND g_hMainWindow = NULL;
  41. HWND g_hEditControl = NULL;
  42. HFONT g_hFont = NULL;
  43. std::wstringstream g_OutputText;
  44. WCHAR filePathW[MAX_PATH];
  45. std::wstring tempBuffer; // Declare tempBuffer globally
  46.  
  47. // Function declarations
  48. LRESULT CALLBACK WindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam);
  49. void CreateMainWindow(HINSTANCE hInstance);
  50. void InitializeControls(HWND hwnd);
  51. void AddMenus(HWND hwnd);
  52. void OpenFileDialog(HWND hwnd);
  53. //void AnalyzePEFile(const WCHAR* filePathW);
  54. void AnalyzePEFile(const wchar_t* filePathW);
  55. HANDLE GetFileContent(const wchar_t* lpFilePath);
  56. void GetDataDirectories(PIMAGE_DATA_DIRECTORY pImageDataDirectory);
  57. PIMAGE_SECTION_HEADER GetSections(const PIMAGE_SECTION_HEADER pImageSectionHeader,
  58.    int NumberOfSections, DWORD dImportAddress);
  59. void GetImports32(PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor,
  60.    DWORD dRawOffset, const PIMAGE_SECTION_HEADER pImageImportSection);
  61. void GetImports64(PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor,
  62.    DWORD dRawOffset, const PIMAGE_SECTION_HEADER pImageImportSection);
  63. void AppendToOutput(const wchar_t* format, ...);
  64. void UpdateEditControl();
  65.  
  66. // Main window class name
  67. //const char* const WINDOW_CLASS_NAME = "PEAnalyzerWindow";
  68.  
  69. int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
  70.    INITCOMMONCONTROLSEX icc = { sizeof(INITCOMMONCONTROLSEX), ICC_WIN95_CLASSES };
  71.    InitCommonControlsEx(&icc);
  72.  
  73.    CreateMainWindow(hInstance);
  74.    if (!g_hMainWindow) return -1;
  75.  
  76.    ShowWindow(g_hMainWindow, nCmdShow);
  77.    UpdateWindow(g_hMainWindow);
  78.  
  79.    MSG msg = {};
  80.    while (GetMessage(&msg, NULL, 0, 0)) {
  81.        TranslateMessage(&msg);
  82.        DispatchMessage(&msg);
  83.    }
  84.  
  85.    if (g_hFont) DeleteObject(g_hFont);
  86.    return (int)msg.wParam;
  87. }
  88.  
  89. void CreateMainWindow(HINSTANCE hInstance) {
  90.    WNDCLASSEXW wc = { sizeof(WNDCLASSEXW), 0, WindowProc, 0, 0, hInstance, NULL, LoadCursor(NULL, IDC_ARROW), (HBRUSH)(COLOR_WINDOW + 1), NULL, WINDOW_CLASS_NAME, NULL };
  91.    RegisterClassExW(&wc);
  92.    g_hMainWindow = CreateWindowExW(0, WINDOW_CLASS_NAME, L"PE File Analyzer", WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, WINDOW_WIDTH, WINDOW_HEIGHT, nullptr, nullptr, hInstance, nullptr);
  93. }
  94.  
  95. void InitializeControls(HWND hwnd) {
  96.    g_hEditControl = CreateWindowExW(WS_EX_CLIENTEDGE, L"EDIT", L"", WS_CHILD | WS_VISIBLE | WS_VSCROLL | WS_HSCROLL | ES_MULTILINE | ES_AUTOVSCROLL | ES_AUTOHSCROLL, EDIT_MARGIN, EDIT_MARGIN, WINDOW_WIDTH - (2 * EDIT_MARGIN), WINDOW_HEIGHT - (2 * EDIT_MARGIN), hwnd, nullptr, (HINSTANCE)GetWindowLongPtr(hwnd, GWLP_HINSTANCE), nullptr);
  97.    g_hFont = CreateFont(-14, 0, 0, 0, FW_NORMAL, FALSE, FALSE, 0, ANSI_CHARSET, OUT_DEFAULT_PRECIS, CLIP_DEFAULT_PRECIS, DEFAULT_QUALITY, DEFAULT_PITCH | FF_MODERN, L"Consolas");
  98.    if (g_hFont) SendMessage(g_hEditControl, WM_SETFONT, (WPARAM)g_hFont, TRUE);
  99. }
  100.  
  101. void AddMenus(HWND hwnd) {
  102.    HMENU hMenuBar = CreateMenu();
  103.    HMENU hFileMenu = CreateMenu();
  104.    AppendMenu(hMenuBar, MF_POPUP, (UINT_PTR)hFileMenu, L"&File");
  105.    AppendMenu(hFileMenu, MF_STRING, 1, L"&Open");
  106.    AppendMenu(hFileMenu, MF_STRING, 2, L"E&xit");
  107.    SetMenu(hwnd, hMenuBar);
  108. }
  109.  
  110. LRESULT CALLBACK WindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam) {
  111.    switch (uMsg) {
  112.    case WM_CREATE: InitializeControls(hwnd); AddMenus(hwnd); return 0;
  113.    case WM_SIZE: SetWindowPos(g_hEditControl, NULL, EDIT_MARGIN, EDIT_MARGIN, LOWORD(lParam) - (2 * EDIT_MARGIN), HIWORD(lParam) - (2 * EDIT_MARGIN), SWP_NOZORDER); return 0;
  114.    case WM_COMMAND: if (LOWORD(wParam) == 1) OpenFileDialog(hwnd); if (LOWORD(wParam) == 2) PostQuitMessage(0); return 0;
  115.    case WM_DESTROY: PostQuitMessage(0); return 0;
  116.    }
  117.    return DefWindowProc(hwnd, uMsg, wParam, lParam);
  118. }
  119.  
  120. void OpenFileDialog(HWND hwnd) {
  121.    WCHAR fileName[MAX_PATH] = L"";
  122.    OPENFILENAMEW ofn = { sizeof(OPENFILENAMEW), hwnd, NULL, L"Executable Files (*.exe;*.dll)\0*.exe;*.dll\0All Files (*.*)\0*.*\0", NULL, 0, 1, fileName, MAX_PATH, NULL, 0, NULL, NULL, OFN_EXPLORER | OFN_FILEMUSTEXIST | OFN_HIDEREADONLY, 0, 0, L"exe", NULL, NULL, NULL };
  123.    if (GetOpenFileNameW(&ofn)) {
  124.        SetWindowTextW(g_hEditControl, L"");
  125.        g_OutputText.str(L"");
  126.        g_OutputText.clear();
  127.        AnalyzePEFile(ofn.lpstrFile);
  128.        UpdateEditControl();
  129.    }
  130. }
  131.  
  132. /*
  133. void AppendToOutput(const wchar_t* format, ...) {
  134.    wchar_t buffer[16384]; // Ensure sufficient buffer size
  135.    va_list args;
  136.    va_start(args, format);
  137.    StringCchVPrintfW(buffer, ARRAYSIZE(buffer), format, args);
  138.    va_end(args);
  139.  
  140.    tempBuffer += buffer;
  141.  
  142.    // Update Edit Control periodically to improve performance
  143.    if (tempBuffer.size() > 8000) {
  144.        g_OutputText << tempBuffer;
  145.        tempBuffer.clear();
  146.  
  147.        SetWindowTextW(g_hEditControl, g_OutputText.str().c_str());
  148.        SendMessage(g_hEditControl, EM_SETSEL, -1, -1);
  149.        SendMessage(g_hEditControl, EM_SCROLLCARET, 0, 0);
  150.    }
  151. }
  152.  
  153.  
  154. // Final update to flush any remaining content
  155. void FlushOutput() {
  156.    if (!tempBuffer.empty()) {
  157.        g_OutputText << tempBuffer;
  158.        tempBuffer.clear();
  159.  
  160.        SetWindowTextW(g_hEditControl, g_OutputText.str().c_str());
  161.        SendMessage(g_hEditControl, EM_SETSEL, -1, -1);
  162.        SendMessage(g_hEditControl, EM_SCROLLCARET, 0, 0);
  163.    }
  164. }
  165. */
  166.  
  167. void AppendToOutput(const wchar_t* format, ...) {
  168.    wchar_t buffer[4096];
  169.    va_list args;
  170.    va_start(args, format);
  171.    StringCchVPrintfW(buffer, ARRAYSIZE(buffer), format, args);
  172.    va_end(args);
  173.    g_OutputText << buffer;
  174.    SetWindowTextW(g_hEditControl, g_OutputText.str().c_str());
  175.    SendMessage(g_hEditControl, EM_SETSEL, -1, -1);
  176.    SendMessage(g_hEditControl, EM_SCROLLCARET, 0, 0);
  177. }
  178.  
  179. /*
  180. //basic test function
  181. void AnalyzePEFile(const wchar_t* filePathW) {
  182.    OUTPUT("[+] Analyzing file: %s\n", filePathW);
  183.    LPVOID lpFileContent = GetFileContent(filePathW);
  184.    if (!lpFileContent) { OUTPUT("[-] Could not read file.\n"); return; }
  185.    PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)lpFileContent;
  186.    if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) { OUTPUT("[-] Invalid DOS signature.\n"); HeapFree(GetProcessHeap(), 0, lpFileContent); return; }
  187.    PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((DWORD_PTR)lpFileContent + dosHeader->e_lfanew);
  188.    if (ntHeaders->Signature != IMAGE_NT_SIGNATURE) { OUTPUT("[-] Invalid NT signature.\n"); HeapFree(GetProcessHeap(), 0, lpFileContent); return; }
  189.    OUTPUT("[+] PE file analyzed successfully.\n");
  190.    HeapFree(GetProcessHeap(), 0, lpFileContent);
  191.    UpdateEditControl();
  192. }
  193. */
  194.  
  195. //use vectors for unlimited size growth of buffer, use an alternative to editbox, check for fast loops overloading, in its primitive form it works properly! try w/o getimports3264 datadirectories getsections
  196.  
  197.  
  198. //use below vv
  199. void AnalyzePEFile(const wchar_t* filePathW) {
  200.    OUTPUT("[+] Starting PE Analysis for: %s\n\n", filePathW);
  201.  
  202.    LPVOID lpFileContent = GetFileContent(filePathW);
  203.    if (!lpFileContent) {
  204.        OUTPUT("[-] Failed to read file content!\n");
  205.        return;
  206.    }
  207.  
  208.    const auto pImageDosHeader = static_cast<PIMAGE_DOS_HEADER>(lpFileContent);
  209.    if (pImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
  210.        OUTPUT("[-] Invalid DOS signature!\n");
  211.        HeapFree(GetProcessHeap(), 0, lpFileContent);
  212.        return;
  213.    }
  214.  
  215.    const auto pImageNtHeaders = reinterpret_cast<PIMAGE_NT_HEADERS>((DWORD_PTR)lpFileContent + pImageDosHeader->e_lfanew);
  216.    if (pImageNtHeaders->Signature != IMAGE_NT_SIGNATURE) {
  217.        OUTPUT("[-] Invalid NT signature!\n");
  218.        HeapFree(GetProcessHeap(), 0, lpFileContent);
  219.        return;
  220.    }
  221.  
  222.    UpdateEditControl(); //added just now remove line!
  223.  
  224.    OUTPUT("[+] PE FILE HEADER\n");
  225.    OUTPUT("\tMachine : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.Machine);
  226.    OUTPUT("\tNumberOfSections : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.NumberOfSections);
  227.    OUTPUT("\tTimeDateStamp : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.TimeDateStamp);
  228.    OUTPUT("\tPointerToSymbolTable : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.PointerToSymbolTable);
  229.    OUTPUT("\tNumberOfSymbols : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.NumberOfSymbols);
  230.    OUTPUT("\tSizeOfOptionalHeader : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.SizeOfOptionalHeader);
  231.    OUTPUT("\tCharacteristics : 0x%X %s\n\n", (uintptr_t)pImageNtHeaders->FileHeader.Characteristics, GetImageCharacteristics(pImageNtHeaders->FileHeader.Characteristics));
  232.  
  233.    OUTPUT("[+] PE OPTIONAL HEADER\n");
  234.    OUTPUT("\tMagic : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.Magic);
  235.    OUTPUT("\tAddressOfEntryPoint : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.AddressOfEntryPoint);
  236.    OUTPUT("\tImageBase : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.ImageBase);
  237.    OUTPUT("\tSectionAlignment : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SectionAlignment);
  238.    OUTPUT("\tFileAlignment : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.FileAlignment);
  239.    OUTPUT("\tMajorOperatingSystemVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MajorOperatingSystemVersion);
  240.    OUTPUT("\tMinorOperatingSystemVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MinorOperatingSystemVersion);
  241.    OUTPUT("\tMajorImageVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MajorImageVersion);
  242.    OUTPUT("\tMinorImageVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MinorImageVersion);
  243.    OUTPUT("\tMajorSubsystemVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MajorSubsystemVersion);
  244.    OUTPUT("\tMinorSubsystemVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MinorSubsystemVersion);
  245.    OUTPUT("\tWin32VersionValue : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.Win32VersionValue);
  246.    OUTPUT("\tSizeOfImage : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfImage);
  247.    OUTPUT("\tSizeOfHeaders : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfHeaders);
  248.    OUTPUT("\tCheckSum : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.CheckSum);
  249.    OUTPUT("\tSubsystem : 0x%X %s\n", (uintptr_t)pImageNtHeaders->OptionalHeader.Subsystem, GetSubsystem(pImageNtHeaders->OptionalHeader.Subsystem));
  250.    OUTPUT("\tDllCharacteristics : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.DllCharacteristics);
  251.    OUTPUT("\tSizeOfStackReserve : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfStackReserve);
  252.    OUTPUT("\tSizeOfStackCommit : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfStackCommit);
  253.    OUTPUT("\tSizeOfHeapReserve : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfHeapReserve);
  254.    OUTPUT("\tSizeOfHeapCommit : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfHeapCommit);
  255.    OUTPUT("\tLoaderFlags : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.LoaderFlags);
  256.    OUTPUT("\tNumberOfRvaAndSizes : 0x%X\n\n", (uintptr_t)pImageNtHeaders->OptionalHeader.NumberOfRvaAndSizes);
  257.  
  258.    UpdateEditControl(); //added just now remove line!
  259.  
  260.    GetDataDirectories(&pImageNtHeaders->OptionalHeader.DataDirectory[0]);
  261.  
  262.    const auto pImageSectionHeader = reinterpret_cast<PIMAGE_SECTION_HEADER>((DWORD_PTR)pImageNtHeaders + sizeof(IMAGE_NT_HEADERS));
  263.    const auto pImageImportSection = GetSections(pImageSectionHeader, pImageNtHeaders->FileHeader.NumberOfSections, pImageNtHeaders->OptionalHeader.DataDirectory[1].VirtualAddress);
  264.  
  265.    if (!pImageImportSection) {
  266.        OUTPUT("[-] Error: Could not find import section!\n");
  267.        HeapFree(GetProcessHeap(), 0, lpFileContent);
  268.        return;
  269.    }
  270.  
  271.    const auto pImageImportDescriptor = reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>((DWORD_PTR)lpFileContent + pImageImportSection->PointerToRawData);
  272.    if (pImageNtHeaders->FileHeader.Machine == IMAGE_FILE_MACHINE_I386) {
  273.        GetImports32(pImageImportDescriptor, (DWORD)lpFileContent + pImageImportSection->PointerToRawData, pImageImportSection);
  274.    }
  275.    else if (pImageNtHeaders->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64) {
  276.        GetImports64(pImageImportDescriptor, (DWORD)lpFileContent + pImageImportSection->PointerToRawData, pImageImportSection);
  277.    }
  278.    else {
  279.        OUTPUT("[-] Unsupported architecture!\n");
  280.    }
  281.  
  282.    HeapFree(GetProcessHeap(), 0, lpFileContent);
  283.    UpdateEditControl();
  284. }
  285.  
  286. void GetDataDirectories(PIMAGE_DATA_DIRECTORY pImageDataDirectory) {
  287.    OUTPUT("[+] PE DATA DIRECTORIES\n");
  288.    for (int i = 0; i < IMAGE_NUMBEROF_DIRECTORY_ENTRIES; ++i, ++pImageDataDirectory) {
  289.        if (pImageDataDirectory->VirtualAddress == 0) continue;
  290.        OUTPUT("\tDataDirectory (%s) VirtualAddress : 0x%X\n", GetDataDirectoryName(i), (uintptr_t)pImageDataDirectory->VirtualAddress);
  291.        OUTPUT("\tDataDirectory (%s) Size : 0x%X\n\n", GetDataDirectoryName(i), (uintptr_t)pImageDataDirectory->Size);
  292.    }
  293. }
  294.  
  295. PIMAGE_SECTION_HEADER GetSections(const PIMAGE_SECTION_HEADER pImageSectionHeader, int NumberOfSections, DWORD dImportAddress) {
  296.    PIMAGE_SECTION_HEADER pImageImportHeader = nullptr;
  297.    OUTPUT("\n[+] PE IMAGE SECTIONS\n");
  298.    for (int i = 0; i < NumberOfSections; ++i) {
  299.        const auto pCurrentSectionHeader = reinterpret_cast<PIMAGE_SECTION_HEADER>((DWORD_PTR)pImageSectionHeader + i * sizeof(IMAGE_SECTION_HEADER));
  300.        OUTPUT("\n\tSECTION : %s\n", (wchar_t*)pCurrentSectionHeader->Name);
  301.        OUTPUT("\t\tMisc (PhysicalAddress) : 0x%X\n", (uintptr_t)pCurrentSectionHeader->Misc.PhysicalAddress);
  302.        OUTPUT("\t\tMisc (VirtualSize) : 0x%X\n", (uintptr_t)pCurrentSectionHeader->Misc.VirtualSize);
  303.        OUTPUT("\t\tVirtualAddress : 0x%X\n", (uintptr_t)pCurrentSectionHeader->VirtualAddress);
  304.        OUTPUT("\t\tSizeOfRawData : 0x%X\n", (uintptr_t)pCurrentSectionHeader->SizeOfRawData);
  305.        OUTPUT("\t\tPointerToRawData : 0x%X\n", (uintptr_t)pCurrentSectionHeader->PointerToRawData);
  306.        OUTPUT("\t\tCharacteristics : 0x%X %s\n", (uintptr_t)pCurrentSectionHeader->Characteristics, GetSectionProtection(pCurrentSectionHeader->Characteristics));
  307.  
  308.        if (dImportAddress >= pCurrentSectionHeader->VirtualAddress && dImportAddress < pCurrentSectionHeader->VirtualAddress + pCurrentSectionHeader->Misc.VirtualSize) {
  309.            pImageImportHeader = pCurrentSectionHeader;
  310.        }
  311.    }
  312.    return pImageImportHeader;
  313. }
  314.  
  315. void GetImports32(PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor, DWORD dRawOffset, const PIMAGE_SECTION_HEADER pImageImportSection) {
  316.    OUTPUT("\n[+] IMPORTED DLL\n");
  317.    while (pImageImportDescriptor->Name != 0) {
  318.        OUTPUT("\n\tDLL NAME : %s\n", (wchar_t*)(dRawOffset + (pImageImportDescriptor->Name - pImageImportSection->VirtualAddress)));
  319.        if (pImageImportDescriptor->OriginalFirstThunk == 0) {
  320.            ++pImageImportDescriptor;
  321.            continue;
  322.        }
  323.        auto pOriginalFirstThunk = reinterpret_cast<PIMAGE_THUNK_DATA32>(dRawOffset + (pImageImportDescriptor->OriginalFirstThunk - pImageImportSection->VirtualAddress));
  324.        while (pOriginalFirstThunk->u1.AddressOfData != 0) {
  325.            const auto pImageImportByName = reinterpret_cast<PIMAGE_IMPORT_BY_NAME>(dRawOffset + (pOriginalFirstThunk->u1.AddressOfData - pImageImportSection->VirtualAddress));
  326.            if (pImageImportByName) {
  327.                OUTPUT("\t\tFunction: %s\n", (char*)pImageImportByName->Name);
  328.            }
  329.            pOriginalFirstThunk++;
  330.        }
  331.        pImageImportDescriptor++;
  332.    }
  333. }
  334.  
  335. void GetImports64(PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor, DWORD dRawOffset, const PIMAGE_SECTION_HEADER pImageImportSection) {
  336.    OUTPUT("\n[+] IMPORTED DLL\n");
  337.    while (pImageImportDescriptor->Name != 0) {
  338.        OUTPUT("\n\tDLL NAME : %s\n", (wchar_t*)(dRawOffset + (pImageImportDescriptor->Name - pImageImportSection->VirtualAddress)));
  339.        if (pImageImportDescriptor->OriginalFirstThunk == 0) {
  340.            ++pImageImportDescriptor;
  341.            continue;
  342.        }
  343.        auto pOriginalFirstThunk = reinterpret_cast<PIMAGE_THUNK_DATA64>(dRawOffset + (pImageImportDescriptor->OriginalFirstThunk - pImageImportSection->VirtualAddress));
  344.        while (pOriginalFirstThunk->u1.AddressOfData != 0) {
  345.            const auto pImageImportByName = reinterpret_cast<PIMAGE_IMPORT_BY_NAME>(dRawOffset + (pOriginalFirstThunk->u1.AddressOfData - pImageImportSection->VirtualAddress));
  346.            if (pImageImportByName) {
  347.                OUTPUT("\t\tFunction: %s\n", (char*)pImageImportByName->Name);
  348.            }
  349.            pOriginalFirstThunk++;
  350.        }
  351.        pImageImportDescriptor++;
  352.    }
  353. }
  354. //use above ^^
  355.  
  356.  
  357.  
  358. /*
  359. // Main PE Analysis function
  360. void AnalyzePEFile(const wchar_t* filePathW)
  361. {
  362.    //WCHAR filePathW[MAX_PATH];
  363.    //MultiByteToWideChar(CP_ACP, 0, filePathA, -1, filePathW, MAX_PATH);
  364.    OUTPUT("[+] Starting PE Analysis for: %s\n\n", filePathW);
  365.    //AppendToOutput(L"[+] Starting PE Analysis for: %ls\n\n", filePathW);
  366.  
  367.    // Get file content
  368.    LPVOID lpFileContent = GetFileContent(filePathW);
  369.    if (!lpFileContent)
  370.    {
  371.        OUTPUT("[-] Failed to read file content!\n");
  372.        return;
  373.    }
  374.  
  375.    // Get DOS header
  376.    const auto pImageDosHeader = static_cast<PIMAGE_DOS_HEADER>(lpFileContent);
  377.    if (pImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
  378.    {
  379.        OUTPUT("[-] Invalid DOS signature!\n");
  380.        HeapFree(GetProcessHeap(), 0, lpFileContent);
  381.        return;
  382.    }
  383.  
  384.    // Get NT headers
  385.    const auto pImageNtHeaders = reinterpret_cast<PIMAGE_NT_HEADERS>((DWORD_PTR)lpFileContent + pImageDosHeader->e_lfanew);
  386.    if (pImageNtHeaders->Signature != IMAGE_NT_SIGNATURE)
  387.    {
  388.        OUTPUT("[-] Invalid NT signature!\n");
  389.        HeapFree(GetProcessHeap(), 0, lpFileContent);
  390.        return;
  391.    }
  392.  
  393.    // Display File Header information
  394.    OUTPUT("[+] PE FILE HEADER\n");
  395.    OUTPUT("\tMachine : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.Machine);
  396.    OUTPUT("\tNumberOfSections : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.NumberOfSections);
  397.    OUTPUT("\tTimeDateStamp : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.TimeDateStamp);
  398.    OUTPUT("\tPointerToSymbolTable : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.PointerToSymbolTable);
  399.    OUTPUT("\tNumberOfSymbols : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.NumberOfSymbols);
  400.    OUTPUT("\tSizeOfOptionalHeader : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.SizeOfOptionalHeader);
  401.    OUTPUT("\tCharacteristics : 0x%X %s\n\n",
  402.        (uintptr_t)pImageNtHeaders->FileHeader.Characteristics,
  403.        GetImageCharacteristics(pImageNtHeaders->FileHeader.Characteristics));
  404.  
  405.    // Display Optional Header information
  406.    OUTPUT("[+] PE OPTIONAL HEADER\n");
  407.    OUTPUT("\tMagic : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.Magic);
  408.    OUTPUT("\tAddressOfEntryPoint : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.AddressOfEntryPoint);
  409.    OUTPUT("\tImageBase : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.ImageBase);
  410.    OUTPUT("\tSectionAlignment : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SectionAlignment);
  411.    OUTPUT("\tFileAlignment : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.FileAlignment);
  412.    OUTPUT("\tMajorOperatingSystemVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MajorOperatingSystemVersion);
  413.    OUTPUT("\tMinorOperatingSystemVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MinorOperatingSystemVersion);
  414.    OUTPUT("\tMajorImageVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MajorImageVersion);
  415.    OUTPUT("\tMinorImageVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MinorImageVersion);
  416.    OUTPUT("\tMajorSubsystemVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MajorSubsystemVersion);
  417.    OUTPUT("\tMinorSubsystemVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MinorSubsystemVersion);
  418.    OUTPUT("\tWin32VersionValue : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.Win32VersionValue);
  419.    OUTPUT("\tSizeOfImage : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfImage);
  420.    OUTPUT("\tSizeOfHeaders : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfHeaders);
  421.    OUTPUT("\tCheckSum : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.CheckSum);
  422.    OUTPUT("\tSubsystem : 0x%X %s\n",
  423.        (uintptr_t)pImageNtHeaders->OptionalHeader.Subsystem,
  424.        GetSubsystem(pImageNtHeaders->OptionalHeader.Subsystem));
  425.    OUTPUT("\tDllCharacteristics : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.DllCharacteristics);
  426.    OUTPUT("\tSizeOfStackReserve : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfStackReserve);
  427.    OUTPUT("\tSizeOfStackCommit : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfStackCommit);
  428.    OUTPUT("\tSizeOfHeapReserve : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfHeapReserve);
  429.    OUTPUT("\tSizeOfHeapCommit : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfHeapCommit);
  430.    OUTPUT("\tLoaderFlags : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.LoaderFlags);
  431.    OUTPUT("\tNumberOfRvaAndSizes : 0x%X\n\n", (uintptr_t)pImageNtHeaders->OptionalHeader.NumberOfRvaAndSizes);
  432.  
  433.    // Get Data Directories
  434.    GetDataDirectories(&pImageNtHeaders->OptionalHeader.DataDirectory[0]);
  435.  
  436.    // Get the import section
  437.    const auto pImageSectionHeader = reinterpret_cast<PIMAGE_SECTION_HEADER>(
  438.        (DWORD_PTR)pImageNtHeaders + sizeof(IMAGE_NT_HEADERS));
  439.  
  440.    const auto pImageImportSection = GetSections(
  441.        pImageSectionHeader,
  442.        pImageNtHeaders->FileHeader.NumberOfSections,
  443.        pImageNtHeaders->OptionalHeader.DataDirectory[1].VirtualAddress);
  444.  
  445.    if (!pImageImportSection)
  446.    {
  447.        OUTPUT("[-] Error: Could not find import section!\n");
  448.        HeapFree(GetProcessHeap(), 0, lpFileContent);
  449.        return;
  450.    }
  451.  
  452.    // Get imports based on architecture
  453.    const auto pImageImportDescriptor = reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(
  454.        (DWORD_PTR)lpFileContent + pImageImportSection->PointerToRawData);
  455.  
  456.    if (pImageNtHeaders->FileHeader.Machine == IMAGE_FILE_MACHINE_I386)
  457.    {
  458.        GetImports32(
  459.            pImageImportDescriptor,
  460.            (DWORD)lpFileContent + pImageImportSection->PointerToRawData,
  461.            pImageImportSection);
  462.    }
  463.    else if (pImageNtHeaders->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)
  464.    {
  465.        GetImports64(
  466.            pImageImportDescriptor,
  467.            (DWORD)lpFileContent + pImageImportSection->PointerToRawData,
  468.            pImageImportSection);
  469.    }
  470.    else
  471.    {
  472.        OUTPUT("[-] Unsupported architecture!\n");
  473.    }
  474.  
  475.    // Cleanup
  476.    HeapFree(GetProcessHeap(), 0, lpFileContent);
  477.  
  478.    // Update the GUI with the analysis results
  479.    UpdateEditControl();
  480. }
  481.  
  482. void GetDataDirectories(PIMAGE_DATA_DIRECTORY pImageDataDirectory)
  483. {
  484.    OUTPUT("[+] PE DATA DIRECTORIES\n");
  485.    for (int i = 0; i < IMAGE_NUMBEROF_DIRECTORY_ENTRIES; ++i, ++pImageDataDirectory)
  486.    {
  487.        if (pImageDataDirectory->VirtualAddress == 0)
  488.            continue;
  489.  
  490.        OUTPUT("\tDataDirectory (%s) VirtualAddress : 0x%X\n",
  491.            GetDataDirectoryName(i),
  492.            (uintptr_t)pImageDataDirectory->VirtualAddress);
  493.        OUTPUT("\tDataDirectory (%s) Size : 0x%X\n\n",
  494.            GetDataDirectoryName(i),
  495.            (uintptr_t)pImageDataDirectory->Size);
  496.    }
  497. }
  498.  
  499. PIMAGE_SECTION_HEADER GetSections(const PIMAGE_SECTION_HEADER pImageSectionHeader,
  500.    int NumberOfSections, DWORD dImportAddress)
  501. {
  502.    PIMAGE_SECTION_HEADER pImageImportHeader = nullptr;
  503.  
  504.    OUTPUT("\n[+] PE IMAGE SECTIONS\n");
  505.  
  506.    for (int i = 0; i < NumberOfSections; ++i)
  507.    {
  508.        const auto pCurrentSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD_PTR)pImageSectionHeader +
  509.            i * sizeof(IMAGE_SECTION_HEADER));
  510.  
  511.        OUTPUT("\n\tSECTION : %s\n", (wchar_t*)pCurrentSectionHeader->Name);
  512.        OUTPUT("\t\tMisc (PhysicalAddress) : 0x%X\n",
  513.            (uintptr_t)pCurrentSectionHeader->Misc.PhysicalAddress);
  514.        OUTPUT("\t\tMisc (VirtualSize) : 0x%X\n",
  515.            (uintptr_t)pCurrentSectionHeader->Misc.VirtualSize);
  516.        OUTPUT("\t\tVirtualAddress : 0x%X\n",
  517.            (uintptr_t)pCurrentSectionHeader->VirtualAddress);
  518.        OUTPUT("\t\tSizeOfRawData : 0x%X\n",
  519.            (uintptr_t)pCurrentSectionHeader->SizeOfRawData);
  520.        OUTPUT("\t\tPointerToRawData : 0x%X\n",
  521.            (uintptr_t)pCurrentSectionHeader->PointerToRawData);
  522.        OUTPUT("\t\tPointerToRelocations : 0x%X\n",
  523.            (uintptr_t)pCurrentSectionHeader->PointerToRelocations);
  524.        OUTPUT("\t\tPointerToLinenumbers : 0x%X\n",
  525.            (uintptr_t)pCurrentSectionHeader->PointerToLinenumbers);
  526.        OUTPUT("\t\tNumberOfRelocations : 0x%X\n",
  527.            (uintptr_t)pCurrentSectionHeader->NumberOfRelocations);
  528.        OUTPUT("\t\tNumberOfLinenumbers : 0x%X\n",
  529.            (uintptr_t)pCurrentSectionHeader->NumberOfLinenumbers);
  530.        OUTPUT("\t\tCharacteristics : 0x%X %s\n",
  531.            (uintptr_t)pCurrentSectionHeader->Characteristics,
  532.            GetSectionProtection(pCurrentSectionHeader->Characteristics));
  533.  
  534.        if (dImportAddress >= pCurrentSectionHeader->VirtualAddress &&
  535.            dImportAddress < pCurrentSectionHeader->VirtualAddress +
  536.            pCurrentSectionHeader->Misc.VirtualSize)
  537.        {
  538.            pImageImportHeader = pCurrentSectionHeader;
  539.        }
  540.    }
  541.  
  542.    return pImageImportHeader;
  543. }
  544. void GetImports32(PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor,
  545.    DWORD dRawOffset, const PIMAGE_SECTION_HEADER pImageImportSection)
  546. {
  547.    OUTPUT("\n[+] IMPORTED DLL\n");
  548.  
  549.    while (pImageImportDescriptor->Name != 0)
  550.    {
  551.        OUTPUT("\n\tDLL NAME : %s\n",
  552.            (wchar_t*)(dRawOffset + (pImageImportDescriptor->Name - pImageImportSection->VirtualAddress)));
  553.        OUTPUT("\tCharacteristics : 0x%X\n",
  554.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->Characteristics - pImageImportSection->VirtualAddress)));
  555.        OUTPUT("\tOriginalFirstThunk : 0x%X\n",
  556.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->OriginalFirstThunk - pImageImportSection->VirtualAddress)));
  557.        OUTPUT("\tTimeDateStamp : 0x%X\n",
  558.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->TimeDateStamp - pImageImportSection->VirtualAddress)));
  559.        OUTPUT("\tForwarderChain : 0x%X\n",
  560.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->ForwarderChain - pImageImportSection->VirtualAddress)));
  561.        OUTPUT("\tFirstThunk : 0x%X\n",
  562.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->FirstThunk - pImageImportSection->VirtualAddress)));
  563.  
  564.        if (pImageImportDescriptor->OriginalFirstThunk == 0)
  565.        {
  566.            ++pImageImportDescriptor;
  567.            continue;
  568.        }
  569.  
  570.        auto pOriginalFirstThrunk = (PIMAGE_THUNK_DATA32)(dRawOffset +
  571.            (pImageImportDescriptor->OriginalFirstThunk - pImageImportSection->VirtualAddress));
  572.  
  573.        OUTPUT("\n\tImported Functions : \n\n");
  574.  
  575.        while (pOriginalFirstThrunk->u1.AddressOfData != 0)
  576.        {
  577.            if (pOriginalFirstThrunk->u1.AddressOfData >= IMAGE_ORDINAL_FLAG32)
  578.            {
  579.                ++pOriginalFirstThrunk;
  580.                continue;
  581.            }
  582.  
  583.            const auto pImageImportByName = (PIMAGE_IMPORT_BY_NAME)(dRawOffset +
  584.                (pOriginalFirstThrunk->u1.AddressOfData - pImageImportSection->VirtualAddress));
  585.  
  586.            if (pImageImportByName == nullptr)
  587.            {
  588.                ++pOriginalFirstThrunk;
  589.                continue;
  590.            }
  591.  
  592.            if (pOriginalFirstThrunk->u1.Ordinal & IMAGE_ORDINAL_FLAG32)
  593.            {
  594.                OUTPUT("\t\t0x%X (Ordinal) : %s\n",
  595.                    (uintptr_t)pOriginalFirstThrunk->u1.AddressOfData,
  596.                    (wchar_t*)((DWORD_PTR)dRawOffset + (pImageImportByName->Name - pImageImportSection->VirtualAddress)));
  597.            }
  598.            else
  599.            {
  600.                OUTPUT("\t\t%s\n",
  601.                    (wchar_t*)((DWORD_PTR)dRawOffset + (pImageImportByName->Name - pImageImportSection->VirtualAddress)));
  602.            }
  603.  
  604.            ++pOriginalFirstThrunk;
  605.        }
  606.  
  607.        ++pImageImportDescriptor;
  608.    }
  609. }
  610.  
  611. void GetImports64(PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor,
  612.    DWORD dRawOffset, const PIMAGE_SECTION_HEADER pImageImportSection)
  613. {
  614.    OUTPUT("\n[+] IMPORTED DLL\n");
  615.  
  616.    while (pImageImportDescriptor->Name != 0)
  617.    {
  618.        OUTPUT("\n\tDLL NAME : %s\n",
  619.            (wchar_t*)(dRawOffset + (pImageImportDescriptor->Name - pImageImportSection->VirtualAddress)));
  620.        OUTPUT("\tCharacteristics : 0x%X\n",
  621.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->Characteristics - pImageImportSection->VirtualAddress)));
  622.        OUTPUT("\tOriginalFirstThunk : 0x%X\n",
  623.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->OriginalFirstThunk - pImageImportSection->VirtualAddress)));
  624.        OUTPUT("\tTimeDateStamp : 0x%X\n",
  625.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->TimeDateStamp - pImageImportSection->VirtualAddress)));
  626.        OUTPUT("\tForwarderChain : 0x%X\n",
  627.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->ForwarderChain - pImageImportSection->VirtualAddress)));
  628.        OUTPUT("\tFirstThunk : 0x%X\n",
  629.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->FirstThunk - pImageImportSection->VirtualAddress)));
  630.  
  631.        if (pImageImportDescriptor->OriginalFirstThunk == 0)
  632.        {
  633.            ++pImageImportDescriptor;
  634.            continue;
  635.        }
  636.  
  637.        auto pOriginalFirstThrunk = (PIMAGE_THUNK_DATA64)(dRawOffset +
  638.            (pImageImportDescriptor->OriginalFirstThunk - pImageImportSection->VirtualAddress));
  639.  
  640.        OUTPUT("\n\tImported Functions : \n\n");
  641.  
  642.        while (pOriginalFirstThrunk->u1.AddressOfData != 0)
  643.        {
  644.            if (pOriginalFirstThrunk->u1.AddressOfData >= IMAGE_ORDINAL_FLAG64)
  645.            {
  646.                ++pOriginalFirstThrunk;
  647.                continue;
  648.            }
  649.  
  650.            const auto pImageImportByName = (PIMAGE_IMPORT_BY_NAME)((DWORD_PTR)dRawOffset +
  651.                (pOriginalFirstThrunk->u1.AddressOfData - pImageImportSection->VirtualAddress));
  652.  
  653.            if (pImageImportByName == nullptr)
  654.            {
  655.                ++pOriginalFirstThrunk;
  656.                continue;
  657.            }
  658.  
  659.            if (pOriginalFirstThrunk->u1.Ordinal & IMAGE_ORDINAL_FLAG64)
  660.            {
  661.                OUTPUT("\t\t0x%llX (Ordinal) : %s\n",
  662.                    pOriginalFirstThrunk->u1.AddressOfData,
  663.                    (wchar_t*)((DWORD_PTR)dRawOffset + (pImageImportByName->Name - pImageImportSection->VirtualAddress)));
  664.            }
  665.            else
  666.            {
  667.                OUTPUT("\t\t%s\n",
  668.                    (wchar_t*)((DWORD_PTR)dRawOffset + (pImageImportByName->Name - pImageImportSection->VirtualAddress)));
  669.            }
  670.  
  671.            ++pOriginalFirstThrunk;
  672.        }
  673.  
  674.        ++pImageImportDescriptor;
  675.    }
  676. }
  677. */
  678.  
  679. HANDLE GetFileContent(const wchar_t* lpFilePath) {
  680.    HANDLE hFile = CreateFileW(lpFilePath, GENERIC_READ, 0, nullptr, OPEN_EXISTING, 0, nullptr);
  681.    if (hFile == INVALID_HANDLE_VALUE) return nullptr;
  682.    DWORD fileSize = GetFileSize(hFile, nullptr);
  683.    auto lpFileContent = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, fileSize);
  684.    DWORD bytesRead;
  685.    ReadFile(hFile, lpFileContent, fileSize, &bytesRead, nullptr);
  686.    CloseHandle(hFile);
  687.    return lpFileContent;
  688. }
  689.  
  690. void UpdateEditControl() {
  691.    SetWindowTextW(g_hEditControl, g_OutputText.str().c_str());
  692.    SendMessage(g_hEditControl, EM_SETSEL, -1, -1);
  693.    SendMessage(g_hEditControl, EM_SCROLLCARET, 0, 0);
  694. }
  695.  
  696. ==++Here's the full sourcecode for (file 2/2) "helpers.h"::++==
  697. #pragma once
  698. #include <Windows.h>
  699. #include <strsafe.h>
  700.  
  701. // Helper function declarations
  702. const wchar_t* GetImageCharacteristics(DWORD dCharacteristics);
  703. const wchar_t* GetSubsystem(WORD Subsystem);
  704. const wchar_t* GetDataDirectoryName(int DirectoryNumber);
  705. const wchar_t* GetSectionProtection(DWORD dCharacteristics);
  706.  
  707. // Helper function implementations
  708. const wchar_t* GetImageCharacteristics(DWORD dCharacteristics)
  709. {
  710.     if (dCharacteristics & IMAGE_FILE_DLL)
  711.         return L"(DLL)";
  712.     if (dCharacteristics & IMAGE_FILE_SYSTEM)
  713.         return L"(DRIVER)";
  714.     if (dCharacteristics & IMAGE_FILE_EXECUTABLE_IMAGE)
  715.         return L"(EXE)";
  716.     return L"(UNKNOWN)";
  717. }
  718.  
  719. const wchar_t* GetSubsystem(WORD Subsystem)
  720. {
  721.     if (Subsystem == 1)
  722.         return L"(NATIVE / DRIVER)";
  723.     if (Subsystem == 2)
  724.         return L"(GUI APP)";
  725.     if (Subsystem == 3)
  726.         return L"(CONSOLE APP)";
  727.     return L"(UNKNOWN)";
  728. }
  729.  
  730. const wchar_t* GetDataDirectoryName(int DirectoryNumber)
  731. {
  732.     switch (DirectoryNumber)
  733.     {
  734.     case 0: return L"Export Table";
  735.     case 1: return L"Import Table";
  736.     case 2: return L"Resource Table";
  737.     case 3: return L"Exception Entry";
  738.     case 4: return L"Security Entry";
  739.     case 5: return L"Relocation Table";
  740.     case 6: return L"Debug Entry";
  741.     case 7: return L"Copyright Entry";
  742.     case 8: return L"Global PTR Entry";
  743.     case 9: return L"TLS Entry";
  744.     case 10: return L"Configuration Entry";
  745.     case 11: return L"Bound Import Entry";
  746.     case 12: return L"IAT";
  747.     case 13: return L"Delay Import Descriptor";
  748.     case 14: return L"COM Descriptor";
  749.     default: return nullptr;
  750.     }
  751. }
  752.  
  753. const wchar_t* GetSectionProtection(DWORD dCharacteristics) {
  754.     static wchar_t lpSectionProtection[1024] = {};
  755.     StringCchCopyW(lpSectionProtection, ARRAYSIZE(lpSectionProtection), L"(");
  756.     bool bExecute = false, bRead = false;
  757.  
  758.     if (dCharacteristics & IMAGE_SCN_MEM_EXECUTE) {
  759.         bExecute = true;
  760.         StringCchCatW(lpSectionProtection, ARRAYSIZE(lpSectionProtection), L"EXECUTE");
  761.     }
  762.  
  763.     if (dCharacteristics & IMAGE_SCN_MEM_READ) {
  764.         bRead = true;
  765.         if (bExecute)
  766.             StringCchCatW(lpSectionProtection, ARRAYSIZE(lpSectionProtection), L" | ");
  767.         StringCchCatW(lpSectionProtection, ARRAYSIZE(lpSectionProtection), L"READ");
  768.     }
  769.  
  770.     if (dCharacteristics & IMAGE_SCN_MEM_WRITE) {
  771.         if (bExecute || bRead)
  772.             StringCchCatW(lpSectionProtection, ARRAYSIZE(lpSectionProtection), L" | ");
  773.         StringCchCatW(lpSectionProtection, ARRAYSIZE(lpSectionProtection), L"WRITE");
  774.     }
  775.  
  776.     StringCchCatW(lpSectionProtection, ARRAYSIZE(lpSectionProtection), L")");
  777.     return lpSectionProtection;
  778. }
Tags: #prob-in-Output+Buffer+EditBox
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!