PE Explorer /w Fixes Implemented

1. ==++Here's the full sourcecode for (file 1/2) "main.cpp"::++==
2. #define STRICT
3. #define WIN32_LEAN_AND_MEAN
4. #include <Windows.h>
5. #include <winternl.h>
6. #include <CommCtrl.h>
7. #include <commdlg.h>
8. #include <string>
9. #include <strsafe.h>
10. #include <sstream>
11. #include <iomanip>
12. #include <stdio.h>
13. #include <Richedit.h>
14. #include "helpers.h"
15. #include "resource.h"
16. #pragma comment(lib, "comctl32.lib")
17. #pragma comment(lib, "Msftedit.lib")
18.  
19. using namespace std;
20.  
21. // At the top of your file, change the window class name to wide string
22. #define WINDOW_CLASS_NAME L"PEAnalyzerWindow"
23. //const wchar_t* const WINDOW_CLASS_NAME = L"PEAnalyzerWindow";
24.  
25. // Use ANSI versions explicitly
26. //#undef CreateWindow
27. //#undef CreateWindowEx
28. //#define CreateWindow  CreateWindowW
29. //#define CreateWindowEx CreateWindowExW
30.  
31. // Helper function to replace printf with GUI output
32. #define OUTPUT(format, ...) AppendToOutput(L##format, ##__VA_ARGS__)
33. //#define OUTPUT(format, ...) AppendToOutput(format, ##__VA_ARGS__)
34. //#define printf(format, ...) AppendToOutput(format, ##__VA_ARGS__)
35.  
36. // Window dimensions
37. #define WINDOW_WIDTH    1024
38. #define WINDOW_HEIGHT   768
39. #define EDIT_MARGIN    10
40.  
41. // Global variables
42. HWND g_hMainWindow = NULL;
43. HWND g_hEditControl = NULL;
44. HFONT g_hFont = NULL;
45. std::wstringstream g_OutputText;
46. WCHAR filePathW[MAX_PATH];
47. std::vector<wchar_t> g_OutputBuffer;
48. std::wstring tempBuffer; // Declare tempBuffer globally
49.  
50. // Function declarations
51. LRESULT CALLBACK WindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam);
52. void CreateMainWindow(HINSTANCE hInstance);
53. void InitializeControls(HWND hwnd);
54. void AddMenus(HWND hwnd);
55. void OpenFileDialog(HWND hwnd);
56. //void AnalyzePEFile(const WCHAR* filePathW);
57. void AnalyzePEFile(const wchar_t* filePathW);
58. HANDLE GetFileContent(const wchar_t* lpFilePath);
59. void GetDataDirectories(PIMAGE_DATA_DIRECTORY pImageDataDirectory);
60. PIMAGE_SECTION_HEADER GetSections(const PIMAGE_SECTION_HEADER pImageSectionHeader,
61.    int NumberOfSections, DWORD dImportAddress);
62. void GetImports32(PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor,
63.    DWORD dRawOffset, const PIMAGE_SECTION_HEADER pImageImportSection);
64. void GetImports64(PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor,
65.    DWORD dRawOffset, const PIMAGE_SECTION_HEADER pImageImportSection);
66. void AppendToOutput(const wchar_t* format, ...);
67. void UpdateEditControl();
68.  
69. // Main window class name
70. //const char* const WINDOW_CLASS_NAME = "PEAnalyzerWindow";
71.  
72. int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
73.    INITCOMMONCONTROLSEX icc = { sizeof(INITCOMMONCONTROLSEX), ICC_WIN95_CLASSES };
74.    InitCommonControlsEx(&icc);
75.  
76.    CreateMainWindow(hInstance);
77.    if (!g_hMainWindow) return -1;
78.  
79.    ShowWindow(g_hMainWindow, nCmdShow);
80.    UpdateWindow(g_hMainWindow);
81.  
82.    MSG msg = {};
83.    while (GetMessage(&msg, NULL, 0, 0)) {
84.        TranslateMessage(&msg);
85.        DispatchMessage(&msg);
86.    }
87.  
88.    if (g_hFont) DeleteObject(g_hFont);
89.    return (int)msg.wParam;
90. }
91.  
92. void CreateMainWindow(HINSTANCE hInstance) {
93.    WNDCLASSEXW wc = { sizeof(WNDCLASSEXW), 0, WindowProc, 0, 0, hInstance, NULL, LoadCursor(NULL, IDC_ARROW), (HBRUSH)(COLOR_WINDOW + 1), NULL, WINDOW_CLASS_NAME, NULL };
94.    RegisterClassExW(&wc);
95.    g_hMainWindow = CreateWindowExW(0, WINDOW_CLASS_NAME, L"PE File Analyzer", WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, WINDOW_WIDTH, WINDOW_HEIGHT, nullptr, nullptr, hInstance, nullptr);
96. }
97.  
98. g_hEditControl = CreateWindowExW(WS_EX_CLIENTEDGE, MSFTEDIT_CLASS, L"",
99.    WS_CHILD | WS_VISIBLE | WS_VSCROLL | ES_MULTILINE | ES_AUTOVSCROLL | ES_READONLY,
100.    EDIT_MARGIN, EDIT_MARGIN, WINDOW_WIDTH - (2 * EDIT_MARGIN),
101.    WINDOW_HEIGHT - (2 * EDIT_MARGIN), hwnd, nullptr,
102.    (HINSTANCE)GetWindowLongPtr(hwnd, GWLP_HINSTANCE), nullptr);
103.  
104.  
105. void AddMenus(HWND hwnd) {
106.    HMENU hMenuBar = CreateMenu();
107.    HMENU hFileMenu = CreateMenu();
108.    AppendMenu(hMenuBar, MF_POPUP, (UINT_PTR)hFileMenu, L"&File");
109.    AppendMenu(hFileMenu, MF_STRING, 1, L"&Open");
110.    AppendMenu(hFileMenu, MF_STRING, 2, L"E&xit");
111.    SetMenu(hwnd, hMenuBar);
112. }
113.  
114. LRESULT CALLBACK WindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam) {
115.    switch (uMsg) {
116.    case WM_CREATE: InitializeControls(hwnd); AddMenus(hwnd); return 0;
117.    case WM_SIZE: SetWindowPos(g_hEditControl, NULL, EDIT_MARGIN, EDIT_MARGIN, LOWORD(lParam) - (2 * EDIT_MARGIN), HIWORD(lParam) - (2 * EDIT_MARGIN), SWP_NOZORDER); return 0;
118.    case WM_COMMAND: if (LOWORD(wParam) == 1) OpenFileDialog(hwnd); if (LOWORD(wParam) == 2) PostQuitMessage(0); return 0;
119.    case WM_DESTROY: PostQuitMessage(0); return 0;
120.    }
121.    return DefWindowProc(hwnd, uMsg, wParam, lParam);
122. }
123.  
124. void OpenFileDialog(HWND hwnd) {
125.    WCHAR fileName[MAX_PATH] = L"";
126.    OPENFILENAMEW ofn = { sizeof(OPENFILENAMEW), hwnd, NULL, L"Executable Files (*.exe;*.dll)\0*.exe;*.dll\0All Files (*.*)\0*.*\0", NULL, 0, 1, fileName, MAX_PATH, NULL, 0, NULL, NULL, OFN_EXPLORER | OFN_FILEMUSTEXIST | OFN_HIDEREADONLY, 0, 0, L"exe", NULL, NULL, NULL };
127.    if (GetOpenFileNameW(&ofn)) {
128.        SetWindowTextW(g_hEditControl, L"");
129.        g_OutputText.str(L"");
130.        g_OutputText.clear();
131.        AnalyzePEFile(ofn.lpstrFile);
132.        UpdateEditControl();
133.    }
134. }
135.  
136. /*
137. void AppendToOutput(const wchar_t* format, ...) {
138.    wchar_t buffer[16384]; // Ensure sufficient buffer size
139.    va_list args;
140.    va_start(args, format);
141.    StringCchVPrintfW(buffer, ARRAYSIZE(buffer), format, args);
142.    va_end(args);
143.  
144.    tempBuffer += buffer;
145.  
146.    // Update Edit Control periodically to improve performance
147.    if (tempBuffer.size() > 8000) {
148.        g_OutputText << tempBuffer;
149.        tempBuffer.clear();
150.  
151.        SetWindowTextW(g_hEditControl, g_OutputText.str().c_str());
152.        SendMessage(g_hEditControl, EM_SETSEL, -1, -1);
153.        SendMessage(g_hEditControl, EM_SCROLLCARET, 0, 0);
154.    }
155. }
156.  
157.  
158. // Final update to flush any remaining content
159. void FlushOutput() {
160.    if (!tempBuffer.empty()) {
161.        g_OutputText << tempBuffer;
162.        tempBuffer.clear();
163.  
164.        SetWindowTextW(g_hEditControl, g_OutputText.str().c_str());
165.        SendMessage(g_hEditControl, EM_SETSEL, -1, -1);
166.        SendMessage(g_hEditControl, EM_SCROLLCARET, 0, 0);
167.    }
168. }
169. */
170.  
171. //currentlatest
172. /*
173. void AppendToOutput(const wchar_t* format, ...) {
174.    wchar_t buffer[4096];
175.    va_list args;
176.    va_start(args, format);
177.    StringCchVPrintfW(buffer, ARRAYSIZE(buffer), format, args);
178.    va_end(args);
179.    g_OutputText << buffer;
180.    SetWindowTextW(g_hEditControl, g_OutputText.str().c_str());
181.    SendMessage(g_hEditControl, EM_SETSEL, -1, -1);
182.    SendMessage(g_hEditControl, EM_SCROLLCARET, 0, 0);
183. }
184. */
185.  
186. //usingthistestfix(old)
187. /*
188. std::vector<wchar_t> g_OutputBuffer;
189.  
190. void AppendToOutput(const wchar_t* format, ...) {
191.    wchar_t buffer[16384];
192.    va_list args;
193.    va_start(args, format);
194.    StringCchVPrintfW(buffer, ARRAYSIZE(buffer), format, args);
195.    va_end(args);
196.  
197.    size_t len = wcslen(buffer);
198.    g_OutputBuffer.insert(g_OutputBuffer.end(), buffer, buffer + len);
199.  
200.    // Update the EditBox in chunks to prevent overloading
201.    if (g_OutputBuffer.size() > 8000) {
202.        g_OutputBuffer.push_back(L'\0'); // Null-terminate
203.        SetWindowTextW(g_hEditControl, &g_OutputBuffer[0]);
204.        g_OutputBuffer.clear(); // Clear buffer after update
205.    }
206. }
207.  
208. void FlushOutput() {
209.    if (!g_OutputBuffer.empty()) {
210.        g_OutputBuffer.push_back(L'\0'); // Null-terminate
211.        SetWindowTextW(g_hEditControl, &g_OutputBuffer[0]);
212.        g_OutputBuffer.clear();
213.    }
214. }
215. */
216.  
217. //using-latest-below-/w-dyanmic-vector
218. void AppendToOutput(const wchar_t* format, ...) {
219.    va_list args;
220.    va_start(args, format);
221.  
222.    // Use a vector as a dynamically resizable buffer
223.    std::vector<wchar_t> buffer(1024); // Start with an initial size
224.    int result = -1;
225.  
226.    while (true) {
227.        // Attempt to format the string
228.        result = _vsnwprintf(buffer.data(), buffer.size(), format, args);
229.  
230.        if (result >= 0 && static_cast<size_t>(result) < buffer.size()) {
231.            // Successfully formatted within the current buffer size
232.            break;
233.        }
234.  
235.        // Resize the buffer and try again
236.        buffer.resize(buffer.size() * 2);
237.    }
238.    va_end(args);
239.  
240.    // Convert `\n` to `\r\n` for proper display in the EditBox
241.    std::wstring formattedOutput(buffer.data());
242.    size_t pos = 0;
243.    while ((pos = formattedOutput.find(L'\n', pos)) != std::wstring::npos) {
244.        formattedOutput.replace(pos, 1, L"\r\n");
245.        pos += 2; // Move past the replacement
246.    }
247.  
248.    // Append to the global output buffer
249.    g_OutputText << formattedOutput;
250.  
251.    // Update the EditBox periodically to prevent overloading
252.    if (g_OutputText.str().size() > 8000) {
253.        SetWindowTextW(g_hEditControl, g_OutputText.str().c_str());
254.        SendMessage(g_hEditControl, EM_SETSEL, -1, -1);
255.        SendMessage(g_hEditControl, EM_SCROLLCARET, 0, 0);
256.    }
257. }
258.  
259. //do I need this?!?!
260. void FlushOutput() {
261.    if (!g_OutputBuffer.empty()) {
262.        g_OutputBuffer.push_back(L'\0'); // Null-terminate
263.        SetWindowTextW(g_hEditControl, &g_OutputBuffer[0]);
264.        g_OutputBuffer.clear();
265.    }
266. }
267. //using-latest-above-/w-dyanmic-vector
268.  
269. /*
270. //basic test function
271. void AnalyzePEFile(const wchar_t* filePathW) {
272.    OUTPUT("[+] Analyzing file: %s\n", filePathW);
273.    LPVOID lpFileContent = GetFileContent(filePathW);
274.    if (!lpFileContent) { OUTPUT("[-] Could not read file.\n"); return; }
275.    PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)lpFileContent;
276.    if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) { OUTPUT("[-] Invalid DOS signature.\n"); HeapFree(GetProcessHeap(), 0, lpFileContent); return; }
277.    PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((DWORD_PTR)lpFileContent + dosHeader->e_lfanew);
278.    if (ntHeaders->Signature != IMAGE_NT_SIGNATURE) { OUTPUT("[-] Invalid NT signature.\n"); HeapFree(GetProcessHeap(), 0, lpFileContent); return; }
279.    OUTPUT("[+] PE file analyzed successfully.\n");
280.    HeapFree(GetProcessHeap(), 0, lpFileContent);
281.    UpdateEditControl();
282. }
283. */
284.  
285. //use vectors for unlimited size growth of buffer, use an alternative to editbox, check for fast loops overloading, in its primitive form it works properly! try w/o getimports3264 datadirectories getsections
286.  
287.  
288. //use below vv
289. void AnalyzePEFile(const wchar_t* filePathW) {
290.    OUTPUT("[+] Starting PE Analysis for: %s\n\n", filePathW);
291.  
292.    LPVOID lpFileContent = GetFileContent(filePathW);
293.    if (!lpFileContent) {
294.        OUTPUT("[-] Failed to read file content!\n");
295.        return;
296.    }
297.  
298.    const auto pImageDosHeader = static_cast<PIMAGE_DOS_HEADER>(lpFileContent);
299.    if (pImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
300.        OUTPUT("[-] Invalid DOS signature!\n");
301.        HeapFree(GetProcessHeap(), 0, lpFileContent);
302.        return;
303.    }
304.  
305.    const auto pImageNtHeaders = reinterpret_cast<PIMAGE_NT_HEADERS>((DWORD_PTR)lpFileContent + pImageDosHeader->e_lfanew);
306.    if (pImageNtHeaders->Signature != IMAGE_NT_SIGNATURE) {
307.        OUTPUT("[-] Invalid NT signature!\n");
308.        HeapFree(GetProcessHeap(), 0, lpFileContent);
309.        return;
310.    }
311.  
312.    UpdateEditControl(); //added just now remove line!
313.  
314.    OUTPUT("[+] PE FILE HEADER\n");
315.    OUTPUT("\tMachine : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.Machine);
316.    OUTPUT("\tNumberOfSections : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.NumberOfSections);
317.    OUTPUT("\tTimeDateStamp : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.TimeDateStamp);
318.    OUTPUT("\tPointerToSymbolTable : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.PointerToSymbolTable);
319.    OUTPUT("\tNumberOfSymbols : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.NumberOfSymbols);
320.    OUTPUT("\tSizeOfOptionalHeader : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.SizeOfOptionalHeader);
321.    OUTPUT("\tCharacteristics : 0x%X %s\n\n", (uintptr_t)pImageNtHeaders->FileHeader.Characteristics, GetImageCharacteristics(pImageNtHeaders->FileHeader.Characteristics));
322.  
323.    OUTPUT("[+] PE OPTIONAL HEADER\n");
324.    OUTPUT("\tMagic : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.Magic);
325.    OUTPUT("\tAddressOfEntryPoint : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.AddressOfEntryPoint);
326.    OUTPUT("\tImageBase : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.ImageBase);
327.    OUTPUT("\tSectionAlignment : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SectionAlignment);
328.    OUTPUT("\tFileAlignment : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.FileAlignment);
329.    OUTPUT("\tMajorOperatingSystemVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MajorOperatingSystemVersion);
330.    OUTPUT("\tMinorOperatingSystemVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MinorOperatingSystemVersion);
331.    OUTPUT("\tMajorImageVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MajorImageVersion);
332.    OUTPUT("\tMinorImageVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MinorImageVersion);
333.    OUTPUT("\tMajorSubsystemVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MajorSubsystemVersion);
334.    OUTPUT("\tMinorSubsystemVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MinorSubsystemVersion);
335.    OUTPUT("\tWin32VersionValue : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.Win32VersionValue);
336.    OUTPUT("\tSizeOfImage : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfImage);
337.    OUTPUT("\tSizeOfHeaders : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfHeaders);
338.    OUTPUT("\tCheckSum : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.CheckSum);
339.    OUTPUT("\tSubsystem : 0x%X %s\n", (uintptr_t)pImageNtHeaders->OptionalHeader.Subsystem, GetSubsystem(pImageNtHeaders->OptionalHeader.Subsystem));
340.    OUTPUT("\tDllCharacteristics : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.DllCharacteristics);
341.    OUTPUT("\tSizeOfStackReserve : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfStackReserve);
342.    OUTPUT("\tSizeOfStackCommit : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfStackCommit);
343.    OUTPUT("\tSizeOfHeapReserve : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfHeapReserve);
344.    OUTPUT("\tSizeOfHeapCommit : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfHeapCommit);
345.    OUTPUT("\tLoaderFlags : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.LoaderFlags);
346.    OUTPUT("\tNumberOfRvaAndSizes : 0x%X\n\n", (uintptr_t)pImageNtHeaders->OptionalHeader.NumberOfRvaAndSizes);
347.  
348.    UpdateEditControl(); //added just now remove line!
349.  
350.    GetDataDirectories(&pImageNtHeaders->OptionalHeader.DataDirectory[0]);
351.  
352.    const auto pImageSectionHeader = reinterpret_cast<PIMAGE_SECTION_HEADER>((DWORD_PTR)pImageNtHeaders + sizeof(IMAGE_NT_HEADERS));
353.    const auto pImageImportSection = GetSections(pImageSectionHeader, pImageNtHeaders->FileHeader.NumberOfSections, pImageNtHeaders->OptionalHeader.DataDirectory[1].VirtualAddress);
354.  
355.    if (!pImageImportSection) {
356.        OUTPUT("[-] Error: Could not find import section!\n");
357.        HeapFree(GetProcessHeap(), 0, lpFileContent);
358.        return;
359.    }
360.  
361.    const auto pImageImportDescriptor = reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>((DWORD_PTR)lpFileContent + pImageImportSection->PointerToRawData);
362.    if (pImageNtHeaders->FileHeader.Machine == IMAGE_FILE_MACHINE_I386) {
363.        GetImports32(pImageImportDescriptor, (DWORD)lpFileContent + pImageImportSection->PointerToRawData, pImageImportSection);
364.    }
365.    else if (pImageNtHeaders->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64) {
366.        GetImports64(pImageImportDescriptor, (DWORD)lpFileContent + pImageImportSection->PointerToRawData, pImageImportSection);
367.    }
368.    else {
369.        OUTPUT("[-] Unsupported architecture!\n");
370.    }
371.  
372.    HeapFree(GetProcessHeap(), 0, lpFileContent);
373.    UpdateEditControl();
374. }
375.  
376. void GetDataDirectories(PIMAGE_DATA_DIRECTORY pImageDataDirectory) {
377.    OUTPUT("[+] PE DATA DIRECTORIES\n");
378.    for (int i = 0; i < IMAGE_NUMBEROF_DIRECTORY_ENTRIES; ++i, ++pImageDataDirectory) {
379.        if (pImageDataDirectory->VirtualAddress == 0) continue;
380.        OUTPUT("\tDataDirectory (%s) VirtualAddress : 0x%X\n", GetDataDirectoryName(i), (uintptr_t)pImageDataDirectory->VirtualAddress);
381.        OUTPUT("\tDataDirectory (%s) Size : 0x%X\n\n", GetDataDirectoryName(i), (uintptr_t)pImageDataDirectory->Size);
382.    }
383. }
384.  
385. PIMAGE_SECTION_HEADER GetSections(const PIMAGE_SECTION_HEADER pImageSectionHeader, int NumberOfSections, DWORD dImportAddress) {
386.    PIMAGE_SECTION_HEADER pImageImportHeader = nullptr;
387.    OUTPUT("\n[+] PE IMAGE SECTIONS\n");
388.    for (int i = 0; i < NumberOfSections; ++i) {
389.        const auto pCurrentSectionHeader = reinterpret_cast<PIMAGE_SECTION_HEADER>((DWORD_PTR)pImageSectionHeader + i * sizeof(IMAGE_SECTION_HEADER));
390.        OUTPUT("\n\tSECTION : %s\n", (wchar_t*)pCurrentSectionHeader->Name);
391.        OUTPUT("\t\tMisc (PhysicalAddress) : 0x%X\n", (uintptr_t)pCurrentSectionHeader->Misc.PhysicalAddress);
392.        OUTPUT("\t\tMisc (VirtualSize) : 0x%X\n", (uintptr_t)pCurrentSectionHeader->Misc.VirtualSize);
393.        OUTPUT("\t\tVirtualAddress : 0x%X\n", (uintptr_t)pCurrentSectionHeader->VirtualAddress);
394.        OUTPUT("\t\tSizeOfRawData : 0x%X\n", (uintptr_t)pCurrentSectionHeader->SizeOfRawData);
395.        OUTPUT("\t\tPointerToRawData : 0x%X\n", (uintptr_t)pCurrentSectionHeader->PointerToRawData);
396.        OUTPUT("\t\tCharacteristics : 0x%X %s\n", (uintptr_t)pCurrentSectionHeader->Characteristics, GetSectionProtection(pCurrentSectionHeader->Characteristics));
397.  
398.        if (dImportAddress >= pCurrentSectionHeader->VirtualAddress && dImportAddress < pCurrentSectionHeader->VirtualAddress + pCurrentSectionHeader->Misc.VirtualSize) {
399.            pImageImportHeader = pCurrentSectionHeader;
400.        }
401.    }
402.    return pImageImportHeader;
403. }
404.  
405. void GetImports32(PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor, DWORD dRawOffset, const PIMAGE_SECTION_HEADER pImageImportSection) {
406.    OUTPUT("\n[+] IMPORTED DLL\n");
407.    while (pImageImportDescriptor->Name != 0) {
408.        OUTPUT("\n\tDLL NAME : %s\n", (wchar_t*)(dRawOffset + (pImageImportDescriptor->Name - pImageImportSection->VirtualAddress)));
409.        if (pImageImportDescriptor->OriginalFirstThunk == 0) {
410.            ++pImageImportDescriptor;
411.            continue;
412.        }
413.        auto pOriginalFirstThunk = reinterpret_cast<PIMAGE_THUNK_DATA32>(dRawOffset + (pImageImportDescriptor->OriginalFirstThunk - pImageImportSection->VirtualAddress));
414.        while (pOriginalFirstThunk->u1.AddressOfData != 0) {
415.            const auto pImageImportByName = reinterpret_cast<PIMAGE_IMPORT_BY_NAME>(dRawOffset + (pOriginalFirstThunk->u1.AddressOfData - pImageImportSection->VirtualAddress));
416.            if (pImageImportByName) {
417.                OUTPUT("\t\tFunction: %s\n", (char*)pImageImportByName->Name);
418.            }
419.            pOriginalFirstThunk++;
420.        }
421.        pImageImportDescriptor++;
422.    }
423. }
424.  
425. void GetImports64(PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor, DWORD dRawOffset, const PIMAGE_SECTION_HEADER pImageImportSection) {
426.    OUTPUT("\n[+] IMPORTED DLL\n");
427.    while (pImageImportDescriptor->Name != 0) {
428.        OUTPUT("\n\tDLL NAME : %s\n", (wchar_t*)(dRawOffset + (pImageImportDescriptor->Name - pImageImportSection->VirtualAddress)));
429.        if (pImageImportDescriptor->OriginalFirstThunk == 0) {
430.            ++pImageImportDescriptor;
431.            continue;
432.        }
433.        auto pOriginalFirstThunk = reinterpret_cast<PIMAGE_THUNK_DATA64>(dRawOffset + (pImageImportDescriptor->OriginalFirstThunk - pImageImportSection->VirtualAddress));
434.        while (pOriginalFirstThunk->u1.AddressOfData != 0) {
435.            const auto pImageImportByName = reinterpret_cast<PIMAGE_IMPORT_BY_NAME>(dRawOffset + (pOriginalFirstThunk->u1.AddressOfData - pImageImportSection->VirtualAddress));
436.            if (pImageImportByName) {
437.                OUTPUT("\t\tFunction: %s\n", (char*)pImageImportByName->Name);
438.            }
439.            pOriginalFirstThunk++;
440.        }
441.        pImageImportDescriptor++;
442.    }
443. }
444. //use above ^^
445.  
446.  
447.  
448. /*
449. // Main PE Analysis function
450. void AnalyzePEFile(const wchar_t* filePathW)
451. {
452.    //WCHAR filePathW[MAX_PATH];
453.    //MultiByteToWideChar(CP_ACP, 0, filePathA, -1, filePathW, MAX_PATH);
454.    OUTPUT("[+] Starting PE Analysis for: %s\n\n", filePathW);
455.    //AppendToOutput(L"[+] Starting PE Analysis for: %ls\n\n", filePathW);
456.  
457.    // Get file content
458.    LPVOID lpFileContent = GetFileContent(filePathW);
459.    if (!lpFileContent)
460.    {
461.        OUTPUT("[-] Failed to read file content!\n");
462.        return;
463.    }
464.  
465.    // Get DOS header
466.    const auto pImageDosHeader = static_cast<PIMAGE_DOS_HEADER>(lpFileContent);
467.    if (pImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
468.    {
469.        OUTPUT("[-] Invalid DOS signature!\n");
470.        HeapFree(GetProcessHeap(), 0, lpFileContent);
471.        return;
472.    }
473.  
474.    // Get NT headers
475.    const auto pImageNtHeaders = reinterpret_cast<PIMAGE_NT_HEADERS>((DWORD_PTR)lpFileContent + pImageDosHeader->e_lfanew);
476.    if (pImageNtHeaders->Signature != IMAGE_NT_SIGNATURE)
477.    {
478.        OUTPUT("[-] Invalid NT signature!\n");
479.        HeapFree(GetProcessHeap(), 0, lpFileContent);
480.        return;
481.    }
482.  
483.    // Display File Header information
484.    OUTPUT("[+] PE FILE HEADER\n");
485.    OUTPUT("\tMachine : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.Machine);
486.    OUTPUT("\tNumberOfSections : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.NumberOfSections);
487.    OUTPUT("\tTimeDateStamp : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.TimeDateStamp);
488.    OUTPUT("\tPointerToSymbolTable : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.PointerToSymbolTable);
489.    OUTPUT("\tNumberOfSymbols : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.NumberOfSymbols);
490.    OUTPUT("\tSizeOfOptionalHeader : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.SizeOfOptionalHeader);
491.    OUTPUT("\tCharacteristics : 0x%X %s\n\n",
492.        (uintptr_t)pImageNtHeaders->FileHeader.Characteristics,
493.        GetImageCharacteristics(pImageNtHeaders->FileHeader.Characteristics));
494.  
495.    // Display Optional Header information
496.    OUTPUT("[+] PE OPTIONAL HEADER\n");
497.    OUTPUT("\tMagic : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.Magic);
498.    OUTPUT("\tAddressOfEntryPoint : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.AddressOfEntryPoint);
499.    OUTPUT("\tImageBase : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.ImageBase);
500.    OUTPUT("\tSectionAlignment : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SectionAlignment);
501.    OUTPUT("\tFileAlignment : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.FileAlignment);
502.    OUTPUT("\tMajorOperatingSystemVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MajorOperatingSystemVersion);
503.    OUTPUT("\tMinorOperatingSystemVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MinorOperatingSystemVersion);
504.    OUTPUT("\tMajorImageVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MajorImageVersion);
505.    OUTPUT("\tMinorImageVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MinorImageVersion);
506.    OUTPUT("\tMajorSubsystemVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MajorSubsystemVersion);
507.    OUTPUT("\tMinorSubsystemVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MinorSubsystemVersion);
508.    OUTPUT("\tWin32VersionValue : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.Win32VersionValue);
509.    OUTPUT("\tSizeOfImage : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfImage);
510.    OUTPUT("\tSizeOfHeaders : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfHeaders);
511.    OUTPUT("\tCheckSum : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.CheckSum);
512.    OUTPUT("\tSubsystem : 0x%X %s\n",
513.        (uintptr_t)pImageNtHeaders->OptionalHeader.Subsystem,
514.        GetSubsystem(pImageNtHeaders->OptionalHeader.Subsystem));
515.    OUTPUT("\tDllCharacteristics : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.DllCharacteristics);
516.    OUTPUT("\tSizeOfStackReserve : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfStackReserve);
517.    OUTPUT("\tSizeOfStackCommit : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfStackCommit);
518.    OUTPUT("\tSizeOfHeapReserve : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfHeapReserve);
519.    OUTPUT("\tSizeOfHeapCommit : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfHeapCommit);
520.    OUTPUT("\tLoaderFlags : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.LoaderFlags);
521.    OUTPUT("\tNumberOfRvaAndSizes : 0x%X\n\n", (uintptr_t)pImageNtHeaders->OptionalHeader.NumberOfRvaAndSizes);
522.  
523.    // Get Data Directories
524.    GetDataDirectories(&pImageNtHeaders->OptionalHeader.DataDirectory[0]);
525.  
526.    // Get the import section
527.    const auto pImageSectionHeader = reinterpret_cast<PIMAGE_SECTION_HEADER>(
528.        (DWORD_PTR)pImageNtHeaders + sizeof(IMAGE_NT_HEADERS));
529.  
530.    const auto pImageImportSection = GetSections(
531.        pImageSectionHeader,
532.        pImageNtHeaders->FileHeader.NumberOfSections,
533.        pImageNtHeaders->OptionalHeader.DataDirectory[1].VirtualAddress);
534.  
535.    if (!pImageImportSection)
536.    {
537.        OUTPUT("[-] Error: Could not find import section!\n");
538.        HeapFree(GetProcessHeap(), 0, lpFileContent);
539.        return;
540.    }
541.  
542.    // Get imports based on architecture
543.    const auto pImageImportDescriptor = reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(
544.        (DWORD_PTR)lpFileContent + pImageImportSection->PointerToRawData);
545.  
546.    if (pImageNtHeaders->FileHeader.Machine == IMAGE_FILE_MACHINE_I386)
547.    {
548.        GetImports32(
549.            pImageImportDescriptor,
550.            (DWORD)lpFileContent + pImageImportSection->PointerToRawData,
551.            pImageImportSection);
552.    }
553.    else if (pImageNtHeaders->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)
554.    {
555.        GetImports64(
556.            pImageImportDescriptor,
557.            (DWORD)lpFileContent + pImageImportSection->PointerToRawData,
558.            pImageImportSection);
559.    }
560.    else
561.    {
562.        OUTPUT("[-] Unsupported architecture!\n");
563.    }
564.  
565.    // Cleanup
566.    HeapFree(GetProcessHeap(), 0, lpFileContent);
567.  
568.    // Update the GUI with the analysis results
569.    UpdateEditControl();
570. }
571.  
572. void GetDataDirectories(PIMAGE_DATA_DIRECTORY pImageDataDirectory)
573. {
574.    OUTPUT("[+] PE DATA DIRECTORIES\n");
575.    for (int i = 0; i < IMAGE_NUMBEROF_DIRECTORY_ENTRIES; ++i, ++pImageDataDirectory)
576.    {
577.        if (pImageDataDirectory->VirtualAddress == 0)
578.            continue;
579.  
580.        OUTPUT("\tDataDirectory (%s) VirtualAddress : 0x%X\n",
581.            GetDataDirectoryName(i),
582.            (uintptr_t)pImageDataDirectory->VirtualAddress);
583.        OUTPUT("\tDataDirectory (%s) Size : 0x%X\n\n",
584.            GetDataDirectoryName(i),
585.            (uintptr_t)pImageDataDirectory->Size);
586.    }
587. }
588.  
589. PIMAGE_SECTION_HEADER GetSections(const PIMAGE_SECTION_HEADER pImageSectionHeader,
590.    int NumberOfSections, DWORD dImportAddress)
591. {
592.    PIMAGE_SECTION_HEADER pImageImportHeader = nullptr;
593.  
594.    OUTPUT("\n[+] PE IMAGE SECTIONS\n");
595.  
596.    for (int i = 0; i < NumberOfSections; ++i)
597.    {
598.        const auto pCurrentSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD_PTR)pImageSectionHeader +
599.            i * sizeof(IMAGE_SECTION_HEADER));
600.  
601.        OUTPUT("\n\tSECTION : %s\n", (wchar_t*)pCurrentSectionHeader->Name);
602.        OUTPUT("\t\tMisc (PhysicalAddress) : 0x%X\n",
603.            (uintptr_t)pCurrentSectionHeader->Misc.PhysicalAddress);
604.        OUTPUT("\t\tMisc (VirtualSize) : 0x%X\n",
605.            (uintptr_t)pCurrentSectionHeader->Misc.VirtualSize);
606.        OUTPUT("\t\tVirtualAddress : 0x%X\n",
607.            (uintptr_t)pCurrentSectionHeader->VirtualAddress);
608.        OUTPUT("\t\tSizeOfRawData : 0x%X\n",
609.            (uintptr_t)pCurrentSectionHeader->SizeOfRawData);
610.        OUTPUT("\t\tPointerToRawData : 0x%X\n",
611.            (uintptr_t)pCurrentSectionHeader->PointerToRawData);
612.        OUTPUT("\t\tPointerToRelocations : 0x%X\n",
613.            (uintptr_t)pCurrentSectionHeader->PointerToRelocations);
614.        OUTPUT("\t\tPointerToLinenumbers : 0x%X\n",
615.            (uintptr_t)pCurrentSectionHeader->PointerToLinenumbers);
616.        OUTPUT("\t\tNumberOfRelocations : 0x%X\n",
617.            (uintptr_t)pCurrentSectionHeader->NumberOfRelocations);
618.        OUTPUT("\t\tNumberOfLinenumbers : 0x%X\n",
619.            (uintptr_t)pCurrentSectionHeader->NumberOfLinenumbers);
620.        OUTPUT("\t\tCharacteristics : 0x%X %s\n",
621.            (uintptr_t)pCurrentSectionHeader->Characteristics,
622.            GetSectionProtection(pCurrentSectionHeader->Characteristics));
623.  
624.        if (dImportAddress >= pCurrentSectionHeader->VirtualAddress &&
625.            dImportAddress < pCurrentSectionHeader->VirtualAddress +
626.            pCurrentSectionHeader->Misc.VirtualSize)
627.        {
628.            pImageImportHeader = pCurrentSectionHeader;
629.        }
630.    }
631.  
632.    return pImageImportHeader;
633. }
634. void GetImports32(PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor,
635.    DWORD dRawOffset, const PIMAGE_SECTION_HEADER pImageImportSection)
636. {
637.    OUTPUT("\n[+] IMPORTED DLL\n");
638.  
639.    while (pImageImportDescriptor->Name != 0)
640.    {
641.        OUTPUT("\n\tDLL NAME : %s\n",
642.            (wchar_t*)(dRawOffset + (pImageImportDescriptor->Name - pImageImportSection->VirtualAddress)));
643.        OUTPUT("\tCharacteristics : 0x%X\n",
644.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->Characteristics - pImageImportSection->VirtualAddress)));
645.        OUTPUT("\tOriginalFirstThunk : 0x%X\n",
646.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->OriginalFirstThunk - pImageImportSection->VirtualAddress)));
647.        OUTPUT("\tTimeDateStamp : 0x%X\n",
648.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->TimeDateStamp - pImageImportSection->VirtualAddress)));
649.        OUTPUT("\tForwarderChain : 0x%X\n",
650.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->ForwarderChain - pImageImportSection->VirtualAddress)));
651.        OUTPUT("\tFirstThunk : 0x%X\n",
652.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->FirstThunk - pImageImportSection->VirtualAddress)));
653.  
654.        if (pImageImportDescriptor->OriginalFirstThunk == 0)
655.        {
656.            ++pImageImportDescriptor;
657.            continue;
658.        }
659.  
660.        auto pOriginalFirstThrunk = (PIMAGE_THUNK_DATA32)(dRawOffset +
661.            (pImageImportDescriptor->OriginalFirstThunk - pImageImportSection->VirtualAddress));
662.  
663.        OUTPUT("\n\tImported Functions : \n\n");
664.  
665.        while (pOriginalFirstThrunk->u1.AddressOfData != 0)
666.        {
667.            if (pOriginalFirstThrunk->u1.AddressOfData >= IMAGE_ORDINAL_FLAG32)
668.            {
669.                ++pOriginalFirstThrunk;
670.                continue;
671.            }
672.  
673.            const auto pImageImportByName = (PIMAGE_IMPORT_BY_NAME)(dRawOffset +
674.                (pOriginalFirstThrunk->u1.AddressOfData - pImageImportSection->VirtualAddress));
675.  
676.            if (pImageImportByName == nullptr)
677.            {
678.                ++pOriginalFirstThrunk;
679.                continue;
680.            }
681.  
682.            if (pOriginalFirstThrunk->u1.Ordinal & IMAGE_ORDINAL_FLAG32)
683.            {
684.                OUTPUT("\t\t0x%X (Ordinal) : %s\n",
685.                    (uintptr_t)pOriginalFirstThrunk->u1.AddressOfData,
686.                    (wchar_t*)((DWORD_PTR)dRawOffset + (pImageImportByName->Name - pImageImportSection->VirtualAddress)));
687.            }
688.            else
689.            {
690.                OUTPUT("\t\t%s\n",
691.                    (wchar_t*)((DWORD_PTR)dRawOffset + (pImageImportByName->Name - pImageImportSection->VirtualAddress)));
692.            }
693.  
694.            ++pOriginalFirstThrunk;
695.        }
696.  
697.        ++pImageImportDescriptor;
698.    }
699. }
700.  
701. void GetImports64(PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor,
702.    DWORD dRawOffset, const PIMAGE_SECTION_HEADER pImageImportSection)
703. {
704.    OUTPUT("\n[+] IMPORTED DLL\n");
705.  
706.    while (pImageImportDescriptor->Name != 0)
707.    {
708.        OUTPUT("\n\tDLL NAME : %s\n",
709.            (wchar_t*)(dRawOffset + (pImageImportDescriptor->Name - pImageImportSection->VirtualAddress)));
710.        OUTPUT("\tCharacteristics : 0x%X\n",
711.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->Characteristics - pImageImportSection->VirtualAddress)));
712.        OUTPUT("\tOriginalFirstThunk : 0x%X\n",
713.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->OriginalFirstThunk - pImageImportSection->VirtualAddress)));
714.        OUTPUT("\tTimeDateStamp : 0x%X\n",
715.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->TimeDateStamp - pImageImportSection->VirtualAddress)));
716.        OUTPUT("\tForwarderChain : 0x%X\n",
717.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->ForwarderChain - pImageImportSection->VirtualAddress)));
718.        OUTPUT("\tFirstThunk : 0x%X\n",
719.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->FirstThunk - pImageImportSection->VirtualAddress)));
720.  
721.        if (pImageImportDescriptor->OriginalFirstThunk == 0)
722.        {
723.            ++pImageImportDescriptor;
724.            continue;
725.        }
726.  
727.        auto pOriginalFirstThrunk = (PIMAGE_THUNK_DATA64)(dRawOffset +
728.            (pImageImportDescriptor->OriginalFirstThunk - pImageImportSection->VirtualAddress));
729.  
730.        OUTPUT("\n\tImported Functions : \n\n");
731.  
732.        while (pOriginalFirstThrunk->u1.AddressOfData != 0)
733.        {
734.            if (pOriginalFirstThrunk->u1.AddressOfData >= IMAGE_ORDINAL_FLAG64)
735.            {
736.                ++pOriginalFirstThrunk;
737.                continue;
738.            }
739.  
740.            const auto pImageImportByName = (PIMAGE_IMPORT_BY_NAME)((DWORD_PTR)dRawOffset +
741.                (pOriginalFirstThrunk->u1.AddressOfData - pImageImportSection->VirtualAddress));
742.  
743.            if (pImageImportByName == nullptr)
744.            {
745.                ++pOriginalFirstThrunk;
746.                continue;
747.            }
748.  
749.            if (pOriginalFirstThrunk->u1.Ordinal & IMAGE_ORDINAL_FLAG64)
750.            {
751.                OUTPUT("\t\t0x%llX (Ordinal) : %s\n",
752.                    pOriginalFirstThrunk->u1.AddressOfData,
753.                    (wchar_t*)((DWORD_PTR)dRawOffset + (pImageImportByName->Name - pImageImportSection->VirtualAddress)));
754.            }
755.            else
756.            {
757.                OUTPUT("\t\t%s\n",
758.                    (wchar_t*)((DWORD_PTR)dRawOffset + (pImageImportByName->Name - pImageImportSection->VirtualAddress)));
759.            }
760.  
761.            ++pOriginalFirstThrunk;
762.        }
763.  
764.        ++pImageImportDescriptor;
765.    }
766. }
767. */
768.  
769. HANDLE GetFileContent(const wchar_t* lpFilePath) {
770.    HANDLE hFile = CreateFileW(lpFilePath, GENERIC_READ, 0, nullptr, OPEN_EXISTING, 0, nullptr);
771.    if (hFile == INVALID_HANDLE_VALUE) return nullptr;
772.    DWORD fileSize = GetFileSize(hFile, nullptr);
773.    auto lpFileContent = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, fileSize);
774.    DWORD bytesRead;
775.    ReadFile(hFile, lpFileContent, fileSize, &bytesRead, nullptr);
776.    CloseHandle(hFile);
777.    return lpFileContent;
778. }
779.  
780. void UpdateEditControl() {
781.    SetWindowTextW(g_hEditControl, g_OutputText.str().c_str());
782.    SendMessage(g_hEditControl, EM_SETSEL, -1, -1);
783.    SendMessage(g_hEditControl, EM_SCROLLCARET, 0, 0);
784. }
785.  
786. ==++Here's the full sourcecode for (file 2/2) "helpers.h"::++==
787. #pragma once
788. #include <Windows.h>
789. #include <strsafe.h>
790.  
791. // Helper function declarations
792. const wchar_t* GetImageCharacteristics(DWORD dCharacteristics);
793. const wchar_t* GetSubsystem(WORD Subsystem);
794. const wchar_t* GetDataDirectoryName(int DirectoryNumber);
795. const wchar_t* GetSectionProtection(DWORD dCharacteristics);
796.  
797. // Helper function implementations
798. const wchar_t* GetImageCharacteristics(DWORD dCharacteristics)
799. {
800.     if (dCharacteristics & IMAGE_FILE_DLL)
801.         return L"(DLL)";
802.     if (dCharacteristics & IMAGE_FILE_SYSTEM)
803.         return L"(DRIVER)";
804.     if (dCharacteristics & IMAGE_FILE_EXECUTABLE_IMAGE)
805.         return L"(EXE)";
806.     return L"(UNKNOWN)";
807. }
808.  
809. const wchar_t* GetSubsystem(WORD Subsystem)
810. {
811.     if (Subsystem == 1)
812.         return L"(NATIVE / DRIVER)";
813.     if (Subsystem == 2)
814.         return L"(GUI APP)";
815.     if (Subsystem == 3)
816.         return L"(CONSOLE APP)";
817.     return L"(UNKNOWN)";
818. }
819.  
820. const wchar_t* GetDataDirectoryName(int DirectoryNumber)
821. {
822.     switch (DirectoryNumber)
823.     {
824.     case 0: return L"Export Table";
825.     case 1: return L"Import Table";
826.     case 2: return L"Resource Table";
827.     case 3: return L"Exception Entry";
828.     case 4: return L"Security Entry";
829.     case 5: return L"Relocation Table";
830.     case 6: return L"Debug Entry";
831.     case 7: return L"Copyright Entry";
832.     case 8: return L"Global PTR Entry";
833.     case 9: return L"TLS Entry";
834.     case 10: return L"Configuration Entry";
835.     case 11: return L"Bound Import Entry";
836.     case 12: return L"IAT";
837.     case 13: return L"Delay Import Descriptor";
838.     case 14: return L"COM Descriptor";
839.     default: return nullptr;
840.     }
841. }
842.  
843. const wchar_t* GetSectionProtection(DWORD dCharacteristics) {
844.     static wchar_t lpSectionProtection[1024] = {};
845.     StringCchCopyW(lpSectionProtection, ARRAYSIZE(lpSectionProtection), L"(");
846.     bool bExecute = false, bRead = false;
847.  
848.     if (dCharacteristics & IMAGE_SCN_MEM_EXECUTE) {
849.         bExecute = true;
850.         StringCchCatW(lpSectionProtection, ARRAYSIZE(lpSectionProtection), L"EXECUTE");
851.     }
852.  
853.     if (dCharacteristics & IMAGE_SCN_MEM_READ) {
854.         bRead = true;
855.         if (bExecute)
856.             StringCchCatW(lpSectionProtection, ARRAYSIZE(lpSectionProtection), L" | ");
857.         StringCchCatW(lpSectionProtection, ARRAYSIZE(lpSectionProtection), L"READ");
858.     }
859.  
860.     if (dCharacteristics & IMAGE_SCN_MEM_WRITE) {
861.         if (bExecute || bRead)
862.             StringCchCatW(lpSectionProtection, ARRAYSIZE(lpSectionProtection), L" | ");
863.         StringCchCatW(lpSectionProtection, ARRAYSIZE(lpSectionProtection), L"WRITE");
864.     }
865.  
866.     StringCchCatW(lpSectionProtection, ARRAYSIZE(lpSectionProtection), L")");
867.     return lpSectionProtection;
868. }