PE-Explorer GUI-based Port in C *BUGGY* (WIP)

1. ==++ Here's the full code for (file 1/2) "main.cpp"::++==
2. #define STRICT
3. #define WIN32_LEAN_AND_MEAN
4. #include <Windows.h>
5. #include <winternl.h>
6. #include <CommCtrl.h>
7. #include <commdlg.h>
8. #include <string>
9. #include <strsafe.h>
10. #include <sstream>
11. #include <iomanip>
12. #include <stdio.h>
13. #include "helpers.h"
14. #include "resource.h"
15. #pragma comment(lib, "comctl32.lib")
16.  
17. using namespace std;
18.  
19. // At the top of your file, change the window class name to wide string
20. #define WINDOW_CLASS_NAME L"PEAnalyzerWindow"
21. //const wchar_t* const WINDOW_CLASS_NAME = L"PEAnalyzerWindow";
22.  
23. // Use ANSI versions explicitly
24. //#undef CreateWindow
25. //#undef CreateWindowEx
26. //#define CreateWindow  CreateWindowW
27. //#define CreateWindowEx CreateWindowExW
28.  
29. // Helper function to replace printf with GUI output
30. #define OUTPUT(format, ...) AppendToOutput(L##format, ##__VA_ARGS__)
31. //#define OUTPUT(format, ...) AppendToOutput(format, ##__VA_ARGS__)
32. //#define printf(format, ...) AppendToOutput(format, ##__VA_ARGS__)
33.  
34. // Window dimensions
35. #define WINDOW_WIDTH    1024
36. #define WINDOW_HEIGHT   768
37. #define EDIT_MARGIN    10
38.  
39. // Global variables
40. HWND g_hMainWindow = NULL;
41. HWND g_hEditControl = NULL;
42. HFONT g_hFont = NULL;
43. std::wstringstream g_OutputText;
44. WCHAR filePathW[MAX_PATH];
45.  
46. // Function declarations
47. LRESULT CALLBACK WindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam);
48. void CreateMainWindow(HINSTANCE hInstance);
49. void InitializeControls(HWND hwnd);
50. void AddMenus(HWND hwnd);
51. void OpenFileDialog(HWND hwnd);
52. void AnalyzePEFile(const WCHAR* filePathW);
53. HANDLE GetFileContent(const wchar_t* lpFilePath);
54. void GetDataDirectories(PIMAGE_DATA_DIRECTORY pImageDataDirectory);
55. PIMAGE_SECTION_HEADER GetSections(const PIMAGE_SECTION_HEADER pImageSectionHeader,
56.    int NumberOfSections, DWORD dImportAddress);
57. void GetImports32(PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor,
58.    DWORD dRawOffset, const PIMAGE_SECTION_HEADER pImageImportSection);
59. void GetImports64(PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor,
60.    DWORD dRawOffset, const PIMAGE_SECTION_HEADER pImageImportSection);
61. void AppendToOutput(const wchar_t* format, ...);
62. void UpdateEditControl();
63.  
64. // Main window class name
65. //const char* const WINDOW_CLASS_NAME = "PEAnalyzerWindow";
66.  
67. int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
68. {
69.    // Initialize Common Controls
70.    INITCOMMONCONTROLSEX icc;
71.    icc.dwSize = sizeof(INITCOMMONCONTROLSEX);
72.    icc.dwICC = ICC_WIN95_CLASSES;
73.    InitCommonControlsEx(&icc);
74.  
75.    // Create the main window
76.    CreateMainWindow(hInstance);
77.    if (!g_hMainWindow)
78.        return -1;
79.  
80.    // Show the window
81.    ShowWindow(g_hMainWindow, nCmdShow);
82.    UpdateWindow(g_hMainWindow);
83.  
84.    // Message loop
85.    MSG msg = {};
86.    while (GetMessage(&msg, NULL, 0, 0))
87.    {
88.        TranslateMessage(&msg);
89.        DispatchMessage(&msg);
90.    }
91.  
92.    // Cleanup
93.    if (g_hFont)
94.        DeleteObject(g_hFont);
95.  
96.    return (int)msg.wParam;
97. }
98.  
99. void CreateMainWindow(HINSTANCE hInstance)
100. {
101.    WNDCLASSEXW wc = {};
102.    wc.cbSize = sizeof(WNDCLASSEXW);
103.    wc.lpfnWndProc = WindowProc;
104.    wc.hInstance = hInstance;
105.    wc.lpszClassName = WINDOW_CLASS_NAME;
106.    wc.hCursor = LoadCursor(NULL, IDC_ARROW);
107.    wc.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1);
108.  
109.    if (!RegisterClassExW(&wc))
110.        return;
111.  
112.    // Create the window
113.    g_hMainWindow = CreateWindowExW(
114.        0,                              // Optional window styles
115.        (LPCWSTR)WINDOW_CLASS_NAME,     // Window class name (explicitly cast)
116.        L"PE File Analyzer",             // Window text
117.        WS_OVERLAPPEDWINDOW,           // Window style
118.        CW_USEDEFAULT, CW_USEDEFAULT,  // Position
119.        WINDOW_WIDTH, WINDOW_HEIGHT,    // Size
120.        nullptr,                           // Parent window    
121.        nullptr,                          // Menu
122.        hInstance,                     // Instance handle
123.        nullptr                           // Additional application data
124.    );
125. }
126.  
127. void InitializeControls(HWND hwnd)
128. {
129.    // Create edit control
130.        g_hEditControl = CreateWindowExW(
131.            WS_EX_CLIENTEDGE,
132.            L"EDIT",
133.            L"",
134.            WS_CHILD | WS_VISIBLE | WS_VSCROLL | WS_HSCROLL | ES_MULTILINE | ES_AUTOVSCROLL | ES_AUTOHSCROLL,
135.            EDIT_MARGIN, EDIT_MARGIN,
136.            WINDOW_WIDTH - (2 * EDIT_MARGIN),
137.            WINDOW_HEIGHT - (2 * EDIT_MARGIN),
138.            hwnd,
139.            nullptr,
140.            (HINSTANCE)GetWindowLongPtr(hwnd, GWLP_HINSTANCE),
141.            nullptr
142.        );
143.  
144.    // Create and set font
145.    g_hFont = CreateFont(
146.        -14,                    // Height
147.        0,                      // Width
148.        0,                      // Escapement
149.        0,                      // Orientation
150.        FW_NORMAL,             // Weight
151.        FALSE,                 // Italic
152.        FALSE,                 // Underline
153.        0,                     // StrikeOut
154.        ANSI_CHARSET,          // CharSet
155.        OUT_DEFAULT_PRECIS,    // OutPrecision
156.        CLIP_DEFAULT_PRECIS,   // ClipPrecision
157.        DEFAULT_QUALITY,       // Quality
158.        DEFAULT_PITCH | FF_MODERN, // PitchAndFamily
159.        L"Consolas"             // Face Name
160.    );
161.  
162.    if (g_hFont)
163.        SendMessage(g_hEditControl, WM_SETFONT, (WPARAM)g_hFont, TRUE);
164. }
165. void AddMenus(HWND hwnd)
166. {
167.    HMENU hMenuBar = CreateMenu();
168.    HMENU hFileMenu = CreateMenu();
169.  
170.    AppendMenu(hMenuBar, MF_POPUP, (UINT_PTR)hFileMenu, L"&File");
171.    AppendMenu(hFileMenu, MF_STRING, ID_FILE_OPEN, L"&Open");
172.    AppendMenu(hFileMenu, MF_SEPARATOR, 0, NULL);
173.    AppendMenu(hFileMenu, MF_STRING, ID_FILE_EXIT, L"E&xit");
174.  
175.    SetMenu(hwnd, hMenuBar);
176. }
177.  
178. LRESULT CALLBACK WindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
179. {
180.    switch (uMsg)
181.    {
182.    case WM_CREATE:
183.        InitializeControls(hwnd);
184.        AddMenus(hwnd);
185.        return 0;
186.  
187.    case WM_SIZE:
188.    {
189.        // Resize edit control to match window size
190.        int clientWidth = LOWORD(lParam);
191.        int clientHeight = HIWORD(lParam);
192.        SetWindowPos(g_hEditControl, NULL,
193.            EDIT_MARGIN, EDIT_MARGIN,
194.            clientWidth - (2 * EDIT_MARGIN),
195.            clientHeight - (2 * EDIT_MARGIN),
196.            SWP_NOZORDER);
197.        return 0;
198.    }
199.  
200.    case WM_COMMAND:
201.        switch (LOWORD(wParam))
202.        {
203.        case ID_FILE_OPEN:
204.            OpenFileDialog(hwnd);
205.            return 0;
206.  
207.        case ID_FILE_EXIT:
208.            PostQuitMessage(0);
209.            return 0;
210.        }
211.        break;
212.  
213.    case WM_DESTROY:
214.        PostQuitMessage(0);
215.        return 0;
216.    }
217.    return DefWindowProc(hwnd, uMsg, wParam, lParam);
218. }
219.  
220. void OpenFileDialog(HWND hwnd)
221. {
222.    WCHAR fileName[MAX_PATH] = L"";
223.    OPENFILENAMEW ofn = { 0 };
224.    ofn.lStructSize = sizeof(OPENFILENAMEW);
225.    ofn.hwndOwner = hwnd;
226.    ofn.lpstrFilter = L"Executable Files (*.exe;*.dll)\0*.exe;*.dll\0All Files (*.*)\0*.*\0";
227.    ofn.lpstrFile = fileName;
228.    ofn.nMaxFile = MAX_PATH;
229.    ofn.Flags = OFN_EXPLORER | OFN_FILEMUSTEXIST | OFN_HIDEREADONLY;
230.    ofn.lpstrDefExt = L"exe";
231.  
232.    if (GetOpenFileNameW(&ofn))
233.    {
234.        try {
235.            // Clear previous content
236.            SetWindowTextW(g_hEditControl, L"");
237.            g_OutputText.str(L"");
238.            g_OutputText.clear();
239.  
240.            // Analyze the selected PE file
241.            AnalyzePEFile(ofn.lpstrFile);
242.  
243.            // Update the edit control with the analysis results
244.            UpdateEditControl();
245.        }
246.        catch (...) {
247.            MessageBoxW(hwnd, L"An error occurred while analyzing the file.", L"Error", MB_OK | MB_ICONERROR);
248.        }
249.    }
250. }
251.  
252. // Corrected AppendToOutput function
253. void AppendToOutput(const wchar_t* format, ...) {
254.    wchar_t buffer[4096];
255.    va_list args;
256.    va_start(args, format);
257.    StringCchPrintfW(buffer, 4096, format, args);
258.    va_end(args);
259.  
260.    g_OutputText << buffer;
261.  
262.    // Update the edit control immediately
263.    SetWindowTextW(g_hEditControl, g_OutputText.str().c_str());
264.  
265.    // Auto-scroll to the bottom
266.    SendMessage(g_hEditControl, EM_SETSEL, -1, -1);
267.    SendMessage(g_hEditControl, EM_SCROLLCARET, 0, 0);
268. }
269.  
270. // Keep the original GetFileContent function as is, but modify the error reporting
271. HANDLE GetFileContent(const wchar_t* lpFilePath)
272. {
273.    HANDLE hFile = CreateFileW(lpFilePath, GENERIC_READ, 0, nullptr, OPEN_EXISTING, 0, nullptr);
274.    if (hFile == INVALID_HANDLE_VALUE)
275.    {
276.        OUTPUT("[-] Error opening PE file!\n");
277.        return nullptr;
278.    }
279.  
280.    DWORD fileSize = GetFileSize(hFile, nullptr);
281.    if (fileSize == INVALID_FILE_SIZE)
282.    {
283.        OUTPUT("[-] Error getting PE file size!\n");
284.        CloseHandle(hFile);
285.        return nullptr;
286.    }
287.  
288.    LPVOID lpFileContent = HeapAlloc(GetProcessHeap(), 0, fileSize);
289.    if (lpFileContent == nullptr)
290.    {
291.        OUTPUT("[-] Error allocating memory for PE file content!\n");
292.        //HeapFree(GetProcessHeap(), 0, lpFileContent);
293.        CloseHandle(hFile);
294.        return nullptr;
295.    }
296.  
297.    DWORD dwBytesRead;
298.    if (!ReadFile(hFile, lpFileContent, fileSize, &dwBytesRead, nullptr))
299.    {
300.        OUTPUT("[-] Error reading PE file content!\n");
301.        HeapFree(GetProcessHeap(), 0, lpFileContent);
302.        CloseHandle(hFile);
303.        return nullptr;
304.    }
305.  
306.    CloseHandle(hFile);
307.    return lpFileContent;
308. }
309.  
310. // Main PE Analysis function
311. void AnalyzePEFile(const wchar_t* filePathW)
312. {
313.    //WCHAR filePathW[MAX_PATH];
314.    //MultiByteToWideChar(CP_ACP, 0, filePathA, -1, filePathW, MAX_PATH);
315.    OUTPUT("[+] Starting PE Analysis for: %s\n\n", filePathW);
316.    //AppendToOutput(L"[+] Starting PE Analysis for: %ls\n\n", filePathW);
317.  
318.    // Get file content
319.    LPVOID lpFileContent = GetFileContent(filePathW);
320.    if (!lpFileContent)
321.    {
322.        OUTPUT("[-] Failed to read file content!\n");
323.        return;
324.    }
325.  
326.    // Get DOS header
327.    const auto pImageDosHeader = static_cast<PIMAGE_DOS_HEADER>(lpFileContent);
328.    if (pImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
329.    {
330.        OUTPUT("[-] Invalid DOS signature!\n");
331.        HeapFree(GetProcessHeap(), 0, lpFileContent);
332.        return;
333.    }
334.  
335.    // Get NT headers
336.    const auto pImageNtHeaders = reinterpret_cast<PIMAGE_NT_HEADERS>((DWORD_PTR)lpFileContent + pImageDosHeader->e_lfanew);
337.    if (pImageNtHeaders->Signature != IMAGE_NT_SIGNATURE)
338.    {
339.        OUTPUT("[-] Invalid NT signature!\n");
340.        HeapFree(GetProcessHeap(), 0, lpFileContent);
341.        return;
342.    }
343.  
344.    // Display File Header information
345.    OUTPUT("[+] PE FILE HEADER\n");
346.    OUTPUT("\tMachine : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.Machine);
347.    OUTPUT("\tNumberOfSections : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.NumberOfSections);
348.    OUTPUT("\tTimeDateStamp : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.TimeDateStamp);
349.    OUTPUT("\tPointerToSymbolTable : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.PointerToSymbolTable);
350.    OUTPUT("\tNumberOfSymbols : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.NumberOfSymbols);
351.    OUTPUT("\tSizeOfOptionalHeader : 0x%X\n", (uintptr_t)pImageNtHeaders->FileHeader.SizeOfOptionalHeader);
352.    OUTPUT("\tCharacteristics : 0x%X %s\n\n",
353.        (uintptr_t)pImageNtHeaders->FileHeader.Characteristics,
354.        GetImageCharacteristics(pImageNtHeaders->FileHeader.Characteristics));
355.  
356.    // Display Optional Header information
357.    OUTPUT("[+] PE OPTIONAL HEADER\n");
358.    OUTPUT("\tMagic : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.Magic);
359.    OUTPUT("\tAddressOfEntryPoint : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.AddressOfEntryPoint);
360.    OUTPUT("\tImageBase : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.ImageBase);
361.    OUTPUT("\tSectionAlignment : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SectionAlignment);
362.    OUTPUT("\tFileAlignment : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.FileAlignment);
363.    OUTPUT("\tMajorOperatingSystemVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MajorOperatingSystemVersion);
364.    OUTPUT("\tMinorOperatingSystemVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MinorOperatingSystemVersion);
365.    OUTPUT("\tMajorImageVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MajorImageVersion);
366.    OUTPUT("\tMinorImageVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MinorImageVersion);
367.    OUTPUT("\tMajorSubsystemVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MajorSubsystemVersion);
368.    OUTPUT("\tMinorSubsystemVersion : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.MinorSubsystemVersion);
369.    OUTPUT("\tWin32VersionValue : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.Win32VersionValue);
370.    OUTPUT("\tSizeOfImage : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfImage);
371.    OUTPUT("\tSizeOfHeaders : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfHeaders);
372.    OUTPUT("\tCheckSum : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.CheckSum);
373.    OUTPUT("\tSubsystem : 0x%X %s\n",
374.        (uintptr_t)pImageNtHeaders->OptionalHeader.Subsystem,
375.        GetSubsystem(pImageNtHeaders->OptionalHeader.Subsystem));
376.    OUTPUT("\tDllCharacteristics : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.DllCharacteristics);
377.    OUTPUT("\tSizeOfStackReserve : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfStackReserve);
378.    OUTPUT("\tSizeOfStackCommit : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfStackCommit);
379.    OUTPUT("\tSizeOfHeapReserve : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfHeapReserve);
380.    OUTPUT("\tSizeOfHeapCommit : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.SizeOfHeapCommit);
381.    OUTPUT("\tLoaderFlags : 0x%X\n", (uintptr_t)pImageNtHeaders->OptionalHeader.LoaderFlags);
382.    OUTPUT("\tNumberOfRvaAndSizes : 0x%X\n\n", (uintptr_t)pImageNtHeaders->OptionalHeader.NumberOfRvaAndSizes);
383.  
384.    // Get Data Directories
385.    GetDataDirectories(&pImageNtHeaders->OptionalHeader.DataDirectory[0]);
386.  
387.    // Get the import section
388.    const auto pImageSectionHeader = reinterpret_cast<PIMAGE_SECTION_HEADER>(
389.        (DWORD_PTR)pImageNtHeaders + sizeof(IMAGE_NT_HEADERS));
390.  
391.    const auto pImageImportSection = GetSections(
392.        pImageSectionHeader,
393.        pImageNtHeaders->FileHeader.NumberOfSections,
394.        pImageNtHeaders->OptionalHeader.DataDirectory[1].VirtualAddress);
395.  
396.    if (!pImageImportSection)
397.    {
398.        OUTPUT("[-] Error: Could not find import section!\n");
399.        HeapFree(GetProcessHeap(), 0, lpFileContent);
400.        return;
401.    }
402.  
403.    // Get imports based on architecture
404.    const auto pImageImportDescriptor = reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(
405.        (DWORD_PTR)lpFileContent + pImageImportSection->PointerToRawData);
406.  
407.    if (pImageNtHeaders->FileHeader.Machine == IMAGE_FILE_MACHINE_I386)
408.    {
409.        GetImports32(
410.            pImageImportDescriptor,
411.            (DWORD)lpFileContent + pImageImportSection->PointerToRawData,
412.            pImageImportSection);
413.    }
414.    else if (pImageNtHeaders->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)
415.    {
416.        GetImports64(
417.            pImageImportDescriptor,
418.            (DWORD)lpFileContent + pImageImportSection->PointerToRawData,
419.            pImageImportSection);
420.    }
421.    else
422.    {
423.        OUTPUT("[-] Unsupported architecture!\n");
424.    }
425.  
426.    // Cleanup
427.    HeapFree(GetProcessHeap(), 0, lpFileContent);
428.  
429.    // Update the GUI with the analysis results
430.    UpdateEditControl();
431. }
432.  
433. void GetDataDirectories(PIMAGE_DATA_DIRECTORY pImageDataDirectory)
434. {
435.    OUTPUT("[+] PE DATA DIRECTORIES\n");
436.    for (int i = 0; i < IMAGE_NUMBEROF_DIRECTORY_ENTRIES; ++i, ++pImageDataDirectory)
437.    {
438.        if (pImageDataDirectory->VirtualAddress == 0)
439.            continue;
440.  
441.        OUTPUT("\tDataDirectory (%s) VirtualAddress : 0x%X\n",
442.            GetDataDirectoryName(i),
443.            (uintptr_t)pImageDataDirectory->VirtualAddress);
444.        OUTPUT("\tDataDirectory (%s) Size : 0x%X\n\n",
445.            GetDataDirectoryName(i),
446.            (uintptr_t)pImageDataDirectory->Size);
447.    }
448. }
449.  
450. PIMAGE_SECTION_HEADER GetSections(const PIMAGE_SECTION_HEADER pImageSectionHeader,
451.    int NumberOfSections, DWORD dImportAddress)
452. {
453.    PIMAGE_SECTION_HEADER pImageImportHeader = nullptr;
454.  
455.    OUTPUT("\n[+] PE IMAGE SECTIONS\n");
456.  
457.    for (int i = 0; i < NumberOfSections; ++i)
458.    {
459.        const auto pCurrentSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD_PTR)pImageSectionHeader +
460.            i * sizeof(IMAGE_SECTION_HEADER));
461.  
462.        OUTPUT("\n\tSECTION : %s\n", (wchar_t*)pCurrentSectionHeader->Name);
463.        OUTPUT("\t\tMisc (PhysicalAddress) : 0x%X\n",
464.            (uintptr_t)pCurrentSectionHeader->Misc.PhysicalAddress);
465.        OUTPUT("\t\tMisc (VirtualSize) : 0x%X\n",
466.            (uintptr_t)pCurrentSectionHeader->Misc.VirtualSize);
467.        OUTPUT("\t\tVirtualAddress : 0x%X\n",
468.            (uintptr_t)pCurrentSectionHeader->VirtualAddress);
469.        OUTPUT("\t\tSizeOfRawData : 0x%X\n",
470.            (uintptr_t)pCurrentSectionHeader->SizeOfRawData);
471.        OUTPUT("\t\tPointerToRawData : 0x%X\n",
472.            (uintptr_t)pCurrentSectionHeader->PointerToRawData);
473.        OUTPUT("\t\tPointerToRelocations : 0x%X\n",
474.            (uintptr_t)pCurrentSectionHeader->PointerToRelocations);
475.        OUTPUT("\t\tPointerToLinenumbers : 0x%X\n",
476.            (uintptr_t)pCurrentSectionHeader->PointerToLinenumbers);
477.        OUTPUT("\t\tNumberOfRelocations : 0x%X\n",
478.            (uintptr_t)pCurrentSectionHeader->NumberOfRelocations);
479.        OUTPUT("\t\tNumberOfLinenumbers : 0x%X\n",
480.            (uintptr_t)pCurrentSectionHeader->NumberOfLinenumbers);
481.        OUTPUT("\t\tCharacteristics : 0x%X %s\n",
482.            (uintptr_t)pCurrentSectionHeader->Characteristics,
483.            GetSectionProtection(pCurrentSectionHeader->Characteristics));
484.  
485.        if (dImportAddress >= pCurrentSectionHeader->VirtualAddress &&
486.            dImportAddress < pCurrentSectionHeader->VirtualAddress +
487.            pCurrentSectionHeader->Misc.VirtualSize)
488.        {
489.            pImageImportHeader = pCurrentSectionHeader;
490.        }
491.    }
492.  
493.    return pImageImportHeader;
494. }
495. void GetImports32(PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor,
496.    DWORD dRawOffset, const PIMAGE_SECTION_HEADER pImageImportSection)
497. {
498.    OUTPUT("\n[+] IMPORTED DLL\n");
499.  
500.    while (pImageImportDescriptor->Name != 0)
501.    {
502.        OUTPUT("\n\tDLL NAME : %s\n",
503.            (wchar_t*)(dRawOffset + (pImageImportDescriptor->Name - pImageImportSection->VirtualAddress)));
504.        OUTPUT("\tCharacteristics : 0x%X\n",
505.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->Characteristics - pImageImportSection->VirtualAddress)));
506.        OUTPUT("\tOriginalFirstThunk : 0x%X\n",
507.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->OriginalFirstThunk - pImageImportSection->VirtualAddress)));
508.        OUTPUT("\tTimeDateStamp : 0x%X\n",
509.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->TimeDateStamp - pImageImportSection->VirtualAddress)));
510.        OUTPUT("\tForwarderChain : 0x%X\n",
511.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->ForwarderChain - pImageImportSection->VirtualAddress)));
512.        OUTPUT("\tFirstThunk : 0x%X\n",
513.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->FirstThunk - pImageImportSection->VirtualAddress)));
514.  
515.        if (pImageImportDescriptor->OriginalFirstThunk == 0)
516.        {
517.            ++pImageImportDescriptor;
518.            continue;
519.        }
520.  
521.        auto pOriginalFirstThrunk = (PIMAGE_THUNK_DATA32)(dRawOffset +
522.            (pImageImportDescriptor->OriginalFirstThunk - pImageImportSection->VirtualAddress));
523.  
524.        OUTPUT("\n\tImported Functions : \n\n");
525.  
526.        while (pOriginalFirstThrunk->u1.AddressOfData != 0)
527.        {
528.            if (pOriginalFirstThrunk->u1.AddressOfData >= IMAGE_ORDINAL_FLAG32)
529.            {
530.                ++pOriginalFirstThrunk;
531.                continue;
532.            }
533.  
534.            const auto pImageImportByName = (PIMAGE_IMPORT_BY_NAME)(dRawOffset +
535.                (pOriginalFirstThrunk->u1.AddressOfData - pImageImportSection->VirtualAddress));
536.  
537.            if (pImageImportByName == nullptr)
538.            {
539.                ++pOriginalFirstThrunk;
540.                continue;
541.            }
542.  
543.            if (pOriginalFirstThrunk->u1.Ordinal & IMAGE_ORDINAL_FLAG32)
544.            {
545.                OUTPUT("\t\t0x%X (Ordinal) : %s\n",
546.                    (uintptr_t)pOriginalFirstThrunk->u1.AddressOfData,
547.                    (wchar_t*)((DWORD_PTR)dRawOffset + (pImageImportByName->Name - pImageImportSection->VirtualAddress)));
548.            }
549.            else
550.            {
551.                OUTPUT("\t\t%s\n",
552.                    (wchar_t*)((DWORD_PTR)dRawOffset + (pImageImportByName->Name - pImageImportSection->VirtualAddress)));
553.            }
554.  
555.            ++pOriginalFirstThrunk;
556.        }
557.  
558.        ++pImageImportDescriptor;
559.    }
560. }
561.  
562. void GetImports64(PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor,
563.    DWORD dRawOffset, const PIMAGE_SECTION_HEADER pImageImportSection)
564. {
565.    OUTPUT("\n[+] IMPORTED DLL\n");
566.  
567.    while (pImageImportDescriptor->Name != 0)
568.    {
569.        OUTPUT("\n\tDLL NAME : %s\n",
570.            (wchar_t*)(dRawOffset + (pImageImportDescriptor->Name - pImageImportSection->VirtualAddress)));
571.        OUTPUT("\tCharacteristics : 0x%X\n",
572.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->Characteristics - pImageImportSection->VirtualAddress)));
573.        OUTPUT("\tOriginalFirstThunk : 0x%X\n",
574.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->OriginalFirstThunk - pImageImportSection->VirtualAddress)));
575.        OUTPUT("\tTimeDateStamp : 0x%X\n",
576.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->TimeDateStamp - pImageImportSection->VirtualAddress)));
577.        OUTPUT("\tForwarderChain : 0x%X\n",
578.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->ForwarderChain - pImageImportSection->VirtualAddress)));
579.        OUTPUT("\tFirstThunk : 0x%X\n",
580.            (uintptr_t)(dRawOffset + (pImageImportDescriptor->FirstThunk - pImageImportSection->VirtualAddress)));
581.  
582.        if (pImageImportDescriptor->OriginalFirstThunk == 0)
583.        {
584.            ++pImageImportDescriptor;
585.            continue;
586.        }
587.  
588.        auto pOriginalFirstThrunk = (PIMAGE_THUNK_DATA64)(dRawOffset +
589.            (pImageImportDescriptor->OriginalFirstThunk - pImageImportSection->VirtualAddress));
590.  
591.        OUTPUT("\n\tImported Functions : \n\n");
592.  
593.        while (pOriginalFirstThrunk->u1.AddressOfData != 0)
594.        {
595.            if (pOriginalFirstThrunk->u1.AddressOfData >= IMAGE_ORDINAL_FLAG64)
596.            {
597.                ++pOriginalFirstThrunk;
598.                continue;
599.            }
600.  
601.            const auto pImageImportByName = (PIMAGE_IMPORT_BY_NAME)((DWORD_PTR)dRawOffset +
602.                (pOriginalFirstThrunk->u1.AddressOfData - pImageImportSection->VirtualAddress));
603.  
604.            if (pImageImportByName == nullptr)
605.            {
606.                ++pOriginalFirstThrunk;
607.                continue;
608.            }
609.  
610.            if (pOriginalFirstThrunk->u1.Ordinal & IMAGE_ORDINAL_FLAG64)
611.            {
612.                OUTPUT("\t\t0x%llX (Ordinal) : %s\n",
613.                    pOriginalFirstThrunk->u1.AddressOfData,
614.                    (wchar_t*)((DWORD_PTR)dRawOffset + (pImageImportByName->Name - pImageImportSection->VirtualAddress)));
615.            }
616.            else
617.            {
618.                OUTPUT("\t\t%s\n",
619.                    (wchar_t*)((DWORD_PTR)dRawOffset + (pImageImportByName->Name - pImageImportSection->VirtualAddress)));
620.            }
621.  
622.            ++pOriginalFirstThrunk;
623.        }
624.  
625.        ++pImageImportDescriptor;
626.    }
627. }
628.  
629. // Add this at the end of the analysis to ensure proper display
630. void UpdateEditControl() {
631.    SetWindowTextW(g_hEditControl, g_OutputText.str().c_str());
632.    SendMessage(g_hEditControl, EM_SETSEL, -1, -1);
633.    SendMessage(g_hEditControl, EM_SCROLLCARET, 0, 0);
634. }
635.  
636. ==++ Here's the full code for (file 2/2) "helpers.h"::++==
637. #pragma once
638. #include <Windows.h>
639. #include <strsafe.h>
640.  
641. // Helper function declarations
642. const wchar_t* GetImageCharacteristics(DWORD dCharacteristics);
643. const wchar_t* GetSubsystem(WORD Subsystem);
644. const wchar_t* GetDataDirectoryName(int DirectoryNumber);
645. const wchar_t* GetSectionProtection(DWORD dCharacteristics);
646.  
647. // Helper function implementations
648. const wchar_t* GetImageCharacteristics(DWORD dCharacteristics)
649. {
650.     if (dCharacteristics & IMAGE_FILE_DLL)
651.         return L"(DLL)";
652.     if (dCharacteristics & IMAGE_FILE_SYSTEM)
653.         return L"(DRIVER)";
654.     if (dCharacteristics & IMAGE_FILE_EXECUTABLE_IMAGE)
655.         return L"(EXE)";
656.     return L"(UNKNOWN)";
657. }
658.  
659. const wchar_t* GetSubsystem(WORD Subsystem)
660. {
661.     if (Subsystem == 1)
662.         return L"(NATIVE / DRIVER)";
663.     if (Subsystem == 2)
664.         return L"(GUI APP)";
665.     if (Subsystem == 3)
666.         return L"(CONSOLE APP)";
667.     return L"(UNKNOWN)";
668. }
669.  
670. const wchar_t* GetDataDirectoryName(int DirectoryNumber)
671. {
672.     switch (DirectoryNumber)
673.     {
674.     case 0: return L"Export Table";
675.     case 1: return L"Import Table";
676.     case 2: return L"Resource Table";
677.     case 3: return L"Exception Entry";
678.     case 4: return L"Security Entry";
679.     case 5: return L"Relocation Table";
680.     case 6: return L"Debug Entry";
681.     case 7: return L"Copyright Entry";
682.     case 8: return L"Global PTR Entry";
683.     case 9: return L"TLS Entry";
684.     case 10: return L"Configuration Entry";
685.     case 11: return L"Bound Import Entry";
686.     case 12: return L"IAT";
687.     case 13: return L"Delay Import Descriptor";
688.     case 14: return L"COM Descriptor";
689.     default: return nullptr;
690.     }
691. }
692.  
693. const wchar_t* GetSectionProtection(DWORD dCharacteristics)
694. {
695.     static wchar_t lpSectionProtection[1024] = {};
696.     StringCchCatW(lpSectionProtection, 1024, L"(");
697.     bool bExecute = false, bRead = false;
698.  
699.     if (dCharacteristics & IMAGE_SCN_MEM_EXECUTE)
700.     {
701.         bExecute = true;
702.         StringCchCatW(lpSectionProtection, 1024, L"EXECUTE");
703.     }
704.  
705.     if (dCharacteristics & IMAGE_SCN_MEM_READ)
706.     {
707.         bRead = true;
708.         if (bExecute)
709.             StringCchCatW(lpSectionProtection, 1024, L" | ");
710.         StringCchCatW(lpSectionProtection, 1024, L"READ");
711.     }
712.  
713.     if (dCharacteristics & IMAGE_SCN_MEM_WRITE)
714.     {
715.         if (bExecute || bRead)
716.             StringCchCatW(lpSectionProtection, 1024, L" | ");
717.         StringCchCatW(lpSectionProtection, 1024, L"WRITE");
718.     }
719.  
720.     StringCchCatW(lpSectionProtection, 1024, L")");
721.     return lpSectionProtection;
722. }
723.  
724. ==++ Here's the full code for (file 3/2) "helpers.h" (Original Working Backup Version Possible Fallback)::++==
725. /*
726. //#pragma once
727. #pragma once
728. #include <Windows.h>
729.  
730. // Helper function declarations
731. const char* GetImageCharacteristics(DWORD dCharacteristics);
732. const char* GetSubsytem(WORD Subsystem);
733. const char* GetDataDirectoryName(int DirectoryNumber);
734. const char* GetSectionProtection(DWORD dCharacteristics);
735.  
736. // Helper function implementations
737. const char* GetImageCharacteristics(DWORD dCharacteristics)
738. {
739.    if (dCharacteristics & IMAGE_FILE_DLL)
740.        return "(DLL)";
741.    if (dCharacteristics & IMAGE_FILE_SYSTEM)
742.        return "(DRIVER)";
743.    if (dCharacteristics & IMAGE_FILE_EXECUTABLE_IMAGE)
744.        return "(EXE)";
745.    return "(UNKNOWN)";
746. }
747.  
748. const char* GetSubsytem(WORD Subsystem)
749. {
750.    if (Subsystem == 1)
751.        return "(NATIVE / DRIVER)";
752.    if (Subsystem == 2)
753.        return "(GUI APP)";
754.    if (Subsystem == 3)
755.        return "(CONSOLE APP)";
756.    return "(UNKNOWN)";
757. }
758.  
759. const char* GetDataDirectoryName(int DirectoryNumber)
760. {
761.    switch (DirectoryNumber)
762.    {
763.    case 0: return "Export Table";
764.    case 1: return "Import Table";
765.    case 2: return "Ressource Table";
766.    case 3: return "Exception Entry";
767.    case 4: return "Security Entry";
768.    case 5: return "Relocation Table";
769.    case 6: return "Debug Entry";
770.    case 7: return "Copyright Entry";
771.    case 8: return "Global PTR Entry";
772.    case 9: return "TLS Entry";
773.    case 10: return "Configuration Entry";
774.    case 11: return "Bound Import Entry";
775.    case 12: return "IAT";
776.    case 13: return "Delay Import Descriptor";
777.    case 14: return "COM Descriptor";
778.    default: return nullptr;
779.    }
780. }
781.  
782. const char* GetSectionProtection(DWORD dCharacteristics)
783. {
784.    static char lpSectionProtection[1024] = {};
785.    StringCchCatA(lpSectionProtection, 1024, "(");
786.    bool bExecute = false, bRead = false;
787.  
788.    if (dCharacteristics & IMAGE_SCN_MEM_EXECUTE)
789.    {
790.        bExecute = true;
791.        StringCchCatA(lpSectionProtection, 1024, "EXECUTE");
792.    }
793.  
794.    if (dCharacteristics & IMAGE_SCN_MEM_READ)
795.    {
796.        bRead = true;
797.        if (bExecute)
798.            StringCchCatA(lpSectionProtection, 1024, " | ");
799.        StringCchCatA(lpSectionProtection, 1024, "READ");
800.    }
801.  
802.    if (dCharacteristics & IMAGE_SCN_MEM_WRITE)
803.    {
804.        if (bExecute || bRead)
805.            StringCchCatA(lpSectionProtection, 1024, " | ");
806.        StringCchCatA(lpSectionProtection, 1024, "WRITE");
807.    }
808.  
809.    StringCchCatA(lpSectionProtection, 1024, ")");
810.    return lpSectionProtection;
811. }
812. */