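LSE;
    }
    // Close the file.
    CloseHandle(hFile);
    // Print the OEP address.
    printf("OEP by file:%d\n",dwOEP);
    return TRUE;
}

// Read the OEP (AddressOfEntryPoint) of a PE file through a read-only
// file mapping.
//
// szFileName: path of the file to inspect.
// Returns TRUE and prints the entry-point value when the DOS and PE headers
// are present and lie inside the file. Returns FALSE, after printing the
// reason, when the file cannot be opened, sized or mapped, or when its
// headers are malformed.
//
// The file is untrusted input: e_lfanew is read straight from it, so it is
// range-checked against the real file size before it is used as an offset.
// Without that check a truncated or crafted file makes the header pointer
// land outside the mapped view.
BOOL ReadOEPbyMemory(LPCSTR szFileName)
{
    HANDLE hFile = INVALID_HANDLE_VALUE;
    HANDLE hMapping = NULL;
    void *basepointer = NULL;
    LARGE_INTEGER fileSize;
    const IMAGE_DOS_HEADER *dos_head;
    const IMAGE_NT_HEADERS *nt_head;
    ULONGLONG mappedSize;
    ULONGLONG ntOffset;
    ULONGLONG needed;
    DWORD dwOEP = 0;
    BOOL ok = FALSE;

    // Open the file read-only. The A variant matches the LPCSTR parameter
    // even when the project is built with UNICODE defined.
    hFile = CreateFileA(szFileName, GENERIC_READ, FILE_SHARE_READ, 0,
                        OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, 0);
    if (hFile == INVALID_HANDLE_VALUE) {
        printf("can't open file.\n");
        goto cleanup;
    }

    // The size is the upper bound for every offset taken from the headers.
    if (!GetFileSizeEx(hFile, &fileSize)) {
        printf("can't get file size.\n");
        goto cleanup;
    }
    mappedSize = (ULONGLONG)fileSize.QuadPart;

    // Create the file mapping.
    hMapping = CreateFileMapping(hFile, 0, PAGE_READONLY | SEC_COMMIT, 0, 0, 0);
    if (!hMapping) {
        printf("mapping failed\n");
        goto cleanup;
    }

    // Map the whole file; basepointer is the start of the DOS header.
    basepointer = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);
    if (!basepointer) {
        printf("view failed.\n");
        goto cleanup;
    }

    // The DOS header must fit in the file and carry the "MZ" magic.
    if (mappedSize < sizeof(IMAGE_DOS_HEADER)) {
        printf("not a valid PE file.\n");
        goto cleanup;
    }
    dos_head = (const IMAGE_DOS_HEADER *)basepointer;
    if (dos_head->e_magic != IMAGE_DOS_SIGNATURE || dos_head->e_lfanew <= 0) {
        printf("not a valid PE file.\n");
        goto cleanup;
    }

    // Only the bytes up to and including AddressOfEntryPoint are read, so
    // that is all that has to fit. The field sits at the same offset in the
    // 32-bit and 64-bit optional header.
    ntOffset = (ULONGLONG)dos_head->e_lfanew;
    needed = (ULONGLONG)FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader)
           + (ULONGLONG)FIELD_OFFSET(IMAGE_OPTIONAL_HEADER, AddressOfEntryPoint)
           + sizeof(DWORD);
    if (mappedSize < needed || ntOffset > mappedSize - needed) {
        printf("not a valid PE file.\n");
        goto cleanup;
    }

    // Locate the PE header and confirm the "PE\0\0" signature.
    nt_head = (const IMAGE_NT_HEADERS *)((const char *)basepointer + (SIZE_T)ntOffset);
    if (nt_head->Signature != IMAGE_NT_SIGNATURE) {
        printf("not a valid PE file.\n");
        goto cleanup;
    }

    // Read the OEP.
    dwOEP = nt_head->OptionalHeader.AddressOfEntryPoint;
    ok = TRUE;

cleanup:
    // Release the view, the mapping and the file in reverse order of
    // acquisition; each is released only if it was obtained.
    if (basepointer) {
        UnmapViewOfFile(basepointer);
    }
    if (hMapping) {
        CloseHandle(hMapping);
    }
    if (hFile != INVALID_HANDLE_VALUE) {
        CloseHandle(hFile);
    }

    // Print the OEP. DWORD is unsigned long, so it is printed with %lu.
    if (ok) {
        printf("OEP by memory:%lu\n", (unsigned long)dwOEP);
    }
    return ok;
}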
弹出对话框汇编代码如下 [cpp]
;msgbx.asm file.
; Shows a message box by calling MessageBoxA (stdcall, arguments pushed
; right to left: uType, lpCaption, lpText, hWnd).
; The two strings are stored inline in the code section. Each "call" placed
; directly before a string pushes the address of that string as its return
; address, and that pushed value then serves as the pointer argument.
.386p
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
.code
start:
    push MB_ICONINFORMATION or MB_OK    ; uType: information icon, OK button
    call Func1                          ; pushes the address of "Test" (lpCaption)
    db "Test",0
Func1:
    call Func2                          ; pushes the address of "Hello" (lpText)
    db "Hello",0
Func2:
    push NULL                           ; hWnd: no owner window
    call MessageBoxA
    ; NOTE(review): the ret below is commented out on the page, so nothing
    ; ends the routine after MessageBoxA returns.
    ; ret
end start
摘自 yincheng01