April 20th, 2009, 02:45 PM
#1
Reading PE-structure.
I'm going freaking insane over this code. Why in the world won't it return the correct data?
Code:
#include <windows.h>
#include <iostream>
using namespace std;

int main()
{
    // Note: OPEN_ALWAYS together with GENERIC_WRITE creates the file if it does not exist
    HANDLE hFile = CreateFile(L"C:\\offer.exe", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, 0, NULL);
    cout << "File handle: " << hFile << endl;
    if (hFile == INVALID_HANDLE_VALUE)
        return 1;

    // Read the whole file into a byte buffer
    DWORD fsize = GetFileSize(hFile, NULL);
    DWORD buffersize = fsize; //+0x2000;
    BYTE *buffer = new BYTE[buffersize];
    DWORD read;
    ReadFile(hFile, buffer, fsize, &read, NULL);

    // Get the IMAGE_DOS_HEADER, this works ok..
    IMAGE_DOS_HEADER *idh = (IMAGE_DOS_HEADER*)buffer;
    cout << "DOS signature: " << idh->e_magic << endl;
    if (idh->e_magic != IMAGE_DOS_SIGNATURE)
        cout << "DOS signature mismatch!" << endl;

    // This screws up for some reason
    IMAGE_NT_HEADERS *inh = (IMAGE_NT_HEADERS*)idh + idh->e_lfanew;
    cout << "NT signature: " << inh->Signature << endl;
    if (inh->Signature != IMAGE_NT_SIGNATURE)
        cout << "NT signature mismatch!" << endl;

    delete[] buffer;
    CloseHandle(hFile);
}
I just cannot see where I'm going wrong; I'm beginning to suspect Microsoft of providing me with the wrong structures.
-
April 20th, 2009, 03:14 PM
#2
Re: Reading PE-structure.
e_lfanew is the byte offset from the beginning of the data. You're trying to add it to the pointer type IMAGE_DOS_HEADER, which will treat it as an array of IMAGE_DOS_HEADER. It should be
Code:
IMAGE_NT_HEADERS *inh = (IMAGE_NT_HEADERS*)buffer + idh->e_lfanew;
-
April 20th, 2009, 03:16 PM
#3
Re: Reading PE-structure.
Just a guess, but this:
Code:
IMAGE_NT_HEADERS *inh = (IMAGE_NT_HEADERS*)idh+idh->e_lfanew;
could be your problem. If an IMAGE_NT_HEADERS isn't the same size as an IMAGE_DOS_HEADER, then the pointer arithmetic you're attempting might not be doing what you think. You'd better use parens to make it clearer whether you want to increment idh by idh->e_lfanew*sizeof(IMAGE_DOS_HEADER), idh->e_lfanew*sizeof(IMAGE_NT_HEADERS), or idh->e_lfanew*sizeof(char).
-
April 20th, 2009, 03:24 PM
#4
Re: Reading PE-structure.
Thanks for the suggestion, but nothing seems to work.
I always end up with the same wrong signature.
The annoying thing is that I have done this before, or rather I have done it, but without the file reading. I got the address of a loaded module with GetModuleHandle and used the exact same logic, and it worked like a charm.
Annoying.
-
April 20th, 2009, 04:08 PM
#5
Re: Reading PE-structure.
Okay, I managed it; as you guys said, it was my pointer arithmetic that was wrong. For future reference, this is how it should have been done:
Code:
IMAGE_NT_HEADERS *inh = (IMAGE_NT_HEADERS*)((buffer)+(idh->e_lfanew));
Thanks again.
-
April 20th, 2009, 04:15 PM
#6
Re: Reading PE-structure.
Yes, my mistake. It should not be typecast to IMAGE_NT_HEADERS before adding the offset. It could also be done this way:
Code:
IMAGE_NT_HEADERS *inh = (IMAGE_NT_HEADERS*)&buffer[idh->e_lfanew];
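A bounds-checked version of the lookup the thread converges on, added here as an example (not code from any of the posters). It uses minimal stand-in definitions of the two structs instead of windows.h so it builds without the Windows SDK, a constructed sample image as input, and rejects an e_lfanew that points outside the buffer, which matters when the file being parsed is untrusted; buggy_offset_bytes shows how far the thread's original expression really moves the pointer.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstring>
#include <vector>

// Stand-ins for the windows.h definitions (constructed for this example);
// sizes and the offsets of the members used here match the real headers.
constexpr uint16_t IMAGE_DOS_SIGNATURE = 0x5A4D;     // "MZ"
constexpr uint32_t IMAGE_NT_SIGNATURE  = 0x00004550; // "PE\0\0"

#pragma pack(push, 1)
struct IMAGE_DOS_HEADER {
    uint16_t e_magic;
    uint8_t  reserved[58];   // fields between e_magic and e_lfanew
    int32_t  e_lfanew;       // byte offset of the NT headers (at offset 60)
};
struct IMAGE_NT_HEADERS {    // 32-bit layout: 4 + 20 + 224 = 248 bytes
    uint32_t Signature;
    uint8_t  rest[244];
};
#pragma pack(pop)

// Locate the NT headers in a file image held in memory. Returns nullptr if
// the buffer is truncated or e_lfanew points outside it.
const IMAGE_NT_HEADERS* find_nt_headers(const uint8_t* buf, size_t len) {
    if (len < sizeof(IMAGE_DOS_HEADER)) return nullptr;
    IMAGE_DOS_HEADER dos;
    std::memcpy(&dos, buf, sizeof dos);          // no unaligned access
    if (dos.e_magic != IMAGE_DOS_SIGNATURE) return nullptr;
    if (dos.e_lfanew < 0) return nullptr;
    size_t off = static_cast<size_t>(dos.e_lfanew);
    // e_lfanew is a BYTE offset: advance the byte pointer first, then cast.
    if (off > len || len - off < sizeof(IMAGE_NT_HEADERS)) return nullptr;
    return reinterpret_cast<const IMAGE_NT_HEADERS*>(buf + off);
}

// Byte distance the thread's buggy expression (IMAGE_NT_HEADERS*)buffer + e_lfanew
// actually adds: the cast binds first, so the offset is scaled by the struct size.
size_t buggy_offset_bytes(int32_t e_lfanew) {
    return static_cast<size_t>(e_lfanew) * sizeof(IMAGE_NT_HEADERS);
}

// Constructed sample image: "MZ", e_lfanew = 0x80, "PE\0\0" at offset 0x80.
std::vector<uint8_t> sample_image() {
    std::vector<uint8_t> img(0x80 + sizeof(IMAGE_NT_HEADERS), 0);
    img[0] = 'M'; img[1] = 'Z';
    int32_t lfanew = 0x80;
    std::memcpy(&img[60], &lfanew, sizeof lfanew);
    img[0x80] = 'P'; img[0x81] = 'E';
    return img;
}
```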