  1. #1
    Join Date
    Aug 2008
    Posts
    23

    Reading PE-structure.

    I'm going freaking insane over this code. Why in the world won't it return the correct data?
    Code:
    #include <windows.h>
    #include <iostream>
    
    using namespace std;
    
    int main()
    {
    	// Open read-only; OPEN_EXISTING so a missing file fails instead of being created empty.
    	HANDLE hFile = CreateFile(L"C:\\offer.exe",GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,0,NULL);
    	cout << "File handle: " << hFile << endl; 
    	if (hFile==INVALID_HANDLE_VALUE)
    	{
    		cout << "CreateFile failed: " << GetLastError() << endl;
    		return 1;
    	}
    	
    	DWORD fsize=GetFileSize(hFile,NULL);
    	DWORD buffersize=fsize;//+0x2000;
    	BYTE *buffer = new BYTE[buffersize];
    
    	DWORD read=0;
    	if (!ReadFile(hFile,buffer,fsize,&read,NULL) || read!=fsize)
    	{
    		cout << "ReadFile failed: " << GetLastError() << endl;
    		delete []buffer;
    		CloseHandle(hFile);
    		return 1;
    	}
    
    	// Get the IMAGE_DOS_HEADER, this works ok..
    	IMAGE_DOS_HEADER *idh = (IMAGE_DOS_HEADER*)buffer;
    	cout << "DOS signature: " << idh->e_magic << endl;
    	if (idh->e_magic!=IMAGE_DOS_SIGNATURE)
    		cout << "DOS signature mismatch!" << endl;
    	
    	// This screws up for some reason
    	// (the cast binds tighter than +, so e_lfanew is scaled by sizeof(IMAGE_NT_HEADERS))
    	IMAGE_NT_HEADERS *inh = (IMAGE_NT_HEADERS*)idh+idh->e_lfanew;
    	cout << "NT signature: " << inh->Signature << endl;
    	if (inh->Signature!=IMAGE_NT_SIGNATURE)
    		cout << "NT signature mismatch!" << endl;
    
    	delete []buffer;
    	CloseHandle(hFile);
    	return 0;
    }
    I just cannot see where I'm going wrong; I'm beginning to suspect Microsoft of providing me with the wrong structures.

  2. #2
    Join Date
    Apr 2003
    Posts
    1,755

    Re: Reading PE-structure.

    e_lfanew is the byte offset from the beginning of the data. You're trying to add it to a pointer of type IMAGE_DOS_HEADER, which will treat it as an array of IMAGE_DOS_HEADER. It should be
    Code:
    IMAGE_NT_HEADERS *inh = (IMAGE_NT_HEADERS*)buffer + idh->e_lfanew;

  3. #3
    Lindley
    Join Date
    Oct 2007
    Location
    Seattle, WA
    Posts
    10,895

    Re: Reading PE-structure.

    Just a guess, but this:
    Code:
    	IMAGE_NT_HEADERS *inh = (IMAGE_NT_HEADERS*)idh+idh->e_lfanew;
    could be your problem. If an IMAGE_NT_HEADERS isn't the same size as an IMAGE_DOS_HEADER, then the pointer arithmetic you're attempting might not be doing what you think. You'd better use parens to make it clearer whether you want to increment idh by idh->e_lfanew*sizeof(IMAGE_DOS_HEADER), idh->e_lfanew*sizeof(IMAGE_NT_HEADERS), or idh->e_lfanew*sizeof(char).

  4. #4
    Join Date
    Aug 2008
    Posts
    23

    Re: Reading PE-structure.

    Thanks for the suggestion, but nothing seems to work.
    I always end up with the same wrong signature.

    The annoying thing is that I have done this before, or rather I have done it, but without the file reading. I got the address of a loaded module with GetModuleHandle and used the exact same logic, and it worked like a charm.

    Annoying.

  5. #5
    Join Date
    Aug 2008
    Posts
    23

    Re: Reading PE-structure.

    Okay, I managed it; as you guys said, it was my pointer arithmetic that was wrong. For future reference, this is how it should have been done:
    Code:
    IMAGE_NT_HEADERS *inh = (IMAGE_NT_HEADERS*)((buffer)+(idh->e_lfanew));
    Thanks again.

  6. #6
    Join Date
    Apr 2003
    Posts
    1,755

    Re: Reading PE-structure.

    Yes, my mistake. It should not be typecast to IMAGE_NT_HEADERS before adding the offset. It could also be done this way:
    Code:
    IMAGE_NT_HEADERS *inh = (IMAGE_NT_HEADERS*)&buffer[idh->e_lfanew];
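The fix reached in this thread, as an added worked example that is not code from any of the posts above: a bounds-checked reader for the DOS header, NT signature, file header and section table of a PE image held in a byte buffer. It declares the header offsets by hand (matching the Win32 IMAGE_DOS_HEADER / IMAGE_FILE_HEADER / IMAGE_SECTION_HEADER layout) so it builds without <windows.h> on any platform, and the PE image it parses is constructed inline rather than read from C:\offer.exe; the names pe::parse, sample_image and sample_bad_lfanew are this example's own. Besides adding e_lfanew to the byte pointer rather than to a struct pointer, it treats e_lfanew, SizeOfOptionalHeader and NumberOfSections as untrusted input and checks each against the buffer size before dereferencing, which the code in the thread never does: a file whose e_lfanew points past the end of the buffer makes `buffer + idh->e_lfanew` an out-of-bounds read even once the arithmetic is right.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

namespace pe {
constexpr uint16_t kDosSignature   = 0x5A4D;     // "MZ"
constexpr uint32_t kNtSignature    = 0x00004550; // "PE\0\0"
constexpr size_t   kDosHeaderSize  = 64;   // sizeof(IMAGE_DOS_HEADER)
constexpr size_t   kLfanewOffset   = 0x3C; // offsetof(IMAGE_DOS_HEADER, e_lfanew)
constexpr size_t   kFileHeaderSize = 20;   // sizeof(IMAGE_FILE_HEADER)
constexpr size_t   kSectionHdrSize = 40;   // sizeof(IMAGE_SECTION_HEADER)

struct Section { std::string name; uint32_t virtual_address, raw_size, raw_offset; };
struct Info { uint32_t e_lfanew = 0; uint16_t machine = 0, opt_magic = 0; std::vector<Section> sections; };

static uint16_t rd16(const uint8_t* p) { return uint16_t(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t* p) { return rd16(p) | (uint32_t(rd16(p + 2)) << 16); }

// [off, off+len) lies inside `size` bytes, with no overflow: off and len come from the file.
static bool in_bounds(size_t size, uint64_t off, uint64_t len) { return off <= size && len <= size - off; }

// Every offset read from the file is checked before it is dereferenced. e_lfanew is a
// byte offset, so it is added to the uint8_t* base, never to a struct pointer (which scales it).
bool parse(const std::vector<uint8_t>& buf, Info& out, std::string& err) {
    const uint8_t* b = buf.data();
    const size_t n = buf.size();
    if (!in_bounds(n, 0, kDosHeaderSize)) { err = "file shorter than IMAGE_DOS_HEADER"; return false; }
    if (rd16(b) != kDosSignature)         { err = "DOS signature mismatch"; return false; }
    const uint32_t lfanew = rd32(b + kLfanewOffset);
    if (!in_bounds(n, lfanew, 4 + kFileHeaderSize)) { err = "e_lfanew points outside the file"; return false; }
    if (rd32(b + lfanew) != kNtSignature) { err = "NT signature mismatch"; return false; }
    const uint8_t* fh = b + lfanew + 4;           // IMAGE_FILE_HEADER follows the 4-byte signature
    const uint16_t nsections = rd16(fh + 2);      // NumberOfSections
    const uint16_t opt_size  = rd16(fh + 16);     // SizeOfOptionalHeader
    const uint64_t opt_off = uint64_t(lfanew) + 4 + kFileHeaderSize;
    if (opt_size < 2 || !in_bounds(n, opt_off, opt_size)) { err = "optional header truncated"; return false; }
    const uint64_t sec_off = opt_off + opt_size;  // section table starts right after the optional header
    if (!in_bounds(n, sec_off, uint64_t(nsections) * kSectionHdrSize)) { err = "section table truncated"; return false; }
    out = Info{}; out.e_lfanew = lfanew; out.machine = rd16(fh); out.opt_magic = rd16(b + opt_off);
    for (uint16_t i = 0; i < nsections; ++i) {
        const uint8_t* s = b + sec_off + size_t(i) * kSectionHdrSize;
        size_t len = 0;
        while (len < 8 && s[len] != 0) ++len;     // Name[8] is not NUL-terminated when all 8 bytes are used
        out.sections.push_back(Section{ std::string(reinterpret_cast<const char*>(s), len),
                                        rd32(s + 12), rd32(s + 16), rd32(s + 20) });
    }
    return true;
}
} // namespace pe

static void wr16(uint8_t* p, uint16_t v) { p[0] = uint8_t(v); p[1] = uint8_t(v >> 8); }
static void wr32(uint8_t* p, uint32_t v) { wr16(p, uint16_t(v)); wr16(p + 2, uint16_t(v >> 16)); }

// Constructed sample: a minimal PE32+ image with two sections. Only the fields this
// parser reads are populated; it is not a loadable executable.
std::vector<uint8_t> sample_image() {
    const uint32_t lfanew = 0x80; const uint16_t opt_size = 0xF0;   // 0xF0 = PE32+ optional header
    std::vector<uint8_t> img(0x200, 0);
    img[0] = 'M'; img[1] = 'Z';
    wr32(&img[pe::kLfanewOffset], lfanew);
    wr32(&img[lfanew], pe::kNtSignature);
    uint8_t* fh = &img[lfanew + 4];
    wr16(fh, 0x8664);                             // IMAGE_FILE_MACHINE_AMD64
    wr16(fh + 2, 2);                              // NumberOfSections
    wr16(fh + 16, opt_size);                      // SizeOfOptionalHeader
    uint8_t* opt = fh + pe::kFileHeaderSize;
    wr16(opt, 0x20B);                             // IMAGE_NT_OPTIONAL_HDR64_MAGIC
    const char* names[2] = { ".text", ".data" };
    for (int i = 0; i < 2; ++i) {
        uint8_t* s = opt + opt_size + i * pe::kSectionHdrSize;
        std::memcpy(s, names[i], std::strlen(names[i]));
        wr32(s + 12, 0x1000 * (i + 1));           // VirtualAddress
        wr32(s + 16, 0x200);                      // SizeOfRawData
        wr32(s + 20, 0x400 * (i + 1));            // PointerToRawData
    }
    return img;
}

// The same image with e_lfanew pointing far past the buffer: the input that makes an
// unchecked `buffer + e_lfanew` read out of bounds.
std::vector<uint8_t> sample_bad_lfanew() {
    std::vector<uint8_t> img = sample_image();
    wr32(&img[pe::kLfanewOffset], 0xFFFFFFF0u);
    return img;
}

int main() {
    pe::Info info; std::string err;
    for (const auto& img : { sample_image(), sample_bad_lfanew() }) {
        if (!pe::parse(img, info, err)) { std::printf("rejected: %s\n", err.c_str()); continue; }
        std::printf("e_lfanew=0x%X machine=0x%X magic=0x%X sections=%zu\n", info.e_lfanew,
                    unsigned(info.machine), unsigned(info.opt_magic), info.sections.size());
        for (const auto& s : info.sections)
            std::printf("  %-8s VA=0x%X raw=0x%X @ 0x%X\n", s.name.c_str(), s.virtual_address, s.raw_size, s.raw_offset);
    }
    return 0;
}
```

When this is pointed at a real file, read the whole file into a std::vector<uint8_t> and pass it to pe::parse; the same checks apply unchanged, and a file that fails any of them is reported rather than dereferenced. The in_bounds helper takes 64-bit offsets and lengths so that a large e_lfanew or NumberOfSections cannot wrap the arithmetic before the comparison.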
