Reading PE-structure.

Printable View

April 20th, 2009, 02:45 PM
monoceres

Reading PE-structure.

I'm going freaking insane over this code. Why in the world won't it return the correct data?

Code:

#include <windows.h> #include <iostream> using namespace std; int main() { HANDLE hFile = CreateFile(L"C:\\offer.exe",GENERIC_READ|GENERIC_WRITE,0,NULL,OPEN_ALWAYS,0,NULL); cout << "File handle: " << hFile << endl; DWORD fsize=GetFileSize(hFile,NULL); DWORD buffersize=fsize;//+0x2000; BYTE *buffer = new BYTE[buffersize]; DWORD read; ReadFile(hFile,buffer,fsize,&read,NULL); // Get the IMAGE_DOS_HEADER, this works ok.. IMAGE_DOS_HEADER *idh = (IMAGE_DOS_HEADER*)buffer; cout << "DOS signature: " << idh->e_magic << endl; if (idh->e_magic!=IMAGE_DOS_SIGNATURE) cout << "DOS signature mismatch!" << endl; // This screws up for some reason IMAGE_NT_HEADERS *inh = (IMAGE_NT_HEADERS*)idh+idh->e_lfanew; cout << "NT signature: " << inh->Signature << endl; if (inh->Signature!=IMAGE_NT_SIGNATURE) cout << "NT signature mismatch!" << endl; delete []buffer; CloseHandle(hFile); }

I just cannot see where I'm going wrong, beginning to suspect microsoft for provoding me with the wrong structures.
April 20th, 2009, 03:14 PM
rxbagain

Re: Reading PE-structure.

e_lfanew is the byte offset from the beginning of the data. You're trying to add it to the pointer type IMAGE_DOS_HEADER which will treat it as array of IMAGE_DOS_HEADER. It should be

Code:

IMAGE_NT_HEADERS *inh = (IMAGE_NT_HEADERS*)buffer + idh->e_lfanew;
April 20th, 2009, 03:16 PM
Lindley

Re: Reading PE-structure.

Just a guess, but this:

Code:

IMAGE_NT_HEADERS *inh = (IMAGE_NT_HEADERS*)idh+idh->e_lfanew;

could be your problem. If an IMAGE_NT_HEADERS isn't the same size as an IMAGE_DOS_HEADER, then the pointer arithmetic you're attempting might not be doing what you think. You'd better use parens to make it clearer whether you want to increment idh by idh->e_lfanew*sizeof(IMAGE_DOS_HEADER), idh->e_lfanew*sizeof(IMAGE_NT_HEADERS), or idh->e_lfanew*sizeof(char).
April 20th, 2009, 03:24 PM
monoceres

Re: Reading PE-structure.

Thanks for the suggestion but nothing seem to work.
I always end up with the same wrong signature.

The annoying thing is that I have done this before, or rather I have done but without the file reading. I got the address of a loaded module with GetModuleHandle and used the exact same logic, it worked like a charm.

Annoying.
April 20th, 2009, 04:08 PM
monoceres

Re: Reading PE-structure.

Okay I managed it, as you guys said it was my pointer arithmetic that was wrong. For future reference this is how it should have been done:

Code:

IMAGE_NT_HEADERS *inh = (IMAGE_NT_HEADERS*)((buffer)+(idh->e_lfanew));

Thanks again.
April 20th, 2009, 04:15 PM
rxbagain

Re: Reading PE-structure.

Yes, my mistake :D It should not be typecasted to IMAGE_NT_HEADERS before adding the offset. It could also be this way

Code:

IMAGE_NT_HEADERS *inh = (IMAGE_NT_HEADERS*)&buffer[idh->e_lfanew];