QuasarApp/pe-parse
4
0
Fork 0
mirror of https://github.com/QuasarApp/pe-parse.git synced 2025-05-13 03:39:33 +00:00
Code Issues Projects Releases Wiki Activity

pretty-printing meta-programming

Browse Source
This commit is contained in:
Andrew 2013-07-26 09:36:05 -04:00
parent f84bffdebe
commit 240928b373
3 changed files with 33 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
dump-prog/dump.cpp
View File

@ -23,9 +23,19 @@ THE SOFTWARE.
*/ */
#include <iostream> #include <iostream>
#include <sstream>
#include "parse.h" #include "parse.h"
using namespace std; using namespace std;
using namespace boost;
template <class T>
static
string to_string(T t, ios_base & (*f)(ios_base&)) {
ostringstream oss;
oss << f << t;
return oss.str();
}
void printImports(void *N, RVA impAddr, string &impName) { void printImports(void *N, RVA impAddr, string &impName) {
@ -43,6 +53,21 @@ int main(int argc, char *argv[]) {
if(p != NULL) { if(p != NULL) {
//print out some things //print out some things
#define DUMP_FIELD(x) \
cout << "" #x << ": "; \
cout << to_string<uint32_t>(p->peHeader.x, hex) << endl;
DUMP_FIELD(nt.Signature);
DUMP_FIELD(nt.FileHeader.Machine);
DUMP_FIELD(nt.FileHeader.NumberOfSections);
DUMP_FIELD(nt.FileHeader.TimeDateStamp);
DUMP_FIELD(nt.FileHeader.PointerToSymbolTable);
DUMP_FIELD(nt.FileHeader.NumberOfSymbols);
DUMP_FIELD(nt.FileHeader.SizeOfOptionalHeader);
DUMP_FIELD(nt.FileHeader.Characteristics);
#undef DUMP_FIELD
IterImpRVAString(p, printImports, NULL); IterImpRVAString(p, printImports, NULL);
IterRelocs(p, printRelocs, NULL); IterRelocs(p, printRelocs, NULL);

11
parser-library/parse.cpp
View File

@ -174,9 +174,7 @@ bool readNtHeader(bounded_buffer *b, nt_header_32 &header) {
return true; return true;
} }
bool getHeader(bounded_buffer *file) { bool getHeader(bounded_buffer *file, pe_header &p) {
pe_header p;
if(file == NULL) { if(file == NULL) {
return false; return false;
} }
@ -197,11 +195,12 @@ bool getHeader(bounded_buffer *file) {
curOffset += offset; curOffset += offset;
//now, we can read out the fields of the NT headers //now, we can read out the fields of the NT headers
nt_header_32 nt; if(readNtHeader(splitBuffer(file, curOffset, file->bufLen), p.nt) == false) {
if(readNtHeader(splitBuffer(file, curOffset, file->bufLen), nt) == false) {
return false; return false;
} }
//and done, headers populated
return true; return true;
} }
@ -232,7 +231,7 @@ parsed_pe *ParsePEFromFile(const char *filePath) {
//now, we need to do some actual PE parsing and file carving. //now, we need to do some actual PE parsing and file carving.
//get header information //get header information
if(getHeader(p->fileBuffer) == false) { if(getHeader(p->fileBuffer, p->peHeader) == false) {
deleteBuffer(p->fileBuffer); deleteBuffer(p->fileBuffer);
delete p; delete p;
return NULL; return NULL;

5
parser-library/parse.h
View File

@ -27,6 +27,8 @@ THE SOFTWARE.
#include <string> #include <string>
#include <boost/cstdint.hpp> #include <boost/cstdint.hpp>
#include "nt-headers.h"
typedef boost::uint32_t RVA; typedef boost::uint32_t RVA;
typedef struct _bounded_buffer { typedef struct _bounded_buffer {
@ -46,8 +48,7 @@ void deleteBuffer(bounded_buffer *b);
struct parsed_pe_internal; struct parsed_pe_internal;
typedef struct _pe_header { typedef struct _pe_header {
RVA entryPoint; nt_header_32 nt;
bounded_buffer headerData;
} pe_header; } pe_header;
typedef struct _parsed_pe { typedef struct _parsed_pe {