首页
论坛
课程
招聘
[调试逆向] [分享]获得PE资源树代码
2009-1-8 16:07 5825

[调试逆向] [分享]获得PE资源树代码

2009-1-8 16:07
5825
当时做一个软件的副产品,贴出来,供有需要的参考(VB代码)。

' PE 文件资源部分结构
Private Type IMAGE_RESOURCE_DIRECTORY
    Characteristics As Long
    TimeDateStamp As Long
    MajorVersion As Integer
    MinorVersion As Integer
    NumberOfNamedEntries As Integer
    NumberOfIdEntries As Integer
End Type
Private Type IMAGE_RESOURCE_DIRECTORY_ENTRY
    Name As Long
    OffsetToData As Long
End Type
Private Type IMAGE_RESOURCE_DATA_ENTRY
    OffsetToData As Long
    Size As Long
    CodePage As Long
    Reserved As Long
End Type

'资源数据结构
Private Type ResourceLeafInfo
    nTypeID As Long      '资源类型
    pStructRA As Long    '此资源的 IMAGE_RESOURCE_DATA_ENTRY 结构相对地址(从资源段算起)
    pDataAA As Long      '此资源的绝对地址(从文件首部算起)
    cbSize As Long       '资源大小
End Type

'递归遍历资源树,获得叶节点相关数据
Private Sub PickLeaves(hFile As Long, _
                       pResOffset As Long, _
                       pNodeEntry As Long, _
                       nTypeID As Long, _
                       tResLeafInfo() As ResourceLeafInfo)
    
    Dim tResDir As IMAGE_RESOURCE_DIRECTORY
    Dim tResDirEntry As IMAGE_RESOURCE_DIRECTORY_ENTRY
    Dim tResDataEntry As IMAGE_RESOURCE_DATA_ENTRY
    Dim i As Long
    
    Call llseek(hFile, pResOffset + pNodeEntry, FILE_BEGIN)
    Call lread(hFile, tResDir, Len(tResDir))
    For i = 0 To tResDir.NumberOfIdEntries + tResDir.NumberOfNamedEntries - 1
        Call llseek(hFile, pResOffset + pNodeEntry + Len(tResDir) + Len(tResDirEntry) * i, FILE_BEGIN)
        Call lread(hFile, tResDirEntry, Len(tResDirEntry))
        If CBool(tResDirEntry.OffsetToData And &H80000000) Then '指向下一个目录节点
            Call PickLeaves(hFile, pResOffset, tResDirEntry.OffsetToData And &H7FFFFFFF, nTypeID, tResLeafInfo())
        Else '指向数据入口
            Call llseek(hFile, pResOffset + tResDirEntry.OffsetToData, FILE_BEGIN)
            Call lread(hFile, tResDataEntry, Len(tResDataEntry))
            ReDim Preserve tResLeafInfo(UBound(tResLeafInfo) + 1) As ResourceLeafInfo
            With tResLeafInfo(UBound(tResLeafInfo))
                .nTypeID = nTypeID
                .pStructRA = tResDirEntry.OffsetToData
                .pDataAA = tResDataEntry.OffsetToData
                .cbSize = tResDataEntry.Size
            End With
        End If
    Next i
End Sub

看雪社区年底排行榜,查查你的排名?

收藏
点赞0
打赏
分享
最新回复 (4)
雪    币: 212
活跃值: 活跃值 (10)
能力值: ( LV7,RANK:100 )
在线值:
发帖
回帖
粉丝
安摧 活跃值 2 2009-2-8 12:17
2
0
支持!
可惜是delphi的代码~~~
雪    币: 201
活跃值: 活跃值 (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
asirzcl 活跃值 2009-2-8 13:37
3
0
可惜不是DELPHI代码~~~
雪    币: 370
活跃值: 活跃值 (81)
能力值: ( LV12,RANK:240 )
在线值:
发帖
回帖
粉丝
bzhkl 活跃值 5 2009-2-8 14:27
4
0
可惜既不是DELPHI 又不是C代码~~~
雪    币: 502
活跃值: 活跃值 (34)
能力值: ( LV6,RANK:90 )
在线值:
发帖
回帖
粉丝
BlueT 活跃值 2 2009-2-8 21:24
5
0
可惜又不是DELPHI 也不是C代码

游客
登录 | 注册 方可回帖
返回