进pe不能保存文件吗-(进pe不能保存文件吗)

PE加载到内存到还原文件的过程

以下代码，是有问题的.先看代码

PIMAGE_SECTION_HEADER temp_section_header = section_header;for (int i = 0; i < file_header->NumberOfSections; i ){ ///每次获取第一节的内存地址void* des = (void*)((unsigned 路由知识 long)temp_buffer temp_section_header->VirtualAddress); void* src = (void*)((unsigned long)ptemp (temp_section_header i)->PointerToRawData); // ///每次都是一个节的大小memcpy(des, src, temp_section_header->SizeOfRawData); }

循环中的三行代码，有两个代码代码(第一行和第三行).

PIMAGE_SECTION_HEADER temp_section_header = section_header;for (int i = 0; i < file_header->NumberOfSections; i ){PIMAGE_SECTION_HEADER psection = temp_section_header i; //这里void* des = (void*)((unsigned long)temp_buffer psection->VirtualAddress); //temp_section_header 1,移动多少？void* src = (void*)((unsigned long)ptemp psection->PointerToRawData); memcpy(des, src, psection->SizeOfRawData);}拉伸

拉伸:读取section(节)在文件中PointerToRawData(文件中的偏移量)，大小为SizeOfRawData(文件中对齐的长度)，转向内存布局.

//将pe将文件转换为内存或文件布局pe在内存布局unsigned long buffer_to_image(char** file_buffer, char** image_buffer){PIMAGE_DOS_HEADER dos_header = NULL;PIMAGE_NT_HEADERS nt_header = NULL;PIMAGE_FILE_HEADER file_header = NULL;PIMAGE_OPTIONAL_HEADER optional_header = NULL;PIMAGE_SECTION_HEADER section_header = NULL;char* ptemp = *file_buffer;void* temp_buffer = NULL;if (file_buffer == NULL) rintf("file_buff is null\ ");return 0;}if (*(short*)ptemp != IMAGE_DOS_SIGNATURE) rintf("\bx\ ", *(short*)ptemp);///检查是否为dos头 pe开头为mzreturn 0;}dos_header = (PIMAGE_DOS_HEADER)ptemp;if (*(short*)((unsigned long)ptemp dos_header->e_lfanew) != IMAGE_NT_SIGNATURE){//校验nt头是否有pe标志 PEreturn 0;}nt_header = (PIMAGE_NT_HEADERS)((unsigned long)ptemp dos_header->e_lfanew);file_header = (PIMAGE_FILE_HEADER)((unsigned long)nt_header 4);optional_header = (PIMAGE_OPTIONAL_HEADER)((unsigned long)file_header IMAGE_SIZEOF_FILE_HEADER);section_header = (PIMAGE_SECTION_HEADER)((unsigned long)optional_header file_header->SizeOfOptionalHeader);//分配空间temp_buffer = calloc(1, optional_header->SizeOfImage);if (!temp_buffer) emp_buffer = NULL;return 0;}//从dos头开始复制，复制第一部 块表的大小，到内存memcpy(temp_buffer, dos_header, optional_header->SizeOfHeaders); //SizeOfHeaders是第一和块表(第一部 块表的大小PIMAGE_SECTION_HEADER temp_section_header = section_header;for (int i = 0; i < file_header->NumberOfSections; i ){PIMAGE_SECTION_HEADER psection = temp_section_header i;void* des = (void*)((unsigned long)temp_buffer psection->VirtualAddress);void* src = (void*)((unsigned long)ptemp psection->PointerToRawData); memcpy(des, src, psection->SizeOfRawData);}*image_buffer = temp_buffer;return optional_header->SizeOfImage; //SizeOfImage整个内存PE图像的大小}还原

///从内存还原为文件int recovery_file(void** image_buffer, char* file, int size){PIMAGE_DOS_HEADER dos_header = NULL;PIMAGE_NT_HEADERS nt_header = NULL;PIMAGE_FILE_HEADER file_header = NULL;PIMAGE_OPTIONAL_HEADER optional_header = NULL;PIMAGE_SECTION_HEADER section_header = NULL;char* ptemp = *image_buffer;dos_header = (PIMAGE_DOS_HEADER)ptemp;if (*(short*)((unsigned long)ptemp dos_header->e_lfanew) != IMAGE_NT_SIGNATURE){//校验nt头是否有pe标志 PEreturn 0;}nt_header = (PIMAGE_NT_HEADERS)((unsigned long)ptemp dos_header->e_lfanew);file_header = (PIMAGE_FILE_HEADER)((unsigned long)nt_header 4);optional_header = (PIMAGE_OPTIONAL_HEADER)((unsigned long)file_header IMAGE_SIZEOF_FILE_HEADER);section_header = (PIMAGE_SECTION_HEADER)((unsigned long)optional_header file_header->SizeOfOptionalHeader);char* file_buffer = calloc(1, size);memcpy(file_buffer, dos_header, optional_header->SizeOfHeaders);PIMAGE_SECTION_HEADER temp_section_header = section_header;for (int i = 0; i < file_header->NumberOfSections; i ){PIMAGE_SECTION_HEADER psection = temp_section_header i;void* des = (void*)((unsigned long)file_buffer psection->PointerToRawData);void* src = (void*)((unsigned long)ptemp psection->VirtualAddress); memcpy(des, src, psection->SizeOfRawData);}FILE* fp = fopen(file, "wb ");if (fp != NULL){fwrite((void*)file_buffer, size, 1, fp);}fclose(fp);}

个人能力有限。如果你发现有什么问题，请给我发私信

假如你觉得对你有用，可以点赞或者加注意，欢迎您进行技术交流