映射文件后获取OEP

AKAsallen

1. 
   
2. #include <stdio.h>
   
3. #include <WINDOWS.H>
   
4. bool mapoep(LPCSTR szFilename)
   
5. {
   
6.   //申请一个文件句柄
   
7. HANDLE hfile;
   
8. //申请一个镜像句柄
   
9. HANDLE hmap;
   
10. //打开文件
    
11. if ( (hfile = CreateFile(szFilename,GENERIC_READ,FILE_SHARE_READ,
    
12.   0,OPEN_EXISTING,FILE_FLAG_SEQUENTIAL_SCAN,0)) == INVALID_HANDLE_VALUE)
    
13. {
    
14.   printf("open file failed\n");
    
15.   return false;
    
16. }
    
17. 
    
18. //创建文件镜像
    
19. if ( (hmap = CreateFileMapping(hfile,0,PAGE_READONLY|SEC_COMMIT,0,0,0) ) ==NULL)
    
20. {
    
21.   printf("maping failed \n");
    
22.   CloseHandle(hfile);
    
23.   return false;
    
24. }
    
25. //申请一个无类型指针imagebase
    
26. void* imagebase;
    
27. //读取内存镜像获取镜像基址,赋值给imagedos
    
28. if ( (imagebase = MapViewOfFile(hmap,FILE_MAP_READ,0,0,0)) == NULL)
    
29. {
    
30.   printf("ERROR \n");
    
31.   return false;
    
32. }
    
33. //创建一个IMAGE_DOS_HEADER指针
    
34. IMAGE_DOS_HEADER *idos;
    
35. //把镜像基址转换成PIMAGE_DOS_HEADER结构复制给idos
    
36. idos = (IMAGE_DOS_HEADER*)imagebase;
    
37. //创建一个IMAGE_NT_HEADERS指针,并从idos中获取NTHEADER的基址,初始化imnt
    
38. IMAGE_NT_HEADERS *imnt = (IMAGE_NT_HEADERS *)((ULONG)idos + idos->e_lfanew);
    
39. //从imnt中获取AddressOfEntryPoint,并保存到一个新创建DWORD变量OEP中
    
40. DWORD oep = imnt->OptionalHeader.AddressOfEntryPoint;
    
41. //输出OEP16进制数
    
42. printf("0x%X",oep);
    
43. //卸下镜像
    
44. UnmapViewOfFile(imagebase);
    
45. CloseHandle(hmap);
    
46. //关闭文件
    
47. CloseHandle(hfile);
    
48. return true;
    
49. }
    
50. void main()
    
51. {
    
52.   LPCSTR filename;
    
53.   filename = "nimei.exe";
    
54.   mapoep(filename);
    
55.   system("pause");
    
56. }

复制代码