如何在內存中讀取AddressOfEntryPoint

我正在努力分析惡意軟件，該惡意軟件嘗試將新文件寫入其他進程。他們將新文件的數據以MZ格式保存在內存中。我如何知道內存中PE文件入口點的地址？如何在內存中讀取AddressOfEntryPoint

2017-03-22 Mr.nothing

如果您可以提供更多詳細信息，請在堆棧交換[逆向工程網站]（http://reverseengineering.stackexchange.com/）上提出此問題。一些專業的惡意軟件分析師在那裏回答惡意軟件分析問題我們希望有更多的惡意軟件問題 –

查找下面的方法來查找入口點的地址以及讀取各種頭部參數。

LPCSTR fileName; //exe file to parse 
HANDLE hFile; 
HANDLE hFileMapping; 
LPVOID lpFileBase; 
PIMAGE_DOS_HEADER dosHeader; 
PIMAGE_NT_HEADERS peHeader; 

hFile = CreateFileA(fileName,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0); 

if(hFile==INVALID_HANDLE_VALUE) 
{ 
    printf("\n CreateFile failed in read mode \n"); 
    return 1; 
} 

hFileMapping = CreateFileMapping(hFile,NULL,PAGE_READONLY,0,0,NULL); 

if(hFileMapping==0) 
{ 
    printf("\n CreateFileMapping failed \n"); 
    CloseHandle(hFile); 
    return 1; 
} 

lpFileBase = MapViewOfFile(hFileMapping,FILE_MAP_READ,0,0,0); 

if(lpFileBase==0) 
{ 
    printf("\n MapViewOfFile failed \n"); 
    CloseHandle(hFileMapping); 
    CloseHandle(hFile); 
    return 1; 
} 

dosHeader = (PIMAGE_DOS_HEADER) lpFileBase; //pointer to dos headers 

if(dosHeader->e_magic==IMAGE_DOS_SIGNATURE) 
{ 
    //if it is executable file print different fileds of structure 
    //dosHeader->e_lfanew : RVA for PE Header 
    printf("\n DOS Signature (MZ) Matched"); 

    //pointer to PE/NT header 
    peHeader = (PIMAGE_NT_HEADERS) ((u_char*)dosHeader+dosHeader->e_lfanew); 

    if(peHeader->Signature==IMAGE_NT_SIGNATURE) 
    { 
     printf("\n PE Signature (PE) Matched \n"); 

     //address of entry point 
     //peHeader->OptionalHeader.AddressOfEntryPoint 

    } 
    UnmapViewOfFile(lpFileBase); 
    CloseHandle(hFileMapping); 
    CloseHandle(hFile); 
    return 0; 
} 
else 
{ 
    printf("\n DOS Signature (MZ) Not Matched \n"); 
    UnmapViewOfFile(lpFileBase); 
    CloseHandle(hFileMapping); 
    CloseHandle(hFile); 
    return 1; 
}

來源

2017-12-16 08:36:56

如何在內存中讀取AddressOfEntryPoint

回答

相關問題