我有一个可移植可执行 (.exe) 文件,我想检索它的部分。我喜欢这样:
IMAGE_DOS_HEADER* pDOSHeader = (IMAGE_DOS_HEADER*) buffer; // DOS Header
IMAGE_NT_HEADERS* pNTHeaders = (IMAGE_NT_HEADERS*) ((BYTE *) pDOSHeader + pDOSHeader->e_lfanew); // PE Header
到目前为止一切都很好。我发现了这个:
The section table: This follows immediately after the PE header. It is an array of IMAGE_SECTION_HEADER structures, each containing the information about one section in the PE file such as its attribute and virtual offset. Remember the number of sections is the second member of FileHeader (6 bytes from the start of the PE header). If there are 8 sections in the PE file, there will be 8 duplicates of this structure in the table. Each header structure is 40 bytes apiece and there is no "padding" between them.
现在,当我这样做时:
IMAGE_SECTION_HEADER* pSection = (IMAGE_SECTION_HEADER*)
(pNTHeaders->FileHeader.PointerToSymbolTable);
或:
IMAGE_SECTION_HEADER* pSection = (IMAGE_SECTION_HEADER*) ((BYTE *) pNTHeaders + sizeof(IMAGE_NT_HEADERS));
pSection 的地址为 NULL (0)。
我必须提到 buffer 变量是我读取 PE 数据的地方。
最佳答案
您需要使用 SizeOfOptionalHeader 值来跳过可选 header 。不要依赖它的固定大小。 winnt.h 有一个你应该使用的宏:
#define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) \
((ULONG_PTR)(ntheader) + \
FIELD_OFFSET( IMAGE_NT_HEADERS, OptionalHeader ) + \
((ntheader))->FileHeader.SizeOfOptionalHeader \
))
关于c - PE部分数据,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/23498583/