我正在编写一个小型PE文件分析器,我必须读取PE文件的内容。我通过 ReadFile 函数执行此操作,如下所示:
function TMainForm.GetPEData(var filename: string) : boolean;
var
hFile: DWORD;
IDH: TImageDosHeader;
INH: TImageNtHeaders;
ISH: TImageSectionHeader;
dwRead: DWORD;
szBuff: array[0..7] of Char;
i: WORD;
PE: TPEFile;
begin
Result := False;
PE := TPeFile.Create;
if PE.LoadFromFile (filename) then
Form2.edEntryPoint.Text := IntToHex(PE.RvaToFileOffset(PE.AddressOfEntryPoint), 8);
SplashScreen.sLabel1.Caption := 'PE File Loaded';
hFile := CreateFile(PChar(filename), GENERIC_READ,
FILE_SHARE_WRITE, nil,
OPEN_EXISTING, 0, 0);
if hFile <> INVALID_HANDLE_VALUE then
begin
SetFilePointer(hFile, 0, nil, FILE_BEGIN);
SplashScreen.sLabel1.Caption := 'Reading DOS File Headers...';
ReadFile(hFile, IDH, 64, dwRead, nil);
if IDH.e_magic = IMAGE_DOS_SIGNATURE then
begin
SetFilePointer(hFile, IDH._lfanew, nil, FILE_BEGIN);
SplashScreen.sLabel1.Caption := 'Reading NT File Headers...';
//Here is where the UI freezes while the file is read...
ReadFile(hFile, INH, 248, dwRead, nil);
if INH.Signature = IMAGE_NT_SIGNATURE then
begin
Form2.edImageBase.Text := IntToHex(INH.OptionalHeader.ImageBase, 8);
Form2.edSizeOfImage.Text := IntToHex(INH.OptionalHeader.SizeOfImage, 8);
Form2.edLinkerVersion.Text := IntToStr(INH.OptionalHeader.MajorLinkerVersion) + '.' +
IntToStr(INH.OptionalHeader.MinorLinkerVersion);
Form2.edFileAlignment.Text := IntToHex(INH.OptionalHeader.FileAlignment, 8);
Form2.edSectionAlignment.Text := IntToHex(INH.OptionalHeader.SectionAlignment, 8);
Form2.edSubSystem.Text := IntToHex(INH.OptionalHeader.Subsystem, 4);
Form2.edEPFilestamp.Text := IntToStr(INH.FileHeader.TimeDateStamp);
Form2.edFileType.Text := GetPEFileType(PE.ImageNtHeaders.Signature);
for i := 0 to INH.FileHeader.NumberOfSections - 1 do
begin
SetFilePointer(hFile, IDH._lfanew + 248 + i * 40, nil, FILE_BEGIN);
ReadFile(hFile, ISH, 40, dwRead, nil);
CopyMemory(@szBuff[0], @ISH.Name[0], 8);
with Form2.sListView1.Items.Add do
begin
Caption := ShortString(szBuff);
SubItems.Add(IntToHex(ISH.VirtualAddress, 8));
SubItems.Add(IntToHex(ISH.Misc.VirtualSize, 8));
SubItems.Add(IntToHex(ISH.PointerToRawData, 8));
SubItems.Add(IntToHex(ISH.SizeOfRawData, 8));
SubItems.Add(IntToHex(ISH.Characteristics, 8));
end;
end;
end;
end;
CloseHandle(hFile);
Result := True;
end;
end;
坏事是,根据文件的大小,我注意到 ReadFile 经常会滞后 - 而且它是同步发生的。与此同时,用户界面会卡住,并且对用户来说看起来非常错误,用户会想终止它。我考虑过线程,但我只是想看看是否有任何方法可以在异步模式下使用 ReadFile 。如果没有,我会跳转到线程,即使我的代码中有很多需要修改的地方。
提前谢谢您。
最佳答案
在这种情况下,我总是将整个文件读取到内存中,并且我使用 TFileStream 类来更轻松地进行操作。
将整个文件放在内存中会更简单,而且 PE 文件通常很小。
type
TSections = array [0..0] of TImageSectionHeader;
PSections = ^TSections;
var
Form1: TForm1;
implementation
{$R *.dfm}
procedure TForm1.Button1Click(Sender: TObject);
var
FS : TFileStream;
fisier : PImageDosHeader;
INH : PImageNtHeaders;
ISH : PSections;
i : Word;
begin
FS := TFileStream.Create('fisierul_tau.exe',fmOpenRead);
GetMem(fisier,FS.size); //Aloci memorie pentru fisier
FS.Read(fisier^,FS.Size); // Il citesti;
FS.Free;
INH := PImageNtHeaders(DWORD(fisier) + DWORD(fisier^._lfanew));
ISH := PSections(DWORD(INH) + SizeOf(TImageNtHeaders));
for i := 0 to INH^.FileHeader.NumberOfSections - 1 do
begin
ShowMessage(PAnsiChar(@ISH[i].Name[0]));
end;
end;
关于multithreading - Delphi XE2中的异步ReadFile,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/11529639/