formato portable ejecutable

Iniciado por malektaus27A, 30 Enero 2008, 02:49 AM


malektaus27A

Cuando me dediqué a estudiar algo del formato portable ejecutable de Windows (en espavirus hay buena información, y en la MSDN) decidí hacer este code. Es un rústico analizador PE: analiza la cabecera PE, la tabla de importaciones, la tabla de exportaciones, algo básico del directorio de debug y el directorio de recursos. Hay algo de código por optimizar y no sé la forma de convertir el formato de la fecha; tal vez debe haber alguna API. Si alguien sabe, por favor responder.

------------------------------------- inicio del code ----------------------------------


'agregar un listbox llamado list1
'agregar un menu llamado archivo
'unos sub menus "o como se llamen " llamdos abrir, guardar, limpiar  y salir

' MS-DOS stub header located at offset 0 of the mapped file (64 bytes as laid out here).
' The field order and widths are the on-disk layout, so they must not be reordered.
' Only e_magic and e_lfanew are read by the code in this listing.
Private Type IMAGE_DOS_HEADER
    e_magic As Integer ' compared against IMAGE_DOS_SIGNATURE before anything else is parsed
    e_cblp As Integer
    e_cp As Integer
    e_crlc As Integer
    e_cparhdr As Integer
    e_minalloc As Integer
    e_maxalloc As Integer
    e_ss As Integer
    e_sp As Integer
    e_csum As Integer
    e_ip As Integer
    e_cs As Integer
    e_lfarlc As Integer
    e_ovno As Integer
    e_res(0 To 3) As Integer
    e_oemid As Integer
    e_oeminfo As Integer
    e_res2(0 To 9) As Integer
    ' Offset of the NT headers. It comes straight from the file and is added to the
    ' mapping base without a range check, so a malformed value makes the parser read
    ' outside the mapped view.
    e_lfanew As Long
End Type

' Signatures checked before parsing, and the fixed length of the data-directory array.
Const IMAGE_DOS_SIGNATURE = &H5A4D ' "MZ" read as a little-endian 16-bit value
Const IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16 ' number of slots in OptionalHeader.DataDirectory
Const IMAGE_NT_SIGNATURE = &H4550 ' "PE" followed by two zero bytes once widened to a Long

' COFF file header that follows the 4-byte PE signature (20 bytes, see IMAGE_SIZEOF_FILE_HEADER).
' VB6 Integer is a signed 16-bit type, so any 16-bit field whose value is &H8000 or
' above is seen as a negative number by the code that reads it.
Private Type IMAGE_FILE_HEADER
    Machine                 As Integer ' decoded by maquina()
    NumberOfSections        As Integer ' drives the section loops; taken from the file unvalidated
    TimeDateStamp           As Long
    PointerToSymbolTable    As Long
    NumberOfSymbols         As Long
    SizeOfOptionalHeader    As Integer ' real distance from the optional header to the section table
    Characteristics         As Integer ' bit flags decoded by chracteritics()
End Type

' One slot of OptionalHeader.DataDirectory: where a table lives and how big it is.
' Both values are read from the file and are used by the parser as given.
Private Type IMAGE_DATA_DIRECTORY
    VirtualAddress As Long ' RVA of the table; converted to a file position with desp_offset()
    size As Long ' a non-zero size is what the parser uses to decide the table is present
End Type

' Optional header in its 32-bit layout: BaseOfData is present and ImageBase is a Long.
' NOTE(review): a file whose Magic is not NORMAL_EXECUTABLE_IMAGE (for example a
' 64-bit image) does not match this layout, so every field after Magic would be
' misread — confirm the caller rejects such files before trusting the output.
Private Type IMAGE_OPTIONAL_HEADER
    Magic As Integer ' compared against ROM_IMAGE / NORMAL_EXECUTABLE_IMAGE for display only
    MajorLinkerVersion As Byte
    MinorLinkerVersion As Byte
    SizeOfCode As Long
    SizeOfInitializedData As Long
    SizeOfUninitializedData As Long
    AddressOfEntryPoint As Long
    BaseOfCode  As Long
    BaseOfData  As Long
    ImageBase  As Long
    SectionAlignment  As Long
    FileAlignment As Long
    MajorOperatingSystemVersion As Integer
    MinorOperatingSystemVersion As Integer
    MajorImageVersion As Integer
    MinorImageVersion As Integer
    MajorSubsystemVersion As Integer
    MinorSubsystemVersion As Integer
    Win32VersionValue As Long
    SizeOfImage As Long
    SizeOfHeaders As Long
    CheckSum As Long
    subsystem As Integer
    DllCharacteristics As Integer
    SizeOfStackReserve As Long
    SizeOfStackCommit As Long
    SizeOfHeapReserve As Long
    SizeOfHeapCommit As Long
    LoaderFlags As Long
    ' Count of directory slots the file says it has. The visible code does not read it
    ' and always walks all IMAGE_NUMBEROF_DIRECTORY_ENTRIES slots.
    NumberOfRvaAndSizes As Long
    DataDirectory(0 To IMAGE_NUMBEROF_DIRECTORY_ENTRIES - 1) As IMAGE_DATA_DIRECTORY
End Type

' PE signature plus the file header and the 32-bit optional header.
' Its length with this layout is 248 bytes, which is the value of IMAGE_SIZEOF_NT_HEADER.
Private Type IMAGE_NT_HEADERS
    Signature As Long ' compared against IMAGE_NT_SIGNATURE
    FileHeader As IMAGE_FILE_HEADER
    OptionalHeader As IMAGE_OPTIONAL_HEADER
End Type

' Length in bytes of the fixed-size section name field.
Const IMAGE_SIZEOF_SHORT_NAME = 8

' One 40-byte entry of the section table. The field names differ from winnt.h;
' the usual name of each renamed field is given beside it.
Private Type IMAGE_SECTION_HEADER
   SectionName(IMAGE_SIZEOF_SHORT_NAME - 1)  As Byte ' raw 8 bytes; the listing prints all of them
   Address           As Long ' VirtualSize in winnt.h
   VirtualAddress    As Long ' RVA where the section starts in memory
   SizeOfData        As Long ' SizeOfRawData in winnt.h
   PData             As Long ' PointerToRawData in winnt.h (file offset of the section)
   PReloc            As Long
   PLineNums         As Long
   RelocCount        As Integer
   LineCount         As Integer
   Characteristics   As Long ' bit flags decoded by secton_chracteritics()
End Type

' One entry of the import directory, one per imported module.
' The parser treats an entry whose five fields are all zero as the end of the array.
Private Type IMAGE_IMPORT_DESCRIPTOR
OriginalFirstThunk As Long ' RVA of the name/ordinal table; may be 0, in which case FirstThunk is walked
TimeDateStamp As Long
ForwarderChain As Long
Name As Long ' RVA of the module name, read as a NUL-terminated string
FirstThunk As Long ' RVA of the import address table
End Type

' Header of the export directory. The three AddressOf* fields are RVAs of parallel
' tables; the counts come from the file and bound the loops that walk those tables.
Private Type IMAGE_EXPORT_DIRECTORY
Characteristics As Long
TimeDateStamp As Long
MajorVersion As Integer
MinorVersion As Integer
Name As Long ' RVA of the original module name
base As Long ' added to a table index to obtain the displayed ordinal
NumberOfFunctions As Long
NumberOfNames As Long
AddressOfFunctions As Long
AddressOfNames As Long
AddressOfNameOrdinals As Long
End Type

' Leaf of the resource tree: location and size of one resource's data.
Private Type IMAGE_RESOURCE_DATA_ENTRY
OffsetToData As Long
size As Long
CodePage As Long
Reserved As Long
End Type

' Header of one level of the resource tree. The directory entries follow it; the
' parser sizes its arrays from NumberOfNamedEntries + NumberOfIdEntries, both of
' which are signed 16-bit values taken from the file.
Private Type IMAGE_RESOURCE_DIRECTORY
Characteristics As Long
TimeDateStamp As Long
MajorVersion As Integer
MinorVersion As Integer
NumberOfNamedEntries As Integer
NumberOfIdEntries As Integer
End Type

' One 8-byte directory entry as stored by this program.
' NOTE(review): presumably mirrors IMAGE_RESOURCE_DIRECTORY_ENTRY (name-or-id, then
' offset); the code that fills it lies beyond the visible part of the listing.
Private Type RESORUCE
Id As Long
Offset_to_directory As Long
End Type

' One 28-byte entry of the debug directory. The parser derives the entry count from
' the directory size divided by the length of this type.
Private Type IMAGE_DEBUG_DIRECTORY
Characteristics As Long
TimeDateStamp As Long
MajorVersion As Integer
MinorVersion As Integer
Type As Long ' decoded by type_debug() after a CInt conversion at the call site
SizeOfData As Long
AddressOfRawData As Long ' RVA of the debug data
PointerToRawData As Long ' file offset of the debug data
End Type

' One 8-byte entry of the bound-import directory. The parser stops when both
' OffsetModuleName and NumberOfModuleForwarderRefs are zero.
Private Type IMAGE_BOUND_IMPORT_DESCRIPTOR
TimeDateStamp As Long
OffsetModuleName As Integer ' added to the directory's VirtualAddress to locate the module name
NumberOfModuleForwarderRefs As Integer
End Type

' Argument block for GetOpenFileName (common "open file" dialog).
' Not referenced by the visible part of the listing.
Private Type OPENFILENAME
    lStructSize As Long
    hwndOwner As Long
    hInstance As Long
    lpstrFilter As String
    lpstrCustomFilter As String
    nMaxCustFilter As Long
    nFilterIndex As Long
    lpstrFile As String
    nMaxFile As Long
    lpstrFileTitle As String
    nMaxFileTitle As Long
    lpstrInitialDir As String
    lpstrTitle As String
    flags As Long
    nFileOffset As Integer
    nFileExtension As Integer
    lpstrDefExt As String
    lCustData As Long
    lpfnHook As Long
    lpTemplateName As String
End Type

' Broken-down calendar time, the output type of FileTimeToSystemTime.
Private Type SYSTEMTIME
    wYear As Integer
    wMonth As Integer
    wDayOfWeek As Integer
    wDay As Integer
    wHour As Integer
    wMinute As Integer
    wSecond As Integer
    wMilliseconds As Integer
End Type
' 64-bit file time split into two Longs, the input type of FileTimeToSystemTime.
Private Type FILETIME
        dwLowDateTime As Long
        dwHighDateTime As Long
End Type

' Length of the fixed file-name buffer in WIN32_FIND_DATA.
Const MAX_PATH = 260

' Result record filled in by FindFirstFile.
Private Type WIN32_FIND_DATA
        dwFileAttributes As Long
        ftCreationTime As FILETIME
        ftLastAccessTime As FILETIME
        ftLastWriteTime As FILETIME
        nFileSizeHigh As Long
        nFileSizeLow As Long
        dwReserved0 As Long
        dwReserved1 As Long
        cFileName As String * MAX_PATH
        cAlternate As String * 14
End Type

' Program-defined pair of a resource name and an RVA.
' NOTE(review): its use lies beyond the visible part of the listing.
Private Type my_res
nombre_res As String
rva As Long
End Type

' Values of IMAGE_FILE_HEADER.Machine recognised by maquina().
' The list has no entry for 64-bit x86 images, so maquina() cannot name them
' through these constants.
Const IMAGE_FILE_MACHINE_UNKNOWN = 0
Const IMAGE_FILE_MACHINE_I386 = &H14C
Const IMAGE_FILE_MACHINE_BIG_ENDIAN = &H160
Const IMAGE_FILE_MACHINE_R3000 = &H162
Const IMAGE_FILE_MACHINE_R4000 = &H166
Const IMAGE_FILE_MACHINE_R10000 = &H168
Const IMAGE_FILE_MACHINE_WCEMIPSV2 = &H169
Const IMAGE_FILE_MACHINE_ALPHA = &H184
Const IMAGE_FILE_MACHINE_POWERPC = &H1F0
Const IMAGE_FILE_MACHINE_SH3 = &H1A2
Const IMAGE_FILE_MACHINE_SH3E = &H1A4
Const IMAGE_FILE_MACHINE_SH4 = &H1A6
Const IMAGE_FILE_MACHINE_ARM = &H1C0
Const IMAGE_FILE_MACHINE_THUMB = &H1C2
Const IMAGE_FILE_MACHINE_IA64 = &H200
Const IMAGE_FILE_MACHINE_MIPS16 = &H266
Const IMAGE_FILE_MACHINE_MIPSFPU = &H366
Const IMAGE_FILE_MACHINE_MIPSFPU16 = &H466
Const IMAGE_FILE_MACHINE_ALPHA64 = &H284

' Values of IMAGE_OPTIONAL_HEADER.subsystem recognised by subsystem().
Const IMAGE_SUBSYSTEM_UNKNOWN = 0
Const IMAGE_SUBSYSTEM_NATIVE = 1
Const IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
Const IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
Const IMAGE_SUBSYSTEM_OS2_CUI = 5
Const IMAGE_SUBSYSTEM_POSIX_CUI = 7
Const IMAGE_SUBSYSTEM_NATIVE_WINDOWS = 8
Const IMAGE_SUBSYSTEM_WINDOWS_CE_GUI = 9

' Bit flags of IMAGE_FILE_HEADER.Characteristics, named by chract().
Const IMAGE_FILE_RELOCS_STRIPPED = &H1
Const IMAGE_FILE_EXECUTABLE_IMAGE = &H2
Const IMAGE_FILE_LINE_NUMS_STRIPPED = &H4
Const IMAGE_FILE_LOCAL_SYMS_STRIPPED = &H8
Const IMAGE_FILE_AGGRESIVE_WS_TRIM = &H10
Const IMAGE_FILE_LARGE_ADDRESS_AWARE = &H20
Const IMAGE_FILE_BYTES_REVERSED_LO = &H80
Const IMAGE_FILE_32BIT_MACHINE = &H100
Const IMAGE_FILE_DEBUG_STRIPPED = &H200
Const IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP = &H400
Const IMAGE_FILE_NET_RUN_FROM_SWAP = &H800
Const IMAGE_FILE_SYSTEM = &H1000
Const IMAGE_FILE_DLL = &H2000
Const IMAGE_FILE_UP_SYSTEM_ONLY = &H4000
' A VB6 hex literal without a trailing "&" in the range &H8000..&HFFFF is a signed
' Integer, so this constant is -32768 rather than 32768. chracteritics() subtracts
' it from a negative value and depends on that sign.
Const IMAGE_FILE_BYTES_REVERSED_HI = &H8000

' Values of IMAGE_SECTION_HEADER.Characteristics, named by sec_chract().
' When triaging a file, a section carrying both IMAGE_SCN_MEM_EXECUTE and
' IMAGE_SCN_MEM_WRITE is worth a closer look, since it can be modified and run.
Const IMAGE_SCN_TYPE_REG = &H0
Const IMAGE_SCN_TYPE_DSECT = &H1
Const IMAGE_SCN_TYPE_NOLOAD = &H2
Const IMAGE_SCN_TYPE_GROUP = &H4
Const IMAGE_SCN_TYPE_NO_PAD = &H8
Const IMAGE_SCN_TYPE_COPY = &H10
Const IMAGE_SCN_CNT_CODE = &H20
Const IMAGE_SCN_CNT_INITIALIZED_DATA = &H40
Const IMAGE_SCN_CNT_UNINITIALIZED_DATA = &H80
Const IMAGE_SCN_LNK_OTHER = &H100
Const IMAGE_SCN_LNK_INFO = &H200
Const IMAGE_SCN_TYPE_OVER = &H400
Const IMAGE_SCN_LNK_REMOVE = &H800
Const IMAGE_SCN_LNK_COMDAT = &H1000
Const IMAGE_SCN_NO_DEFER_SPEC_EXC = &H4000
' NOTE(review): written without a trailing "&", the next two literals are signed
' VB6 Integers equal to -32768, so they never compare equal to the positive bit
' value 32768 that the flag decoder produces; "&H8000&" would give 32768.
Const IMAGE_SCN_GPREL = &H8000
Const IMAGE_SCN_MEM_FARDATA = &H8000
Const IMAGE_SCN_MEM_SYSHEAP = &H10000
' The next two names share one value.
Const IMAGE_SCN_MEM_PURGEABLE = &H20000
Const IMAGE_SCN_MEM_16BIT = &H20000
Const IMAGE_SCN_MEM_LOCKED = &H40000
Const IMAGE_SCN_MEM_PRELOAD = &H80000
' The ALIGN_* constants are consecutive values (1..14) of one 4-bit field in bits
' 20-23, not independent flags: ALIGN_4BYTES, for instance, has the bits of both
' ALIGN_1BYTES and ALIGN_2BYTES set.
Const IMAGE_SCN_ALIGN_1BYTES = &H100000
Const IMAGE_SCN_ALIGN_2BYTES = &H200000
Const IMAGE_SCN_ALIGN_4BYTES = &H300000
Const IMAGE_SCN_ALIGN_8BYTES = &H400000
Const IMAGE_SCN_ALIGN_16BYTES = &H500000
Const IMAGE_SCN_ALIGN_32BYTES = &H600000
Const IMAGE_SCN_ALIGN_64BYTES = &H700000
Const IMAGE_SCN_ALIGN_128BYTES = &H800000
Const IMAGE_SCN_ALIGN_256BYTES = &H900000
Const IMAGE_SCN_ALIGN_512BYTES = &HA00000
Const IMAGE_SCN_ALIGN_1024BYTES = &HB00000
Const IMAGE_SCN_ALIGN_2048BYTES = &HC00000
Const IMAGE_SCN_ALIGN_4096BYTES = &HD00000
Const IMAGE_SCN_ALIGN_8192BYTES = &HE00000
Const IMAGE_SCN_LNK_NRELOC_OVFL = &H1000000
Const IMAGE_SCN_MEM_DISCARDABLE = &H2000000
Const IMAGE_SCN_MEM_NOT_CACHED = &H4000000
Const IMAGE_SCN_MEM_NOT_PAGED = &H8000000
Const IMAGE_SCN_MEM_SHARED = &H10000000
Const IMAGE_SCN_MEM_EXECUTE = &H20000000
Const IMAGE_SCN_MEM_READ = &H40000000
' As a VB6 Long this is the most negative value (-2147483648), not +2^31.
Const IMAGE_SCN_MEM_WRITE = &H80000000

' Values of IMAGE_DEBUG_DIRECTORY.Type recognised by type_debug().
Const IMAGE_DEBUG_TYPE_UNKNOWN = 0
Const IMAGE_DEBUG_TYPE_COFF = 1
Const IMAGE_DEBUG_TYPE_CODEVIEW = 2
Const IMAGE_DEBUG_TYPE_FPO = 3
Const IMAGE_DEBUG_TYPE_MISC = 4
Const IMAGE_DEBUG_TYPE_EXCEPTION = 5
Const IMAGE_DEBUG_TYPE_FIXUP = 6
Const IMAGE_DEBUG_TYPE_OMAP_TO_SRC = 7
Const IMAGE_DEBUG_TYPE_OMAP_FROM_SRC = 8
Const IMAGE_DEBUG_TYPE_BORLAND = 9
Const IMAGE_DEBUG_TYPE_RESERVED10 = 10

' Values of IMAGE_OPTIONAL_HEADER.Magic shown as the file type.
Const ROM_IMAGE = &H107
Const NORMAL_EXECUTABLE_IMAGE = &H10B
' Fixed structure sizes in bytes.
Const IMAGE_SIZEOF_FILE_HEADER = 20
' Length of IMAGE_NT_HEADERS with the 32-bit optional header declared in this file.
' The parser also uses it as the distance from the PE signature to the section
' table, which holds only when SizeOfOptionalHeader has its standard 32-bit value.
Const IMAGE_SIZEOF_NT_HEADER = 248

' Win32 imports. Handles and addresses are declared As Long, i.e. as 32-bit values.
Private Declare Function CreateFile Lib "kernel32" Alias "CreateFileA" (ByVal lpFileName As String, ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, lpSecurityAttributes As Long, ByVal dwCreationDisposition As Long, ByVal dwFlagsAndAttributes As Long, ByVal hTemplateFile As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
' NOTE(review): lpName is ByVal ... As String. The call in analizador_pe passes the
' number 0, which VB6 coerces to the string "0", so the mapping object is created
' with the name "0" instead of being anonymous; passing vbNullString gives a NULL name.
Private Declare Function CreateFileMapping Lib "kernel32" Alias "CreateFileMappingA" (ByVal hFile As Long, lpFileMappigAttributes As Long, ByVal flProtect As Long, ByVal dwMaximumSizeHigh As Long, ByVal dwMaximumSizeLow As Long, ByVal lpName As String) As Long
Private Declare Function MapViewOfFile Lib "kernel32" (ByVal hFileMappingObject As Long, ByVal dwDesiredAccess As Long, ByVal dwFileOffsetHigh As Long, ByVal dwFileOffsetLow As Long, ByVal dwNumberOfBytesToMap As Long) As Long
' Declared ByRef As Any, so the view address has to be passed with ByVal at the call
' site. No call to it appears in the visible part of the listing.
Private Declare Function UnmapViewOfFile Lib "kernel32" (lpBaseAddress As Any) As Long
' Raw memory copy with no bounds checking: every Length and Source used with it in
' this file must be validated by the caller.
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Private Declare Function GetModuleFileName Lib "kernel32.dll" Alias "GetModuleFileNameA" (ByVal hModule As Long, ByVal lpFileName As String, ByVal nSize As Long) As Long
Private Declare Sub ExitProcess Lib "kernel32.dll" (ByVal uExitCode As Long)
Private Declare Function GetOpenFileName Lib "comdlg32.dll" Alias "GetOpenFileNameA" (pOpenfilename As OPENFILENAME) As Long
Private Declare Function FindFirstFile Lib "kernel32" Alias "FindFirstFileA" (ByVal lpFileName As String, lpFindFileData As WIN32_FIND_DATA) As Long
Private Declare Function FindClose Lib "kernel32" (ByVal hFindFile As Long) As Long
Private Declare Function FileTimeToSystemTime Lib "kernel32.dll" (ByRef lpFileTime As FILETIME, ByRef lpSystemTime As SYSTEMTIME) As Long

' Arguments for CreateFile / CreateFileMapping / MapViewOfFile. The file is opened
' and mapped read-only, so the analysed file is never written to.
Const GENERIC_READ = &H80000000
Const FILE_SHARE_READ = &H1
Const OPEN_EXISTING = 3
Const FILE_ATTRIBUTE_NORMAL = &H80
Const PAGE_READONLY = &H2
Const SECTION_MAP_READ = &H4
Const FILE_MAP_READ = SECTION_MAP_READ
' NOTE(review): as a VB6 Integer literal &HFFFF is -1, not 65535, and the Win32
' MAXDWORD is &HFFFFFFFF. Not used in the visible part of the listing.
Const MAXDWORD = &HFFFF
Const INVALID_HANDLE_VALUE = -1
' High bit of a 32-bit thunk or resource id; as a VB6 Long it is -2147483648.
Const IMAGE_ORDINAL_FLAG32 = &H80000000

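' Returns the display name of a data-directory slot.
'
' num: index into OptionalHeader.DataDirectory (0 .. IMAGE_NUMBEROF_DIRECTORY_ENTRIES - 1).
' Returns "RESERVED" for slot 15 and "UNKNOWN" for any other unlisted index, so a
' populated slot is never printed with an empty name.
Private Function directorio(num) As String
    Select Case num
        Case 0
            directorio = "EXPORT" ' IMAGE_DIRECTORY_ENTRY_EXPORT: exported symbols, mostly used by DLLs
        Case 1
            directorio = "IMPORT" ' IMAGE_DIRECTORY_ENTRY_IMPORT: imported symbols
        Case 2
            directorio = "RESOURCE" ' IMAGE_DIRECTORY_ENTRY_RESOURCE: resource tree
        Case 3
            directorio = "EXCEPTION" ' IMAGE_DIRECTORY_ENTRY_EXCEPTION: exception handler table
        Case 4
            ' IMAGE_DIRECTORY_ENTRY_SECURITY: Authenticode certificate table. Unlike the
            ' other slots its address is a file offset, not an RVA.
            directorio = "SECURITY"
        Case 5
            directorio = "BASERELOC" ' IMAGE_DIRECTORY_ENTRY_BASERELOC: base relocation table
        Case 6
            directorio = "DEBUG" ' IMAGE_DIRECTORY_ENTRY_DEBUG: debug directory
        Case 7
            directorio = "COPYRIGHT" ' IMAGE_DIRECTORY_ENTRY_COPYRIGHT: description / architecture-specific data
        Case 8
            directorio = "GLOBALPTR" ' IMAGE_DIRECTORY_ENTRY_GLOBALPTR: machine value (MIPS GP)
        Case 9
            ' IMAGE_DIRECTORY_ENTRY_TLS: thread local storage, holds "__declspec(thread)"
            ' variables. TLS callbacks run before the entry point, so analysts check it.
            directorio = "TLS"
        Case 10
            directorio = "LOAD_CONFIG" ' IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG: load configuration directory
        Case 11
            directorio = "BOUND_IMPORT" ' IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT: bound import table
        Case 12
            directorio = "ENTRY_IAT" ' IMAGE_DIRECTORY_ENTRY_IAT: import address table
        Case 13
            directorio = "DELAY_IMPORT" ' IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT: delay-load import descriptors
        Case 14
            directorio = "COM_DESCRIPTOR" ' IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: COM+ runtime descriptor
        Case 15
            directorio = "RESERVED" ' last slot of the 16-entry array; previously returned ""
        Case Else
            directorio = "UNKNOWN"
    End Select
End Function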

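' Returns a display name for IMAGE_FILE_HEADER.Machine.
'
' num: the raw 16-bit machine value (a signed VB6 Integer).
' Returns "Desconocida" for any value that is not listed.
'
' Changes from the original: IMAGE_FILE_MACHINE_THUMB had no assignment and returned
' an empty string; IMAGE_FILE_MACHINE_IA64 was labelled "Intel 64", which is the
' name of the x86-64 architecture rather than Itanium; and the 64-bit x86 machine
' value is now named so that such files are not reported as unknown.
Private Function maquina(num As Integer) As String
    Select Case num
        Case IMAGE_FILE_MACHINE_UNKNOWN
            maquina = "desconocido"
        Case IMAGE_FILE_MACHINE_I386
            maquina = "Intel 386"
        Case IMAGE_FILE_MACHINE_BIG_ENDIAN
            maquina = "Big Endian"
        Case IMAGE_FILE_MACHINE_R3000, IMAGE_FILE_MACHINE_R4000, IMAGE_FILE_MACHINE_R10000
            maquina = "MIPS little-endian"
        Case IMAGE_FILE_MACHINE_WCEMIPSV2
            maquina = "MIPS little-endian WCE v2"
        Case IMAGE_FILE_MACHINE_ALPHA
            maquina = "Alpha_AXP"
        Case IMAGE_FILE_MACHINE_POWERPC
            maquina = "IBM PowerPC Little-Endian"
        Case IMAGE_FILE_MACHINE_SH3
            maquina = "SH3 little-endian"
        Case IMAGE_FILE_MACHINE_SH3E
            maquina = "SH3E little-endian"
        Case IMAGE_FILE_MACHINE_SH4
            maquina = "SH4 little-endian"
        Case IMAGE_FILE_MACHINE_ARM
            maquina = "ARM Little-Endian"
        Case IMAGE_FILE_MACHINE_THUMB
            maquina = "ARM Thumb Little-Endian"
        Case IMAGE_FILE_MACHINE_IA64
            maquina = "Intel Itanium (IA-64)"
        Case IMAGE_FILE_MACHINE_MIPS16, IMAGE_FILE_MACHINE_MIPSFPU, IMAGE_FILE_MACHINE_MIPSFPU16
            maquina = "MIPS"
        Case IMAGE_FILE_MACHINE_ALPHA64
            maquina = "ALPHA64"
        Case &H8664
            ' 64-bit x86. As a VB6 Integer literal &H8664 is negative, which is also how
            ' the Integer field holds that value. The rest of this analyzer reads the
            ' 32-bit optional-header layout, so other fields of such a file are unreliable.
            maquina = "AMD64 (x64)"
        Case Else
            maquina = "Desconocida"
    End Select
End Function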

' Returns the display name of IMAGE_OPTIONAL_HEADER.subsystem.
'
' num: the raw subsystem value.
' IMAGE_SUBSYSTEM_UNKNOWN and every unlisted value both yield "UNKNOWN", so the
' explicit case for it is folded into Case Else.
Private Function subsystem(num As Integer) As String
    Select Case num
        Case IMAGE_SUBSYSTEM_NATIVE: subsystem = "NATIVE"
        Case IMAGE_SUBSYSTEM_WINDOWS_GUI: subsystem = "WINDOWS_GUI"
        Case IMAGE_SUBSYSTEM_WINDOWS_CUI: subsystem = "WINDOWS_CUI"
        Case IMAGE_SUBSYSTEM_OS2_CUI: subsystem = "OS2_CUI"
        Case IMAGE_SUBSYSTEM_POSIX_CUI: subsystem = "POSIX_CUI"
        Case IMAGE_SUBSYSTEM_NATIVE_WINDOWS: subsystem = "NATIVE_WINDOWS"
        Case IMAGE_SUBSYSTEM_WINDOWS_CE_GUI: subsystem = "WINDOWS_CE_GUI"
        Case Else: subsystem = "UNKNOWN"
    End Select
End Function

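' Decodes IMAGE_FILE_HEADER.Characteristics into flag names, one per line.
'
' num: the 16-bit flag word, widened to a Long by the caller. A sign-extended
'      (negative) value is accepted; only the low 16 bits are used.
' Returns the names separated by vbCrLf, highest bit first, or "" when no bit is set.
'
' Changes from the original: a value of 0 no longer raises run-time error 5 (the
' original called Mid with a negative length on an empty string), the ByRef argument
' is no longer modified, and bits are tested with And instead of repeated subtraction.
Private Function chracteritics(num As Long) As String
    Dim flags As Long
    Dim mask As Long
    Dim bit As Integer
    Dim texto As String

    ' Work on a copy restricted to 16 bits; this also undoes Integer sign extension.
    flags = num And &HFFFF&

    ' Bit 15 is handled here because IMAGE_FILE_BYTES_REVERSED_HI is a negative
    ' Integer constant that chract() cannot match against the positive value 32768.
    If flags And &H8000& Then texto = "BYTES_REVERSED_HI" & vbCrLf

    For bit = 14 To 0 Step -1
        mask = 2 ^ bit
        If flags And mask Then texto = texto & chract(mask) & vbCrLf
    Next

    ' Drop the trailing line break only when something was emitted.
    If Len(texto) >= 2 Then texto = Left$(texto, Len(texto) - 2)
    chracteritics = texto
End Function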

' Maps a single IMAGE_FILE_* characteristic bit to its name.
'
' num: exactly one flag value. Anything not listed yields "UNKNOWN"; that includes
'      the positive value 32768, because IMAGE_FILE_BYTES_REVERSED_HI is not a case here.
Private Function chract(num As Long) As String
    Select Case num
        Case IMAGE_FILE_RELOCS_STRIPPED: chract = "RELOCS_STRIPPED"
        Case IMAGE_FILE_EXECUTABLE_IMAGE: chract = "EXECUTABLE_IMAGE"
        Case IMAGE_FILE_LINE_NUMS_STRIPPED: chract = "LINE_NUMS_STRIPPED"
        Case IMAGE_FILE_LOCAL_SYMS_STRIPPED: chract = "LOCAL_SYMS_STRIPPED"
        Case IMAGE_FILE_AGGRESIVE_WS_TRIM: chract = "AGGRESIVE_WS_TRIM"
        Case IMAGE_FILE_LARGE_ADDRESS_AWARE: chract = "LARGE_ADDRESS_AWARE"
        Case IMAGE_FILE_BYTES_REVERSED_LO: chract = "BYTES_REVERSED_LO"
        Case IMAGE_FILE_32BIT_MACHINE: chract = "32BIT_MACHINE"
        Case IMAGE_FILE_DEBUG_STRIPPED: chract = "DEBUG_STRIPPED"
        Case IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP: chract = "REMOVABLE_RUN_FROM_SWAP"
        Case IMAGE_FILE_NET_RUN_FROM_SWAP: chract = "NET_RUN_FROM_SWAP"
        Case IMAGE_FILE_SYSTEM: chract = "SYSTEM"
        Case IMAGE_FILE_DLL: chract = "DLL"
        Case IMAGE_FILE_UP_SYSTEM_ONLY: chract = "UP_SYSTEM_ONLY"
        Case Else: chract = "UNKNOWN"
    End Select
End Function

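' Maps one IMAGE_SCN_* value to its name.
'
' num: a single section characteristic value (one flag bit, or one ALIGN_* value).
' Returns "UNKNOWN" for anything not listed.
'
' Changes from the original: the &H8000 flag is matched with the Long literal
' &H8000& because the IMAGE_SCN_MEM_FARDATA constant is written as a VB6 Integer
' literal (-32768) and never equalled the positive bit value; and the ALIGN_* values
' that were commented out are named, so a direct lookup of any alignment works.
' IMAGE_SCN_MEM_PURGEABLE shares its value with IMAGE_SCN_MEM_16BIT, and
' IMAGE_SCN_MEM_FARDATA with IMAGE_SCN_GPREL; only the first name of each pair is returned.
Private Function sec_chract(num As Variant) As String
    Select Case num
        Case IMAGE_SCN_TYPE_DSECT
            sec_chract = "TYPE_DSECT"
        Case IMAGE_SCN_TYPE_NOLOAD
            sec_chract = "TYPE_NOLOAD"
        Case IMAGE_SCN_TYPE_GROUP
            sec_chract = "TYPE_GROUP"
        Case IMAGE_SCN_TYPE_NO_PAD
            sec_chract = "TYPE_NO_PAD"
        Case IMAGE_SCN_TYPE_COPY
            sec_chract = "TYPE_COPY"
        Case IMAGE_SCN_CNT_CODE
            sec_chract = "CNT_CODE"
        Case IMAGE_SCN_CNT_INITIALIZED_DATA
            sec_chract = "CNT_INITIALIZED_DATA"
        Case IMAGE_SCN_CNT_UNINITIALIZED_DATA
            sec_chract = "CNT_UNINITIALIZED_DATA"
        Case IMAGE_SCN_LNK_OTHER
            sec_chract = "LNK_OTHER"
        Case IMAGE_SCN_LNK_INFO
            sec_chract = "LNK_INFO"
        Case IMAGE_SCN_TYPE_OVER
            sec_chract = "TYPE_OVER"
        Case IMAGE_SCN_LNK_REMOVE
            sec_chract = "LNK_REMOVE"
        Case IMAGE_SCN_LNK_COMDAT
            sec_chract = "LNK_COMDAT"
        Case IMAGE_SCN_NO_DEFER_SPEC_EXC
            sec_chract = "NO_DEFER_SPEC_EXC"
        Case &H8000&
            ' Positive 32768; see the header comment for why the constant is not used.
            sec_chract = "MEM_FARDATA"
        Case IMAGE_SCN_MEM_SYSHEAP
            sec_chract = "MEM_SYSHEAP"
        Case IMAGE_SCN_MEM_PURGEABLE
            sec_chract = "MEM_PURGEABLE"
        Case IMAGE_SCN_MEM_LOCKED
            sec_chract = "MEM_LOCKED"
        Case IMAGE_SCN_MEM_PRELOAD
            sec_chract = "MEM_PRELOAD"
        Case IMAGE_SCN_ALIGN_1BYTES
            sec_chract = "ALIGN_1BYTES"
        Case IMAGE_SCN_ALIGN_2BYTES
            sec_chract = "ALIGN_2BYTES"
        Case IMAGE_SCN_ALIGN_4BYTES
            sec_chract = "ALIGN_4BYTES"
        Case IMAGE_SCN_ALIGN_8BYTES
            sec_chract = "ALIGN_8BYTES"
        Case IMAGE_SCN_ALIGN_16BYTES
            sec_chract = "ALIGN_16BYTES"
        Case IMAGE_SCN_ALIGN_32BYTES
            sec_chract = "ALIGN_32BYTES"
        Case IMAGE_SCN_ALIGN_64BYTES
            sec_chract = "ALIGN_64BYTES"
        Case IMAGE_SCN_ALIGN_128BYTES
            sec_chract = "ALIGN_128BYTES"
        Case IMAGE_SCN_ALIGN_256BYTES
            sec_chract = "ALIGN_256BYTES"
        Case IMAGE_SCN_ALIGN_512BYTES
            sec_chract = "ALIGN_512BYTES"
        Case IMAGE_SCN_ALIGN_1024BYTES
            sec_chract = "ALIGN_1024BYTES"
        Case IMAGE_SCN_ALIGN_2048BYTES
            sec_chract = "ALIGN_2048BYTES"
        Case IMAGE_SCN_ALIGN_4096BYTES
            sec_chract = "ALIGN_4096BYTES"
        Case IMAGE_SCN_ALIGN_8192BYTES
            sec_chract = "ALIGN_8192BYTES"
        Case IMAGE_SCN_LNK_NRELOC_OVFL
            sec_chract = "LNK_NRELOC_OVFL"
        Case IMAGE_SCN_MEM_DISCARDABLE
            sec_chract = "MEM_DISCARDABLE"
        Case IMAGE_SCN_MEM_NOT_CACHED
            sec_chract = "MEM_NOT_CACHED"
        Case IMAGE_SCN_MEM_NOT_PAGED
            sec_chract = "MEM_NOT_PAGED"
        Case IMAGE_SCN_MEM_SHARED
            sec_chract = "MEM_SHARED"
        Case IMAGE_SCN_MEM_EXECUTE
            sec_chract = "MEM_EXECUTE"
        Case IMAGE_SCN_MEM_READ
            sec_chract = "MEM_READ"
        Case IMAGE_SCN_MEM_WRITE
            sec_chract = "MEM_WRITE"
        Case Else
            sec_chract = "UNKNOWN"
    End Select
End Function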

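' Decodes IMAGE_SECTION_HEADER.Characteristics into names joined by " or ".
'
' num: the 32-bit characteristics value (a Long; negative when bit 31 is set).
' Returns "TYPE_REG" for 0, otherwise the names from the highest bit to the lowest.
'
' Changes from the original:
'  - the argument is copied first; the original subtracted from the ByRef argument
'    and so could alter the caller's variable;
'  - a value of exactly &H80000000 (only MEM_WRITE set) no longer ends in run-time
'    error 5 from Mid being called on an empty string;
'  - bits 20-23 are decoded as the single alignment value they hold instead of as
'    four separate flags, which mislabelled alignments such as ALIGN_4BYTES;
'  - the whole trailing separator is removed (the original left a trailing space).
Private Function secton_chracteritics(num) As String
    Dim flags As Long
    Dim mask As Long
    Dim alignCode As Long
    Dim bit As Integer
    Dim texto As String

    flags = CLng(num)
    If flags = 0 Then
        secton_chracteritics = "TYPE_REG"
        Exit Function
    End If

    ' Bit 31 cannot be produced by 2 ^ bit in a Long, so it is tested on its own.
    If flags And IMAGE_SCN_MEM_WRITE Then texto = "MEM_WRITE or "

    For bit = 30 To 0 Step -1
        If bit = 23 Then
            ' Alignment is one 4-bit value: 1..14 mean 1, 2, 4 ... 8192 bytes.
            alignCode = (flags And &HF00000) \ &H100000
            If alignCode >= 1 And alignCode <= 14 Then
                texto = texto & "ALIGN_" & CStr(2 ^ (alignCode - 1)) & "BYTES or "
            ElseIf alignCode = 15 Then
                texto = texto & "UNKNOWN or "
            End If
        ElseIf bit < 20 Or bit > 23 Then
            mask = 2 ^ bit
            If flags And mask Then texto = texto & sec_chract(mask) & " or "
        End If
    Next

    ' Remove the trailing " or " when at least one name was emitted.
    If Len(texto) >= 4 Then texto = Left$(texto, Len(texto) - 4)
    secton_chracteritics = texto
End Function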

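' Returns the display name of IMAGE_DEBUG_DIRECTORY.Type.
'
' num: the debug type, already narrowed to an Integer by the caller.
' Returns "UNKNOWN" for any value above IMAGE_DEBUG_TYPE_RESERVED10 or otherwise
' unlisted; the original had no Case Else and returned an empty string, so entries
' of a type this list does not know were printed with a blank type.
Private Function type_debug(num As Integer) As String
    Select Case num
        Case IMAGE_DEBUG_TYPE_UNKNOWN
            type_debug = "UNKNOWN"
        Case IMAGE_DEBUG_TYPE_COFF
            type_debug = "COFF"
        Case IMAGE_DEBUG_TYPE_CODEVIEW
            type_debug = "CODEVIEW"
        Case IMAGE_DEBUG_TYPE_FPO
            type_debug = "FPO"
        Case IMAGE_DEBUG_TYPE_MISC
            type_debug = "MISC"
        Case IMAGE_DEBUG_TYPE_EXCEPTION
            type_debug = "EXCEPTION"
        Case IMAGE_DEBUG_TYPE_FIXUP
            type_debug = "FIXUP"
        Case IMAGE_DEBUG_TYPE_OMAP_TO_SRC
            type_debug = "OMAP_TO_SRC"
        Case IMAGE_DEBUG_TYPE_OMAP_FROM_SRC
            type_debug = "OMAP_FROM_SRC"
        Case IMAGE_DEBUG_TYPE_BORLAND
            type_debug = "BORLAND"
        Case IMAGE_DEBUG_TYPE_RESERVED10
            type_debug = "RESERVED10"
        Case Else
            type_debug = "UNKNOWN"
    End Select
End Function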

' Returns the name of a resource-directory entry.
'
' num:    the entry's name-or-id field. When its high bit (IMAGE_ORDINAL_FLAG32) is
'         set, the remaining bits are an offset to a length-prefixed string;
'         otherwise it is a numeric resource type id. The flag is cleared in place,
'         so the caller's variable is modified.
' dirres: address that the string offset is relative to.
'
' The string is stored as a 16-bit character count followed by 16-bit characters;
' only the low byte of each character is kept.
' NOTE(review): both the offset and the count come from the file and are used
' without checking them against the size of the mapped view, so a malformed
' resource directory makes this read outside the mapping.
Private Function dir(num As Long, dirres As Long) As String
    Dim lowByte As Byte
    Dim remaining As Integer
    Dim cursor As Long

    dir = vbNullString

    If (num And IMAGE_ORDINAL_FLAG32) = 0 Then
        ' Numeric id: translate the predefined resource types.
        Select Case num
            Case 1: dir = "CURSOR"
            Case 2: dir = "BITMAP"
            Case 3: dir = "ICON"
            Case 5: dir = "DIALOG"
            Case 6: dir = "STRING"
            Case 11: dir = "MESSAGE_TABLE"
            Case 12: dir = "GROUP_CURSOR"
            Case 14: dir = "GROUP_ICON"
            Case 16: dir = "VERSION"
            Case 22: dir = "ANIICON"
            Case 24: dir = "MANIFEST"
            Case Else: dir = "???"
        End Select
        Exit Function
    End If

    ' Named entry: strip the flag and follow the offset to the string.
    num = num - IMAGE_ORDINAL_FLAG32
    cursor = dirres + num
    CopyMemory remaining, ByVal cursor, 2
    cursor = cursor + 2
    Do While remaining > 0
        CopyMemory lowByte, ByVal cursor, 1
        dir = dir & Chr(lowByte)
        cursor = cursor + 2 ' step over the whole 16-bit character
        remaining = remaining - 1
    Loop
End Function

' Left-pads a string with "0" to a width of four characters.
'
' num: the text to pad. Strings of four or more characters are returned unchanged.
Private Function cero_dir(num As String) As String
    Dim missing As Long

    missing = 4 - Len(num)
    If missing > 0 Then
        cero_dir = String$(missing, "0") & num
    Else
        cero_dir = num
    End If
End Function

' Returns num with the IMAGE_ORDINAL_FLAG32 bit removed.
'
' num: a 32-bit thunk value. When the flag is not set the value is returned as is.
Private Function msb(num) As Long
    If num And IMAGE_ORDINAL_FLAG32 Then
        msb = num - IMAGE_ORDINAL_FLAG32
    Else
        msb = num
    End If
End Function

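' Reads a NUL-terminated single-byte string from the mapped file.
'
' base: address of the mapped view.
' rva:  RVA of the first character; values of 2 or less return "".
' tipo: kept for compatibility with existing callers and no longer used (see below).
' raw:  the delta returned by desp_offset(), subtracted to turn the RVA into an
'       offset inside the mapped file.
' Returns the characters up to, but not including, the first zero byte.
'
' Change from the original: the copy length was tipo, and callers pass 2 for
' imported and exported names, so two bytes were copied into the one-byte variable
' nom, writing one byte past it. The loop only ever consumed one byte per step, so
' copying exactly one byte returns the same string without the out-of-bounds write.
'
' NOTE(review): rva comes from the file and the scan has no upper limit, so a
' malformed RVA or a missing terminator makes this read outside the mapped view.
' Bounding it needs the mapping size, which this function does not receive.
Private Function obtener_string(base As Long, rva As Long, tipo As Integer, raw As Long) As String
    Dim nom As Byte
    Dim desp As Long
    Dim texto As String

    If rva <= 2 Then
        Exit Function
    End If

    desp = base + rva - raw
    CopyMemory nom, ByVal desp, 1
    Do While nom <> 0
        texto = texto & Chr(nom)
        desp = desp + 1
        CopyMemory nom, ByVal desp, 1
    Loop
    obtener_string = texto
End Function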

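' Finds the section that contains an RVA and returns the difference between that
' section's virtual address and its file offset (VirtualAddress - PData).
' Subtracting the result from an RVA gives the matching offset in the mapped file.
'
' dirbase: address of the mapped view of the file.
' rva:     the RVA to look up.
' Returns 0 when no section contains the RVA.
'
' Changes from the original:
'  - the section table is located with FileHeader.SizeOfOptionalHeader instead of
'    the fixed IMAGE_SIZEOF_NT_HEADER, so a file with a non-standard optional
'    header size is no longer resolved against the wrong bytes;
'  - NumberOfSections is treated as unsigned and drives a counted loop; a value of
'    &H8000 or above used to be negative and kept "Do While nos" running;
'  - each header is read only when it is about to be tested, so nothing is copied
'    from past the last section header;
'  - the end of the section is computed in Double so that a large VirtualAddress
'    plus SizeOfData cannot raise an overflow error.
'
' NOTE(review): e_lfanew, the section count and the header fields all come from the
' file, and nothing here checks them against the size of the mapped view, which
' this function does not receive. A malformed file can still make the copies read
' outside the mapping.
Private Function desp_offset(dirbase As Long, rva As Long) As Long
    Dim image_dos_head As IMAGE_DOS_HEADER
    Dim image_nt_header As IMAGE_NT_HEADERS
    Dim image_section_head As IMAGE_SECTION_HEADER
    Dim despl As Long
    Dim nos As Long
    Dim optSize As Long
    Dim idx As Long

    desp_offset = 0

    CopyMemory image_dos_head, ByVal (dirbase), Len(image_dos_head)
    despl = dirbase + image_dos_head.e_lfanew
    CopyMemory image_nt_header, ByVal (despl), IMAGE_SIZEOF_NT_HEADER

    ' Both fields are signed Integers in VB6; the mask recovers the unsigned value.
    nos = image_nt_header.FileHeader.NumberOfSections And &HFFFF&
    optSize = image_nt_header.FileHeader.SizeOfOptionalHeader And &HFFFF&

    ' The section table starts after the signature (4 bytes), the file header and
    ' the optional header, whatever size the file declares for the latter.
    despl = despl + 4 + IMAGE_SIZEOF_FILE_HEADER + optSize

    For idx = 1 To nos
        CopyMemory image_section_head, ByVal (despl), Len(image_section_head)
        If rva >= image_section_head.VirtualAddress Then
            If CDbl(rva) < CDbl(image_section_head.VirtualAddress) + CDbl(image_section_head.SizeOfData) Then
                desp_offset = image_section_head.VirtualAddress - image_section_head.PData
                Exit For
            End If
        End If
        despl = despl + Len(image_section_head)
    Next
End Function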

Private Function analizador_pe(archivo As String, list As ListBox)
Dim lngdirbase As Long
Dim image_dos_head As IMAGE_DOS_HEADER
Dim image_nt_header As IMAGE_NT_HEADERS
Dim image_section_head() As IMAGE_SECTION_HEADER
Dim raw_offset As Long
Dim va As Long
Dim tam As Long
Dim r As Long
Dim addr As Long
Dim ord As Integer
list.Clear

hArch = CreateFile(archivo, GENERIC_READ, FILE_SHARE_READ, ByVal 0&, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0)
If hArch = INVALID_HANDLE_VALUE Then
MsgBox "El Archivo NO se Pudo Abrir", vbExclamation, "Error"
Exit Function
End If

hMap = CreateFileMapping(hArch, ByVal 0&, PAGE_READONLY, 0, 0, 0)
CloseHandle hArch
If hMap = 0 Then
MsgBox "NO se pudo Crear el Objeto de Mapeo", vbExclamation, "Error"
Exit Function
End If

lngdirbase = MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0)
CloseHandle hMap
If lngdirbase = 0 Then
MsgBox "NO se ha Podido Mapear el Archivo en Memoria", vbExclamation, "Error"
Exit Function
End If

CopyMemory image_dos_head, ByVal lngdirbase, Len(image_dos_head)
If image_dos_head.e_magic = IMAGE_DOS_SIGNATURE Then
CopyMemory image_nt_header, ByVal (image_dos_head.e_lfanew + lngdirbase), Len(image_nt_header)
If image_nt_header.Signature = IMAGE_NT_SIGNATURE Then

list.AddItem "Offset hacia PE_HEADER: " & Hex(image_dos_head.e_lfanew) & "h"
'''''''''''''
'cabecera pe'
'''''''''''''
list.AddItem "Imagen Base " & Hex(image_nt_header.OptionalHeader.ImageBase) & "h"
list.AddItem "Direccion del Punto de Entrada(RVA) " & Hex(image_nt_header.OptionalHeader.AddressOfEntryPoint) & "h"
list.AddItem "Base of Code " & Hex(image_nt_header.OptionalHeader.BaseOfCode) & "h"
list.AddItem "Maquina: " & maquina(image_nt_header.FileHeader.Machine)
list.AddItem "Memoria reservada para el arhcivo: " & Hex(image_nt_header.OptionalHeader.SizeOfImage) & "h"
list.AddItem "time to data stamp: " & Hex(image_nt_header.FileHeader.TimeDateStamp) & "h"
list.AddItem "Caracteristicas: " & Hex(image_nt_header.FileHeader.Characteristics) & "h"
list.AddItem chracteritics(CLng(image_nt_header.FileHeader.Characteristics))
list.AddItem "Subsistema: " & subsystem(image_nt_header.OptionalHeader.subsystem)
list.AddItem "Carcteristicas Dll:" & Hex(image_nt_header.OptionalHeader.DllCharacteristics)
Select Case image_nt_header.OptionalHeader.Magic
Case ROM_IMAGE
magi = "ROM_IMAGE"
Case NORMAL_EXECUTABLE_IMAGE
magi = "NORMAL_EXECUTABLE_IMAGE"
Case Else
magi = "UNKNOWN"
End Select
list.AddItem "Tipo de Fichero: " & magi
For i = 0 To IMAGE_NUMBEROF_DIRECTORY_ENTRIES - 1
If image_nt_header.OptionalHeader.DataDirectory(i).size Then
list.AddItem "DIRECTORIO " & directorio(i) & ": "
list.AddItem "Direccion Virtual: " & Hex(image_nt_header.OptionalHeader.DataDirectory(i).VirtualAddress) & "h"
list.AddItem "Tamaño: " & Hex(image_nt_header.OptionalHeader.DataDirectory(i).size) & "h"
End If
Next
'''''''''''''''''''
'tabla de seciones'
'''''''''''''''''''
list.AddItem "Numero de Secciones " & image_nt_header.FileHeader.NumberOfSections
list.AddItem "SECCIONES: "
ReDim image_section_head(0 To image_nt_header.FileHeader.NumberOfSections - 1)
For i = 0 To image_nt_header.FileHeader.NumberOfSections - 1
tam = lngdirbase + image_dos_head.e_lfanew + IMAGE_SIZEOF_NT_HEADER + Len(image_section_head(0)) * i
CopyMemory image_section_head(i), ByVal (tam), Len(image_section_head(0))
sección = ""
For j = 0 To 7
sección = sección & Chr(image_section_head(i).SectionName(j))
Next
list.AddItem "Nombre de la sección " & i + 1 & "  " & sección
list.AddItem "Direccion Virtual " & Hex(image_section_head(i).VirtualAddress) & "h"
list.AddItem "pointer to raw data " & Hex(image_section_head(i).PData) & "h"
list.AddItem "size of raw data " & Hex(image_section_head(i).SizeOfData) & "h"
list.AddItem "Caractersiticas de la sección " & Hex(image_section_head(i).Characteristics) & "h"
list.AddItem secton_chracteritics(image_section_head(i).Characteristics)
list.AddItem "Fin de la sección"
Next
list.AddItem "Fin de las Secciones"
'''''''''''''''''''
'directorio bound'
'''''''''''''''''''
If image_nt_header.OptionalHeader.DataDirectory(11).size Then
list.AddItem "DIRECTORIO BOUND_IMPORT"
Dim bound_import_descriptor As IMAGE_BOUND_IMPORT_DESCRIPTOR
raw_offset = desp_offset(lngdirbase, image_nt_header.OptionalHeader.DataDirectory(11).VirtualAddress)
tam = lngdirbase + image_nt_header.OptionalHeader.DataDirectory(11).VirtualAddress
CopyMemory bound_import_descriptor, ByVal tam, Len(bound_import_descriptor)
While Not ((bound_import_descriptor.NumberOfModuleForwarderRefs = 0) And (bound_import_descriptor.OffsetModuleName = 0))
list.AddItem "time to data stamp " & Hex(bound_import_descriptor.TimeDateStamp) & "h"
list.AddItem "Nombre del Modulo: " & obtener_string(lngdirbase, image_nt_header.OptionalHeader.DataDirectory(11).VirtualAddress + bound_import_descriptor.OffsetModuleName, 1, raw_offset)
list.AddItem "Offset al Nombre del Modulo " & Hex(bound_import_descriptor.OffsetModuleName) & "h"
tam = tam + Len(bound_import_descriptor)
CopyMemory bound_import_descriptor, ByVal tam, Len(bound_import_descriptor)
Wend
list.AddItem "Fin del Directorio BOUND_IMPORT"
Else
list.AddItem "NO HAY DIRECTORIO BOUND_IMPORT"
End If
'''''''''''''''''''''''''''''
'directorio de importaciones'
'''''''''''''''''''''''''''''
If image_nt_header.OptionalHeader.DataDirectory(1).size Then
Dim image_import As IMAGE_IMPORT_DESCRIPTOR
raw_offset = desp_offset(lngdirbase, image_nt_header.OptionalHeader.DataDirectory(1).VirtualAddress)
list.AddItem "DIRECTORIO DE IMPORTACIONES"
tam = lngdirbase + image_nt_header.OptionalHeader.DataDirectory(1).VirtualAddress - raw_offset
CopyMemory image_import, ByVal (tam), Len(image_import)
i = 0
While Not ((image_import.FirstThunk = 0) And (image_import.ForwarderChain = 0) And (image_import.Name = 0) And (image_import.OriginalFirstThunk = 0) And (image_import.TimeDateStamp = 0))

list.AddItem "Importacion " & i + 1
list.AddItem "Nombre del Archivo: " & obtener_string(lngdirbase, image_import.Name, 1, raw_offset)
list.AddItem "(RVA) Nombre: " & Hex(image_import.Name) & "h"
list.AddItem "ForwarderChain " & Hex(image_import.ForwarderChain) & "h"
list.AddItem "TimeDateStamp " & Hex(image_import.TimeDateStamp) & "h"
list.AddItem "(RVA) Tabla de Importacion por Direcciones: " & Hex(image_import.FirstThunk) & "h"
list.AddItem "(RVA) Tabla de Importacion de Nombres: " & Hex(image_import.OriginalFirstThunk) & "h"

If image_import.OriginalFirstThunk Then

r = lngdirbase + image_import.OriginalFirstThunk - raw_offset
nof = 0
CopyMemory va, ByVal r, 4
While va
If va And IMAGE_ORDINAL_FLAG32 Then
va = msb(va)
nom = "por Ordinal " & Hex(va) & "h"
Else
nom = obtener_string(lngdirbase, va + 2, 2, raw_offset)
End If
tam = lngdirbase - raw_offset + nof * 4 + image_import.FirstThunk
CopyMemory addr, ByVal tam, 4
list.AddItem "Funcion Importada: " & nom & "  --> IAT:  " & Hex(addr) & "h"
nof = nof + 1
r = r + 4
CopyMemory va, ByVal r, 4
Wend

Else

r = lngdirbase + image_import.FirstThunk - raw_offset
CopyMemory va, ByVal r, 4
While va
list.AddItem "Funcion Importada: " & Hex(va) & "h"
r = r + 4
CopyMemory va, ByVal r, 4
Wend

End If

i = i + 1
tam = lngdirbase + i * Len(image_import) + image_nt_header.OptionalHeader.DataDirectory(1).VirtualAddress - raw_offset
CopyMemory image_import, ByVal (tam), Len(image_import)
Wend
list.AddItem "Fin del Directorio de Importaciones"

Else
list.AddItem "EL ARCHIVO NO IMPORTA FUNCIONES"

End If
'''''''''''''''''''''''''''''
'directorio de exportaciones'
'''''''''''''''''''''''''''''
If image_nt_header.OptionalHeader.DataDirectory(0).size Then
Dim image_export As IMAGE_EXPORT_DIRECTORY
raw_offset = desp_offset(lngdirbase, image_nt_header.OptionalHeader.DataDirectory(0).VirtualAddress)
CopyMemory image_export, ByVal (lngdirbase + image_nt_header.OptionalHeader.DataDirectory(0).VirtualAddress - raw_offset), Len(image_export)
list.AddItem "DIRECTORIO DE EXPORTACIONES "
list.AddItem "Nombre Original: " & obtener_string(lngdirbase, image_export.Name, 1, raw_offset)
list.AddItem "(RVA) Nombre" & Hex(image_export.Name) & "h"
list.AddItem "time to data stamp " & Hex(image_export.TimeDateStamp) & "h"
list.AddItem "Numero de Funciones Exportadas " & image_export.NumberOfFunctions
list.AddItem "Numero de Nombres Exportados " & image_export.NumberOfNames
list.AddItem "(RVA) Tabla de Exportacion por Direcciones: " & Hex(image_export.AddressOfFunctions) & "h"
list.AddItem "(RVA) Tabla de Nombres: " & Hex(image_export.AddressOfNames) & "h"
list.AddItem "(RVA) Tabla de Ordinales : " & Hex(image_export.AddressOfNameOrdinals) & "h"

If image_export.NumberOfNames Then

r = lngdirbase + image_export.AddressOfNames - raw_offset
CopyMemory va, ByVal r, 4
nof = 0
While nof < image_export.NumberOfNames
nom = obtener_string(lngdirbase, CLng(va), 2, raw_offset)
tam = lngdirbase - raw_offset + nof * 2 + image_export.AddressOfNameOrdinals
CopyMemory ord, ByVal tam, 2
tam = lngdirbase - raw_offset + ord * 4 + image_export.AddressOfFunctions
CopyMemory addr, ByVal tam, 4
list.AddItem "Funcion Exportada:  " & nom & "  Ordinal  " & (ord + image_export.base) & "  --> EAT:  " & Hex(addr) & "h"
r = r + 4
nof = nof + 1
CopyMemory va, ByVal r, 4
Wend

Else

r = lngdirbase + image_export.AddressOfFunctions - raw_offset
nof = 0
CopyMemory va, ByVal r, 4
While nof < image_export.NumberOfFunctions
list.AddItem "Funcion Exportada: " & Hex(va) & "h"
r = r + 4
nof = nof + 1
CopyMemory va, ByVal r, 4
Wend

End If

list.AddItem "Fin del Directorio de Exportaciones"
Else
list.AddItem "EL ARCHIVO NO EXPORTA FUNCIONES"

End If
'''''''''''''''''''''
'directorio de debug'
'''''''''''''''''''''
If image_nt_header.OptionalHeader.DataDirectory(6).size Then
Dim image_debug() As IMAGE_DEBUG_DIRECTORY
raw_offset = desp_offset(lngdirbase, image_nt_header.OptionalHeader.DataDirectory(6).VirtualAddress)
ReDim image_debug(0 To image_nt_header.OptionalHeader.DataDirectory(6).size / Len(image_debug(0)))
list.AddItem "DIRECTORIO DE DEBUG"
For i = 0 To UBound(image_debug) - 1
tam = lngdirbase + image_nt_header.OptionalHeader.DataDirectory(6).VirtualAddress - raw_offset + i * Len(image_debug(0))
CopyMemory image_debug(i), ByVal tam, Len(image_debug(i))
list.AddItem "Subdirectorio de Debug " & i + 1
list.AddItem "time to data stamp: " & Hex(image_debug(i).TimeDateStamp) & "h"
list.AddItem "Tipo: " & type_debug(CInt(image_debug(i).Type))
list.AddItem "RVA: " & Hex(image_debug(i).AddressOfRawData) & "h"
list.AddItem "Tamaño: " & image_debug(i).SizeOfData
list.AddItem "Data Offset: " & Hex(image_debug(i).PointerToRawData) & "h"
list.AddItem "Fin del Subdirectorio"
Next
list.AddItem "Fin del Directorio de Debug"
Else
list.AddItem "NO HAY DIRECTORIO DE DEBUG"
End If
''''''''''''''''''''''''
'directorio de recursos'
''''''''''''''''''''''''
If image_nt_header.OptionalHeader.DataDirectory(2).size Then
raw_offset = desp_offset(lngdirbase, image_nt_header.OptionalHeader.DataDirectory(2).VirtualAddress)
list.AddItem "DIRECTORIO DE RECURSOS"
''''''
'Type'
''''''
Dim image_resource As IMAGE_RESOURCE_DIRECTORY
CopyMemory image_resource, ByVal (lngdirbase + image_nt_header.OptionalHeader.DataDirectory(2).VirtualAddress - raw_offset), Len(image_resource)
n_rsc = image_resource.NumberOfNamedEntries + image_resource.NumberOfIdEntries
Dim rsc() As RESORUCE
Dim nom_d() As String
ReDim rsc(n_rsc - 1)
ReDim nom_d(n_rsc - 1)
For i = 0 To n_rsc - 1
tam = lngdirbase + image_nt_header.OptionalHeader.DataDirectory(2).VirtualAddress - raw_offset + Len(image_resource) + Len(rsc(0)) * i
CopyMemory rsc(i), ByVal tam, Len(rsc(0))
nom_d(i) = dir(rsc(i).Id, lngdirbase + image_nt_header.OptionalHeader.DataDirectory(2).VirtualAddress - raw_offset)
Next
''''''
'Name'
''''''
Dim rsc_2() As RESORUCE
Dim my_re() As my_res
cont = 0
Dim image_resource_2() As IMAGE_RESOURCE_DIRECTORY
ReDim image_resource_2(n_rsc - 1)
For i = 0 To n_rsc - 1
tam = lngdirbase + image_nt_header.OptionalHeader.DataDirectory(2).VirtualAddress - raw_offset + msb(rsc(i).Offset_to_directory)
CopyMemory image_resource_2(i), ByVal tam, Len(image_resource)
n_res = image_resource_2(i).NumberOfNamedEntries + image_resource_2(i).NumberOfIdEntries
ReDim rsc_2(n_res - 1)
ReDim Preserve my_re(cont + n_res)
r = 0
For j = 0 To n_res - 1
r = tam + Len(image_resource) + j * Len(rsc(0))
CopyMemory rsc_2(j), ByVal (r), Len(rsc(0))
my_re(j + cont).nombre_res = nom_d(i) & " " & cero_dir(CStr(Hex(rsc_2(j).Id)))
my_re(j + cont).rva = msb(rsc_2(j).Offset_to_directory)
Next
cont = cont + n_res
Next
''''''''''
'Language'
''''''''''
Dim image_resource_3() As IMAGE_RESOURCE_DIRECTORY
Dim rsc_3() As RESORUCE
cont = 0
Dim rva_to_de() As my_res
ReDim image_resource_3(UBound(my_re) - 1)
For i = 0 To UBound(my_re) - 1
tam = lngdirbase + image_nt_header.OptionalHeader.DataDirectory(2).VirtualAddress - raw_offset + my_re(i).rva
CopyMemory image_resource_3(i), ByVal tam, Len(image_resource)
n_res = image_resource_3(i).NumberOfNamedEntries + image_resource_3(i).NumberOfIdEntries
r = 0
ReDim rsc_3(n_res)
ReDim Preserve rva_to_de(cont + n_res)
For j = 0 To n_res - 1
r = tam + Len(image_resource) + j * Len(rsc(0))
CopyMemory rsc_3(j), ByVal r, Len(rsc(0))
rva_to_de(j + cont).rva = rsc_3(j).Offset_to_directory
rva_to_de(j + cont).nombre_res = my_re(i).nombre_res & " " & cero_dir(CStr(Hex(rsc_3(j).Id)))
Next
cont = cont + n_res
Next
'''''''''''''''''''''''''''
'image resource data entry'
'''''''''''''''''''''''''''
Dim data_entry() As IMAGE_RESOURCE_DATA_ENTRY
ReDim data_entry(UBound(rva_to_de) - 1)
For i = 0 To UBound(rva_to_de) - 1
tam = lngdirbase + image_nt_header.OptionalHeader.DataDirectory(2).VirtualAddress - raw_offset + rva_to_de(i).rva
CopyMemory data_entry(i), ByVal tam, Len(data_entry(0))
list.AddItem "Directorio " & rva_to_de(i).nombre_res
list.AddItem "(RVA) Datos: " & Hex(data_entry(i).OffsetToData) & "h"
list.AddItem "Tamaño " & data_entry(i).size
list.AddItem "Code Page " & Hex(data_entry(i).CodePage) & "h"
list.AddItem "Fin del Directorio"
Next

list.AddItem "Fin del Directorio de Recursos"

Else
list.AddItem "NO HAY DIRECTORIO DE RECURSOS"
End If

UnmapViewOfFile lngdirbase

Else
UnmapViewOfFile lngdirbase
MsgBox "No es Formato PE Valido", vbExclamation
Exit Function
End If

Else
UnmapViewOfFile lngdirbase
MsgBox "No es un Formato Pe Valido", vbExclamation
Exit Function
End If

End Function

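Private Sub Abrir_Click()
' Menu handler: asks for a file with the common Open dialog and runs the PE
' analysis on it, showing the analysed path in the form caption.
'
' The dialog writes the chosen path into a fixed buffer as a NUL-terminated
' string, so the path is cut at the first vbNullChar; Trim only strips spaces
' and would leave the terminator (and anything after it) in the string.
'
' NOTE(review): the visible part of analizador_pe copies structures with
' CopyMemory from offsets and counts read out of the selected file, with no
' check against the size of the mapped view, so a truncated or malformed file
' can make the analyser fault instead of reporting an error.
Dim ofn As OPENFILENAME
Dim ruta As String
Dim fin As Long

With ofn
    .lStructSize = Len(ofn)
    .hwndOwner = Me.hWnd
    .hInstance = App.hInstance
    'extensions *.exe *.dll *.ocx *.cpl *.sys *.scr
    .lpstrFilter = "Archivos Ejecutables (*.exe)" & vbNullChar & "*.exe" & vbNullChar & "Librerias de Enlace Dinamico (*.dll)" & vbNullChar & "*.dll" & vbNullChar & "Controles Active X (*.ocx)" & vbNullChar & "*.ocx" & vbNullChar & "Archivos de Panel de Control (*.cpl)" & vbNullChar & "*.cpl" & vbNullChar & "Archivos del Sistema (*.sys)" & vbNullChar & "*.sys" & vbNullChar & "Screensavers (*.scr)" & vbNullChar & "*.scr" & vbNullChar
    .lpstrFile = Space$(254)
    .nMaxFile = 255
    .lpstrFileTitle = Space$(254)
    .nMaxFileTitle = 255
    .lpstrTitle = "Analizar archivos"
    .flags = 0
End With

If GetOpenFileName(ofn) Then
    ' Keep only what the dialog wrote before its terminating NUL.
    fin = InStr(1, ofn.lpstrFile, vbNullChar)
    If fin > 0 Then
        ruta = Left$(ofn.lpstrFile, fin - 1)
    Else
        ruta = Trim$(ofn.lpstrFile)
    End If

    Form1.MousePointer = vbHourglass
    Call analizador_pe(ruta, List1)
    ' The caption doubles as "current file" storage; Guardar_Click reads it back.
    If List1.ListCount > 0 Then Me.Caption = ruta
    Form1.MousePointer = vbArrow
End If
End Sub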

Private Sub arch_Click()
' When the menu is opened, the "Limpiar" entry is enabled only if the
' listbox currently holds analysis lines.
Dim hay_lineas As Boolean
hay_lineas = (List1.ListCount > 0)
Me.Limpiar.Enabled = hay_lineas
End Sub

Private Sub Form_Load()
' Initial window title and listbox size.
With List1
    .Height = 3180
    .Width = 5895
End With
Me.Caption = "Analizador PE by MALEK"
End Sub

Private Sub Form_Resize()
' Makes the listbox follow the form size, leaving a fixed margin.
' A dimension is only applied while it stays positive, since a control
' cannot take a zero or negative width/height.
Dim ancho_util
Dim alto_util

ancho_util = Form1.Width - 350
If ancho_util > 0 Then
    List1.Width = ancho_util
End If

alto_util = Form1.Height - 850
If alto_util > 0 Then
    List1.Height = alto_util
End If
End Sub

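Private Sub Guardar_Click()
' Writes the analysis shown in List1 to a text report next to the program
' (App.Path), named after the analysed file with a .txt extension.
'
' The analysed file's full path is read back from the form caption, where
' Abrir_Click stored it. The report starts with location, name, creation date
' and size of that file, followed by one line per listbox entry.
'
' Changes over the original:
'  - the size is computed as high * 2^32 + low with the low DWORD read as
'    unsigned; multiplying by MAXDWORD is off by one per high unit and a
'    signed Long low part turns sizes above 2 GB negative;
'  - FindFirstFile failure is detected, so FindClose is not called on an
'    invalid handle and no date/size is reported from an unfilled structure;
'  - a caption without "\" or a name without a 3-letter extension no longer
'    raises a runtime error;
'  - the hourglass pointer is restored and the stream closed if writing fails.
'
' NOTE(review): an existing report with the same name is overwritten, and the
' lines written include names taken from the analysed file's tables, so the
' report is text of the same trust level as the file it describes.
Dim wfd As WIN32_FIND_DATA
Dim st As SYSTEMTIME
Dim ts As Object
Dim tam_bytes As Double
Dim hay_info As Boolean

If List1.ListCount = 0 Then
    MsgBox "Debe Analizar Algun Archivo", vbInformation
    Exit Sub
End If

On Error GoTo error_guardar
Form1.MousePointer = vbHourglass
Set fso = CreateObject("Scripting.FileSystemObject")

' Split "folder\name" at the last backslash.
archivo = Me.Caption
pos_arc = InStrRev(archivo, "\")
If pos_arc = 0 Then
    ' The caption does not hold a path, so there is no analysed file to describe.
    Form1.MousePointer = vbArrow
    MsgBox "Debe Analizar Algun Archivo", vbInformation
    Exit Sub
End If
carpeta = Left$(archivo, pos_arc - 1)
nombre_arch = Mid$(archivo, pos_arc + 1)

' Report name: the file name with its extension (if any) replaced by .txt.
pos_ext = InStrRev(nombre_arch, ".")
If pos_ext > 1 Then
    nombre_base = Left$(nombre_arch, pos_ext - 1)
Else
    nombre_base = nombre_arch
End If
ruta_txt = App.Path & "\" & nombre_base & ".txt"

' Creation time and size come from the directory entry of the analysed file.
hwnd_ff = FindFirstFile(archivo, wfd)
hay_info = (hwnd_ff <> -1)   ' -1 is INVALID_HANDLE_VALUE
If hay_info Then
    Call FileTimeToSystemTime(wfd.ftCreationTime, st)
    Call FindClose(hwnd_ff)
    tam_bytes = CDbl(wfd.nFileSizeHigh) * 4294967296# + wfd.nFileSizeLow
    ' A low DWORD with its top bit set arrives as a negative Long.
    If wfd.nFileSizeLow < 0 Then tam_bytes = tam_bytes + 4294967296#
End If

' Create (or overwrite) the report and write header plus listbox lines.
Set ts = fso.CreateTextFile(ruta_txt, True)
ts.writeline "Ubicacion: " & carpeta
ts.writeline "Archivo: " & nombre_arch
If hay_info Then
    ts.writeline "Creado: " & st.wDay & "\" & st.wMonth & "\" & st.wYear
    ts.writeline "Tamaño: " & tam_bytes & " bytes"
End If
ts.writeline ""
ts.writeline "ANALISIS PE"
ts.writeline ""
For i = 0 To List1.ListCount - 1
    ' Read the item directly instead of moving the selection to it.
    ts.writeline Trim(List1.List(i))
Next
ts.Close
Set ts = Nothing

List1.ListIndex = 0
Form1.MousePointer = vbArrow
MsgBox "La Informacion ha Sido Guardada Correctamente " & vbCrLf & ruta_txt, vbOKOnly
Exit Sub

error_guardar:
' Keep the description before the cleanup below resets Err.
descripcion = Err.Description
On Error Resume Next
If Not ts Is Nothing Then ts.Close
Form1.MousePointer = vbArrow
MsgBox descripcion, vbExclamation
End Sub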

Private Sub Limpiar_Click()
' Empties the result list and puts the default title back, which also
' drops the analysed file's path kept in the caption.
List1.Clear
Me.Caption = "Analizador PE by MALEK"
End Sub

Private Sub Salir_Click()
' Ends the program from the menu by calling the ExitProcess API with exit code 0.
' NOTE(review): this terminates the process directly rather than unloading
' the form; confirm no unload-time cleanup is expected elsewhere in the file.
ExitProcess 0&
End Sub


--------------------------------- fin del code -------------------------------------

No tengo todos los tipos del directorio de recursos y no he podido encontrarlos todos; ahí solo están los básicos.

Cualquier sugerencia o comentario, favor responder a malektaus27A@gmail.com



~~

No lo probé, pero parece que recoge un buen número de datos, ta chulo ;)