Simple PE Viewer

PE_header.h

#pragma once
//#include <WinNT.h>    //PE Format 참고
#include <windows.h>
#include <cstdio>
#include <cstdlib>
#include <cstring>
 
typedef long                LONG;
typedef unsigned long       DWORD;
typedef unsigned char       BYTE;
typedef unsigned short      WORD;
 
//
// Image Format
//
 
#define IMAGE_DOS_SIGNATURE                 0x5A4D      // MZ
#define IMAGE_OS2_SIGNATURE                 0x454E      // NE
#define IMAGE_OS2_SIGNATURE_LE              0x454C      // LE
#define IMAGE_VXD_SIGNATURE                 0x454C      // LE
#define IMAGE_NT_SIGNATURE                  0x00004550  // PE00
 
typedef struct _DOS_HEADER {      // DOS .EXE header
    WORD   e_magic;                     // Magic number
    WORD   e_cblp;                      // Bytes on last page of file
    WORD   e_cp;                        // Pages in file
    WORD   e_crlc;                      // Relocations
    WORD   e_cparhdr;                   // Size of header in paragraphs
    WORD   e_minalloc;                  // Minimum extra paragraphs needed
    WORD   e_maxalloc;                  // Maximum extra paragraphs needed
    WORD   e_ss;                        // Initial (relative) SS value
    WORD   e_sp;                        // Initial SP value
    WORD   e_csum;                      // Checksum
    WORD   e_ip;                        // Initial IP value
    WORD   e_cs;                        // Initial (relative) CS value
    WORD   e_lfarlc;                    // File address of relocation table
    WORD   e_ovno;                      // Overlay number
    WORD   e_res[4];                    // Reserved words
    WORD   e_oemid;                     // OEM identifier (for e_oeminfo)
    WORD   e_oeminfo;                   // OEM information; e_oemid specific
    WORD   e_res2[10];                  // Reserved words
    LONG   e_lfanew;                    // File address of new exe header
  } DOS_HEADER, *PDOS_HEADER;
 
//
// File header format.
//
 
typedef struct _FILE_HEADER {
    WORD    Machine;
    WORD    NumberOfSections;
    DWORD   TimeDateStamp;
    DWORD   PointerToSymbolTable;
    DWORD   NumberOfSymbols;
    WORD    SizeOfOptionalHeader;
    WORD    Characteristics;
} FILE_HEADER, *PFILE_HEADER;
 
#define IMAGE_SIZEOF_FILE_HEADER             20
 
#define IMAGE_FILE_RELOCS_STRIPPED           0x0001  // Relocation info stripped from file.
#define IMAGE_FILE_EXECUTABLE_IMAGE          0x0002  // File is executable  (i.e. no unresolved externel references).
#define IMAGE_FILE_LINE_NUMS_STRIPPED        0x0004  // Line nunbers stripped from file.
#define IMAGE_FILE_LOCAL_SYMS_STRIPPED       0x0008  // Local symbols stripped from file.
#define IMAGE_FILE_AGGRESIVE_WS_TRIM         0x0010  // Agressively trim working set
#define IMAGE_FILE_LARGE_ADDRESS_AWARE       0x0020  // App can handle >2gb addresses
#define IMAGE_FILE_BYTES_REVERSED_LO         0x0080  // Bytes of machine word are reversed.
#define IMAGE_FILE_32BIT_MACHINE             0x0100  // 32 bit word machine.
#define IMAGE_FILE_DEBUG_STRIPPED            0x0200  // Debugging info stripped from file in .DBG file
#define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP   0x0400  // If Image is on removable media, copy and run from the swap file.
#define IMAGE_FILE_NET_RUN_FROM_SWAP         0x0800  // If Image is on Net, copy and run from the swap file.
#define IMAGE_FILE_SYSTEM                    0x1000  // System File.
#define IMAGE_FILE_DLL                       0x2000  // File is a DLL.
#define IMAGE_FILE_UP_SYSTEM_ONLY            0x4000  // File should only be run on a UP machine
#define IMAGE_FILE_BYTES_REVERSED_HI         0x8000  // Bytes of machine word are reversed.
 
#define IMAGE_FILE_MACHINE_UNKNOWN           0
#define IMAGE_FILE_MACHINE_I386              0x014c  // Intel 386.
#define IMAGE_FILE_MACHINE_R3000             0x0162  // MIPS little-endian, 0x160 big-endian
#define IMAGE_FILE_MACHINE_R4000             0x0166  // MIPS little-endian
#define IMAGE_FILE_MACHINE_R10000            0x0168  // MIPS little-endian
#define IMAGE_FILE_MACHINE_WCEMIPSV2         0x0169  // MIPS little-endian WCE v2
#define IMAGE_FILE_MACHINE_ALPHA             0x0184  // Alpha_AXP
#define IMAGE_FILE_MACHINE_SH3               0x01a2  // SH3 little-endian
#define IMAGE_FILE_MACHINE_SH3DSP            0x01a3
#define IMAGE_FILE_MACHINE_SH3E              0x01a4  // SH3E little-endian
#define IMAGE_FILE_MACHINE_SH4               0x01a6  // SH4 little-endian
#define IMAGE_FILE_MACHINE_SH5               0x01a8  // SH5
#define IMAGE_FILE_MACHINE_ARM               0x01c0  // ARM Little-Endian
#define IMAGE_FILE_MACHINE_THUMB             0x01c2
#define IMAGE_FILE_MACHINE_AM33              0x01d3
#define IMAGE_FILE_MACHINE_POWERPC           0x01F0  // IBM PowerPC Little-Endian
#define IMAGE_FILE_MACHINE_POWERPCFP         0x01f1
#define IMAGE_FILE_MACHINE_IA64              0x0200  // Intel 64
#define IMAGE_FILE_MACHINE_MIPS16            0x0266  // MIPS
#define IMAGE_FILE_MACHINE_ALPHA64           0x0284  // ALPHA64
#define IMAGE_FILE_MACHINE_MIPSFPU           0x0366  // MIPS
#define IMAGE_FILE_MACHINE_MIPSFPU16         0x0466  // MIPS
#define IMAGE_FILE_MACHINE_AXP64             IMAGE_FILE_MACHINE_ALPHA64
#define IMAGE_FILE_MACHINE_TRICORE           0x0520  // Infineon
#define IMAGE_FILE_MACHINE_CEF               0x0CEF
#define IMAGE_FILE_MACHINE_EBC               0x0EBC  // EFI Byte Code
#define IMAGE_FILE_MACHINE_AMD64             0x8664  // AMD64 (K8)
#define IMAGE_FILE_MACHINE_M32R              0x9041  // M32R little-endian
#define IMAGE_FILE_MACHINE_CEE               0xC0EE
 
//
// Directory format.
//
 
typedef struct _DATA_DIRECTORY {
    DWORD   VirtualAddress;
    DWORD   Size;
} DATA_DIRECTORY, *PDATA_DIRECTORY;
 
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES    16
 
//
// Optional header format.
//
 
typedef struct _OPTIONAL_HEADER {
    //
    // Standard fields.
    //
 
    WORD    Magic;
    BYTE    MajorLinkerVersion;
    BYTE    MinorLinkerVersion;
    DWORD   SizeOfCode;
    DWORD   SizeOfInitializedData;
    DWORD   SizeOfUninitializedData;
    DWORD   AddressOfEntryPoint;
    DWORD   BaseOfCode;
    DWORD   BaseOfData;
 
    //
    // NT additional fields.
    //
 
    DWORD   ImageBase;
    DWORD   SectionAlignment;
    DWORD   FileAlignment;
    WORD    MajorOperatingSystemVersion;
    WORD    MinorOperatingSystemVersion;
    WORD    MajorImageVersion;
    WORD    MinorImageVersion;
    WORD    MajorSubsystemVersion;
    WORD    MinorSubsystemVersion;
    DWORD   Win32VersionValue;
    DWORD   SizeOfImage;
    DWORD   SizeOfHeaders;
    DWORD   CheckSum;
    WORD    Subsystem;
    WORD    DllCharacteristics;
    DWORD   SizeOfStackReserve;
    DWORD   SizeOfStackCommit;
    DWORD   SizeOfHeapReserve;
    DWORD   SizeOfHeapCommit;
    DWORD   LoaderFlags;
    DWORD   NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} OPTIONAL_HEADER, *POPTIONAL_HEADER;
 
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC      0x10b
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC      0x20b
#define IMAGE_ROM_OPTIONAL_HDR_MAGIC       0x107
 
typedef struct _NT_HEADERS {
    DWORD Signature;
    FILE_HEADER FileHeader;
    OPTIONAL_HEADER OptionalHeader;
} NT_HEADERS, *PNT_HEADERS;
 
// Subsystem Values
 
#define IMAGE_SUBSYSTEM_UNKNOWN              0   // Unknown subsystem.
#define IMAGE_SUBSYSTEM_NATIVE               1   // Image doesn't require a subsystem.
#define IMAGE_SUBSYSTEM_WINDOWS_GUI          2   // Image runs in the Windows GUI subsystem.
#define IMAGE_SUBSYSTEM_WINDOWS_CUI          3   // Image runs in the Windows character subsystem.
#define IMAGE_SUBSYSTEM_OS2_CUI              5   // image runs in the OS/2 character subsystem.
#define IMAGE_SUBSYSTEM_POSIX_CUI            7   // image runs in the Posix character subsystem.
#define IMAGE_SUBSYSTEM_NATIVE_WINDOWS       8   // image is a native Win9x driver.
#define IMAGE_SUBSYSTEM_WINDOWS_CE_GUI       9   // Image runs in the Windows CE subsystem.
#define IMAGE_SUBSYSTEM_EFI_APPLICATION      10  //
#define IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER  11   //
#define IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER   12  //
#define IMAGE_SUBSYSTEM_EFI_ROM              13
#define IMAGE_SUBSYSTEM_XBOX                 14
#define IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION 16
 
// DllCharacteristics Entries
 
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040     // DLL can move.
#define IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY    0x0080     // Code Integrity Image
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT    0x0100     // Image is NX compatible
#define IMAGE_DLLCHARACTERISTICS_NO_ISOLATION 0x0200     // Image understands isolation and doesn't want it
#define IMAGE_DLLCHARACTERISTICS_NO_SEH       0x0400     // Image does not use SEH.  No SE handler may reside in this image
#define IMAGE_DLLCHARACTERISTICS_NO_BIND      0x0800     // Do not bind this image..
#define IMAGE_DLLCHARACTERISTICS_WDM_DRIVER   0x2000     // Driver uses WDM model
#define IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE     0x8000
 
// Directory Entries
 
#define IMAGE_DIRECTORY_ENTRY_EXPORT          0   // Export Directory
#define IMAGE_DIRECTORY_ENTRY_IMPORT          1   // Import Directory
#define IMAGE_DIRECTORY_ENTRY_RESOURCE        2   // Resource Directory
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION       3   // Exception Directory
#define IMAGE_DIRECTORY_ENTRY_SECURITY        4   // Security Directory
#define IMAGE_DIRECTORY_ENTRY_BASERELOC       5   // Base Relocation Table
#define IMAGE_DIRECTORY_ENTRY_DEBUG           6   // Debug Directory
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE    7   // Architecture Specific Data
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR       8   // RVA of GP
#define IMAGE_DIRECTORY_ENTRY_TLS             9   // TLS Directory
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    10   // Load Configuration Directory
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   11   // Bound Import Directory in headers
#define IMAGE_DIRECTORY_ENTRY_IAT            12   // Import Address Table
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   13   // Delay Load Import Descriptors
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14   // COM Runtime descriptor
 
//
// Section header format.
//
 
#define IMAGE_SIZEOF_SHORT_NAME              8
 
typedef struct _SECTION_HEADER {
    BYTE    Name[IMAGE_SIZEOF_SHORT_NAME];
    union {
            DWORD   PhysicalAddress;
            DWORD   VirtualSize;
    } Misc;
    DWORD   VirtualAddress;
    DWORD   SizeOfRawData;
    DWORD   PointerToRawData;
    DWORD   PointerToRelocations;
    DWORD   PointerToLinenumbers;
    WORD    NumberOfRelocations;
    WORD    NumberOfLinenumbers;
    DWORD   Characteristics;
} SECTION_HEADER, *PSECTION_HEADER;
 
#define IMAGE_SIZEOF_SECTION_HEADER          40
 
// Section characteristics.
 
#define IMAGE_SCN_TYPE_NO_PAD                0x00000008  // Reserved.
 
#define IMAGE_SCN_CNT_CODE                   0x00000020  // Section contains code.
#define IMAGE_SCN_CNT_INITIALIZED_DATA       0x00000040  // Section contains initialized data.
#define IMAGE_SCN_CNT_UNINITIALIZED_DATA     0x00000080  // Section contains uninitialized data.
 
#define IMAGE_SCN_LNK_OTHER                  0x00000100  // Reserved.
#define IMAGE_SCN_LNK_INFO                   0x00000200  // Section contains comments or some other type of information.
#define IMAGE_SCN_LNK_REMOVE                 0x00000800  // Section contents will not become part of image.
#define IMAGE_SCN_LNK_COMDAT                 0x00001000  // Section contents comdat.
#define IMAGE_SCN_NO_DEFER_SPEC_EXC          0x00004000  // Reset speculative exceptions handling bits in the TLB entries for this section.
#define IMAGE_SCN_GPREL                      0x00008000  // Section content can be accessed relative to GP
#define IMAGE_SCN_MEM_FARDATA                0x00008000
#define IMAGE_SCN_MEM_PURGEABLE              0x00020000
#define IMAGE_SCN_MEM_16BIT                  0x00020000
#define IMAGE_SCN_MEM_LOCKED                 0x00040000
#define IMAGE_SCN_MEM_PRELOAD                0x00080000
 
#define IMAGE_SCN_ALIGN_1BYTES               0x00100000  //
#define IMAGE_SCN_ALIGN_2BYTES               0x00200000  //
#define IMAGE_SCN_ALIGN_4BYTES               0x00300000  //
#define IMAGE_SCN_ALIGN_8BYTES               0x00400000  //
#define IMAGE_SCN_ALIGN_16BYTES              0x00500000  // Default alignment if no others are specified.
#define IMAGE_SCN_ALIGN_32BYTES              0x00600000  //
#define IMAGE_SCN_ALIGN_64BYTES              0x00700000  //
#define IMAGE_SCN_ALIGN_128BYTES             0x00800000  //
#define IMAGE_SCN_ALIGN_256BYTES             0x00900000  //
#define IMAGE_SCN_ALIGN_512BYTES             0x00A00000  //
#define IMAGE_SCN_ALIGN_1024BYTES            0x00B00000  //
#define IMAGE_SCN_ALIGN_2048BYTES            0x00C00000  //
#define IMAGE_SCN_ALIGN_4096BYTES            0x00D00000  //
#define IMAGE_SCN_ALIGN_8192BYTES            0x00E00000  //
#define IMAGE_SCN_ALIGN_MASK                 0x00F00000
 
#define IMAGE_SCN_LNK_NRELOC_OVFL            0x01000000  // Section contains extended relocations.
#define IMAGE_SCN_MEM_DISCARDABLE            0x02000000  // Section can be discarded.
#define IMAGE_SCN_MEM_NOT_CACHED             0x04000000  // Section is not cachable.
#define IMAGE_SCN_MEM_NOT_PAGED              0x08000000  // Section is not pageable.
#define IMAGE_SCN_MEM_SHARED                 0x10000000  // Section is shareable.
#define IMAGE_SCN_MEM_EXECUTE                0x20000000  // Section is executable.
#define IMAGE_SCN_MEM_READ                   0x40000000  // Section is readable.
#define IMAGE_SCN_MEM_WRITE                  0x80000000  // Section is writeable.
 
#define TotalSection(x, y) x*y
 
// Section Header & Data
typedef struct _IMAGE_SECTION_ALL {
    SECTION_HEADER psh;
    char* shdata;
}IMAGE_SECTION_ALL, *PIMAGE_SECTION_ALL;
 
//PE File Format
typedef struct _PE_Format {
    DOS_HEADER idh;
    NT_HEADERS inh;
    PIMAGE_SECTION_ALL psa;         //포인터로 선언했을 뿐... 내용물이 없음
}PE_Format, *PPE_Format;
 
PE_Format g_pf;
 
#define SAFE_FREE(a) if(a){free(a); a=NULL;}
 
void Print_DOS_Header(const PDOS_HEADER pidh)
{
    printf("\n PE Format Structure - IMAGE_DOS_HEADER\n");
    printf("┌───────────────────────\n");
    printf("│Magic Number : 0x%02x\n", pidh->e_magic);
    printf("│Bytes on last page of file : 0x%02x\n", pidh->e_cblp);
    printf("│Pages in file : 0x%02x\n", pidh->e_cp);
    printf("│Relocations : 0x%02x\n", pidh->e_crlc);
    printf("│Size of header in paragraphs : 0x%02x\n", pidh->e_crlc);
    printf("│Minimum extra paragraphs needed : 0x%02x\n", pidh->e_minalloc);
    printf("│Maximum extra paragraphs needed : 0x%02x\n", pidh->e_maxalloc);
    printf("│Initial (relative) SS value : 0x%02x\n", pidh->e_ss);
    printf("│Initial SP value : 0x%02x\n", pidh->e_sp);
    printf("│Checksum : 0x%02x\n", pidh->e_csum);
    printf("│Initial IP value : 0x%02x\n", pidh->e_ip);
    printf("│Initial (relative) CS value : 0x%02x\n", pidh->e_cs);
    printf("│File address of relocation table : 0x%02x\n", pidh->e_lfarlc);
    printf("│Overlay number : 0x%02x\n", pidh->e_ovno);
    printf("│Reserved words : 0x%02x %02x %02x %02x\n", pidh->e_res[0], pidh->e_res[1], pidh->e_res[2], pidh->e_res[3]);
    printf("│OEM identifier (for e_oeminfo) : 0x%02x\n", pidh->e_oemid);
    printf("│OEM information; e_oemid specific : 0x%02x\n", pidh->e_oeminfo);
    printf("│Reserved words : 0x");
    for(int i=0; i<10; i++)
        printf("%02x ", pidh->e_res2[i]);
    printf("\n│File address of new exe header : 0x%04x\n", pidh->e_lfanew);
    printf("└───────────────────────\n");
}
 
void Print_FILE_Header(const PFILE_HEADER pfh)
{
    printf("\n PE Format Structure - IMAGE_FILE_HEADER\n");
    printf("┌───────────────────────\n");
    printf("│Machine : 0x%02x\n", pfh->Machine);
    printf("│NumberOfSections : 0x%02x\n", pfh->NumberOfSections);
    printf("│TimeDateStamp : 0x%04x\n", pfh->TimeDateStamp);
    printf("│PointerToSymbolTable : 0x%04x\n", pfh->PointerToSymbolTable);
    printf("│NumberOfSymbols : 0x%04x\n", pfh->NumberOfSymbols);
    printf("│SizeOfOptionalHeader : 0x%02x\n", pfh->SizeOfOptionalHeader);
    printf("│Characteristics : 0x%02x\n", pfh->Characteristics);
    printf("└───────────────────────\n");
}
 
void Print_OPTIONAL_Header(const POPTIONAL_HEADER poh)
{
    printf("\n PE Format Structure - IMAGE_OPTIONAL_HEADER\n");
    printf("┌───────────────────────\n");
    printf("│Magic : 0x%02x\n", poh->Magic);
    printf("│MagorLinkerVersion : 0x%01x\n", poh->MajorLinkerVersion);
    printf("│MinorLinkerVersion : 0x%01x\n", poh->MinorLinkerVersion);
    printf("│SizeOfCode : 0x%04x\n", poh->SizeOfCode);
    printf("│SizeOfInitializedData : 0x%04x\n", poh->SizeOfInitializedData);
    printf("│SizeOfUninitializedData : 0x%04x\n", poh->SizeOfUninitializedData);
    printf("│AddressOfEntryPoint : 0x%04x\n", poh->AddressOfEntryPoint);
    printf("│BaseOfCode : 0x%04x\n", poh->BaseOfCode);
    printf("│BaseOfData : 0x%04x\n", poh->BaseOfData);
    printf("│\n");
    printf("│ImageBase : 0x%04x\n", poh->ImageBase);
    printf("│SectionAlignment : 0x%04x\n", poh->SectionAlignment);
    printf("│FileAlignment : 0x%04x\n", poh->FileAlignment);
    printf("│MajorOperatingSystemVersion : 0x%02x\n", poh->MajorOperatingSystemVersion);
    printf("│MinorOperatingSystemVersion : 0x%02x\n", poh->MinorOperatingSystemVersion);
    printf("│MajorImageVersion : 0x%02x\n", poh->MajorImageVersion);
    printf("│MinorImageVersion : 0x%02x\n", poh->MinorImageVersion);
    printf("│MajorSubsystemVersion : 0x%02x\n", poh->MajorSubsystemVersion);
    printf("│MinorSubsystemVersion : 0x%02x\n", poh->MinorSubsystemVersion);
    printf("│Win32VersionValue : 0x%04x\n", poh->Win32VersionValue);
    printf("│SizeOfImage : 0x%04x\n", poh->SizeOfImage);
    printf("│SizeOfHeaders : 0x%04x\n", poh->SizeOfHeaders);
    printf("│CheckSum : 0x%04x\n", poh->CheckSum);
    printf("│Subsystem : 0x%02x\n", poh->Subsystem);
    printf("│DllCharacteristics : 0x%02x\n", poh->DllCharacteristics);
    printf("│SizeOfStackReserve : 0x%04x\n", poh->SizeOfStackReserve);
    printf("│SizeOfStackCommit : 0x%04x\n", poh->SizeOfStackCommit);
    printf("│SizeOfHeapReserve : 0x%04x\n", poh->SizeOfHeapReserve);
    printf("│SizeOfHeapCommit : 0x%04x\n", poh->SizeOfHeapCommit);
    printf("│LoaderFlags : 0x%04x\n", poh->LoaderFlags);
    printf("│NumberOfRvaAndSizes : 0x%04x\n", poh->NumberOfRvaAndSizes);
    printf("│\n│PE Format Structure - IMAGE_NT_HEADER - IMAGE_OPTIONAL_HEADER - IMAGE_DATA_DIRECTORY\n");
    for(int i=0; i<IMAGE_NUMBEROF_DIRECTORY_ENTRIES; i++)
    {
        printf("│<%u>│VirtualAddress : 0x%04x\n", i, poh->DataDirectory[i].VirtualAddress);
        printf("│<%u>│Size : 0x%04x\n", i, poh->DataDirectory[i].Size);
    }
    printf("└───────────────────────\n");
}
 
void Print_NT_Header(const PNT_HEADERS pnh)
{
    printf("\n PE Format Structure - IMAGE_NT_HEADER\n");
    printf("┌───────────────────────\n");
    printf("│Signature : 0x%04x\n", pnh->Signature);
    printf("└───────────────────────\n");
    Print_FILE_Header(&pnh->FileHeader);
    Print_OPTIONAL_Header(&pnh->OptionalHeader);
}
 
void Print_SECTION_Header(const PSECTION_HEADER psh)
{
    printf("\n PE Format Structure - IMAGE_SECTION_HEADERS\n");
    printf("┌───────────────────────\n");
    printf("│Name : %-8s\n", psh->Name);
    printf("│Misc : 0x%04x\n", psh->Misc);
    printf("│VirtualAddress : 0x%04x\n", psh->VirtualAddress);
    printf("│SizeOfRawData : 0x%04x\n", psh->SizeOfRawData);
    printf("│PointerToRawData : 0x%04x\n", psh->PointerToRawData);
    printf("│PointerToRelocations : 0x%04x\n", psh->PointerToRelocations);
    printf("│PointerToLinenumbers : 0x%04x\n", psh->PointerToLinenumbers);
    printf("│NumberOfRelocations : 0x%02x\n", psh->NumberOfRelocations);
    printf("│NumberOfLinenumbers : 0x%02x\n", psh->NumberOfLinenumbers);
    printf("│Characteristics : 0x%04x\n", psh->Characteristics);
    printf("└───────────────────────\n");
}
 
// PE Format 정보를 획득
BOOL Get_PE_Format(const char* temp_mem)
{
    unsigned int mem_offset = 0;
    int i = 0;
 
    memcpy(&g_pf.idh, temp_mem, sizeof(DOS_HEADER));
    mem_offset = g_pf.idh.e_lfanew;
    memcpy(&g_pf.inh, &temp_mem[mem_offset], sizeof(NT_HEADERS));
    mem_offset += sizeof(NT_HEADERS);
 
    g_pf.psa = (PIMAGE_SECTION_ALL) calloc(TotalSection(sizeof(IMAGE_SECTION_ALL), g_pf.inh.FileHeader.NumberOfSections), 1);      
    //PE의 모든 Section을 저장하기 위한 구조체 배열 생성
    for(i=0; i<g_pf.inh.FileHeader.NumberOfSections; i++)
    {
        memcpy(&(g_pf.psa[i].psh), &temp_mem[mem_offset], sizeof(SECTION_HEADER));
        mem_offset += sizeof(SECTION_HEADER);
 
        if(g_pf.psa[i].psh.SizeOfRawData != 0)              //섹션 데이터 읽어와서 저장
        {
            g_pf.psa[i].shdata = (char*) calloc(g_pf.psa[i].psh.SizeOfRawData, sizeof(char));     //new heap memory
            memcpy(g_pf.psa[i].shdata, &temp_mem[g_pf.psa[i].psh.PointerToRawData], g_pf.psa[i].psh.SizeOfRawData);
        }
    }
 
    return TRUE;
}
 
// 프로그램 시작시 호출
BOOL Init_PE_Format(const char* pe_file)
{
    FILE* pefp = NULL;
    char* temp_mem = NULL;
    unsigned int fsize = 0;
    pefp = fopen(pe_file, "rb");
    if(!pefp) return FALSE;
    fseek(pefp, 0, SEEK_END);
    fsize = ftell(pefp);
    rewind(pefp);
 
    temp_mem = (char*) calloc(fsize, sizeof(char));
    if(temp_mem == 0) return FALSE;
    if(fread(temp_mem, fsize, 1, pefp) == fsize) return FALSE;
    fclose(pefp);
    if(!Get_PE_Format(temp_mem)) return FALSE;
 
    SAFE_FREE(temp_mem);
 
    return TRUE;
}
 
// Exit시 호출
BOOL Destroy_PE_Format(void)
{
    for(int i=0; i<g_pf.inh.FileHeader.NumberOfSections; i++)       //섹션 데이터 해제
    {
        if(g_pf.psa[i].psh.SizeOfRawData != 0)
        {
            SAFE_FREE(g_pf.psa[i].shdata);
        }
    }
    SAFE_FREE(g_pf.psa);
 
    return TRUE;
}

main.cpp

#include "PE_header.h"
 
int main(void)
{
    Init_PE_Format("C:\\helloworld.exe");
 
    return 0;
}

PE 파일의 IMAGE DOS Header, IMAGE NT Header, IMAGE SECTION Headers를 저장하고 출력한다. 이것 이상의 기능은 구현하지 않았고, 필요에 따라서 추가해서 사용하면 된다.