|
PE machine type
November 20th, 2009 — Cobein
A pretty simple source to determine what type of machine the PE was compiled for. It's useful, for instance, if you are coding a crypter and you want to make sure the PE is not a 64-bit app. Note that the Machine field (and the e_lfanew offset used to reach it) comes straight from the file, so it should be treated as untrusted input: check the header offsets against the buffer size before reading them.
'---------------------------------------------------------------------------------------
' Module : mPE_MachineType
' DateTime : 11/20/2009 16:28
' Author : Cobein
' Mail : cobein27@hotmail.com
' WebPage : http://www.advancevb.com.ar
' Purpose : Determine what type of machine the PE was compiled for.
' Usage : At your own risk
' Requirements: None
' Distribution: You can freely use this code in your own
' applications, but you may not reproduce
' or publish this code on any web site,
' online service, or distribute as source
' on any media without express permission.
'
' History : 11/20/2009 First Cut....................................................
'---------------------------------------------------------------------------------------
Option Explicit
' "MZ" as a little-endian 16-bit value; compared against IMAGE_DOS_HEADER.e_magic.
Private Const IMAGE_DOS_SIGNATURE As Long = &H5A4D&
' "PE\0\0" as a little-endian 32-bit value; compared against IMAGE_NT_HEADERS.Signature.
Private Const IMAGE_NT_SIGNATURE As Long = &H4550&
' Magic of a 32-bit (PE32) optional header. Declared but not referenced by the code in
' this module; comparing OptionalHeader.Magic against it would be a second, independent
' way to tell a 32-bit image from a 64-bit one.
Private Const IMAGE_NT_OPTIONAL_HDR32_MAGIC As Long = &H10B&
' Byte sizes of the on-disk structures declared below. SIZE_NT_HEADERS (&HF8 = 248) is
' the PE32 layout: 4-byte Signature + 20-byte IMAGE_FILE_HEADER + 224-byte
' IMAGE_OPTIONAL_HEADER as declared in this module; a PE32+ image has a larger
' optional header, so this size must not be assumed for 64-bit files.
Private Const SIZE_DOS_HEADER As Long = &H40
Private Const SIZE_NT_HEADERS As Long = &HF8
' Not used by this module as shown.
Private Const SIZE_SECTION_HEADER As Long = &H28
' Values of IMAGE_FILE_HEADER.Machine.
' CAUTION: in VB6 an unsuffixed hex literal between &H8000 and &HFFFF is a negative
' Integer, so IMAGE_FILE_MACHINE_AMD64 (&H8664) and IMAGE_FILE_MACHINE_M32R (&H9041)
' are stored here as -31132 and -28607. That matches the signed Integer that
' GetMachineTypeFromBytes returns from the 16-bit Machine field, so comparing the
' function result against these members works; comparing against the unsigned
' values (34404, 36929) does not.
Public Enum eMachine
IMAGE_FILE_MACHINE_UNKNOWN = &H0 'The contents of this field are assumed to be applicable to any machine type
IMAGE_FILE_MACHINE_AM33 = &H1D3 'Matsushita AM33
IMAGE_FILE_MACHINE_AMD64 = &H8664 'x64 (evaluates to -31132, see note above)
IMAGE_FILE_MACHINE_ARM = &H1C0 'ARM little endian
IMAGE_FILE_MACHINE_EBC = &HEBC 'EFI byte code
IMAGE_FILE_MACHINE_I386 = &H14C 'Intel 386 or later processors and compatible processors
IMAGE_FILE_MACHINE_IA64 = &H200 'Intel Itanium processor family
IMAGE_FILE_MACHINE_M32R = &H9041 'Mitsubishi M32R little endian (evaluates to -28607, see note above)
IMAGE_FILE_MACHINE_MIPS16 = &H266 'MIPS16
IMAGE_FILE_MACHINE_MIPSFPU = &H366 'MIPS with FPU
IMAGE_FILE_MACHINE_MIPSFPU16 = &H466 'MIPS16 with FPU
IMAGE_FILE_MACHINE_POWERPC = &H1F0 'Power PC little endian
IMAGE_FILE_MACHINE_POWERPCFP = &H1F1 'Power PC with floating point support
IMAGE_FILE_MACHINE_R4000 = &H166 'MIPS little endian
IMAGE_FILE_MACHINE_SH3 = &H1A2 'Hitachi SH3
IMAGE_FILE_MACHINE_SH3DSP = &H1A3 'Hitachi SH3 DSP
IMAGE_FILE_MACHINE_SH4 = &H1A6 'Hitachi SH4
IMAGE_FILE_MACHINE_SH5 = &H1A8 'Hitachi SH5
IMAGE_FILE_MACHINE_THUMB = &H1C2 'Thumb
IMAGE_FILE_MACHINE_WCEMIPSV2 = &H169 'MIPS little-endian WCE v2
End Enum
' Legacy MS-DOS header at file offset 0 (64 bytes, see SIZE_DOS_HEADER).
' Only e_magic ("MZ" check) and e_lfanew (file offset of IMAGE_NT_HEADERS) are read
' by this module; e_lfanew is supplied by the file and must be bounds-checked
' before it is used as an index.
Private Type IMAGE_DOS_HEADER
e_magic As Integer
e_cblp As Integer
e_cp As Integer
e_crlc As Integer
e_cparhdr As Integer
e_minalloc As Integer
e_maxalloc As Integer
e_ss As Integer
e_sp As Integer
e_csum As Integer
e_ip As Integer
e_cs As Integer
e_lfarlc As Integer
e_ovno As Integer
e_res(0 To 3) As Integer
e_oemid As Integer
e_oeminfo As Integer
e_res2(0 To 9) As Integer
e_lfanew As Long
End Type
' COFF file header (20 bytes), immediately after the "PE\0\0" signature.
' Machine is the value this module returns; the other fields are not used here.
' Machine is a signed 16-bit Integer in VB6, so values with the high bit set
' (e.g. AMD64) read back negative.
Private Type IMAGE_FILE_HEADER
Machine As Integer
NumberOfSections As Integer
TimeDateStamp As Long
PointerToSymbolTable As Long
NumberOfSymbols As Long
SizeOfOptionalHeader As Integer
characteristics As Integer
End Type
' One entry (8 bytes) of the optional header's DataDirectory table. Not read by this module.
Private Type IMAGE_DATA_DIRECTORY
VirtualAddress As Long
Size As Long
End Type
' 32-bit (PE32) optional header, 224 bytes as declared here (ImageBase and the
' stack/heap sizes are 32-bit Longs and BaseOfData is present). A PE32+ (64-bit)
' image lays this structure out differently, so none of these fields may be
' trusted for an image whose Machine is not a 32-bit type. This module declares
' the type only so IMAGE_NT_HEADERS has the full PE32 size; it reads no field of it.
' NOTE: "SizeOfUnitializedData" is a misspelling of the Win32 field name
' (SizeOfUninitializedData); kept as-is because renaming it would break callers.
Private Type IMAGE_OPTIONAL_HEADER
Magic As Integer
MajorLinkerVersion As Byte
MinorLinkerVersion As Byte
SizeOfCode As Long
SizeOfInitializedData As Long
SizeOfUnitializedData As Long
AddressOfEntryPoint As Long
BaseOfCode As Long
BaseOfData As Long
ImageBase As Long
SectionAlignment As Long
FileAlignment As Long
MajorOperatingSystemVersion As Integer
MinorOperatingSystemVersion As Integer
MajorImageVersion As Integer
MinorImageVersion As Integer
MajorSubsystemVersion As Integer
MinorSubsystemVersion As Integer
W32VersionValue As Long
SizeOfImage As Long
SizeOfHeaders As Long
CheckSum As Long
SubSystem As Integer
DllCharacteristics As Integer
SizeOfStackReserve As Long
SizeOfStackCommit As Long
SizeOfHeapReserve As Long
SizeOfHeapCommit As Long
LoaderFlags As Long
NumberOfRvaAndSizes As Long
DataDirectory(0 To 15) As IMAGE_DATA_DIRECTORY
End Type
' PE32 NT headers (248 bytes = SIZE_NT_HEADERS): "PE\0\0" signature, COFF file header,
' 32-bit optional header. Located at IMAGE_DOS_HEADER.e_lfanew.
Private Type IMAGE_NT_HEADERS
Signature As Long
FileHeader As IMAGE_FILE_HEADER
OptionalHeader As IMAGE_OPTIONAL_HEADER
End Type
' Raw memory copy. RtlMoveMemory performs no bounds checking of its own: the caller
' must make sure the source array really holds L bytes from the given element,
' otherwise the copy reads past the end of the buffer.
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Dest As Any, Src As Any, ByVal L As Long)
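'---------------------------------------------------------------------------------------
' Procedure : GetMachineTypeFromFile
' Purpose   : Read the whole file at sSrcFile and hand its bytes to GetMachineTypeFromBytes.
' Params    : sSrcFile - path of the PE image to inspect.
' Returns   : the Machine field, or IMAGE_FILE_MACHINE_UNKNOWN (0) if the file cannot
'             be opened, is empty, or is not a valid PE. Errors are swallowed on purpose
'             so a bad path or a malformed file never raises into the caller; note the
'             caller cannot distinguish "not a PE" from "unreadable" (both give 0).
' Notes     : - Uses FreeFile instead of a hard-coded file number so it cannot collide
'               with a file the caller already has open.
'             - Closes only its own handle: a bare "Close" would close every file the
'               process has open.
'             - The whole file is read into memory because e_lfanew may point anywhere
'               in the image; keep that in mind when pointing this at very large files.
'---------------------------------------------------------------------------------------
Public Function GetMachineTypeFromFile( _
ByVal sSrcFile As String) As eMachine
    Dim bvData() As Byte
    Dim hFile As Integer
    Dim lSize As Long

    On Local Error GoTo GetMachineTypeFromFile_Error
    hFile = FreeFile
    Open sSrcFile For Binary Access Read As #hFile
    lSize = LOF(hFile)
    ' An empty file would otherwise ReDim to (-1) and land in the error handler;
    ' skip the read and let the default return value (0) stand.
    If lSize > 0 Then
        ReDim bvData(0 To lSize - 1)
        Get #hFile, , bvData()
    End If
    Close #hFile
    hFile = 0
    If lSize > 0 Then GetMachineTypeFromFile = GetMachineTypeFromBytes(bvData)
    Exit Function

GetMachineTypeFromFile_Error:
    ' Release our own handle if the failure happened after Open; ignore any error
    ' raised while doing so. The return value stays 0 (IMAGE_FILE_MACHINE_UNKNOWN).
    On Error Resume Next
    If hFile <> 0 Then Close #hFile
End Function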
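'---------------------------------------------------------------------------------------
' Procedure : GetMachineTypeFromBytes
' Purpose   : Return IMAGE_FILE_HEADER.Machine from an in-memory PE image.
'             bvData is treated as untrusted input: the buffer length and the
'             file-supplied e_lfanew offset are checked before every CopyMemory,
'             so a truncated or malformed image yields IMAGE_FILE_MACHINE_UNKNOWN (0)
'             instead of an out-of-bounds read or an unhandled "Subscript out of range".
' Params    : bvData - raw image bytes; any LBound is accepted (the original assumed 0).
' Returns   : the raw 16-bit Machine field, or 0 when the buffer is unallocated, too
'             short, or lacks the "MZ" / "PE\0\0" signatures. Values with the high bit
'             set (e.g. AMD64 &H8664) come back negative because the return type is a
'             signed Integer; compare against the eMachine members, which hold the same
'             signed values, not against the unsigned number 34404.
' Notes     : Only the 4-byte Signature plus the 20-byte IMAGE_FILE_HEADER are needed
'             to reach Machine, so only those 24 bytes are required and copied. The
'             optional header is never read; a PE32+ image is therefore handled the
'             same way as a PE32 one.
'---------------------------------------------------------------------------------------
Public Function GetMachineTypeFromBytes( _
ByRef bvData() As Byte) As Integer
    ' Signature (4) + IMAGE_FILE_HEADER (20); everything past that is not needed here.
    Const SIZE_NT_SIGNATURE_AND_FILE_HEADER As Long = 24
    Dim tDosHeader As IMAGE_DOS_HEADER
    Dim tNtHeaders As IMAGE_NT_HEADERS
    Dim lFirst As Long
    Dim lLength As Long
    Dim lNtOffset As Long

    ' LBound/UBound raise error 9 on a never-allocated dynamic array; treat that as "no data".
    On Error GoTo NoData
    lFirst = LBound(bvData)
    lLength = UBound(bvData) - lFirst + 1
    On Error GoTo 0

    ' Need a full DOS header before reading e_magic / e_lfanew out of it.
    If lLength < SIZE_DOS_HEADER Then Exit Function
    CopyMemory tDosHeader, bvData(lFirst), SIZE_DOS_HEADER
    If tDosHeader.e_magic <> IMAGE_DOS_SIGNATURE Then Exit Function

    ' e_lfanew is file-controlled: reject negative offsets and any offset that would
    ' place the NT signature + file header past the end of the buffer. Written as a
    ' subtraction so a huge e_lfanew cannot overflow an addition.
    lNtOffset = tDosHeader.e_lfanew
    If lNtOffset < 0 Then Exit Function
    If lNtOffset > lLength - SIZE_NT_SIGNATURE_AND_FILE_HEADER Then Exit Function

    CopyMemory tNtHeaders, bvData(lFirst + lNtOffset), SIZE_NT_SIGNATURE_AND_FILE_HEADER
    If tNtHeaders.Signature <> IMAGE_NT_SIGNATURE Then Exit Function

    GetMachineTypeFromBytes = tNtHeaders.FileHeader.Machine
    Exit Function

NoData:
    ' Fall through with the default return value of 0 (IMAGE_FILE_MACHINE_UNKNOWN).
End Function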
|