FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ,
FILE_OPEN,
FILE_SYNCHRONOUS_IO_ALERT|FILE_NON_DIRECTORY_FILE,
NULL,
0,
0,
NULL,
IO_NO_PARAMETER_CHECKING);
if (NT_SUCCESS(status))
{
byteOffset.LowPart = 0x3C;
byteOffset.HighPart= 0x0;
status=ZwReadFile(hFile,NULL,NULL,NULL,&iosb,&NtHeadersOffset,4,&byteOffset
,
NULL);
if (NT_SUCCESS(status))
{
byteOffset.LowPart = NtHeadersOffset;
byteOffset.HighPart= 0x0;
status=ZwReadFile(hFile,NULL,NULL,NULL,&iosb,&PESignature,4,&byteOffset,
NULL);
if (!NT_SUCCESS(status))
return result;
//不是PE 文件
if ((WORD)PESignature!=0x4550)
return result;
byteOffset.LowPart=NtHeadersOffset + 0x28;
byteOffset.HighPart=0;
//得到PE 文件的OEP
status=ZwReadFile(hFile,NULL,NULL,NULL,&iosb,&AddressOfEntryPoint,4,&byt
eOffset,NULL);
if (NT_SUCCESS(status))
{
byteOffset.LowPart = NtHeadersOffset +0x50;
byteOffset.HighPart = 0;
//得到 PE文件装入内存的总大小
status=ZwReadFile(hFile,NULL,NULL,NULL,&iosb,&SizeofImage,4,&byteOffset,
NULL);
if (NT_SUCCESS(status))
{
byteOffset.LowPart=NtHeadersOffset + 0x34;
byteOffset.HighPart=0;
//得到 PE文件的 ImageBase的位置
status=ZwReadFile(hFile,NULL,NULL,NULL,&iosb,&ImageBase,4,&byteOffset,NU
LL);
if (NT_SUCCESS(status))
{
NeedSize = SizeofImage - AddressOfEntryPoint;
if (NeedSize<=0)
return result;
FileContent=ExAllocatePoolWithTag(NonPagedPool,NeedSize,0);
if (FileContent)
{
byteOffset.LowPart=AddressOfEntryPoint;
byteOffset.HighPart=0;
//得到 PE从 OEP 开始的代码,因为含有dispatch routine的 RVA
status =
ZwReadFile(hFile,NULL,NULL,NULL,&iosb,FileContent,NeedSize,&byteOffset,N
ULL);
if (NT_SUCCESS(status))
{
for (i=0;i<=NeedSize;i++)
{
if ( (FileContent[i]==0xC7) && (FileContent[i+1]==0x46) && |
