2

我正在编写一个小型 PE 文件分析器,我必须读取 PE 文件的内容。我是通过ReadFile函数来​​做的,如下图:

function TMainForm.GetPEData(var filename: string) : boolean;
var
  hFile:   DWORD;
  IDH:     TImageDosHeader;
  INH:     TImageNtHeaders;
  ISH:     TImageSectionHeader;
  dwRead: DWORD;
  szBuff: array[0..7] of Char;
  i:      WORD;
  PE: TPEFile;
begin
  Result := False;
  PE := TPeFile.Create;
  if PE.LoadFromFile (filename) then  
    Form2.edEntryPoint.Text := IntToHex(PE.RvaToFileOffset(PE.AddressOfEntryPoint), 8);
  SplashScreen.sLabel1.Caption := 'PE File Loaded';
  hFile := CreateFile(PChar(filename), GENERIC_READ, 
                      FILE_SHARE_WRITE, nil, 
                      OPEN_EXISTING, 0, 0);
  if hFile <> INVALID_HANDLE_VALUE then
  begin
    SetFilePointer(hFile, 0, nil, FILE_BEGIN);
    SplashScreen.sLabel1.Caption := 'Reading DOS File Headers...';
    ReadFile(hFile, IDH, 64, dwRead, nil);
    if IDH.e_magic = IMAGE_DOS_SIGNATURE then
    begin
      SetFilePointer(hFile, IDH._lfanew, nil, FILE_BEGIN);
      SplashScreen.sLabel1.Caption := 'Reading NT File Headers...';
      //Here is where the UI freezes while the file is read...
      ReadFile(hFile, INH, 248, dwRead, nil);
      if INH.Signature = IMAGE_NT_SIGNATURE then
      begin
        Form2.edImageBase.Text := IntToHex(INH.OptionalHeader.ImageBase, 8);
        Form2.edSizeOfImage.Text := IntToHex(INH.OptionalHeader.SizeOfImage, 8);
        Form2.edLinkerVersion.Text := IntToStr(INH.OptionalHeader.MajorLinkerVersion) + '.' + 
              IntToStr(INH.OptionalHeader.MinorLinkerVersion);
        Form2.edFileAlignment.Text := IntToHex(INH.OptionalHeader.FileAlignment, 8);
        Form2.edSectionAlignment.Text := IntToHex(INH.OptionalHeader.SectionAlignment, 8);
        Form2.edSubSystem.Text := IntToHex(INH.OptionalHeader.Subsystem, 4);
        Form2.edEPFilestamp.Text := IntToStr(INH.FileHeader.TimeDateStamp);
        Form2.edFileType.Text := GetPEFileType(PE.ImageNtHeaders.Signature);

        for i := 0 to INH.FileHeader.NumberOfSections - 1 do
        begin
          SetFilePointer(hFile, IDH._lfanew + 248 + i * 40, nil, FILE_BEGIN);
          ReadFile(hFile, ISH, 40, dwRead, nil);
          CopyMemory(@szBuff[0], @ISH.Name[0], 8);

          with Form2.sListView1.Items.Add do
          begin
            Caption := ShortString(szBuff);
            SubItems.Add(IntToHex(ISH.VirtualAddress, 8));
            SubItems.Add(IntToHex(ISH.Misc.VirtualSize, 8));
            SubItems.Add(IntToHex(ISH.PointerToRawData, 8));
            SubItems.Add(IntToHex(ISH.SizeOfRawData, 8));
            SubItems.Add(IntToHex(ISH.Characteristics, 8));
          end;
        end;
      end;
    end;
    CloseHandle(hFile);
    Result := True;
  end;
end;

不好的是,根据文件的大小,我注意到它ReadFile经常会滞后——而且它是同步发生的。与此同时,UI 冻结并且对用户来说看起来非常错误,他们会很想终止它。我考虑过线程,但我只是想看看是否有任何方法可以ReadFile在异步模式下使用。如果没有,我会跳到线程,即使我的代码有很多要修改的地方。

先感谢您。

4

2 回答 2

1

ReadFile 函数从文件中读取数据,并从文件指针指示的位置开始。您可以将此函数用于同步和异步操作。

可以异步使用 ReadFile,但根据您的 UI,这可能不是最佳解决方案。您是否希望您的用户在等待 PE 文件加载时执行任何操作?

如果您希望您的用户等待但确信您的程序没有冻结,您可以添加进度条或仅更新您的 SplashScreen。

for i := 0 to INH.FileHeader.NumberOfSections - 1 do
begin
   SplashScreen.sLabel1.Caption := 'Reading section ' + IntToStr(i) + ' of ' + IntToStr(INH.FileHeader.NumberOfSections);
   SplashScreen.sLabel1.Update; // see Ken Whites comment
   // Application.ProcessMessages;
   ...
end
于 2012-07-17T19:53:46.227 回答
1

在这种情况下,我总是将整个文件读取到内存中,并且我使用 TFileStream 类来简化操作。

将整个文件放在内存中更简单,PE 文件通常很小。

  type
    TSections = array [0..0] of TImageSectionHeader;
    PSections = ^TSections;

var
  Form1: TForm1;

implementation

{$R *.dfm}

procedure TForm1.Button1Click(Sender: TObject);
var
  FS : TFileStream;
  fisier : PImageDosHeader;
  INH : PImageNtHeaders;
  ISH : PSections;
  i   : Word;
begin
  FS := TFileStream.Create('fisierul_tau.exe',fmOpenRead);
  GetMem(fisier,FS.size); //Aloci memorie pentru fisier
  FS.Read(fisier^,FS.Size); // Il citesti;
  FS.Free;
  INH := PImageNtHeaders(DWORD(fisier) + DWORD(fisier^._lfanew));
  ISH := PSections(DWORD(INH) + SizeOf(TImageNtHeaders));
  for i := 0 to INH^.FileHeader.NumberOfSections - 1 do
  begin
      ShowMessage(PAnsiChar(@ISH[i].Name[0]));
  end;
end;
于 2012-07-18T12:03:11.603 回答