从Delphi中的.exe文件(如strings.exe)读取字符串
我想编写一个程序来读取/提取 .exe 文件中所有有效的字符串(例如 "This program must be run under Win32" 或 "MZ"),就像 Sysinternals 的 strings.exe 一样。实际上,我想扫描一个 .exe 文件,如果其中包含特殊的字符串值,例如 "ekrn.exe" 或 "firefox.exe",就把该文件标记为可疑(这类程序可能会结束 ekrn.exe 进程,或向 firefox.exe 注入恶意代码)。我用 Delphi 编写了以下代码:
sysinternals的strings.exe
一样。
实际上,我想扫描一个.exe
文件,如果其中包含特殊的字符串值,例如“ekrn.exe”
或“Filrefox.exe”
,则将该文件检测为可疑文件(杀死ekrn.exe
或将恶意代码注入firefox.exe
)
我用Delphi编写了以下代码:
// Question's first attempt: read the whole file into a buffer and append
// bytes to one string until a terminator. The defects are noted inline.
const
TargetName = 'E:\AntiDebugg.exe';
var
hFile: THandle;
tmp: AnsiString;
dwFileSize, lChar, lSearch: Integer;
dwNumRead: Cardinal;
dwBuffer: array of AnsiChar;
begin
mmo1.Clear;
// The handle is never checked against INVALID_HANDLE_VALUE, so a missing
// file makes GetFileSize/ReadFile below fail without any diagnostic.
hFile := CreateFileA(TargetName, GENERIC_READ, FILE_SHARE_READ, nil,
OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
dwFileSize := GetFileSize(hFile, nil);
SetLength(dwBuffer, dwFileSize);
lChar := 0;
lSearch := 0;
// Off by one: dwBuffer's valid indexes are 0..dwFileSize-1, but the loop
// condition also admits lChar = dwFileSize.
while lChar <= dwFileSize do
begin
// SizeOf(dwBuffer) is the size of the dynamic-array reference (a pointer),
// not the number of bytes in the buffer; Length(dwBuffer) - lChar was
// presumably intended, so only a handful of bytes are read per iteration.
ReadFile(hFile, dwBuffer[lChar], SizeOf(dwBuffer), dwNumRead, nil);
// Compares an AnsiChar with the empty string '' rather than with #0, so
// this inner loop does not stop at a NUL byte as intended and keeps
// advancing lChar, potentially past the end of the buffer.
while dwBuffer[lChar] <> '' do
begin
tmp := tmp + dwBuffer[lChar];
Inc(lChar, 1);
end;
lSearch := 0; // assigned but never read
Inc(lChar, 1);
end;
// All bytes are concatenated into a single string with no separator and no
// minimum length, which is why the memo shows one run instead of a list.
mmo1.Text := (tmp);
CloseHandle(hFile);
但这不是我想要的结果,我想要的结果是:
MZP
This program must be run under Win32
.text
`.itext
`.data
.bss
.idata
.didata
.tls
.rdata
@.reloc
B.rsrc
Boolean
False
True
System
AnsiChar
Char
Integer
Byte
Word
Pointer
Cardinal
NativeInt
NativeUInt
ShortString
PAnsiChar0
string
TClass
HRESULT
TGUID
—— 这是本例中由 Delphi 编译的 AntiDebugg.exe 经 Strings.exe 处理后得到的结果。
有什么想法吗?
我该怎么办?

(回答)试试这样的方法。注意:下面的代码逐字节匹配可打印 ASCII,UTF-16 编码的字符串(字符之间夹着 0 字节)不会被识别为连续字符串;而且加壳或加密的程序不会以明文暴露 "ekrn.exe" 这类字符串,所以单纯的字符串匹配只能作为弱启发式,不能当作可靠的检测手段。
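// Memory-map TargetName read-only and list every run of at least
// MinStringLength printable ASCII bytes (tab/LF/CR included) in mmo1, one
// run per line. Only 8-bit characters are examined, so UTF-16 strings are
// not found. Any Win32 failure is raised as an OS error.
const
TargetName = 'E:\AntiDebugg.exe';
MinStringLength = 2;
var
hFile: THandle;
hMapping: THandle;
pView: Pointer;
dwFileSize: DWORD;
pCurrent, pEOF, pStart: PAnsiChar;
iLen: Integer;
tmp: AnsiString; // used by SetString below; the original never declared it
begin
mmo1.Clear;
// Read-only open and mapping: the scanner never needs write access, so a
// hostile or malformed input file cannot be altered by anything here.
hFile := CreateFile(TargetName, GENERIC_READ, FILE_SHARE_READ, nil, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
if hFile = INVALID_HANDLE_VALUE then RaiseLastOSError;
try
dwFileSize := GetFileSize(hFile, nil);
// $FFFFFFFF is GetFileSize's error value. The high DWORD is ignored, so
// files of 4 GiB or more are not supported by this snippet.
if dwFileSize = $FFFFFFFF then RaiseLastOSError;
// CreateFileMapping rejects an empty file; the OS error is surfaced as-is.
hMapping := CreateFileMapping(hFile, nil, PAGE_READONLY, 0, dwFileSize, nil);
if hMapping = 0 then RaiseLastOSError;
try
pView := MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, dwFileSize);
if pView = nil then RaiseLastOSError;
try
pCurrent := PAnsiChar(pView);
pEOF := pCurrent + dwFileSize;
pStart := nil;
while pCurrent < pEOF do
begin
// Printable 7-bit ASCII ($20..$7E) plus tab/LF/CR. The original range ran
// to #128, which also admitted DEL (#127) and #128.
if pCurrent^ in [#9, #10, #13, #32..#126] then
begin
if pStart = nil then
pStart := pCurrent;
end
else if pStart <> nil then
begin
iLen := Integer(pCurrent - pStart);
if iLen >= MinStringLength then
begin
SetString(tmp, pStart, iLen);
mmo1.Lines.Add(tmp);
end;
pStart := nil;
end;
Inc(pCurrent);
end;
// A printable run that reaches the end of the file has no terminating
// byte; flush it instead of silently dropping it.
if pStart <> nil then
begin
iLen := Integer(pEOF - pStart);
if iLen >= MinStringLength then
begin
SetString(tmp, pStart, iLen);
mmo1.Lines.Add(tmp);
end;
end;
finally
UnmapViewOfFile(pView);
end;
finally
CloseHandle(hMapping);
end;
finally
CloseHandle(hFile);
end;
end;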
const
TargetName='E:\AntiDebugg.exe';
最小长度=2;
变量
hFile:THandle;
hMapping:THandle;
pView:指针;
dwFileSize:DWORD;
pCurrent、pEOF、pStart:PAnsiChar;
iLen:整数;
开始
mmo1.清晰;
hFile:=CreateFile(TargetName,GENERIC\u READ,FILE\u SHARE\u READ,nil,OPEN\u EXISTING,FILE\u ATTRIBUTE\u NORMAL,0);
如果hFile=无效的句柄值,则RAISELASTERROR;
尝试
dwFileSize:=GetFileSize(hFile,nil);
如果dwFileSize=$FFFFFFFF,则RaiseLastOSError;
hMapping:=CreateFileMapping(hFile,nil,PAGE_READONLY,0,dwFileSize,nil);
如果hMapping=0,则RAISELASTERROR;
尝试
pView:=MapViewOfFile(hMapping,FILE\u MAP\u READ,0,0,dwFileSize);
如果pView=nil,则为r;
尝试
pCurrent:=PAnsiChar(pView);
pEOF:=pCurrent+dwFileSize;
pStart:=零;
而pCurrent=分钟,则
开始
设置管柱(tmp、pStart、iLen);
mmo1.行.添加(tmp);
结束;
pStart:=零;
结束;
公司(PCCurrent);
结束;
最后
取消pviewoffile(pView);
结束;
最后
闭柄(hMapping);
结束;
最后
闭合手柄(hFile);
结束;
结束;
尝试以下方法:
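// Memory-map TargetName read-only and list every run of at least
// MinStringLength printable ASCII bytes (tab/LF/CR included) in mmo1, one
// run per line. Only 8-bit characters are examined, so UTF-16 strings are
// not found. Any Win32 failure is raised as an OS error.
const
TargetName = 'E:\AntiDebugg.exe';
MinStringLength = 2;
var
hFile: THandle;
hMapping: THandle;
pView: Pointer;
dwFileSize: DWORD;
pCurrent, pEOF, pStart: PAnsiChar;
iLen: Integer;
tmp: AnsiString; // used by SetString below; the original never declared it
begin
mmo1.Clear;
// Read-only open and mapping: the scanner never needs write access, so a
// hostile or malformed input file cannot be altered by anything here.
hFile := CreateFile(TargetName, GENERIC_READ, FILE_SHARE_READ, nil, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
if hFile = INVALID_HANDLE_VALUE then RaiseLastOSError;
try
dwFileSize := GetFileSize(hFile, nil);
// $FFFFFFFF is GetFileSize's error value. The high DWORD is ignored, so
// files of 4 GiB or more are not supported by this snippet.
if dwFileSize = $FFFFFFFF then RaiseLastOSError;
// CreateFileMapping rejects an empty file; the OS error is surfaced as-is.
hMapping := CreateFileMapping(hFile, nil, PAGE_READONLY, 0, dwFileSize, nil);
if hMapping = 0 then RaiseLastOSError;
try
pView := MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, dwFileSize);
if pView = nil then RaiseLastOSError;
try
pCurrent := PAnsiChar(pView);
pEOF := pCurrent + dwFileSize;
pStart := nil;
while pCurrent < pEOF do
begin
// Printable 7-bit ASCII ($20..$7E) plus tab/LF/CR. The original range ran
// to #128, which also admitted DEL (#127) and #128.
if pCurrent^ in [#9, #10, #13, #32..#126] then
begin
if pStart = nil then
pStart := pCurrent;
end
else if pStart <> nil then
begin
iLen := Integer(pCurrent - pStart);
if iLen >= MinStringLength then
begin
SetString(tmp, pStart, iLen);
mmo1.Lines.Add(tmp);
end;
pStart := nil;
end;
Inc(pCurrent);
end;
// A printable run that reaches the end of the file has no terminating
// byte; flush it instead of silently dropping it.
if pStart <> nil then
begin
iLen := Integer(pEOF - pStart);
if iLen >= MinStringLength then
begin
SetString(tmp, pStart, iLen);
mmo1.Lines.Add(tmp);
end;
end;
finally
UnmapViewOfFile(pView);
end;
finally
CloseHandle(hMapping);
end;
finally
CloseHandle(hFile);
end;
end;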
const
TargetName='E:\AntiDebugg.exe';
最小长度=2;
变量
hFile:THandle;
hMapping:THandle;
pView:指针;
dwFileSize:DWORD;
pCurrent、pEOF、pStart:PAnsiChar;
iLen:整数;
开始
mmo1.清晰;
hFile:=CreateFile(TargetName,GENERIC\u READ,FILE\u SHARE\u READ,nil,OPEN\u EXISTING,FILE\u ATTRIBUTE\u NORMAL,0);
如果hFile=无效的句柄值,则RAISELASTERROR;
尝试
dwFileSize:=GetFileSize(hFile,nil);
如果dwFileSize=$FFFFFFFF,则RaiseLastOSError;
hMapping:=CreateFileMapping(hFile,nil,PAGE_READONLY,0,dwFileSize,nil);
如果hMapping=0,则RAISELASTERROR;
尝试
pView:=MapViewOfFile(hMapping,FILE\u MAP\u READ,0,0,dwFileSize);
如果pView=nil,则为r;
尝试
pCurrent:=PAnsiChar(pView);
pEOF:=pCurrent+dwFileSize;
pStart:=零;
而pCurrent=分钟,则
开始
设置管柱(tmp、pStart、iLen);
mmo1.行.添加(tmp);
结束;
pStart:=零;
结束;
公司(PCCurrent);
结束;
最后
取消pviewoffile(pView);
结束;
最后
闭柄(hMapping);
结束;
最后
闭合手柄(hFile);
结束;
结束;
ascidump(作者:steve10120@ic0de.org):
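// Read the whole file at szFilePath into a freshly VirtualAlloc'ed buffer.
// On success pFile/dwFileSize describe the buffer and the caller must release
// it with VirtualFree(pFile, 0, MEM_RELEASE). On failure the function returns
// False, pFile is nil and nothing is left allocated (the original leaked the
// buffer when ReadFile came up short).
function FileToPtr(szFilePath: string; var pFile: Pointer;
var dwFileSize: DWORD): Boolean;
var
hFile: THandle;
dwRead: DWORD;
begin
Result := FALSE;
pFile := nil;
dwFileSize := 0;
// Share-read so a file that is already open elsewhere can still be scanned;
// the scanner itself only ever reads.
hFile := CreateFile(PChar(szFilePath), GENERIC_READ, FILE_SHARE_READ, nil,
OPEN_EXISTING, 0, 0);
if hFile = INVALID_HANDLE_VALUE then
Exit;
try
dwFileSize := GetFileSize(hFile, nil);
// 0 means nothing to scan; $FFFFFFFF is GetFileSize's error value.
if (dwFileSize = 0) or (dwFileSize = $FFFFFFFF) then
Exit;
pFile := VirtualAlloc(nil, dwFileSize, MEM_COMMIT, PAGE_READWRITE);
if not Assigned(pFile) then
Exit;
SetFilePointer(hFile, 0, nil, FILE_BEGIN);
dwRead := 0;
if ReadFile(hFile, pFile^, dwFileSize, dwRead, nil) and (dwRead = dwFileSize) then
Result := TRUE
else
begin
// Short or failed read: never hand the caller a partially filled buffer.
VirtualFree(pFile, 0, MEM_RELEASE);
pFile := nil;
end;
finally
CloseHandle(hFile);
end;
end;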
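// Write every run of at least dwMinLength printable ASCII bytes ($20..$7E)
// found in szFilePath to the text file szDumpPath, one "0xOFFSET: text" line
// per run. Returns True when at least one run was written. Bytes are examined
// individually, so UTF-16 strings are not found.
function FindASCIIStringsA(szFilePath: string; dwMinLength: DWORD;
szDumpPath: string): Boolean;
var
pFile: Pointer;
pBytes: PAnsiChar;
dwFileSize: DWORD;
i: DWORD;
szDump: string;
dwLength: DWORD;
dwFound: DWORD;
hFile: TextFile;
begin
Result := FALSE;
if not FileToPtr(szFilePath, pFile, dwFileSize) then
Exit;
try
// Index through a PAnsiChar: the original cast the pointer to DWORD, which
// truncates it on Win64.
pBytes := PAnsiChar(pFile);
dwLength := 0;
dwFound := 0;
szDump := '';
AssignFile(hFile, szDumpPath);
Rewrite(hFile);
try
for i := 0 to dwFileSize - 1 do
begin
if pBytes[i] in [#$20..#$7E] then
begin
szDump := szDump + Char(Ord(pBytes[i]));
Inc(dwLength);
end
else
begin
if dwLength >= dwMinLength then
begin
WriteLn(hFile, '0x' + IntToHex(i - dwLength, 8) + ': ' + szDump);
Inc(dwFound);
end;
dwLength := 0;
szDump := '';
end;
end;
// A printable run that reaches end-of-file has no terminating byte; the
// original loop silently dropped it.
if (dwLength > 0) and (dwLength >= dwMinLength) then
begin
WriteLn(hFile, '0x' + IntToHex(dwFileSize - dwLength, 8) + ': ' + szDump);
Inc(dwFound);
end;
finally
CloseFile(hFile);
end;
// Count what was written rather than calling FileSize on the TextFile;
// FileSize is not usable on text files.
Result := dwFound > 0;
finally
VirtualFree(pFile, 0, MEM_RELEASE);
end;
end;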
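// Like FindASCIIStringsA, but expects a PE image and starts scanning at
// OptionalHeader.SizeOfHeaders so the DOS stub and PE headers do not produce
// hits. e_magic, _lfanew and SizeOfHeaders are read from the file being
// scanned, i.e. from untrusted input: every offset derived from them is
// bounds-checked against dwFileSize before it is dereferenced, so a truncated
// or deliberately malformed header yields False instead of an out-of-bounds
// read. Returns True when at least one run was written to szDumpPath.
// Note that a packed or encrypted binary will not expose literal strings, so
// a hit list from this routine is only a weak heuristic.
function FindASCIIStrings(szFilePath:string; dwMinLength:DWORD; szDumpPath:string):Boolean;
var
pFile: Pointer;
pBytes: PAnsiChar;
dwFileSize: DWORD;
IDH: PImageDosHeader;
INH: PImageNtHeaders;
dwNtOffset: DWORD;
dwStart: DWORD;
i: DWORD;
szDump: string;
dwLength: DWORD;
dwFound: DWORD;
hFile: TextFile;
begin
Result := FALSE;
if not FileToPtr(szFilePath, pFile, dwFileSize) then
Exit;
try
pBytes := PAnsiChar(pFile);
// The DOS header must fit in the buffer before e_magic/_lfanew are read.
if dwFileSize < SizeOf(TImageDosHeader) then
Exit;
IDH := pFile;
if IDH^.e_magic <> IMAGE_DOS_SIGNATURE then
Exit;
// _lfanew is a signed 32-bit field under the file author's control: reject
// negative values and any offset that would put the NT headers past EOF.
if (IDH^._lfanew < 0) or (dwFileSize < SizeOf(TImageNtHeaders)) or
(DWORD(IDH^._lfanew) > dwFileSize - SizeOf(TImageNtHeaders)) then
Exit;
dwNtOffset := DWORD(IDH^._lfanew);
INH := Pointer(pBytes + dwNtOffset);
if INH^.Signature <> IMAGE_NT_SIGNATURE then
Exit;
// SizeOfHeaders is untrusted as well; a value past EOF simply makes the
// for-loop below run zero times (Delphi skips a loop whose start exceeds
// its end), so no clamp is needed to stay in bounds.
dwStart := INH^.OptionalHeader.SizeOfHeaders;
dwLength := 0;
dwFound := 0;
szDump := '';
AssignFile(hFile, szDumpPath);
Rewrite(hFile);
try
for i := dwStart to dwFileSize - 1 do
begin
if pBytes[i] in [#$20..#$7E] then
begin
szDump := szDump + Char(Ord(pBytes[i]));
Inc(dwLength);
end
else
begin
if dwLength >= dwMinLength then
begin
WriteLn(hFile, '0x' + IntToHex(i - dwLength, 8) + ': ' + szDump);
Inc(dwFound);
end;
dwLength := 0;
szDump := '';
end;
end;
// Flush a printable run that reaches end-of-file; the original dropped it.
if (dwLength > 0) and (dwLength >= dwMinLength) then
begin
WriteLn(hFile, '0x' + IntToHex(dwFileSize - dwLength, 8) + ': ' + szDump);
Inc(dwFound);
end;
finally
CloseFile(hFile);
end;
// Count what was written rather than calling FileSize on the TextFile;
// FileSize is not usable on text files.
Result := dwFound > 0;
finally
VirtualFree(pFile, 0, MEM_RELEASE);
end;
end;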
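// Button handler: scan the hard-coded sample and write "<name>.dmp" next to
// the running executable.
procedure TForm2.btn1Click(Sender: TObject);
const
TargetName = 'e:\AntiDebugg.exe';
begin
// The original read "param str(0)" (a typo that does not compile) and named
// the dump after ParamStr(1), which is empty when the program is started
// without arguments and so produced a file called ".dmp". Derive the dump
// name from the file actually scanned instead.
FindASCIIStrings(TargetName, 2,
IncludeTrailingPathDelimiter(ExtractFilePath(ParamStr(0))) +
ExtractFileName(TargetName) + '.dmp');
end;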
函数FileToPtr(szFilePath:string;var-pFile:Pointer;
var dwFileSize:DWORD):布尔值;
变量
hFile:DWORD;
德雷德:德沃德;
开始
结果:=假;
hFile:=CreateFile(PChar(szFilePath),泛型_READ,0,nil,
打开(0,0);;
如果(hFile无效\u句柄\u值),则
开始
dwFileSize:=GetFileSize(hFile,nil);
如果(dwFileSize>0),则
开始
pFile:=VirtualAlloc(nil、dwFileSize、MEM\u COMMIT、PAGE\u READWRITE);
如果(已分配(pFile)),则
开始
SetFilePointer(hFile、0、nil、FILE_BEGIN);
ReadFile(hFile,pFile^,dwFileSize,dwRead,nil);
如果(dwRead=dwFileSize),则
结果:=真;
结束;
结束;
闭合手柄(hFile);
结束;
结束;
函数findascisitringsa(szFilePath:string;dwMinLength:DWORD;
szDumpPath:string):布尔值;
变量
pFile:指针;
dwFileSize:DWORD;
i:德沃德;
szDump:字符串;
dwLength:DWORD;
hFile:文本文件;
开始
结果:=假;
如果是(FileToPtr(szFilePath、pFile、dwFileSize)),则
开始
dwLength:=0;
AssignFile(hFile,szDumpPath);
//是的,我不喜欢,但它最容易写台词。。
重写(hFile);
对于i:=0到(dwFileSize-1)do
开始
如果(PByte(DWORD(pFile)+i)^in[$20..$7E]),则
开始
szDump:=szDump+Char(PByte(DWORD(pFile)+i)^);
//WriteLn(hFile,'0x'+IntToHex(i-dwLength,8)+':'+szDump);
Inc(dwLength);
结束
其他的
开始
如果(dwLength>=dwMinLength),则
WriteLn(hFile,'0x'+IntToHex(i-dwLength,8)+':'+szDump);
dwLength:=0;
szDump:='';
结束;
结束;
如果(文件大小(hFile)>0),则
结果:=真;
关闭文件(hFile);
VirtualFree(pFile,0,MEM_发布);
结束;
结束;
函数FindASCIIStrings(szFilePath:string;dwMinLength:DWORD;szDumpPath:s