1.요약
실행 파일의 헤더 안에 저장되어 있는 정보를 읽으면 심볼릭 정보나
실행 파일에 대한 더 자세한 내용을 얻을 수 있습니다.
2.본문
다음 예제는 실행 파일의 헤더(바이너리 정보)에서 익스포트 디렉터리를 찾아 모듈 이름을 얻어오는
루틴입니다. 디버그 시 실행 파일이 읽어 들이는 모듈의 내용을 확인할 때 사용할 수 있습니다.
헤더의 값(e_lfanew, 익스포트 테이블 RVA, 이름 RVA 등)은 대상 파일이 제공하는 것이므로
신뢰할 수 없는 입력으로 취급하고, 읽은 길이와 출력 버퍼 크기를 반드시 검사해야 합니다.
3.예제
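// ************************************************************************
// FUNCTION : GetModuleFileNameFromHeader( HANDLE, HANDLE, DWORD, LPTSTR, DWORD )
// PURPOSE  : Retrieves the DLL module name for a given file handle of the
//            module.  The export-directory RVA is taken from the PE header
//            on disk (hFile); the name string itself is read from the
//            debuggee's address space, where the image is mapped at
//            BaseOfDll.
// PARAMS   : hProcess  - handle to the process the image is loaded in
//            hFile     - handle to the image file on disk
//            BaseOfDll - load address of the image inside hProcess
//            lpszPath  - receives the NUL-terminated module name, or a
//                        short diagnostic text when the lookup fails
//            cchPath   - size of lpszPath in characters; must be > 0
// RETURNS  : length of the module name in characters (NUL excluded), or
//            0 on failure (lpszPath then holds the reason).  A name longer
//            than cchPath-1 characters is truncated to fit.
// COMMENTS : Retrieves only the module name and not the pathname.
//            Every header value used here (e_lfanew, optional-header
//            magic, export-directory RVA, name RVA) comes from the target
//            image and is therefore untrusted: each file read is checked
//            for length, each process read is bounded, and every write
//            into lpszPath is clipped to cchPath and NUL-terminated.
//            BaseOfDll is a DWORD, so only images mapped below 4 GB can
//            be resolved.  An ANSI (non-UNICODE) build is assumed, since
//            narrow literals are copied into the LPTSTR buffer.
// ************************************************************************

//-- Copy a narrow diagnostic string into dst without ever writing past
//   cch characters; the result is always NUL-terminated when cch > 0.
static void
CopyBoundedText( LPTSTR dst, DWORD cch, const char *src )
{
    DWORD i;
    if( !dst || cch == 0 )
        return;
    for( i = 0; i + 1 < cch && src[i] != '\0'; i++ )
        dst[i] = src[i];
    dst[i] = '\0';
}

//-- Read exactly cb bytes at absolute file offset `offset`.  Returns 1 on
//   success, 0 when ReadFile fails or returns fewer bytes, so the caller
//   never acts on a partially-filled or uninitialised header field.
static int
ReadFileAt( HANDLE hFile, DWORD offset, void *buf, DWORD cb )
{
    DWORD cbRead = 0;
    SetFilePointer( hFile, offset, (LPLONG) NULL, FILE_BEGIN );
    if( !ReadFile( hFile, buf, cb, &cbRead, (LPOVERLAPPED) NULL ) )
        return 0;
    return cbRead == cb;
}

DWORD
GetModuleFileNameFromHeader( HANDLE hProcess, HANDLE hFile, DWORD BaseOfDll,
LPTSTR lpszPath, DWORD cchPath )
{
#define IMAGE_SECOND_HEADER_OFFSET (15 * sizeof(ULONG)) // e_lfanew, relative to file beginning
#define IMAGE_OPTIONAL_MAGIC_OFFSET (6 * sizeof(DWORD)) // OptionalHeader.Magic, relative to PE header base
#define IMAGE_BASE_OFFSET (13 * sizeof(DWORD)) // PE32 ImageBase, relative to PE header base (not needed here, kept for other users)
#define IMAGE_EXPORT_TABLE_RVA_OFFSET (30 * sizeof(DWORD)) // PE32 export-directory RVA, relative to PE header base
#define IMAGE_EXPORT_TABLE_RVA_OFFSET64 (34 * sizeof(DWORD)) // PE32+ export-directory RVA (data directory starts 16 bytes later)
#define IMAGE_NAME_RVA_OFFSET offsetof(IMAGE_EXPORT_DIRECTORY, Name)
#define PE32_OPTIONAL_MAGIC 0x10b
#define PE32PLUS_OPTIONAL_MAGIC 0x20b
    WORD DosSignature;
    DWORD NtSignature;
    WORD OptionalMagic;
    DWORD PeHeader, ExportTableOffset, ExportTableRVA, NameRVA;
    // size_t matches the width ReadProcessMemory writes through its
    // SIZE_T* out-parameter on both x86 and x64; a DWORD would be
    // overrun on x64.
    size_t cbWant, cbRead, len;
    char msg[64];

    //-- without a writable buffer there is nowhere to report anything
    if( !lpszPath || cchPath == 0 )
        return( 0 );

    //-- verify that the handles are not NULL
    if( !hFile ) {
        CopyBoundedText( lpszPath, cchPath, "Invalid File Handle" );
        return( 0 );
    }
    if( !hProcess ) {
        CopyBoundedText( lpszPath, cchPath, "Invalid Process Handle" );
        return( 0 );
    }

    //-- verify that the handle is for a disk file
    if( GetFileType(hFile) != FILE_TYPE_DISK ) {
        CopyBoundedText( lpszPath, cchPath, "Invalid File Type" );
        return( 0 );
    }

    //-- DOS header: 'MZ' signature, then e_lfanew pointing at the PE header
    if( !ReadFileAt( hFile, 0, &DosSignature, sizeof(DosSignature) ) ) {
        CopyBoundedText( lpszPath, cchPath, "Read Error" );
        return( 0 );
    }
    if( DosSignature != IMAGE_DOS_SIGNATURE ) {
        // format into a local buffer first so the message is clipped to
        // cchPath like every other write into lpszPath
        wsprintf( msg, TEXT( "Bad MZ Signature: 0x%x" ), DosSignature );
        CopyBoundedText( lpszPath, cchPath, msg );
        return( 0 );
    }
    if( !ReadFileAt( hFile, IMAGE_SECOND_HEADER_OFFSET, &PeHeader, sizeof(PeHeader) ) ) {
        CopyBoundedText( lpszPath, cchPath, "Read Error" );
        return( 0 );
    }

    //-- PE header: 'PE\0\0' signature; a bogus e_lfanew simply fails the read
    if( !ReadFileAt( hFile, PeHeader, &NtSignature, sizeof(NtSignature) ) ) {
        CopyBoundedText( lpszPath, cchPath, "Read Error" );
        return( 0 );
    }
    if( NtSignature != IMAGE_NT_SIGNATURE ) {
        // report the PE signature that was actually read (the original
        // printed the DOS signature here)
        wsprintf( msg, TEXT( "Bad PE Signature: 0x%x" ), NtSignature );
        CopyBoundedText( lpszPath, cchPath, msg );
        return( 0 );
    }

    //-- the export-directory entry sits at a different offset in PE32+
    //   (64-bit) optional headers; pick it from the optional-header magic
    if( !ReadFileAt( hFile, PeHeader + IMAGE_OPTIONAL_MAGIC_OFFSET,
                     &OptionalMagic, sizeof(OptionalMagic) ) ) {
        CopyBoundedText( lpszPath, cchPath, "Read Error" );
        return( 0 );
    }
    if( OptionalMagic == PE32_OPTIONAL_MAGIC )
        ExportTableOffset = IMAGE_EXPORT_TABLE_RVA_OFFSET;
    else if( OptionalMagic == PE32PLUS_OPTIONAL_MAGIC )
        ExportTableOffset = IMAGE_EXPORT_TABLE_RVA_OFFSET64;
    else {
        CopyBoundedText( lpszPath, cchPath, "Unknown Optional Header" );
        return( 0 );
    }
    if( !ReadFileAt( hFile, PeHeader + ExportTableOffset,
                     &ExportTableRVA, sizeof(ExportTableRVA) ) ) {
        CopyBoundedText( lpszPath, cchPath, "Read Error" );
        return( 0 );
    }
    //-- an image without exports has RVA 0; following it would read the
    //   DOS header of the mapped image as an export directory
    if( ExportTableRVA == 0 ) {
        CopyBoundedText( lpszPath, cchPath, "No Export Table" );
        return( 0 );
    }

    //-- now read from the virtual address space in the process
    cbRead = 0;
    if( !ReadProcessMemory( hProcess,
            (LPVOID) (BaseOfDll + ExportTableRVA + IMAGE_NAME_RVA_OFFSET),
            &NameRVA, sizeof(NameRVA), &cbRead ) || cbRead != sizeof(NameRVA) ) {
        CopyBoundedText( lpszPath, cchPath, "Access Denied!" );
        return( 0 );
    }
    if( NameRVA == 0 ) {
        CopyBoundedText( lpszPath, cchPath, "Empty!" );
        return( 0 );
    }

    //-- the name is a NUL-terminated string in the debuggee.  The bulk
    //   read of cchPath-1 bytes fails if that span crosses into an
    //   unmapped page, so fall back to a byte-wise read that stops at the
    //   terminator or the first unreadable byte.
    cbWant = cchPath - 1;
    cbRead = 0;
    if( cbWant > 0 &&
        !ReadProcessMemory( hProcess, (LPVOID) (BaseOfDll + NameRVA),
                            lpszPath, cbWant, &cbRead ) ) {
        for( cbRead = 0; cbRead < cbWant; cbRead++ ) {
            size_t one = 0;
            if( !ReadProcessMemory( hProcess,
                    (LPVOID) (BaseOfDll + NameRVA + cbRead),
                    &lpszPath[cbRead], 1, &one ) || one != 1 )
                break;
            if( lpszPath[cbRead] == '\0' )
                break;
        }
        if( cbRead == 0 ) {
            CopyBoundedText( lpszPath, cchPath, "Access Denied!" );
            return( 0 );
        }
    }
    if( cbRead > cbWant )
        cbRead = cbWant;
    //-- always terminate inside the buffer: ReadProcessMemory copies raw
    //   bytes and gives no guarantee that a NUL is among them
    lpszPath[cbRead] = '\0';
    for( len = 0; len < cbRead && lpszPath[len] != '\0'; len++ )
        ;
    lpszPath[len] = '\0';
    return( (DWORD) len );
}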

