讀取的欄位都是一樣的，只是一個直接從PE檔案中讀取，一個對映到記憶體後再讀取

1.檔案直接訪問法

BOOL ReadOEPByFile(LPCTSTR szFileName) { HANDLE hFile; hFile=CreateFile(szFileName,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_FLAG_SEQUENTIAL_SCAN,0); if (INVALID_HANDLE_VALUE==hFile) { AfxMessageBox(_T("開啟檔案失敗！")); return FALSE; } DWORD dwOEP,cbRead; IMAGE_DOS_HEADER dos_header[sizeof(IMAGE_DOS_HEADER)];//IMAGE_DOS_HEADER dos_header[1]; if (!ReadFile(hFile,dos_header,sizeof(IMAGE_DOS_HEADER),&cbRead,NULL)) { AfxMessageBox(_T("讀取DOS頭部失敗！")); CloseHandle(hFile); return FALSE; } int nEntryPos=dos_header->e_lfanew+40; SetFilePointer(hFile,nEntryPos,NULL,FILE_BEGIN); if (!ReadFile(hFile,&dwOEP,sizeof(dwOEP),&cbRead,NULL)) { CloseHandle(hFile); return FALSE; } CloseHandle(hFile); CString strOEP; strOEP.Format(_T("OEP:0x%X"),dwOEP); AfxMessageBox(strOEP); return TRUE; }

2.通過記憶體對映讀取

BOOL ReadOEPByMemory(LPCTSTR szFileName) { HANDLE hFile; HANDLE hMapping; PVOID pBaseAddr; if ((hFile=CreateFile(szFileName,GENERIC_READ,FILE_SHARE_READ, 0,OPEN_EXISTING,FILE_FLAG_SEQUENTIAL_SCAN,0))==INVALID_HANDLE_VALUE) { AfxMessageBox(_T("開啟檔案失敗！")); return FALSE; } //建立記憶體對映檔案 if (!(hMapping=CreateFileMapping(hFile,0,PAGE_READONLY|SEC_COMMIT,0,0,0))) { AfxMessageBox(_T("Mapping failed.")); CloseHandle(hFile); return FALSE; } //把檔案映像存入pBaseAddr if (!(pBaseAddr=MapViewOfFile(hMapping,FILE_MAP_READ,0,0,0))) { AfxMessageBox(_T("View Failed.")); CloseHandle(hMapping); CloseHandle(hFile); return FALSE; } IMAGE_DOS_HEADER *dos_header=(IMAGE_DOS_HEADER *)pBaseAddr; IMAGE_NT_HEADERS *nt_header=(IMAGE_NT_HEADERS *)((DWORD)pBaseAddr+dos_header->e_lfanew); DWORD dwOEP=nt_header->OptionalHeader.AddressOfEntryPoint; //清除記憶體對映和關閉檔案 UnmapViewOfFile(pBaseAddr); CloseHandle(hMapping); CloseHandle(hFile); CString strOEP; strOEP.Format(_T("OEP:0x%X"),dwOEP); AfxMessageBox(strOEP); return TRUE; }

第二種方法要注意DOS STUP與PE頭不一定是緊挨著的，一定要通過(DWORD)pBaseAddr+dos_header->e_lfanew定位到IMAGE_NT_HEADERS

如果還要讀入口點的程式碼或其它東西，把PAGE_READONLY|SEC_COMMIT換成PAGE_READONLY|SEC_COMMIT|SEC_IMAGE會給你帶來很大的便利

謝謝列寧。