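File Analysis with Excel VBA (EXE Files)
■Overview of EXE files
An EXE file is an executable file format used by MS-DOS and Windows; typical extensions are ".EXE" and ".DLL".
This article gives an overview of the PE (Portable Executable) format used on Windows.
⇒ For details, see the PE Format page on Microsoft's site.
Structure of an EXE file
An EXE file is laid out as shown below: the "MS-DOS Header", "Image NT Headers", "Image Section Header" and "section data" appear in that order.
(Structure of an EXE file)
MS-DOS Header | Image NT Headers | Image Data Directory | Section data |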
Format of the MS-DOS Header
The MS-DOS Header exists for compatibility with MS-DOS, and its leading header portion has almost the same format as the EXE header of the MS-DOS era.
The format is shown in the table below. When an EXE file in this format is run under MS-DOS (or the Windows command prompt), the program stored in the MS-DOS Stub is executed.
(Format of the MS-DOS Header)
Offset | Length | Description |
---|---|---|
X'0000' | 2 | Magic number ('MZ') |
X'0002' | 2 | Bytes on last page of file |
X'0004' | 2 | Pages in file |
X'0006' | 2 | Relocations |
X'0008' | 2 | Size of header in paragraphs |
X'000A' | 2 | Minimum extra paragraphs needed |
X'000C' | 2 | Maximum extra paragraphs needed |
X'000E' | 2 | Initial (relative) SS value |
X'0010' | 2 | Initial SP value |
X'0012' | 2 | Checksum |
X'0014' | 2 | Initial IP value |
X'0016' | 2 | Initial (relative) CS value |
X'0018' | 2 | File address of relocation table (X'0040') ↑ start position of the MS-DOS Stub |
X'001A' | 2 | Overlay number |
X'001C' | 8 | Reserved words |
X'0024' | 2 | OEM identifier (for e_oeminfo) |
X'0026' | 2 | OEM information; e_oemid specific |
X'0028' | 20 | Reserved words |
X'003C' | 4 | File address of new exe header (X'00000100') ↑ start position of the Image NT Headers |
X'0040' | 192 | MS-DOS Stub |
Format of the Image NT Headers
The Image NT Headers are divided into two parts, the "Image File Header" and the "Image Optional Header", and the format is shown in the table below.
The offsets assume that the Image NT Headers start at X'0100' (the "File address of new exe header" value shown above) and that the image uses the 32-bit PE32 layout; the Image Optional Header of a 64-bit (PE32+) image is laid out differently.
(Format of the Image NT Headers)
Offset | Length | Description |
---|---|---|
X'0100' | 4 | Signature ('PE' + X'0000') |
Image File Header | ||
X'0104' | 2 | Machine |
X'0106' | 2 | NumberOfSections ↑ number of sections |
X'0108' | 4 | TimeDateStamp |
X'010C' | 4 | PointerToSymbolTable |
X'0110' | 4 | NumberOfSymbols |
X'0114' | 2 | SizeOfOptionalHeader ↑ size of the Image Optional Header |
X'0116' | 2 | Characteristics |
Image Optional Header | ||
X'0118' | 2 | Magic |
X'011A' | 1 | MajorLinkerVersion |
X'011B' | 1 | MinorLinkerVersion |
X'011C' | 4 | SizeOfCode |
X'0120' | 4 | SizeOfInitializedData |
X'0124' | 4 | SizeOfUninitializedData |
X'0128' | 4 | AddressOfEntryPoint |
X'012C' | 4 | BaseOfCode |
X'0130' | 4 | BaseOfData |
X'0134' | 4 | ImageBase |
X'0138' | 4 | SectionAlignment |
X'013C' | 4 | FileAlignment |
X'0140' | 2 | MajorOperatingSystemVersion |
X'0142' | 2 | MinorOperatingSystemVersion |
X'0144' | 2 | MajorImageVersion |
X'0146' | 2 | MinorImageVersion |
X'0148' | 2 | MajorSubsystemVersion |
X'014A' | 2 | MinorSubsystemVersion |
X'014C' | 4 | Win32VersionValue |
X'0150' | 4 | SizeOfImage |
X'0154' | 4 | SizeOfHeaders |
X'0158' | 4 | CheckSum |
X'015C' | 2 | Subsystem |
X'015E' | 2 | DllCharacteristics |
X'0160' | 4 | SizeOfStackReserve |
X'0164' | 4 | SizeOfStackCommit |
X'0168' | 4 | SizeOfHeapReserve |
X'016C' | 4 | SizeOfHeapCommit |
X'0170' | 4 | LoaderFlags |
X'0174' | 4 | NumberOfRvaAndSizes |
X'0178' | – | Image Data Directory (see the next section) |
Format of the Image Data Directory
The Image Data Directory consists of the 16 entries in the table below, and each entry consists of two fields: "VirtualAddress (4 bytes)" and "Size (4 bytes)".
(Format of the Image Data Directory)
Offset | Length | Description |
---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | ||
X'0178' | 4 | VirtualAddress |
X'017C' | 4 | Size |
IMAGE_DIRECTORY_ENTRY_IMPORT | ||
X'0180' | 4 | VirtualAddress |
X'0184' | 4 | Size |
IMAGE_DIRECTORY_ENTRY_RESOURCE | ||
X'0188' | 4 | VirtualAddress |
X'018C' | 4 | Size |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | ||
X'0190' | 4 | VirtualAddress |
X'0194' | 4 | Size |
IMAGE_DIRECTORY_ENTRY_SECURITY | ||
X'0198' | 4 | VirtualAddress |
X'019C' | 4 | Size |
IMAGE_DIRECTORY_ENTRY_BASERELOC | ||
X'01A0' | 4 | VirtualAddress |
X'01A4' | 4 | Size |
IMAGE_DIRECTORY_ENTRY_DEBUG | ||
X'01A8' | 4 | VirtualAddress |
X'01AC' | 4 | Size |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | ||
X'01B0' | 4 | VirtualAddress |
X'01B4' | 4 | Size |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | ||
X'01B8' | 4 | VirtualAddress |
X'01BC' | 4 | Size |
IMAGE_DIRECTORY_ENTRY_TLS | ||
X'01C0' | 4 | VirtualAddress |
X'01C4' | 4 | Size |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | ||
X'01C8' | 4 | VirtualAddress |
X'01CC' | 4 | Size |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | ||
X'01D0' | 4 | VirtualAddress |
X'01D4' | 4 | Size |
IMAGE_DIRECTORY_ENTRY_IAT | ||
X'01D8' | 4 | VirtualAddress |
X'01DC' | 4 | Size |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | ||
X'01E0' | 4 | VirtualAddress |
X'01E4' | 4 | Size |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | ||
X'01E8' | 4 | VirtualAddress |
X'01EC' | 4 | Size |
Reserved | ||
X'01F0' | 4 | VirtualAddress |
X'01F4' | 4 | Size |
Format of the Image Section Header
The Image Section Header has as many entries as the "NumberOfSections" value in the Image File Header, and the format of each entry is shown in the table below.
(Format of the Image Section Header)
Offset | Length | Description |
---|---|---|
X'0000' | 8 | Name |
X'0008' | 4 | PhysicalAddress&VirtualSize |
X'000C' | 4 | VirtualAddress |
X'0010' | 4 | SizeOfRawData |
X'0014' | 4 | PointerToRawData |
X'0018' | 4 | PointerToRelocations |
X'001C' | 4 | PointerToLinenumbers |
X'0020' | 2 | NumberOfRelocations |
X'0022' | 2 | NumberOfLinenumbers |
X'0024' | 4 | Characteristics |
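
The header walk laid out in the tables above, as an added Python example (not code from the original page): it reads the same fields but bounds-checks every offset taken from the file, accepts both the PE32 and PE32+ `Magic` values, and takes the directory count from `NumberOfRvaAndSizes` rather than assuming 16. The names `parse_pe_headers` and `build_sample_pe32` are hypothetical, and the sample bytes are constructed.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
FIXED_OPT_SIZE = {PE32_MAGIC: 96, PE32PLUS_MAGIC: 112}  # bytes before the data directory


def build_sample_pe32(e_lfanew=0x100, names=(b".text", b".data")):
    """Constructed sample: PE32 headers only, laid out like the tables above."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)   # File address of new exe header
    file_hdr = struct.pack("<HHIIIHH", 0x014C, len(names), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                         # 96 fixed bytes + 16 directory entries
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, 0x2000, 0x28)  # IMPORT entry, constructed values
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n, 0x1000, 0x1000 * (i + 1), 0x200,
                    0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(names))
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table


def parse_pe_headers(data):
    """Walk MS-DOS Header -> Image NT Headers -> Image Section Header with bounds checks."""
    def need(off, size, what):
        if off + size > len(data):
            raise ValueError(f"{what} at 0x{off:X} runs past end of file")

    need(0, 0x40, "MS-DOS Header")
    if data[0:2] != b"MZ":
        raise ValueError("Magic number is not 'MZ'")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # "<" = little-endian
    need(e_lfanew, 24, "Signature + Image File Header")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("Signature is not 'PE' + X'0000'")
    _machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)

    opt_off = e_lfanew + 24
    need(opt_off, max(opt_size, 2), "Image Optional Header")
    (magic,) = struct.unpack_from("<H", data, opt_off)
    fixed = FIXED_OPT_SIZE.get(magic)
    if fixed is None or opt_size < fixed:
        raise ValueError(f"unsupported or truncated optional header (Magic 0x{magic:X})")
    (declared,) = struct.unpack_from("<I", data, opt_off + fixed - 4)  # NumberOfRvaAndSizes
    # Trust neither the constant 16 nor the declared count beyond what actually fits.
    n_dirs = min(declared, 16, (opt_size - fixed) // 8)
    directories = [struct.unpack_from("<II", data, opt_off + fixed + 8 * i)
                   for i in range(n_dirs)]

    sec_off = opt_off + opt_size      # the section table follows the optional header
    need(sec_off, 40 * n_sections, "Image Section Header")
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "virtual_size": vsize,
                         "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {"e_lfanew": e_lfanew, "magic": magic, "directories": directories,
            "section_table_offset": sec_off, "sections": sections}


if __name__ == "__main__":
    info = parse_pe_headers(build_sample_pe32())
    print(hex(info["section_table_offset"]), [s["name"] for s in info["sections"]])
```

With the default sample the section table starts at X'01F8', directly after the Reserved directory entry at X'01F0' in the table above.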
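■Displaying EXE file header information on an Excel sheet
This program reads the headers of an EXE file and displays the "offset", "length", "item" and "value" on an Excel sheet.
⇒ For details of the Binary File class used in the sample program, see "File Analysis with Excel VBA (Preparation)".
Overview of the processing
The processing flow is as follows.
① Instantiate a Binary File object and read the EXE file
② Parse the EXE file headers, obtain the required information and set it on the Excel sheet
③ Discard the objects that are no longer needed
Because the program is somewhat large, it is presented in four parts.
⇒ It only displays the items according to the format, so although it is fairly large, it is not difficult.
Data declarations and MS-DOS Header processing
Line 16 instantiates the Binary File object, and line 17 reads the EXE file.
Lines 22 to 97 display each item of the MS-DOS Header in order, and lines 98 to 116 display the MS-DOS Stub in hex-dump form.
Line 98 obtains the start position of the Image NT Headers, and line 101 takes the difference from CurrentPosition; that range is treated as the MS-DOS Stub.
(※) All numeric data in an EXE file (sizes, offsets and so on) is stored in little-endian order, so an endian conversion is required before it is used in calculations.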
```vb
Dim sht As Object, bf As Object
Dim wLoc As String
Dim wID As String
Dim wSize As Long
Dim wLen As Long
Dim EntNum As Long
Dim EntLen As Long
Dim SectionHeadderPtr As Long
Dim NumberOfSections As Integer
Dim lcnt As Long
Dim i As Long
Private Sub Sample1()
    Set sht = ActiveSheet
    sht.Cells.NumberFormatLocal = "@"
    Set bf = New BinaryFile
    bf.InputFile ("C:\work\xxx.exe")
    lcnt = 0
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "[MS-DOS Header]"
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Magic number"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Bytes on last page of file"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Pages in file"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Relocations"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Size of header in paragraphs"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Minimum extra paragraphs needed"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Maximum extra paragraphs needed"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Initial (relative) SS value"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Initial SP value"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Checksum"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Initial IP value"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Initial (relative) CS value"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "File address of relocation table"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Overlay number"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Reserved words"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(8), 16)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "OEM identifier (for e_oeminfo)"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "OEM information; e_oemid specific"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Reserved words"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(20), 40)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "File address of new exe header"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    wLen = CLng("&H" & Mid(sht.Cells(lcnt, 3), 1, 2)) + CLng("&H" & Mid(sht.Cells(lcnt, 3), 3, 2)) * 256 + CLng("&H" & Mid(sht.Cells(lcnt, 3), 5, 2)) * 65536 + CLng("&H" & Mid(sht.Cells(lcnt, 3), 7, 2)) * 16777216 ' little-endian: byte n has weight 256^n
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "[MS-DOS Stub]"
    wSize = wLen - bf.CurrentPosition
    EntNum = wSize \ 16 ' integer division; "/" would round 1.5 up to 2
    If wSize Mod 16 <> 0 Then
        EntNum = EntNum + 1
    End If
    For i = 1 To EntNum
        lcnt = lcnt + 1
        sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
        sht.Cells(lcnt, 2) = "MS-DOS Program(" & Format(i, "000") & ")"
        If wSize > 16 Then
            sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(16), 32)
            wSize = wSize - 16
        Else
            sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(wSize), wSize * 2)
        End If
    Next i
```
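Image NT Headers processing (excluding the Image Data Directory)
Lines 1 to 6 display the Signature, lines 7 to 38 the Image File Header, and lines 39 to 162 each item of the Image Optional Header, in order.
For use in later processing, line 17 obtains the number of sections, and lines 34 and 44 obtain the start position of the Image Section Header.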
```vb
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "[IMAGE_NT_HEADERS]"
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Signature"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "[IMAGE_FILE_HEADER]"
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Machine"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "NumberOfSections"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    NumberOfSections = CLng("&H" & Mid(sht.Cells(lcnt, 3), 1, 2)) + CLng("&H" & Mid(sht.Cells(lcnt, 3), 3, 2)) * 256
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "TimeDateStamp"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "PointerToSymbolTable"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "NumberOfSymbols"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "SizeOfOptionalHeader"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    SectionHeadderPtr = CLng("&H" & Mid(sht.Cells(lcnt, 3), 1, 2)) + CLng("&H" & Mid(sht.Cells(lcnt, 3), 3, 2)) * 256
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Characteristics"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "[IMAGE_OPTIONAL_HEADER]"
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 3) = Right("000" & bf.GetPositionHex, 8)
    SectionHeadderPtr = SectionHeadderPtr + CLng("&H" & Mid(sht.Cells(lcnt, 3), 1, 2)) * 16777216 + CLng("&H" & Mid(sht.Cells(lcnt, 3), 3, 2)) * 65536 + CLng("&H" & Mid(sht.Cells(lcnt, 3), 5, 2)) * 256 + CLng("&H" & Mid(sht.Cells(lcnt, 3), 7, 2)) ' position string is most-significant byte first
    sht.Cells(lcnt, 2) = "Magic"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "MajorLinkerVersion"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(1), 2)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "MinorLinkerVersion"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(1), 2)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "SizeOfCode"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "SizeOfInitializedData"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "SizeOfUninitializedData"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "AddressOfEntryPoint"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "BaseOfCode"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "BaseOfData"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "ImageBase"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "SectionAlignment"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "FileAlignment"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "MajorOperatingSystemVersion"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "MinorOperatingSystemVersion"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "MajorImageVersion"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "MinorImageVersion"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "MajorSubsystemVersion"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "MinorSubsystemVersion"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Win32VersionValue"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "SizeOfImage"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "SizeOfHeaders"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "CheckSum"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Subsystem"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "DllCharacteristics"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "SizeOfStackReserve"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "SizeOfStackCommit"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "SizeOfHeapReserve"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "SizeOfHeapCommit"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "LoaderFlags"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "NumberOfRvaAndSizes"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
```
Image Data Directory processing
Lines 3 to 162 display each item of the Image Data Directory (16 entries) in order.
Lines 163 to 178 handle the data (padding area) that precedes the Image Section Header.
```vb
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "[IMAGE_DATA_DIRECTORY DataDirectory[16]]"
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "[IMAGE_DIRECTORY_ENTRY_EXPORT]"
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "VirtualAddress"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Size"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "[IMAGE_DIRECTORY_ENTRY_IMPORT]"
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "VirtualAddress"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Size"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "[IMAGE_DIRECTORY_ENTRY_RESOURCE]"
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "VirtualAddress"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Size"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "[IMAGE_DIRECTORY_ENTRY_EXCEPTION]"
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "VirtualAddress"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Size"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "[IMAGE_DIRECTORY_ENTRY_SECURITY]"
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "VirtualAddress"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Size"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "[IMAGE_DIRECTORY_ENTRY_BASERELOC]"
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "VirtualAddress"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Size"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "[IMAGE_DIRECTORY_ENTRY_DEBUG]"
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "VirtualAddress"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Size"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "[IMAGE_DIRECTORY_ENTRY_COPYRIGHT]"
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "VirtualAddress"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Size"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "[IMAGE_DIRECTORY_ENTRY_GLOBALPTR]"
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "VirtualAddress"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Size"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "[IMAGE_DIRECTORY_ENTRY_TLS]"
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "VirtualAddress"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Size"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]"
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "VirtualAddress"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Size"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT]"
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "VirtualAddress"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Size"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "[IMAGE_DIRECTORY_ENTRY_IAT]"
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "VirtualAddress"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Size"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT]"
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "VirtualAddress"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Size"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]"
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "VirtualAddress"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Size"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "[Reserved]"
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "VirtualAddress"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
    sht.Cells(lcnt, 2) = "Size"
    sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    wSize = SectionHeadderPtr - bf.CurrentPosition
    EntNum = wSize \ 16 ' integer division; "/" would round 1.5 up to 2
    If wSize Mod 16 <> 0 Then
        EntNum = EntNum + 1
    End If
    For i = 1 To EntNum
        lcnt = lcnt + 1
        sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
        sht.Cells(lcnt, 2) = "予備(" & Format(i, "000") & ")"
        If wSize > 16 Then
            sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(16), 32)
            wSize = wSize - 16
        Else
            sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(wSize), wSize * 2)
        End If
    Next i
```
Image Section Header processing
The loop on lines 4 to 45 displays the data of each Image Section Header entry in order.
```vb
    lcnt = lcnt + 1
    sht.Cells(lcnt, 1) = "[IMAGE_SECTION_HEADER]"
    For i = 1 To NumberOfSections
        lcnt = lcnt + 1
        sht.Cells(lcnt, 1) = "[SECTION(" & Format(i, "000") & ")]"
        lcnt = lcnt + 1
        sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
        sht.Cells(lcnt, 2) = "Name"
        sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(8), 16)
        lcnt = lcnt + 1
        sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
        sht.Cells(lcnt, 2) = "PhysicalAddress&VirtualSize"
        sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
        lcnt = lcnt + 1
        sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
        sht.Cells(lcnt, 2) = "VirtualAddress"
        sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
        lcnt = lcnt + 1
        sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
        sht.Cells(lcnt, 2) = "SizeOfRawData"
        sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
        lcnt = lcnt + 1
        sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
        sht.Cells(lcnt, 2) = "PointerToRawData"
        sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
        lcnt = lcnt + 1
        sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
        sht.Cells(lcnt, 2) = "PointerToRelocations"
        sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
        lcnt = lcnt + 1
        sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
        sht.Cells(lcnt, 2) = "PointerToLinenumbers"
        sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
        lcnt = lcnt + 1
        sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
        sht.Cells(lcnt, 2) = "NumberOfRelocations"
        sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
        lcnt = lcnt + 1
        sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
        sht.Cells(lcnt, 2) = "NumberOfLinenumbers"
        sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(2), 4)
        lcnt = lcnt + 1
        sht.Cells(lcnt, 1) = "'" & bf.GetPositionHex
        sht.Cells(lcnt, 2) = "Characteristics"
        sht.Cells(lcnt, 3) = Right("000" & bf.GetDataHex(4), 8)
    Next i
    Set bf = Nothing
End Sub
```