windows里面所有的exe程序,dll程序,lib程序,sys….都遵循PE结构
    即数据和指令按照一定顺序存放在文件中,这种格式叫做PE格式

    1、DLL文件装入进程地址空间后,是否是装入到dll文件规定的最合适的地址

    1. #include<windows.h>
    2. #include<tchar.h>
    3. #include<TlHelp32.h>
    5. #define ID 2520
    7. //这段代码直接在MSDN中拷贝的
    8. typedef BOOL(WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);
    10. LPFN_ISWOW64PROCESS fnIsWow64Process;
    12. BOOL IsWow64(HANDLE hProcess) //稍微修改了下,判断是不是64位的程序
    13. {
    14.     BOOL bIsWow64 = FALSE;
    16.     //IsWow64Process is not available on all supported versions of Windows.
    17.     //Use GetModuleHandle to get a handle to the DLL that contains the function
    18.     //and GetProcAddress to get a pointer to the function if available.
    20.     fnIsWow64Process = (LPFN_ISWOW64PROCESS)GetProcAddress(
    21.         GetModuleHandle(TEXT("kernel32")), "IsWow64Process");
    23.     if (NULL != fnIsWow64Process)
    24.     {
    25.         if (!fnIsWow64Process(hProcess, &bIsWow64))
    26.         {
    27.             //handle error
    28.         }
    29.     }
    30.     return bIsWow64;
    31. }
    33. //判断是否装入在合适的位置
    34. PVOID GetModulePreferredBaseAddr(DWORD dwProcessId, PVOID pvModuleRemote) {
    36.     PVOID pvModulePreferredBaseAddr = NULL;
    37.     IMAGE_DOS_HEADER idh;
    38.     IMAGE_NT_HEADERS inth;
    40.     // Read the remote module's DOS header
    41.     Toolhelp32ReadProcessMemory(dwProcessId,
    42.         pvModuleRemote, &idh, sizeof(idh), NULL); //pvModuleRemote起始地址
    44.     // Verify the DOS image header
    45.     if (idh.e_magic == IMAGE_DOS_SIGNATURE) {
    46.         // Read the remote module's NT header
    47.         Toolhelp32ReadProcessMemory(dwProcessId,
    48.             (PBYTE)pvModuleRemote + idh.e_lfanew, &inth, sizeof(inth), NULL); //e_lfanew偏移量
    50.         // Verify the NT image header
    51.         if (inth.Signature == IMAGE_NT_SIGNATURE) {
    52.             // This is valid NT header, get the image's preferred base address
    53.             pvModulePreferredBaseAddr = (PVOID)inth.OptionalHeader.ImageBase;
    54.         }
    55.     }
    56.     return(pvModulePreferredBaseAddr); //返回进程最合适的地址
    57. }
    59. int _tmain()
    60. {
    61.     DWORD nFlags = 0;
    63.     HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,ID);
    64. //    BOOL Is32 = IsWow64(hProcess);   //判断是否位32 位的程序
    66.     //    _tprintf(L"Is 32 Process!\n");
    67.         nFlags = TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32;
    69.     HANDLE hSnapshot = CreateToolhelp32Snapshot(nFlags, ID);
    71.     MODULEENTRY32 me = {0};
    72.     me.dwSize = sizeof(me);
    73.     Module32First(hSnapshot,&me);
    74.     do{
    76.         PVOID pPre = GetModulePreferredBaseAddr(
    77.             ID,me.modBaseAddr);
    78.         //me.modBaseAddr:是现在这个模块或者说dll在进程地址空间中的地址
    79.         //pPre获得的是,dll模块装入进程空间的最佳地址
    81.         if (pPre!=me.modBaseAddr) //如果没有装入合适的位置,输出
    82.             _tprintf(L"hModule=%0x,BaseAddr=%0x,ModSize=%0x,pPre=%0x,\n%s\n", me.hModule, me.modBaseAddr,
    83.                         me.modBaseSize,pPre, me.szModule);
    86.     } while (Module32Next(hSnapshot, &me));
    88.     _gettchar();
    90.     CloseHandle(hProcess);
    91.     return 0;
    92. }