[更新376#2825]PECMD2012.1.80.13_Win32_64.多窗口多线程.裸机系统2.3.3.1+18M酷M...

没想到 · 发表于 2025-9-18 15:32:06

本帖最后由没想到于 2025-9-18 21:21 编辑

PART -iv=1 list drv C:,分区
这个分区是物理号还是分区号

孤山飞雪 · 发表于 2025-9-20 10:01:22

唏嘘学习

红毛樱木 · 发表于 2025-9-20 19:25:31

没想到发表于 2025-9-18 15:32
PART -iv=1 list drv C:,分区
这个分区是物理号还是分区号

-phy#
加上这个对比一下就知道啦

abelll · 发表于 2025-9-20 20:23:08

占楼

没想到 · 发表于 2025-9-20 21:04:02

红毛樱木发表于 2025-9-20 19:25
-phy#
加上这个对比一下就知道啦

测试到了，默认分区号

Elixon · 发表于 2025-9-20 23:29:26

多看多学习，支持一下！

abelll · 发表于 2025-9-24 13:12:52

占楼

海上 · 发表于 2025-9-25 23:18:55

感谢分享

scglc · 发表于 2025-9-27 11:44:17

谢谢制作辛苦了

30482670 · 发表于 2025-10-9 16:39:34

谢谢分享，学习一下，谢谢。

2747157 · 发表于 2025-10-10 10:21:48

看看

a66 · 发表于 2025-10-16 12:17:21

多窗口

a66 · 发表于 2025-10-16 12:17:54

多看多学习，支持一下！

a66 · 发表于 2025-10-16 13:30:38

好东西

a66 · 发表于 2025-10-16 13:30:58

测试

a66 · 发表于 2025-10-16 16:30:38

干货满满！很给力~

a66 · 发表于 2025-10-16 16:31:20

支持大佬，收下备用！

a66 · 发表于 2025-10-16 16:31:33

正需要，很不错

a66 · 发表于 2025-10-16 16:31:44

经典资源，收藏备用

Zap · 发表于 2025-11-3 23:07:22

获取程序图标组中第一个图标的ID
定位 RT_GROUP_ICON（类型ID=14）的资源目录，跳过无关资源类型。
简化偏移计算，利用PE文件的 IMAGE_DATA_DIRECTORY 直接定位资源节。
求翻译PECMD怎样写

#include <windows.h>
#include <stdio.h>
DWORD GetFirstIconGroupID(LPCWSTR exePath) {
HANDLE hFile = CreateFileW(exePath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE) return 0;
DWORD fileSize = GetFileSize(hFile, NULL);
HANDLE hMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, fileSize, NULL);
LPVOID pBase = MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);
if (!pBase) { CloseHandle(hMap); CloseHandle(hFile); return 0; }
PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)pBase;
PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)((BYTE*)pBase + dos->e_lfanew);
if (nt->Signature != IMAGE_NT_SIGNATURE) { UnmapViewOfFile(pBase); CloseHandle(hMap); CloseHandle(hFile); return 0; }
// 定位资源目录
auto& resDir = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE];
if (resDir.VirtualAddress == 0) { UnmapViewOfFile(pBase); CloseHandle(hMap); CloseHandle(hFile); return 0; }
// 定位资源节（.rsrc）
PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(nt);
for (int i = 0; i < nt->FileHeader.NumberOfSections; i++, section++) {
if (resDir.VirtualAddress >= section->VirtualAddress &&
resDir.VirtualAddress < section->VirtualAddress + section->Misc.VirtualSize) break;
}
// 计算资源目录在文件中的实际偏移
DWORD resOffset = resDir.VirtualAddress - section->VirtualAddress + section->PointerToRawData;
PIMAGE_RESOURCE_DIRECTORY rootDir = (PIMAGE_RESOURCE_DIRECTORY)((BYTE*)pBase + resOffset);
// 遍历资源类型，找到 RT_GROUP_ICON（ID=14）
PIMAGE_RESOURCE_DIRECTORY_ENTRY typeEntry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(rootDir + 1);
for (DWORD i = 0; i < rootDir->NumberOfIdEntries; i++, typeEntry++) {
if (typeEntry->Id == 14) { // RT_GROUP_ICON = 14
// 获取第一个图标ID（进入ID目录的第一个条目）
PIMAGE_RESOURCE_DIRECTORY iconDir = (PIMAGE_RESOURCE_DIRECTORY)((BYTE*)rootDir + typeEntry->OffsetToDirectory);
PIMAGE_RESOURCE_DIRECTORY_ENTRY iconIdEntry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(iconDir + 1);
DWORD firstIconId = iconIdEntry->Id;
UnmapViewOfFile(pBase);
CloseHandle(hMap);
CloseHandle(hFile);
return firstIconId;
}
}
UnmapViewOfFile(pBase);
CloseHandle(hMap);
CloseHandle(hFile);
return 0;
}
// 调用示例：获取 Photoshop.exe 的第一个图标ID
int main() {
LPCWSTR exePath = L"D:\\软件\\Photoshop\\Photoshop.exe";
DWORD iconId = GetFirstIconGroupID(exePath);
printf("第一个图标ID: %u\n", iconId); // 输出：1000 或 1 等
return 0;
}

复制代码

5315929 · 发表于 2025-11-4 11:31:02

谢谢楼主分享

红毛樱木 · 发表于 2025-11-5 10:33:45

Zap 发表于 2025-11-3 23:07
获取程序图标组中第一个图标的ID
定位 RT_GROUP_ICON（类型ID=14）的资源目录，跳过无关资源类型。
...

这里有几个结构体，要用PECMD搞，太烦了。

红毛樱木 · 发表于 2025-11-5 16:14:08

本帖最后由红毛樱木于 2025-11-5 16:16 编辑

Zap 发表于 2025-11-3 23:07
获取程序图标组中第一个图标的ID
定位 RT_GROUP_ICON（类型ID=14）的资源目录，跳过无关资源类型。
...

//LOGS * %&CurDir%\log.log
ENVI^ ENVIMODE=1
// PECMD2012 内部本身就是宽字符Unicode。路径\\可以直接写真实路径\，自动转义。
ENVI &exePath=D:\软件\Photoshop\Photoshop.exe
CALL GetFirstIconGroupID "%&exePath%" &iconId
MESS. 第一个图标ID: %&iconId%@
_SUB GetFirstIconGroupID
ENVI &&exePath=%~1
ENVI &&GENERIC_READ=0x80000000
ENVI &&FILE_SHARE_READ=0x00000001
ENVI &&OPEN_EXISTING=3
ENVI &&INVALID_HANDLE_VALUE=-1
CALL$--qd --ret:&&hFile Kernel32.dll,CreateFileW,$%&exePath%,#%&GENERIC_READ%,#%&FILE_SHARE_READ%,#0,#%&OPEN_EXISTING%,#0,#0 // C中的NULL就是0，在PECMD中用数值 #0
IFEX #%&hFile%=%&INVALID_HANDLE_VALUE%,
{*
EXIT= 0
EXIT _SUB
}
CALL$--qd --ret:&&fileSize Kernel32.dll,GetFileSize,#%&hFile%,#0
ENVI &&PAGE_READONLY=0x02
CALL$--qd --ret:&&hMap Kernel32.dll,CreateFileMappingW,#%&hFile%,#0,#%&PAGE_READONLY%,#0,#%&fileSize%,0 //CreateFileMapping 要用实际的 CreateFileMappingW
ENVI &&FILE_MAP_READ=0x0004
CALL$--qd --16 --ret:&&pBase Kernel32.dll,MapViewOfFile,#%&hMap%,#%&FILE_MAP_READ%,#0,#0,#0
//MESS. %&pBase%@&pBase
IFEX #%&pBase%=0,
{*
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hMap%
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hFile%
ENVI-ret %~2=0
EXIT _SUB
}
// PIMAGE_DOS_HEADER 的结构体 IMAGE_DOS_HEADER 64字节
//SET$# &dos=*64 0
SET-mkfixdummy &dos=%&pBase%@0;*64
SET?longs dos=&&dos.e_lfanew:60
//MESS. %&dos.e_lfanew%@&dos.e_lfanew
// PIMAGE_NT_HEADERS 的结构体(64位为 IMAGE_NT_HEADERS64 大小 264字节)(32位为 IMAGE_NT_HEADERS32 大小 248字节)
IFEX #%&bX64%=3,
{*
//SET$# &nt=*264 0
SET-mkfixdummy &nt=(%&pBase%+%&dos.e_lfanew%)@0;*264
}!
{*
//SET$# &nt=*248 0
SET-mkfixdummy &nt=(%&pBase%+%&dos.e_lfanew%)@0;*248
}
//GETF &nt,0#*,&&nt_Hex
//MESS. %&nt_Hex%@&nt_Hex
SET?long nt=&&nt.Signature:0
//MESS. %&nt.Signature%@&nt.Signature
ENVI &&IMAGE_NT_SIGNATURE=0x00004550 // PE00
IFEX #%&nt.Signature%<>%&IMAGE_NT_SIGNATURE%,
{*
CALL$--qd --bool --ret:&&UnmapViewOfFileRet Kernel32.dll,UnmapViewOfFile,#%&pBase%;
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hMap%
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hFile%
ENVI-ret %~2=0
EXIT _SUB
}
// 定位资源目录
// auto& resDir = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE];
//ENVI &&IMAGE_DIRECTORY_ENTRY_RESOURCE=2 // Resource Directory
ENVI &&IMAGE_DIRECTORY_ENTRY_RESOURCE=0 // 测试
IFEX #%&bX64%=3,
{*
SET-mkfixdummy &resDir=&nt@(4+20+112+(8*%&IMAGE_DIRECTORY_ENTRY_RESOURCE%));*8
}!
{*
SET-mkfixdummy &resDir=&nt@(4+20+96+(8*%&IMAGE_DIRECTORY_ENTRY_RESOURCE%));*8
}
//GETF &resDir,0#*,&&resDir_Hex
//MESS. %&resDir_Hex%@&resDir_Hex
SET?long resDir=&&resDir.VirtualAddress:0
//MESS. %&resDir.VirtualAddress%@&resDir.VirtualAddress
// 定位资源节（.rsrc）
ENVI &&i=0
SET?shorts nt=&&nt.FileHeader.NumberOfSections:(4+2) //WORD 2 字节，用short和wchar都可以
//MESS. %&nt.FileHeader.NumberOfSections%@&nt.FileHeader.NumberOfSections
SET?shorts nt=&&nt.FileHeader.SizeOfOptionalHeader:(4+2+2+4+4+4)
//MESS. %&nt.FileHeader.SizeOfOptionalHeader%@&nt.FileHeader.SizeOfOptionalHeader
//SET-mkfixdummy &section=&nt
LOOP #%&i%<%&nt.FileHeader.NumberOfSections%,
{*
//#define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) ((ULONG_PTR)(ntheader) + FIELD_OFFSET( IMAGE_NT_HEADERS, OptionalHeader ) + ((ntheader))->FileHeader.SizeOfOptionalHeader ))
SET-mkfixdummy &section=(%&pBase%+%&dos.e_lfanew%+(4+20+%&nt.FileHeader.SizeOfOptionalHeader%))@(40*%&i%);*40 // 相当于 section++
//GETF &section,0#40,&&section_Hex
//MESS. %&section_Hex%@&section_Hex
SET?long section=&&section.VirtualAddress:12
//MESS. &section.VirtualAddress:%&section.VirtualAddress%@%&i%
SET?long section=&&section.Misc.VirtualSize:8
//MESS. IFEX #[ ( %&resDir.VirtualAddress% >= %&section.VirtualAddress% ) & ( %&resDir.VirtualAddress% < ( %&section.VirtualAddress% + %&section.Misc.VirtualSize% ) ) ],@%&i%
//IFEX #[ ( %&resDir.VirtualAddress% >= %&section.VirtualAddress% ) & ( %&resDir.VirtualAddress% < ( %&section.VirtualAddress% + %&section.Misc.VirtualSize% ) ) ], // IFEX 存在BUG，不能这样嵌套使用，先算出来吧。
IFEX #%&resDir.VirtualAddress% >= %&section.VirtualAddress%,
{*
CALC &&Fix=%&section.VirtualAddress% + %&section.Misc.VirtualSize%
IFEX #%&resDir.VirtualAddress% < %&Fix%,
{*
EXIT LOOP
}
}
CALC #&i=%&i% + 1
}
// 计算资源目录在文件中的实际偏移
SET?long section=&&section.PointerToRawData:20
CALC #&&resOffset=%&resDir.VirtualAddress% - %&section.VirtualAddress% + %&section.PointerToRawData%
//MESS. %&resOffset%<&i:%&i%><CALC #&&resOffset=%&resDir.VirtualAddress% - %&section.VirtualAddress% + %&section.PointerToRawData%>@&resOffset
SET-mkfixdummy &rootDir=(%&pBase%+%&resOffset%)@0;*16
SET?short rootDir=&&rootDir.NumberOfIdEntries:(4+4+2+2+2)
//MESS. %&rootDir.NumberOfIdEntries%@&rootDir.NumberOfIdEntries
// 遍历资源类型，找到 RT_GROUP_ICON（ID=14）
//SET-mkfixdummy &typeEntry=(%&pBase%+%&resOffset%)@16;*8
//GETF &typeEntry,0#8,&&typeEntry_Hex
//MESS. %&typeEntry_Hex%@&typeEntry_Hex
ENVI &&i=0
LOOP #%&i%<%&rootDir.NumberOfIdEntries%,
{*
SET-mkfixdummy &typeEntry=(%&pBase%+%&resOffset%)@(16+(8*%&i%));*8
SET?short typeEntry=&&typeEntry.Id:0
//MESS. %&typeEntry.Id%@%&i%
IFEX #%&typeEntry.Id%=14, // RT_GROUP_ICON = 14
{*
// 获取第一个图标ID（进入ID目录的第一个条目）
SET?long typeEntry=&&typeEntry.OffsetToDirectory:4
CALC #&typeEntry.OffsetToDirectory=%&typeEntry.OffsetToDirectory% & 0x7FFFFFFF
SET-mkfixdummy &iconDir=(%&pBase%+%&resOffset%)@%&typeEntry.OffsetToDirectory%;*16
SET-mkfixdummy &iconIdEntry=(%&pBase%+%&resOffset%)@(%&typeEntry.OffsetToDirectory%+16);*8
SET?short iconIdEntry=&&iconIdEntry.Id:0
CALC &&firstIconId=%&iconIdEntry.Id% // 不知道源码这里为什么用DWORD计算WORD
//MESS. %&firstIconId%@
CALL$--qd --bool --ret:&&UnmapViewOfFileRet Kernel32.dll,UnmapViewOfFile,#%&pBase%;
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hMap%
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hFile%
ENVI-ret~ %~2=&firstIconId
EXIT _SUB
}
CALC #&i=%&i% + 1
}
CALL$--qd --bool --ret:&&UnmapViewOfFileRet Kernel32.dll,UnmapViewOfFile,#%&pBase%;
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hMap%
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hFile%
ENVI-ret %~2=0
_END
EXIT FILE
typedef struct _IMAGE_RESOURCE_DIRECTORY_ENTRY {
union {
struct {
DWORD NameOffset:31;
DWORD NameIsString:1;
} DUMMYSTRUCTNAME;
DWORD Name;
WORD Id;
} DUMMYUNIONNAME;
union {
DWORD OffsetToData;
struct {
DWORD OffsetToDirectory:31;
DWORD DataIsDirectory:1;
} DUMMYSTRUCTNAME2;
} DUMMYUNIONNAME2;
} IMAGE_RESOURCE_DIRECTORY_ENTRY, *PIMAGE_RESOURCE_DIRECTORY_ENTRY; //8b
typedef struct _IMAGE_RESOURCE_DIRECTORY {
DWORD Characteristics;
DWORD TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
WORD NumberOfNamedEntries;
WORD NumberOfIdEntries;
// IMAGE_RESOURCE_DIRECTORY_ENTRY DirectoryEntries[];
} IMAGE_RESOURCE_DIRECTORY, *PIMAGE_RESOURCE_DIRECTORY; /16b
typedef struct _IMAGE_SECTION_HEADER {
BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
union {
DWORD PhysicalAddress;
DWORD VirtualSize;
} Misc;
DWORD VirtualAddress;
DWORD SizeOfRawData;
DWORD PointerToRawData;
DWORD PointerToRelocations;
DWORD PointerToLinenumbers;
WORD NumberOfRelocations;
WORD NumberOfLinenumbers;
DWORD Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER; //40b
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
WORD e_magic; // Magic number
WORD e_cblp; // Bytes on last page of file
WORD e_cp; // Pages in file
WORD e_crlc; // Relocations
WORD e_cparhdr; // Size of header in paragraphs
WORD e_minalloc; // Minimum extra paragraphs needed
WORD e_maxalloc; // Maximum extra paragraphs needed
WORD e_ss; // Initial (relative) SS value
WORD e_sp; // Initial SP value
WORD e_csum; // Checksum
WORD e_ip; // Initial IP value
WORD e_cs; // Initial (relative) CS value
WORD e_lfarlc; // File address of relocation table
WORD e_ovno; // Overlay number
WORD e_res[4]; // Reserved words
WORD e_oemid; // OEM identifier (for e_oeminfo)
WORD e_oeminfo; // OEM information; e_oemid specific
WORD e_res2[10]; // Reserved words
LONG e_lfanew; // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER; //64b
typedef struct _IMAGE_FILE_HEADER {
WORD Machine;
WORD NumberOfSections;
DWORD TimeDateStamp;
DWORD PointerToSymbolTable;
DWORD NumberOfSymbols;
WORD SizeOfOptionalHeader;
WORD Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER; //20b
typedef struct _IMAGE_DATA_DIRECTORY {
DWORD VirtualAddress;
DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY; //8b
typedef struct _IMAGE_OPTIONAL_HEADER {
//
// Standard fields.
//
WORD Magic;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
DWORD BaseOfData;
//
// NT additional fields.
//
DWORD ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
DWORD SizeOfStackReserve;
DWORD SizeOfStackCommit;
DWORD SizeOfHeapReserve;
DWORD SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; //偏移地址 96b
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
typedef struct _IMAGE_OPTIONAL_HEADER64 {
WORD Magic;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
ULONGLONG ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
ULONGLONG SizeOfStackReserve;
ULONGLONG SizeOfStackCommit;
ULONGLONG SizeOfHeapReserve;
ULONGLONG SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; //偏移地址 112b
} IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;
typedef struct _IMAGE_NT_HEADERS64 {
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;
typedef struct _IMAGE_NT_HEADERS {
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
#include <windows.h>
#include <stdio.h>
DWORD GetFirstIconGroupID(LPCWSTR exePath) {
HANDLE hFile = CreateFileW(exePath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE) return 0;
DWORD fileSize = GetFileSize(hFile, NULL);
HANDLE hMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, fileSize, NULL);
LPVOID pBase = MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);
if (!pBase) { CloseHandle(hMap); CloseHandle(hFile); return 0; }
PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)pBase;
PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)((BYTE*)pBase + dos->e_lfanew);
if (nt->Signature != IMAGE_NT_SIGNATURE) { UnmapViewOfFile(pBase); CloseHandle(hMap); CloseHandle(hFile); return 0; }
// 定位资源目录
auto& resDir = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE];
if (resDir.VirtualAddress == 0) { UnmapViewOfFile(pBase); CloseHandle(hMap); CloseHandle(hFile); return 0; }
// 定位资源节（.rsrc）
PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(nt);
for (int i = 0; i < nt->FileHeader.NumberOfSections; i++, section++) {
if (resDir.VirtualAddress >= section->VirtualAddress &&
resDir.VirtualAddress < section->VirtualAddress + section->Misc.VirtualSize) break;
}
// 计算资源目录在文件中的实际偏移
DWORD resOffset = resDir.VirtualAddress - section->VirtualAddress + section->PointerToRawData;
PIMAGE_RESOURCE_DIRECTORY rootDir = (PIMAGE_RESOURCE_DIRECTORY)((BYTE*)pBase + resOffset);
// 遍历资源类型，找到 RT_GROUP_ICON（ID=14）
PIMAGE_RESOURCE_DIRECTORY_ENTRY typeEntry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(rootDir + 1);
for (DWORD i = 0; i < rootDir->NumberOfIdEntries; i++, typeEntry++) {
if (typeEntry->Id == 14) { // RT_GROUP_ICON = 14
// 获取第一个图标ID（进入ID目录的第一个条目）
PIMAGE_RESOURCE_DIRECTORY iconDir = (PIMAGE_RESOURCE_DIRECTORY)((BYTE*)rootDir + typeEntry->OffsetToDirectory);
PIMAGE_RESOURCE_DIRECTORY_ENTRY iconIdEntry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(iconDir + 1);
DWORD firstIconId = iconIdEntry->Id;
UnmapViewOfFile(pBase);
CloseHandle(hMap);
CloseHandle(hFile);
return firstIconId;
}
}
UnmapViewOfFile(pBase);
CloseHandle(hMap);
CloseHandle(hFile);
return 0;
}
// 调用示例：获取 Photoshop.exe 的第一个图标ID
int main() {
LPCWSTR exePath = L"D:\\软件\\Photoshop\\Photoshop.exe";
DWORD iconId = GetFirstIconGroupID(exePath);
printf("第一个图标ID: %u\n", iconId); // 输出：1000 或 1 等
return 0;
}

复制代码

这玩意写的太累人了。坐了一天，快点给钱吧

红毛樱木 · 发表于 2025-11-5 16:19:50

红毛樱木发表于 2025-11-5 16:14
这玩意写的太累人了。坐了一天，快点给钱吧

这代码应该还有地方有偏移地址计算错的。 ENVI &&IMAGE_DIRECTORY_ENTRY_RESOURCE=0 才可以，实际看源码是 ENVI &&IMAGE_DIRECTORY_ENTRY_RESOURCE=2。你看看自己能不能解决吧，解决不了回头我再看看。

527104427 · 发表于 2025-11-5 17:50:50

红毛樱木发表于 2025-11-5 16:14
这玩意写的太累人了。坐了一天，快点给钱吧

牛逼！目测这代码值一千块钱

红毛樱木 · 发表于 2025-11-5 23:36:11

本帖最后由红毛樱木于 2025-11-5 23:46 编辑

红毛樱木发表于 2025-11-5 16:19
这代码应该还有地方有偏移地址计算错的。 ENVI &&IMAGE_DIRECTORY_ENTRY_RESOURCE=0 才可以，实际看源 ...

更正后的代码。
C++源码你自己改吧....

//LOGS * %&CurDir%\log.log
ENVI^ ENVIMODE=1
// PECMD2012 内部本身就是宽字符Unicode。路径\\可以直接写真实路径\，自动转义。
ENVI &exePath=D:\软件\Photoshop\Photoshop.exe
CALL GetFirstIconGroupID "%&exePath%" &iconId
MESS. 第一个图标ID: %&iconId%@
_SUB GetFirstIconGroupID
ENVI-ret %~2=0
ENVI &&exePath=%~1
ENVI &&GENERIC_READ=0x80000000
ENVI &&FILE_SHARE_READ=0x00000001
ENVI &&OPEN_EXISTING=3
ENVI &&INVALID_HANDLE_VALUE=-1
CALL$--qd --ret:&&hFile Kernel32.dll,CreateFileW,$%&exePath%,#%&GENERIC_READ%,#%&FILE_SHARE_READ%,#0,#%&OPEN_EXISTING%,#0,#0 // C中的NULL就是0，在PECMD中用数值 #0
IFEX #%&hFile%=%&INVALID_HANDLE_VALUE%,
{*
ENVI-ret %~2=0
EXIT _SUB
}
CALL$--qd --ret:&&fileSize Kernel32.dll,GetFileSize,#%&hFile%,#0
ENVI &&PAGE_READONLY=0x02
CALL$--qd --ret:&&hMap Kernel32.dll,CreateFileMappingW,#%&hFile%,#0,#%&PAGE_READONLY%,#0,#%&fileSize%,0 //CreateFileMapping 要用实际的 CreateFileMappingW
ENVI &&FILE_MAP_READ=0x0004
CALL$--qd --16 --ret:&&pBase Kernel32.dll,MapViewOfFile,#%&hMap%,#%&FILE_MAP_READ%,#0,#0,#0
//MESS. %&pBase%@&pBase
IFEX #%&pBase%=0,
{*
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hMap%
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hFile%
ENVI-ret %~2=0
EXIT _SUB
}
// PIMAGE_DOS_HEADER 的结构体 IMAGE_DOS_HEADER 64字节
//SET$# &dos=*64 0
SET-mkfixdummy &dos=%&pBase%@0;*64
SET?longs dos=&&dos.e_lfanew:60
//MESS. %&dos.e_lfanew%@&dos.e_lfanew
// PIMAGE_NT_HEADERS 的结构体(64位为 IMAGE_NT_HEADERS64 大小 264字节)(32位为 IMAGE_NT_HEADERS32 大小 248字节)
IFEX #0, //判断错误，应该直接判断PE文件头是32位还是64位。
{*
IFEX #%&bX64%=3,
{*
//SET$# &nt=*264 0
SET-mkfixdummy &nt=(%&pBase%+%&dos.e_lfanew%)@0;*264
}!
{*
//SET$# &nt=*248 0
SET-mkfixdummy &nt=(%&pBase%+%&dos.e_lfanew%)@0;*248
}
}
ENVI &&IMAGE_NT_OPTIONAL_HDR32_MAGIC=0x10b //32位
ENVI &&IMAGE_NT_OPTIONAL_HDR64_MAGIC=0x20b //64位
SET?short (%&pBase%+%&dos.e_lfanew%)=&&nt.OptionalHeader.Magic:24
//MESS. %&nt.OptionalHeader.Magic%@&nt.OptionalHeader.Magic
IFEX #%&nt.OptionalHeader.Magic%=%&IMAGE_NT_OPTIONAL_HDR32_MAGIC%,
{*
SET-mkfixdummy &nt=(%&pBase%+%&dos.e_lfanew%)@0;*248
}!
{*
IFEX #%&nt.OptionalHeader.Magic%=%&IMAGE_NT_OPTIONAL_HDR64_MAGIC%,
{*
SET-mkfixdummy &nt=(%&pBase%+%&dos.e_lfanew%)@0;*264
}!
{*
CALL$--qd --bool --ret:&&UnmapViewOfFileRet Kernel32.dll,UnmapViewOfFile,#%&pBase%;
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hMap%
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hFile%
ENVI-ret %~2=0
EXIT _SUB
}
}
//GETF &nt,0#*,&&nt_Hex
//MESS. %&nt_Hex%@&nt_Hex
SET?long nt=&&nt.Signature:0
//MESS. %&nt.Signature%@&nt.Signature
ENVI &&IMAGE_NT_SIGNATURE=0x00004550 // PE00
IFEX #%&nt.Signature%<>%&IMAGE_NT_SIGNATURE%,
{*
CALL$--qd --bool --ret:&&UnmapViewOfFileRet Kernel32.dll,UnmapViewOfFile,#%&pBase%;
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hMap%
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hFile%
ENVI-ret %~2=0
EXIT _SUB
}
// 定位资源目录
// auto& resDir = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE];
ENVI &&IMAGE_DIRECTORY_ENTRY_RESOURCE=2 // Resource Directory
//ENVI &&IMAGE_DIRECTORY_ENTRY_RESOURCE=0 // 测试
IFEX #0,
{*
IFEX #%&bX64%=3,
{*
SET-mkfixdummy &resDir=&nt@(4+20+112+(8*%&IMAGE_DIRECTORY_ENTRY_RESOURCE%));*8
}!
{*
SET-mkfixdummy &resDir=&nt@(4+20+96+(8*%&IMAGE_DIRECTORY_ENTRY_RESOURCE%));*8
}
}
IFEX #%&nt.OptionalHeader.Magic%=%&IMAGE_NT_OPTIONAL_HDR32_MAGIC%,
{*
SET-mkfixdummy &resDir=&nt@(4+20+96+(8*%&IMAGE_DIRECTORY_ENTRY_RESOURCE%));*8
}!
{*
IFEX #%&nt.OptionalHeader.Magic%=%&IMAGE_NT_OPTIONAL_HDR64_MAGIC%,
{*
SET-mkfixdummy &resDir=&nt@(4+20+112+(8*%&IMAGE_DIRECTORY_ENTRY_RESOURCE%));*8
}!
{*
CALL$--qd --bool --ret:&&UnmapViewOfFileRet Kernel32.dll,UnmapViewOfFile,#%&pBase%;
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hMap%
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hFile%
ENVI-ret %~2=0
EXIT _SUB
}
}
//GETF &resDir,0#*,&&resDir_Hex
//MESS. %&resDir_Hex%@&resDir_Hex
SET?long resDir=&&resDir.VirtualAddress:0
//MESS. %&resDir.VirtualAddress%@&resDir.VirtualAddress
// 定位资源节（.rsrc）
ENVI &&i=0
SET?shorts nt=&&nt.FileHeader.NumberOfSections:(4+2) //WORD 2 字节，用short和wchar都可以
//MESS. %&nt.FileHeader.NumberOfSections%@&nt.FileHeader.NumberOfSections
SET?shorts nt=&&nt.FileHeader.SizeOfOptionalHeader:(4+2+2+4+4+4)
//MESS. %&nt.FileHeader.SizeOfOptionalHeader%@&nt.FileHeader.SizeOfOptionalHeader
//SET-mkfixdummy &section=&nt
LOOP #%&i%<%&nt.FileHeader.NumberOfSections%,
{*
//#define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) ((ULONG_PTR)(ntheader) + FIELD_OFFSET( IMAGE_NT_HEADERS, OptionalHeader ) + ((ntheader))->FileHeader.SizeOfOptionalHeader ))
SET-mkfixdummy &section=(%&pBase%+%&dos.e_lfanew%+(4+20+%&nt.FileHeader.SizeOfOptionalHeader%))@(40*%&i%);*40 // 相当于 section++
//GETF &section,0#40,&&section_Hex
//MESS. %&section_Hex%@&section_Hex
SET?long section=&&section.VirtualAddress:12
//MESS. &section.VirtualAddress:%&section.VirtualAddress%@%&i%
SET?long section=&&section.Misc.VirtualSize:8
//MESS. IFEX #[ ( %&resDir.VirtualAddress% >= %&section.VirtualAddress% ) & ( %&resDir.VirtualAddress% < ( %&section.VirtualAddress% + %&section.Misc.VirtualSize% ) ) ],@%&i%
//IFEX #[ ( %&resDir.VirtualAddress% >= %&section.VirtualAddress% ) & ( %&resDir.VirtualAddress% < ( %&section.VirtualAddress% + %&section.Misc.VirtualSize% ) ) ], // IFEX 存在BUG，不能这样嵌套使用，先算出来吧。
IFEX #%&resDir.VirtualAddress% >= %&section.VirtualAddress%,
{*
CALC &&Fix=%&section.VirtualAddress% + %&section.Misc.VirtualSize%
IFEX #%&resDir.VirtualAddress% < %&Fix%,
{*
EXIT LOOP
}
}
CALC #&i=%&i% + 1
}
// 计算资源目录在文件中的实际偏移
SET?long section=&&section.PointerToRawData:20
CALC #&&resOffset=%&resDir.VirtualAddress% - %&section.VirtualAddress% + %&section.PointerToRawData%
//MESS. %&resOffset%<&i:%&i%><CALC #&&resOffset=%&resDir.VirtualAddress% - %&section.VirtualAddress% + %&section.PointerToRawData%>@&resOffset
SET-mkfixdummy &rootDir=(%&pBase%+%&resOffset%)@0;*16
SET?short rootDir=&&rootDir.NumberOfIdEntries:(4+4+2+2+2)
//MESS. %&rootDir.NumberOfIdEntries%@&rootDir.NumberOfIdEntries
// 遍历资源类型，找到 RT_GROUP_ICON（ID=14）
//SET-mkfixdummy &typeEntry=(%&pBase%+%&resOffset%)@16;*8
//GETF &typeEntry,0#8,&&typeEntry_Hex
//MESS. %&typeEntry_Hex%@&typeEntry_Hex
ENVI &&i=0
LOOP #%&i%<%&rootDir.NumberOfIdEntries%,
{*
SET-mkfixdummy &typeEntry=(%&pBase%+%&resOffset%)@(16+(8*%&i%));*8
SET?short typeEntry=&&typeEntry.Id:0
//MESS. %&typeEntry.Id%@%&i%
IFEX #%&typeEntry.Id%=14, // RT_GROUP_ICON = 14
{*
// 获取第一个图标ID（进入ID目录的第一个条目）
SET?long typeEntry=&&typeEntry.OffsetToDirectory:4
CALC #&typeEntry.OffsetToDirectory=%&typeEntry.OffsetToDirectory% & 0x7FFFFFFF
SET-mkfixdummy &iconDir=(%&pBase%+%&resOffset%)@%&typeEntry.OffsetToDirectory%;*16
SET-mkfixdummy &iconIdEntry=(%&pBase%+%&resOffset%)@(%&typeEntry.OffsetToDirectory%+16);*8
SET?short iconIdEntry=&&iconIdEntry.Id:0
CALC &&firstIconId=%&iconIdEntry.Id% // 不知道源码这里为什么用DWORD计算WORD
//MESS. %&firstIconId%@
CALL$--qd --bool --ret:&&UnmapViewOfFileRet Kernel32.dll,UnmapViewOfFile,#%&pBase%;
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hMap%
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hFile%
ENVI-ret~ %~2=&firstIconId
EXIT _SUB
}
CALC #&i=%&i% + 1
}
CALL$--qd --bool --ret:&&UnmapViewOfFileRet Kernel32.dll,UnmapViewOfFile,#%&pBase%;
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hMap%
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hFile%
ENVI-ret %~2=0
_END
EXIT FILE
typedef struct _IMAGE_RESOURCE_DIRECTORY_ENTRY {
union {
struct {
DWORD NameOffset:31;
DWORD NameIsString:1;
} DUMMYSTRUCTNAME;
DWORD Name;
WORD Id;
} DUMMYUNIONNAME;
union {
DWORD OffsetToData;
struct {
DWORD OffsetToDirectory:31;
DWORD DataIsDirectory:1;
} DUMMYSTRUCTNAME2;
} DUMMYUNIONNAME2;
} IMAGE_RESOURCE_DIRECTORY_ENTRY, *PIMAGE_RESOURCE_DIRECTORY_ENTRY; //8b
typedef struct _IMAGE_RESOURCE_DIRECTORY {
DWORD Characteristics;
DWORD TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
WORD NumberOfNamedEntries;
WORD NumberOfIdEntries;
// IMAGE_RESOURCE_DIRECTORY_ENTRY DirectoryEntries[];
} IMAGE_RESOURCE_DIRECTORY, *PIMAGE_RESOURCE_DIRECTORY; /16b
typedef struct _IMAGE_SECTION_HEADER {
BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
union {
DWORD PhysicalAddress;
DWORD VirtualSize;
} Misc;
DWORD VirtualAddress;
DWORD SizeOfRawData;
DWORD PointerToRawData;
DWORD PointerToRelocations;
DWORD PointerToLinenumbers;
WORD NumberOfRelocations;
WORD NumberOfLinenumbers;
DWORD Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER; //40b
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
WORD e_magic; // Magic number
WORD e_cblp; // Bytes on last page of file
WORD e_cp; // Pages in file
WORD e_crlc; // Relocations
WORD e_cparhdr; // Size of header in paragraphs
WORD e_minalloc; // Minimum extra paragraphs needed
WORD e_maxalloc; // Maximum extra paragraphs needed
WORD e_ss; // Initial (relative) SS value
WORD e_sp; // Initial SP value
WORD e_csum; // Checksum
WORD e_ip; // Initial IP value
WORD e_cs; // Initial (relative) CS value
WORD e_lfarlc; // File address of relocation table
WORD e_ovno; // Overlay number
WORD e_res[4]; // Reserved words
WORD e_oemid; // OEM identifier (for e_oeminfo)
WORD e_oeminfo; // OEM information; e_oemid specific
WORD e_res2[10]; // Reserved words
LONG e_lfanew; // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER; //64b
typedef struct _IMAGE_FILE_HEADER {
WORD Machine;
WORD NumberOfSections;
DWORD TimeDateStamp;
DWORD PointerToSymbolTable;
DWORD NumberOfSymbols;
WORD SizeOfOptionalHeader;
WORD Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER; //20b
typedef struct _IMAGE_DATA_DIRECTORY {
DWORD VirtualAddress;
DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY; //8b
typedef struct _IMAGE_OPTIONAL_HEADER {
//
// Standard fields.
//
WORD Magic;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
DWORD BaseOfData;
//
// NT additional fields.
//
DWORD ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
DWORD SizeOfStackReserve;
DWORD SizeOfStackCommit;
DWORD SizeOfHeapReserve;
DWORD SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; //偏移地址 96b
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
typedef struct _IMAGE_OPTIONAL_HEADER64 {
WORD Magic;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
ULONGLONG ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
ULONGLONG SizeOfStackReserve;
ULONGLONG SizeOfStackCommit;
ULONGLONG SizeOfHeapReserve;
ULONGLONG SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; //偏移地址 112b
} IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;
typedef struct _IMAGE_NT_HEADERS64 {
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;
typedef struct _IMAGE_NT_HEADERS {
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
#include <windows.h>
#include <stdio.h>
DWORD GetFirstIconGroupID(LPCWSTR exePath) {
HANDLE hFile = CreateFileW(exePath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE) return 0;
DWORD fileSize = GetFileSize(hFile, NULL);
HANDLE hMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, fileSize, NULL);
LPVOID pBase = MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);
if (!pBase) { CloseHandle(hMap); CloseHandle(hFile); return 0; }
PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)pBase;
PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)((BYTE*)pBase + dos->e_lfanew);
if (nt->Signature != IMAGE_NT_SIGNATURE) { UnmapViewOfFile(pBase); CloseHandle(hMap); CloseHandle(hFile); return 0; }
// 定位资源目录
auto& resDir = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE];
if (resDir.VirtualAddress == 0) { UnmapViewOfFile(pBase); CloseHandle(hMap); CloseHandle(hFile); return 0; }
// 定位资源节（.rsrc）
PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(nt);
for (int i = 0; i < nt->FileHeader.NumberOfSections; i++, section++) {
if (resDir.VirtualAddress >= section->VirtualAddress &&
resDir.VirtualAddress < section->VirtualAddress + section->Misc.VirtualSize) break;
}
// 计算资源目录在文件中的实际偏移
DWORD resOffset = resDir.VirtualAddress - section->VirtualAddress + section->PointerToRawData;
PIMAGE_RESOURCE_DIRECTORY rootDir = (PIMAGE_RESOURCE_DIRECTORY)((BYTE*)pBase + resOffset);
// 遍历资源类型，找到 RT_GROUP_ICON（ID=14）
PIMAGE_RESOURCE_DIRECTORY_ENTRY typeEntry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(rootDir + 1);
for (DWORD i = 0; i < rootDir->NumberOfIdEntries; i++, typeEntry++) {
if (typeEntry->Id == 14) { // RT_GROUP_ICON = 14
// 获取第一个图标ID（进入ID目录的第一个条目）
PIMAGE_RESOURCE_DIRECTORY iconDir = (PIMAGE_RESOURCE_DIRECTORY)((BYTE*)rootDir + typeEntry->OffsetToDirectory);
PIMAGE_RESOURCE_DIRECTORY_ENTRY iconIdEntry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(iconDir + 1);
DWORD firstIconId = iconIdEntry->Id;
UnmapViewOfFile(pBase);
CloseHandle(hMap);
CloseHandle(hFile);
return firstIconId;
}
}
UnmapViewOfFile(pBase);
CloseHandle(hMap);
CloseHandle(hFile);
return 0;
}
// 调用示例：获取 Photoshop.exe 的第一个图标ID
int main() {
LPCWSTR exePath = L"D:\\软件\\Photoshop\\Photoshop.exe";
DWORD iconId = GetFirstIconGroupID(exePath);
printf("第一个图标ID: %u\n", iconId); // 输出：1000 或 1 等
return 0;
}

复制代码

Zap · 发表于 2025-11-6 00:40:11

红毛樱木发表于 2025-11-5 23:36
更正后的代码。
C++源码你自己改吧....

是哦以C:\Windows\explorer.exe为例第一个是名称ICO_MYCOMPUTER 应该转换为字符

Zap · 发表于 2025-11-6 09:45:02

红毛樱木发表于 2025-11-5 23:36
更正后的代码。
C++源码你自己改吧....

搞不定

//LOGS * %&CurDir%\log.log
ENVI^ ENVIMODE=1
ENVI &exePath=C:\Windows\explorer.exe
CALL GetFirstIconGroupID "%&exePath%" &iconId
MESS. 第一个图标ID: %&iconId%@
exit
_SUB GetFirstIconGroupID
ENVI-ret %~2=0
ENVI &&exePath=%~1
ENVI &&GENERIC_READ=0x80000000
ENVI &&FILE_SHARE_READ=0x00000001
ENVI &&OPEN_EXISTING=3
ENVI &&INVALID_HANDLE_VALUE=-1
CALL$--qd --ret:&&hFile Kernel32.dll,CreateFileW,$%&exePath%,#%&GENERIC_READ%,#%&FILE_SHARE_READ%,#0,#%&OPEN_EXISTING%,#0,#0
IFEX #%&hFile%=%&INVALID_HANDLE_VALUE%,
{*
ENVI-ret %~2=0
EXIT _SUB
}
CALL$--qd --ret:&&fileSize Kernel32.dll,GetFileSize,#%&hFile%,#0
ENVI &&PAGE_READONLY=0x02
CALL$--qd --ret:&&hMap Kernel32.dll,CreateFileMappingW,#%&hFile%,#0,#%&PAGE_READONLY%,#0,#%&fileSize%,0
ENVI &&FILE_MAP_READ=0x0004
CALL$--qd --16 --ret:&&pBase Kernel32.dll,MapViewOfFile,#%&hMap%,#%&FILE_MAP_READ%,#0,#0,#0
IFEX #%&pBase%=0,
{*
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hMap%
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hFile%
ENVI-ret %~2=0
EXIT _SUB
}
SET-mkfixdummy &dos=%&pBase%@0;*64
SET?longs dos=&&dos.e_lfanew:60
ENVI &&IMAGE_NT_OPTIONAL_HDR32_MAGIC=0x10b
ENVI &&IMAGE_NT_OPTIONAL_HDR64_MAGIC=0x20b
SET?short (%&pBase%+%&dos.e_lfanew%)=&&nt.OptionalHeader.Magic:24
IFEX #%&nt.OptionalHeader.Magic%=%&IMAGE_NT_OPTIONAL_HDR32_MAGIC%,
{*
SET-mkfixdummy &nt=(%&pBase%+%&dos.e_lfanew%)@0;*248
}!
{*
IFEX #%&nt.OptionalHeader.Magic%=%&IMAGE_NT_OPTIONAL_HDR64_MAGIC%,
{*
SET-mkfixdummy &nt=(%&pBase%+%&dos.e_lfanew%)@0;*264
}!
{*
CALL$--qd --bool --ret:&&UnmapViewOfFileRet Kernel32.dll,UnmapViewOfFile,#%&pBase%;
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hMap%
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hFile%
ENVI-ret %~2=0
EXIT _SUB
}
}
SET?long nt=&&nt.Signature:0
ENVI &&IMAGE_NT_SIGNATURE=0x00004550
IFEX #%&nt.Signature%<>%&IMAGE_NT_SIGNATURE%,
{*
CALL$--qd --bool --ret:&&UnmapViewOfFileRet Kernel32.dll,UnmapViewOfFile,#%&pBase%;
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hMap%
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hFile%
ENVI-ret %~2=0
EXIT _SUB
}
ENVI &&IMAGE_DIRECTORY_ENTRY_RESOURCE=2
IFEX #%&nt.OptionalHeader.Magic%=%&IMAGE_NT_OPTIONAL_HDR32_MAGIC%,
{*
SET-mkfixdummy &resDir=&nt@(4+20+96+(8*%&IMAGE_DIRECTORY_ENTRY_RESOURCE%));*8
}!
{*
SET-mkfixdummy &resDir=&nt@(4+20+112+(8*%&IMAGE_DIRECTORY_ENTRY_RESOURCE%));*8
}
SET?long resDir=&&resDir.VirtualAddress:0
ENVI &&i=0
SET?shorts nt=&&nt.FileHeader.NumberOfSections:(4+2)
SET?shorts nt=&&nt.FileHeader.SizeOfOptionalHeader:(4+2+2+4+4+4)
LOOP #%&i%<%&nt.FileHeader.NumberOfSections%,
{*
SET-mkfixdummy &section=(%&pBase%+%&dos.e_lfanew%+(4+20+%&nt.FileHeader.SizeOfOptionalHeader%))@(40*%&i%);*40
SET?long section=&&section.VirtualAddress:12
SET?long section=&&section.Misc.VirtualSize:8
IFEX #%&resDir.VirtualAddress% >= %&section.VirtualAddress%,
{*
CALC &&Fix=%&section.VirtualAddress% + %&section.Misc.VirtualSize%
IFEX #%&resDir.VirtualAddress% < %&Fix%,
{*
EXIT LOOP
}
}
CALC #&i=%&i% + 1
}
SET?long section=&&section.PointerToRawData:20
CALC #&&resOffset=%&resDir.VirtualAddress% - %&section.VirtualAddress% + %&section.PointerToRawData%
SET-mkfixdummy &rootDir=(%&pBase%+%&resOffset%)@0;*16
SET?short rootDir=&&rootDir.NumberOfIdEntries:(4+4+2+2+2)
ENVI &&i=0
LOOP #%&i%<%&rootDir.NumberOfIdEntries%,
{*
SET-mkfixdummy &typeEntry=(%&pBase%+%&resOffset%)@(16+(8*%&i%));*8
SET?short typeEntry=&&typeEntry.Id:0
IFEX #%&typeEntry.Id%=14, // RT_GROUP_ICON
{*
SET?long typeEntry=&&typeEntry.OffsetToDirectory:4
CALC #&typeEntry.OffsetToDirectory=%&typeEntry.OffsetToDirectory% & 0x7FFFFFFF
SET-mkfixdummy &iconDir=(%&pBase%+%&resOffset%)@%&typeEntry.OffsetToDirectory%;*16
// 获取第一个条目（可能是命名或ID条目）
SET-mkfixdummy &iconIdEntry=(%&pBase%+%&resOffset%+%&typeEntry.OffsetToDirectory%+16)@0;*8
SET?short iconIdEntry=&&iconIdEntry.Id:0
// 判断条目类型 (高位为1表示命名条目)
IFEX #%&iconIdEntry.Id% >= 0x8000,
{*
// 命名条目处理
CALC #&&nameOffset=%&iconIdEntry.Id% & 0x7FFF
SET-mkfixdummy &nameHeader=(%&pBase%+%&resOffset%+%&nameOffset%)@0;*2
SET?short nameHeader=&&nameHeader.Length:0
// 读取Unicode字符串
SET $ &buffer=0
CALC #&strAddr=%&pBase% + %&resOffset% + %&nameOffset% + 2
CALL $--ret:&buffer --wid %&strAddr%, %&nameHeader.Length%
ENVI-ret~ %~2=%&buffer%
}!
{*
// ID条目处理
ENVI-ret~ %~2=%&iconIdEntry.Id%
}
CALL$--qd --bool --ret:&&UnmapViewOfFileRet Kernel32.dll,UnmapViewOfFile,#%&pBase%;
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hMap%
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hFile%
EXIT _SUB
}
CALC #&i=%&i% + 1
}
CALL$--qd --bool --ret:&&UnmapViewOfFileRet Kernel32.dll,UnmapViewOfFile,#%&pBase%;
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hMap%
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hFile%
ENVI-ret %~2=0
_END

复制代码

Zap · 发表于 2025-11-6 10:53:54

又不行了

//LOGS * %&CurDir%\log.log
ENVI^ ENVIMODE=1
ENVI &exePath=D:\软件\BCompare\BCompare.exe //C:\Windows\explorer.exe //C:\Windows\System32\calc.exe
CALL GetFirstIconGroupID "%&exePath%" &iconId
MESS. 第一个图标ID:%&iconId%@
exit
_SUB GetFirstIconGroupID
ENVI-ret %~2=0
ENVI &&exePath=%~1
ENVI &&GENERIC_READ=0x80000000
ENVI &&FILE_SHARE_READ=0x00000001
ENVI &&OPEN_EXISTING=3
ENVI &&INVALID_HANDLE_VALUE=-1
CALL$--qd --ret:&&hFile Kernel32.dll,CreateFileW,$%&exePath%,#%&GENERIC_READ%,#%&FILE_SHARE_READ%,#0,#%&OPEN_EXISTING%,#0,#0 // C中的NULL就是0，在PECMD中用数值 #0
IFEX #%&hFile%=%&INVALID_HANDLE_VALUE%,
{*
ENVI-ret %~2=0
EXIT _SUB
}
CALL$--qd --ret:&&fileSize Kernel32.dll,GetFileSize,#%&hFile%,#0
ENVI &&PAGE_READONLY=0x02
CALL$--qd --ret:&&hMap Kernel32.dll,CreateFileMappingW,#%&hFile%,#0,#%&PAGE_READONLY%,#0,#%&fileSize%,0 //CreateFileMapping 要用实际的 CreateFileMappingW
ENVI &&FILE_MAP_READ=0x0004
CALL$--qd --16 --ret:&&pBase Kernel32.dll,MapViewOfFile,#%&hMap%,#%&FILE_MAP_READ%,#0,#0,#0
IFEX #%&pBase%=0,
{*
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hMap%
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hFile%
ENVI-ret %~2=0
EXIT _SUB
}
// PIMAGE_DOS_HEADER 的结构体 IMAGE_DOS_HEADER 64字节
//SET$# &dos=*64 0
SET-mkfixdummy &dos=%&pBase%@0;*64
SET?longs dos=&&dos.e_lfanew:60
//MESS. %&dos.e_lfanew%@&dos.e_lfanew
// PIMAGE_NT_HEADERS 的结构体(64位为 IMAGE_NT_HEADERS64 大小 264字节)(32位为 IMAGE_NT_HEADERS32 大小 248字节)
IFEX #0, //判断错误，应该直接判断PE文件头是32位还是64位。
{*
IFEX #%&bX64%=3,
{*
//SET$# &nt=*264 0
SET-mkfixdummy &nt=(%&pBase%+%&dos.e_lfanew%)@0;*264
}!
{*
//SET$# &nt=*248 0
SET-mkfixdummy &nt=(%&pBase%+%&dos.e_lfanew%)@0;*248
}
}
ENVI &&IMAGE_NT_OPTIONAL_HDR32_MAGIC=0x10b //32位
ENVI &&IMAGE_NT_OPTIONAL_HDR64_MAGIC=0x20b //64位
SET?short (%&pBase%+%&dos.e_lfanew%)=&&nt.OptionalHeader.Magic:24
//MESS. %&nt.OptionalHeader.Magic%@&nt.OptionalHeader.Magic
IFEX #%&nt.OptionalHeader.Magic%=%&IMAGE_NT_OPTIONAL_HDR32_MAGIC%,
{*
SET-mkfixdummy &nt=(%&pBase%+%&dos.e_lfanew%)@0;*248
}!
{*
IFEX #%&nt.OptionalHeader.Magic%=%&IMAGE_NT_OPTIONAL_HDR64_MAGIC%,
{*
SET-mkfixdummy &nt=(%&pBase%+%&dos.e_lfanew%)@0;*264
}!
{*
CALL$--qd --bool --ret:&&UnmapViewOfFileRet Kernel32.dll,UnmapViewOfFile,#%&pBase%;
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hMap%
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hFile%
ENVI-ret %~2=0
EXIT _SUB
}
}
//GETF &nt,0#*,&&nt_Hex
//MESS. %&nt_Hex%@&nt_Hex
SET?long nt=&&nt.Signature:0
//MESS. %&nt.Signature%@&nt.Signature
ENVI &&IMAGE_NT_SIGNATURE=0x00004550 // PE00
IFEX #%&nt.Signature%<>%&IMAGE_NT_SIGNATURE%,
{*
CALL$--qd --bool --ret:&&UnmapViewOfFileRet Kernel32.dll,UnmapViewOfFile,#%&pBase%;
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hMap%
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hFile%
ENVI-ret %~2=0
EXIT _SUB
}
// 定位资源目录
// auto& resDir = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE];
ENVI &&IMAGE_DIRECTORY_ENTRY_RESOURCE=2 // Resource Directory
//ENVI &&IMAGE_DIRECTORY_ENTRY_RESOURCE=0 // 测试
IFEX #0,
{*
IFEX #%&bX64%=3,
{*
SET-mkfixdummy &resDir=&nt@(4+20+112+(8*%&IMAGE_DIRECTORY_ENTRY_RESOURCE%));*8
}!
{*
SET-mkfixdummy &resDir=&nt@(4+20+96+(8*%&IMAGE_DIRECTORY_ENTRY_RESOURCE%));*8
}
}
IFEX #%&nt.OptionalHeader.Magic%=%&IMAGE_NT_OPTIONAL_HDR32_MAGIC%,
{*
SET-mkfixdummy &resDir=&nt@(4+20+96+(8*%&IMAGE_DIRECTORY_ENTRY_RESOURCE%));*8
}!
{*
IFEX #%&nt.OptionalHeader.Magic%=%&IMAGE_NT_OPTIONAL_HDR64_MAGIC%,
{*
SET-mkfixdummy &resDir=&nt@(4+20+112+(8*%&IMAGE_DIRECTORY_ENTRY_RESOURCE%));*8
}!
{*
CALL$--qd --bool --ret:&&UnmapViewOfFileRet Kernel32.dll,UnmapViewOfFile,#%&pBase%;
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hMap%
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hFile%
ENVI-ret %~2=0
EXIT _SUB
}
//GETF &resDir,0#*,&&resDir_Hex
//MESS. %&resDir_Hex%@&resDir_Hex
SET?long resDir=&&resDir.VirtualAddress:0
//MESS. %&resDir.VirtualAddress%@&resDir.VirtualAddress
// 定位资源节（.rsrc）
ENVI &&i=0
SET?shorts nt=&&nt.FileHeader.NumberOfSections:(4+2) //WORD 2 字节，用short和wchar都可以
//MESS. %&nt.FileHeader.NumberOfSections%@&nt.FileHeader.NumberOfSections
SET?shorts nt=&&nt.FileHeader.SizeOfOptionalHeader:(4+2+2+4+4+4)
//MESS. %&nt.FileHeader.SizeOfOptionalHeader%@&nt.FileHeader.SizeOfOptionalHeader
//SET-mkfixdummy &section=&nt
LOOP #%&i%<%&nt.FileHeader.NumberOfSections%,
{*
//#define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) ((ULONG_PTR)(ntheader) + FIELD_OFFSET( IMAGE_NT_HEADERS, OptionalHeader ) + ((ntheader))->FileHeader.SizeOfOptionalHeader ))
SET-mkfixdummy &section=(%&pBase%+%&dos.e_lfanew%+(4+20+%&nt.FileHeader.SizeOfOptionalHeader%))@(40*%&i%);*40 // 相当于 section++
//GETF &section,0#40,&&section_Hex
//MESS. %&section_Hex%@&section_Hex
SET?long section=&&section.VirtualAddress:12
//MESS. &section.VirtualAddress:%&section.VirtualAddress%@%&i%
SET?long section=&&section.Misc.VirtualSize:8
//MESS. IFEX #[ ( %&resDir.VirtualAddress% >= %&section.VirtualAddress% ) & ( %&resDir.VirtualAddress% < ( %&section.VirtualAddress% + %&section.Misc.VirtualSize% ) ) ],@%&i%
//IFEX #[ ( %&resDir.VirtualAddress% >= %&section.VirtualAddress% ) & ( %&resDir.VirtualAddress% < ( %&section.VirtualAddress% + %&section.Misc.VirtualSize% ) ) ], // IFEX 存在BUG，不能这样嵌套使用，先算出来吧。
IFEX #%&resDir.VirtualAddress% >= %&section.VirtualAddress%,
{*
CALC &&Fix=%&section.VirtualAddress% + %&section.Misc.VirtualSize%
IFEX #%&resDir.VirtualAddress% < %&Fix%,
{*
EXIT LOOP
}
}
CALC #&i=%&i% + 1
}
// 计算资源目录在文件中的实际偏移
SET?long section=&&section.PointerToRawData:20
CALC #&&resOffset=%&resDir.VirtualAddress% - %&section.VirtualAddress% + %&section.PointerToRawData%
//MESS. %&resOffset%<&i:%&i%><CALC #&&resOffset=%&resDir.VirtualAddress% - %&section.VirtualAddress% + %&section.PointerToRawData%>@&resOffset
SET-mkfixdummy &rootDir=(%&pBase%+%&resOffset%)@0;*16
SET?short rootDir=&&rootDir.NumberOfIdEntries:(4+4+2+2+2)
//MESS. %&rootDir.NumberOfIdEntries%@&rootDir.NumberOfIdEntries
// 遍历资源类型，找到 RT_GROUP_ICON（ID=14）
//SET-mkfixdummy &typeEntry=(%&pBase%+%&resOffset%)@16;*8
//GETF &typeEntry,0#8,&&typeEntry_Hex
//MESS. %&typeEntry_Hex%@&typeEntry_Hex
ENVI &&i=0
LOOP #%&i%<%&rootDir.NumberOfIdEntries%,
{*
SET-mkfixdummy &typeEntry=(%&pBase%+%&resOffset%)@(16+(8*%&i%));*8
SET?short typeEntry=&&typeEntry.Id:0
//MESS. %&typeEntry.Id%@%&i%
IFEX #%&typeEntry.Id%=14, // RT_GROUP_ICON = 14
{*
// 获取第一个图标ID（进入ID目录的第一个条目）
SET?long typeEntry=&&typeEntry.OffsetToDirectory:4
CALC #&typeEntry.OffsetToDirectory=%&typeEntry.OffsetToDirectory% & 0x7FFFFFFF
SET-mkfixdummy &iconDir=(%&pBase%+%&resOffset%)@%&typeEntry.OffsetToDirectory%;*16
SET-mkfixdummy &iconIdEntry=(%&pBase%+%&resOffset%)@(%&typeEntry.OffsetToDirectory%+16);*8
SET?short iconIdEntry=&&iconIdEntry.Id:0
// 判断条目类型 (高位为1表示命名条目)
IFEX #%&iconIdEntry.Id% >= 0x0,
{*
// 命名条目处理
CALC #&&nameOffset=%&iconIdEntry.Id% & 0x7FFF
SET-mkfixdummy &nameHeader=(%&pBase%+%&resOffset%+%&nameOffset%)@0;*2
SET?short nameHeader=&&nameHeader.Length:0
// 读取Unicode字符串
CALC #&strAddr=%&resOffset% + %&nameOffset% + 2
GETF "%&exePath%",%&strAddr%#(%&nameHeader.Length%+14),&buffer
SET#% a=%&buffer%
CODE *,%a%,**-UNICODE,UNI
mess %&pBase% + %&resOffset% + %&nameOffset% + 2\n%&strAddr% %&nameHeader.Length%\n%UNI%
ENVI-ret~ %~2=UNI
}!
{*
// ID条目处理
ENVI-ret~ %~2=%&iconIdEntry.Id%
}
CALL$--qd --bool --ret:&&UnmapViewOfFileRet Kernel32.dll,UnmapViewOfFile,#%&pBase%;
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hMap%
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hFile%
EXIT _SUB
}
CALC #&i=%&i% + 1
}
CALL$--qd --bool --ret:&&UnmapViewOfFileRet Kernel32.dll,UnmapViewOfFile,#%&pBase%;
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hMap%
CALL$--qd --bool --ret:&&CloseHandleRet Kernel32.dll,CloseHandle,#%&hFile%
ENVI-ret %~2=0
_END

复制代码

Zap · 发表于 2025-11-6 11:00:52

红毛樱木发表于 2025-11-5 23:36
更正后的代码。
C++源码你自己改吧....

换个程序就不行了

		自动登录	找回密码
密码			注册

[更新376#2825]PECMD2012.1.80.13_Win32_64.多窗口多线程.裸机系统2.3.3.1+18M酷M...

点评

点评

点评

点评

点评

浏览过的版块