您的位置:首页 > 其它

WINDOWS黑客基础(6):查看文件里面的导入表

2013-07-24 09:48 369 查看 
int main(void)
{
HANDLE hFile = CreateFile("D:\\Shipyard.exe",
GENERIC_READ,
FILE_SHARE_READ,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);

HANDLE hFileMapping = CreateFileMapping(hFile,NULL,FILE_READ_ONLY,0,0,NULL);

LPBYTE lpBaseAddress = (LPBYTE)MapViewOfFile(hFileMapping,FILE_MAP_READ,0,0,0);

PIMAGE_DOS_HEADER pDostHeader = (PIMAGE_DOS_HEADER)lpBaseAddress;

PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)(lpBaseAddress + pDostHeader->e_lfanew);

DWORD rva_import_table = pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;

PIMAGE_IMPORT_DESCRIPTOR pImport =
(PIMAGE_IMPORT_DESCRIPTOR)ImageRvaToVa(pNtHeader,
lpBaseAddress,
rva_import_table,
NULL);

IMAGE_THUNK_DATA *data = NULL;

while ( pImport->Name != NULL)
{
LPCTSTR szDllName = (LPCTSTR)ImageRvaToVa(pNtHeader,lpBaseAddress,pImport->Name,NULL);

PIMAGE_THUNK_DATA pThunk =
(PIMAGE_THUNK_DATA)ImageRvaToVa(pNtHeader,
lpBaseAddress,
pImport->OriginalFirstThunk,
NULL);

printf("%s\n",szDllName);

while (pThunk->u1.Function)
{
if (pThunk->u1.AddressOfData & IMAGE_ORDINAL_FLAG32)
{
printf("序号:%d\n",pThunk->u1.AddressOfData & 0xffff);
}
else
{
PIMAGE_IMPORT_BY_NAME pFunName =
(PIMAGE_IMPORT_BY_NAME)ImageRvaToVa(
pNtHeader,
lpBaseAddress,
pThunk->u1.AddressOfData,
NULL
);

printf("%s\n",pFunName->Name);
}
pThunk++;
}

pImport ++;
}
}


这节也没什么难的,主要还是PE文件的解析,还要会运用ImageRvatoVa这个函数还取得对应的内存地址,就能解析出来了
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 点击这里给我发消息
标签: 
相关文章推荐
新的分享
章节导航