
获取任意一个程序的输入表

2014-05-27 14:46 375 查看
// testPE.cpp : 定义控制台应用程序的入口点。
//

#include "stdafx.h"
#include <windows.h>
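/*
 * RVAToOffset - translate a relative virtual address (RVA) into an offset
 * within the on-disk file.
 *
 * lpBase:         start of the file as mapped into memory (raw file layout)
 * VirtualAddress: RVA to translate
 *
 * Returns the file offset when some section's raw data contains the RVA,
 * otherwise 0.
 *
 * Every header field read here comes from the file and is untrusted. This
 * function is not told how large the mapping is, so it cannot bound its own
 * reads: the caller must already have verified that e_lfanew, the NT headers
 * and the whole section table lie inside the mapped file, and must
 * range-check the returned offset before dereferencing it.
 */
DWORD RVAToOffset(LPVOID lpBase,DWORD VirtualAddress)
{
IMAGE_DOS_HEADER *dosHeader=(IMAGE_DOS_HEADER*)lpBase;
IMAGE_NT_HEADERS *ntHeader=(IMAGE_NT_HEADERS*)((BYTE*)lpBase+dosHeader->e_lfanew);
/* IMAGE_FIRST_SECTION locates the table via FileHeader.SizeOfOptionalHeader
   rather than assuming the optional header is exactly sizeof(IMAGE_NT_HEADERS)
   minus the fixed part, which is wrong when the file declares another size. */
IMAGE_SECTION_HEADER *section=IMAGE_FIRST_SECTION(ntHeader);
WORD sectionCount=ntHeader->FileHeader.NumberOfSections;
WORD i;
for (i=0;i<sectionCount;i++,section++)
{
DWORD delta;
/* An RVA equal to the section start belongs to that section (a table
   frequently begins on the first byte of its section). */
if (VirtualAddress<section->VirtualAddress)
{
continue;
}
/* Compare the distance into the section instead of computing
   VirtualAddress+SizeOfRawData, which can wrap around for crafted headers. */
delta=VirtualAddress-section->VirtualAddress;
if (delta<section->SizeOfRawData)
{
/* Refuse a result that would wrap past 32 bits. */
if (delta>MAXDWORD-section->PointerToRawData)
{
return 0;
}
return section->PointerToRawData+delta;
}
}
return 0;
}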
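/* Nonzero when the byte range [offset, offset+length) lies inside a file of
   fileSize bytes. Written so that no intermediate sum can overflow. */
static int PeRangeInFile(DWORD fileSize,DWORD offset,DWORD length)
{
return offset<=fileSize && length<=fileSize-offset;
}

/* Translate an RVA with RVAToOffset and return a pointer into the mapping only
   if `length` bytes at that offset are inside the file; NULL otherwise. */
static BYTE *PePtrFromRva(LPVOID lpBase,DWORD fileSize,DWORD rva,DWORD length)
{
DWORD offset;
if (rva==0)
{
return NULL;
}
offset=RVAToOffset(lpBase,rva);
if (offset==0 || !PeRangeInFile(fileSize,offset,length))
{
return NULL;
}
return (BYTE*)lpBase+offset;
}

/* Return s as a C string only if a NUL terminator occurs before the end of the
   mapped file; NULL otherwise, so printf never reads past the mapping. */
static const char *PeStringInFile(LPVOID lpBase,DWORD fileSize,const BYTE *s)
{
const BYTE *end=(const BYTE*)lpBase+fileSize;
const BYTE *p;
if (s==NULL)
{
return NULL;
}
for (p=s;p<end;p++)
{
if (*p=='\0')
{
return (const char*)s;
}
}
return NULL;
}

/* Validate the PE headers of the mapped file and print every imported
   function. All offsets, counts and RVAs are taken from the file, so each one
   is checked against fileSize before it is dereferenced; parsing stops at the
   first inconsistent structure. DLL and function names are printed as stored
   in the file. */
static void PePrintImports(LPVOID lpBuffer,DWORD fileSize)
{
IMAGE_DOS_HEADER		* lpDosHeader;
IMAGE_NT_HEADERS		* lpNTHeader;
IMAGE_IMPORT_DESCRIPTOR * lpImportDesc;
IMAGE_THUNK_DATA		* lpThunkData;
BYTE					* lpImportByName;
DWORD ntOffset;
DWORD declaredSpan;
DWORD headerSpan;
DWORD tableSpan;
DWORD importRva;
DWORD descOffset;

/* DOS header */
if (!PeRangeInFile(fileSize,0,(DWORD)sizeof(IMAGE_DOS_HEADER)))
{
printf("this file not pe file !");
return;
}
lpDosHeader=(IMAGE_DOS_HEADER*)lpBuffer;
if (lpDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
{
printf("this file not pe file !");
return;
}

/* NT headers: e_lfanew is a signed, file-controlled offset */
if (lpDosHeader->e_lfanew<0)
{
printf("this file not pe file !");
return;
}
ntOffset=(DWORD)lpDosHeader->e_lfanew;
if (!PeRangeInFile(fileSize,ntOffset,(DWORD)sizeof(IMAGE_NT_HEADERS)))
{
printf("this file not pe file !");
return;
}
lpNTHeader=(IMAGE_NT_HEADERS*)((BYTE*)lpBuffer+ntOffset);
if (lpNTHeader->Signature!=IMAGE_NT_SIGNATURE)
{
printf("this file not pe file !");
return;
}

/* The structures used below are the ones this build was compiled for; a
   PE32 file read with PE32+ layouts (or the reverse) would be misparsed. */
if (lpNTHeader->OptionalHeader.Magic!=IMAGE_NT_OPTIONAL_HDR_MAGIC)
{
printf("optional header format does not match this build (PE32 vs PE32+)\n");
return;
}

/* RVAToOffset walks the section table without knowing the file size, so the
   whole table must be inside the file before it is called. The table follows
   the optional header; bound the larger of the size declared in the file and
   the compiled-in size so the check holds for either way of locating it. */
declaredSpan=(DWORD)FIELD_OFFSET(IMAGE_NT_HEADERS,OptionalHeader)+lpNTHeader->FileHeader.SizeOfOptionalHeader;
headerSpan=declaredSpan>(DWORD)sizeof(IMAGE_NT_HEADERS)?declaredSpan:(DWORD)sizeof(IMAGE_NT_HEADERS);
tableSpan=headerSpan+(DWORD)lpNTHeader->FileHeader.NumberOfSections*(DWORD)sizeof(IMAGE_SECTION_HEADER);
if (!PeRangeInFile(fileSize,ntOffset,tableSpan))
{
printf("section table runs past the end of the file\n");
return;
}

/* Import directory */
importRva=lpNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
if (lpNTHeader->OptionalHeader.NumberOfRvaAndSizes<=IMAGE_DIRECTORY_ENTRY_IMPORT || importRva==0)
{
printf("this file has no import table\n");
return;
}
descOffset=RVAToOffset(lpBuffer,importRva);
if (descOffset==0)
{
/* 0 means "not found"; using it would parse the DOS header as imports */
printf("import table is not inside any section\n");
return;
}

while (PeRangeInFile(fileSize,descOffset,(DWORD)sizeof(IMAGE_IMPORT_DESCRIPTOR)))
{
const char *DllName;
DWORD thunkRva;
DWORD thunkOffset;

lpImportDesc=(IMAGE_IMPORT_DESCRIPTOR*)((BYTE*)lpBuffer+descOffset);
if (lpImportDesc->FirstThunk==0)
{
break;
}
DllName=PeStringInFile(lpBuffer,fileSize,PePtrFromRva(lpBuffer,fileSize,lpImportDesc->Name,1));
/* Some linkers leave OriginalFirstThunk empty; the names are then
   reachable through FirstThunk in the on-disk file. */
thunkRva=lpImportDesc->OriginalFirstThunk?lpImportDesc->OriginalFirstThunk:lpImportDesc->FirstThunk;
thunkOffset=RVAToOffset(lpBuffer,thunkRva);
if (DllName==NULL || thunkOffset==0)
{
printf("malformed import descriptor, stopping\n");
break;
}
while (PeRangeInFile(fileSize,thunkOffset,(DWORD)sizeof(IMAGE_THUNK_DATA)))
{
lpThunkData=(IMAGE_THUNK_DATA*)((BYTE*)lpBuffer+thunkOffset);
if (lpThunkData->u1.Function==0)
{
break;
}
/* The ordinal flag is the top bit, so the masked value is never 1;
   test it with the SDK macro instead of comparing against 1. */
if (IMAGE_SNAP_BY_ORDINAL(lpThunkData->u1.Ordinal))
{
printf("从%s模块导出的函数序号为%x\n",DllName,(unsigned)IMAGE_ORDINAL(lpThunkData->u1.Ordinal));
}
else
{
const char *funcName=NULL;
/* Hint (WORD) followed by at least the terminating NUL of the name */
lpImportByName=PePtrFromRva(lpBuffer,fileSize,(DWORD)lpThunkData->u1.AddressOfData,
(DWORD)FIELD_OFFSET(IMAGE_IMPORT_BY_NAME,Name)+1);
if (lpImportByName!=NULL)
{
funcName=PeStringInFile(lpBuffer,fileSize,lpImportByName+FIELD_OFFSET(IMAGE_IMPORT_BY_NAME,Name));
}
if (funcName==NULL)
{
printf("malformed import name entry, stopping\n");
break;
}
printf("从%s模块导出的函数为:%s\n",DllName,funcName);
}
thunkOffset+=(DWORD)sizeof(IMAGE_THUNK_DATA);
}
descOffset+=(DWORD)sizeof(IMAGE_IMPORT_DESCRIPTOR);
}
}

/*
 * Entry point: maps the file named by argv[1] and prints its import table.
 *
 * The file is opened and mapped read-only: listing imports never needs write
 * access, and a read-only view cannot modify the file being examined. Writers
 * are not shared in, so the contents cannot change between a bounds check and
 * the read it protects. Returns 0 in all cases, as the original did.
 */
int _tmain(int argc, _TCHAR* argv[])
{
HANDLE					  hFile;
HANDLE					  hMap;
LPVOID					  lpBuffer= NULL;
DWORD					  fileSize;
DWORD					  fileSizeHigh=0;

if (argc<2)
{
printf("usage: testPE <pe-file>\n");
return 0;
}
/* Open the file (read access only) */
hFile=CreateFile(argv[1],
GENERIC_READ,
FILE_SHARE_READ,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
printf("open file error !%d",(int)GetLastError());
return 0;
}
/* The size bounds every later read of the mapping */
fileSize=GetFileSize(hFile,&fileSizeHigh);
if ((fileSize==INVALID_FILE_SIZE && GetLastError()!=NO_ERROR) || fileSizeHigh!=0)
{
printf("cannot determine file size, or file is 4 GB or larger\n");
CloseHandle(hFile);
return 0;
}
/* Create the file-mapping object; it reports failure with NULL,
   not INVALID_HANDLE_VALUE */
hMap=CreateFileMapping(hFile,NULL,PAGE_READONLY,0,0,NULL);
if(hMap == NULL)
{
printf("open map error !");
CloseHandle(hFile);
return 0;
}
/* Map the whole file into this process, read-only */
lpBuffer=MapViewOfFile(hMap,FILE_MAP_READ,0,0,0);
if (lpBuffer == NULL)
{
printf("MapViewOfFile error ! %d",(int)GetLastError());
CloseHandle(hMap);
CloseHandle(hFile);
return 0;
}
PePrintImports(lpBuffer,fileSize);
/* Release in reverse order of acquisition */
UnmapViewOfFile(lpBuffer);
CloseHandle(hMap);
CloseHandle(hFile);
system("pause");
return 0;
}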