(ZT) How to walk the PE import table
2016-08-04 13:19
169 views
Preface
I found a write-up that explains quite clearly how to walk the import table and the IAT, treating the two tables together. If you need to repair the import table after dumping a file, this procedure is all you need.
Original URL: http://win32assembly.programminghorizon.com/pe-tut6.html
Import table walk-through
The array of RVAs pointed to by OriginalFirstThunk remains unchanged so that if the need arises to find the names of import functions, the PE loader can still find them. There is a little twist on this straightforward scheme. Some functions are exported by ordinal only. It means you don’t call the functions by their names: you call them by their positions. In this case, there will be no IMAGE_IMPORT_BY_NAME structure for that function in the caller’s module. Instead, the IMAGE_THUNK_DATA for that function will contain the ordinal of the function in the low word and the most significant bit (MSB) of IMAGE_THUNK_DATA set to 1. For example, if a function is exported by ordinal only and its ordinal is 1234h, the IMAGE_THUNK_DATA for that function will be 80001234h. Microsoft provides a handy constant for testing the MSB of a dword, IMAGE_ORDINAL_FLAG32. It has the value of 80000000h.
Suppose we want to list the names of ALL import functions of a PE file. We need to follow the steps below:
1. Verify that the file is a valid PE.
2. From the DOS header, go to the PE header.
3. Obtain the address of the data directory in OptionalHeader.
4. Go to the 2nd member of the data directory. Extract the value of VirtualAddress.
5. Use that value to go to the first IMAGE_IMPORT_DESCRIPTOR structure.
6. Check the value of OriginalFirstThunk. If it’s not zero, follow the RVA in OriginalFirstThunk to the RVA array. If OriginalFirstThunk is zero, use the value in FirstThunk instead. Some linkers generate PE files with 0 in OriginalFirstThunk. This is considered a bug. Just to be on the safe side, we check the value in OriginalFirstThunk first.
7. For each member in the array, we check the value of the member against IMAGE_ORDINAL_FLAG32. If the most significant bit of the member is 1, then the function is exported by ordinal and we can extract the ordinal number from the low word of the member.
8. If the most significant bit of the member is 0, use the value in the member as the RVA into the IMAGE_IMPORT_BY_NAME, skip Hint, and you’re at the name of the function.
9. Skip to the next array member, and retrieve the names until the end of the array is reached (it’s null-terminated). Now we are done extracting the names of the functions imported from a DLL. We go to the next DLL.
10. Skip to the next IMAGE_IMPORT_DESCRIPTOR and process it. Do that until the end of the array is reached (the IMAGE_IMPORT_DESCRIPTOR array is terminated by a member with all zeroes in its fields).
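The procedure above, carried out in Python as an added example (this code is mine, not from the tutorial or the original post). It constructs a minimal PE32 image in memory with two import descriptors: one DLL with a proper OriginalFirstThunk array holding an import by name and an import by ordinal 1234h, and one DLL whose OriginalFirstThunk is 0, to exercise the FirstThunk fallback. The DLL and function names, hints and section layout are constructed sample values; the header offsets and structure layouts are the documented PE32 ones.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000   # MSB of a PE32 thunk: import by ordinal
SECTION_RVA = 0x1000                # RVA of the constructed .idata section
SECTION_RAW = 0x200                 # its file offset (headers occupy the first 0x200 bytes)


def build_sample_pe():
    """Build a minimal PE32 file in memory (constructed sample data, not a real binary)."""
    sec = bytearray()

    def put(data):
        # Append data 4-byte aligned and return the RVA it was placed at.
        while len(sec) % 4:
            sec.append(0)
        rva = SECTION_RVA + len(sec)
        sec.extend(data)
        return rva

    desc_rva = put(b"\0" * (20 * 3))    # 2 descriptors + all-zero terminator, patched below
    ibn1 = put(struct.pack("<H", 0x0102) + b"GetProcAddress\0")   # IMAGE_IMPORT_BY_NAME: Hint, Name
    ibn2 = put(struct.pack("<H", 0x0003) + b"MessageBoxA\0")
    name1 = put(b"KERNEL32.dll\0")
    name2 = put(b"USER32.dll\0")
    thunks1 = struct.pack("<3I", ibn1, IMAGE_ORDINAL_FLAG32 | 0x1234, 0)   # null-terminated
    oft1 = put(thunks1)                  # OriginalFirstThunk array (left untouched by the loader)
    ft1 = put(thunks1)                   # FirstThunk array (the IAT, overwritten at load time)
    ft2 = put(struct.pack("<2I", ibn2, 0))   # USER32 gets only a FirstThunk array (OFT = 0)
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<5I", sec, 0, oft1, 0, 0, name1, ft1)
    struct.pack_into("<5I", sec, 20, 0, 0, 0, name2, ft2)

    img = bytearray(SECTION_RAW)
    img[0:2] = b"MZ"
    pe = 0x80
    struct.pack_into("<I", img, 0x3C, pe)        # e_lfanew
    img[pe:pe + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)      # PE32 magic
    struct.pack_into("<I", img, opt + 92, 16)    # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8, desc_rva, 20 * 3)   # DataDirectory[1] = import
    sh = opt + 0xE0                               # first IMAGE_SECTION_HEADER
    struct.pack_into("<8s6IHHI", img, sh, b".idata", len(sec), SECTION_RVA, len(sec),
                     SECTION_RAW, 0, 0, 0, 0, 0xC0000040)
    img.extend(sec)
    return bytes(img)


def pe_header_offset(img):
    # Steps 1-2: check the MZ and PE signatures, follow e_lfanew from the DOS header.
    if img[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return pe


def rva_to_offset(img, rva):
    """Translate an RVA to a file offset through the section table (an on-disk PE needs this)."""
    pe = pe_header_offset(img)
    nsec = struct.unpack_from("<H", img, pe + 6)[0]
    opt_size = struct.unpack_from("<H", img, pe + 20)[0]
    sh = pe + 24 + opt_size
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<4I", img, sh + 40 * i + 8)
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def read_cstr(img, off):
    return bytes(img[off:img.index(b"\0", off)]).decode("ascii")


def parse_imports(img):
    """Return {dll: [("name", func) | ("ordinal", n), ...]} by walking the import directory."""
    pe = pe_header_offset(img)
    opt = pe + 24
    if struct.unpack_from("<H", img, opt)[0] != 0x10B:
        raise ValueError("this example handles PE32 (32-bit) images only")
    # Steps 3-4: the PE32 DataDirectory starts at optional-header offset 96; entry 1 is the import directory.
    if struct.unpack_from("<I", img, opt + 92)[0] < 2:
        return {}
    imp_rva, _imp_size = struct.unpack_from("<II", img, opt + 96 + 8)
    if imp_rva == 0:
        return {}
    imports = {}
    desc = rva_to_offset(img, imp_rva)               # Step 5: first IMAGE_IMPORT_DESCRIPTOR
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<5I", img, desc)
        if oft == 0 and name_rva == 0 and ft == 0:    # Step 10: all-zero descriptor ends the array
            break
        dll = read_cstr(img, rva_to_offset(img, name_rva))
        thunk = rva_to_offset(img, oft if oft else ft)   # Step 6: prefer OFT, fall back to FT
        funcs = []
        while True:
            entry = struct.unpack_from("<I", img, thunk)[0]
            if entry == 0:                             # Step 9: the thunk array is null-terminated
                break
            if entry & IMAGE_ORDINAL_FLAG32:           # Step 7: MSB set, ordinal in the low word
                funcs.append(("ordinal", entry & 0xFFFF))
            else:                                      # Step 8: RVA of IMAGE_IMPORT_BY_NAME, skip Hint
                funcs.append(("name", read_cstr(img, rva_to_offset(img, entry) + 2)))
            thunk += 4
        imports[dll] = funcs
        desc += 20
    return imports


if __name__ == "__main__":
    for dll, funcs in parse_imports(build_sample_pe()).items():
        print(dll, funcs)
```

Running the script prints KERNEL32.dll with GetProcAddress and ordinal 0x1234, then USER32.dll with MessageBoxA. Two caveats matter for the dump-repair use the preface has in mind: the FirstThunk fallback only recovers names from an on-disk file, because in a memory dump the loader has already replaced the FirstThunk (IAT) entries with function addresses; and a dump whose file offsets equal RVAs would use the identity mapping in place of the section-table lookup shown here.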