零基础逆向工程22_PE结构06_导入表

导入表结构

/* One entry of the import table: describes a single imported DLL.
 * The import table is an array of these; an entry that is all zero
 * (sizeof(IMAGE_IMPORT_DESCRIPTOR) zero bytes) terminates the array.
 * NOTE(review): every field below is an RVA read from the file; convert
 * it with RVA->FOA and bounds-check the result against the buffer before
 * dereferencing, since a malformed image can point anywhere. */
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
    union {
        DWORD   Characteristics;
        DWORD   OriginalFirstThunk;         // RVA, points to an array of IMAGE_THUNK_DATA
    };
    DWORD   TimeDateStamp;                  // timestamp
    DWORD   ForwarderChain;
    DWORD   Name;                           // RVA, points to the DLL name (NUL-terminated string)
    DWORD   FirstThunk;                     // RVA, points to an array of IMAGE_THUNK_DATA
} IMAGE_IMPORT_DESCRIPTOR;
typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED *PIMAGE_IMPORT_DESCRIPTOR;

PE文件加载前:

PE文件加载后:

/* One element of the thunk arrays referenced by OriginalFirstThunk and
 * FirstThunk (32-bit image). Each element is a single DWORD-sized union;
 * the array is walked until a zero element. */
typedef struct _IMAGE_THUNK_DATA32 {
    union {
        PBYTE  ForwarderString;
        PDWORD Function;
        DWORD Ordinal;                      // import by ordinal number
        PIMAGE_IMPORT_BY_NAME  AddressOfData;   // points to IMAGE_IMPORT_BY_NAME (import by name)
    } u1;
} IMAGE_THUNK_DATA32;
typedef IMAGE_THUNK_DATA32 * PIMAGE_THUNK_DATA32;

/* Target of a by-name thunk: a hint followed by the function name.
 * Variable-length: Name is declared as [1] but the string continues
 * past the struct up to its NUL terminator, so the read must be bounded
 * by the buffer, not by sizeof(IMAGE_IMPORT_BY_NAME). */
typedef struct _IMAGE_IMPORT_BY_NAME {
    WORD    Hint;                           // may be 0 (compiler's choice); if non-zero, the function's index in the export table
    BYTE    Name[1];                        // function name, NUL-terminated
} IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME;

打印导入表的过程:

1.定位导入表:

数据目录项中的第2个结构就是导入表

/* Data-directory entry; the second entry locates the import table. */
typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD   VirtualAddress;                 // RVA, points to the import-table structure (convert to FOA before reading from the file)
    DWORD   Size;                           // size in bytes of the directory's data
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

	将导入表的RVA转换成FOA(文件偏移)

/* First import descriptor, found at the FOA computed from the data
 * directory's VirtualAddress. The descriptors form a contiguous array. */
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
    union {
        DWORD   Characteristics;
        DWORD   OriginalFirstThunk;         // RVA of the IMAGE_THUNK_DATA array
    };
    DWORD   TimeDateStamp;
    DWORD   ForwarderChain;
    DWORD   Name;                           // RVA of the NUL-terminated DLL name
    DWORD   FirstThunk;                     // RVA of the IMAGE_THUNK_DATA array
} IMAGE_IMPORT_DESCRIPTOR;
typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED *PIMAGE_IMPORT_DESCRIPTOR;

......

/* Last import descriptor: the array ends with an entry whose every
 * field is zero. Stop iterating on that entry, and also stop if the
 * next entry would start past the end of the buffer. */
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
    union {
        DWORD   Characteristics;
        DWORD   OriginalFirstThunk;         // zero in the terminating entry
    };
    DWORD   TimeDateStamp;
    DWORD   ForwarderChain;
    DWORD   Name;                           // zero in the terminating entry
    DWORD   FirstThunk;                     // zero in the terminating entry
} IMAGE_IMPORT_DESCRIPTOR;
typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED *PIMAGE_IMPORT_DESCRIPTOR;


连续 sizeof(IMAGE_IMPORT_DESCRIPTOR) 个字节的 0(即一个全零的描述符)代表导入表结束

2.输出DLL名字

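/* Step 2 of the walk: print the DLL name. Name is an RVA; convert it to
 * an FOA and verify the string is NUL-terminated inside the buffer before
 * printing it (a truncated or malformed image need not terminate it). */
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
    union {
        DWORD   Characteristics;
        DWORD   OriginalFirstThunk;
    };
    DWORD   TimeDateStamp;
    DWORD   ForwarderChain;
    DWORD   Name;                           // RVA, points to a NUL-terminated string: the DLL name
    DWORD   FirstThunk;
} IMAGE_IMPORT_DESCRIPTOR;
typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED *PIMAGE_IMPORT_DESCRIPTOR;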

3.遍历OriginalFirstThunk

4.遍历FirstThunk

posted @ 2017-10-04 23:23  flatcc