WINDOWS黑客基础(6):查看文件里面的导入表
int main(void) { HANDLE hFile = CreateFile("D:\\Shipyard.exe", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); HANDLE hFileMapping = CreateFileMapping(hFile,NULL,FILE_READ_ONLY,0,0,NULL); LPBYTE lpBaseAddress = (LPBYTE)MapViewOfFile(hFileMapping,FILE_MAP_READ,0,0,0); PIMAGE_DOS_HEADER pDostHeader = (PIMAGE_DOS_HEADER)lpBaseAddress; PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)(lpBaseAddress + pDostHeader->e_lfanew); DWORD rva_import_table = pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; PIMAGE_IMPORT_DESCRIPTOR pImport = (PIMAGE_IMPORT_DESCRIPTOR)ImageRvaToVa(pNtHeader, lpBaseAddress, rva_import_table, NULL); IMAGE_THUNK_DATA *data = NULL; while ( pImport->Name != NULL) { LPCTSTR szDllName = (LPCTSTR)ImageRvaToVa(pNtHeader,lpBaseAddress,pImport->Name,NULL); PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)ImageRvaToVa(pNtHeader, lpBaseAddress, pImport->OriginalFirstThunk, NULL); printf("%s\n",szDllName); while (pThunk->u1.Function) { if (pThunk->u1.AddressOfData & IMAGE_ORDINAL_FLAG32) { printf("序号:%d\n",pThunk->u1.AddressOfData & 0xffff); } else { PIMAGE_IMPORT_BY_NAME pFunName = (PIMAGE_IMPORT_BY_NAME)ImageRvaToVa( pNtHeader, lpBaseAddress, pThunk->u1.AddressOfData, NULL ); printf("%s\n",pFunName->Name); } pThunk++; } pImport ++; } }
这节也没什么难的,主要还是PE文件的解析,还要会运用ImageRvatoVa这个函数还取得对应的内存地址,就能解析出来了