今天逆向分析firefox浏览器中保存的账号及密码。因为firefox对账号信息的保护在不断地加强,之前分析时需要用到的一个导出函数不知被封装到哪个dll中了,而firefox安装目录下又有许多dll,用LordPE工具一个一个地查找太麻烦,于是就编写了一个小程序,遍历文件夹下所有dll的导出表,把其中的函数名称打印出来。程序只以只读方式映射文件并解析导出表,不会加载或执行这些dll。
头文件:
#include <Windows.h>
#include <stdio.h>
#include <imagehlp.h>
#pragma comment(lib, "imagehlp.lib ")
实现函数:
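// Resolves an RVA to a pointer inside the mapped file and checks that
// cbNeeded bytes starting there lie inside the mapping.
// Returns NULL when the RVA maps to no section or the range leaves the file.
static PVOID RvaToMappedPtr( PIMAGE_NT_HEADERS pNtH, PVOID ImageBase, ULONGLONG cbFile,
                             DWORD dwRva, ULONGLONG cbNeeded )
{
    PVOID p = ImageRvaToVa(pNtH, ImageBase, dwRva, NULL);
    if (!p)
        return NULL;

    ULONG_PTR uPtr  = (ULONG_PTR)p;
    ULONG_PTR uBase = (ULONG_PTR)ImageBase;
    if (uPtr < uBase)
        return NULL;

    ULONGLONG off = (ULONGLONG)(uPtr - uBase);
    if (off > cbFile || cbNeeded > cbFile - off)
        return NULL;
    return p;
}

// Resolves an RVA to a NUL-terminated string that ends inside the mapping.
// Returns NULL when the RVA is invalid or no terminator is found before EOF.
static const char* RvaToMappedString( PIMAGE_NT_HEADERS pNtH, PVOID ImageBase,
                                      ULONGLONG cbFile, DWORD dwRva )
{
    const char* s = (const char*)RvaToMappedPtr(pNtH, ImageBase, cbFile, dwRva, 1);
    if (!s)
        return NULL;

    ULONGLONG cbLeft = cbFile - (ULONGLONG)((ULONG_PTR)s - (ULONG_PTR)ImageBase);
    for (ULONGLONG k = 0; k < cbLeft; ++k)
    {
        if (s[k] == '\0')
            return s;
    }
    return NULL;
}

// Parses the PE headers of a file mapped at ImageBase (cbFile bytes long) and
// prints one line per exported function: ordinal, RVA, name.
// The file content is treated as untrusted: offsets, counts and RVAs read from
// it are validated against cbFile before they are dereferenced.
static void DumpExportTable( PVOID ImageBase, ULONGLONG cbFile )
{
    if (cbFile < sizeof(IMAGE_DOS_HEADER))
        return;

    PIMAGE_DOS_HEADER pDH = (PIMAGE_DOS_HEADER)ImageBase;
    if (pDH->e_magic != IMAGE_DOS_SIGNATURE)
        return;

    // e_lfanew comes from the file. Require room for the larger (PE32+) header
    // so either layout can be read; a DLL with sections always satisfies this.
    if (pDH->e_lfanew < 0)
        return;
    ULONGLONG offNt = (ULONGLONG)pDH->e_lfanew;
    if (offNt > cbFile || cbFile - offNt < sizeof(IMAGE_NT_HEADERS64))
        return;

    // Pointer arithmetic on a byte pointer: the original cast the base to
    // DWORD, which truncates the address in a 64-bit build.
    PIMAGE_NT_HEADERS pNtH = (PIMAGE_NT_HEADERS)((PBYTE)ImageBase + offNt);
    if (pNtH->Signature != IMAGE_NT_SIGNATURE)
        return;

    // The data directory sits at a different offset in PE32 and PE32+ images,
    // so select the layout from the optional-header magic instead of assuming
    // the 32-bit one.
    PIMAGE_DATA_DIRECTORY pDir = NULL;
    DWORD nDirs = 0;
    if (pNtH->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    {
        PIMAGE_NT_HEADERS32 p32 = (PIMAGE_NT_HEADERS32)pNtH;
        pDir  = p32->OptionalHeader.DataDirectory;
        nDirs = p32->OptionalHeader.NumberOfRvaAndSizes;
    }
    else if (pNtH->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    {
        PIMAGE_NT_HEADERS64 p64 = (PIMAGE_NT_HEADERS64)pNtH;
        pDir  = p64->OptionalHeader.DataDirectory;
        nDirs = p64->OptionalHeader.NumberOfRvaAndSizes;
    }
    else
    {
        return;
    }
    if (nDirs < IMAGE_DIRECTORY_ENTRY_EXPORT + 1)
        return;

    // ImageRvaToVa walks the section table, so make sure the whole table is
    // inside the file before calling it.
    // NOTE(review): ImageRvaToVa is assumed to need only the file header and
    // section table, so it is also used for images of the other bitness - confirm.
    ULONGLONG offSections = (ULONGLONG)((ULONG_PTR)IMAGE_FIRST_SECTION(pNtH) - (ULONG_PTR)ImageBase);
    ULONGLONG cbSections  = (ULONGLONG)pNtH->FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER);
    if (offSections > cbFile || cbSections > cbFile - offSections)
        return;

    DWORD dwDataStartRVA = pDir[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    if (!dwDataStartRVA)
        return;   // no export table

    PIMAGE_EXPORT_DIRECTORY pExportDir = (PIMAGE_EXPORT_DIRECTORY)RvaToMappedPtr(
        pNtH, ImageBase, cbFile, dwDataStartRVA, sizeof(IMAGE_EXPORT_DIRECTORY));
    if (!pExportDir)
        return;

    DWORD nFuncs = pExportDir->NumberOfFunctions;
    DWORD nNames = pExportDir->NumberOfNames;

    PDWORD pdwRvas = (PDWORD)RvaToMappedPtr(pNtH, ImageBase, cbFile,
        pExportDir->AddressOfFunctions, (ULONGLONG)nFuncs * sizeof(DWORD));
    if (!pdwRvas)
        return;

    PWORD  pwOrds   = NULL;
    PDWORD pdwNames = NULL;
    if (nNames)
    {
        pwOrds = (PWORD)RvaToMappedPtr(pNtH, ImageBase, cbFile,
            pExportDir->AddressOfNameOrdinals, (ULONGLONG)nNames * sizeof(WORD));
        pdwNames = (PDWORD)RvaToMappedPtr(pNtH, ImageBase, cbFile,
            pExportDir->AddressOfNames, (ULONGLONG)nNames * sizeof(DWORD));
        if (!pwOrds || !pdwNames)
            nNames = 0;   // name tables unusable: list by ordinal only
    }

    for (DWORD i = 0; i < nFuncs; i++)
    {
        if (!pdwRvas[i])
            continue;     // unused slot in the function table

        // Reset per function: the original printed an uninitialized or stale
        // pointer for exports that have no name.
        const char* szFuncName = NULL;
        for (DWORD j = 0; j < nNames; j++)
        {
            if (pwOrds[j] == i)
            {
                szFuncName = RvaToMappedString(pNtH, ImageBase, cbFile, pdwNames[j]);
                break;
            }
        }
        printf("%04lX\t%08lX\t%s\n",
               (unsigned long)(pExportDir->Base + i),
               (unsigned long)pdwRvas[i],
               szFuncName ? szFuncName : "(no name)");
    }
}

// Prints the export table (ordinal, RVA, name) of the PE file szName.
// The file is mapped read-only as a plain data file; it is never loaded as a
// module and none of its code runs. Returns silently when the file cannot be
// opened or mapped, or is not a PE image with an export directory.
void ShowExportFuncsInfo( char* szName )
{
    if (!szName)
        return;

    // The path is a narrow string, so call the ANSI entry points explicitly.
    HANDLE hFile = CreateFileA(szName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING,
                               FILE_ATTRIBUTE_NORMAL, 0);
    // CreateFile reports failure with INVALID_HANDLE_VALUE, not NULL.
    if (hFile == INVALID_HANDLE_VALUE)
        return;

    LARGE_INTEGER cbFile;
    if (GetFileSizeEx(hFile, &cbFile) && cbFile.QuadPart > 0)
    {
        HANDLE hMapping = CreateFileMappingA(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
        if (hMapping)
        {
            LPVOID ImageBase = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);
            if (ImageBase)
            {
                DumpExportTable(ImageBase, (ULONGLONG)cbFile.QuadPart);
                // Released on every path, including the early exits of the parser.
                UnmapViewOfFile(ImageBase);
            }
            CloseHandle(hMapping);
        }
    }
    CloseHandle(hFile);
}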
调用函数:
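// Entry point: takes one argument, a directory, and prints the export table
// of every *.dll file directly inside it (no recursion).
// Exits with 0 in all cases, as before; problems are reported on stderr.
int main()
{
    static const char szPattern[] = "\\*.dll";
    WIN32_FIND_DATAA FindData;
    HANDLE hFind;
    char FilePathName[MAX_PATH];
    char FullPathName[MAX_PATH];

    if (__argc != 2)
    {
        fprintf(stderr, "usage: <program> <directory>\n");
        return 0;
    }

    // The directory comes from the command line: check that it fits before
    // copying it into the fixed-size buffer (the original used an unchecked
    // strcpy/strcat). sizeof(szPattern) already counts the terminating NUL.
    const char* szDir = __argv[1];
    size_t cchDir = strlen(szDir);
    if (cchDir + sizeof(szPattern) > MAX_PATH)
    {
        fprintf(stderr, "directory path too long\n");
        return 0;
    }
    sprintf(FilePathName, "%s%s", szDir, szPattern);

    hFind = FindFirstFileA(FilePathName, &FindData);
    if (hFind == INVALID_HANDLE_VALUE)
    {
        return 0;
    }

    // do/while: FindFirstFile has already returned the first match. The
    // original called FindNextFile before looking at it, so the first DLL in
    // the directory was never listed.
    do
    {
        if (FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
        {
            continue;
        }

        // directory + '\' + file name + NUL must fit in FullPathName.
        if (cchDir + 1 + strlen(FindData.cFileName) + 1 > MAX_PATH)
        {
            fprintf(stderr, "skipped (path too long): %s\n", FindData.cFileName);
            continue;
        }
        sprintf(FullPathName, "%s\\%s", szDir, FindData.cFileName);

        printf("\n%s\n", FullPathName);
        ShowExportFuncsInfo(FullPathName);
    } while (FindNextFileA(hFind, &FindData));

    // The search handle was never released in the original.
    FindClose(hFind);

    getchar();   // keep the console window open until a key is pressed
    return 0;
}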