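#include "stdafx.h"
#include <tchar.h>
#include <Windows.h>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <iostream>

using namespace std;

// Unused below; kept for source compatibility. Note that it shadows the SDK's own
// PCTSTR typedef for everything that follows, so prefer removing it when nothing
// else depends on it.
#define PCTSTR const char *

/*
 * Reads the exports and imports of the installed ntoskrnl.exe straight from the
 * file on disk (not from a loaded module), so every RVA has to be translated to a
 * file offset first. The image is untrusted input as far as this parser is
 * concerned: every header field that is used as an offset or a count is checked
 * against the size of the mapping before it is dereferenced.
 */

/// @brief Validates the DOS/NT headers of a raw (file-mapped) image.
/// @param pFileData Base of the mapping.
/// @param FileSize  Size of the mapping in bytes. 0 disables the size checks
///                  (used by Rav2Raw, whose interface carries no size) — callers
///                  that have a size should validate with it first.
/// @return The NT headers, or NULL if a signature is wrong, e_lfanew is negative,
///         or (when FileSize is known) the NT headers / section table would end
///         beyond the mapping.
/// Only Signature, FileHeader and OptionalHeader.Magic may be read through the
/// returned generic type: the optional header layout differs between PE32 and
/// PE32+, so everything else goes through GetDataDirectory().
static PIMAGE_NT_HEADERS GetNtHeaders(PVOID pFileData, SIZE_T FileSize)
{
    if (pFileData == NULL)
        return NULL;
    if (FileSize != 0 && FileSize < sizeof(IMAGE_DOS_HEADER))
        return NULL;

    PIMAGE_DOS_HEADER pDosH = (PIMAGE_DOS_HEADER)pFileData;
    if (pDosH->e_magic != IMAGE_DOS_SIGNATURE)
        return NULL;
    // e_lfanew is a signed LONG; a negative value would walk in front of the mapping.
    if (pDosH->e_lfanew < 0)
        return NULL;

    ULONGLONG ntOffset = (ULONGLONG)(ULONG)pDosH->e_lfanew;
    if (FileSize != 0 &&
        ntOffset + sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER) > FileSize)
        return NULL;

    PIMAGE_NT_HEADERS pNtH = (PIMAGE_NT_HEADERS)((PUCHAR)pFileData + ntOffset);
    if (pNtH->Signature != IMAGE_NT_SIGNATURE)
        return NULL;

    if (FileSize != 0)
    {
        // The optional header (whatever its declared size) and the whole section
        // table must be inside the file before anyone indexes into them.
        ULONGLONG tableEnd = ntOffset
            + FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader)
            + pNtH->FileHeader.SizeOfOptionalHeader
            + (ULONGLONG)pNtH->FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER);
        if (tableEnd > FileSize)
            return NULL;
        if (pNtH->FileHeader.SizeOfOptionalHeader < sizeof(WORD))
            return NULL; // OptionalHeader.Magic would be outside the optional header
    }
    return pNtH;
}

/// @brief Translates an RVA into a file offset using the section table.
/// @param pFileData Base of the raw image; its headers must already be valid
///                  (see GetNtHeaders), since this interface carries no size.
/// @param rav       Relative virtual address to translate.
/// @return File offset, or (ULONG)-1 when the RVA is not backed by file data:
///         headers invalid, RVA outside every section, or inside a section's
///         virtual (zero-filled) tail beyond SizeOfRawData.
ULONG Rav2Raw(PVOID pFileData, ULONG rav)
{
    PIMAGE_NT_HEADERS pNtH = GetNtHeaders(pFileData, 0);
    if (pNtH == NULL)
        return (ULONG)-1;

    PIMAGE_SECTION_HEADER pSectH = IMAGE_FIRST_SECTION(pNtH);
    WORD nSections = pNtH->FileHeader.NumberOfSections;

    // The header region (everything before the first section) maps 1:1.
    if (nSections > 0 && rav < pSectH->VirtualAddress)
        return rav;

    for (WORD Index = 0; Index < nSections; Index++, pSectH++)
    {
        ULONG va = pSectH->VirtualAddress;
        // Some linkers leave VirtualSize at 0; fall back to the raw size then.
        ULONG vsize = pSectH->Misc.VirtualSize != 0 ? pSectH->Misc.VirtualSize
                                                    : pSectH->SizeOfRawData;
        // "rav - va < vsize" instead of "rav < va + vsize" so a crafted VirtualSize
        // cannot wrap the comparison.
        if (rav < va || rav - va >= vsize)
            continue;

        ULONG delta = rav - va;
        // Bytes past SizeOfRawData exist only in memory (zero-filled by the loader);
        // reading them from the file would return the next section's bytes.
        if (delta >= pSectH->SizeOfRawData)
            return (ULONG)-1;
        return pSectH->PointerToRawData + delta;
    }
    return (ULONG)-1;
}

/// @brief Returns &OptionalHeader.DataDirectory[DirIndex] for a PE32 or PE32+ image.
/// @param pNtH     Validated NT headers (GetNtHeaders).
/// @param DirIndex IMAGE_DIRECTORY_ENTRY_* index.
/// @return The directory entry, or NULL when the optional header magic is unknown,
///         DirIndex is beyond NumberOfRvaAndSizes, or the entry lies outside the
///         declared SizeOfOptionalHeader.
static PIMAGE_DATA_DIRECTORY GetDataDirectory(PIMAGE_NT_HEADERS pNtH, ULONG DirIndex)
{
    if (pNtH == NULL || DirIndex >= IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
        return NULL;

    WORD optSize = pNtH->FileHeader.SizeOfOptionalHeader;
    ULONGLONG entryEnd;

    // Magic sits at offset 0 of both optional header layouts.
    switch (pNtH->OptionalHeader.Magic)
    {
    case IMAGE_NT_OPTIONAL_HDR32_MAGIC:
    {
        PIMAGE_NT_HEADERS32 p32 = (PIMAGE_NT_HEADERS32)pNtH;
        entryEnd = FIELD_OFFSET(IMAGE_OPTIONAL_HEADER32, DataDirectory)
                 + (ULONGLONG)(DirIndex + 1) * sizeof(IMAGE_DATA_DIRECTORY);
        if (entryEnd > optSize || DirIndex >= p32->OptionalHeader.NumberOfRvaAndSizes)
            return NULL;
        return &p32->OptionalHeader.DataDirectory[DirIndex];
    }
    case IMAGE_NT_OPTIONAL_HDR64_MAGIC:
    {
        PIMAGE_NT_HEADERS64 p64 = (PIMAGE_NT_HEADERS64)pNtH;
        entryEnd = FIELD_OFFSET(IMAGE_OPTIONAL_HEADER64, DataDirectory)
                 + (ULONGLONG)(DirIndex + 1) * sizeof(IMAGE_DATA_DIRECTORY);
        if (entryEnd > optSize || DirIndex >= p64->OptionalHeader.NumberOfRvaAndSizes)
            return NULL;
        return &p64->OptionalHeader.DataDirectory[DirIndex];
    }
    default:
        return NULL;
    }
}

/// @brief Resolves an RVA to a pointer into the mapping, bounds-checked.
/// @param pFileData Base of the mapping.
/// @param FileSize  Size of the mapping in bytes.
/// @param rva       RVA to resolve.
/// @param Length    Number of bytes the caller intends to read at the result.
/// @return Pointer into the mapping, or NULL if the RVA has no file backing or
///         [offset, offset + Length) does not fit inside the mapping.
static PVOID RvaToPtr(PVOID pFileData, SIZE_T FileSize, ULONG rva, ULONGLONG Length)
{
    ULONG raw = Rav2Raw(pFileData, rva);
    if (raw == (ULONG)-1)
        return NULL;
    if (raw > FileSize || Length > FileSize - raw)
        return NULL;
    return (PUCHAR)pFileData + raw;
}

/// @brief RvaToPtr for a NUL-terminated ANSI string.
/// @return The string, or NULL unless a terminator exists before the end of the
///         mapping — so the result can be handed to printf/cout without overread.
static PCSTR RvaToString(PVOID pFileData, SIZE_T FileSize, ULONG rva)
{
    PCSTR s = (PCSTR)RvaToPtr(pFileData, FileSize, rva, 1);
    if (s == NULL)
        return NULL;
    SIZE_T room = FileSize - (SIZE_T)((PUCHAR)s - (PUCHAR)pFileData);
    return memchr(s, 0, room) != NULL ? s : NULL;
}

/// @brief Maps <system directory>\ntoskrnl.exe read-only.
/// @param pFileSize Receives the file size; the view covers at least this many bytes.
/// @return Base of the view (release with UnmapViewOfFile), or NULL on any failure.
/// The file and section handles are closed before returning: the view alone keeps
/// both alive. The file is opened without FILE_SHARE_WRITE so its contents cannot
/// change underneath the bounds checks done against *pFileSize.
static PVOID MapNtoskrnl(SIZE_T* pFileSize)
{
    TCHAR szNtoskrnlPath[MAX_PATH];

    // Returns 0 on failure, or the required size (> MAX_PATH - 1) if truncated.
    UINT len = GetSystemDirectory(szNtoskrnlPath, MAX_PATH);
    if (len == 0 || len >= MAX_PATH)
        return NULL;
    if (_tcscat_s(szNtoskrnlPath, MAX_PATH, _T("\\ntoskrnl.exe")) != 0) // or ntkrnlpa.exe
        return NULL;

    HANDLE hFile = CreateFile(szNtoskrnlPath, GENERIC_READ, FILE_SHARE_READ, NULL,
                              OPEN_EXISTING, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE) // CreateFile never returns NULL on failure
        return NULL;

    LARGE_INTEGER liSize;
    BOOL bSizeOk = GetFileSizeEx(hFile, &liSize)
                && liSize.QuadPart > 0
                && (ULONGLONG)liSize.QuadPart <= (SIZE_T)-1;
    if (!bSizeOk)
    {
        CloseHandle(hFile);
        return NULL;
    }

    HANDLE hFileMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
    CloseHandle(hFile);
    if (hFileMap == NULL)
        return NULL;

    PVOID pView = MapViewOfFile(hFileMap, FILE_MAP_READ, 0, 0, 0);
    CloseHandle(hFileMap);
    if (pView == NULL)
        return NULL;

    *pFileSize = (SIZE_T)liSize.QuadPart;
    return pView;
}

/// @brief Looks up a data directory of a raw image and returns a pointer to it.
/// @param ImageBase Base of the raw image. Kept as ULONG for interface
///                  compatibility; on 64-bit builds a pointer passed here is
///                  truncated, so prefer the PVOID helpers in this file.
/// @param DirIndex  IMAGE_DIRECTORY_ENTRY_* index.
/// @param ppNtH     Optional; receives the NT headers once they validate (set even
///                  when the directory itself is absent, as before).
/// @param ppDataDir Optional; receives the directory entry when present.
/// @return Pointer to the directory's contents inside the image, or NULL if the
///         headers are invalid, the entry is empty/out of range, or its RVA has
///         no file backing. No mapping size is known here, so callers must still
///         bound their own reads.
PVOID NTAPI GetImageDirEntry(
    IN ULONG ImageBase,
    IN ULONG DirIndex,
    OUT OPTIONAL PIMAGE_NT_HEADERS* ppNtH,
    OUT OPTIONAL PIMAGE_DATA_DIRECTORY* ppDataDir)
{
    PVOID pFileData = (PVOID)(ULONG_PTR)ImageBase;

    PIMAGE_NT_HEADERS pNtH = GetNtHeaders(pFileData, 0);
    if (pNtH == NULL)
        return NULL;
    if (ppNtH != NULL)
        *ppNtH = pNtH;

    PIMAGE_DATA_DIRECTORY pDataDir = GetDataDirectory(pNtH, DirIndex);
    if (pDataDir == NULL || pDataDir->VirtualAddress == 0)
        return NULL;
    if (ppDataDir != NULL)
        *ppDataDir = pDataDir;

    ULONG raw = Rav2Raw(pFileData, pDataDir->VirtualAddress);
    if (raw == (ULONG)-1)
        return NULL;
    return (PUCHAR)pFileData + raw;
}

/// @brief Prints the names in ntoskrnl.exe's export table, one per line.
/// @return TRUE when the export name table was located and walked; FALSE if the
///         file could not be mapped, the headers/export directory do not validate,
///         or an in-page error occurred while reading the view.
/// Name entries that do not resolve to a terminated string are skipped rather
/// than aborting the listing.
BOOL ShowEAT()
{
    SIZE_T fileSize = 0;
    PVOID pFileData = MapNtoskrnl(&fileSize);
    if (pFileData == NULL)
        return FALSE;

    BOOL bResult = FALSE;

    // __try is still needed with full bounds checking: a read from a file-backed
    // view can raise EXCEPTION_IN_PAGE_ERROR (I/O failure), which no pointer test
    // prevents. Only PODs live in this function — C++ objects with destructors are
    // not allowed in a function that uses __try (MSVC C2712).
    __try
    {
        PIMAGE_NT_HEADERS pNtH = GetNtHeaders(pFileData, fileSize);
        PIMAGE_DATA_DIRECTORY pDir = GetDataDirectory(pNtH, IMAGE_DIRECTORY_ENTRY_EXPORT);
        PIMAGE_EXPORT_DIRECTORY pExpDir = NULL;
        PULONG pFunName = NULL;

        // An all-zero entry means the image has no export table at all.
        if (pDir != NULL && pDir->VirtualAddress != 0)
            pExpDir = (PIMAGE_EXPORT_DIRECTORY)RvaToPtr(pFileData, fileSize,
                                                        pDir->VirtualAddress,
                                                        sizeof(IMAGE_EXPORT_DIRECTORY));
        // Check the whole name-pointer array up front so the loop below cannot
        // run off the mapping on a crafted NumberOfNames.
        if (pExpDir != NULL)
            pFunName = (PULONG)RvaToPtr(pFileData, fileSize, pExpDir->AddressOfNames,
                                        (ULONGLONG)pExpDir->NumberOfNames * sizeof(ULONG));

        if (pFunName != NULL)
        {
            for (ULONG Index = 0; Index < pExpDir->NumberOfNames; Index++)
            {
                PCSTR pName = RvaToString(pFileData, fileSize, pFunName[Index]);
                if (pName == NULL)
                    continue;
                cout << pName << endl;
            }
            bResult = TRUE;
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        bResult = FALSE;
    }

    UnmapViewOfFile(pFileData);
    return bResult;
}

/// @brief Prints ntoskrnl.exe's import table: each module, then its functions.
/// @return TRUE when the import directory was located and walked; FALSE if the
///         file could not be mapped, the headers/import directory do not validate,
///         or an in-page error occurred while reading the view.
/// Walks the import-name table (OriginalFirstThunk) when present, else the IAT.
/// Thunk width and the ordinal flag follow the image's own format (PE32/PE32+),
/// not the build's; ordinal-only imports print as "#<ordinal>".
BOOL ShowIAT()
{
    SIZE_T fileSize = 0;
    PVOID pBase = MapNtoskrnl(&fileSize);
    if (pBase == NULL)
        return FALSE;

    BOOL bResult = FALSE;

    // See ShowEAT for why __try is kept and why only PODs are used here.
    __try
    {
        PIMAGE_NT_HEADERS pNtHeaders = GetNtHeaders(pBase, fileSize);
        PIMAGE_DATA_DIRECTORY pDir = GetDataDirectory(pNtHeaders, IMAGE_DIRECTORY_ENTRY_IMPORT);

        if (pDir != NULL && pDir->VirtualAddress != 0)
        {
            BOOL bIs64 = pNtHeaders->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC;
            ULONG thunkSize = bIs64 ? sizeof(IMAGE_THUNK_DATA64) : sizeof(IMAGE_THUNK_DATA32);
            ULONGLONG ordinalFlag = bIs64 ? IMAGE_ORDINAL_FLAG64 : IMAGE_ORDINAL_FLAG32;

            ULONG rvaImport = pDir->VirtualAddress;
            for (;;)
            {
                PIMAGE_IMPORT_DESCRIPTOR pImport = (PIMAGE_IMPORT_DESCRIPTOR)
                    RvaToPtr(pBase, fileSize, rvaImport, sizeof(IMAGE_IMPORT_DESCRIPTOR));
                // The descriptor array is terminated by an all-zero entry.
                if (pImport == NULL || pImport->Name == 0)
                    break;
                if (pImport->OriginalFirstThunk == 0 && pImport->FirstThunk == 0)
                    break;

                PCSTR pModName = RvaToString(pBase, fileSize, pImport->Name);
                printf("模块:%s\n", pModName != NULL ? pModName : "");

                ULONG rvaThunk = pImport->OriginalFirstThunk != 0 ? pImport->OriginalFirstThunk
                                                                  : pImport->FirstThunk;
                for (;;)
                {
                    PVOID pThunk = RvaToPtr(pBase, fileSize, rvaThunk, thunkSize);
                    if (pThunk == NULL)
                        break;
                    // u1.Ordinal is the plain integer view of the thunk in every SDK
                    // version (the other union members were pointers in old headers).
                    ULONGLONG entry = bIs64 ? ((PIMAGE_THUNK_DATA64)pThunk)->u1.Ordinal
                                            : ((PIMAGE_THUNK_DATA32)pThunk)->u1.Ordinal;
                    if (entry == 0)
                        break;

                    if (entry & ordinalFlag)
                    {
                        printf("\t函数:#%u\n", (unsigned)(entry & 0xFFFF));
                    }
                    else
                    {
                        // The entry is the RVA of an IMAGE_IMPORT_BY_NAME {Hint, Name[]}.
                        ULONGLONG rvaName = entry + FIELD_OFFSET(IMAGE_IMPORT_BY_NAME, Name);
                        PCSTR pAddr = rvaName <= 0xFFFFFFFFull
                            ? RvaToString(pBase, fileSize, (ULONG)rvaName)
                            : NULL;
                        if (pAddr == NULL)
                            printf("\t函数:\n");
                        else
                            printf("\t函数:%s\n", pAddr);
                    }
                    rvaThunk += thunkSize;
                }
                rvaImport += sizeof(IMAGE_IMPORT_DESCRIPTOR);
            }
            bResult = TRUE;
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        bResult = FALSE;
    }

    UnmapViewOfFile(pBase);
    return bResult;
}

/// @brief Lists exports then imports of the installed kernel image; failures are
///        reported on stderr so an empty listing is distinguishable from success.
int main()
{
    if (!ShowEAT())
        fprintf(stderr, "ShowEAT failed\n");
    if (!ShowIAT())
        fprintf(stderr, "ShowIAT failed\n");
    system("pause");
    return 0;
}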