// cccc.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include"memory.h"
#include "windows.h"
#include <stdio.h>
#include <conio.h>
#include "Dbghelp.h"
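/**
 * Finds the section header whose raw data contains a given RVA.
 *
 * The section table is walked in file order and the first section with
 * VirtualAddress <= dwRVA < VirtualAddress + SizeOfRawData is returned.
 * Sections with a zero VirtualAddress are skipped.
 *
 * The header values come straight from the file, so they are untrusted. This
 * function has no way to know how large the mapped file is: the caller must
 * make sure the NT headers and all NumberOfSections section headers lie inside
 * the mapping before calling it.
 *
 * @param pimage_nt_headers  pointer to the image's NT headers
 * @param dwRVA              relative virtual address to look up
 * @return the matching section header, or NULL when no section contains dwRVA
 */
PIMAGE_SECTION_HEADER ImageRVA2Section(PIMAGE_NT_HEADERS pimage_nt_headers,DWORD dwRVA)
{
    if (pimage_nt_headers == NULL)
    {
        return(NULL);
    }

    // IMAGE_FIRST_SECTION locates the table from FileHeader.SizeOfOptionalHeader
    // instead of assuming the optional header is sizeof(IMAGE_OPTIONAL_HEADER).
    PIMAGE_SECTION_HEADER pimage_section_header = IMAGE_FIRST_SECTION(pimage_nt_headers);

    for (WORD i = 0; i < pimage_nt_headers->FileHeader.NumberOfSections; i++, pimage_section_header++)
    {
        DWORD dwSectionStart = pimage_section_header->VirtualAddress;

        if (dwSectionStart == 0 || dwRVA < dwSectionStart)
        {
            // Without the lower bound an RVA in the headers, or in a gap between
            // sections, would be attributed to the next section in the table.
            continue;
        }

        // Compare the distance into the section rather than start + size, so a
        // crafted VirtualAddress/SizeOfRawData pair cannot wrap the DWORD sum.
        if ((dwRVA - dwSectionStart) < pimage_section_header->SizeOfRawData)
        {
            return(pimage_section_header);
        }
    }
    return(NULL);
}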
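/**
 * Converts an RVA into an offset from the start of the mapped file.
 *
 * The DOS and NT signatures are checked before the section table is used.
 * The result is computed as dwRVA - VirtualAddress + PointerToRawData of the
 * section returned by ImageRVA2Section.
 *
 * The returned offset is derived from untrusted header fields and this
 * function does not know the size of the mapping: callers must check that the
 * offset (plus whatever they intend to read) lies inside the mapped file
 * before dereferencing pImageBase + offset.
 *
 * @param pImageBase  base address of the mapped PE file
 * @param dwRVA       relative virtual address to translate
 * @return the file offset, or 0 when the headers are invalid, no section
 *         contains dwRVA, or the arithmetic would wrap
 */
DWORD RVA2Offset(PCHAR pImageBase,DWORD dwRVA)
{
    if (pImageBase == NULL)
    {
        return(0);
    }

    PIMAGE_DOS_HEADER pimage_dos_header = (PIMAGE_DOS_HEADER)pImageBase;
    // e_lfanew is a signed LONG; a zero or negative value would place the NT
    // headers on top of, or before, the DOS header.
    if (pimage_dos_header->e_magic != IMAGE_DOS_SIGNATURE || pimage_dos_header->e_lfanew <= 0)
    {
        return(0);
    }

    PIMAGE_NT_HEADERS pimage_nt_headers = (PIMAGE_NT_HEADERS)(pImageBase + pimage_dos_header->e_lfanew);
    if (pimage_nt_headers->Signature != IMAGE_NT_SIGNATURE)
    {
        return(0);
    }

    PIMAGE_SECTION_HEADER section = ImageRVA2Section(pimage_nt_headers, dwRVA);
    if (section == NULL)
    {
        return(0);
    }

    // Reject an RVA below the section start so the subtraction cannot underflow.
    if (dwRVA < section->VirtualAddress)
    {
        return(0);
    }

    DWORD dwDelta = dwRVA - section->VirtualAddress;
    // Reject a PointerToRawData large enough to wrap the final sum.
    if (dwDelta > MAXDWORD - section->PointerToRawData)
    {
        return(0);
    }
    return(section->PointerToRawData + dwDelta);
}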
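/**
 * Counts the set bits in x.
 *
 * Each iteration clears the lowest set bit (v & (v - 1)), so the loop runs
 * once per set bit. The work is done on an unsigned copy: with a signed
 * operand, x - 1 overflows for INT_MIN, which is undefined behaviour.
 *
 * @param x  value whose bit pattern is inspected
 * @return number of 1 bits in x
 */
int func(int x)
{
    unsigned int bits = (unsigned int)x;
    int countx = 0;

    while (bits != 0)
    {
        bits &= bits - 1;   // drop the lowest set bit
        countx++;
    }
    return countx;
}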
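// Returns true when the byte range [offset, offset + size) lies inside a
// mapping of mapSize bytes. Written so that the addition cannot wrap.
static bool RangeInFile(DWORD offset, DWORD size, DWORD mapSize)
{
    return offset <= mapSize && size <= mapSize - offset;
}

// Returns true when a NUL terminator exists between offset and the end of the
// mapping, i.e. the string at offset can be handed to printf/strcmp without
// reading past the mapped file.
static bool StringInFile(PCHAR pImageBase, DWORD offset, DWORD mapSize)
{
    return offset < mapSize && memchr(pImageBase + offset, 0, mapSize - offset) != NULL;
}

// Walks the import directory of the mapped PE file and prints each imported
// DLL with its imported names/ordinals. Every offset taken from the file is
// checked against dwFsize before it is dereferenced; parsing stops at the
// first inconsistency.
static void DumpImports(PCHAR pImageBase, DWORD dwFsize)
{
    if (!RangeInFile(0, (DWORD)sizeof(IMAGE_DOS_HEADER), dwFsize))
    {
        printf("Malformed PE: file is smaller than a DOS header.\n");
        return;
    }

    PIMAGE_DOS_HEADER pimage_dos_header = (PIMAGE_DOS_HEADER)pImageBase;
    if (pimage_dos_header->e_magic != IMAGE_DOS_SIGNATURE ||
        pimage_dos_header->e_lfanew <= 0 ||
        !RangeInFile((DWORD)pimage_dos_header->e_lfanew, (DWORD)sizeof(IMAGE_NT_HEADERS), dwFsize))
    {
        printf("Malformed PE: bad DOS header or e_lfanew outside the file.\n");
        return;
    }

    PIMAGE_NT_HEADERS pimage_nt_headers = (PIMAGE_NT_HEADERS)(pImageBase + pimage_dos_header->e_lfanew);
    // IMAGE_NT_OPTIONAL_HDR_MAGIC matches the header layout this build was
    // compiled for; a PE32 file parsed with PE32+ structures (or the reverse)
    // would yield wrong data-directory and thunk values.
    // Only the standard optional-header size is handled, so the section table
    // sits directly after IMAGE_NT_HEADERS.
    if (pimage_nt_headers->Signature != IMAGE_NT_SIGNATURE ||
        pimage_nt_headers->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC ||
        pimage_nt_headers->FileHeader.SizeOfOptionalHeader != sizeof(IMAGE_OPTIONAL_HEADER) ||
        pimage_nt_headers->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_IMPORT)
    {
        printf("Malformed or unsupported PE: unexpected NT headers.\n");
        return;
    }

    // RVA2Offset walks the whole section table, so it must be inside the file.
    DWORD dwSectionTable = (DWORD)pimage_dos_header->e_lfanew + (DWORD)sizeof(IMAGE_NT_HEADERS);
    DWORD dwSectionTableSize = pimage_nt_headers->FileHeader.NumberOfSections * (DWORD)sizeof(IMAGE_SECTION_HEADER);
    if (!RangeInFile(dwSectionTable, dwSectionTableSize, dwFsize))
    {
        printf("Malformed PE: section table outside the file.\n");
        return;
    }

    DWORD dwImportRVA = pimage_nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (dwImportRVA == 0)
    {
        printf("No import directory.\n");
        return;
    }

    // RVA2Offset returns 0 on failure; offset 0 is the DOS header, never a
    // valid import table, so it must not be parsed as one.
    DWORD dwDescriptor = RVA2Offset(pImageBase, dwImportRVA);
    if (dwDescriptor == 0)
    {
        printf("Malformed PE: import directory RVA is not inside any section.\n");
        return;
    }

    for (;; dwDescriptor += (DWORD)sizeof(IMAGE_IMPORT_DESCRIPTOR))
    {
        if (!RangeInFile(dwDescriptor, (DWORD)sizeof(IMAGE_IMPORT_DESCRIPTOR), dwFsize))
        {
            printf("Malformed PE: import descriptor table runs past the end of the file.\n");
            return;
        }

        PIMAGE_IMPORT_DESCRIPTOR pimage_import_descriptor = (PIMAGE_IMPORT_DESCRIPTOR)(pImageBase + dwDescriptor);
        if (pimage_import_descriptor->Name == 0)
        {
            break;  // all-zero descriptor terminates the table
        }

        DWORD dwDllName = RVA2Offset(pImageBase, pimage_import_descriptor->Name);
        if (dwDllName == 0 || !StringInFile(pImageBase, dwDllName, dwFsize))
        {
            printf("Malformed PE: DLL name outside the file or unterminated.\n");
            return;
        }
        printf(" DLL Name: %s\r\n First Thunk: 0x%x\r\n", pImageBase + dwDllName,
            (unsigned int)pimage_import_descriptor->FirstThunk);

        // Prefer the import name table; fall back to the IAT when it is absent.
        DWORD dwThunkRVA = pimage_import_descriptor->OriginalFirstThunk != 0
            ? pimage_import_descriptor->OriginalFirstThunk
            : pimage_import_descriptor->FirstThunk;
        DWORD dwThunk = RVA2Offset(pImageBase, dwThunkRVA);
        if (dwThunk == 0)
        {
            printf("Malformed PE: thunk table RVA is not inside any section.\n");
            return;
        }

        for (;; dwThunk += (DWORD)sizeof(IMAGE_THUNK_DATA))
        {
            if (!RangeInFile(dwThunk, (DWORD)sizeof(IMAGE_THUNK_DATA), dwFsize))
            {
                printf("Malformed PE: thunk table runs past the end of the file.\n");
                return;
            }

            PIMAGE_THUNK_DATA pimage_thunk_data = (PIMAGE_THUNK_DATA)(pImageBase + dwThunk);
            if (pimage_thunk_data->u1.AddressOfData == 0)
            {
                break;  // zero thunk terminates this DLL's list
            }

            if (IMAGE_SNAP_BY_ORDINAL(pimage_thunk_data->u1.Ordinal))
            {
                // Import by ordinal: only the low 16 bits carry the ordinal.
                printf(" Proccess: 0x%x\r\n", (unsigned int)IMAGE_ORDINAL(pimage_thunk_data->u1.Ordinal));
                continue;
            }

            // Import by name: the thunk holds the RVA of an IMAGE_IMPORT_BY_NAME
            // whose Name field follows the 2-byte Hint.
            ULONGLONG ullNameRVA = pimage_thunk_data->u1.AddressOfData;
            DWORD dwHintName = (ullNameRVA <= MAXDWORD) ? RVA2Offset(pImageBase, (DWORD)ullNameRVA) : 0;
            DWORD dwApiName = dwHintName + (DWORD)FIELD_OFFSET(IMAGE_IMPORT_BY_NAME, Name);
            if (dwHintName == 0 || dwApiName < dwHintName || !StringInFile(pImageBase, dwApiName, dwFsize))
            {
                printf("Malformed PE: import name outside the file or unterminated.\n");
                return;
            }

            PCHAR pAPIName = pImageBase + dwApiName;
            printf(" Proccess: %s\r\n", pAPIName);
            if (strcmp(pAPIName, "MessageBoxW") == 0)
            {
                MessageBox(NULL, _T("get name"), 0, 0);
            }
        }
    }
}

/**
 * Entry point: maps "1.exe" from the current directory read-only and prints
 * its import table.
 *
 * The file is only inspected, so it is opened, mapped and viewed without
 * write access. The mapping object is unnamed: a named object could collide
 * with, or be pre-created by, another process, in which case
 * CreateFileMapping would return a handle to that existing object.
 * All handles are released on every path.
 *
 * @return always 0
 */
int _tmain(int argc, _TCHAR* argv[])
{
    HANDLE hFile = CreateFile(_T("1.exe"), GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        printf("Could not open file (error %lu)\n", (unsigned long)GetLastError());
        return 0;
    }

    // The size is needed before parsing: it is the bound for every offset
    // read from the file.
    DWORD dwFsize = GetFileSize(hFile, NULL);
    if (dwFsize == INVALID_FILE_SIZE)
    {
        printf("Could not get file size (%lu).\n", (unsigned long)GetLastError());
        CloseHandle(hFile);
        return 0;
    }

    HANDLE hMapFile = CreateFileMapping(
        hFile,          // file to map
        NULL,           // default security
        PAGE_READONLY,  // read-only access
        0,              // max. object size (high): whole file
        0,              // max. object size (low): whole file
        NULL);          // unnamed mapping object
    if (hMapFile == NULL)
    {
        printf("Could not create file mapping object (%lu).\n", (unsigned long)GetLastError());
        CloseHandle(hFile);
        return 0;
    }

    PCHAR pImageBase = (PCHAR)MapViewOfFile(hMapFile,   // handle to map object
        FILE_MAP_READ,                                  // read permission only
        0,
        0,
        dwFsize);
    if (pImageBase == NULL)
    {
        printf("Could not map view of file (%lu).\n", (unsigned long)GetLastError());
        CloseHandle(hMapFile);
        CloseHandle(hFile);
        return 0;
    }

    DumpImports(pImageBase, dwFsize);

    UnmapViewOfFile(pImageBase);
    CloseHandle(hMapFile);
    CloseHandle(hFile);

    getchar();
    func(0xfffff);
    return 0;
}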