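.code

;-----------------------------------------------------------------------
; 32-bit PE import-table walker (MASM, .if/.while high-level directives).
;
; Common contract for every proc below:
;   ABI:   stdcall; pushad/popad around the body, result in eax only.
;   In:    @lpMem = start of the PE file as read from disk (file layout,
;          NOT a loaded image). RVAs are therefore translated to file
;          offsets with RvaToOffset before anything is dereferenced.
;   Fail:  RvaToOffset / IsHitSection return -1; GetSectionNumber returns
;          0 when the MZ / PE signatures are missing.
;   Note:  no buffer length is passed in, so e_lfanew, section headers and
;          RVAs can only be checked against each other, not against the
;          real size of the buffer. Callers parsing untrusted files should
;          bound @lpMem themselves before calling AnalysisImportTable.
;-----------------------------------------------------------------------

PE_MZ_MAGIC             equ 5A4Dh       ; IMAGE_DOS_HEADER.e_magic ("MZ")
PE_NT_MAGIC             equ 4550h       ; IMAGE_NT_HEADERS.Signature ("PE\0\0")
IMPORT_DIRECTORY_INDEX  equ 1           ; DataDirectory[1] = import table
THUNK_ORDINAL_FLAG      equ 80000000h   ; IMAGE_THUNK_DATA: import by ordinal
RVA_NOT_FOUND           equ -1          ; failure value of RvaToOffset/IsHitSection

;-----------------------------------------------------------------------
; IMAGE_DATA_DIRECTORY *GetImportTableAddr(void *lpMem)
; Out:   eax -> the import-table entry of the data directory (inside lpMem)
; Note:  does not validate the headers; callers go through GetSectionNumber
;        first (see AnalysisImportTable).
;-----------------------------------------------------------------------
GetImportTableAddr proc @lpMem:dword
        LOCAL   @dwAddr:dword

        pushad
        invoke  GetDataDirectoryAddr, @lpMem
        add     eax, IMPORT_DIRECTORY_INDEX * sizeof IMAGE_DATA_DIRECTORY
        mov     @dwAddr, eax
        popad
        mov     eax, @dwAddr
        ret
GetImportTableAddr endp

;-----------------------------------------------------------------------
; IMAGE_DATA_DIRECTORY *GetDataDirectoryAddr(void *lpMem)
; Out:   eax -> OptionalHeader.DataDirectory[0] (inside lpMem)
; Note:  follows e_lfanew unchecked; see file header.
;-----------------------------------------------------------------------
GetDataDirectoryAddr proc @lpMem:dword
        LOCAL   @dwAddr:dword

        pushad
        mov     esi, @lpMem
        assume  esi:ptr IMAGE_DOS_HEADER
        add     esi, [esi].e_lfanew             ; esi -> IMAGE_NT_HEADERS
        assume  esi:ptr IMAGE_NT_HEADERS
        lea     eax, [esi].OptionalHeader.DataDirectory
        assume  esi:nothing
        mov     @dwAddr, eax
        popad
        mov     eax, @dwAddr
        ret
GetDataDirectoryAddr endp

;-----------------------------------------------------------------------
; DWORD GetSectionNumber(void *lpMem)
; Out:   eax = FileHeader.NumberOfSections, or 0 when e_magic is not "MZ"
;        or the NT signature is not "PE\0\0" (the buffer is then not
;        treated as a PE file at all).
;-----------------------------------------------------------------------
GetSectionNumber proc @lpMem:dword
        LOCAL   @dwNumber:dword

        pushad
        mov     @dwNumber, 0                    ; default: not a PE file
        mov     esi, @lpMem
        assume  esi:ptr IMAGE_DOS_HEADER
        .if [esi].e_magic == PE_MZ_MAGIC
            add     esi, [esi].e_lfanew         ; esi -> IMAGE_NT_HEADERS
            assume  esi:ptr IMAGE_NT_HEADERS
            .if [esi].Signature == PE_NT_MAGIC
                movzx   eax, [esi].FileHeader.NumberOfSections
                mov     @dwNumber, eax
            .endif
        .endif
        assume  esi:nothing
        popad
        mov     eax, @dwNumber
        ret
GetSectionNumber endp

;-----------------------------------------------------------------------
; void AnalysisImportTable(void *lpMem)
; Walks the import descriptors and prints, per DLL, its name and then
; every imported function (ordinal or name) via AnalysisOriginalThunk.
; Stops early, printing nothing, when the file has no MZ/PE signatures,
; no import directory, or an import-table RVA that maps to no section.
;-----------------------------------------------------------------------
AnalysisImportTable proc @lpMem:dword
        pushad
        ; a zero section count means bad signatures or nothing to map into
        invoke  GetSectionNumber, @lpMem
        .if eax == 0
            popad
            ret
        .endif

        invoke  GetImportTableAddr, @lpMem
        mov     esi, eax
        assume  esi:ptr IMAGE_DATA_DIRECTORY
        mov     eax, [esi].VirtualAddress       ; RVA of the descriptor array
        assume  esi:nothing
        .if eax == 0
            popad                               ; file imports nothing
            ret
        .endif
        invoke  RvaToOffset, @lpMem, eax
        .if eax == RVA_NOT_FOUND
            popad                               ; RVA outside every section
            ret
        .endif
        mov     esi, @lpMem
        add     esi, eax                        ; esi -> first descriptor (file pointer)
        assume  esi:ptr IMAGE_IMPORT_DESCRIPTOR
        PrintHex esi

        ; the descriptor array is terminated by an all-zero entry
        .while [esi].OriginalFirstThunk || [esi].TimeDateStamp || [esi].ForwarderChain || [esi].Name1 || [esi].FirstThunk
            ; DLL name (ASCIIZ, referenced by RVA)
            mov     eax, [esi].Name1
            invoke  RvaToOffset, @lpMem, eax
            .if eax != RVA_NOT_FOUND
                add     eax, @lpMem
                PrintStringByAddr eax
            .endif

            ; OriginalFirstThunk (INT) may be 0; the spec then keeps the
            ; name/ordinal entries in FirstThunk (IAT) instead.
            mov     eax, [esi].OriginalFirstThunk
            .if eax == 0
                mov     eax, [esi].FirstThunk
            .endif
            invoke  RvaToOffset, @lpMem, eax
            .if eax != RVA_NOT_FOUND
                add     eax, @lpMem
                invoke  AnalysisOriginalThunk, @lpMem, eax
            .endif

            add     esi, sizeof IMAGE_IMPORT_DESCRIPTOR
        .endw
        assume  esi:nothing
        popad
        ret
AnalysisImportTable endp

;-----------------------------------------------------------------------
; DWORD IsHitSection(void *lpMem, DWORD rva)
; Out:   eax = zero-based index of the section whose
;        [VirtualAddress, VirtualAddress + SizeOfRawData) contains rva,
;        or -1 when no section does (also when the headers are invalid).
; Note:  tests the raw-data extent, whereas RvaToOffset tests VirtualSize;
;        unify the two if callers need exact loader semantics.
;-----------------------------------------------------------------------
IsHitSection proc @lpMem:dword, @lpRvaMem:dword
        LOCAL   @dwHitNumber:dword

        pushad
        mov     @dwHitNumber, RVA_NOT_FOUND     ; default: no section matched
        invoke  GetSectionNumber, @lpMem
        mov     ecx, eax                        ; ecx = headers left to test
        invoke  GetSectionTableAddr, @lpMem
        mov     esi, eax                        ; esi -> current IMAGE_SECTION_HEADER
        assume  esi:ptr IMAGE_SECTION_HEADER
        mov     edi, @lpRvaMem                  ; edi = rva under test
        xor     ebx, ebx                        ; ebx = index of the header in esi
        .while ecx != 0
            mov     eax, [esi].VirtualAddress
            add     eax, [esi].SizeOfRawData    ; eax = end of the tested range
            .if ( edi >= [esi].VirtualAddress ) && ( edi < eax )
                mov     @dwHitNumber, ebx
                .break
            .endif
            inc     ebx
            dec     ecx
            add     esi, sizeof IMAGE_SECTION_HEADER
        .endw
        assume  esi:nothing
        popad
        mov     eax, @dwHitNumber
        ret
IsHitSection endp

;-----------------------------------------------------------------------
; DWORD RvaToOffset(void *lpMem, DWORD rva)
; Out:   eax = file offset of rva, or -1 when rva lies in no section's
;        [VirtualAddress, VirtualAddress + VirtualSize), or when it lies
;        in the part of a section past SizeOfRawData (that tail exists
;        only in memory, zero-filled, so no file byte backs it).
; Note:  a header with zero sections (or bad signatures) yields -1 rather
;        than iterating 2^32 times as a bare `.untilcxz` loop would.
;-----------------------------------------------------------------------
RvaToOffset proc @lpMem:dword, @lpRvaMem:dword
        LOCAL   @dwSectionOffset:dword

        pushad
        mov     @dwSectionOffset, RVA_NOT_FOUND ; default: not mappable
        invoke  GetSectionNumber, @lpMem
        mov     ecx, eax                        ; ecx = headers left to test
        invoke  GetSectionTableAddr, @lpMem
        mov     esi, eax                        ; esi -> current IMAGE_SECTION_HEADER
        assume  esi:ptr IMAGE_SECTION_HEADER
        mov     edi, @lpRvaMem                  ; edi = rva to translate
        .while ecx != 0
            mov     eax, [esi].VirtualAddress
            add     eax, [esi].Misc.VirtualSize ; eax = end of the section in memory
            .if ( edi >= [esi].VirtualAddress ) && ( edi < eax )
                sub     edi, [esi].VirtualAddress   ; edi = offset inside the section
                .if edi < [esi].SizeOfRawData
                    mov     eax, [esi].PointerToRawData
                    add     eax, edi
                    mov     @dwSectionOffset, eax
                .endif
                .break                          ; sections do not overlap; first hit decides
            .endif
            dec     ecx
            add     esi, sizeof IMAGE_SECTION_HEADER
        .endw
        assume  esi:nothing
        popad
        mov     eax, @dwSectionOffset
        ret
RvaToOffset endp

;-----------------------------------------------------------------------
; IMAGE_SECTION_HEADER *GetSectionTableAddr(void *lpMem)
; Out:   eax -> first section header (inside lpMem)
; Note:  the section table starts at OptionalHeader + SizeOfOptionalHeader;
;        `sizeof IMAGE_NT_HEADERS` only matches files whose optional header
;        has the default length, so the field is honoured here.
;-----------------------------------------------------------------------
GetSectionTableAddr proc @lpMem:dword
        LOCAL   @dwSectionAddr:dword

        pushad
        mov     esi, @lpMem
        assume  esi:ptr IMAGE_DOS_HEADER
        add     esi, [esi].e_lfanew             ; esi -> IMAGE_NT_HEADERS
        assume  esi:ptr IMAGE_NT_HEADERS
        movzx   eax, [esi].FileHeader.SizeOfOptionalHeader
        lea     esi, [esi].OptionalHeader
        add     esi, eax                        ; esi -> section table
        assume  esi:nothing
        mov     @dwSectionAddr, esi
        popad
        mov     eax, @dwSectionAddr
        ret
GetSectionTableAddr endp

;-----------------------------------------------------------------------
; void AnalysisOriginalThunk(void *lpMem, IMAGE_THUNK_DATA *thunks)
; In:    @lpOffsetOriginalThunk = file pointer (already translated) to a
;        zero-terminated array of IMAGE_THUNK_DATA
; Prints each entry: the raw thunk value for ordinal imports (low 16 bits
; are the ordinal), the function name for by-name imports. An entry whose
; hint/name RVA maps to no section is skipped instead of dereferenced.
;-----------------------------------------------------------------------
AnalysisOriginalThunk proc @lpMem:dword, @lpOffsetOriginalThunk:dword
        pushad
        mov     esi, @lpOffsetOriginalThunk     ; esi -> current thunk
        .while dword ptr [esi]                  ; array ends with a zero thunk
            .if dword ptr [esi] & THUNK_ORDINAL_FLAG
                mov     eax, [esi]              ; import by ordinal
                PrintHex eax
            .else
                ; import by name: thunk = RVA of IMAGE_IMPORT_BY_NAME {Hint, Name}
                invoke  RvaToOffset, @lpMem, dword ptr [esi]
                .if eax != RVA_NOT_FOUND
                    add     eax, @lpMem
                    mov     edi, eax
                    assume  edi:ptr IMAGE_IMPORT_BY_NAME
                    lea     eax, [edi].Name1
                    PrintStringByAddr eax
                    assume  edi:nothing
                .endif
            .endif
            add     esi, sizeof IMAGE_THUNK_DATA
        .endw
        popad
        ret
AnalysisOriginalThunk endp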