PE Directory Entries: Export Table (Part 2), Using USER32.dll as an Example

USER32.dll IMAGE_EXPORT_DIRECTORY

0:001> lmDvmUSER32
Browse full module list
start    end        module name
77970000 77ab7000   USER32     (deferred)             
    Image path: X:\windows\SysWOW64\USER32.dll
    Image name: USER32.dll
    Browse all global symbols  functions  data
    Timestamp:        Thu Sep 14 15:00:31 2017 (59BA290F)
    CheckSum:         00149687
    ImageSize:        00147000
    File version:     10.0.10586.1176
    Product version:  10.0.10586.1176
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    Information from resource tables:
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft® Windows® Operating System
        InternalName:     user32
        OriginalFilename: user32
        ProductVersion:   10.0.10586.1176
        FileVersion:      10.0.10586.1176 (th2_release_sec.170913-1848)
        FileDescription:  Multi-User Windows USER API Client DLL
        LegalCopyright:   © Microsoft Corporation. All rights reserved.
0:001> !dh -f 77970000 

File Type: DLL
FILE HEADER VALUES
     14C machine (i386)
       6 number of sections
59BA290F time date stamp Thu Sep 14 15:00:31 2017

       0 file pointer to symbol table
       0 number of symbols
      E0 size of optional header
    2102 characteristics
            Executable
            32 bit word machine
            DLL

OPTIONAL HEADER VALUES
     10B magic #
   12.10 linker version
   99400 size of code
   A8E00 size of initialized data
       0 size of uninitialized data
   11D00 address of entry point
    1000 base of code
         ----- new -----
77970000 image base
    1000 section alignment
     200 file alignment
       2 subsystem (Windows GUI)
   10.00 operating system version
   10.00 image version
   10.00 subsystem version
  147000 size of image
     400 size of headers
  149687 checksum
00040000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
    4140  DLL characteristics
            Dynamic base
            NX compatible
            Guard
   93890 [    6AA8] address [size] of Export Directory
   9D6E4 [     2D0] address [size] of Import Directory
   A2000 [   9E3C0] address [size] of Resource Directory
       0 [       0] address [size] of Exception Directory
  141800 [    4F98] address [size] of Security Directory
  141000 [    5E8C] address [size] of Base Relocation Directory
    3B60 [      38] address [size] of Debug Directory
       0 [       0] address [size] of Description Directory
       0 [       0] address [size] of Special Directory
       0 [       0] address [size] of Thread Storage Directory
    3BB8 [      68] address [size] of Load Configuration Directory
       0 [       0] address [size] of Bound Import Directory
   9D000 [     6E0] address [size] of Import Address Table Directory
   93584 [      C0] address [size] of Delay Import Directory
       0 [       0] address [size] of COR20 Header Directory
       0 [       0] address [size] of Reserved Directory
0:001> dd 77970000+93890 L6AA8
77a03890  00000000 59ba06b0 00000000 0009615a
77a038a0  000005de 000004b1 000003a5 000938b8
77a038b0  00094b7c 00095a10 000610c0 00039ad0
77a038c0  0003bd30 0002f200 0002f240 0008b020
77a038d0  0005b880 00034b20 00028f00 00087860
77a038e0  00089040 0005eda0 0005b8c0 000397b0
...
77a1e310  00000000 00000000 00000000 00000000
77a1e320  00000000 00000000 00000000 00000000
0:001> dt -n (IMAGE_EXPORT_DIRECTORY)77970000+93890
MyApp!IMAGE_EXPORT_DIRECTORY
   +0x000 Characteristics  : 0
   +0x004 TimeDateStamp    : 0x59ba06b0
   +0x008 MajorVersion     : 0
   +0x00a MinorVersion     : 0
   +0x00c Name             : 0x9615a
   +0x010 Base             : 0x5de
   +0x014 NumberOfFunctions : 0x4b1
   +0x018 NumberOfNames    : 0x3a5
   +0x01c AddressOfFunctions : 0x938b8
   +0x020 AddressOfNames   : 0x94b7c
   +0x024 AddressOfNameOrdinals : 0x95a10

Base and Name
0:001> ? 0x5de
Evaluate expression: 1502 = 000005de
0:001> db 77970000+0x9615a
77a0615a  55 53 45 52 33 32 2e 64-6c 6c 00 41 63 74 69 76  USER32.dll.Activ
77a0616a  61 74 65 4b 65 79 62 6f-61 72 64 4c 61 79 6f 75  ateKeyboardLayou
77a0617a  74 00 41 64 64 43 6c 69-70 62 6f 61 72 64 46 6f  t.AddClipboardFo
77a0618a  72 6d 61 74 4c 69 73 74-65 6e 65 72 00 41 64 6a  rmatListener.Adj
77a0619a  75 73 74 57 69 6e 64 6f-77 52 65 63 74 00 41 64  ustWindowRect.Ad
77a061aa  6a 75 73 74 57 69 6e 64-6f 77 52 65 63 74 45 78  justWindowRectEx
77a061ba  00 41 6c 69 67 6e 52 65-63 74 73 00 41 6c 6c 6f  .AlignRects.Allo
77a061ca  77 46 6f 72 65 67 72 6f-75 6e 64 41 63 74 69 76  wForegroundActiv
AddressOfNameOrdinals
0:001> dw 77970000+0x95a10 L0x3a5
77a05a10  0001 0002 0003 0004 0005 0006 0007 0008
77a05a20  0009 000a 000b 000c 000d 000e 000f 0010
77a05a30  0011 0012 0013 0014 0015 0016 0017 0018
77a05a40  0019 001a 001b 001c 001d 001e 001f 0020
77a05a50  0021 0022 0023 0024 0025 0026 0027 0028
77a05a60  0029 002a 002b 002c 002d 002e 002f 0035
77a05a70  0036 0037 0038 0039 003a 003b 003c 003d
77a05a80  003e 003f 0040 0041 0042 0043 0044 0045
...
77a06130  0399 039a 039b 039c 039d 039e 039f 03a0
77a06140  03a1 03a2 03a3 03a4 03a5 03a6 03a7 03a8
77a06150  03a9 03aa 03ab 03ac 03ad
AddressOfNameOrdinals <--> AddressOfNames: the two arrays are aligned in order (element i of one pairs with element i of the other)
0:001> dd 77970000+0x94b7c L0x3a5
77a04b7c  00096165 0009617c 00096197 000961a8
77a04b8c  000961bb 000961c6 000961e0 000961f9
77a04b9c  00096207 00096210 0009621c 00096228
77a04bac  0009623d 0009624f 00096263 0009626e
77a04bbc  00096279 0009628a 000962a1 000962b9
77a04bcc  000962d3 000962ed 00096305 00096316
77a04bdc  00096322 0009633f 0009634d 0009635c
77a04bec  0009636b 0009637a 0009638a 0009639a
...
77a059ec  0009a2ba 0009a2d7 0009a2e3 0009a2f6
77a059fc  0009a302 0009a30e 0009a318 0009a322
77a05a0c  0009a32d
ActivateKeyboardLayout
0:001> db 77970000+00096165 
77a06165  41 63 74 69 76 61 74 65-4b 65 79 62 6f 61 72 64  ActivateKeyboard
77a06175  4c 61 79 6f 75 74 00 41-64 64 43 6c 69 70 62 6f  Layout.AddClipbo
77a06185  61 72 64 46 6f 72 6d 61-74 4c 69 73 74 65 6e 65  ardFormatListene
77a06195  72 00 41 64 6a 75 73 74-57 69 6e 64 6f 77 52 65  r.AdjustWindowRe
77a061a5  63 74 00 41 64 6a 75 73-74 57 69 6e 64 6f 77 52  ct.AdjustWindowR
77a061b5  65 63 74 45 78 00 41 6c-69 67 6e 52 65 63 74 73  ectEx.AlignRects
77a061c5  00 41 6c 6c 6f 77 46 6f-72 65 67 72 6f 75 6e 64  .AllowForeground
77a061d5  41 63 74 69 76 61 74 69-6f 6e 00 41 6c 6c 6f 77  Activation.Allow
AddClipboardFormatListener
0:001> db 77970000+0009617c 
77a0617c  41 64 64 43 6c 69 70 62-6f 61 72 64 46 6f 72 6d  AddClipboardForm
77a0618c  61 74 4c 69 73 74 65 6e-65 72 00 41 64 6a 75 73  atListener.Adjus
77a0619c  74 57 69 6e 64 6f 77 52-65 63 74 00 41 64 6a 75  tWindowRect.Adju
77a061ac  73 74 57 69 6e 64 6f 77-52 65 63 74 45 78 00 41  stWindowRectEx.A
77a061bc  6c 69 67 6e 52 65 63 74-73 00 41 6c 6c 6f 77 46  lignRects.AllowF
77a061cc  6f 72 65 67 72 6f 75 6e-64 41 63 74 69 76 61 74  oregroundActivat
77a061dc  69 6f 6e 00 41 6c 6c 6f-77 53 65 74 46 6f 72 65  ion.AllowSetFore
77a061ec  67 72 6f 75 6e 64 57 69-6e 64 6f 77 00 41 6e 69  groundWindow.Ani
0:001> db 77970000+00096197 
77a06197  41 64 6a 75 73 74 57 69-6e 64 6f 77 52 65 63 74  AdjustWindowRect
77a061a7  00 41 64 6a 75 73 74 57-69 6e 64 6f 77 52 65 63  .AdjustWindowRec
77a061b7  74 45 78 00 41 6c 69 67-6e 52 65 63 74 73 00 41  tEx.AlignRects.A
77a061c7  6c 6c 6f 77 46 6f 72 65-67 72 6f 75 6e 64 41 63  llowForegroundAc
77a061d7  74 69 76 61 74 69 6f 6e-00 41 6c 6c 6f 77 53 65  tivation.AllowSe
77a061e7  74 46 6f 72 65 67 72 6f-75 6e 64 57 69 6e 64 6f  tForegroundWindo
77a061f7  77 00 41 6e 69 6d 61 74-65 57 69 6e 64 6f 77 00  w.AnimateWindow.
77a06207  41 6e 79 50 6f 70 75 70-00 41 70 70 65 6e 64 4d  AnyPopup.AppendM
0:001> db 77970000+000961a8
77a061a8  41 64 6a 75 73 74 57 69-6e 64 6f 77 52 65 63 74  AdjustWindowRect
77a061b8  45 78 00 41 6c 69 67 6e-52 65 63 74 73 00 41 6c  Ex.AlignRects.Al
77a061c8  6c 6f 77 46 6f 72 65 67-72 6f 75 6e 64 41 63 74  lowForegroundAct
77a061d8  69 76 61 74 69 6f 6e 00-41 6c 6c 6f 77 53 65 74  ivation.AllowSet
77a061e8  46 6f 72 65 67 72 6f 75-6e 64 57 69 6e 64 6f 77  ForegroundWindow
77a061f8  00 41 6e 69 6d 61 74 65-57 69 6e 64 6f 77 00 41  .AnimateWindow.A
77a06208  6e 79 50 6f 70 75 70 00-41 70 70 65 6e 64 4d 65  nyPopup.AppendMe
77a06218  6e 75 41 00 41 70 70 65-6e 64 4d 65 6e 75 57 00  nuA.AppendMenuW.
AddressOfFunctions
Following the AddressOfNameOrdinals entries 1/2/3/... -> 00039ad0/0003bd30/...
0:001> dd 77970000+0x938b8 L0x4b1
77a038b8  000610c0 00039ad0 0003bd30 0002f200
77a038c8  0002f240 0008b020 0005b880 00034b20
77a038d8  00028f00 00087860 00089040 0005eda0
77a038e8  0005b8c0 000397b0 00032870 00038a70
77a038f8  0003bd70 00033b30 00089090 00089090
77a03908  000890c0 0005edf0 0005ee20 00083b60
77a03918  00039260 0003bda0 000895d0 000895d0
77a03928  00029d60 00013560 0002dc70 00016940
77a03938  00069030 0005b8e0 0007cc20 00039a80
77a03948  000898f0 00089920 00068de0 00068f20
...
77a04b68  00000000 00000000 0005c840 00000000
77a04b78  0007dde0
0:001> ln 77970000+000610c0
Browse module
Set bu breakpoint

(779d10c0)   USER32!SendTouchFrame   |  (779d1189)   USER32!TransferTouchInput
Exact matches:
0:001> ln 77970000+00039ad0
Browse module
Set bu breakpoint

(779a9ad0)   USER32!NtUserActivateKeyboardLayout   |  (779a9ae0)   USER32!NtBindCompositionSurface
Exact matches:
0:001> ln 77970000+0003bd30
Browse module
Set bu breakpoint

(779abd30)   USER32!NtUserAddClipboardFormatListener   |  (779abd40)   USER32!NtUserAssociateInputContext
Exact matches:
0:001> ln 0002f200
Browse module
Set bu breakpoint
0:001> ln 77970000+0002f240
Browse module
Set bu breakpoint

(7799f240)   USER32!AdjustWindowRectEx   |  (7799f27b)   USER32!_AdjustWindowRectEx
Exact matches:
    USER32!AdjustWindowRectEx (void)
0:001> ln 77970000+0008b020
Browse module
Set bu breakpoint

(779fb020)   USER32!AlignRects   |  (779fb184)   USER32!CenterRectangles
Exact matches:
0:001> ln 77970000+0005b880
Browse module
Set bu breakpoint

(779cb880)   USER32!AllowForegroundActivation   |  (779cb88d)   USER32!AreTimerProcExceptionsSuppressed
Exact matches:

depends.exe

N/A
ActivateKeyboardLayout
AddClipboardFormatListener
AdjustWindowRect
AdjustWindowRectEx
AlignRects
AllowForegroundActivation
AllowSetForegroundWindow
AnimateWindow
AnyPopup
AppendMenuA
AppendMenuW
ArrangeIconicWindows
AttachThreadInput
BeginDeferWindowPos
BeginPaint
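The lookup the transcripts above do by hand (AddressOfNames[i] -> AddressOfNameOrdinals[i] -> AddressOfFunctions[index], exported ordinal = Base + index), as an added Python example that is not part of the original post. It parses a constructed in-memory image whose export directory uses the field layout `dt` prints above, with a nameless first export (the entry depends.exe lists as N/A) and an empty RVA-0 slot like the zeros at the end of the AddressOfFunctions dump; all RVAs and strings are constructed sample values, not USER32's real table.

```python
import struct

# IMAGE_EXPORT_DIRECTORY, 40 bytes, in the field order `dt` prints on the page
EXPORT_DIR_FMT = "<IIHHIIIIIII"

def build_sample_image():
    """Constructed image (sample values, not USER32's real table): four
    AddressOfFunctions slots at Base=1502; index 0 is exported by ordinal only
    (depends.exe shows N/A), 1 and 2 are named, 3 is an empty slot (RVA 0)."""
    export_dir, funcs_rva, names_rva, ords_rva = 0x1000, 0x1028, 0x1038, 0x1040
    strings = [b"USER32.dll\0", b"ActivateKeyboardLayout\0",
               b"AddClipboardFormatListener\0"]
    str_rvas, pos = [], 0x1044
    for s in strings:
        str_rvas.append(pos)
        pos += len(s)
    funcs = [0x610C0, 0x39AD0, 0x3BD30, 0]      # AddressOfFunctions
    name_ords = [1, 2]                           # AddressOfNameOrdinals (indices!)
    image = bytearray(0x2000)
    struct.pack_into(EXPORT_DIR_FMT, image, export_dir, 0, 0x59BA06B0, 0, 0,
                     str_rvas[0], 1502, len(funcs), len(name_ords),
                     funcs_rva, names_rva, ords_rva)
    struct.pack_into("<4I", image, funcs_rva, *funcs)
    struct.pack_into("<2I", image, names_rva, *str_rvas[1:])
    struct.pack_into("<2H", image, ords_rva, *name_ords)
    blob = b"".join(strings)
    image[0x1044:0x1044 + len(blob)] = blob
    return bytes(image), export_dir

def cstr(image, rva):
    return image[rva:image.index(b"\0", rva)].decode("ascii")

def parse_exports(image, export_dir_rva):
    """Return (dll name, [(ordinal, name or None, function RVA), ...])."""
    ed = struct.unpack_from(EXPORT_DIR_FMT, image, export_dir_rva)
    name_rva, base, nfuncs, nnames, funcs_rva, names_rva, ords_rva = ed[4:11]
    funcs = struct.unpack_from(f"<{nfuncs}I", image, funcs_rva)
    name_rvas = struct.unpack_from(f"<{nnames}I", image, names_rva)
    ords = struct.unpack_from(f"<{nnames}H", image, ords_rva)
    # AddressOfNames[i] pairs with AddressOfNameOrdinals[i]; that value is an
    # index into AddressOfFunctions, and the exported ordinal is Base + index.
    name_of = {ords[i]: cstr(image, name_rvas[i]) for i in range(nnames)}
    exports = [(base + i, name_of.get(i), rva)
               for i, rva in enumerate(funcs) if rva != 0]   # skip empty slots
    return cstr(image, name_rva), exports

if __name__ == "__main__":
    dll, exports = parse_exports(*build_sample_image())
    for ordinal, name, rva in exports:          # same columns depends.exe shows
        print(f"{dll} ordinal {ordinal:5d}  {name or 'N/A':30s}  RVA {rva:#08x}")
```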