网上搜到的都是用工具depends 或者 VS 命令去遍历exe所依赖的dll.
搜集整理的一下
PE结构
前三个部分是数据组织结构部分,节表数据才是PE真正的数据部分
下面是某人写的遍历PE结构获取exe依赖的方法:
所需头文件以及链接库
#include <winnt.h>
#include <dbghelp.h>
#pragma comment(lib, "dbghelp.lib")
void printDependsDlls(const TCHAR* filePath)
{
//通过PE的格式来找到引用的dll
HANDLE hFile = CreateFile(filePath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
printf("hFile create failed!!!");
return;
}
HANDLE hFileMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
if (hFileMap == NULL || hFileMap == INVALID_HANDLE_VALUE)
{
printf("create maping failed!!!");
return;
}
LPBYTE lpbaseAddress = (LPBYTE)MapViewOfFile(hFileMap, FILE_MAP_READ, 0, 0, 0);
if (lpbaseAddress == NULL)
{
printf("colud not map view of file");
return;
}
PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)lpbaseAddress;
PIMAGE_NT_HEADERS pNtHeaders = ImageNtHeader(lpbaseAddress);
DWORD rva_import_table = pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
if (rva_import_table == 0)
{
UnmapViewOfFile(lpbaseAddress);
CloseHandle(hFileMap);
CloseHandle(hFile);
return;
}
PIMAGE_IMPORT_DESCRIPTOR pImageTable = (PIMAGE_IMPORT_DESCRIPTOR)ImageRvaToVa(pNtHeaders,lpbaseAddress, rva_import_table, NULL);
IMAGE_IMPORT_DESCRIPTOR null_iid;
memset(&null_iid, 0, sizeof(IMAGE_IMPORT_DESCRIPTOR));
for (int i=0; memcmp(pImageTable+i, &null_iid, sizeof(null_iid)) != 0; ++i)
{
LPCSTR szDllName = (LPCSTR)ImageRvaToVa(pNtHeaders, lpbaseAddress, pImageTable[i].Name, NULL);
//此处为获取到的szDllName字符串存储到CStringlist列表
//CString strDll(szDllName);
//m_strDlllist.AddTail(strDll);
printf("szDllName%s", szDllName);
printf("\n");
}
UnmapViewOfFile(lpbaseAddress);
CloseHandle(hFileMap);
CloseHandle(hFile);
}
把获取的dll字符串存入 CStringlist列表;可以拿来检测过滤exe所依赖的dll是否缺失