#include<iostream>
#include<Windows.h>
char* LoadFile(const char* szbuffer)
{
HANDLE ret = CreateFileA(szbuffer, GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
if (ret == INVALID_HANDLE_VALUE)
{
return 0;
}
DWORD fs = GetFileSize(ret, NULL);
char* tempbuff = new char[fs];
memset(tempbuff, 0, fs);
DWORD filenum = 0;
if (ReadFile(ret, tempbuff, fs, &filenum, NULL))
{
return tempbuff;
}
return 0;
}
DWORD RvaToFoa(DWORD dwRva, char* szbuffer)
{
PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)szbuffer;
PIMAGE_NT_HEADERS pNt = (PIMAGE_NT_HEADERS)((DWORD)pDos + pDos->e_lfanew);
PIMAGE_SECTION_HEADER pSh = (PIMAGE_SECTION_HEADER)((DWORD)pNt + sizeof(IMAGE_NT_HEADERS));
if (dwRva < pSh->VirtualAddress)
{
return dwRva;
}
for (size_t i = 0; i < pNt->FileHeader.NumberOfSections; i++)
{
if (pSh[i].VirtualAddress <= dwRva && dwRva <= pSh[i].Misc.VirtualSize + pSh[i].VirtualAddress)
{
return dwRva - pSh[i].VirtualAddress + pSh[i].PointerToRawData;
}
}
return 0;
}
BOOL ExportTable(char* szbuffer)
{
PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)szbuffer;
PIMAGE_NT_HEADERS pNt = (PIMAGE_NT_HEADERS)((DWORD)pDos + pDos->e_lfanew);
DWORD mExport = pNt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
PIMAGE_EXPORT_DIRECTORY pEd = (PIMAGE_EXPORT_DIRECTORY)(RvaToFoa(mExport, szbuffer) + szbuffer);
char* name = (char*)(RvaToFoa(pEd->Name, szbuffer) + szbuffer);
printf("Dll名称:%s\n", name);
printf("名称RVA:%08X\n", pEd->Name);
printf("导出表RVA:%08X\n", RvaToFoa(mExport, szbuffer));
printf("基数:%08X\n", pEd->Base);
printf("特征值:%08X\n", pEd->Characteristics);
printf("函数数量:%d\n", pEd->NumberOfFunctions);
printf("函数名数量:%d\n", pEd->NumberOfNames);
printf("函数导入表地址:%08X\n", pEd->AddressOfFunctions);
printf("函数名称地址:%08X\n", pEd->AddressOfNames);
printf("函数名称序号地址:%08X\n\n", pEd->AddressOfNameOrdinals);
DWORD* dwFab = (DWORD*)(RvaToFoa(pEd->AddressOfFunctions, szbuffer) + szbuffer);
DWORD* dwNab = (DWORD*)(RvaToFoa(pEd->AddressOfNames, szbuffer) + szbuffer);
WORD* dwNoab = (WORD*)(RvaToFoa(pEd->AddressOfNameOrdinals, szbuffer) + szbuffer);
//函数地址表的是个数组,数组每一个元素里面存放的函数的地址(RVA),既然是数组,那么每个元素就有下标,只是说有的元素里面没有地址,但他的下一元素又有地址,是生成dll时,人为修改的
//上面说了函数地址表的是数组,数组有下标,而这个函数名称序号表(2字节的数组)又存放了函数地址表的下标,而函数名称序号表自身也有下标,这个下标又与函数名称表的下标一 一对应
for (size_t i = 0; i < pEd->NumberOfFunctions; i++)
{
//因为pEd->NumberOfFunctions,是不准确的,pEd->NumberOfFunctions = 最大导出序号 — pEd->Base + 1
if (dwFab[i] == 0)//过滤函数地址是0的数组元素,跳过它遍历下一个元素
{
continue;
}
size_t j = 0;
for (; j < pEd->NumberOfNames; j++)
{ //因为函数名称序号表里面存放的是地址表的数组下标
if (dwNoab[j] == i)//在函数名称序号表里面 找 当前函数地址(i),有没有存放在函数名称序号表里面
{
break;
}
}
//没有找到名称
if (j == pEd->NumberOfNames)//如果在函数名称序号表里面找到了,j永远是小于pEd->NumberOfNames,
{
DWORD Foa = RvaToFoa(dwFab[i], szbuffer);
printf("序号:%04x 函数地址RVA:%08X 函数文件偏移:%08X 函数名称[—]\n", pEd->Base + i, dwFab[i], Foa);
}
else
{
DWORD Foa = RvaToFoa(dwFab[i], szbuffer);
char* name = (char*)(RvaToFoa(dwNab[j], szbuffer) + szbuffer);
printf("序号:%04x 函数地址RVA:%08X 函数文件偏移:%08X 函数名称[%s]\n", pEd->Base + i, dwFab[i], Foa, name);
}
}
return true;
}
int main()
{
char* szbuffer = LoadFile("C:\\Users\\Administrator\\Desktop/Dll1.dll");
ExportTable(szbuffer);
system("pause");
return 0;
}
PE文件结构—导出表解析
于 2024-05-11 17:18:41 首次发布