PECode

#include <windows.h>
#include <stdio.h>

 

DWORD  RAVOffset(char*  lpBaseAddress,DWORD VirtualAddress);

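/* Return nonzero when the byte range [offset, offset + length) lies inside a
 * mapping of `size` bytes. Written as a subtraction so the sum cannot wrap. */
static int pe_range_ok(DWORD size, DWORD offset, DWORD length)
{
    return offset <= size && length <= size - offset;
}

/* Return nonzero when a NUL terminator exists between `offset` and the end of
 * the mapping, i.e. the string at `offset` can be printed without reading
 * past the mapped file. */
static int pe_string_ok(const char *base, DWORD size, DWORD offset)
{
    DWORD i;

    for (i = offset; i < size; i++) {
        if (base[i] == '\0') {
            return 1;
        }
    }
    return 0;
}

/*
 * Map "fenglei.exe" from the current directory read-only and print the DLLs
 * and functions listed in its import table.
 *
 * The file contents are treated as untrusted: every offset taken from a
 * header field is checked against the file size before it is dereferenced,
 * and every RVA is converted to a file offset with RAVOffset() because the
 * file is mapped as raw data, not loaded as an image.
 *
 * Returns 0 when the import table was walked to its end (or the file has no
 * import table), 1 on any I/O failure or malformed header.
 */
int main(void)
{
    int status = 1;
    char FileName[256] = {0};
    HANDLE hOpenFile = INVALID_HANDLE_VALUE;
    HANDLE hMapping = NULL;
    LPVOID lpMappingAddress = NULL;
    char *lpBaseAddress = NULL;
    PIMAGE_DOS_HEADER p_image_dos_header = NULL;
    PIMAGE_NT_HEADERS p_image_NT_header = NULL;
    DWORD fileSize = 0;
    DWORD fileSizeHigh = 0;
    DWORD dirLength = 0;
    DWORD ntOffset = 0;
    DWORD importRva = 0;
    DWORD descOffset = 0;
    ULONGLONG sectionTableEnd = 0;
    int appended = 0;

    /* GetCurrentDirectory returns 0 on failure and the required size when the
     * buffer is too small; both leave FileName unusable. */
    dirLength = GetCurrentDirectory(sizeof FileName, FileName);
    if (dirLength == 0 || dirLength >= sizeof FileName) {
        printf("Get  Current  Directory  Error\n");
        return 1;
    }

    /* Bounded append: the original strcat could write past FileName when the
     * directory path was close to 256 characters. */
    appended = snprintf(FileName + dirLength, sizeof FileName - dirLength,
                        "%s", "//fenglei.exe");
    if (appended < 0 || (size_t)appended >= sizeof FileName - dirLength) {
        printf("File  Name  Too  Long\n");
        return 1;
    }

    hOpenFile = CreateFile(FileName, GENERIC_READ,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hOpenFile == INVALID_HANDLE_VALUE) {
        printf("Open  File  Error\n");
        return 1;
    }

    /* The size is the bound for every later offset check. Offsets in a PE
     * file are 32-bit, so a file that needs the high DWORD is rejected. */
    fileSize = GetFileSize(hOpenFile, &fileSizeHigh);
    if (fileSize == INVALID_FILE_SIZE || fileSizeHigh != 0) {
        printf("Get  File  Size  Error\n");
        goto cleanup;
    }

    hMapping = CreateFileMapping(hOpenFile, NULL, PAGE_READONLY, 0, 0, 0);
    if (hMapping == NULL) {
        printf("Mapping  File  Error\n");
        goto cleanup;
    }

    lpMappingAddress = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);
    if (lpMappingAddress == NULL) {
        printf("View  Mapping  Error\n");
        goto cleanup;
    }

    lpBaseAddress = (char *)lpMappingAddress;

    /* DOS header: must fit in the file and carry the "MZ" magic. */
    if (!pe_range_ok(fileSize, 0, sizeof(IMAGE_DOS_HEADER))) {
        printf("File  Too  Small  For  DOS  Header\n");
        goto cleanup;
    }
    p_image_dos_header = (PIMAGE_DOS_HEADER)lpBaseAddress;
    if (p_image_dos_header->e_magic != IMAGE_DOS_SIGNATURE) {
        printf("Bad  DOS  Signature\n");
        goto cleanup;
    }
    printf("finded  The  NT  Header\n");

    /* e_lfanew is a signed field read from the file; reject negative values
     * and anything that would place the NT headers outside the mapping. */
    if (p_image_dos_header->e_lfanew <= 0) {
        printf("Bad  NT  Header  Offset\n");
        goto cleanup;
    }
    ntOffset = (DWORD)p_image_dos_header->e_lfanew;
    if (!pe_range_ok(fileSize, ntOffset, sizeof(IMAGE_NT_HEADERS))) {
        printf("Bad  NT  Header  Offset\n");
        goto cleanup;
    }
    p_image_NT_header = (PIMAGE_NT_HEADERS)(lpBaseAddress + ntOffset);
    if (p_image_NT_header->Signature != IMAGE_NT_SIGNATURE) {
        printf("Bad  PE  Signature\n");
        goto cleanup;
    }
    printf("Finde  The  PE  Header\n");

    /* The optional header and thunk layouts differ between PE32 and PE32+.
     * The structs used here match this build only, so a file of the other
     * kind, or one with a truncated optional header, is rejected rather than
     * read through the wrong layout. */
    if (p_image_NT_header->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC ||
        p_image_NT_header->FileHeader.SizeOfOptionalHeader < sizeof(IMAGE_OPTIONAL_HEADER)) {
        printf("Unsupported  Optional  Header\n");
        goto cleanup;
    }

    /* RAVOffset() walks the section table without knowing the file size, so
     * the whole table is bounded here before the first call. 64-bit
     * arithmetic keeps the sum from wrapping. */
    sectionTableEnd = (ULONGLONG)ntOffset
                    + (ULONGLONG)FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader)
                    + p_image_NT_header->FileHeader.SizeOfOptionalHeader
                    + (ULONGLONG)p_image_NT_header->FileHeader.NumberOfSections
                      * sizeof(IMAGE_SECTION_HEADER);
    if (sectionTableEnd > fileSize) {
        printf("Section  Table  Outside  File\n");
        goto cleanup;
    }

    if (p_image_NT_header->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_IMPORT) {
        printf("No  Import  Directory\n");
        status = 0;
        goto cleanup;
    }
    importRva = p_image_NT_header->OptionalHeader
                    .DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (importRva == 0) {
        printf("No  Import  Directory\n");
        status = 0;
        goto cleanup;
    }

    /* The directory entry holds an RVA. The original added it to the mapping
     * base directly, which is only right when RVA == file offset. */
    descOffset = RAVOffset(lpBaseAddress, importRva);
    if (descOffset == 0) {
        printf("Import  Directory  Not  In  Any  Section\n");
        goto cleanup;
    }

    for (;; descOffset += sizeof(IMAGE_IMPORT_DESCRIPTOR)) {
        PIMAGE_IMPORT_DESCRIPTOR p_image_import_descriptory;
        DWORD nameOffset;
        DWORD thunkRva;
        DWORD thunkOffset;

        /* A table without its zero terminator must not run off the mapping. */
        if (!pe_range_ok(fileSize, descOffset, sizeof(IMAGE_IMPORT_DESCRIPTOR))) {
            printf("Import  Descriptor  Outside  File\n");
            goto cleanup;
        }
        p_image_import_descriptory = (PIMAGE_IMPORT_DESCRIPTOR)(lpBaseAddress + descOffset);
        if (p_image_import_descriptory->FirstThunk == 0) {
            break;
        }

        nameOffset = RAVOffset(lpBaseAddress, p_image_import_descriptory->Name);
        if (nameOffset == 0 || !pe_string_ok(lpBaseAddress, fileSize, nameOffset)) {
            printf("Bad  Module  Name\n");
            goto cleanup;
        }
        printf(" the  module  Name is :%s\n", lpBaseAddress + nameOffset);

        /* Some linkers leave OriginalFirstThunk at 0; on disk FirstThunk then
         * carries the same name/ordinal entries. */
        thunkRva = p_image_import_descriptory->OriginalFirstThunk;
        if (thunkRva == 0) {
            thunkRva = p_image_import_descriptory->FirstThunk;
        }
        thunkOffset = RAVOffset(lpBaseAddress, thunkRva);
        if (thunkOffset == 0) {
            printf("Bad  Thunk  Table\n");
            goto cleanup;
        }

        for (;; thunkOffset += sizeof(IMAGE_THUNK_DATA)) {
            PIMAGE_THUNK_DATA p_image_thunk_data;
            DWORD byNameOffset;

            if (!pe_range_ok(fileSize, thunkOffset, sizeof(IMAGE_THUNK_DATA))) {
                printf("Thunk  Table  Outside  File\n");
                goto cleanup;
            }
            p_image_thunk_data = (PIMAGE_THUNK_DATA)(lpBaseAddress + thunkOffset);
            if (p_image_thunk_data->u1.Function == 0) {
                break;
            }

            /* An import by ordinal has no IMAGE_IMPORT_BY_NAME record; its
             * low bits are a number, not an RVA. */
            if (IMAGE_SNAP_BY_ORDINAL(p_image_thunk_data->u1.Ordinal)) {
                printf("The  Function  Ordinal  Is:    %u\n",
                       (unsigned)IMAGE_ORDINAL(p_image_thunk_data->u1.Ordinal));
                continue;
            }

            byNameOffset = RAVOffset(lpBaseAddress,
                                     (DWORD)p_image_thunk_data->u1.AddressOfData);
            /* The record is a WORD hint followed by the NUL-terminated name. */
            if (byNameOffset == 0 ||
                !pe_range_ok(fileSize, byNameOffset, sizeof(WORD)) ||
                !pe_string_ok(lpBaseAddress, fileSize,
                              byNameOffset + (DWORD)sizeof(WORD))) {
                printf("Bad  Import  Name\n");
                goto cleanup;
            }
            printf("The  Function  Name  Is:    %s\n",
                   lpBaseAddress + byNameOffset + sizeof(WORD));
        }
    }

    status = 0;

cleanup:
    /* Release in reverse order of acquisition; each guard skips a resource
     * that was never obtained. */
    if (lpMappingAddress != NULL) {
        UnmapViewOfFile(lpMappingAddress);
    }
    if (hMapping != NULL) {
        CloseHandle(hMapping);
    }
    if (hOpenFile != INVALID_HANDLE_VALUE) {
        CloseHandle(hOpenFile);
    }
    return status;
}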
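/**
 * Translate a relative virtual address (RVA) into an offset inside the raw
 * file by finding the section whose raw data covers it.
 *
 * @param lpBaseAddress  Start of the file as mapped in memory (raw file
 *                       layout, not a loaded image).
 * @param VirtualAddress RVA to translate.
 * @return The file offset, or 0 when no section covers the RVA or the
 *         resulting offset would not fit in a DWORD.
 *
 * This function takes no size argument and so cannot bounds-check its own
 * reads: the caller must already have confirmed that the DOS header, the NT
 * headers and the whole section table lie inside the mapped file. The
 * returned offset is computed from section header fields in the file and
 * must itself be checked against the file size before it is dereferenced.
 */
DWORD RAVOffset(char *lpBaseAddress, DWORD VirtualAddress)
{
    PIMAGE_DOS_HEADER p_image_dos_header = (PIMAGE_DOS_HEADER)lpBaseAddress;
    PIMAGE_NT_HEADERS p_image_NT_header =
        (PIMAGE_NT_HEADERS)(lpBaseAddress + p_image_dos_header->e_lfanew);
    /* The section table starts after the optional header, whose length is
     * given by FileHeader.SizeOfOptionalHeader. Using sizeof(IMAGE_NT_HEADERS)
     * instead misplaces the table whenever that field differs from the
     * compile-time struct size. */
    PIMAGE_SECTION_HEADER p_image_section_header = IMAGE_FIRST_SECTION(p_image_NT_header);
    DWORD NumberOfSection = p_image_NT_header->FileHeader.NumberOfSections;
    DWORD index;

    for (index = 0; index < NumberOfSection; index++, p_image_section_header++) {
        DWORD RAV;

        if (VirtualAddress < p_image_section_header->VirtualAddress) {
            continue;
        }

        /* Compare the distance into the section rather than
         * VirtualAddress + SizeOfRawData, which can wrap around for a
         * section header with a large VirtualAddress. */
        RAV = VirtualAddress - p_image_section_header->VirtualAddress;
        if (RAV >= p_image_section_header->SizeOfRawData) {
            continue;
        }

        /* PointerToRawData + RAV must not wrap to a small, plausible-looking
         * offset. */
        if (p_image_section_header->PointerToRawData > MAXDWORD - RAV) {
            return 0;
        }
        return p_image_section_header->PointerToRawData + RAV;
    }

    return 0;
}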
