// Walk the import directory of a PE image that has already been mapped into
// this process (ycOptionalHeader / ycNTHeader / ImageBase are defined elsewhere
// in the file and are not shown here). The function only reads the import
// descriptors and thunk arrays; nothing is stored or printed except the two
// trailing printf calls after the second loop.
//
// NOTE(review): the input is a parsed file, i.e. attacker-controlled data. Every
// RVA below is taken from the image and resolved with ImageRvaToVa; only one of
// the three resolutions is checked for NULL. See the inline notes.
// NOTE(review): the listing as published ends after the two printf calls
// without the function's closing brace.
void ImPortD() {
DWORD dwDataStartRVA;//RVA of the import table
PIMAGE_IMPORT_DESCRIPTOR pImportDesc;//pointer to the import table
//IMAGE_DIRECTORY_ENTRY_IMPORT=1
dwDataStartRVA = ycOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
if (!dwDataStartRVA)
return;
//RVA -> VA; note the VA is within this process's mapping of the opened PE file
// NOTE(review): the result is dereferenced on the next line without a NULL
// check. A malformed import RVA (outside any section) makes ImageRvaToVa fail,
// as the check further below for pdwThunk acknowledges; this call needs the
// same check.
pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageRvaToVa(ycNTHeader, ImageBase, dwDataStartRVA, NULL);
//walk the IID array until the zero terminator
// NOTE(review): termination relies solely on a zero FirstThunk entry existing
// inside the mapping; DataDirectory[...].Size is never used to bound the walk,
// so an image without a terminator reads past the import table.
while (pImportDesc->FirstThunk){ // alternatively: while (pImportDesc->OriginalFirstThunk)
//fields of the current IID entry (these reads have no effect; left as in the original):
pImportDesc->OriginalFirstThunk; //INT RVA
pImportDesc->TimeDateStamp;
pImportDesc->ForwarderChain;
pImportDesc->Name; //Name RVA
pImportDesc->FirstThunk; //IAT RVA
pImportDesc++; //advance to the next array entry
}//end while
//walk the INT or IAT entries for each DLL
// NOTE(review): cOrd, cMemAddr, FuncName and pByName are declared but never
// used in this block.
char cOrd[30], cMemAddr[30], * FuncName; //ordinal, address, function name
DWORD dwThunk; //value of OriginalFirstThunk or FirstThunk
DWORD* pdwRVA = NULL; //OriginalFirstThunk or FirstThunk RVA held as a pointer (never dereferenced here)
DWORD* pdwThunk = NULL; //pointer to IMAGE_THUNK_DATA
PIMAGE_IMPORT_BY_NAME pByName = NULL; // pointer to IMAGE_IMPORT_BY_NAME
//get the first IID
// NOTE(review): same unchecked ImageRvaToVa result as above, dereferenced on
// the next line.
pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageRvaToVa(ycNTHeader, ImageBase, dwDataStartRVA, NULL);
while (pImportDesc->FirstThunk) { //alternatively: pImportDesc->OriginalFirstThunk
//take the 32-bit OriginalFirstThunk (or FirstThunk) value
dwThunk = pImportDesc->OriginalFirstThunk;
//the OriginalFirstThunk/FirstThunk RVA value
// NOTE(review): this stores a raw RVA in a pointer; it is only ever
// incremented below, never dereferenced. If it is meant to track the RVA of
// the current thunk, a DWORD counter would be the honest type.
pdwRVA = (DWORD*)dwThunk;
//VA of IMAGE_THUNK_DATA
pdwThunk = (DWORD*)ImageRvaToVa(ycNTHeader, ImageBase, dwThunk, NULL);
if (!pdwThunk)
return;
// NOTE(review): entries are read as 32-bit values, which matches PE32
// (IMAGE_THUNK_DATA32). A PE32+ image has 64-bit thunks, so this walk would
// misread such an image — confirm the caller only feeds 32-bit images.
// The inner loop is again terminated only by a zero entry, with no bound.
while (*pdwThunk)//iterate the INT or IAT array
{
// test the top bit of the thunk value: 0 or 1?
// NOTE(review): this matches only when the high word is exactly 0x8000; the
// usual test for a by-ordinal entry is bit 31 alone (IMAGE_ORDINAL_FLAG32).
if (HIWORD(*pdwThunk) == 0x8000) {//test the top bit of the thunk value: 0 or 1?
//printf("ordinal");
// NOTE(review): nothing advances pdwThunk in this branch, so the first
// by-ordinal import makes `while (*pdwThunk)` spin forever on the same
// entry — a trivial denial of service from a crafted (or merely ordinary)
// import table. The two increments below belong after the if/else.
}//imported by ordinal
else { //imported by name
//move on to the next function
++pdwRVA; //advance the RVA pointer
++pdwThunk; //advance the IMAGE_THUNK_DATA pointer
}//end else
}
pImportDesc++;//next DLL's imports
}//end while
// At this point pImportDesc is the terminating descriptor (FirstThunk == 0).
// NOTE(review): casting both pointers to int truncates them on a 64-bit build;
// use a pointer difference (ptrdiff_t / %td) or uintptr_t instead.
printf("IID=%X\n", (int)pImportDesc-(int)ImageBase);
// NOTE(review): %X expects an unsigned int but receives a char*, which is
// undefined behavior; use %p for the pointer or %s if the intent is to print
// the DLL name. The terminator's Name field is 0, so this resolves RVA 0.
printf("name=%X\n", (char*)ImageRvaToVa(ycNTHeader, ImageBase, pImportDesc->Name, NULL));
