1. 导入表
2. 显示导入表信息的例子
; 作用: 将RVA地址转成FOA即文件偏移
; 参数: _pFileHdr 指向读到内存中文件的基址指针
; _dwRVA 目标RVA地址
; 返回: 目标RVA转成文件偏移的值
RVA2FOA PROC USES esi edi edx, _pFileHdr:PTR BYTE, _dwRVA:DWORDmov esi, _pFileHdr assume esi:ptr IMAGE_DOS_HEADER; 获取PE头mov edi, [esi].e_lfanewassume esi:nothingadd edi, esi assume edi:ptr IMAGE_NT_HEADERS32; 获取节数movzx ecx, [edi].FileHeader.NumberOfSectionsassume edi:nothing; 获取节表地址add edi, SIZEOF IMAGE_NT_HEADERS32assume edi:ptr IMAGE_SECTION_HEADER
L0:mov edx, _dwRVAcmp edx, [edi].VirtualAddressjb @Fmov eax, [edi].VirtualAddressadd eax, [edi].SizeOfRawDatacmp edx, eaxjae @Fsub edx, [edi].VirtualAddressadd edx, [edi].PointerToRawDatamov eax, edxjmp Ending
@@:add edi, SIZEOF IMAGE_SECTION_HEADERloop L0xor eax, eax
Ending:retRVA2FOA ENDP.data
Crlf BYTE 0dh, 0ah, 0
szDllName BYTE "导出表: %s", 0dh, 0ah, 0
szSep BYTE "---------------------------", 0dh, 0ah, 0
szINTRVA BYTE "OriginalFirstThunk: 0x%08X", 0dh, 0ah, 0
szTimeStmp BYTE "TimeDateStamp: 0x%08X", 0dh, 0ah, 0
szForwarderChain BYTE "ForwarderChain: 0x%08X", 0dh, 0ah, 0
szNameRVA BYTE "Name: 0x%08X", 0dh, 0ah, 0
szFirstThunk BYTE "FirstThunk: 0x%08X", 0dh, 0ah, 0dh, 0ah, 0
szFnInfo BYTE "%hd %s", 0dh, 0ah, 0szBuf BYTE 64 DUP(0).code
; 作用: 打印输出导入表信息
; 参数: _pFileHdr 指向读到内存中文件的基址指针
; 返回: 无
_getImportTblInfo PROC _pFileHdr:PTR BYTEpushad mov esi, _pFileHdrassume esi:PTR IMAGE_DOS_HEADERadd esi, [esi].e_lfanew assume esi:PTR IMAGE_NT_HEADERS32 mov esi, [esi].OptionalHeader.DataDirectory[8].VirtualAddresspush esimov eax, _pFileHdrpush eax call RVA2FOAmov esi, eax add esi, _pFileHdr assume esi:PTR IMAGE_IMPORT_DESCRIPTOR L0:; 确定导入表是否结束mov edx, [esi].Name1test edx, edx jnz @F jmp Ending
@@:mov edx, [esi].OriginalFirstThunktest edx, edx jnz @F jmp Ending
@@:mov edx, [esi].TimeDateStamptest edx, edx jnz @F jmp Ending
@@:mov edx, [esi].ForwarderChaintest edx, edx jnz @F jmp Ending
@@:mov edx, [esi].FirstThunktest edx, edx jnz @F jmp Ending
@@:; 进行IAT显示mov edx, [esi].Name1 push edx push _pFileHdr call RVA2FOA add eax, _pFileHdr; 显示dll名称invoke wsprintf, OFFSET szBuf, OFFSET szDllName, eax invoke crt_printf, OFFSET szBuf invoke crt_printf, OFFSET szSep; 显示OriginalFirstThunk的RVA地址invoke wsprintf, OFFSET szBuf, OFFSET szINTRVA, [esi].OriginalFirstThunk invoke crt_printf, OFFSET szBuf; 显示时间戳invoke wsprintf, OFFSET szBuf, OFFSET szTimeStmp, [esi].TimeDateStamp invoke crt_printf, OFFSET szBuf; 显示ForwarderChaininvoke wsprintf, OFFSET szBuf, OFFSET szForwarderChain, [esi].ForwarderChain invoke crt_printf, OFFSET szBuf; 显示Name的RVA地址invoke wsprintf, OFFSET szBuf, OFFSET szNameRVA, [esi].Name1 invoke crt_printf, OFFSET szBuf; 显示FirstThunk的RVA地址invoke wsprintf, OFFSET szBuf, OFFSET szFirstThunk, [esi].FirstThunk invoke crt_printf, OFFSET szBuf; 打印具体函数信息; 获取INT的RVA地址, 把VA转成FOApush [esi].OriginalFirstThunkpush _pFileHdr call RVA2FOAadd eax, _pFileHdr
L1:assume eax:PTR IMAGE_THUNK_DATA mov ebx, [eax].u1.Functiontest ebx, ebx jz NextDescpush eax mov eax, [eax].u1.Functiontest eax, 80000000hjnz BySeqpush eax push _pFileHdrcall RVA2FOAadd eax, _pFileHdrassume eax:PTR IMAGE_IMPORT_BY_NAME movzx edx, WORD PTR [eax].Hintlea ebx, [eax].Name1 invoke wsprintf, OFFSET szBuf, OFFSET szFnInfo, edx, ebxinvoke crt_printf, OFFSET szBufpop eax add eax, SIZEOF IMAGE_THUNK_DATAjmp @F
BySeq:@@:jmp L1
NextDesc:push OFFSET Crlfcall crt_printfpush OFFSET Crlfcall crt_printfadd esi, SIZEOF IMAGE_IMPORT_DESCRIPTORjmp L0
Ending:popad ret _getImportTblInfo ENDP
运行的部分截图:
3. 导入表图
(完)
