-
-
[求助]通过导出表获得指定函数的地址
-
发表于: 2009-12-14 18:39
-
为什么这个函数在Ring3下可以返回正确的地址,而在驱动程序中总是返回0哦
给点提示吧
//Get the function address
ULONG GetFuncAddress( ULONG hModule, char* FuncName )
{
ULONG PeHeaderVA;
ULONG ExportVA;
ULONG EntVA;
ULONG EntIndexVA;
ULONG EatVA;
ULONG EntCount;
ULONG IndexBase;
ULONG i;
ULONG FuncIndex;
ULONG FuncVA;
//Get the offset address of PEHeader
if( 'M' == *(PUCHAR)hModule && 'Z' == *(PUCHAR)(hModule +1) )
{
PeHeaderVA = hModule + *(PULONG)(hModule + 0x3C);
DbgPrint("PeHeaderVA: \n");
if( 'P' == *(PUCHAR)PeHeaderVA && 'E' == *(PUCHAR)(PeHeaderVA + 1) )
{
DbgPrint("Is Valid PE File \n");
//得到导出表的VA
ExportVA = hModule + *(PULONG)( PeHeaderVA + 0x78 );
//得到ENT的VA
EntVA = hModule + *(PULONG)(ExportVA + 0x20);
//函数序号表的VA
EntIndexVA = hModule + *(PULONG)(ExportVA + 0x24);
//EAT
EatVA = hModule + *(PULONG)(ExportVA + 0x1C);
//由函数名导出的函数的个数
EntCount = *(PULONG)( ExportVA + 0x18 );
//序号的基数
IndexBase = *(PULONG)( ExportVA + 0x10 );
for( i = 0; i < EntCount; i++ )
{
if( strstr( (char*)(*(PULONG)EntVA + hModule ), FuncName ) )
{
DbgPrint("Find The Function!\n");
//得到函数的序号
FuncIndex = (USHORT)(EntIndexVA + i*2) - IndexBase;
//通过序号得到地址
FuncVA = *(PULONG)(FuncIndex * 4 + EatVA);
return FuncVA;
}
EntVA += 4;
}
DbgPrint("Can't Find The Function!\n");
return 0;
}
else
{
DbgPrint("PEHeader Error!\n");
return 0;
}
}
else
{
DbgPrint("DosHeader Error!\n");
return 0;
}
}
给点提示吧
//Get the function address
ULONG GetFuncAddress( ULONG hModule, char* FuncName )
{
ULONG PeHeaderVA;
ULONG ExportVA;
ULONG EntVA;
ULONG EntIndexVA;
ULONG EatVA;
ULONG EntCount;
ULONG IndexBase;
ULONG i;
ULONG FuncIndex;
ULONG FuncVA;
//Get the offset address of PEHeader
if( 'M' == *(PUCHAR)hModule && 'Z' == *(PUCHAR)(hModule +1) )
{
PeHeaderVA = hModule + *(PULONG)(hModule + 0x3C);
DbgPrint("PeHeaderVA: \n");
if( 'P' == *(PUCHAR)PeHeaderVA && 'E' == *(PUCHAR)(PeHeaderVA + 1) )
{
DbgPrint("Is Valid PE File \n");
//得到导出表的VA
ExportVA = hModule + *(PULONG)( PeHeaderVA + 0x78 );
//得到ENT的VA
EntVA = hModule + *(PULONG)(ExportVA + 0x20);
//函数序号表的VA
EntIndexVA = hModule + *(PULONG)(ExportVA + 0x24);
//EAT
EatVA = hModule + *(PULONG)(ExportVA + 0x1C);
//由函数名导出的函数的个数
EntCount = *(PULONG)( ExportVA + 0x18 );
//序号的基数
IndexBase = *(PULONG)( ExportVA + 0x10 );
for( i = 0; i < EntCount; i++ )
{
if( strstr( (char*)(*(PULONG)EntVA + hModule ), FuncName ) )
{
DbgPrint("Find The Function!\n");
//得到函数的序号
FuncIndex = (USHORT)(EntIndexVA + i*2) - IndexBase;
//通过序号得到地址
FuncVA = *(PULONG)(FuncIndex * 4 + EatVA);
return FuncVA;
}
EntVA += 4;
}
DbgPrint("Can't Find The Function!\n");
return 0;
}
else
{
DbgPrint("PEHeader Error!\n");
return 0;
}
}
else
{
DbgPrint("DosHeader Error!\n");
return 0;
}
}
|
|
|---|---|
