[旧帖] [求助]获取32位程序 ip等地址错误 0.00雪花
发表于: 2012-8-17 15:46 1194
本程序原本是一个获取 32 位程序 IP 等地址的程序，我现在把它改成了 PE32+ 版本。
中间取值可能有些问题
不过导出表函数我是找到了。
问题可能是在
if(strcmp(FunctionName, szFun) == 0)
{
WORD Ordinal=ppdwOrdin[i];
*pFunOffSet = ((DWORD*)ppdwAddr)[Ordinal];
return true;
}
不说了上代码
/*
 * Look up an exported symbol by name in a PE32+ image that has been mapped
 * from disk as raw file bytes (lpMemFile points at the DOS header).
 *
 * FunctionName: NUL-terminated export name, matched with strcmp.
 * pFunOffSet:   on success receives the 32-bit entry read from the export
 *               AddressOfFunctions table (an RVA, see the note at that line).
 * Returns true when the name was found, false otherwise; the two header
 * checks also report their failure through MessageBox.
 *
 * NOTE(review): there is no size parameter, so none of the header, table or
 * string reads below are bounded against the mapped file's length; a
 * truncated or malformed file makes these reads run out of bounds.
 */
bool GetProcAddress64( LPCTSTR lpMemFile, char *FunctionName, DWORD *pFunOffSet)
{
PIMAGE_NT_HEADERS64 pinths64;
PIMAGE_DOS_HEADER pdih;
pdih=(PIMAGE_DOS_HEADER)lpMemFile;
/* e_lfanew is taken from the file unvalidated. NOTE(review): the arithmetic
 * is done on an LPCTSTR; in a UNICODE build that is a wide pointer and the
 * offset would be scaled by sizeof(TCHAR). The narrow MessageBox strings
 * suggest a non-UNICODE build -- confirm the project settings. */
pinths64=(PIMAGE_NT_HEADERS64)(lpMemFile+pdih->e_lfanew);
/* 0x00004550 is "PE\0\0" read as a little-endian DWORD. */
if(pinths64->Signature!=0x00004550)
{
MessageBox(NULL,"无效的PE文件!","1",NULL);
return false;
}
/* 0x20b is the PE32+ optional-header magic; PE32 (0x10b) is rejected. */
if(pinths64->OptionalHeader.Magic!=0x20b)
{
MessageBox(NULL,"不是PE32+格式的文件!","1",NULL);
return false;
}
PIMAGE_EXPORT_DIRECTORY pied;
/* DataDirectory[0] is the export directory. ImageRvaToVa returns NULL when
 * the RVA falls in no section (e.g. a file without exports); that result is
 * dereferenced unchecked on the NumberOfNames line below. */
pied=(PIMAGE_EXPORT_DIRECTORY)ImageRvaToVa((PIMAGE_NT_HEADERS)pinths64,pdih,pinths64->OptionalHeader.DataDirectory[0].VirtualAddress,NULL);
DWORD i = 0;
/* NumberOfNames is trusted as read from the file; it bounds the loop but is
 * itself bounded by nothing. */
DWORD NumberOfNames = pied->NumberOfNames;
/* NOTE(review): the three export tables are addressed through ULONGLONG
 * pointers here, and that width decides how ppdwOrdin[i] and *ppdwNames are
 * read further down. The export directory's tables keep their documented
 * entry widths in PE32+ (they are not widened to 64 bits), so these casts are
 * the first place to check for the wrong values the post describes. */
ULONGLONG **ppdwNames = (ULONGLONG **)pied->AddressOfNames;
ppdwNames = (PULONGLONG*)ImageRvaToVa((PIMAGE_NT_HEADERS)pinths64,pdih,(ULONG)ppdwNames,NULL);
ULONGLONG **ppdwAddr = (ULONGLONG **)pied->AddressOfFunctions;
ppdwAddr = (PULONGLONG*)ImageRvaToVa((PIMAGE_NT_HEADERS)pinths64,pdih,(DWORD)ppdwAddr,NULL);
ULONGLONG *ppdwOrdin=(ULONGLONG*)ImageRvaToVa((PIMAGE_NT_HEADERS)pinths64,pdih,(DWORD)pied->AddressOfNameOrdinals,NULL);
/* Only the first name-table entry goes through ImageRvaToVa: *ppdwNames reads
 * 8 bytes and the (ULONG) cast keeps the low 32 bits. Every later name is
 * reached by stepping past the previous string's terminator (end of the
 * loop), which assumes the strings are contiguous and in name-table order --
 * common linker output, but not guaranteed by the format. */
char* szFun=(PSTR)ImageRvaToVa((PIMAGE_NT_HEADERS)pinths64,pdih,(ULONG)*ppdwNames,NULL);
for(i=0; i<NumberOfNames; i++)
{
/* Debug trace. *ppdwAddr is a 64-bit read handed to %x, which is undefined
 * behaviour for printf; ppdwAddr is never advanced, so the same value is
 * printed on every iteration. */
printf("%0.4x\t%0.8x\t%s\n",i+1,*ppdwAddr,szFun);
if(strcmp(FunctionName, szFun) == 0)
{
/* Entry i of the ordinal table selects the AddressOfFunctions entry; the read
 * here is 8 bytes wide and then truncated to WORD. */
WORD Ordinal=ppdwOrdin[i];
/* The function table is read as DWORDs here, unlike the pointer type used
 * above. The value stored is an export RVA; nothing converts it to a file
 * offset, and Ordinal is not checked against NumberOfFunctions. */
*pFunOffSet = ((DWORD*)ppdwAddr)[Ordinal];
return true;
}
/* Step to the next NUL-terminated name (contiguous-layout assumption). */
szFun=szFun + strlen(szFun)+1;
}
return false;
}
/*
 * Map the file named by the global FilePath, resolve four exported symbols
 * (Port, szIP, AutoDel, dllName) with GetProcAddress64, and push the values
 * found at those offsets into the dialog controls of the global Main window.
 * Returns true on success; on every failure path the view and both handles
 * are released and false is returned. The global buffer Temp is used as
 * scratch text and, on the error path, is left holding a message that this
 * function itself never displays.
 *
 * NOTE(review): FilePath, Temp, Main, DoXOR and DelSpace are defined outside
 * this listing; Temp's size is not visible here, so none of the sprintf
 * calls below can be judged bounded.
 */
bool GetConfigInfo()
{
HANDLE hFile;
HANDLE hFileMapping;
LPVOID lpFileBase;
/* GENERIC_WRITE is requested although the mapping below is PAGE_READONLY and
 * nothing is written back; the write right is unnecessary and makes the open
 * fail on a read-only file. */
hFile = CreateFile(FilePath, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE,
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
if(hFile == INVALID_HANDLE_VALUE)
{
return false;
}
/* Whole-file read-only mapping. The file size is never queried, so the
 * offsets applied below cannot be bounds-checked against it. */
hFileMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
if(hFileMapping == 0)
{
CloseHandle(hFile);
return false;
}
lpFileBase = MapViewOfFile(hFileMapping, FILE_MAP_READ, 0, 0, 0);
if(lpFileBase == 0)
{
CloseHandle(hFileMapping);
CloseHandle(hFile);
return false;
}
///////////
char *pFun_szIP, *pFun_dllName;
int *pFun_Port;
BOOL *pFun_AutoDel;
DWORD szIPoffset, Portoffset, AutoDeloffset, dllNameoffset;
/* Each offset is whatever GetProcAddress64 stores (an export-table RVA) and
 * is added to the raw file base below; that is only correct where a
 * section's file offset equals its RVA. */
if(!GetProcAddress64((LPCTSTR)lpFileBase, "Port", &Portoffset))
{
sprintf(Temp, "选择的文件不正确。");
goto error;
}
pFun_Port = (int*)((BYTE*)lpFileBase + Portoffset);
/* BUG: *pFun_Port is an int but the conversion is %s, so sprintf treats the
 * value as a char pointer -- undefined behaviour, typically a crash. */
sprintf(Temp, "%s", *pFun_Port);
MessageBox(NULL,Temp,"Port",NULL);
if(!GetProcAddress64((LPCTSTR)lpFileBase, "szIP", &szIPoffset))
{
sprintf(Temp, "选择的文件不正确。");
goto error;
}
if(!GetProcAddress64((LPCTSTR)lpFileBase, "AutoDel", &AutoDeloffset))
{
sprintf(Temp, "选择的文件不正确。");
goto error;
}
if(!GetProcAddress64((LPCTSTR)lpFileBase, "dllName", &dllNameoffset))
{
sprintf(Temp, "选择的文件不正确。");
goto error;
}
/* pFun_szIP is assigned but never read; pFun_Port is assigned a second time
 * with the same value it already holds. */
pFun_szIP = (char*)((BYTE*)lpFileBase + szIPoffset);
pFun_dllName = (char*)((BYTE*)lpFileBase + dllNameoffset);
pFun_Port = (int*)((BYTE*)lpFileBase + Portoffset);
pFun_AutoDel = (BOOL*)((BYTE*)lpFileBase + AutoDeloffset);
/* Temp still holds the port text produced above. */
SetDlgItemText(Main.hWnd, IDC_PORT, Temp);
/* DoXOR is applied to Temp -- still the port text -- and the result is shown
 * as IDC_URL; the szIP value is never copied into Temp. NOTE(review): this
 * looks like a step lost in the port from the 32-bit version; confirm. */
DoXOR(0x1985, Temp, 99);
SetDlgItemText(Main.hWnd, IDC_URL, Temp);
/* dllName is consumed with %s straight from the mapping; nothing guarantees a
 * terminator inside the mapped range. */
sprintf(Temp, "%s", DelSpace(pFun_dllName));
SetDlgItemText(Main.hWnd, IDC_DLLNAME, Temp);
/* Click the checkbox until its state matches the stored BOOL. The condition
 * depends only on the control's state, so if BM_CLICK did not toggle it the
 * loop would not terminate. */
while((BST_CHECKED == IsDlgButtonChecked(Main.hWnd, IDC_AUTODEL)) != (*pFun_AutoDel!=0))
{
SendDlgItemMessage(Main.hWnd, IDC_AUTODEL, BM_CLICK, 0, 0);
}
UnmapViewOfFile(lpFileBase);
CloseHandle(hFileMapping);
CloseHandle(hFile);
return true;
error:
UnmapViewOfFile(lpFileBase);
CloseHandle(hFileMapping);
CloseHandle(hFile);
return false;
}
中间取值可能有些问题
不过导出表函数我是找到了。
问题可能是在
if(strcmp(FunctionName, szFun) == 0)
{
WORD Ordinal=ppdwOrdin[i];
*pFunOffSet = ((DWORD*)ppdwAddr)[Ordinal];
return true;
}
不说了上代码
/*
 * Look up an exported symbol by name in a PE32+ image that has been mapped
 * from disk as raw file bytes (lpMemFile points at the DOS header).
 *
 * FunctionName: NUL-terminated export name, matched with strcmp.
 * pFunOffSet:   on success receives the 32-bit entry read from the export
 *               AddressOfFunctions table (an RVA, see the note at that line).
 * Returns true when the name was found, false otherwise; the two header
 * checks also report their failure through MessageBox.
 *
 * NOTE(review): there is no size parameter, so none of the header, table or
 * string reads below are bounded against the mapped file's length; a
 * truncated or malformed file makes these reads run out of bounds.
 */
bool GetProcAddress64( LPCTSTR lpMemFile, char *FunctionName, DWORD *pFunOffSet)
{
PIMAGE_NT_HEADERS64 pinths64;
PIMAGE_DOS_HEADER pdih;
pdih=(PIMAGE_DOS_HEADER)lpMemFile;
/* e_lfanew is taken from the file unvalidated. NOTE(review): the arithmetic
 * is done on an LPCTSTR; in a UNICODE build that is a wide pointer and the
 * offset would be scaled by sizeof(TCHAR). The narrow MessageBox strings
 * suggest a non-UNICODE build -- confirm the project settings. */
pinths64=(PIMAGE_NT_HEADERS64)(lpMemFile+pdih->e_lfanew);
/* 0x00004550 is "PE\0\0" read as a little-endian DWORD. */
if(pinths64->Signature!=0x00004550)
{
MessageBox(NULL,"无效的PE文件!","1",NULL);
return false;
}
/* 0x20b is the PE32+ optional-header magic; PE32 (0x10b) is rejected. */
if(pinths64->OptionalHeader.Magic!=0x20b)
{
MessageBox(NULL,"不是PE32+格式的文件!","1",NULL);
return false;
}
PIMAGE_EXPORT_DIRECTORY pied;
/* DataDirectory[0] is the export directory. ImageRvaToVa returns NULL when
 * the RVA falls in no section (e.g. a file without exports); that result is
 * dereferenced unchecked on the NumberOfNames line below. */
pied=(PIMAGE_EXPORT_DIRECTORY)ImageRvaToVa((PIMAGE_NT_HEADERS)pinths64,pdih,pinths64->OptionalHeader.DataDirectory[0].VirtualAddress,NULL);
DWORD i = 0;
/* NumberOfNames is trusted as read from the file; it bounds the loop but is
 * itself bounded by nothing. */
DWORD NumberOfNames = pied->NumberOfNames;
/* NOTE(review): the three export tables are addressed through ULONGLONG
 * pointers here, and that width decides how ppdwOrdin[i] and *ppdwNames are
 * read further down. The export directory's tables keep their documented
 * entry widths in PE32+ (they are not widened to 64 bits), so these casts are
 * the first place to check for the wrong values the post describes. */
ULONGLONG **ppdwNames = (ULONGLONG **)pied->AddressOfNames;
ppdwNames = (PULONGLONG*)ImageRvaToVa((PIMAGE_NT_HEADERS)pinths64,pdih,(ULONG)ppdwNames,NULL);
ULONGLONG **ppdwAddr = (ULONGLONG **)pied->AddressOfFunctions;
ppdwAddr = (PULONGLONG*)ImageRvaToVa((PIMAGE_NT_HEADERS)pinths64,pdih,(DWORD)ppdwAddr,NULL);
ULONGLONG *ppdwOrdin=(ULONGLONG*)ImageRvaToVa((PIMAGE_NT_HEADERS)pinths64,pdih,(DWORD)pied->AddressOfNameOrdinals,NULL);
/* Only the first name-table entry goes through ImageRvaToVa: *ppdwNames reads
 * 8 bytes and the (ULONG) cast keeps the low 32 bits. Every later name is
 * reached by stepping past the previous string's terminator (end of the
 * loop), which assumes the strings are contiguous and in name-table order --
 * common linker output, but not guaranteed by the format. */
char* szFun=(PSTR)ImageRvaToVa((PIMAGE_NT_HEADERS)pinths64,pdih,(ULONG)*ppdwNames,NULL);
for(i=0; i<NumberOfNames; i++)
{
/* Debug trace. *ppdwAddr is a 64-bit read handed to %x, which is undefined
 * behaviour for printf; ppdwAddr is never advanced, so the same value is
 * printed on every iteration. */
printf("%0.4x\t%0.8x\t%s\n",i+1,*ppdwAddr,szFun);
if(strcmp(FunctionName, szFun) == 0)
{
/* Entry i of the ordinal table selects the AddressOfFunctions entry; the read
 * here is 8 bytes wide and then truncated to WORD. */
WORD Ordinal=ppdwOrdin[i];
/* The function table is read as DWORDs here, unlike the pointer type used
 * above. The value stored is an export RVA; nothing converts it to a file
 * offset, and Ordinal is not checked against NumberOfFunctions. */
*pFunOffSet = ((DWORD*)ppdwAddr)[Ordinal];
return true;
}
/* Step to the next NUL-terminated name (contiguous-layout assumption). */
szFun=szFun + strlen(szFun)+1;
}
return false;
}
/*
 * Map the file named by the global FilePath, resolve four exported symbols
 * (Port, szIP, AutoDel, dllName) with GetProcAddress64, and push the values
 * found at those offsets into the dialog controls of the global Main window.
 * Returns true on success; on every failure path the view and both handles
 * are released and false is returned. The global buffer Temp is used as
 * scratch text and, on the error path, is left holding a message that this
 * function itself never displays.
 *
 * NOTE(review): FilePath, Temp, Main, DoXOR and DelSpace are defined outside
 * this listing; Temp's size is not visible here, so none of the sprintf
 * calls below can be judged bounded.
 */
bool GetConfigInfo()
{
HANDLE hFile;
HANDLE hFileMapping;
LPVOID lpFileBase;
/* GENERIC_WRITE is requested although the mapping below is PAGE_READONLY and
 * nothing is written back; the write right is unnecessary and makes the open
 * fail on a read-only file. */
hFile = CreateFile(FilePath, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE,
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
if(hFile == INVALID_HANDLE_VALUE)
{
return false;
}
/* Whole-file read-only mapping. The file size is never queried, so the
 * offsets applied below cannot be bounds-checked against it. */
hFileMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
if(hFileMapping == 0)
{
CloseHandle(hFile);
return false;
}
lpFileBase = MapViewOfFile(hFileMapping, FILE_MAP_READ, 0, 0, 0);
if(lpFileBase == 0)
{
CloseHandle(hFileMapping);
CloseHandle(hFile);
return false;
}
///////////
char *pFun_szIP, *pFun_dllName;
int *pFun_Port;
BOOL *pFun_AutoDel;
DWORD szIPoffset, Portoffset, AutoDeloffset, dllNameoffset;
/* Each offset is whatever GetProcAddress64 stores (an export-table RVA) and
 * is added to the raw file base below; that is only correct where a
 * section's file offset equals its RVA. */
if(!GetProcAddress64((LPCTSTR)lpFileBase, "Port", &Portoffset))
{
sprintf(Temp, "选择的文件不正确。");
goto error;
}
pFun_Port = (int*)((BYTE*)lpFileBase + Portoffset);
/* BUG: *pFun_Port is an int but the conversion is %s, so sprintf treats the
 * value as a char pointer -- undefined behaviour, typically a crash. */
sprintf(Temp, "%s", *pFun_Port);
MessageBox(NULL,Temp,"Port",NULL);
if(!GetProcAddress64((LPCTSTR)lpFileBase, "szIP", &szIPoffset))
{
sprintf(Temp, "选择的文件不正确。");
goto error;
}
if(!GetProcAddress64((LPCTSTR)lpFileBase, "AutoDel", &AutoDeloffset))
{
sprintf(Temp, "选择的文件不正确。");
goto error;
}
if(!GetProcAddress64((LPCTSTR)lpFileBase, "dllName", &dllNameoffset))
{
sprintf(Temp, "选择的文件不正确。");
goto error;
}
/* pFun_szIP is assigned but never read; pFun_Port is assigned a second time
 * with the same value it already holds. */
pFun_szIP = (char*)((BYTE*)lpFileBase + szIPoffset);
pFun_dllName = (char*)((BYTE*)lpFileBase + dllNameoffset);
pFun_Port = (int*)((BYTE*)lpFileBase + Portoffset);
pFun_AutoDel = (BOOL*)((BYTE*)lpFileBase + AutoDeloffset);
/* Temp still holds the port text produced above. */
SetDlgItemText(Main.hWnd, IDC_PORT, Temp);
/* DoXOR is applied to Temp -- still the port text -- and the result is shown
 * as IDC_URL; the szIP value is never copied into Temp. NOTE(review): this
 * looks like a step lost in the port from the 32-bit version; confirm. */
DoXOR(0x1985, Temp, 99);
SetDlgItemText(Main.hWnd, IDC_URL, Temp);
/* dllName is consumed with %s straight from the mapping; nothing guarantees a
 * terminator inside the mapped range. */
sprintf(Temp, "%s", DelSpace(pFun_dllName));
SetDlgItemText(Main.hWnd, IDC_DLLNAME, Temp);
/* Click the checkbox until its state matches the stored BOOL. The condition
 * depends only on the control's state, so if BM_CLICK did not toggle it the
 * loop would not terminate. */
while((BST_CHECKED == IsDlgButtonChecked(Main.hWnd, IDC_AUTODEL)) != (*pFun_AutoDel!=0))
{
SendDlgItemMessage(Main.hWnd, IDC_AUTODEL, BM_CLICK, 0, 0);
}
UnmapViewOfFile(lpFileBase);
CloseHandle(hFileMapping);
CloseHandle(hFile);
return true;
error:
UnmapViewOfFile(lpFileBase);
CloseHandle(hFileMapping);
CloseHandle(hFile);
return false;
}