// Static import of ImageDirectoryEntryToData from IMAGEHLP.DLL.
// The API returns an untyped pointer to the requested data directory of the
// image at Base, or nil when the directory cannot be located; callers must
// check for nil before dereferencing. The result is typed as
// PIMAGE_IMPORT_DESCRIPTOR here, so this declaration is only meaningful when
// DirectoryEntry is IMAGE_DIRECTORY_ENTRY_IMPORT.
// Size receives the size in bytes of the directory data.
function ImageDirectoryEntryToData(
  Base:Pointer;
  MappedAsImage:ByteBool;
  DirectoryEntry:Word;
  var Size:ULONG
):PIMAGE_IMPORT_DESCRIPTOR;stdcall;external 'IMAGEHLP.DLL';
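// Dumps the import table of the ws2_32.dll image mapped into this process
// to Memo1: one line per imported DLL, then one line per imported function.
//
// 32-bit only: the module handle is kept in a Cardinal and the thunks are
// read as IMAGE_THUNK_DATA32.
//
// The RVAs are followed without bounds checks. That is acceptable for an
// image the Windows loader has already mapped; if this walk is ever reused
// on a file mapped by hand, every RVA must first be validated against the
// image size.
procedure TForm1.ErgodicIat ;
const
  // Same value as IMAGE_ORDINAL_FLAG32 in winnt.h: a set high bit means the
  // thunk holds an ordinal instead of an RVA to an IMAGE_IMPORT_BY_NAME.
  ORDINAL_FLAG32 = Cardinal($80000000) ;
var
  pImportDir:PIMAGE_IMPORT_DESCRIPTOR; // IID array, terminated by a zeroed entry
  pINT:PIMAGE_THUNK_DATA32 ;           // import name table (OriginalFirstThunk)
  pIAT:PIMAGE_THUNK_DATA32 ;           // import address table (FirstThunk)
  pIIBN:PIMAGE_IMPORT_BY_NAME ;
  Hand:Cardinal ;
  Size:Cardinal ;
  L:Cardinal ;
  LoadedHere:Boolean ;
begin
  LoadedHere:=False ;
  Hand:=GetModuleHandle(PChar('ws2_32.dll'));
  if Hand=0 then
  begin
    Hand:=Loadlibrary(PChar('ws2_32.dll')) ;
    if Hand=0 then
    begin
      Memo1.Lines.Add('获取模块句柄失败...') ;
      Exit ;
    end;
    // Remember that this call took the reference so it can be released.
    LoadedHere:=True ;
  end;
  try
    pImportDir:=ImageDirectoryEntryToData(Pointer(Hand),True,IMAGE_DIRECTORY_ENTRY_IMPORT,Size);
    // The API returns nil when the image has no import directory; the
    // original dereferenced the result unconditionally.
    if pImportDir=nil then
    begin
      Memo1.Lines.Add('获取导入表失败...') ;
      Exit ;
    end;
    if pImportDir^.FirstThunk=0 then
    begin
      Memo1.Lines.Add('获取导入表失败...') ;
      Exit ;
    end;
    while pImportDir^.FirstThunk<>0 do
    begin
      // L is the virtual address of the imported DLL's ANSI name. Note that
      // the third value printed under the "FirstThunk" label is L itself.
      L:=Hand+pImportDir^.Name ;
      Memo1.Lines.Add(Format('RVA %X %10S FirstThunk%15X,Name %s',[pImportDir^.FirstThunk,'',L,PAnsiChar(L)])) ;

      // Why the original output looked wrong: it walked FirstThunk only. In
      // a loaded module the loader has already overwritten those slots with
      // resolved function addresses, and Ordinal, _Function and
      // AddressOfData are members of one union, so all three columns showed
      // the same bound address. Names and ordinals have to be read from the
      // OriginalFirstThunk array, which the loader leaves untouched.
      // NOTE(review): OriginalFirstThunk, Hint and Name are the winnt.h
      // field names; confirm they match this project's record declarations.
      pIAT:=Pointer(Hand+pImportDir^.FirstThunk) ;
      if pImportDir^.OriginalFirstThunk<>0 then
      begin
        pINT:=Pointer(Hand+pImportDir^.OriginalFirstThunk) ;
        while pINT^.AddressOfData<>0 do
        begin
          if (pINT^.Ordinal and ORDINAL_FLAG32)<>0 then
            // Import by ordinal: the low 16 bits are the ordinal number.
            Memo1.Lines.Add(Format('Ord%10X,%20X',[pINT^.Ordinal and $FFFF,pIAT^._Function]))
          else
          begin
            // Import by name: AddressOfData is an RVA to Hint + ANSI name.
            pIIBN:=Pointer(Hand+pINT^.AddressOfData) ;
            Memo1.Lines.Add(Format('Hint%9X,%20X,%s',[pIIBN^.Hint,pIAT^._Function,PAnsiChar(@pIIBN^.Name)])) ;
          end;
          Inc(pINT);
          Inc(pIAT);
        end;
      end
      else
      begin
        // No name table for this descriptor: only the bound addresses in the
        // IAT are available from memory.
        while pIAT^._Function<>0 do
        begin
          Memo1.Lines.Add(Format('%20X',[pIAT^._Function])) ;
          Inc(pIAT);
        end;
      end;
      Inc(pImportDir);
    end;
  finally
    // Drop the reference taken by LoadLibrary above, if any.
    if LoadedHere then
      FreeLibrary(Hand) ;
  end;
end;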