-
-
[求助]在ntkrnlpa中如何寻找导入表,谢谢
-
发表于: 2013-5-10 11:03
-
走过路过的各位大侠,先谢谢了。
目的:在内核中找到导入函数 KdCom.dll 的导入信息。
双机调度环境,先lm
然后db 模块加载地址
根据PE格式,找到 导入表的信息
最后,我想显示一下 导入表的 IMAGE_IMPORT_DESCRIPTOR 结构
0: kd> db 804d8000+0020609c
为什么是0呢?哪个地方,我理解有错误。
0: kd> db 804d8000 L200
804d8000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
804d8010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
804d8020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
804d8030 00 00 00 00 00 00 00 00-00 00 00 00 d8 00 00 00 ................
804d8040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
804d8050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
804d8060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
804d8070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......
804d8080 fe 3c 69 99 ba 5d 07 ca-ba 5d 07 ca ba 5d 07 ca .<i..]...]...]..
804d8090 79 52 5a ca bd 5d 07 ca-ba 5d 06 ca ed 5d 07 ca yRZ..]...]...]..
804d80a0 79 52 08 ca ed 5d 07 ca-79 52 59 ca bb 5d 07 ca yR...]..yRY..]..
804d80b0 79 52 58 ca 3d 5f 07 ca-79 52 5b ca bb 5d 07 ca yRX.=_..yR[..]..
804d80c0 79 52 5d ca bb 5d 07 ca-52 69 63 68 ba 5d 07 ca yR]..]..Rich.]..
804d80d0 00 00 00 00 00 00 00 00-50 45 00 00 4c 01 15 00 ........PE..L...
804d80e0 e7 5d 02 48 00 00 00 00-00 00 00 00 e0 00 0e 01 .].H............
804d80f0 0b 01 07 0a 00 66 1c 00-00 4e 04 00 00 00 00 00 .....f...N......
804d8100 bf aa 1e 00 00 10 00 00-00 10 07 00 00 00 40 00 ..............@.
804d8110 00 10 00 00 00 02 00 00-05 00 01 00 05 00 01 00 ................
804d8120 05 00 01 00 00 00 00 00-00 80 22 00 00 06 00 00 ..........".....
804d8130 e7 93 21 00 01 00 00 00-00 00 04 00 00 10 00 00 ..!.............
804d8140 00 00 10 00 00 10 00 00-00 00 00 00 10 00 00 00 ................
804d8150 00 70 1b 00 a2 b5 00 00-9c 60 20 00 50 00 00 00 .p.......` .P...
804d8160 00 70 20 00 bc 05 01 00-00 00 00 00 00 00 00 00 .p .............
804d8170 00 00 00 00 00 00 00 00-00 80 21 00 8c fd 00 00 ..........!.....
804d8180 94 6a 07 00 38 00 00 00-00 00 00 00 00 00 00 00 .j..8...........
804d8190 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
804d81a0 80 86 05 00 40 00 00 00-00 00 00 00 00 00 00 00 ....@...........
804d81b0 00 10 00 00 68 01 00 00-00 00 00 00 00 00 00 00 ....h...........
804d81c0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
804d81d0 2e 74 65 78 74 00 00 00-f5 5a 07 00 00 10 00 00 .text....Z......
804d81e0 00 5c 07 00 00 06 00 00-00 00 00 00 00 00 00 00 .\..............
804d81f0 00 00 00 00 20 00 00 68-50 4f 4f 4c 4d 49 00 00 .... ..hPOOLMI..
0: kd> db 804d8000+0020609c
806de09c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
806de0ac 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
806de0bc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
806de0cc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
806de0dc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
806de0ec 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
806de0fc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
806de10c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
最后能解释一下这个"挂钩地址"吗?谢谢.
目的:在内核中找到导入函数 KdCom.dll 的导入信息。
双机调度环境,先lm
然后db 模块加载地址
根据PE格式,找到 导入表的信息
最后,我想显示一下 导入表的 IMAGE_IMPORT_DESCRIPTOR 结构
0: kd> db 804d8000+0020609c
为什么是0呢?哪个地方,我理解有错误。
0: kd> db 804d8000 L200
804d8000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
804d8010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
804d8020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
804d8030 00 00 00 00 00 00 00 00-00 00 00 00 d8 00 00 00 ................
804d8040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
804d8050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
804d8060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
804d8070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......
804d8080 fe 3c 69 99 ba 5d 07 ca-ba 5d 07 ca ba 5d 07 ca .<i..]...]...]..
804d8090 79 52 5a ca bd 5d 07 ca-ba 5d 06 ca ed 5d 07 ca yRZ..]...]...]..
804d80a0 79 52 08 ca ed 5d 07 ca-79 52 59 ca bb 5d 07 ca yR...]..yRY..]..
804d80b0 79 52 58 ca 3d 5f 07 ca-79 52 5b ca bb 5d 07 ca yRX.=_..yR[..]..
804d80c0 79 52 5d ca bb 5d 07 ca-52 69 63 68 ba 5d 07 ca yR]..]..Rich.]..
804d80d0 00 00 00 00 00 00 00 00-50 45 00 00 4c 01 15 00 ........PE..L...
804d80e0 e7 5d 02 48 00 00 00 00-00 00 00 00 e0 00 0e 01 .].H............
804d80f0 0b 01 07 0a 00 66 1c 00-00 4e 04 00 00 00 00 00 .....f...N......
804d8100 bf aa 1e 00 00 10 00 00-00 10 07 00 00 00 40 00 ..............@.
804d8110 00 10 00 00 00 02 00 00-05 00 01 00 05 00 01 00 ................
804d8120 05 00 01 00 00 00 00 00-00 80 22 00 00 06 00 00 ..........".....
804d8130 e7 93 21 00 01 00 00 00-00 00 04 00 00 10 00 00 ..!.............
804d8140 00 00 10 00 00 10 00 00-00 00 00 00 10 00 00 00 ................
804d8150 00 70 1b 00 a2 b5 00 00-9c 60 20 00 50 00 00 00 .p.......` .P...
804d8160 00 70 20 00 bc 05 01 00-00 00 00 00 00 00 00 00 .p .............
804d8170 00 00 00 00 00 00 00 00-00 80 21 00 8c fd 00 00 ..........!.....
804d8180 94 6a 07 00 38 00 00 00-00 00 00 00 00 00 00 00 .j..8...........
804d8190 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
804d81a0 80 86 05 00 40 00 00 00-00 00 00 00 00 00 00 00 ....@...........
804d81b0 00 10 00 00 68 01 00 00-00 00 00 00 00 00 00 00 ....h...........
804d81c0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
804d81d0 2e 74 65 78 74 00 00 00-f5 5a 07 00 00 10 00 00 .text....Z......
804d81e0 00 5c 07 00 00 06 00 00-00 00 00 00 00 00 00 00 .\..............
804d81f0 00 00 00 00 20 00 00 68-50 4f 4f 4c 4d 49 00 00 .... ..hPOOLMI..
0: kd> db 804d8000+0020609c
806de09c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
806de0ac 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
806de0bc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
806de0cc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
806de0dc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
806de0ec 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
806de0fc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
806de10c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
最后能解释一下这个"挂钩地址"吗?谢谢.
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
