-
-
[求助]打印ntoskrnl.exe的导入表,请弄过的帮看看那里错了。
-
发表于:
2015-11-27 17:09
3443
-
[求助]打印ntoskrnl.exe的导入表,请弄过的帮看看那里错了。
搞了两天了,始终找不出来错在哪里,请帮忙看看,多谢了!
IMAGE_IMPORT_DESCRIPTOR->Name应该是个RVA,可这个RVA我怎么搞读出来的都是0!
代码:
//参数就是模块基址
NTSTATUS EumeIATTable(ULONG_PTR Base)
{
//变量声明
PIMAGE_DOS_HEADER pDosHearder = (PIMAGE_DOS_HEADER)Base;
PIMAGE_NT_HEADERS32 pNtHeader32;
PIMAGE_NT_HEADERS64 pHeaders64;
BOOLEAN b64 = FALSE;
PIMAGE_IMPORT_DESCRIPTOR pIatDes;
USHORT MachineType;
//打印dll名用的变脸
IMAGE_EXPORT_DIRECTORY *pExportTable;
IMAGE_OPTIONAL_HEADER opthdr;
IMAGE_IMPORT_DESCRIPTOR *pImportTable;
//检查是否是一个有效的PE文件
if (pDosHearder->e_magic != IMAGE_DOS_SIGNATURE)
{
DbgPrint("IMAGE_DOS_SIGNATURE failed!\r\n");
return STATUS_INVALID_IMAGE_FORMAT;
}
pNtHeader32 = (PIMAGE_NT_HEADERS32)((PUCHAR)Base + ((PIMAGE_DOS_HEADER)Base)->e_lfanew);
//检查PE文件名称
opthdr = pNtHeader32->OptionalHeader;
pExportTable = (IMAGE_EXPORT_DIRECTORY*)((ULONG_PTR)Base + \
opthdr.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); //得到导出表
pImportTable = (IMAGE_IMPORT_DESCRIPTOR*)((ULONG_PTR)Base + \
opthdr.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); //得到导入表
//DLL Name is : ntoskrnl.exe 得到的PE模块是正确的
DbgPrint("DLL Name is : %s \r\n", (CHAR*)((PUCHAR)Base + pExportTable->Name));
//问题出在这里的Name得到的是0x0000 0000 用WinDBG查看这里也全部是0
//IMAGE_IMPORT_DESCRIPTOR->Name应该是个RVA,可这个RVA我怎么搞读出来的都是0
DbgPrint("pImportTable->Nameis : %s \r\n", (CHAR*)((PUCHAR)Base + pImportTable->Name));
//后面的代码应该跟主要问题无关了
//检查NT头
if (pNtHeader32->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)
{
DbgPrint("This is a AMD64 Machine.\r\n");
b64 = TRUE;
pHeaders64 = (PIMAGE_NT_HEADERS64)((PUCHAR)Base + ((PIMAGE_DOS_HEADER)Base)->e_lfanew);
pIatDes = (PIMAGE_IMPORT_DESCRIPTOR)((PUCHAR)Base + \
pHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
}
else if (pNtHeader32->FileHeader.Machine == IMAGE_FILE_MACHINE_I386)
{
DbgPrint("This is a I386 Machine.\r\n");
pIatDes = (PIMAGE_IMPORT_DESCRIPTOR)((PUCHAR)Base + \
pNtHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
DbgPrint("DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress : 0x%08X\r\n", \
pNtHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
DbgPrint("Base is : 0x%08X\r\n", (PUCHAR)Base);
}
else
{
DbgPrint("This is a Unknown Machine.\r\n");
MachineType = (USHORT)(pNtHeader32->FileHeader.Machine);
DbgPrint("Machine Type is : 0x%04X\r\n", MachineType);
return STATUS_INVALID_IMAGE_FORMAT;
}
for ( ; pIatDes->Name; pIatDes++)
{
if (b64)
{
PIMAGE_THUNK_DATA64 pThunk64;
for (pThunk64 = (PIMAGE_THUNK_DATA64)((PUCHAR)Base + pIatDes->FirstThunk); pThunk64->u1.Function;pThunk64++)
DbgPrint("64bit-->Import Module %s[0x%08X]\r\n", \
(PCSTR)((PUCHAR)Base + pIatDes->Name), (ULONG_PTR)pThunk64->u1.Function);
}
else
{
PIMAGE_THUNK_DATA32 pThunk32;
DbgPrint("Start Print!\r\n");
for (pThunk32 = (PIMAGE_THUNK_DATA32)((PUCHAR)Base + pIatDes->FirstThunk); pThunk32->u1.Function; pThunk32++)
{
//如果我们编译的是32位程序,就会走到这里
DbgPrint("32bit-->Import Module %s[0x%08X]\r\n", (PCSTR)((PUCHAR)Base + pIatDes->Name), (ULONG_PTR)pThunk32->u1.Function);
}
}
}
return STATUS_SUCCESS;
}
WinDbg手动跟踪导入表居然都是0,我真是醉了,为啥啊?谁能帮解释下啊!