-
-
[求助]64位win10读取导出函数
-
发表于: 2016-4-21 08:48
-
刚开始学习PE结构,在32位xp、win7,64位win8下读取导出表都正常,64位win10能正常遍历导出函数名,但拿到的函数地址不对,下面贴出源码:
代码打印拷贝指令
OD查看内存API指令
百思不得其解
,虚心向各位大神请教~
#include "stdafx.h"
#include <windows.h>
#include <iostream>
#include <string>
#include <DbgHelp.h>
using namespace std;
int _tmain(int argc, _TCHAR* argv[])
{
string strErr;
HANDLE hFileMapping;
LPBYTE lpFileBase;
PIMAGE_NT_HEADERS pNtHeaders;
PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_SECTION_HEADER pFirstSection;
PIMAGE_SECTION_HEADER pSection;
PIMAGE_EXPORT_DIRECTORY pExportTable;
PDWORD pFunctions;
PWORD pOrdinals;
PDWORD pNames;
BOOL hasNames;
const char* szFuncName;
unsigned char* szCode;
char szLog[4096]={0};
string strDebug;
HANDLE hFile = CreateFile("C:\\Windows\\System32\\ntdll.dll",
GENERIC_READ,
FILE_SHARE_READ,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
strErr = GetLastError();
OutputDebugStringA(strErr.c_str());
return -1;
}
hFileMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
if (hFileMapping == NULL || hFileMapping == INVALID_HANDLE_VALUE)
{
strErr = GetLastError();
OutputDebugStringA(strErr.c_str());
CloseHandle(hFile);
return -1;
}
lpFileBase = (LPBYTE)MapViewOfFile(hFileMapping, FILE_MAP_READ, 0, 0, 0);
if (lpFileBase == NULL)
{
strErr = GetLastError();
CloseHandle(hFile);
CloseHandle(hFileMapping);
return -1;
}
pDosHeader=(PIMAGE_DOS_HEADER)lpFileBase;
pNtHeaders=(PIMAGE_NT_HEADERS)(lpFileBase+pDosHeader->e_lfanew);
pFirstSection=IMAGE_FIRST_SECTION(pNtHeaders);
for(int i=0; i<pNtHeaders->FileHeader.NumberOfSections; i++)
{
if(pFirstSection[i].VirtualAddress<=pNtHeaders->OptionalHeader.DataDirectory[0].VirtualAddress&&
(pNtHeaders->OptionalHeader.DataDirectory[0].VirtualAddress<pFirstSection[i].VirtualAddress+pFirstSection[i].Misc.VirtualSize))
{
pSection=&pFirstSection[i];
//break;
}
}
pExportTable=(PIMAGE_EXPORT_DIRECTORY)(lpFileBase+pSection->PointerToRawData+pNtHeaders->OptionalHeader.DataDirectory[0].VirtualAddress-pSection->VirtualAddress);
pFunctions = (PDWORD)(lpFileBase+pExportTable->AddressOfFunctions+pSection->PointerToRawData-pSection->VirtualAddress);
pOrdinals = (PWORD)(lpFileBase+pExportTable->AddressOfNameOrdinals+pSection->PointerToRawData-pSection->VirtualAddress);
pNames = (PDWORD)(lpFileBase+pExportTable->AddressOfNames+pSection->PointerToRawData-pSection->VirtualAddress);
//pExportTable=(PIMAGE_EXPORT_DIRECTORY)ImageRvaToVa(pNtHeaders, lpFileBase, pNtHeaders->OptionalHeader.DataDirectory[0].VirtualAddress, NULL);
//pFunctions = (PDWORD)ImageRvaToVa(pNtHeaders, lpFileBase, pExportTable->AddressOfFunctions, NULL);
//pOrdinals = (PWORD)ImageRvaToVa(pNtHeaders, lpFileBase, pExportTable->AddressOfNameOrdinals, NULL);
//pNames = (PDWORD)ImageRvaToVa(pNtHeaders, lpFileBase, pExportTable->AddressOfNames, NULL);//(lpFileBase+pExportTable->AddressOfNames);
hasNames = (pExportTable->AddressOfNames !=0);
for(int i=0; i<pExportTable->NumberOfNames; i++)
{
//szFuncName=(const char*)ImageRvaToVa(pNtHeaders, lpFileBase, pNames[i], NULL);
szFuncName=(const char*)(lpFileBase+pNames[i]+pSection->PointerToRawData-pSection->VirtualAddress);
if(!_stricmp(szFuncName, "ZwQuerySystemInformation"))
{
DWORD res=pOrdinals[i]+pExportTable->Base-1;
szCode = (unsigned char*)(lpFileBase+pFunctions[res]+pSection->PointerToRawData-pSection->VirtualAddress);
for(int i=0; i<15; i++)
{
sprintf(szLog, "%02X ", szCode[i]);
strDebug+=szLog;
if(i&&((i+1)%5==0))
{
strDebug+="\r\n";
OutputDebugStringA(strDebug.c_str());
strDebug="";
}
}
}
}
return 0;
}
代码打印拷贝指令
OD查看内存API指令
百思不得其解
,虚心向各位大神请教~
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
这个是计算导出表在哪个节表内,SEC_IMAGE果然好用,非常感谢!
|
