首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 软件逆向
    3. 发新帖
[原创]PE导出表地址不同问题
发表于: 2023-3-13 14:16 5076

[原创]PE导出表地址不同问题

一只小菜鸡Y 活跃值
2023-3-13 14:16
5076

先上源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
VOID PERead::ReadExportTable()
{
    PIMAGE_DATA_DIRECTORY pData = this->pOp->DataDirectory;
    DWORD x = pData->VirtualAddress; //相对虚拟地址 RVA
 
    DWORD foaExportTableAddress = RvaToFoa(pData->VirtualAddress);
 
    if (foaExportTableAddress == 0) {
        cout << "当前程序没有导出表" << endl;
        cout << endl;
        return VOID();
    }
 
    PCHAR directoryExport = ((PCHAR)this->pDos) + foaExportTableAddress;
 
    PIMAGE_EXPORT_DIRECTORY pEd = (PIMAGE_EXPORT_DIRECTORY)directoryExport;
 
    DWORD foaAddressOfFunctions = RvaToFoa(pEd->AddressOfFunctions);
    DWORD foaAddressOfNameOrdinals = RvaToFoa(pEd->AddressOfNameOrdinals);
    DWORD foaAddressOfNames = RvaToFoa(pEd->AddressOfNames);
    PCHAR foaName = (PCHAR)this->pDos + RvaToFoa(pEd->Name);
 
    cout << hex << "导出表Characteristics: \t\t" << pEd->Characteristics << endl;
    cout << hex << "导出表TimeDateStamp: \t\t" << pEd->TimeDateStamp << endl;
    cout << hex << "导出表MajorVersion: \t\t" << pEd->MajorVersion << endl;
    cout << hex << "导出表MinorVersion: \t\t" << pEd->MinorVersion << endl;
    cout << "导出表名称: \t\t\t" << foaName << endl;
    cout << hex << "导出表Base: \t\t\t" << pEd->Base << endl;
    cout << hex << "导出表NumberOfFunctions: \t" << pEd->NumberOfFunctions << endl;
    cout << hex << "导出表NumberOfNames: \t\t" << pEd->NumberOfNames << endl;
    cout << hex << "导出表AddressOfFunctions: \t" << pEd->AddressOfFunctions << "\tfoa: " << foaAddressOfFunctions << endl;
    cout << hex << "导出表AddressOfNames: \t" << pEd->AddressOfNames << "\tfoa: " << foaAddressOfNames << endl;
    cout << hex << "导出表AddressOfNameOrdinals: \t" << pEd->AddressOfNameOrdinals << "\tfoa: " << foaAddressOfNameOrdinals << endl;
    cout << endl;
 
    PCHAR nameAddress = (PCHAR)this->pDos + foaAddressOfNames;
    PCHAR tempNameAddress = (PCHAR)this->pDos + foaAddressOfNames;
    PCHAR tempFoaAddressOfNameOrdinals = (PCHAR)this->pDos + foaAddressOfNameOrdinals;
 
    PDWORD pFoaFunction = (PDWORD)((PCHAR)this->pDos + foaAddressOfFunctions);
    PWORD pFoaOrdinals = (PWORD)((PCHAR)this->pDos + foaAddressOfNameOrdinals);
    PWORD pTempFoaOrdinals = pFoaOrdinals;
    PDWORD pFoaNames = (PDWORD)((PCHAR)this->pDos + foaAddressOfNames);
 
    //根据导出函数地址 来进行遍历并打印出所有的导出函数信息
    for (size_t i = 0; i < pEd->NumberOfFunctions; i++)
    {
        pTempFoaOrdinals = pFoaOrdinals;
 
        //打印函数地址 并获取到函数序号 从序号表中找到对应的序号 再找到对应函数的名称 没有名称的则写空
        if (*pFoaFunction == 0) {
            pFoaFunction++;
            continue;
        }
 
        //1.获取到文件中当前函数所在的地址
        cout << dec << "第" << i + 1 << "个RVA函数地址为:";
        cout << hex << *pFoaFunction;
        cout << "\tFOA函数地址为:" << RvaToFoa(*pFoaFunction);
 
        //2.找到序号
        int ordinal = 0;
        for (size_t j = 0; j < pEd->NumberOfNames; j++)
        {
            if (*pTempFoaOrdinals == i) {
                ordinal = j;
                break;
            }
            if (j == pEd->NumberOfNames - 1 && ordinal == 0 && j != 0) {
                ordinal = -1;
                break;
            }
            pTempFoaOrdinals++;
        }
 
        //3.找到名称
        if (ordinal == -1) {
            //当前函数不是以函数名称进行导出的
            cout << dec << "\t\t导出序号为:" << i + pEd->Base << "\t\t导出名称为:N/A" << endl;
        }
        else {
            PDWORD name = pFoaNames + ordinal;
            cout << dec << "\t\t导出序号为:" << i + pEd->Base << "\t\t导出名称为:" << (PCHAR)(((DWORD)this->pDos) + RvaToFoa(*name)) << endl;
        }
 
        pFoaFunction++;
    }
 
    return VOID();
}

原本以为这样打印出来没有问题,但是通过Dependencies和vs2019工具dumpbin.exe 打印的结果都和我的不同不知道我这样解析是有什么问题吗?有那个大佬能指点一二吗

以下是我的部分打印结果

图片描述

这里是Dependencies的

我的打印结果

这里是dumpbin.exe的

我的打印结果

 

我的打印结果从导出序号为2的函数SysAllocString来看 地址是不一样的 但是我使用lordPe查看的时候 就和我的结果是一样的,难道这个是因为我使用的两个工具都是加载到内存中的原因吗?求大佬解答一下疑惑.谢谢


[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 0
支持
分享
最新回复 (1)
一只小菜鸡Y
雪    币: 197
活跃值: (209)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
2
第一次发帖分不清 板块如有发错请提醒一下 谢谢
2023-3-13 14:17
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//