[Old post] A hands-on look at the import table
Posted on: 2007-12-7 15:00
IMAGE_DOS_HEADER:
e_magic: 5A4D
e_cblp: 0090
e_cp: 0003
e_crlc: 0000
e_cparhdr: 0004
e_minalloc: 0000
e_maxalloc: FFFF
e_ss: 0000
e_sp: 00B8
e_csum: 0000
e_ip: 0000
e_cs: 0000
e_lfarlc: 0040
e_ovno: 0000
e_res[0]: 0000
e_res[1]: 0000
e_res[2]: 0000
e_res[3]: 0000
e_oemid: 0000
e_oeminfo: 0000
e_res2[0]: 0000
e_res2[1]: 0000
e_res2[2]: 0000
e_res2[3]: 0000
e_res2[4]: 0000
e_res2[5]: 0000
e_res2[6]: 0000
e_res2[7]: 0000
e_res2[8]: 0000
e_res2[9]: 0000
e_lfanew: 000000D8
IMAGE_FILE_HEADER:
Machine: 014C
NumberOfSections: 0003
TimeDateStamp: 47560ED2
PointerToSymbolTable: 00000000
NumberOfSymbols: 00000000
SizeOfOptionalHeader: 00E0
Characteristics: 010F
IMAGE_OPTIONAL_HEADER:
Magic: 010B
MajorLinkerVersion: 6
MinorLinkerVersion: 0
SizeOfCode: 00004A00
SizeOfInitializedData: 00004A00
SizeOfUninitializedData: 00000000
AddressOfEntryPoint: 00001050
BaseOfCode: 00001000
BaseOfData: 00006000
ImageBase: 00400000
SectionAlignment: 00001000
FileAlignment: 00000200
MajorOperatingSystemVersion: 0004
MinorOperatingSystemVersion: 0000
MajorImageVersion: 0000
MinorImageVersion: 0000
MajorSubsystemVersion: 0004
MinorSubsystemVersion: 0000
Win32VersionValue: 00000000
SizeOfImage: 0000B000
SizeOfHeaders: 00000400
+40h CheckSum: 00000000
+44h Subsystem: 0003
+46h DllCharacteristics: 0000
+48h SizeOfStackReserve: 00100000
+4Ch SizeOfStackCommit: 00001000
+50h SizeOfHeapReserve: 00100000
+54h SizeOfHeapCommit: 00001000
+58h LoaderFlags: 00000000
+5Ch NumberOfRvaAndSizes: 00000010
IMAGE_DATA_DIRECTORY:
IMAGE_DIRECTORY_ENTRY_EXPORT
VirtualAddress: 00000000
Size: 00000000
IMAGE_DIRECTORY_ENTRY_IMPORT
VirtualAddress: 000064C4
Size: 0000003C
IMAGE_DIRECTORY_ENTRY_RESOURCE
VirtualAddress: 00000000
Size: 00000000
IMAGE_DIRECTORY_ENTRY_EXCEPTION
VirtualAddress: 00000000
Size: 00000000
IMAGE_DIRECTORY_ENTRY_SECURITY
VirtualAddress: 00000000
Size: 00000000
IMAGE_DIRECTORY_ENTRY_BASERELOC
VirtualAddress: 00000000
Size: 00000000
IMAGE_DIRECTORY_ENTRY_DEBUG
VirtualAddress: 00000000
Size: 00000000
IMAGE_DIRECTORY_ENTRY_ARCHITECTURE
VirtualAddress: 00000000
Size: 00000000
IMAGE_DIRECTORY_ENTRY_GLOBALPTR
VirtualAddress: 00000000
Size: 00000000
IMAGE_DIRECTORY_ENTRY_TLS
VirtualAddress: 00000000
Size: 00000000
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
VirtualAddress: 00000000
Size: 00000000
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT
VirtualAddress: 00000000
Size: 00000000
IMAGE_DIRECTORY_ENTRY_IAT
VirtualAddress: 00006000
Size: 000000B8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT
VirtualAddress: 00000000
Size: 00000000
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
VirtualAddress: 00000000
Size: 00000000
Reserved
VirtualAddress: 00000000
Size: 00000000
IMAGE_SECTION_HEADER:
Name: .text
VirtualSize: 4918
VirtualAddress: 00001000
SizeOfRawData: 00004A00
PointerToRawData: 00000400
PointerToRelocations: 00000000
PointerToLinenumbers: 00000000
NumberOfRelocations: 0000
NumberOfLinenumbers: 0000
Characteristics: 60000020
Name: .rdata
VirtualSize: 08CE
VirtualAddress: 00006000
SizeOfRawData: 00000A00
PointerToRawData: 00004E00
PointerToRelocations: 00000000
PointerToLinenumbers: 00000000
NumberOfRelocations: 0000
NumberOfLinenumbers: 0000
Characteristics: 40000040
Name: .data
VirtualSize: 3E28
VirtualAddress: 00007000
SizeOfRawData: 00002A00
PointerToRawData: 00005800
PointerToRelocations: 00000000
PointerToLinenumbers: 00000000
NumberOfRelocations: 0000
NumberOfLinenumbers: 0000
Characteristics: C0000040
IMAGE_IMPORT_DESCRIPTOR: RVA: 000064C4 File Offset: 000052C4 Section: .rdata
Name: USER32.dll
TimeDateStamp: 00000000
ForwarderChain: 00000000
OriginalFirstThunk: 000065B0 File Offset: 000053B0
FirstThunk: 000060B0 File Offset: 00004EB0
IMAGE_THUNK_DATA: RVA: 000065B0 File Offset: 000053B0
1 446 MessageBoxA (IAT:000065B8) File Offset: 000053B8
Name: KERNEL32.dll
TimeDateStamp: 00000000
ForwarderChain: 00000000
OriginalFirstThunk: 00006500 File Offset: 00005300
FirstThunk: 00006000 File Offset: 00004E00
IMAGE_THUNK_DATA: RVA: 00006500 File Offset: 00005300
1 703 VirtualFree (IAT:00006772) File Offset: 00005572
2 27 CloseHandle (IAT:000068B2) File Offset: 000056B2
3 202 GetCommandLineA (IAT:000065D2) File Offset: 000053D2
4 372 GetVersion (IAT:000065E4) File Offset: 000053E4
5 125 ExitProcess (IAT:000065F2) File Offset: 000053F2
6 670 TerminateProcess (IAT:00006600) File Offset: 00005400
7 247 GetCurrentProcess (IAT:00006614) File Offset: 00005414
8 685 UnhandledExceptionFilter (IAT:00006628) File Offset: 00005428
9 292 GetModuleFileNameA (IAT:00006644) File Offset: 00005444
A 178 FreeEnvironmentStringsA (IAT:0000665A) File Offset: 0000545A
B 179 FreeEnvironmentStringsW (IAT:00006674) File Offset: 00005474
C 722 WideCharToMultiByte (IAT:0000668E) File Offset: 0000548E
D 262 GetEnvironmentStrings (IAT:000066A4) File Offset: 000054A4
E 264 GetEnvironmentStringsW (IAT:000066BC) File Offset: 000054BC
F 621 SetHandleCount (IAT:000066D6) File Offset: 000054D6
10 338 GetStdHandle (IAT:000066E8) File Offset: 000054E8
11 277 GetFileType (IAT:000066F8) File Offset: 000054F8
12 336 GetStartupInfoA (IAT:00006706) File Offset: 00005506
13 294 GetModuleHandleA (IAT:00006718) File Offset: 00005518
14 265 GetEnvironmentVariableA (IAT:0000672C) File Offset: 0000552C
15 373 GetVersionExA (IAT:00006746) File Offset: 00005546
16 413 HeapDestroy (IAT:00006756) File Offset: 00005556
17 411 HeapCreate (IAT:00006764) File Offset: 00005564
18 415 HeapFree (IAT:00006780) File Offset: 00005580
19 559 RtlUnwind (IAT:0000678C) File Offset: 0000558C
1A 735 WriteFile (IAT:00006798) File Offset: 00005598
1B 409 HeapAlloc (IAT:000067A4) File Offset: 000055A4
1C 191 GetCPInfo (IAT:000067B0) File Offset: 000055B0
1D 185 00GetACP (IAT:000067BC) File Offset: 000055BC
1E 305 GetOEMCP (IAT:000067C6) File Offset: 000055C6
1F 699 VirtualAlloc (IAT:000067D2) File Offset: 000055D2
20 418 HeapReAlloc (IAT:000067E2) File Offset: 000055E2
21 318 GetProcAddress (IAT:000067F0) File Offset: 000055F0
22 450 LoadLibraryA (IAT:00006802) File Offset: 00005602
23 282 GetLastError (IAT:00006812) File Offset: 00005612
24 170 FlushFileBuffers (IAT:00006822) File Offset: 00005622
25 618 SetFilePointer (IAT:00006836) File Offset: 00005636
26 484 MultiByteToWideChar (IAT:00006848) File Offset: 00005648
27 447 LCMapStringA (IAT:0000685E) File Offset: 0000565E
28 448 LCMapStringW (IAT:0000686E) File Offset: 0000566E
29 339 GetStringTypeA (IAT:0000687E) File Offset: 0000567E
2A 342 GetStringTypeW (IAT:00006890) File Offset: 00005690
2B 636 SetStdHandle (IAT:000068A2) File Offset: 000056A2
Figure 1
From the dump above we can see that the program's import table starts at File Offset 000052C4 [RVA 000064C4].
It is followed by the IMAGE_IMPORT_DESCRIPTOR entries for the two DLLs; each IMAGE_IMPORT_DESCRIPTOR occupies
20 bytes, and with the final all-zero IMAGE_IMPORT_DESCRIPTOR added that is 60 bytes in total = 0x3C.
So 000052C4 + 0000003C = 00005300,
which means 00005300 is where our IMAGE_THUNK_DATA begins, as shown in Figure 2.
Figure 2
Next we see that Kernel32.dll has 43 imported functions in total, each occupying 4 bytes; adding the final 00000000 gives 176 bytes = 0xB0, so the File Offset of User32.dll's OriginalFirstThunk below must be 00005300 + 000000B0
= 000053B0.
I need to explain one layout (the IMAGE_IMPORT_BY_NAME area that the thunks point at):
//--------------------------------------------------------------------------
WORD String
HINT number   function name
……
……
module name
HINT number   function name
……
……
module name
……
//---------------------------------------------------------------------------
The relationship between the structures is as follows:
PIMAGE_IMPORT_DESCRIPTOR
PIMAGE_THUNK_DATA
PIMAGE_IMPORT_BY_NAME
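To make the walk the post does by hand reproducible, here is an added Python example (not code from the original post): it maps RVAs to file offsets with the section table from the dump, follows IMAGE_IMPORT_DESCRIPTOR -> IMAGE_THUNK_DATA -> IMAGE_IMPORT_BY_NAME, and runs over a constructed, much smaller file image that keeps the same .rdata mapping and the same 0x64C4 import directory RVA, so the descriptor and first-thunk offsets (52C4, 5300) come out exactly as computed above. It goes one step beyond the post by also handling the by-ordinal case (high bit set in the thunk), which this binary does not contain.

```python
import struct

# Section table copied from the dump above: (VirtualAddress, SizeOfRawData, PointerToRawData)
SECTIONS = [(0x1000, 0x4A00, 0x0400), (0x6000, 0x0A00, 0x4E00), (0x7000, 0x2A00, 0x5800)]

def rva_to_offset(rva, sections=SECTIONS):
    """Same RVA -> file offset arithmetic the post does by hand (RVA 64C4 -> offset 52C4)."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by file data")

def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def parse_imports(data, import_rva, sections=SECTIONS):
    """Walk IMAGE_IMPORT_DESCRIPTOR (20 bytes each, all-zero terminator) -> IMAGE_THUNK_DATA
    (4 bytes each, zero terminator) -> IMAGE_IMPORT_BY_NAME (WORD hint + name) for a 32-bit PE."""
    imports, off = [], rva_to_offset(import_rva, sections)
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break
        thunk_off, funcs = rva_to_offset(oft or ft, sections), []  # some linkers leave OFT = 0; use the IAT then
        while (thunk := struct.unpack_from("<I", data, thunk_off)[0]) != 0:
            if thunk & 0x80000000:                    # IMAGE_ORDINAL_FLAG32: no IMAGE_IMPORT_BY_NAME behind it
                funcs.append(("ordinal", thunk & 0xFFFF))
            else:
                ibn = rva_to_offset(thunk, sections)
                funcs.append((struct.unpack_from("<H", data, ibn)[0], read_cstr(data, ibn + 2)))
            thunk_off += 4
        imports.append((read_cstr(data, rva_to_offset(name_rva, sections)), funcs))
        off += 20
    return imports

def build_sample():
    """Constructed file image (not the post's binary): .rdata at RVA 6000 / file 4E00 as in the dump,
    descriptors at RVA 64C4, so the first thunk array lands at file offset 5300 as the post computes."""
    img = bytearray(0x5800)
    def put(rva, b): off = rva_to_offset(rva); img[off:off + len(b)] = b
    def by_name(rva, hint, name): put(rva, struct.pack("<H", hint) + name.encode() + b"\0"); return rva
    n1, n2 = by_name(0x6520, 699, "VirtualAlloc"), by_name(0x6530, 318, "GetProcAddress")
    n3 = by_name(0x6548, 446, "MessageBoxA")
    put(0x6600, b"KERNEL32.dll\0"); put(0x6610, b"USER32.dll\0")
    put(0x6500, struct.pack("<IIII", n1, n2, 0x80000010, 0))   # KERNEL32 OFT: 2 by name, 1 by ordinal (16), terminator
    put(0x6510, struct.pack("<II", n3, 0))                      # USER32 OFT
    put(0x64C4, struct.pack("<IIIII", 0x6500, 0, 0, 0x6600, 0x6000)
              + struct.pack("<IIIII", 0x6510, 0, 0, 0x6610, 0x60B0) + bytes(20))  # 3 * 20 = 0x3C bytes
    return bytes(img)

if __name__ == "__main__":
    for dll, funcs in parse_imports(build_sample(), 0x64C4):
        print(dll, funcs)
```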