今天学习了PE的导出表,写了一个GetProcAddress来做练习,发出来跟大家分享
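/*
 * Return non-zero when `count` elements of `elemSize` bytes starting at `rva`
 * lie entirely inside an image of `imageSize` bytes. Written with a division
 * so that rva + count * elemSize cannot wrap around.
 */
static int IsRvaRangeInImage(DWORD imageSize, DWORD rva, DWORD count, DWORD elemSize)
{
    if (rva == 0 || rva >= imageSize) {
        return 0;
    }
    return count <= (imageSize - rva) / elemSize;
}

/*
 * Look up an export of a PE image that is already mapped in memory by walking
 * its export directory by hand.
 *
 * hModule   - base address of the mapped image.
 * pProcName - NUL-terminated export name, or an ordinal carried in the low
 *             16 bits of the pointer value (MAKEINTRESOURCE convention).
 *
 * Returns the export's RVA exactly as stored in AddressOfFunctions, or 0 on
 * failure. This is not a callable address: the caller must add the image
 * base. Forwarded exports are not resolved; for those the returned RVA points
 * at the forwarder string inside the export directory, not at code.
 *
 * Every RVA read from the headers is checked against SizeOfImage before it is
 * dereferenced. SizeOfImage comes from the same header, so this catches
 * inconsistent tables but not a header that misstates the size of the mapping;
 * do not rely on it alone for images that did not come through the OS loader.
 *
 * NOTE(review): the name and signature collide with the Win32 declaration of
 * GetProcAddress in <windows.h> - confirm how the surrounding file avoids that.
 */
DWORD GetProcAddress(HMODULE hModule, PCSTR pProcName)
{
    if (hModule == NULL || pProcName == NULL) {
        return 0;
    }

    PBYTE pBase = (PBYTE)hModule;

    /* Check that hModule really points at a PE image. */
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pBase;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        return 0;
    }
    /* e_lfanew is signed; a non-positive value would point at or before the
     * DOS header. The upper bound cannot be checked until the NT headers,
     * which hold SizeOfImage, have been read. */
    if (pDosHeader->e_lfanew <= 0) {
        return 0;
    }

    PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)(pBase + pDosHeader->e_lfanew);
    if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE) {
        return 0;
    }
    /* PIMAGE_NT_HEADERS has the layout of the build's own bitness; for an
     * image of the other bitness DataDirectory sits at a different offset. */
    if (pNtHeaders->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC) {
        return 0;
    }

    /* Check that an export directory is present. */
    if (pNtHeaders->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_EXPORT) {
        return 0;
    }
    IMAGE_DATA_DIRECTORY DataDirectory =
        pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if (DataDirectory.VirtualAddress == 0 || DataDirectory.Size == 0) {
        return 0;
    }

    DWORD imageSize = pNtHeaders->OptionalHeader.SizeOfImage;
    if (!IsRvaRangeInImage(imageSize, DataDirectory.VirtualAddress, 1,
                           (DWORD)sizeof(IMAGE_EXPORT_DIRECTORY))) {
        return 0;
    }

    IMAGE_EXPORT_DIRECTORY *pExportDirectory =
        (IMAGE_EXPORT_DIRECTORY *)(pBase + DataDirectory.VirtualAddress);

    DWORD nFunctions = pExportDirectory->NumberOfFunctions;
    if (!IsRvaRangeInImage(imageSize, pExportDirectory->AddressOfFunctions,
                           nFunctions, (DWORD)sizeof(DWORD))) {
        return 0;
    }
    PDWORD pAddressOfFunctions = (PDWORD)(pBase + pExportDirectory->AddressOfFunctions);

    /* Compare the full pointer width: truncating to DWORD would classify a
     * 64-bit pointer whose low 32 bits are <= 0xFFFF as an ordinal. */
    if ((ULONG_PTR)pProcName <= 0xFFFF) {
        /* Lookup by ordinal. An ordinal below Base wraps to a huge unsigned
         * value and is rejected by the range check below. */
        DWORD nIndex = (DWORD)(ULONG_PTR)pProcName - pExportDirectory->Base;
        if (nIndex >= nFunctions) {
            return 0;
        }
        return pAddressOfFunctions[nIndex];
    }

    /* Lookup by name. Images that export by ordinal only have no name tables,
     * so these are validated only on this path. */
    DWORD nNames = pExportDirectory->NumberOfNames;
    if (nNames == 0) {
        return 0;
    }
    if (!IsRvaRangeInImage(imageSize, pExportDirectory->AddressOfNames,
                           nNames, (DWORD)sizeof(DWORD)) ||
        !IsRvaRangeInImage(imageSize, pExportDirectory->AddressOfNameOrdinals,
                           nNames, (DWORD)sizeof(WORD))) {
        return 0;
    }
    PDWORD pAddressOfNames = (PDWORD)(pBase + pExportDirectory->AddressOfNames);
    PWORD pAddressOfNameOrdinals = (PWORD)(pBase + pExportDirectory->AddressOfNameOrdinals);

    for (DWORD i = 0; i < nNames; i++) {
        DWORD nameRva = pAddressOfNames[i];
        if (nameRva == 0 || nameRva >= imageSize) {
            continue; /* name pointer outside the image: skip the entry */
        }

        /* Export names are ANSI strings, so PCSTR (not PCTSTR, which becomes
         * a wide string in UNICODE builds) is the matching type for strcmp.
         * Only the start of the string is range-checked; strcmp still relies
         * on the name being NUL-terminated inside the mapping. */
        PCSTR pszName = (PCSTR)(pBase + nameRva);
        if (strcmp(pProcName, pszName) == 0) {
            /* The ordinal table entry indexes AddressOfFunctions and comes
             * from the image, so it needs the same range check as above. */
            WORD nIndex = pAddressOfNameOrdinals[i];
            if (nIndex >= nFunctions) {
                return 0;
            }
            return pAddressOfFunctions[nIndex];
        }
    }

    return 0;
}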