How to properly get contents of DLL file for PE parsing?

Problem description

I'm trying to get the RVA of a function in kernel32.dll, which means I need to use the offsets to find different structures in the file until I can get the IMAGE_EXPORT_DIRECTORY structure. However, I know a lot of methods and ways of getting the contents of files interpret and leave out certain characters and stuff, which would make this a nearly impossible task. So I want to know the best way to go about getting the contents of a DLL file to copy into a character array.

Update: For anyone interested, I created a function for mapping the DLL into memory.

#include <windows.h>

// Maps a DLL as an image (SEC_IMAGE): sections are laid out at their virtual
// addresses, so an RVA can be used directly as an offset from the returned base.
// The file must be a valid PE of the calling process's architecture, otherwise
// CreateFileMapping fails.
void* GetFileImage(char path[])
{
    HANDLE hFile = CreateFile(path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_READONLY, NULL);
    if(hFile == INVALID_HANDLE_VALUE){return NULL;}

    // CreateFileMapping returns NULL on failure, not INVALID_HANDLE_VALUE.
    // An unnamed mapping avoids colliding with any other object called "KernelMap".
    HANDLE file_map = CreateFileMapping(hFile, NULL, PAGE_READONLY|SEC_IMAGE, 0, 0, NULL);
    CloseHandle(hFile);   // the mapping object keeps the file open
    if(file_map == NULL){return NULL;}

    LPVOID file_image = MapViewOfFile(file_map, FILE_MAP_READ, 0, 0, 0);
    CloseHandle(file_map);   // the view keeps the mapping alive until UnmapViewOfFile
    if(file_image == NULL){return NULL;}

    return file_image;   // caller releases it with UnmapViewOfFile(file_image)
}

Solution

There are multiple ways. Not that many, though.

1. If you are trying to parse a system-loaded file such as kernel32.dll, which is loaded into memory on system startup, you can directly use GetModuleHandle to grab the loaded base address and start parsing through the PE (assuming you are familiar with the PE structure, static/delay loading of DLLs, and their exports).

2. If the DLL you are trying to parse is not one of the system-loaded ones, you can load it using LoadLibrary, which will return the loaded base address, thus enabling you to parse the PE.

3. You can also use CreateFileMapping/MapViewOfFile to map the DLL into your own virtual memory to parse.

The MSDN article suggested by @David Thomas will be of great help: Peering Inside the PE
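The walk from the DOS header to IMAGE_EXPORT_DIRECTORY that the question and answer describe, as an added example that is not part of the original question or answer. It shows the one thing that differs between the three approaches above: with a base obtained from GetModuleHandle, LoadLibrary or a SEC_IMAGE mapping, an RVA is simply an offset from the base, whereas with the raw bytes of the file every RVA must first be translated through the section table. The PE it parses is a constructed minimal PE32+ built in a byte buffer (export names SampleExportA/SampleExportB, forwarder target "OTHER.Target", and the sample_* helpers are all assumptions for this example, not real files or library APIs), so it runs on any platform without windows.h.

```c
#include <stdint.h>
#include <string.h>

#define BAD ((size_t)-1)

/* Header fields in a byte buffer may be unaligned: access them byte-wise (little-endian). */
static uint16_t rd16(const uint8_t *p, size_t o) { return (uint16_t)(p[o] | (p[o + 1] << 8)); }
static uint32_t rd32(const uint8_t *p, size_t o) { return rd16(p, o) | ((uint32_t)rd16(p, o + 2) << 16); }
static void wr16(uint8_t *p, size_t o, uint16_t v) { p[o] = (uint8_t)v; p[o + 1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, size_t o, uint32_t v) { wr16(p, o, (uint16_t)v); wr16(p, o + 2, (uint16_t)(v >> 16)); }

/* Check "MZ" and "PE\0\0"; return the offset of IMAGE_NT_HEADERS, or BAD. */
static size_t pe_nt_offset(const uint8_t *b, size_t n) {
    if (n < 0x40 || rd16(b, 0) != 0x5A4D) return BAD;
    uint32_t nt = rd32(b, 0x3C);                                            /* e_lfanew */
    return ((size_t)nt + 24 <= n && rd32(b, nt) == 0x00004550) ? nt : BAD;
}

/* RVA -> buffer offset. In an image laid out by the loader (GetModuleHandle/LoadLibrary) or by
 * SEC_IMAGE, offset == RVA. In a raw file the section table maps VirtualAddress -> PointerToRawData. */
size_t pe_rva_to_offset(const uint8_t *b, size_t n, uint32_t rva, int raw_file) {
    size_t nt = pe_nt_offset(b, n);
    if (nt == BAD) return BAD;
    if (!raw_file) return rva < n ? rva : BAD;
    uint16_t nsec = rd16(b, nt + 6);                                        /* NumberOfSections */
    size_t sec = nt + 24 + rd16(b, nt + 20);                                /* past SizeOfOptionalHeader */
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        if (sec + 40 > n) return BAD;
        uint32_t va = rd32(b, sec + 12), rawsz = rd32(b, sec + 16), rawp = rd32(b, sec + 20);
        if (rva >= va && rva - va < rawsz) {
            size_t off = (size_t)rawp + (rva - va);
            return off < n ? off : BAD;
        }
    }
    return BAD;                                             /* RVA not backed by any file bytes */
}

/* Resolve an export name to its RVA (0 if absent or malformed). An RVA that lands inside
 * the export directory is a forwarder string such as "NTDLL.RtlFoo", not code. */
uint32_t pe_export_rva(const uint8_t *b, size_t n, int raw_file, const char *name, int *forwarded) {
    size_t nt = pe_nt_offset(b, n);
    if (forwarded) *forwarded = 0;
    if (nt == BAD) return 0;
    size_t opt = nt + 24, ndirs = opt + (rd16(b, opt) == 0x20B ? 108 : 92);  /* PE32+ vs PE32 */
    if (ndirs + 12 > n || rd32(b, ndirs) < 1) return 0;                     /* NumberOfRvaAndSizes */
    uint32_t exp_rva = rd32(b, ndirs + 4), exp_size = rd32(b, ndirs + 8);   /* DataDirectory[0] */
    size_t ed = pe_rva_to_offset(b, n, exp_rva, raw_file);
    if (ed == BAD || ed + 40 > n) return 0;
    uint32_t nfuncs = rd32(b, ed + 20), nnames = rd32(b, ed + 24);
    size_t funcs = pe_rva_to_offset(b, n, rd32(b, ed + 28), raw_file);      /* AddressOfFunctions */
    size_t names = pe_rva_to_offset(b, n, rd32(b, ed + 32), raw_file);      /* AddressOfNames */
    size_t ords  = pe_rva_to_offset(b, n, rd32(b, ed + 36), raw_file);      /* AddressOfNameOrdinals */
    if (funcs == BAD || names == BAD || ords == BAD) return 0;
    for (uint32_t i = 0; i < nnames; i++) {
        if (names + 4 * i + 4 > n || ords + 2 * i + 2 > n) return 0;
        size_t s = pe_rva_to_offset(b, n, rd32(b, names + 4 * i), raw_file);
        if (s == BAD || !memchr(b + s, 0, n - s) || strcmp((const char *)b + s, name) != 0) continue;
        uint16_t ord = rd16(b, ords + 2 * i);                /* unbiased index, not Base-relative */
        if (ord >= nfuncs || funcs + 4 * ord + 4 > n) return 0;
        uint32_t rva = rd32(b, funcs + 4 * ord);
        if (forwarded) *forwarded = rva >= exp_rva && rva - exp_rva < exp_size;
        return rva;
    }
    return 0;
}

/* Constructed PE32+ DLL (not a real file) in raw or mapped layout: one ".edata" section at RVA
 * 0x1000 (file offset 0x200) exporting SampleExportA (code, RVA 0x2340) and SampleExportB (forwarder). */
#define SAMPLE_BUF 0x2000
size_t build_sample_dll(uint8_t *b, int mapped) {
    size_t nt = 0x80, opt = nt + 24, sec = opt + 240, ed = mapped ? 0x1000 : 0x200;
    memset(b, 0, SAMPLE_BUF);
    wr16(b, 0, 0x5A4D); wr32(b, 0x3C, (uint32_t)nt); wr32(b, nt, 0x00004550);
    wr16(b, nt + 4, 0x8664); wr16(b, nt + 6, 1); wr16(b, nt + 20, 240);          /* x64, 1 section */
    wr16(b, opt, 0x20B); wr32(b, opt + 32, 0x1000); wr32(b, opt + 36, 0x200);   /* magic, alignments */
    wr32(b, opt + 56, SAMPLE_BUF); wr32(b, opt + 60, 0x200);                    /* SizeOfImage, SizeOfHeaders */
    wr32(b, opt + 108, 16); wr32(b, opt + 112, 0x1000); wr32(b, opt + 116, 0x100); /* export dir RVA/size */
    memcpy(b + sec, ".edata", 6); wr32(b, sec + 8, 0x100); wr32(b, sec + 12, 0x1000);
    wr32(b, sec + 16, 0x200); wr32(b, sec + 20, 0x200);                         /* SizeOfRawData, PointerToRawData */
    wr32(b, ed + 12, 0x1090); wr32(b, ed + 16, 1); wr32(b, ed + 20, 2); wr32(b, ed + 24, 2);
    wr32(b, ed + 28, 0x1040); wr32(b, ed + 32, 0x1048); wr32(b, ed + 36, 0x1050);
    wr32(b, ed + 0x40, 0x2340); wr32(b, ed + 0x44, 0x1080);                     /* function RVAs */
    wr32(b, ed + 0x48, 0x1060); wr32(b, ed + 0x4C, 0x1070);                     /* name RVAs */
    wr16(b, ed + 0x50, 0); wr16(b, ed + 0x52, 1);                               /* name ordinals */
    memcpy(b + ed + 0x60, "SampleExportA", 14); memcpy(b + ed + 0x70, "SampleExportB", 14);
    memcpy(b + ed + 0x80, "OTHER.Target", 13); memcpy(b + ed + 0x90, "sample.dll", 11);
    return mapped ? SAMPLE_BUF : 0x400;
}

/* Helpers over the constructed DLL: export RVA, forwarder flag, and RVA -> offset translation. */
uint32_t sample_export(int mapped, const char *name, int *fwd) {
    uint8_t buf[SAMPLE_BUF]; size_t n = build_sample_dll(buf, mapped);
    return pe_export_rva(buf, n, !mapped, name, fwd);
}
int sample_forwarded(int mapped, const char *name) { int f; sample_export(mapped, name, &f); return f; }
size_t sample_rva_to_offset(int mapped, uint32_t rva) {
    uint8_t buf[SAMPLE_BUF]; return pe_rva_to_offset(buf, build_sample_dll(buf, mapped), rva, !mapped);
}
```

sample_export(0, "SampleExportA", NULL) parses the raw file layout and sample_export(1, ...) the mapped layout; both return RVA 0x2340, while SampleExportB resolves to 0x1080, which lies inside the export directory and is therefore reported as a forwarder. On Windows the same pe_export_rva runs unchanged over a module base, e.g. (const uint8_t *)GetModuleHandleA("kernel32.dll") with raw_file = 0 and SizeOfImage from the optional header as the size; some kernel32 exports are forwarders (to NTDLL or KERNELBASE), which is why the forwarder check is worth keeping.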
