How do I read the PE header of a module loaded in memory?


Question

I'm experimenting with memory access in .NET. At the moment, I have a managed program that starts an unmanaged process and retrieves the BaseAddress of one of its loaded modules (a DLL). What I would like to do is somehow read the PE header of the loaded module so that I can later retrieve the addresses of its exports.

Unfortunately, I can't find any good information about this. Any ideas?

Recommended answer

This is a good starting point for the PE file format.

You can P/Invoke ReadProcessMemory from the base address you have to copy the headers into your process. You'll need to parse the memory you read into the various PE headers. The first header is the IMAGE_DOS_HEADER, which will point you to the IMAGE_NT_HEADERS. You can then use the IMAGE_OPTIONAL_HEADER in the IMAGE_NT_HEADERS to find the location of the IMAGE_EXPORT_DIRECTORY in the binary.
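
The header walk described in the answer, as an added C# example (not code from the original post): `ParseExportDirectory` follows `e_lfanew` from the IMAGE_DOS_HEADER to the IMAGE_NT_HEADERS and reads data directory entry 0 from the optional header, bounds-checking each step and handling both PE32 and PE32+. The class and method names are hypothetical, and `Main` inspects kernel32.dll in the current process as a stand-in for the child process's module.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Runtime.InteropServices;

static class PeExportLocator   // hypothetical name, not from the original post
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
        [Out] byte[] lpBuffer, IntPtr nSize, out IntPtr lpNumberOfBytesRead);

    // Parses headers copied from a mapped image; returns the export directory (RVA, size).
    public static (uint Rva, uint Size) ParseExportDirectory(byte[] h)
    {
        if (h.Length < 0x40 || BitConverter.ToUInt16(h, 0) != 0x5A4D)   // "MZ"
            throw new InvalidDataException("IMAGE_DOS_HEADER not found");
        int nt = BitConverter.ToInt32(h, 0x3C);                         // e_lfanew
        // 144 = signature (4) + IMAGE_FILE_HEADER (20) + PE32+ offset of DataDirectory (112) + one entry (8)
        if (nt < 0 || nt > h.Length - 144 || BitConverter.ToUInt32(h, nt) != 0x00004550) // "PE\0\0"
            throw new InvalidDataException("IMAGE_NT_HEADERS not found in buffer");
        int opt = nt + 24;                                              // start of the optional header
        ushort magic = BitConverter.ToUInt16(h, opt);
        int dirs = magic == 0x10B ? opt + 96 : magic == 0x20B ? opt + 112   // PE32 : PE32+
            : throw new InvalidDataException("unknown optional header magic");
        if (BitConverter.ToUInt32(h, dirs - 4) == 0) return (0, 0);     // NumberOfRvaAndSizes
        return (BitConverter.ToUInt32(h, dirs), BitConverter.ToUInt32(h, dirs + 4));
    }

    // Assumption: the NT headers fit in the first 4 KiB of the image; the parser throws otherwise.
    public static IntPtr ExportDirectoryAddress(IntPtr hProcess, IntPtr baseAddress)
    {
        var buf = new byte[0x1000];
        if (!ReadProcessMemory(hProcess, baseAddress, buf, (IntPtr)buf.Length, out _))
            throw new Win32Exception();                                 // wraps GetLastError
        var (rva, _) = ParseExportDirectory(buf);
        return rva == 0 ? IntPtr.Zero : new IntPtr(baseAddress.ToInt64() + rva);
    }

    static void Main()
    {
        // Demonstration target: kernel32.dll as mapped into this process.
        var self = Process.GetCurrentProcess();
        var mod = self.Modules.Cast<ProcessModule>()
            .First(m => m.ModuleName.Equals("kernel32.dll", StringComparison.OrdinalIgnoreCase));
        Console.WriteLine($"IMAGE_EXPORT_DIRECTORY at 0x{ExportDirectoryAddress(self.Handle, mod.BaseAddress).ToInt64():X}");
    }
}
```

For the scenario in the question, pass the `Handle` of the `Process` you started and the `BaseAddress` of its module. The returned address is in the target's address space, so the IMAGE_EXPORT_DIRECTORY itself has to be read with a further `ReadProcessMemory` call.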
