Printing out the names of implicitly linked dll's from .idata section in a portable executable


Problem description

I am trying to write a code which is supposed to print out the names of all the imported dll's in the exe by using the 'name' field of the IMAGE_IMPORT_DESCRIPTOR structure in the .idata section of the exe, but the program seems to be getting stuck in an infinite loop. Can someone please tell me how to get the names printed out correctly...

    #include<iostream>
    #include<Windows.h>
    #include<stdio.h>
    #include<WinNT.h>

    int main()
    {
        FILE *fp; 
        int i;

        if((fp = fopen("c:\\Linked List.exe","rb"))==NULL)
        {
            std::cout<<"unable to open";
            return 1;   // do not continue with a NULL FILE pointer
        }


        IMAGE_DOS_HEADER imdh;
        fread(&imdh,sizeof(imdh),1,fp);
        fseek(fp,imdh.e_lfanew,0);

        IMAGE_NT_HEADERS imnth;
        fread(&imnth,sizeof(imnth),1,fp);

        IMAGE_SECTION_HEADER *pimsh;
        pimsh = (IMAGE_SECTION_HEADER *)malloc(sizeof(IMAGE_SECTION_HEADER) * imnth.FileHeader.NumberOfSections);

        long t;

        fread(pimsh,sizeof(IMAGE_SECTION_HEADER),imnth.FileHeader.NumberOfSections,fp);

        for(i=0;i<imnth.FileHeader.NumberOfSections;i++)
        {
            if(!strcmp((char *)pimsh->Name,".idata"))
                t = pimsh->PointerToRawData;
            pimsh++;
        }

        fseek(fp,t,0);

        IMAGE_IMPORT_DESCRIPTOR iid;
        char c;

        while(1)
        {
            fread(&iid,sizeof(iid),1,fp);

            if(iid.Characteristics == NULL)
                break;

            t = ftell(fp);

            fseek(fp,(long)iid.Name,0);

            while(c=fgetc(fp))
                printf("%c",c);
            printf("\n");

            fseek(fp,t,0);

        }
    }

Recommended answer

There are a few problems.

  • You cannot assume that the imports section is called ".idata". You should locate the imports using IMAGE_OPTIONAL_HEADER.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].

Most offsets within a PE file are Relative Virtual Addresses (RVAs), not file offsets. To convert an RVA to an offset you need to determine which section the virtual address is in, then calculate an offset based on where the section is in the file. Specifically, the IMAGE_IMPORT_DESCRIPTOR.Name field contains an RVA, not a file offset.

Your code will be much simpler (and quicker) if you use a memory-mapped file rather than file I/O.

This MSDN article explains RVAs, the data directory, etc. It also includes pedump, an application with full source code for dumping PE files, which is a useful reference.
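
The approach the answer describes, written out as an added example (not code from the original post or from pedump): the import table is found through the data directory, and every RVA, including the descriptor's Name field, is mapped to a file offset through the section table. The function names `rd16`, `rd32`, `rva_to_offset` and `list_imports` are hypothetical; the code works on a file image already read or mapped into memory and uses raw PE field offsets instead of `Windows.h` structures, with bounds checks because a PE file from an untrusted source may be malformed.

```c
#include <stdint.h>
#include <string.h>

/* Bounds-checked little-endian reads; an out-of-range read yields 0. */
static uint32_t rd32(const uint8_t *b, size_t n, size_t off) {
    if (off > n || n - off < 4) return 0;
    return (uint32_t)b[off] | (uint32_t)b[off + 1] << 8 |
           (uint32_t)b[off + 2] << 16 | (uint32_t)b[off + 3] << 24;
}
static uint16_t rd16(const uint8_t *b, size_t n, size_t off) {
    if (off > n || n - off < 2) return 0;
    return (uint16_t)(b[off] | b[off + 1] << 8);
}

/* Map an RVA to a file offset via the section table; 0 if no section holds it. */
static size_t rva_to_offset(const uint8_t *b, size_t n, uint32_t rva) {
    size_t nt = rd32(b, n, 0x3C);                  /* IMAGE_DOS_HEADER.e_lfanew */
    uint16_t nsec = rd16(b, n, nt + 6);            /* FileHeader.NumberOfSections */
    size_t sec = nt + 24 + rd16(b, n, nt + 20);    /* skip SizeOfOptionalHeader bytes */
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {   /* 40 = section header size */
        uint32_t va = rd32(b, n, sec + 12), raw_sz = rd32(b, n, sec + 16);
        uint32_t raw = rd32(b, n, sec + 20);       /* PointerToRawData */
        if (rva >= va && rva - va < raw_sz) return (size_t)raw + (rva - va);
    }
    return 0;
}

/* Copy up to max imported DLL names into names; returns the count, -1 if not a PE. */
int list_imports(const uint8_t *b, size_t n, char names[][64], int max) {
    size_t nt = rd32(b, n, 0x3C);
    if (rd16(b, n, 0) != 0x5A4D || rd32(b, n, nt) != 0x00004550) return -1;
    /* DataDirectory starts 96 bytes into a PE32 optional header, 112 for PE32+;
       entry 1 (IMAGE_DIRECTORY_ENTRY_IMPORT) is 8 bytes further on. */
    size_t dd = nt + 24 + (rd16(b, n, nt + 24) == 0x20B ? 112 : 96) + 8;
    size_t d = rva_to_offset(b, n, rd32(b, n, dd));
    int count = 0;
    for (; d && count < max; d += 20) {            /* 20 = IMAGE_IMPORT_DESCRIPTOR size */
        uint32_t name_rva = rd32(b, n, d + 12);    /* Name is an RVA, not a file offset */
        if (name_rva == 0) break;                  /* all-zero descriptor ends the table */
        size_t s = rva_to_offset(b, n, name_rva);
        const uint8_t *end = (s && s < n) ? memchr(b + s, 0, n - s) : NULL;
        if (!end || end - (b + s) >= 64) break;    /* unmapped, unterminated or too long */
        memcpy(names[count++], b + s, (size_t)(end - (b + s)) + 1);
    }
    return count;
}
```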
