导入地址表中的Thunk表? [英] Thunk table in import address table?
问题描述
这个thunk表只是一个表格,而在EXE文件中用来导入外部DLL中的函数的导入地址表是什么?包含Thunks到其他功能?
Thunks是导入表的部分 code> IMAGE_DIRECTORY_ENTRY_IMPORT )和延迟导入表( IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT
)。它们被描述为 http://msdn.microsoft.com/en-us/library /ms809762.aspx 。
我将看看我的旧源代码,并将稍后发布一个转储这两个表包含绑定信息的工作代码。 / p>
更新:
这是一个我喜欢的旧代码程序。它只支持32位PE,但可以轻松修改为64位。顺便说一句,你可以看到,它也转储绑定信息。要测试这个绑定你想要转储的PE相对于bind.exe(例如,使用 bind.exe -u -v Test .dll
)。
代码约有1000行,所以我不能在这里发布。我收到一条错误信息
糟糕!您的编辑无法提交,因为:
- 正文限于30000个字符;你输入55095
所以我把它放在这里: http://www.ok-soft-gmbh.com/ForStackOverflow/PEInfo.c 。我希望这段代码可以帮助你更好地描述一下。
更新2 :我看到我的旧答案不适合搜索引擎。所以我包括代码的部分代码 PEInfo.c
(函数 DumpImports
和 DumpExports
)
void MakeIdent(UINT nOffset)
{
for(; nOffset; nOffset--)
printf(); // 4 blanks
}
void DumpDword(UINT nOffset,LPCSTR pszPrefix,DWORD dw)
{
MakeIdent(nOffset);
if(dw< 100)
printf(%s:%d\\\
,pszPrefix,dw);
else if(dw%(256 * 256)== 0)
printf(%s:0x%X\\\
,pszPrefix,dw);
else
printf(%s:%d(0x%X)\\\
,pszPrefix,dw,dw);
}
void DumpTimeDateStamp(UINT nOffset,LPCSTR pszTimeDateStampPrefix,DWORD dwTimeDateStamp)
{
// struct tm tmTime; // = localtime_s((time_t *)& ; dwTimeDateStamp);
// errno_t err = localtime_s(& tmTime,((time_t *)& dwTimeDateStamp));
struct tm * ptmTime = _localtime32((__time32_t *)& dwTimeDateStamp);
SYSTEMTIME stSystemTime;
static CHAR szString [128];
stSystemTime.wYear =(WORD)(1900 + ptmTime-> tm_year);
stSystemTime.wMonth =(WORD)(ptmTime-> tm_mon + 1);
stSystemTime.wDay =(WORD)ptmTime-> tm_mday;
stSystemTime.wDayOfWeek =(WORD)(ptmTime-> tm_wday + 1);
stSystemTime.wHour =(WORD)ptmTime-> tm_hour;
stSystemTime.wMinute =(WORD)ptmTime-> tm_min;
stSystemTime.wSecond =(WORD)ptmTime-> tm_sec;
stSystemTime.wMilliseconds = 0;
MakeIdent(nOffset);
printf(%s:0x%8X(,pszTimeDateStampPrefix,dwTimeDateStamp);
if(GetDateFormatA(LOCALE_USER_DEFAULT,0,& stSystemTime,NULL,
szString,sizeof (szString)/ sizeof(TCHAR))!= 0){
printf(szString);
}
if(GetTimeFormatA(LOCALE_USER_DEFAULT,0,& stSystemTime,
szString,sizeof(szString)/ sizeof(TCHAR))!= 0){
if(szString [0]!= 0)
printf();
printf (szString);
}
printf()\\\
);
}
void DumpImports(UINT nOffset,IMAGE_OPTIONAL_HEADER32 * pOptionalHeader,PBYTE pbyFile,
IMAGE_SECTION_HEADER * pSectionHeader,IMAGE_NT_HEADERS32 * pNtHeader)//该部分的标题,其中包含导出部分
{
IMAGE_IMPORT_DESCRIPTOR * pImportDescriptor =(IMAGE_IMPORT_DESCRIPTOR *)((PBYTE)pbyFile + pSectionHeader-> PointerToRawData +
pOptionalHeader-> DataDirectory [IMAGE_DIRECTORY_ENTRY_IMPORT] .VirtualAddress - pSectionHeader-> VirtualAddress);
DWORD dwBoundImportVA = pOptionalHeader-> DataDirectory [IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT] .VirtualAddress;
IMAGE_BOUND_IMPORT_DESCRIPTOR * pFirstBoundImportDescriptor = NULL,* pBoundImportDescriptor;
// DumpDword(nOffset,TEXT(特征),pImportDescriptor->特征);
if(dwBoundImportVA){
UINT i;
IMAGE_SECTION_HEADER * pFirstSectionHeader =(IMAGE_SECTION_HEADER *)((PBYTE)pOptionalHeader + // sizeof(IMAGE_OPTIONAL_HEADER32));
pNtHeader-> FileHeader.SizeOfOptionalHeader);
for(i = 0; i< pNtHeader-> FileHeader.NumberOfSections; i ++){
if(pFirstSectionHeader [i] .VirtualAddress< = dwBoundImportVA&&
dwBoundImportVA< pFirstSectionHeader [i] .VirtualAddress + pFirstSectionHeader [i] .Misc.VirtualSize){
pFirstBoundImportDescriptor =(IMAGE_BOUND_IMPORT_DESCRIPTOR *)((PBYTE)pbyFile + pFirstSectionHeader [i] .PointerToRawData +
dwBoundImportVA - pFirstSectionHeader [i] .VirtualAddress);
break;
}
}
if(i> = pNtHeader-> FileHeader.NumberOfSections)
pFirstBoundImportDescriptor =(IMAGE_BOUND_IMPORT_DESCRIPTOR *)((PBYTE)pbyFile + dwBoundImportVA);
for(; pImportDescriptor->特征; pImportDescriptor ++){
IMAGE_THUNK_DATA * pOriginalFirstThunk =(IMAGE_THUNK_DATA *)((PBYTE)pbyFile + pSectionHeader-> PointerToRawData +
pImportDescriptor-> OriginalFirstThunk - pSectionHeader-> VirtualAddress);
IMAGE_THUNK_DATA * pFirstThunk =(IMAGE_THUNK_DATA *)((PBYTE)pbyFile + pSectionHeader-> PointerToRawData +
pImportDescriptor-> FirstThunk - pSectionHeader-> VirtualAddress);
IMAGE_THUNK_DATA * pOriginalThunk,* pThunk;
MakeIdent(nOffset);
printf(%s,pbyFile + pSectionHeader-> PointerToRawData + pImportDescriptor-> Name - pSectionHeader-> VirtualAddress);
// DumpDword(nOffset,TEXT(Ordinal Base),pExportDirectory-> Base);
if(pImportDescriptor-> TimeDateStamp == 0){
// MakeIdent(nOffset);
printf((DLL未绑定)\\\
);
}
else if(pImportDescriptor-> TimeDateStamp == -1){
// if bound,and real date\time stamp
// // in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT新BIND)
// MakeIdent(nOffset);
printf((DLL绑定新的BIND)\\\
);
}
else {
// MakeIdent(nOffset);
printf((DLL绑定到旧BIND));
DumpTimeDateStamp(nOffset,TimeDateStamp,pImportDescriptor-> TimeDateStamp);
}
MakeIdent(nOffset + 1);
if(pImportDescriptor-> TimeDateStamp)// if bound
printf(TEXT(Ordinal hint BoundAddrs Name\\\
));
else
printf(TEXT(Ordinal hint Name\\\
));
for(pOriginalThunk = pOriginalFirstThunk,pThunk = pFirstThunk; pOriginalThunk-> u1.AddressOfData; pOriginalThunk ++,pThunk ++){
if(IMAGE_SNAP_BY_ORDINAL32(pOriginalThunk-> u1.Ordinal)){
MakeIdent(nOffset + 1);
// Ordinal
if(pImportDescriptor-> TimeDateStamp)
printf(TEXT(%4u(0x%04X)0x%08X\\\
),
pOriginalThunk- > u1.Ordinal&〜IMAGE_ORDINAL_FLAG32,
pOriginalThunk-> u1.Ordinal ^ IMAGE_ORDINAL_FLAG32,
pThunk-> u1.AddressOfData);
else
// pThunk-> u1.AddressOfData == pOriginalThunk-> u1.Ordinal所以不要打印
printf(TEXT(%4u(0x%04X)\\ \\ n),
pOriginalThunk-> u1.Ordinal&〜IMAGE_ORDINAL_FLAG32,
pOriginalThunk-> u1.Ordinal ^ IMAGE_ORDINAL_FLAG32);
}
else {
IMAGE_IMPORT_BY_NAME * pImportByName =(IMAGE_IMPORT_BY_NAME *)(pOriginalThunk-> u1.AddressOfData +
(PBYTE)pbyFile + pSectionHeader-> PointerToRawData - pSectionHeader-> ;其VirtualAddress);
MakeIdent(nOffset + 1);
//提示 - 导出名称指针表中的索引。首先尝试使用此值进行匹配。
//如果失败,对DLL的导出名称指针表执行二进制搜索。
if(pImportDescriptor-> TimeDateStamp)// if bound
printf(TEXT(%18u(0x%04X)0x%08X%hs\\\
),pImportByName-> Hint,pImportByName - > Hint,pThunk-> u1.AddressOfData,
pImportByName-> Name);
else
printf(TEXT(%18u(0x%04X)%hs\\\
),pImportByName-> Hint,pImportByName-> Hint,pImportByName-> Name);
}
}
}
if(pFirstBoundImportDescriptor){
MakeIdent(nOffset);
printf(PE头包含以下绑定的导入信息:\\\
); (pBoundImportDescriptor = pFirstBoundImportDescriptor; pBoundImportDescriptor-> TimeDateStamp;
pBoundImportDescriptor =(IMAGE_BOUND_IMPORT_DESCRIPTOR *)((PBYTE)(pBoundImportDescriptor + 1)+ pBoundImportDescriptor-> NumberOfModuleForwarderRefs * sizeof(IMAGE_BOUND_FORWARDER_REF)
)){
PSTR pszDllName =(PSTR)((DWORD)pFirstBoundImportDescriptor + pBoundImportDescriptor-> OffsetModuleName);
IMAGE_BOUND_FORWARDER_REF * pRef =(IMAGE_BOUND_FORWARDER_REF *)(pBoundImportDescriptor + 1);
MakeIdent(nOffset + 1);
printf(绑定到%hs,pszDllName);
DumpTimeDateStamp(0,,pBoundImportDescriptor-> TimeDateStamp);
if(pBoundImportDescriptor-> NumberOfModuleForwarderRefs){
UINT i; (i = 0; i< pBoundImportDescriptor-> NumberOfModuleForwarderRefs; i ++){
PSTR pszDllName =(PSTR)((DWORD)pFirstBoundImportDescriptor + pRef-> OffsetModuleName);
MakeIdent(nOffset + 2);
printf(包含绑定到%hs的转发器,pszDllName);
DumpTimeDateStamp(0,,pRef-> TimeDateStamp);
}
}
}
}
}
void DumpExports(UINT nOffset,IMAGE_OPTIONAL_HEADER32 * pOptionalHeader,PBYTE pbyFile,
IMAGE_SECTION_HEADER * pSectionHeader)//该部分的标题,其中包含导出部分
{
UINT i;
UINT iNames;
PDWORD pdwAddressOfFunction;
文件pwOrdinals;
PDWORD pdwNameRVA;
IMAGE_EXPORT_DIRECTORY * pExportDirectory =(IMAGE_EXPORT_DIRECTORY *)((PBYTE)pbyFile + pSectionHeader-> PointerToRawData +
pOptionalHeader-> DataDirectory [IMAGE_DIRECTORY_ENTRY_EXPORT] .VirtualAddress - pSectionHeader-> VirtualAddress);
DWORD dwVAExportStart = pOptionalHeader-> DataDirectory [IMAGE_DIRECTORY_ENTRY_EXPORT] .VirtualAddress;
DWORD dwVAExportEnd = pOptionalHeader-> DataDirectory [IMAGE_DIRECTORY_ENTRY_EXPORT] .VirtualAddress +
pOptionalHeader-> DataDirectory [IMAGE_DIRECTORY_ENTRY_EXPORT] .Size;
DumpDword(nOffset,TEXT(特征),pExportDirectory->特征);
DumpTimeDateStamp(nOffset,TimeDateStamp,pExportDirectory-> TimeDateStamp);
MakeIdent(nOffset);
printf(DllName:%s\\\
,pbyFile + pSectionHeader-> PointerToRawData + pExportDirectory-> Name - pSectionHeader-> VirtualAddress);
DumpDword(nOffset,TEXT(Ordinal Base),pExportDirectory-> Base);
MakeIdent(nOffset);
printf(TEXT(Version:%d。%d\\\
),pExportDirectory-> MajorVersion,pExportDirectory-> MinorVersion);
DumpDword(nOffset,TEXT(导出函数数),pExportDirectory-> NumberOfFunctions);
DumpDword(nOffset,TEXT(按名称导出的函数数),pExportDirectory-> NumberOfNames);
MakeIdent(nOffset + 1);
printf(TEXT(Ordn hint RVA Name\\\
));
pdwAddressOfFunctions =(PDWORD)(pbyFile + pSectionHeader-> PointerToRawData + pExportDirectory-> AddressOfFunction - pSectionHeader-> VirtualAddress);
pwOrdinals =(PWORD)(pbyFile + pSectionHeader-> PointerToRawData + pExportDirectory-> AddressOfNameOrdinals - pSectionHeader-> VirtualAddress);
pdwNameRVA =(PDWORD)(pbyFile + pSectionHeader-> PointerToRawData + pExportDirectory-> AddressOfNames - pSectionHeader-> VirtualAddress); (iNames = 0; iNames< pExportDirectory-> NumberOfNames; iNames ++){
MakeIdent(nOffset + 1);
// AddressOfFunction必须是导出目录的ouf。如果不是这样,它是一个转发条目
if(pdwAddressOfFunctions [pwOrdinals [iNames]]< dwVAExportStart ||
pdwAddressOfFunctions [pwOrdinals [iNames]]> dwVAExportEnd)
// AddressOfFunction在.text部分中是正常的,并导出.edata或.rdata部分的表,所以
// AddressOfFunction必须不在Export Directory
printf(%4u%4u%08X%s\\\
,
pwOrdinals [iNames] + pExportDirectory-> Base,iNames,pdwAddressOfFunctions [pwOrdinals [iNames]],
(pbyFile + pSectionHeader-> PointerToRawData + pdwNameRVA [iNames] - pSectionHeader-> VirtualAddress ));
else
printf(%4u%4u%s(转发到%s)\\\
,
pwOrdinals [iNames] + pExportDirectory-> Base,iNames,
(pbyFile + pSectionHeader-> PointerToRawData + pdwNameRVA [iNames] - pSectionHeader-> VirtualAddress),
(PSTR)(pbyFile + pSectionHeader-> PointerToRawData + pdwAddressOfFunctions [pwOrdinals [iNames]] - pSectionHeader-> VirtualAddress ));
}
//由ordinal
导出的打印函数(i = 0; i< pExportDirectory-> NumberOfFunctions; i ++){
if(pdwAddressOfFunctions [ i]!= 0){
//如果DEF-file中的EXPORTS看起来像
//
// EXPORTS
// Message1 @ 100
// Message2 @ 200
// Message3 @ 300
// Message4 @ 400
// Message5 @ 500
//将在导出部分401(500-100 + 1)中添加条目。 5从那里没有0地址,其余
//空条目与0
//我们将只转储不空条目
UINT iNames;
WORD wOrdinal =(WORD)(i + pExportDirectory-> Base);
//尝试在(iNames = 0; iNames< pExportDirectory-> NumberOfNames; iNames ++){$ p $ $ rd rd of of to to to to to to to $ $ $ $ $ $ $ $ $ $
if(pdwAddressOfFunctions [pwOrdinals [iNames]] == pdwAddressOfFunctions [i])
break;
}
if(iNames> = pExportDirectory-> NumberOfNames){
//如果没有找到,通过名字导出,在这里打印
MakeIdent(nOffset 1);
if(pdwAddressOfFunctions [i]< pSectionHeader-> VirtualAddress ||
pdwAddressOfFunctions [i]> pSectionHeader-> VirtualAddress + pSectionHeader-> Misc.VirtualSize)
printf( %4u%08X [NONAME] \\\
,wOrdinal,pdwAddressOfFunctions [i]);
else
printf(%4u [NONAME](转发到%s)\\\
,
wOrdinal,(PSTR)(pbyFile + pSectionHeader-> PointerToRawData + pdwAddressOfFunctions [i] - pSectionHeader-> VirtualAddress));
}
}
}
}
What is a thunk table in relation to the import address table that's used in EXE files to import functions used in external DLLs?
Is this thunk table just a table containing 'Thunks' to other functions?
Thunks are a part of the Import table (IMAGE_DIRECTORY_ENTRY_IMPORT
) and Delay Import Table (IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT
). They are described http://msdn.microsoft.com/en-us/library/ms809762.aspx.
I'll look at my old source code and will post later a working code which dump both this tables inclusive binding information.
UPDATED:
Here is a code which I fond in one of my old program. It support only 32-bit PE, but can be easy modified to 64-bit. By the way you can see, that it dump also binding information.To test this bind the PE which you want to dump with respect of bind.exe (use for example, bind.exe -u -v Test.dll
).
The code consist from about 1000 lines, so I could not post it here. I receive an error message
Oops! Your edit couldn't be submitted because:
- body is limited to 30000 characters; you entered 55095
So I placed it here: http://www.ok-soft-gmbh.com/ForStackOverflow/PEInfo.c. I hope the code will help you better as a long description.
UPDATED 2: I see that my old answer is not good for searching engine. So I includes the part of the code of PEInfo.c
(the functions DumpImports
and DumpExports
) below:
void MakeIdent (UINT nOffset)
{
for (; nOffset; nOffset--)
printf (" "); // 4 blanks
}
void DumpDword (UINT nOffset, LPCSTR pszPrefix, DWORD dw)
{
MakeIdent(nOffset);
if (dw < 100)
printf ("%s: %d\n", pszPrefix, dw);
else if (dw%(256*256) == 0)
printf ("%s: 0x%X\n", pszPrefix, dw);
else
printf ("%s: %d (0x%X)\n", pszPrefix, dw, dw);
}
void DumpTimeDateStamp (UINT nOffset, LPCSTR pszTimeDateStampPrefix, DWORD dwTimeDateStamp)
{
//struct tm tmTime;//= localtime_s ((time_t *)&dwTimeDateStamp);
//errno_t err = localtime_s (&tmTime, ((time_t *)&dwTimeDateStamp));
struct tm *ptmTime = _localtime32 ((__time32_t *)&dwTimeDateStamp);
SYSTEMTIME stSystemTime;
static CHAR szString[128];
stSystemTime.wYear = (WORD)(1900 + ptmTime->tm_year);
stSystemTime.wMonth = (WORD)(ptmTime->tm_mon + 1);
stSystemTime.wDay = (WORD)ptmTime->tm_mday;
stSystemTime.wDayOfWeek = (WORD)(ptmTime->tm_wday + 1);
stSystemTime.wHour = (WORD)ptmTime->tm_hour;
stSystemTime.wMinute = (WORD)ptmTime->tm_min;
stSystemTime.wSecond = (WORD)ptmTime->tm_sec;
stSystemTime.wMilliseconds = 0;
MakeIdent(nOffset);
printf ("%s: 0x%8X (", pszTimeDateStampPrefix, dwTimeDateStamp);
if (GetDateFormatA (LOCALE_USER_DEFAULT, 0, &stSystemTime, NULL,
szString, sizeof(szString)/sizeof(TCHAR)) != 0) {
printf (szString);
}
if (GetTimeFormatA (LOCALE_USER_DEFAULT, 0, &stSystemTime, NULL,
szString, sizeof(szString)/sizeof(TCHAR)) != 0) {
if (szString[0] != 0)
printf (" ");
printf (szString);
}
printf (")\n");
}
void DumpImports (UINT nOffset, IMAGE_OPTIONAL_HEADER32 *pOptionalHeader, PBYTE pbyFile,
IMAGE_SECTION_HEADER *pSectionHeader, IMAGE_NT_HEADERS32 *pNtHeader) // header of the section, which contains export section
{
IMAGE_IMPORT_DESCRIPTOR *pImportDescriptor = (IMAGE_IMPORT_DESCRIPTOR *)((PBYTE)pbyFile + pSectionHeader->PointerToRawData +
pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress - pSectionHeader->VirtualAddress);
DWORD dwBoundImportVA = pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress;
IMAGE_BOUND_IMPORT_DESCRIPTOR *pFirstBoundImportDescriptor = NULL, *pBoundImportDescriptor;
//DumpDword (nOffset, TEXT("Characteristics"), pImportDescriptor->Characteristics);
if (dwBoundImportVA) {
UINT i;
IMAGE_SECTION_HEADER *pFirstSectionHeader = (IMAGE_SECTION_HEADER *)((PBYTE)pOptionalHeader + //sizeof(IMAGE_OPTIONAL_HEADER32));
pNtHeader->FileHeader.SizeOfOptionalHeader);
for (i=0; i<pNtHeader->FileHeader.NumberOfSections; i++) {
if (pFirstSectionHeader[i].VirtualAddress <= dwBoundImportVA &&
dwBoundImportVA < pFirstSectionHeader[i].VirtualAddress + pFirstSectionHeader[i].Misc.VirtualSize) {
pFirstBoundImportDescriptor = (IMAGE_BOUND_IMPORT_DESCRIPTOR *)((PBYTE)pbyFile + pFirstSectionHeader[i].PointerToRawData +
dwBoundImportVA - pFirstSectionHeader[i].VirtualAddress);
break;
}
}
if (i >= pNtHeader->FileHeader.NumberOfSections)
pFirstBoundImportDescriptor = (IMAGE_BOUND_IMPORT_DESCRIPTOR *)((PBYTE)pbyFile + dwBoundImportVA);
}
for (;pImportDescriptor->Characteristics; pImportDescriptor++) {
IMAGE_THUNK_DATA *pOriginalFirstThunk = (IMAGE_THUNK_DATA *)((PBYTE)pbyFile + pSectionHeader->PointerToRawData +
pImportDescriptor->OriginalFirstThunk - pSectionHeader->VirtualAddress);
IMAGE_THUNK_DATA *pFirstThunk = (IMAGE_THUNK_DATA *)((PBYTE)pbyFile + pSectionHeader->PointerToRawData +
pImportDescriptor->FirstThunk - pSectionHeader->VirtualAddress);
IMAGE_THUNK_DATA *pOriginalThunk, *pThunk;
MakeIdent(nOffset);
printf ("%s ", pbyFile + pSectionHeader->PointerToRawData + pImportDescriptor->Name - pSectionHeader->VirtualAddress);
//DumpDword (nOffset, TEXT("Ordinal Base"), pExportDirectory->Base);
if (pImportDescriptor->TimeDateStamp == 0) {
//MakeIdent(nOffset);
printf ("(DLL is Not bound)\n");
}
else if (pImportDescriptor->TimeDateStamp == -1) {
//if bound, and real date\time stamp
// // in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
//MakeIdent(nOffset);
printf ("(DLL bound with New BIND)\n");
}
else {
//MakeIdent(nOffset);
printf ("(DLL bound with Old BIND) ");
DumpTimeDateStamp (nOffset, "TimeDateStamp", pImportDescriptor->TimeDateStamp);
}
MakeIdent(nOffset+1);
if (pImportDescriptor->TimeDateStamp) // if bound
printf (TEXT(" Ordinal hint BoundAddrs Name\n"));
else
printf (TEXT(" Ordinal hint Name\n"));
for (pOriginalThunk=pOriginalFirstThunk, pThunk=pFirstThunk; pOriginalThunk->u1.AddressOfData; pOriginalThunk++, pThunk++) {
if (IMAGE_SNAP_BY_ORDINAL32(pOriginalThunk->u1.Ordinal)) {
MakeIdent(nOffset+1);
// Ordinal
if (pImportDescriptor->TimeDateStamp)
printf (TEXT("%4u (0x%04X) 0x%08X\n"),
pOriginalThunk->u1.Ordinal & ~IMAGE_ORDINAL_FLAG32,
pOriginalThunk->u1.Ordinal^IMAGE_ORDINAL_FLAG32,
pThunk->u1.AddressOfData);
else
// pThunk->u1.AddressOfData == pOriginalThunk->u1.Ordinal so don't print it
printf (TEXT("%4u (0x%04X)\n"),
pOriginalThunk->u1.Ordinal & ~IMAGE_ORDINAL_FLAG32,
pOriginalThunk->u1.Ordinal^IMAGE_ORDINAL_FLAG32);
}
else {
IMAGE_IMPORT_BY_NAME *pImportByName = (IMAGE_IMPORT_BY_NAME *) (pOriginalThunk->u1.AddressOfData +
(PBYTE)pbyFile + pSectionHeader->PointerToRawData - pSectionHeader->VirtualAddress);
MakeIdent(nOffset+1);
// Hint - Index into the Export Name Pointer Table. A match is attempted first with this value.
// If it fails, a binary search is performed on the DLL’s Export Name Pointer Table.
if (pImportDescriptor->TimeDateStamp) // if bound
printf (TEXT("%18u (0x%04X) 0x%08X %hs\n"), pImportByName->Hint, pImportByName->Hint, pThunk->u1.AddressOfData,
pImportByName->Name);
else
printf (TEXT("%18u (0x%04X) %hs\n"), pImportByName->Hint, pImportByName->Hint, pImportByName->Name);
}
}
}
if (pFirstBoundImportDescriptor) {
MakeIdent(nOffset);
printf ("PE Header contains the following bound import information:\n");
for (pBoundImportDescriptor=pFirstBoundImportDescriptor; pBoundImportDescriptor->TimeDateStamp;
pBoundImportDescriptor = (IMAGE_BOUND_IMPORT_DESCRIPTOR *)((PBYTE)(pBoundImportDescriptor+1) + pBoundImportDescriptor->NumberOfModuleForwarderRefs*sizeof(IMAGE_BOUND_FORWARDER_REF))) {
PSTR pszDllName = (PSTR) ((DWORD)pFirstBoundImportDescriptor + pBoundImportDescriptor->OffsetModuleName);
IMAGE_BOUND_FORWARDER_REF *pRef = (IMAGE_BOUND_FORWARDER_REF *)(pBoundImportDescriptor+1);
MakeIdent(nOffset+1);
printf ("Bound to %hs", pszDllName);
DumpTimeDateStamp (0, "", pBoundImportDescriptor->TimeDateStamp);
if (pBoundImportDescriptor->NumberOfModuleForwarderRefs) {
UINT i;
for (i=0;i<pBoundImportDescriptor->NumberOfModuleForwarderRefs;i++) {
PSTR pszDllName = (PSTR) ((DWORD)pFirstBoundImportDescriptor + pRef->OffsetModuleName);
MakeIdent(nOffset+2);
printf ("Contained forwarders bound to %hs", pszDllName);
DumpTimeDateStamp (0, "", pRef->TimeDateStamp);
}
}
}
}
}
void DumpExports (UINT nOffset, IMAGE_OPTIONAL_HEADER32 *pOptionalHeader, PBYTE pbyFile,
IMAGE_SECTION_HEADER *pSectionHeader) // header of the section, which contains export section
{
UINT i;
UINT iNames;
PDWORD pdwAddressOfFunctions;
PWORD pwOrdinals;
PDWORD pdwNameRVA;
IMAGE_EXPORT_DIRECTORY *pExportDirectory = (IMAGE_EXPORT_DIRECTORY *)((PBYTE)pbyFile + pSectionHeader->PointerToRawData +
pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress - pSectionHeader->VirtualAddress);
DWORD dwVAExportStart = pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
DWORD dwVAExportEnd = pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress +
pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
DumpDword (nOffset, TEXT("Characteristics"), pExportDirectory->Characteristics);
DumpTimeDateStamp (nOffset, "TimeDateStamp", pExportDirectory->TimeDateStamp);
MakeIdent(nOffset);
printf ("DllName: %s\n", pbyFile + pSectionHeader->PointerToRawData + pExportDirectory->Name - pSectionHeader->VirtualAddress);
DumpDword (nOffset, TEXT("Ordinal Base"), pExportDirectory->Base);
MakeIdent(nOffset);
printf (TEXT("Version: %d.%d\n"), pExportDirectory->MajorVersion, pExportDirectory->MinorVersion);
DumpDword (nOffset, TEXT("Number of exported functions"), pExportDirectory->NumberOfFunctions);
DumpDword (nOffset, TEXT("Number of functions exported by name"), pExportDirectory->NumberOfNames);
MakeIdent(nOffset+1);
printf (TEXT("Ordn hint RVA Name\n"));
pdwAddressOfFunctions = (PDWORD)(pbyFile + pSectionHeader->PointerToRawData + pExportDirectory->AddressOfFunctions - pSectionHeader->VirtualAddress);
pwOrdinals = (PWORD)(pbyFile + pSectionHeader->PointerToRawData + pExportDirectory->AddressOfNameOrdinals - pSectionHeader->VirtualAddress);
pdwNameRVA = (PDWORD)(pbyFile + pSectionHeader->PointerToRawData + pExportDirectory->AddressOfNames - pSectionHeader->VirtualAddress);
for (iNames = 0; iNames < pExportDirectory->NumberOfNames; iNames++) {
MakeIdent(nOffset+1);
// AddressOfFunctions MUST be ouf of Export Directory. If it is not so, it is a Forwarding entry
if (pdwAddressOfFunctions[pwOrdinals[iNames]] < dwVAExportStart ||
pdwAddressOfFunctions[pwOrdinals[iNames]] > dwVAExportEnd)
// AddressOfFunctions is normaly in .text section and export table in .edata or .rdata section, so
// AddressOfFunctions must be not in Export Directory
printf("%4u %4u %08X %s\n",
pwOrdinals[iNames] + pExportDirectory->Base, iNames, pdwAddressOfFunctions[pwOrdinals[iNames]],
(pbyFile + pSectionHeader->PointerToRawData + pdwNameRVA[iNames] - pSectionHeader->VirtualAddress));
else
printf("%4u %4u %s (forwarded to %s)\n",
pwOrdinals[iNames] + pExportDirectory->Base, iNames,
(pbyFile + pSectionHeader->PointerToRawData + pdwNameRVA[iNames] - pSectionHeader->VirtualAddress),
(PSTR)(pbyFile + pSectionHeader->PointerToRawData + pdwAddressOfFunctions[pwOrdinals[iNames]] - pSectionHeader->VirtualAddress));
}
// print functions exported by ordinal
for (i = 0; i < pExportDirectory->NumberOfFunctions; i++) {
if (pdwAddressOfFunctions[i] != 0) {
// if EXPORTS in DEF-file look like
//
// EXPORTS
// Message1 @100
// Message2 @200
// Message3 @300
// Message4 @400
// Message5 @500
// it will be added in export section 401 (500-100+1) entries. 5 from there with not 0 address and the rest
// empty entries with 0
// we will dump only not empty entries
UINT iNames;
WORD wOrdinal = (WORD)(i + pExportDirectory->Base);
// try to find (i + pExportDirectory->Base) ordinal in the list of pwOrdinals
for (iNames = 0; iNames<pExportDirectory->NumberOfNames; iNames++) {
if (pdwAddressOfFunctions[pwOrdinals[iNames]] == pdwAddressOfFunctions[i])
break;
}
if (iNames >= pExportDirectory->NumberOfNames) {
// if not found as exported by name, print it here
MakeIdent(nOffset+1);
if (pdwAddressOfFunctions[i] < pSectionHeader->VirtualAddress ||
pdwAddressOfFunctions[i] > pSectionHeader->VirtualAddress + pSectionHeader->Misc.VirtualSize)
printf("%4u %08X [NONAME]\n", wOrdinal, pdwAddressOfFunctions[i]);
else
printf("%4u [NONAME] (forwarded to %s)\n",
wOrdinal, (PSTR)(pbyFile + pSectionHeader->PointerToRawData + pdwAddressOfFunctions[i] - pSectionHeader->VirtualAddress));
}
}
}
}
这篇关于导入地址表中的Thunk表?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!