zoukankan      html  css  js  c++  java

  • C语言编程获取PE文件导出表内容

    #include <windows.h>
#include <stdio.h>
#include <tchar.h>

DWORD RvaToOffset(PIMAGE_NT_HEADERS pImageNtHeaders, DWORD dwRva);

int _tmain(int argc, TCHAR *argv[])
{
	PIMAGE_DOS_HEADER pImageDOSHeader;
	PIMAGE_NT_HEADERS pImageNTHeader;
	PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor;
	PIMAGE_IMPORT_BY_NAME pImageImportByName;
	PIMAGE_EXPORT_DIRECTORY pImageExportDirectory;
	DWORD dwCount;
	DWORD dwCount2;
	DWORD *Thunks;
	DWORD dwFileOffset;
	DWORD dwOrdinals;
	DWORD dwFunctions;
	char *szFunctionName;
	DWORD dwNames;
	PDWORD dwName;
	PDWORD dwFunction;
	PWORD dwOrdinal;
	HANDLE hFile;
	HANDLE hMapObject;
	PUCHAR uFileMap;
	
	if(argc<2)
		return -1;
	if(!(hFile=CreateFile(argv[1],GENERIC_READ,0,NULL,OPEN_EXISTING,0,0)))
		return -1;
	if (!(hMapObject = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL)))
		return (-1);
	if (!(uFileMap = MapViewOfFile(hMapObject, FILE_MAP_READ, 0, 0, 0)))
		return (-1);
	pImageDOSHeader=(PIMAGE_DOS_HEADER)uFileMap;
	if(pImageDOSHeader->e_magic != IMAGE_DOS_SIGNATURE)
		return -1;
	pImageNTHeader = (PIMAGE_NT_HEADERS)((PUCHAR)uFileMap + pImageDOSHeader->e_lfanew);
	if(pImageNTHeader->Signature != IMAGE_NT_SIGNATURE)
		return -1;
	if (!(pImageNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress))
	{
		printf("No export function!");
		return 0;
	}
	//导出表文件偏移
	dwFileOffset = RvaToOffset(pImageNTHeader,pImageNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
	pImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PUCHAR)uFileMap+dwFileOffset);
	dwCount = pImageExportDirectory->NumberOfFunctions;
	dwOrdinals = RvaToOffset(pImageNTHeader,pImageExportDirectory->AddressOfNameOrdinals);
	dwFunctions = RvaToOffset(pImageNTHeader,pImageExportDirectory->AddressOfFunctions);
	dwNames = RvaToOffset(pImageNTHeader,pImageExportDirectory->AddressOfNames);
	for (dwCount2=0;dwCount2<dwCount;dwCount2++)
	{
		dwOrdinal=(PWORD)((PUCHAR)uFileMap+dwOrdinals+dwCount2*2); // 地址
		dwFunction=(PDWORD)((PUCHAR)uFileMap+dwFunctions+dwCount2*4); // 地址
		dwName=(PDWORD)((PUCHAR)uFileMap+dwNames+dwCount2*4); //地址
		szFunctionName = ((PUCHAR)uFileMap+RvaToOffset(pImageNTHeader,*dwName));
		
		printf("Ordinal: 0x%04X ",*dwOrdinal);
		if(dwCount2 == *dwOrdinal)
		{
			printf("Name: %s ",szFunctionName);
		}
		printf("Address: 0x%04X
 ",*dwFunction);
		
	}
	UnmapViewOfFile(uFileMap);
	CloseHandle(hMapObject);
	CloseHandle(hFile);
	return 0;
}

DWORD RvaToOffset(PIMAGE_NT_HEADERS pImageNtHeaders, DWORD dwRva)
{
	PIMAGE_SECTION_HEADER pImageSectionHeader;
	DWORD dwCount;
	DWORD dwFileOffset;
	pImageSectionHeader = IMAGE_FIRST_SECTION(pImageNtHeaders);
	dwFileOffset = dwRva;
	for (dwCount=0;dwCount<pImageNtHeaders->FileHeader.NumberOfSections;dwCount++)
	{
		if(dwRva>=pImageSectionHeader[dwCount].VirtualAddress && dwRva<(pImageSectionHeader[dwCount].VirtualAddress+pImageSectionHeader[dwCount].SizeOfRawData))
		{
			dwFileOffset-=pImageSectionHeader[dwCount].VirtualAddress;
			dwFileOffset+=pImageSectionHeader[dwCount].PointerToRawData;
			return dwFileOffset;
		}
	}
	return 0;
}
  • 相关阅读:
    使用灰层覆盖UI时,有事发生
    通过自定义ISAPI Filter来禁止敏感文件的访问
    静态链接库LIB和动态链接库DLL的区别 创建和示例
    深入剖析C++中的string类
    .net c# 序列化和反序列
    ASP.NET 状态服务 及 session丢失问题解决方案总结
    IWAM_账号的用途以及如何同步密码
    COM 组件设计与应用(一)起源及复合文件
    两种古老的WEB编程技术 CGI和ISAPI之间的区别
    Send MSMQ Messages Securely Across the Internet with HTTP and SOAP
  • 原文地址:https://www.cnblogs.com/AlexanderZhao/p/12878954.html
Copyright © 2011-2022 走看看