typedef struct _IMAGE_DELAYLOAD_DESCRIPTOR { union { DWORD AllAttributes; struct { DWORD RvaBased : 1; // Delay load version 2 DWORD ReservedAttributes : 31; } DUMMYSTRUCTNAME; } Attributes; DWORD DllNameRVA; // RVA to the name of the target library (NULL-terminate ASCII string) DWORD ModuleHandleRVA; // RVA to the HMODULE caching location (PHMODULE) DWORD ImportAddressTableRVA; // RVA to the start of the IAT (PIMAGE_THUNK_DATA) DWORD ImportNameTableRVA; // RVA to the start of the name table (PIMAGE_THUNK_DATA::AddressOfData) DWORD BoundImportAddressTableRVA; // RVA to an optional bound IAT DWORD UnloadInformationTableRVA; // RVA to an optional unload info table DWORD TimeDateStamp; // 0 if not bound, // Otherwise, date/time of the target DLL } IMAGE_DELAYLOAD_DESCRIPTOR, *PIMAGE_DELAYLOAD_DESCRIPTOR;
a00+b0=ab0
name=4020a0 虚拟地址
4020a0-400000基地址-2000延迟地址+延迟物理地址=0aa0 name物理地址
后面就是
data e00+12c=f2c 文件位置 存放dll 句柄
下一个位置计算是 f24
ImportNameTableRVA 的name
绑定的延迟导入表 地址表 rva 就在它后面一个