如何在C语言中读取导入目录表

How to read Import Directory Table in C

本文关键字:导入 读取 语言      更新时间:2023-10-16

我试图在c++中构建一个PE查看器,如果我试图在导入目录表中输出库的名称,它似乎会崩溃。似乎我没有得到程序使用的dll的正确指针。

HANDLE handle = CreateFile("messagebox.exe",GENERIC_READ,0,0,OPEN_EXISTING,
                              FILE_ATTRIBUTE_NORMAL,0);
DWORD size = GetFileSize(handle,NULL);
PVOID virtualpointer = VirtualAlloc(NULL,size,MEM_COMMIT,PAGE_READWRITE);
state = ReadFile(handle,virtualpointer,size,&byteread,NULL);
CloseHandle(handle);
PIMAGE_NT_HEADERS ntheaders = PIMAGE_NT_HEADERS(PCHAR(vpointer) + 
                                     PIMAGE_DOS_HEADER(vpointer)->e_lfanew);
handle = GetCurrentProcess();
DWORD EntryAddr = ntheaders->OptionalHeader.ImageBase + 
                       ntheaders->OptionalHeader.AddressOfEntryPoint;
DWORD importdir = 
       (DWORD) &(ntheaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]);
DWORD va = (DWORD)(ntheaders->OptionalHeader.ImageBase) + 
                     ((PIMAGE_DATA_DIRECTORY)dwValueB)->VirtualAddress;
LPSTR libname[128];
int i =0;
while(((PIMAGE_IMPORT_DESCRIPTOR)dwValueC)->Name)
{
       // get DLL name
       libname[i] = (LPSTR)(nt->OptionalHeader.ImageBase + 
                         ((PIMAGE_IMPORT_DESCRIPTOR)dwValueC)->Name);
       i++;
}

要读取导入目录表中库的名称,您可以执行以下操作:

  1. 获取文件的内存映射基址。
    2. 获取指向IMAGE_NT_HEADERS结构的指针。

  2. 获取指向IMAGE_SECTION_HEADER结构的指针。

  3. DataDirectory是OptionalHeader的最后128字节,而OptionalHeader又是PE头IMAGE_NT_HEADERS的最后一个成员。该结构有2个成员,包含数据结构的位置和大小。
    如果您想查找有关dll名称的信息,您首先从Data Directory中找到Import Directory的RVA(相对虚拟地址),在原始部分数据中找到该地址,现在您有一个IMAGE_IMPORT_DESCRIPTOR数组。

    4. 通过检查Name字段所指向的字符串来获取与映射图像相关的数组成员。

我不会描述可移植可执行文件格式的结构,但您可以查看以下链接:
窥视PE内部
Microsoft Systems Journal

你的代码中的一些变量没有声明,这是令人困惑的,但坚持你的框架代码,我写它,以便它满足你的问题。

DWORD Rva2Offset(DWORD rva,PIMAGE_SECTION_HEADER psh,PIMAGE_NT_HEADERS pnt);
int _tmain(int argc, _TCHAR* argv[])
{
LPCWSTR fNmae=L"C:\Windows\system32\notepad.exe";
HANDLE handle=CreateFile(fNmae/*"messagebox.exe"*/, GENERIC_READ, 0, 0, OPEN_EXISTING,  FILE_ATTRIBUTE_NORMAL, 0);
DWORD byteread,size=GetFileSize(handle, NULL);
PVOID virtualpointer=VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_READWRITE);
ReadFile(handle, virtualpointer, size, &byteread, NULL);
CloseHandle(handle);
// Get pointer to NT header
PIMAGE_NT_HEADERS           ntheaders=(PIMAGE_NT_HEADERS)(PCHAR(virtualpointer) + PIMAGE_DOS_HEADER(virtualpointer)-> e_lfanew);   
PIMAGE_SECTION_HEADER       pSech=IMAGE_FIRST_SECTION(ntheaders);//Pointer to first section header
PIMAGE_IMPORT_DESCRIPTOR    pImportDescriptor; //Pointer to import descriptor 
__try
{
    if(ntheaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size != 0)/*if size of the table is 0 - Import Table does not exist */
    {
        pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD_PTR)virtualpointer +
                            Rva2Offset(ntheaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress,pSech,ntheaders));
        LPSTR libname[256];
        size_t i=0;
        // Walk until you reached an empty IMAGE_IMPORT_DESCRIPTOR
        while(pImportDescriptor->Name != NULL)
        {
            printf("Library Name   :");
            //Get the name of each DLL
            libname[i]=(PCHAR)((DWORD_PTR)virtualpointer + Rva2Offset(pImportDescriptor->Name,pSech,ntheaders));
            printf("%sn", libname[i]);
            pImportDescriptor++; //advance to next IMAGE_IMPORT_DESCRIPTOR
            i++;
        }
    }
    else
    {
        printf("No Import Table!n");
        return 1;
    }
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
    if(EXCEPTION_ACCESS_VIOLATION == GetExceptionCode())
    {
        printf("Exception: EXCEPTION_ACCESS_VIOLATIONn");
        return 1;
    }
}
if(virtualpointer)
    VirtualFree(virtualpointer, size, MEM_DECOMMIT);
return 0;
}
 /*Convert Virtual Address to File Offset */
DWORD Rva2Offset(DWORD rva,PIMAGE_SECTION_HEADER psh,PIMAGE_NT_HEADERS pnt)
{
    size_t i = 0;
    PIMAGE_SECTION_HEADER pSeh;
    if(rva == 0)
    {
            return (rva);
    }
    pSeh = psh;
    for(i = 0; i < pnt->FileHeader.NumberOfSections; i++)
    {
            if(rva >= pSeh->VirtualAddress && rva < pSeh->VirtualAddress +
               pSeh->Misc.VirtualSize)
            {
                    break;
            }
            pSeh++;
    }
    return (rva - pSeh->VirtualAddress + pSeh->PointerToRawData);
}
相关文章: