流沙团
绑定导入表的使用
2017-11-19 流沙团


测试代码的效果,



只适用于 Windows 自带的程序



 



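/*
 * Print the bound import directory of a 32-bit PE file.
 *
 * For every IMAGE_BOUND_IMPORT_DESCRIPTOR the module name and the number of
 * forwarder references are printed, followed by the name of each
 * IMAGE_BOUND_FORWARDER_REF that trails the descriptor.
 *
 * lpszFile: path handed to ReadPEFile(), which is expected to return the raw
 *           file contents or NULL on failure.
 *
 * Every offset used below comes from the file itself, so a malformed or
 * hostile file controls where this function reads. ReadPEFile() does not
 * report the file length here, so the checks below can only validate
 * signatures and keep the walk inside the directory's declared Size; they are
 * not a substitute for checking each offset against the real buffer length.
 */
void TestPrintBindImportDirectory(LPSTR lpszFile)
{
    LPVOID pFileBuffer = ReadPEFile(lpszFile);
    if (!pFileBuffer)
    {
        printf("文件读取失败\n");
        return;
    }

    /* NOTE(review): pFileBuffer is never released on any path of this
     * function. Release it with whatever matches ReadPEFile's allocator
     * (not visible here). */

    /* Byte pointer arithmetic instead of (DWORD) casts: casting a pointer to
     * DWORD truncates it in a 64-bit build. */
    PBYTE pBase = (PBYTE)pFileBuffer;

    /* Header information */
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pBase;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE || pDosHeader->e_lfanew < 0)
    {
        printf("Not a valid MZ file\n");
        return;
    }

    PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)(pBase + pDosHeader->e_lfanew);
    if (pNTHeader->Signature != IMAGE_NT_SIGNATURE)
    {
        printf("Not a valid PE file\n");
        return;
    }

    /* The file header follows the 4-byte PE signature. */
    PIMAGE_FILE_HEADER pPEHeader = (PIMAGE_FILE_HEADER)((PBYTE)pNTHeader + 4);
    PIMAGE_OPTIONAL_HEADER32 pOptionHeader =
        (PIMAGE_OPTIONAL_HEADER32)((PBYTE)pPEHeader + IMAGE_SIZEOF_FILE_HEADER);

    /* The 32-bit optional header layout is assumed; in a PE32+ file the data
     * directory sits at a different offset. */
    if (pOptionHeader->Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    {
        printf("Only 32-bit PE files are supported\n");
        return;
    }
    if (pOptionHeader->NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT)
    {
        printf("No bound import directory\n");
        return;
    }

    /*
    #define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory
    #define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers
    */

    /* Locate the bound import directory */
    IMAGE_DATA_DIRECTORY bindDirectory =
        pOptionHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT];
    DWORD BindImportVirtualAddress = bindDirectory.VirtualAddress;

    /* Without this check a file that has no bound imports makes the loop
     * below interpret the DOS header (offset 0) as a descriptor. */
    if (BindImportVirtualAddress == 0 || bindDirectory.Size == 0)
    {
        printf("No bound import directory\n");
        return;
    }

    /* The address is used as a file offset without RVA-to-FOA conversion,
     * which only holds while the directory lies inside the headers. */
    if (BindImportVirtualAddress >= pOptionHeader->SizeOfHeaders)
    {
        printf("Bound import directory is not inside the headers\n");
        return;
    }

    /* OffsetModuleName values are relative to the first descriptor. */
    PBYTE pTable = pBase + BindImportVirtualAddress;
    DWORD offset = 0;

    while (offset + sizeof(IMAGE_BOUND_IMPORT_DESCRIPTOR) <= bindDirectory.Size)
    {
        PIMAGE_BOUND_IMPORT_DESCRIPTOR pBindImport =
            (PIMAGE_BOUND_IMPORT_DESCRIPTOR)(pTable + offset);

        /* A zero timestamp terminates the list. */
        if (pBindImport->TimeDateStamp == 0x0)
        {
            break;
        }

        WORD numberModule = pBindImport->NumberOfModuleForwarderRefs;

        /* NOTE(review): the names are read up to their NUL terminator and are
         * not bounded, because the file length is not available here. */
        PSTR pModuleName = (PSTR)(pTable + pBindImport->OffsetModuleName);
        printf("ModuleName:%s \n", pModuleName);
        printf("--numberModule:%x \n", numberModule);

        /* The forwarder references start right after the descriptor, so
         * entry i is (descriptor + 1)[i]; the descriptor pointer itself must
         * not be moved while they are listed. */
        PIMAGE_BOUND_FORWARDER_REF pBoundRef = (PIMAGE_BOUND_FORWARDER_REF)(pBindImport + 1);
        DWORD refBytes = (DWORD)numberModule * sizeof(IMAGE_BOUND_FORWARDER_REF);
        if (offset + sizeof(IMAGE_BOUND_IMPORT_DESCRIPTOR) + refBytes > bindDirectory.Size)
        {
            printf("Forwarder references exceed the directory size\n");
            return;
        }

        for (WORD i = 0; i < numberModule; i++)
        {
            PSTR pRefName = (PSTR)(pTable + pBoundRef[i].OffsetModuleName);
            printf(" RefName:%s \n", pRefName);
        }

        /* The next descriptor follows this one and all of its references. */
        offset += sizeof(IMAGE_BOUND_IMPORT_DESCRIPTOR) + refBytes;
    }
}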


 
