绑定导入表的使用

测试代码的效果:

只适用于 Windows 自带的程序

 

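/*
 * Print the bound import directory (IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT) of a
 * 32-bit PE file: each bound module name, its forwarder-reference count, and
 * the name of every forwarder reference that follows the descriptor.
 *
 * lpszFile: path passed to ReadPEFile(), whose return value is used as the
 *           raw file image.
 *
 * The file is untrusted input, so every offset taken from it is checked
 * against the directory's declared Size before it is dereferenced, and names
 * are printed with a bounded precision instead of a bare %s.
 *
 * NOTE(review): ReadPEFile() returns only the buffer, so nothing here can be
 * checked against the real file length; e_lfanew, the directory offset and
 * the directory Size are all taken from the file itself. The DOS/NT
 * signatures and the optional-header magic (PE32 vs PE32+) are not verified
 * either. A caller handling arbitrary files should validate those first.
 *
 * NOTE(review): pFileBuffer is never released in this function. If
 * ReadPEFile() hands ownership of an allocation to the caller, it leaks on
 * every path - confirm and release it with the matching deallocator.
 */
void TestPrintBindImportDirectory(LPSTR lpszFile)
{
	/* Upper bound on printed name length; keeps the %.*s precision a small positive int. */
	enum { MAX_NAME_CHARS = 260 };

	LPVOID pFileBuffer = ReadPEFile(lpszFile);
	if(!pFileBuffer)
	{
		printf("文件读取失败\n");
		return;
	}

	/* Byte pointer arithmetic instead of (DWORD) casts, which truncate pointers on 64-bit builds. */
	unsigned char *pBase = (unsigned char *)pFileBuffer;

	/* Header chain: DOS header -> NT headers -> file header -> optional header. */
	PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pBase;
	PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)(pBase + pDosHeader->e_lfanew);
	/* The file header follows the 4-byte PE signature. */
	PIMAGE_FILE_HEADER pPEHeader = (PIMAGE_FILE_HEADER)((unsigned char *)pNTHeader + 4);
	PIMAGE_OPTIONAL_HEADER32 pOptionHeader = (PIMAGE_OPTIONAL_HEADER32)((unsigned char *)pPEHeader + IMAGE_SIZEOF_FILE_HEADER);
	PIMAGE_DATA_DIRECTORY pDataDirectory = pOptionHeader->DataDirectory;

	/* The data directory array may be shorter than the index we want. */
	if(pOptionHeader->NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT)
	{
		printf("没有绑定导入表\n");
		return;
	}

	IMAGE_DATA_DIRECTORY bindDirectory = pDataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT];

	/*
	 * As in the original code, the directory's VirtualAddress is used
	 * directly as a file offset (no RVA-to-FOA conversion).
	 * NOTE(review): this holds only while the table sits in the headers,
	 * where RVA and file offset coincide - confirm for the files analysed.
	 */
	DWORD dirFoa = bindDirectory.VirtualAddress;
	DWORD dirSize = bindDirectory.Size;

	PIMAGE_BOUND_IMPORT_DESCRIPTOR pBindImport = NULL;
	PIMAGE_BOUND_FORWARDER_REF pBoundRef = NULL;
	/* Descriptor and forwarder-ref records are stepped with the same 8-byte stride the original used. */
	DWORD entrySize = (DWORD)sizeof *pBindImport;

	/*
	 * An absent directory has offset 0; walking it would reinterpret the
	 * DOS header ("MZ...") as a descriptor with a non-zero timestamp.
	 */
	if(dirFoa == 0 || dirSize < entrySize)
	{
		printf("没有绑定导入表\n");
		return;
	}

	unsigned char *pDirectory = pBase + dirFoa;
	DWORD cursor = 0;	/* offset of the current descriptor inside the directory */

	/* Invariant: cursor <= dirSize, so the subtraction cannot wrap. */
	while(dirSize - cursor >= entrySize)
	{
		pBindImport = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)(pDirectory + cursor);
		if(pBindImport->TimeDateStamp == 0x0)
		{
			break;	/* terminating entry */
		}

		WORD nameOffset = pBindImport->OffsetModuleName;
		WORD numberModule = pBindImport->NumberOfModuleForwarderRefs;

		/* The descriptor plus all of its forwarder refs, and its name, must lie inside the directory. */
		if(nameOffset >= dirSize || (dirSize - cursor) / entrySize < (DWORD)numberModule + 1)
		{
			printf("绑定导入表数据无效\n");
			break;
		}

		/* Name offsets are relative to the start of the directory. */
		DWORD nameRoom = dirSize - nameOffset;
		if(nameRoom > MAX_NAME_CHARS)
		{
			nameRoom = MAX_NAME_CHARS;
		}
		printf("ModuleName:%.*s \n", (int)nameRoom, (PSTR)(pDirectory + nameOffset));
		printf("--numberModule:%x \n", numberModule);

		/*
		 * Forwarder refs sit immediately after their descriptor, so ref i
		 * is record (i + 1) counted from the descriptor. The original
		 * started at the descriptor itself and advanced pBindImport
		 * cumulatively, which printed the wrong records.
		 */
		for(DWORD i = 0; i < numberModule; i++)
		{
			pBoundRef = (PIMAGE_BOUND_FORWARDER_REF)(pDirectory + cursor + entrySize * (i + 1));

			WORD refName = pBoundRef->OffsetModuleName;
			if(refName >= dirSize)
			{
				printf("绑定导入表数据无效\n");
				continue;
			}

			DWORD refRoom = dirSize - refName;
			if(refRoom > MAX_NAME_CHARS)
			{
				refRoom = MAX_NAME_CHARS;
			}
			printf("        RefName:%.*s \n", (int)refRoom, (PSTR)(pDirectory + refName));
		}

		/* Skip the descriptor and every forwarder ref that belongs to it. */
		cursor += entrySize * ((DWORD)numberModule + 1);
	}
}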

 

原文链接: 绑定导入表的使用 版权所有,转载时请注明出处,违者必究。
注明出处格式:流沙团 ( https://gyarmy.com/post-315.html )
