WINDOWS黑客基础(6):查看文件里面的导入表

int main(void)

{

    HANDLE hFile = CreateFile("D:\\Shipyard.exe",

                               GENERIC_READ,

                               FILE_SHARE_READ,

                               NULL,

                               OPEN_EXISTING,

                               FILE_ATTRIBUTE_NORMAL,

                               NULL);



    HANDLE hFileMapping = CreateFileMapping(hFile,NULL,FILE_READ_ONLY,0,0,NULL);



    LPBYTE lpBaseAddress = (LPBYTE)MapViewOfFile(hFileMapping,FILE_MAP_READ,0,0,0);

    

    PIMAGE_DOS_HEADER pDostHeader = (PIMAGE_DOS_HEADER)lpBaseAddress;



    PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)(lpBaseAddress + pDostHeader->e_lfanew);

    

    DWORD rva_import_table = pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;



    PIMAGE_IMPORT_DESCRIPTOR pImport = 

        (PIMAGE_IMPORT_DESCRIPTOR)ImageRvaToVa(pNtHeader,

                                               lpBaseAddress,

                                               rva_import_table,

                                               NULL);



    IMAGE_THUNK_DATA *data = NULL;



    while ( pImport->Name != NULL)

    {

        LPCTSTR szDllName = (LPCTSTR)ImageRvaToVa(pNtHeader,lpBaseAddress,pImport->Name,NULL);

        

        PIMAGE_THUNK_DATA pThunk = 

            (PIMAGE_THUNK_DATA)ImageRvaToVa(pNtHeader,

                                            lpBaseAddress,

                                            pImport->OriginalFirstThunk,

                                            NULL);



        printf("%s\n",szDllName);



        while (pThunk->u1.Function)

        {

            if (pThunk->u1.AddressOfData & IMAGE_ORDINAL_FLAG32)

            {

                printf("序号:%d\n",pThunk->u1.AddressOfData & 0xffff);

            }

            else

            {

                PIMAGE_IMPORT_BY_NAME pFunName = 

                    (PIMAGE_IMPORT_BY_NAME)ImageRvaToVa(

                    pNtHeader,

                    lpBaseAddress,

                    pThunk->u1.AddressOfData,

                    NULL

                    );



                printf("%s\n",pFunName->Name);

            }

            pThunk++;

        }



        pImport ++;

    }

｝

这节也没什么难的，主要还是PE文件的解析，还要会运用ImageRvatoVa这个函数还取得对应的内存地址，就能解析出来了