取PE文件的引入表和导出表

直接上代码(这里列出C++和Delphi的代码),Delphi代码中包含导入及导出文件和函数列表,PE结构可参阅资料,很多很详细,需要注意的是,本例中是映射到内存,不是通过PE装载器装入的,所以对于节的RVA地址需要转换成为文件偏移地址。

 

Delphi代码

 unit Unit1; interface uses Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms, Dialogs, StdCtrls, ComCtrls; type //导入表元素结构 TImageImportDiscriptor = packed record OriginalFirstThunk: DWORD; DataTimpStamp: DWORD; ForwardChain: DWORD; DLLName: DWORD; FirstThunk: DWORD; end; PImageImportDiscriptor = ^TImageImportDiscriptor; //导出表元素结构 PImageExportDirectory = ^TImageExportDirectory; TImageExportDirectory = packed record Characteristics: DWORD; TimeDateStamp: DWORD; MajorVersion: WORD; MinorVersion: WORD; Name: DWORD; Base: DWORD; NumberOfFunctions: DWORD; NumberOfNames: DWORD; AddressOfFunctions: DWORD; AddressOfNames: DWORD; AddressOfNameOrdinals: DWORD; end; //函数名结构 TImportByName = packed record proHint: Word; proName: array [0..1] of char; end; PImportByName = ^TImportByName; TForm1 = class(TForm) OpenDialog1: TOpenDialog; Button1: TButton; TreeView1: TTreeView; Label1: TLabel; procedure Button1Click(Sender: TObject); private { Private declarations } procedure GetList(filename:string); {导入列表} procedure GetImportList(pBaseAddress:Pointer;ntHeader:PImageNtHeaders); {导出列表} procedure GetExportList(pBaseAddress:Pointer;ntHeader:PImageNtHeaders); public { Public declarations } end; var Form1: TForm1; implementation {$R *.dfm} { TForm1 } procedure TForm1.GetList(filename: string); var fileHandle:THandle; fileMap:THandle; pBaseAddress:Pointer; dosHeader: PImageDosHeader; ntHeader: PImageNtHeaders; begin TreeView1.Items.Clear; try //打开文件 fileHandle := CreateFile(PChar(filename),GENERIC_READ,FILE_SHARE_READ,nil,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0); if fileHandle = INVALID_HANDLE_VALUE then begin ShowMessage('文件打开失败!'); Exit; end; //创建内存映射 fileMap := CreateFileMapping(fileHandle,nil,PAGE_READONLY,0,0,nil); if fileMap = 0 then begin ShowMessage('创建内存映射失败!'); Exit; end; //映射到当前进程,pBaseAddress是基址 pBaseAddress := MapViewOfFile(fileMap,FILE_MAP_READ,0,0,0); if pBaseAddress = nil then begin ShowMessage('获取地址失败!'); Exit; end; //获取Dos信息头部结构数据 dosHeader := pImageDosHeader(LongInt(pBaseAddress)); //判断Dos标识 if dosHeader.e_magic <> IMAGE_DOS_SIGNATURE then begin ShowMessage('不可识别的文件格式!'); Exit; end; //获取NT信息头部结构数据,IsBadReadPtr判断指针是否可读,ntHeader.Signature是NT标识 ntHeader := pImageNtHeaders(LongInt(pBaseAddress)+dosHeader._lfanew); if (IsBadReadPtr(ntHeader,SizeOf(TImageNtHeaders))) or (ntHeader.Signature <> IMAGE_NT_SIGNATURE) then begin ShowMessage('不是有效地Win32程序!'); Exit; end; GetImportList(pBaseAddress,ntHeader); GetExportList(pBaseAddress,ntHeader); finally UnmapViewOfFile(pBaseAddress); CloseHandle(fileMap); CloseHandle(fileHandle); end; end; procedure TForm1.Button1Click(Sender: TObject); begin if OpenDialog1.Execute then begin Label1.Caption := '以下是'+OpenDialog1.FileName+'的导入及导出表'; GetList(OpenDialog1.FileName); end; end; procedure TForm1.GetExportList(pBaseAddress: Pointer; ntHeader: PImageNtHeaders); var imageEntry: PImageExportDirectory; sectionHeader: PImageSectionHeader; importbyname: PImportByName; proEntry:PDWORD; proTemp:PWORD; rva,frva: DWORD; dllname: string; i,j:integer; node:TTreeNode; s:string; pname:PChar; begin rva := ntHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; if rva = 0 then Exit; //定位到第一个节的地址 sectionHeader := PImageSectionHeader(LongInt(ntHeader)+SizeOf(TImageNtHeaders)); //ntHeader^.FileHeader.NumberOfSections为节的数量,此处循环,找到引入表的节 for i := 0 to ntHeader^.FileHeader.NumberOfSections - 1 do begin //IMAGE_DIRECTORY_ENTRY_IMPORT,引入表,检查rva是否落在节内 if ( rva >= LongInt(sectionHeader.VirtualAddress)) and (rva<LongInt(sectionHeader.VirtualAddress+sectionHeader.Misc.VirtualSize)) then begin Break; end; //没找到,那么增加SizeOf(TImageSectionHeader)字节数,指向下一个节 Inc(sectionHeader); end; node := TreeView1.Items.Add(nil,'导出函数表'); frva := sectionHeader.VirtualAddress - sectionHeader.PointerToRawData; //导出表入口 imageEntry := PImageExportDirectory(LongInt(pBaseAddress)+rva-frva); proEntry := PDWord(LongInt(pBaseAddress)+imageEntry.AddressOfFunctions-frva); pname := PChar(LongInt(pBaseAddress)+imageEntry.Name-frva); for i := 0 to imageEntry.NumberOfFunctions - 1 do begin if proEntry^ = 0 then Continue; proTemp := PWORD(LongInt(pBaseAddress)+LongInt(imageEntry.AddressOfNameOrdinals)-frva); for j := 0 to imageEntry.NumberOfNames - 1 do begin if proTemp^ = i then begin s := ''; while True do begin if pname^=#0 then Break; Inc(pname); end; while True do begin if (pname-1)^=#0 then begin s:=Format('%s', [pname]); Break; end; Inc(pname); end; end; Inc(proTemp); end; TreeView1.Items.AddChild(node,s); Inc(proEntry); end; end; procedure TForm1.GetImportList(pBaseAddress: Pointer; ntHeader: PImageNtHeaders); var imageEntry: PImageImportDiscriptor; sectionHeader: PImageSectionHeader; importbyname: PImportByName; proEntry:PDWORD; rva,frva: DWORD; dllname: string; i:integer; node:TTreeNode; begin rva := ntHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; if rva = 0 then Exit; //定位到第一个节的地址 sectionHeader := PImageSectionHeader(LongInt(ntHeader)+SizeOf(TImageNtHeaders)); //ntHeader^.FileHeader.NumberOfSections为节的数量,此处循环,找到引入表的节 for i := 0 to ntHeader^.FileHeader.NumberOfSections - 1 do begin //IMAGE_DIRECTORY_ENTRY_IMPORT,引入表,检查rva是否落在节内 if ( rva >= LongInt(sectionHeader.VirtualAddress)) and (rva<LongInt(sectionHeader.VirtualAddress+sectionHeader.Misc.VirtualSize)) then begin Break; end; //没找到,那么增加SizeOf(TImageSectionHeader)字节数,指向下一个节 Inc(sectionHeader); end; frva := sectionHeader.VirtualAddress - sectionHeader.PointerToRawData; TreeView1.Items.Add(nil,'导入函数表'); //引入表入口 imageEntry := PImageImportDiscriptor(LongInt(pBaseAddress)+rva-frva); //加载的DLL的名称,这里是RVA地址,需要转换成文件偏移地址,因为我们不是通过PE加载器加载,而是映射到内存 while imageEntry.DLLName <> 0 do begin dllname := PChar(LongInt(pBaseAddress)+imageEntry.DLLName-frva); node := TreeView1.Items.AddChild(TreeView1.Items[0],dllname); if imageEntry.OriginalFirstThunk <> 0 then proEntry := PDWord(LongInt(pBaseAddress)+imageEntry.OriginalFirstThunk-frva) else proEntry := PDWord(LongInt(pBaseAddress)+imageEntry.FirstThunk-frva); while proEntry^ <> 0 do begin if (proEntry^ and $80000000) <> 0 then TreeView1.Items.AddChild(node,Format('函数编号:%-15d',[proEntry^ and $7FFFFFFF])) else begin importbyname := PImportByName(LongInt(pBaseAddress)+proEntry^-frva); TreeView1.Items.AddChild(node,Format('函数名称:%-15s',[importbyname.proName])); end; Inc(proEntry); end; //继续读取 Inc(imageEntry); end; end; end.

 

C++代码

 #include<string> #include<windows.h> void GetImportDllList(void) { IMAGE_IMPORT_DESCRIPTOR* importEntry = 0; IMAGE_SECTION_HEADER* sectionHeader = 0; char* filename = "c://test.exe"; //打开文件 HANDLE hfile = CreateFileA(filename,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0); if (hfile == INVALID_HANDLE_VALUE) { printf("%s","文件打开失败!"); return; } //创建内存映射 HANDLE hmap = CreateFileMapping(hfile,NULL,PAGE_READONLY,0,0,NULL); if (hmap == 0) { printf("%s","创建内存映射失败!"); return; } //映射到当前进程,pBaseAddress是基址 HANDLE pBaseAddress = MapViewOfFile(hmap,FILE_MAP_READ,0,0,0); if (!pBaseAddress) { printf("%s","获取地址失败!"); return; } //获取Dos信息头部结构数据 IMAGE_DOS_HEADER* dosHeader = (IMAGE_DOS_HEADER*)pBaseAddress; //判断Dos标识 if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) { printf("%s","不可识别的文件格式!"); return; } //获取NT信息头部结构数据,IsBadReadPtr判断指针是否可读,ntHeader->Signature是NT标识 IMAGE_NT_HEADERS* ntHeader = (IMAGE_NT_HEADERS*)((DWORD)pBaseAddress+dosHeader->e_lfanew); if (ntHeader->Signature != IMAGE_NT_SIGNATURE) { printf("%s","不是有效地Win32程序!"); return; } //定位到第一个节的地址 sectionHeader = (IMAGE_SECTION_HEADER*)((DWORD)ntHeader+sizeof(IMAGE_NT_HEADERS)); //ntHeader->FileHeader.NumberOfSections为节的数量,此处循环,找到引入表的节 for (int i=0;i<ntHeader->FileHeader.NumberOfSections;i++) { //IMAGE_DIRECTORY_ENTRY_IMPORT,引入表 if (sectionHeader->VirtualAddress == ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress) { break; } //没找到,那么增加SizeOf(IMAGE_SECTION_HEADER)字节数,指向下一个节 sectionHeader++; } //引入表入口 importEntry = (IMAGE_IMPORT_DESCRIPTOR*)((DWORD)pBaseAddress+sectionHeader->PointerToRawData); printf("下面是%s的引入文件/n",filename); //加载的DLL的名称,这里是RVA地址,需要转换成文件偏移地址,因为我们不是通过PE加载器加载,而是映射到内存 while (importEntry->Name != 0) { DWORD offset = (DWORD)pBaseAddress+importEntry->Name-(sectionHeader->VirtualAddress - sectionHeader->PointerToRawData); char* s = (char*)offset; printf("%s/n",s); //继续读取 importEntry++; } UnmapViewOfFile(pBaseAddress); CloseHandle(hmap); CloseHandle(hfile); } int main() { GetImportDllList(); return 0; } 

 

取PE文件的引入表和导出表_第1张图片

你可能感兴趣的:(image,dos,header,import,Delphi,Descriptor)