Import table structure

typedef struct _IMAGE_IMPORT_DESCRIPTOR {
    union {
        DWORD Characteristics;
        DWORD OriginalFirstThunk; // RVA of an array of IMAGE_THUNK_DATA structures
    };
    DWORD TimeDateStamp; // Timestamp
    DWORD ForwarderChain;
    DWORD Name; // RVA of the DLL name, a zero-terminated string
    DWORD FirstThunk; // RVA of an array of IMAGE_THUNK_DATA structures
} IMAGE_IMPORT_DESCRIPTOR;
typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED *PIMAGE_IMPORT_DESCRIPTOR;

Before the PE file is loaded:

After the PE file is loaded:

typedef struct _IMAGE_THUNK_DATA32 {
    union {
        PBYTE ForwarderString;
        PDWORD Function;
        DWORD Ordinal; // Ordinal
        PIMAGE_IMPORT_BY_NAME AddressOfData; // Points to IMAGE_IMPORT_BY_NAME
    } u1;
} IMAGE_THUNK_DATA32;
typedef IMAGE_THUNK_DATA32 * PIMAGE_THUNK_DATA32;

typedef struct _IMAGE_IMPORT_BY_NAME {
    WORD Hint; // May be empty (decided by the compiler); if not empty, it is the function's index in the export table
    BYTE Name[1]; // Function name, zero-terminated
} IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME;

Procedure for printing the import table:

1. Locate the import table:

The 2nd entry of the data directory is the import table.

typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress; // RVA of the import table structure
    DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

Convert the RVA to an FOA (file offset):

typedef struct _IMAGE_IMPORT_DESCRIPTOR {
    union {
        DWORD Characteristics;
        DWORD OriginalFirstThunk;
    };
    DWORD TimeDateStamp;
    DWORD ForwarderChain;
    DWORD Name;
    DWORD FirstThunk;
} IMAGE_IMPORT_DESCRIPTOR;
typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED *PIMAGE_IMPORT_DESCRIPTOR;

......

typedef struct _IMAGE_IMPORT_DESCRIPTOR {
    union {
        DWORD Characteristics;
        DWORD OriginalFirstThunk;
    };
    DWORD TimeDateStamp;
    DWORD ForwarderChain;
    DWORD Name;
    DWORD FirstThunk;
} IMAGE_IMPORT_DESCRIPTOR;
typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED *PIMAGE_IMPORT_DESCRIPTOR;

sizeof(IMAGE_IMPORT_DESCRIPTOR) bytes of 0 mark the end of the import table.

2. Print the DLL name

typedef struct _IMAGE_IMPORT_DESCRIPTOR {
    union {
        DWORD Characteristics;
        DWORD OriginalFirstThunk;
    };
    DWORD TimeDateStamp;
    DWORD ForwarderChain;
    DWORD Name; // RVA of a zero-terminated string: the DLL name
    DWORD FirstThunk;
} IMAGE_IMPORT_DESCRIPTOR;
typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED *PIMAGE_IMPORT_DESCRIPTOR;

3. Walk OriginalFirstThunk

4. Walk FirstThunk
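
The walk described in steps 1 to 4, as an added example that is not code from the original page: it bounds-checks every RVA before dereferencing, because all of these fields come from the file and cannot be trusted. Assumptions: a 32-bit PE, the import directory RVA already read from the data directory, and a hypothetical one-section map `Sec` standing in for the section table; the helper names and the sample buffer are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef struct { uint32_t va, raw, size; } Sec;   /* hypothetical one-section map */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
/* RVA -> FOA; NULL unless `need` bytes lie inside both the section and the file. */
static const uint8_t *at(const uint8_t *f, size_t n, const Sec *s, uint32_t rva, uint32_t need) {
    if (rva < s->va || rva - s->va > s->size || need > s->size - (rva - s->va)) return NULL;
    size_t foa = (size_t)s->raw + (rva - s->va);
    return (foa > n || need > n - foa) ? NULL : f + foa;
}
/* Zero-terminated string at an RVA; NULL if the terminator is missing before EOF. */
static const char *cstr(const uint8_t *f, size_t n, const Sec *s, uint32_t rva) {
    const uint8_t *p = at(f, n, s, rva, 1);
    return (p && memchr(p, 0, n - (size_t)(p - f))) ? (const char *)p : NULL;
}
/* Walk descriptors and thunks. Returns the number of imports, -1 if malformed. */
int walk_imports(const uint8_t *f, size_t n, const Sec *s, uint32_t import_rva) {
    int count = 0; static const uint8_t zero[20];
    for (uint32_t d = import_rva;; d += 20) {           /* 20 = sizeof(IMAGE_IMPORT_DESCRIPTOR) */
        const uint8_t *desc = at(f, n, s, d, 20);
        if (!desc) return -1;                           /* ran off the section: no terminator */
        if (!memcmp(desc, zero, 20)) return count;      /* all-zero descriptor ends the table */
        const char *dll = cstr(f, n, s, rd32(desc + 12));
        if (!dll) return -1;
        printf("%s\n", dll);
        /* OriginalFirstThunk, or FirstThunk when a linker left the former zero */
        for (uint32_t t = rd32(desc) ? rd32(desc) : rd32(desc + 16);; t += 4, count++) {
            const uint8_t *tp = at(f, n, s, t, 4);
            if (!tp) return -1;
            uint32_t v = rd32(tp);
            if (!v) break;                              /* zero thunk ends this DLL's list */
            if (v >> 31) { printf("  ordinal %u\n", v & 0xFFFFu); continue; }
            const char *fn = cstr(f, n, s, v + 2);      /* +2 skips the Hint WORD */
            if (!fn) return -1;
            printf("  %s\n", fn);
        }
    }
}
int run_sample(uint32_t name_rva) {   /* constructed sample, not a real PE */
    uint8_t f[0x300] = {0}, *s = f + 0x200;
    Sec sec = {0x2000, 0x200, 0x100};
    wr32(s, 0x2040); wr32(s + 12, name_rva); wr32(s + 16, 0x2050);
    wr32(s + 0x40, 0x2070); wr32(s + 0x44, 0x80000010u); memcpy(s + 0x50, s + 0x40, 8);
    memcpy(s + 0x60, "KERNEL32.dll", 13); memcpy(s + 0x72, "ExitProcess", 12);
    return walk_imports(f, sizeof f, &sec, 0x2000);
}
int main(void) { return run_sample(0x2060) == 2 ? 0 : 1; }
```

Passing a `Name` RVA that falls outside the section (for example `run_sample(0x2100)`) makes the walk return -1 instead of reading past the mapped data.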
