DLL – 导入地址表中的Thunk表?
发布时间:2020-12-13 20:35:41 所属栏目:Windows 来源:网络整理
导读:什么是与EXE文件中用于导入外部DLL中使用的函数的导入地址表相关的thunk表? 这个thunk表只是一个包含“Thunks”到其他函数的表吗? Thunk是Import表(IMAGE_DIRECTORY_ENTRY_IMPORT)和Delay Import Table(IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT)的一部分.它们
|
什么是与EXE文件中用于导入外部DLL中使用的函数的导入地址表相关的thunk表?
这个thunk表只是一个包含“Thunks”到其他函数的表吗?
Thunk是Import表(IMAGE_DIRECTORY_ENTRY_IMPORT)和Delay Import Table(IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT)的一部分.它们被描述为
http://msdn.microsoft.com/en-us/library/ms809762.aspx.
我将查看我的旧源代码,稍后将发布一个工作代码,该代码将这些表转储包含绑定信息. 更新: 这是我喜欢的一个旧程序中的代码.它仅支持32位PE,但可以轻松修改为64位.顺便说一句,你可以看到,它还转储绑定信息.要测试这个绑定要转储的PE与bind.exe(例如,使用bind.exe -u -v Test.dll). 代码由大约1000行组成,因此我无法在此处发布.我收到一条错误消息 哎呀!无法提交您的修改,因为: 所以我把它放在这里:http://www.ok-soft-gmbh.com/ForStackOverflow/PEInfo.c.我希望代码能够更好地帮助你作为一个长篇描述. 更新2:我看到我的旧答案不适合搜索引擎.所以我在下面包含了PEInfo.c的代码部分(函数DumpImports和DumpExports): void MakeIdent (UINT nOffset)
{
for (; nOffset; nOffset--)
printf (" "); // 4 blanks
}
void DumpDword (UINT nOffset,LPCSTR pszPrefix,DWORD dw)
{
MakeIdent(nOffset);
if (dw < 100)
printf ("%s: %dn",pszPrefix,dw);
else if (dw%(256*256) == 0)
printf ("%s: 0x%Xn",dw);
else
printf ("%s: %d (0x%X)n",dw,dw);
}
void DumpTimeDateStamp (UINT nOffset,LPCSTR pszTimeDateStampPrefix,DWORD dwTimeDateStamp)
{
//struct tm tmTime;//= localtime_s ((time_t *)&dwTimeDateStamp);
//errno_t err = localtime_s (&tmTime,((time_t *)&dwTimeDateStamp));
struct tm *ptmTime = _localtime32 ((__time32_t *)&dwTimeDateStamp);
SYSTEMTIME stSystemTime;
static CHAR szString[128];
stSystemTime.wYear = (WORD)(1900 + ptmTime->tm_year);
stSystemTime.wMonth = (WORD)(ptmTime->tm_mon + 1);
stSystemTime.wDay = (WORD)ptmTime->tm_mday;
stSystemTime.wDayOfWeek = (WORD)(ptmTime->tm_wday + 1);
stSystemTime.wHour = (WORD)ptmTime->tm_hour;
stSystemTime.wMinute = (WORD)ptmTime->tm_min;
stSystemTime.wSecond = (WORD)ptmTime->tm_sec;
stSystemTime.wMilliseconds = 0;
MakeIdent(nOffset);
printf ("%s: 0x%8X (",pszTimeDateStampPrefix,dwTimeDateStamp);
if (GetDateFormatA (LOCALE_USER_DEFAULT,&stSystemTime,NULL,szString,sizeof(szString)/sizeof(TCHAR)) != 0) {
printf (szString);
}
if (GetTimeFormatA (LOCALE_USER_DEFAULT,sizeof(szString)/sizeof(TCHAR)) != 0) {
if (szString[0] != 0)
printf (" ");
printf (szString);
}
printf (")n");
}
void DumpImports (UINT nOffset,IMAGE_OPTIONAL_HEADER32 *pOptionalHeader,PBYTE pbyFile,IMAGE_SECTION_HEADER *pSectionHeader,IMAGE_NT_HEADERS32 *pNtHeader) // header of the section,which contains export section
{
IMAGE_IMPORT_DESCRIPTOR *pImportDescriptor = (IMAGE_IMPORT_DESCRIPTOR *)((PBYTE)pbyFile + pSectionHeader->PointerToRawData +
pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress - pSectionHeader->VirtualAddress);
DWORD dwBoundImportVA = pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress;
IMAGE_BOUND_IMPORT_DESCRIPTOR *pFirstBoundImportDescriptor = NULL,*pBoundImportDescriptor;
//DumpDword (nOffset,TEXT("Characteristics"),pImportDescriptor->Characteristics);
if (dwBoundImportVA) {
UINT i;
IMAGE_SECTION_HEADER *pFirstSectionHeader = (IMAGE_SECTION_HEADER *)((PBYTE)pOptionalHeader + //sizeof(IMAGE_OPTIONAL_HEADER32));
pNtHeader->FileHeader.SizeOfOptionalHeader);
for (i=0; i<pNtHeader->FileHeader.NumberOfSections; i++) {
if (pFirstSectionHeader[i].VirtualAddress <= dwBoundImportVA &&
dwBoundImportVA < pFirstSectionHeader[i].VirtualAddress + pFirstSectionHeader[i].Misc.VirtualSize) {
pFirstBoundImportDescriptor = (IMAGE_BOUND_IMPORT_DESCRIPTOR *)((PBYTE)pbyFile + pFirstSectionHeader[i].PointerToRawData +
dwBoundImportVA - pFirstSectionHeader[i].VirtualAddress);
break;
}
}
if (i >= pNtHeader->FileHeader.NumberOfSections)
pFirstBoundImportDescriptor = (IMAGE_BOUND_IMPORT_DESCRIPTOR *)((PBYTE)pbyFile + dwBoundImportVA);
}
for (;pImportDescriptor->Characteristics; pImportDescriptor++) {
IMAGE_THUNK_DATA *pOriginalFirstThunk = (IMAGE_THUNK_DATA *)((PBYTE)pbyFile + pSectionHeader->PointerToRawData +
pImportDescriptor->OriginalFirstThunk - pSectionHeader->VirtualAddress);
IMAGE_THUNK_DATA *pFirstThunk = (IMAGE_THUNK_DATA *)((PBYTE)pbyFile + pSectionHeader->PointerToRawData +
pImportDescriptor->FirstThunk - pSectionHeader->VirtualAddress);
IMAGE_THUNK_DATA *pOriginalThunk,*pThunk;
MakeIdent(nOffset);
printf ("%s ",pbyFile + pSectionHeader->PointerToRawData + pImportDescriptor->Name - pSectionHeader->VirtualAddress);
//DumpDword (nOffset,TEXT("Ordinal Base"),pExportDirectory->Base);
if (pImportDescriptor->TimeDateStamp == 0) {
//MakeIdent(nOffset);
printf ("(DLL is Not bound)n");
}
else if (pImportDescriptor->TimeDateStamp == -1) {
//if bound,and real datetime stamp
// // in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
//MakeIdent(nOffset);
printf ("(DLL bound with New BIND)n");
}
else {
//MakeIdent(nOffset);
printf ("(DLL bound with Old BIND) ");
DumpTimeDateStamp (nOffset,"TimeDateStamp",pImportDescriptor->TimeDateStamp);
}
MakeIdent(nOffset+1);
if (pImportDescriptor->TimeDateStamp) // if bound
printf (TEXT(" Ordinal hint BoundAddrs Namen"));
else
printf (TEXT(" Ordinal hint Namen"));
for (pOriginalThunk=pOriginalFirstThunk,pThunk=pFirstThunk; pOriginalThunk->u1.AddressOfData; pOriginalThunk++,pThunk++) {
if (IMAGE_SNAP_BY_ORDINAL32(pOriginalThunk->u1.Ordinal)) {
MakeIdent(nOffset+1);
// Ordinal
if (pImportDescriptor->TimeDateStamp)
printf (TEXT("%4u (0x%04X) 0x%08Xn"),pOriginalThunk->u1.Ordinal & ~IMAGE_ORDINAL_FLAG32,pOriginalThunk->u1.Ordinal^IMAGE_ORDINAL_FLAG32,pThunk->u1.AddressOfData);
else
// pThunk->u1.AddressOfData == pOriginalThunk->u1.Ordinal so don't print it
printf (TEXT("%4u (0x%04X)n"),pOriginalThunk->u1.Ordinal^IMAGE_ORDINAL_FLAG32);
}
else {
IMAGE_IMPORT_BY_NAME *pImportByName = (IMAGE_IMPORT_BY_NAME *) (pOriginalThunk->u1.AddressOfData +
(PBYTE)pbyFile + pSectionHeader->PointerToRawData - pSectionHeader->VirtualAddress);
MakeIdent(nOffset+1);
// Hint - Index into the Export Name Pointer Table. A match is attempted first with this value.
// If it fails,a binary search is performed on the DLL’s Export Name Pointer Table.
if (pImportDescriptor->TimeDateStamp) // if bound
printf (TEXT("%18u (0x%04X) 0x%08X %hsn"),pImportByName->Hint,pThunk->u1.AddressOfData,pImportByName->Name);
else
printf (TEXT("%18u (0x%04X) %hsn"),pImportByName->Name);
}
}
}
if (pFirstBoundImportDescriptor) {
MakeIdent(nOffset);
printf ("PE Header contains the following bound import information:n");
for (pBoundImportDescriptor=pFirstBoundImportDescriptor; pBoundImportDescriptor->TimeDateStamp;
pBoundImportDescriptor = (IMAGE_BOUND_IMPORT_DESCRIPTOR *)((PBYTE)(pBoundImportDescriptor+1) + pBoundImportDescriptor->NumberOfModuleForwarderRefs*sizeof(IMAGE_BOUND_FORWARDER_REF))) {
PSTR pszDllName = (PSTR) ((DWORD)pFirstBoundImportDescriptor + pBoundImportDescriptor->OffsetModuleName);
IMAGE_BOUND_FORWARDER_REF *pRef = (IMAGE_BOUND_FORWARDER_REF *)(pBoundImportDescriptor+1);
MakeIdent(nOffset+1);
printf ("Bound to %hs",pszDllName);
DumpTimeDateStamp (0,"",pBoundImportDescriptor->TimeDateStamp);
if (pBoundImportDescriptor->NumberOfModuleForwarderRefs) {
UINT i;
for (i=0;i<pBoundImportDescriptor->NumberOfModuleForwarderRefs;i++) {
PSTR pszDllName = (PSTR) ((DWORD)pFirstBoundImportDescriptor + pRef->OffsetModuleName);
MakeIdent(nOffset+2);
printf ("Contained forwarders bound to %hs",pszDllName);
DumpTimeDateStamp (0,pRef->TimeDateStamp);
}
}
}
}
}
void DumpExports (UINT nOffset,IMAGE_SECTION_HEADER *pSectionHeader) // header of the section,which contains export section
{
UINT i;
UINT iNames;
PDWORD pdwAddressOfFunctions;
PWORD pwOrdinals;
PDWORD pdwNameRVA;
IMAGE_EXPORT_DIRECTORY *pExportDirectory = (IMAGE_EXPORT_DIRECTORY *)((PBYTE)pbyFile + pSectionHeader->PointerToRawData +
pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress - pSectionHeader->VirtualAddress);
DWORD dwVAExportStart = pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
DWORD dwVAExportEnd = pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress +
pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
DumpDword (nOffset,pExportDirectory->Characteristics);
DumpTimeDateStamp (nOffset,pExportDirectory->TimeDateStamp);
MakeIdent(nOffset);
printf ("DllName: %sn",pbyFile + pSectionHeader->PointerToRawData + pExportDirectory->Name - pSectionHeader->VirtualAddress);
DumpDword (nOffset,pExportDirectory->Base);
MakeIdent(nOffset);
printf (TEXT("Version: %d.%dn"),pExportDirectory->MajorVersion,pExportDirectory->MinorVersion);
DumpDword (nOffset,TEXT("Number of exported functions"),pExportDirectory->NumberOfFunctions);
DumpDword (nOffset,TEXT("Number of functions exported by name"),pExportDirectory->NumberOfNames);
MakeIdent(nOffset+1);
printf (TEXT("Ordn hint RVA Namen"));
pdwAddressOfFunctions = (PDWORD)(pbyFile + pSectionHeader->PointerToRawData + pExportDirectory->AddressOfFunctions - pSectionHeader->VirtualAddress);
pwOrdinals = (PWORD)(pbyFile + pSectionHeader->PointerToRawData + pExportDirectory->AddressOfNameOrdinals - pSectionHeader->VirtualAddress);
pdwNameRVA = (PDWORD)(pbyFile + pSectionHeader->PointerToRawData + pExportDirectory->AddressOfNames - pSectionHeader->VirtualAddress);
for (iNames = 0; iNames < pExportDirectory->NumberOfNames; iNames++) {
MakeIdent(nOffset+1);
// AddressOfFunctions MUST be ouf of Export Directory. If it is not so,it is a Forwarding entry
if (pdwAddressOfFunctions[pwOrdinals[iNames]] < dwVAExportStart ||
pdwAddressOfFunctions[pwOrdinals[iNames]] > dwVAExportEnd)
// AddressOfFunctions is normaly in .text section and export table in .edata or .rdata section,so
// AddressOfFunctions must be not in Export Directory
printf("%4u %4u %08X %sn",pwOrdinals[iNames] + pExportDirectory->Base,iNames,pdwAddressOfFunctions[pwOrdinals[iNames]],(pbyFile + pSectionHeader->PointerToRawData + pdwNameRVA[iNames] - pSectionHeader->VirtualAddress));
else
printf("%4u %4u %s (forwarded to %s)n",(pbyFile + pSectionHeader->PointerToRawData + pdwNameRVA[iNames] - pSectionHeader->VirtualAddress),(PSTR)(pbyFile + pSectionHeader->PointerToRawData + pdwAddressOfFunctions[pwOrdinals[iNames]] - pSectionHeader->VirtualAddress));
}
// print functions exported by ordinal
for (i = 0; i < pExportDirectory->NumberOfFunctions; i++) {
if (pdwAddressOfFunctions[i] != 0) {
// if EXPORTS in DEF-file look like
//
// EXPORTS
// Message1 @100
// Message2 @200
// Message3 @300
// Message4 @400
// Message5 @500
// it will be added in export section 401 (500-100+1) entries. 5 from there with not 0 address and the rest
// empty entries with 0
// we will dump only not empty entries
UINT iNames;
WORD wOrdinal = (WORD)(i + pExportDirectory->Base);
// try to find (i + pExportDirectory->Base) ordinal in the list of pwOrdinals
for (iNames = 0; iNames<pExportDirectory->NumberOfNames; iNames++) {
if (pdwAddressOfFunctions[pwOrdinals[iNames]] == pdwAddressOfFunctions[i])
break;
}
if (iNames >= pExportDirectory->NumberOfNames) {
// if not found as exported by name,print it here
MakeIdent(nOffset+1);
if (pdwAddressOfFunctions[i] < pSectionHeader->VirtualAddress ||
pdwAddressOfFunctions[i] > pSectionHeader->VirtualAddress + pSectionHeader->Misc.VirtualSize)
printf("%4u %08X [NONAME]n",wOrdinal,pdwAddressOfFunctions[i]);
else
printf("%4u [NONAME] (forwarded to %s)n",(PSTR)(pbyFile + pSectionHeader->PointerToRawData + pdwAddressOfFunctions[i] - pSectionHeader->VirtualAddress));
}
}
}
}
(编辑:李大同) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |
相关内容
- windows-7 – 为什么我的项目图标在Windows 7中看起来如此可
- windows-7 – 如何查看端口是否打开?
- win10安装mxnet cuda9.0-gpu版
- 为公共用户使用Windows Azure Active Directory
- 获取与Windows Vista上的C#.Net连接的无线网络的SSID
- 窗口 – 如何保护软件免受系统日期更改?
- windows – 是否可以列出我无权访问的所有权限
- windows-phone – 适用于Windows Phone 8.1的独立浏览器工具
- windows下安装memcached,报错:Failed to ignore SIGHUP R
- windows – 解决托管和本机堆栈跟踪 – 要使用哪个API?
推荐文章
站长推荐
- windows-7 – 为什么NTOSKRNL.exe IMAGE_MACHINE
- windows下zendframework项目环境搭建(通过命令行
- 这几天折腾win10访问deepin共享的历程
- 运行exe碰到了DEP数据执行保护
- 为Windows Mobile,Android和iPhone开发C#应用程序
- active-directory – 是否有一种更简单的方法可以
- win7系统关闭445端口
- windows – SysAllocString / SysFreeString COM
- 如何在Windows上将Bitbucket项目导入Github
- windows-server-2008-r2 – Server 2008 R2 WMI问
热点阅读