PE总结9PE文件结构之解析导出表

// 导出表2.cpp : 定义控制台应用程序的入口点。
//#include "stdafx.h"
#include
#include
#include DWORD RVA2OffSet(DWORD dwRVA, PIMAGE_NT_HEADERS32 pNt)
{DWORD dwOffset &＃61; 0;//获取区段头表PIMAGE_SECTION_HEADER pSection &＃61; IMAGE_FIRST_SECTION(pNt);//获取区段的数量DWORD dwSize &＃61; pNt->FileHeader.NumberOfSections;//遍历找到dwRVA所在的区段for (DWORD i &＃61; 0; i &＃61;pSection[i].VirtualAddress &&dwRVA <(pSection[i].Misc.VirtualSize &＃43; pSection[i].VirtualAddress)){dwOffset &＃61; dwRVA - pSection[i].VirtualAddress &＃43; pSection[i].PointerToRawData;return dwOffset;}}return dwOffset;
}void ShowExport(PVOID lpImage, DWORD dwSize)
{//获取Dos头PIMAGE_DOS_HEADER pDos &＃61; (PIMAGE_DOS_HEADER)lpImage;if (IMAGE_DOS_SIGNATURE !&＃61; pDos->e_magic ){return;}//获取nt头PIMAGE_NT_HEADERS32 pNt &＃61; (PIMAGE_NT_HEADERS32)((DWORD)lpImage &＃43; pDos->e_lfanew);if (IMAGE_NT_SIGNATURE !&＃61; pNt->Signature){return;}//获取目录表PIMAGE_DATA_DIRECTORY pData &＃61; pNt->OptionalHeader.DataDirectory;//获取导出表RVApData &＃61; &(pData[IMAGE_DIRECTORY_ENTRY_EXPORT]);//获取导出表在文件中的偏移DWORD dwExtOffset &＃61; RVA2OffSet(pData->VirtualAddress, pNt);PIMAGE_EXPORT_DIRECTORY pExpt &＃61; (PIMAGE_EXPORT_DIRECTORY)((DWORD)lpImage &＃43; dwExtOffset);//获取数量DWORD dwFunCount &＃61; pExpt->NumberOfFunctions;DWORD dwNameCount &＃61; pExpt->NumberOfNames;DWORD dwModName &＃61; pExpt->Name;//获取地址表PDWORD pEAT &＃61; (PDWORD)((DWORD)lpImage &＃43; RVA2OffSet(pExpt->AddressOfFunctions, pNt));//获取名称表PDWORD pENT &＃61; (PDWORD)((DWORD)lpImage &＃43;RVA2OffSet(pExpt->AddressOfNames, pNt));//获取索引表-----这里要使用WORDPWORD pEIT &＃61; (PWORD)((DWORD)lpImage &＃43; RVA2OffSet(pExpt->AddressOfNameOrdinals, pNt));for (DWORD dwOrd &＃61; 0; dwOrd Base &＃43; dwOrd;//获取导出函数地址值DWORD dwFunOffset &＃61; RVA2OffSet(pEAT[dwOrd], pNt);printf("函数序号: %08d RVA:%p 函数偏移:%p ",dwID,pEAT[dwOrd],dwFunOffset);//获取函数名// 根据序号索引到函数名称表中的名字for (DWORD dwIndex &＃61; 0; dwIndex ------------序号表的值 对应着 地址表的下标
if (pEIT[dwIndex] &＃61;&＃61; dwOrd){// 根据序号索引到函数名称表中的名字DWORD dwNameOffset &＃61; RVA2OffSet(pENT[dwIndex], pNt);char* pFunName &＃61; (char*)((DWORD)lpImage &＃43; dwNameOffset);printf("函数名称: %s\n",pFunName);continue;}}printf("\n");}}int _tmain(int argc, _TCHAR* argv[])
{LPCTSTR path &＃61; L"C:\\Users\\Denny\\Desktop\\&＃xff08;手动查找导入导出表&＃xff09;\\&＃xff08;手动查找导入导出表&＃xff09;\\MFCLibrary1Dll.dll";HANDLE hFile &＃61; nullptr;if ( INVALID_HANDLE_VALUE &＃61;&＃61; (hFile &＃61; CreateFile(path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL) )){return 0;}DWORD dwSize &＃61; 0;if ( INVALID_FILE_SIZE &＃61;&＃61; (dwSize &＃61; GetFileSize(hFile, NULL))){CloseHandle(hFile);return 0;}PVOID lpFileImage &＃61; nullptr;if (!(lpFileImage &＃61; VirtualAlloc(NULL, dwSize, MEM_COMMIT, PAGE_READWRITE))){CloseHandle(hFile);return 0;}DWORD dwRet &＃61; 0;//将文件内容读取到内容空间if (! ReadFile(hFile, lpFileImage, dwSize, &dwRet, NULL)){CloseHandle(hFile);VirtualFree(lpFileImage, dwSize, MEM_RELEASE);return 0;}ShowExport(lpFileImage, dwSize);system("pause");return 0;
}