代码中用到了Rva和Foa的转换函数(RvaToFoa),之前的文章应该已经写过,所以这里没有包含,具体见上一篇文章。

导出表

#include<stdio.h>
#include<windows.h>
#include<string.h>
#pragma warning(disable:4996)
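/*
 * Print the fields of the export directory (IMAGE_EXPORT_DIRECTORY) of a PE
 * file held in memory in its on-disk (file) layout.
 *
 * PFileBuffer: start of the file image; NULL is reported and rejected.
 * Returns:     always 0 (the function only prints; callers get no status).
 *
 * Relies on RvaToFoa(), which is defined elsewhere, to turn the export
 * directory RVA into a file offset.
 *
 * NOTE(review): the buffer length is not passed in, so e_lfanew and the
 * offset returned by RvaToFoa() cannot be bounds-checked here. Every header
 * field comes from the file itself; when the file is untrusted (e.g. a sample
 * under analysis) a crafted header makes the reads below run outside the
 * buffer. The caller should validate these offsets against the file size, or
 * a size-aware variant of this function should be added.
 */
WORD ExportTable(PVOID PFileBuffer)
{
    /* Byte pointer for offset arithmetic. Casting the pointer to DWORD, as
     * the earlier version did, truncates the address on 64-bit builds. */
    unsigned char *FileBase = (unsigned char *)PFileBuffer;
    PIMAGE_DOS_HEADER PDos_Header = NULL;
    PIMAGE_NT_HEADERS PNT_Header = NULL;
    PIMAGE_OPTIONAL_HEADER POptional_Header = NULL;
    PIMAGE_DATA_DIRECTORY PData_Directory = NULL;
    PIMAGE_EXPORT_DIRECTORY PExport_Directory = NULL;
    DWORD Foa_Export = 0;

    if (!PFileBuffer)
    {
        printf("读取文件失败\n");
        return 0;
    }

    PDos_Header = (PIMAGE_DOS_HEADER)PFileBuffer;
    if (PDos_Header->e_magic != IMAGE_DOS_SIGNATURE)
    {
        printf("不是有效的MZ文件\n");
        return 0;
    }

    /* e_lfanew is a signed LONG read from the file: a zero or negative value
     * would place the NT headers on top of or before the DOS header. */
    if (PDos_Header->e_lfanew <= 0)
    {
        printf("不是有效的PE文件\n");
        return 0;
    }

    PNT_Header = (PIMAGE_NT_HEADERS)(FileBase + PDos_Header->e_lfanew);
    /* Compare the full 4-byte signature ("PE\0\0"), not only its low word. */
    if (PNT_Header->Signature != IMAGE_NT_SIGNATURE)
    {
        printf("不是有效的PE文件\n");
        return 0;
    }

    POptional_Header = &PNT_Header->OptionalHeader;
    /* PIMAGE_OPTIONAL_HEADER has the layout of the build target (PE32 or
     * PE32+). For a file of the other kind DataDirectory sits at a different
     * offset, so refuse it instead of printing unrelated bytes. */
    if (POptional_Header->Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC)
    {
        printf("可选头格式与编译目标位数不匹配\n");
        return 0;
    }

    /* The file states how many directory entries are present; the export
     * entry (index 0) exists only when that count is at least 1. */
    if (POptional_Header->NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_EXPORT)
    {
        printf("这个程序没有导出表\n");
        return 0;
    }

    PData_Directory = &POptional_Header->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if (!PData_Directory->VirtualAddress)
    {
        printf("这个程序没有导出表\n");
        return 0;
    }
    printf("导出表的Rva%x\n", PData_Directory->VirtualAddress);

    Foa_Export = RvaToFoa(PData_Directory->VirtualAddress, PFileBuffer);
    printf("导出表Foa%x\n", Foa_Export);
    /* File offset 0 is the DOS header, so it can never be a valid export
     * directory. NOTE(review): RvaToFoa's failure value is not visible here;
     * confirm it and reject that value as well. */
    if (Foa_Export == 0)
    {
        printf("导出表Rva转换Foa失败\n");
        return 0;
    }

    PExport_Directory = (PIMAGE_EXPORT_DIRECTORY)(FileBase + Foa_Export);
    printf("Characteristics:%x\n", PExport_Directory->Characteristics);
    printf("TimeDateStamp:%x\n", PExport_Directory->TimeDateStamp);
    printf("MajorVersion:%x\n", PExport_Directory->MajorVersion);
    printf("MinorVersion:%x\n", PExport_Directory->MinorVersion);
    /* Name and the three AddressOf* fields are RVAs, printed as raw values. */
    printf("Name:%x\n", PExport_Directory->Name);
    printf("Base:%x\n", PExport_Directory->Base);
    printf("NumberOfFunctions:%x\n", PExport_Directory->NumberOfFunctions);
    printf("NumberOfNames:%x\n", PExport_Directory->NumberOfNames);
    printf("AddressOfFunctions:%x\n", PExport_Directory->AddressOfFunctions);
    printf("AddressOfNames:%x\n", PExport_Directory->AddressOfNames);
    printf("AddressOfNameOrdinals:%x\n", PExport_Directory->AddressOfNameOrdinals);
    return 0;
}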
最后修改:2020 年 11 月 04 日