没什么难度,不过找测试用的dll太费劲了。一般用绑定导入来提升启动速度的都是很老的程序了,我翻了半天,才翻出一个1998年的老宝贝,里面有带ref的绑定导入表。
不过值得一提的是,ref表的结构里有一个保留位。我觉得那是为了和绑定导入表的描述符大小对齐(两个结构都是8字节)、方便计算而故意留的保留位。所以要解析ref小表,只需把绑定导入表的指针+1即可。
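/**
 * Print the bound import directory of a PE file: for every bound module its
 * TimeDateStamp and name, followed (with one leading space) by the same two
 * fields of each of its forwarder references.
 *
 * @param fileName  Passed unchanged to FileToFileBuffer(), which loads the file.
 *
 * The file buffer is released with free() on every exit path.
 *
 * NOTE(review): e_lfanew, the directory address, OffsetModuleName and
 * NumberOfModuleForwarderRefs are all read from the file and used as offsets
 * or counts. FileToFileBuffer() does not expose the buffer size here, so none
 * of them can be bounds-checked in this function; a malformed file can steer
 * these reads outside the buffer, and "%s" keeps reading until it finds a NUL.
 * Only run this on trusted input until the loader also returns the file size
 * and every offset is validated against it.
 */
VOID PrintBoundImportTable(PVOID fileName) {
    PVOID pFileBuffer = FileToFileBuffer(fileName);
    /* presumably FileToFileBuffer returns NULL on failure - confirm against the helper */
    if (!pFileBuffer) {
        printf("Failed to read file\n");
        return;
    }

    /* Locate the NT headers. Byte-pointer arithmetic is used instead of a
     * (DWORD) cast so the address is not truncated on 64-bit builds. */
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE || pDosHeader->e_lfanew < 0) {
        printf("File is not PE\n");
        free(pFileBuffer);
        return;
    }
    PIMAGE_NT_HEADERS pNTHeader =
        (PIMAGE_NT_HEADERS)((PBYTE)pFileBuffer + pDosHeader->e_lfanew);
    if (pNTHeader->Signature != IMAGE_NT_SIGNATURE) {
        printf("File is not PE\n");
        free(pFileBuffer);
        return; /* the function is VOID, so no value is returned */
    }

    /* The optional header directly follows the file header inside IMAGE_NT_HEADERS. */
    PIMAGE_OPTIONAL_HEADER pOptHeader = &pNTHeader->OptionalHeader;
    DWORD boundDirAddr =
        pOptHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress;
    if (!boundDirAddr) {
        /* Stop here: translating address 0 would not yield a bound import table. */
        printf("no bound import table\n");
        free(pFileBuffer);
        return;
    }

    /* assumes VAToFOA yields a pointer into pFileBuffer (the original assigns
     * its result straight to the descriptor pointer) - confirm against the helper */
    PIMAGE_BOUND_IMPORT_DESCRIPTOR pBoundImport =
        (PIMAGE_BOUND_IMPORT_DESCRIPTOR)VAToFOA(boundDirAddr, pFileBuffer);
    if (!pBoundImport) {
        printf("no bound import table\n");
        free(pFileBuffer);
        return;
    }

    /* Walk the descriptors until one with a zero TimeDateStamp is reached. */
    PIMAGE_BOUND_IMPORT_DESCRIPTOR pDesc = pBoundImport;
    while (pDesc->TimeDateStamp) {
        /* OffsetModuleName is relative to the first descriptor of the table. */
        printf("TimeDateStamp:%x\n", (unsigned int)pDesc->TimeDateStamp);
        printf("ModuleName:%s\n",
               (const char *)((PBYTE)pBoundImport + pDesc->OffsetModuleName));

        /* The forwarder refs sit immediately after their descriptor and have
         * the same size. Read the count once: the original re-read it through
         * an index it was incrementing, so it printed the descriptor again
         * instead of the refs and ended the loop early. */
        WORD refCount = pDesc->NumberOfModuleForwarderRefs;
        PIMAGE_BOUND_FORWARDER_REF pRef = (PIMAGE_BOUND_FORWARDER_REF)(pDesc + 1);
        for (WORD i = 0; i < refCount; i++) {
            printf(" TimeDateStamp:%x\n", (unsigned int)pRef[i].TimeDateStamp);
            printf(" ModuleName:%s\n",
                   (const char *)((PBYTE)pBoundImport + pRef[i].OffsetModuleName));
        }

        /* The next descriptor starts right after this one's forwarder refs. */
        pDesc = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)(pRef + refCount);
    }

    free(pFileBuffer); /* the original leaked the buffer on the success path */
}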