导出表_eat_遍历_exe程序

#include <windows.h>#include <stdio.h>//列举导出表的函数，参数就是dll模块的地址BOOLEAN EunmEATTable(PVOID ulModuleBase){//这里大家都知道是变量的声明PIMAGE_DOS_HEADER pDosHeader; //dos头结构体PIMAGE_NT_HEADERS NtDllHeader;//nt结构体IMAGE_OPTIONAL_HEADER opthdr; //可选镜像头部ULONG_PTR* arrayOfFunctionAddresses;ULONG_PTR* arrayOfFunctionNames;WORD* arrayOfFunctionOrdinals;ULONG_PTR functionOrdinal;ULONG_PTR Base, x, functionAddress;IMAGE_EXPORT_DIRECTORY *pExportTable;char *functionName;__try{//得到dos头pDosHeader=(PIMAGE_DOS_HEADER)ulModuleBase;if (pDosHeader->e_magic!=IMAGE_DOS_SIGNATURE){printf("IMAGE_DOS_SIGNATURE failed\r\n");return FALSE;}//得到NT文件头 NT结构体NtDllHeader=(PIMAGE_NT_HEADERS)(ULONG_PTR)((ULONG_PTR)pDosHeader+pDosHeader->e_lfanew);if (NtDllHeader->Signature!=IMAGE_NT_SIGNATURE){printf("IMAGE_NT_SIGNATURE failed\r\n");return FALSE;}//得到可选镜像结构体opthdr = NtDllHeader->OptionalHeader;//得到内存的导出表结构pExportTable =(IMAGE_EXPORT_DIRECTORY*)((ULONG_PTR)ulModuleBase + opthdr.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT]. VirtualAddress); //得到导出表//地址arrayOfFunctionAddresses = (ULONG_PTR*)((ULONG_PTR)ulModuleBase + pExportTable->AddressOfFunctions);  //地址表arrayOfFunctionNames = (ULONG_PTR*)((BYTE*)ulModuleBase + pExportTable->AddressOfNames);         //函数名表arrayOfFunctionOrdinals = (WORD*)( (BYTE*)ulModuleBase + pExportTable->AddressOfNameOrdinals);//得到导出表的起始地址Base = pExportTable->Base;//然后我们开始搜索整个导出表for(x = 0; x < pExportTable->NumberOfFunctions; x++) //在整个导出表里扫描{functionName = (char*)((BYTE*)ulModuleBase + arrayOfFunctionNames[x]);functionOrdinal = arrayOfFunctionOrdinals[x] + Base - 1; functionAddress = (ULONG_PTR)((BYTE*)ulModuleBase + arrayOfFunctionAddresses[functionOrdinal]);printf("%d %s:0x%08X\r\n",x,functionName,functionAddress);}}__except(EXCEPTION_EXECUTE_HANDLER){}return FALSE;}void main(){EunmEATTable(GetModuleHandle("kernel32.dll"));system("pause");return;}