15. WinDbg: dds, dps, dqs, and PE file parsing

Source: Internet  Publisher: Acoustic guitar recording software  Editor: Programmer Blog Network  Time: 2024/05/18 02:39

The following assumes WinDbg has calc.exe loaded.

d*s

The dds, dps and dqs commands display the contents of memory in a given range: they dump the region and treat every element as a pointer, resolving it to a symbol. dds treats each 4 bytes as one pointer, dqs each 8 bytes, and dps picks whichever width matches the pointer size of the current processor architecture.

For example, to see which function addresses are currently saved on the stack, inspect the memory that ebp points to:

0:000> dds ebp
0007fdfc  0007ff1c
0007fe00  010021b0 calc!WinMain+0x25f
0007fe04  0007fee8
0007fe08  00000000
0007fe0c  00000000
0007fe10  00000000
0007fe14  7c80b741 kernel32!GetModuleHandleA
0007fe18  000a232f
0007fe1c  00000000
Because the member functions of a COM interface or a C++ vtable are laid out in order, this command is a convenient way to find the actual function addresses behind a virtual function table. For example, the following commands find the real function addresses of the virtual functions of the OpaqueDataInfo type:
0:002> x ole32!OpaqueData*
76aa6a41 ole32!OpaqueDataInfo::GetOpaqueData = <no type information>
76aa6b3b ole32!OpaqueDataInfo::UnSerialize = <no type information>
76aa6c16 ole32!OpaqueDataInfo::SerializableQueryInterface = <no type information>
76aa5748 ole32!OpaqueDataInfo::QueryInterface = <no type information>
76aa6393 ole32!OpaqueDataInfo::CopyOpaqueData = <no type information>
76aa5757 ole32!OpaqueDataInfo::AddRef = <no type information>
76a57107 ole32!OpaqueDataInfo::UnSerializeCallBack = <no type information>
76aa5766 ole32!OpaqueDataInfo::Release = <no type information>
769a697c ole32!OpaqueDataInfo::`vftable' = <no type information>
76aa69cb ole32!OpaqueDataInfo::AddOpaqueData = <no type information>
769bfae2 ole32!OpaqueDataInfo::GetOpaqueDataCount = <no type information>
76aa6b24 ole32!OpaqueDataInfo::Serialize = <no type information>
769c9df3 ole32!OpaqueDataInfo::AddRef = <no type information>
769c9ebc ole32!OpaqueDataInfo::Release = <no type information>
76aa6a97 ole32!OpaqueDataInfo::DeleteOpaqueData = <no type information>
76aa6bc9 ole32!OpaqueDataInfo::GetCLSID = <no type information>
76aa57c0 ole32!OpaqueDataInfo::OpaqueDataInfo = <no type information>
769c1cb0 ole32!OpaqueDataInfo::GetAllOpaqueData = <no type information>
76aa54b9 ole32!OpaqueDataInfo::~OpaqueDataInfo = <no type information>
76aa6be9 ole32!OpaqueDataInfo::SetParent = <no type information>
76aa5693 ole32!OpaqueDataInfo::`scalar deleting destructor' = <no type information>
76aa6b78 ole32!OpaqueDataInfo::GetSize = <no type information>
76aa6540 ole32!OpaqueDataInfo::QueryInterface = <no type information>
769a69a0 ole32!OpaqueDataInfo::`vftable' = <no type information>
0:002> dds 769a69a0
769a69a0  76aa6540 ole32!OpaqueDataInfo::QueryInterface
769a69a4  769c9df3 ole32!InstanceInfo::AddRef
769a69a8  769c9ebc ole32!InstantiationInfo::Release
769a69ac  76aa69cb ole32!OpaqueDataInfo::AddOpaqueData
769a69b0  76aa6a41 ole32!OpaqueDataInfo::GetOpaqueData
769a69b4  76aa6a97 ole32!OpaqueDataInfo::DeleteOpaqueData
769a69b8  769bfae2 ole32!ServerLocationInfo::GetRemoteServerName
769a69bc  769c1cb0 ole32!CComProcessInfo::GetProcessName
769a69c0  76a57107 ole32!InstanceInfo::UnSerializeCallBack
769a69c4  00000021
769a69c8  76a2d73d ole32!CClassMoniker::QueryInterface
769a69cc  76a339fb ole32!CErrorObject::AddRef
769a69d0  76a0679a ole32!CClassMoniker::Release
769a69d4  76a06a39 ole32!CClassMoniker::GetUnmarshalClass
769a69d8  76a06a56 ole32!CClassMoniker::GetMarshalSizeMax
769a69dc  76a06a99 ole32!CClassMoniker::MarshalInterface
769a69e0  76a2d2b9 ole32!CClassMoniker::UnmarshalInterface
769a69e4  76a07099 ole32!CClassMoniker::ReleaseMarshalData
769a69e8  769e288e ole32!CDdeObject::COleItemContainerImpl::IsRunning
769a69ec  76a2d72e ole32!CClassMoniker::QueryInterface
769a69f0  76a339dd ole32!CErrorObject::AddRef
769a69f4  76a06ab8 ole32!CClassMoniker::Release
769a69f8  76a069d1 ole32!CClassMoniker::GetComparisonData
769a69fc  90909090
769a6a00  76a066c9 ole32!CClassMoniker::QueryInterface
769a6a04  76a05efd ole32!CSCMergedEnum<IEnumCATEGORYINFO,tagCATEGORYINFO>::AddRef
769a6a08  76a067a6 ole32!CClassMoniker::Release
769a6a0c  76a068f3 ole32!CClassMoniker::GetClassID
769a6a10  769acee9 ole32!CDdeServerCallMgr::AddRef
769a6a14  76a2d7f2 ole32!CClassMoniker::Load
769a6a18  76a06931 ole32!CClassMoniker::Save
769a6a1c  76a07055 ole32!CClassMoniker::GetSizeMax
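As an added example (not from the original post), the following Python script imitates what dds/dqs/dps do: it slices a buffer into pointer-sized cells and resolves each value against a symbol table, printing name+offset the way WinDbg prints calc!WinMain+0x25f above. The symbol addresses and the stack bytes are constructed to match the dds ebp output; the function names (resolve, dump_symbols, dps, render) are my own, and pointing dump_symbols at the bytes of a vtable gives the slot-to-function listing the ole32 example shows.

```python
import struct

# Constructed symbol table standing in for what WinDbg resolves from PDBs (addresses are sample values).
# calc!WinMain is placed so that the page's 010021b0 resolves to calc!WinMain+0x25f.
SYMBOLS = {
    0x01001f51: "calc!WinMain",
    0x7c80b741: "kernel32!GetModuleHandleA",
}

# Constructed stack contents: the nine DWORDs the "dds ebp" output shows starting at 0007fdfc.
STACK_BASE = 0x0007fdfc
STACK = struct.pack("<9I", 0x0007ff1c, 0x010021b0, 0x0007fee8, 0, 0, 0, 0x7c80b741, 0x000a232f, 0)


def resolve(value, symbols, max_offset=0x10000):
    """Nearest symbol at or below value, rendered WinDbg-style as name or name+0xoff; None if too far."""
    below = [addr for addr in symbols if addr <= value]
    if not below:
        return None
    addr = max(below)
    offset = value - addr
    if offset >= max_offset:
        return None
    return symbols[addr] if offset == 0 else "%s+0x%x" % (symbols[addr], offset)


def dump_symbols(memory, base, width, symbols):
    """dds (width=4) / dqs (width=8): split memory into pointer-sized cells and resolve each as a symbol.
    Returns (address, value, symbol-or-None) per row; trailing bytes that do not fill a cell are dropped."""
    fmt = {4: "<I", 8: "<Q"}[width]
    rows = []
    for off in range(0, len(memory) - len(memory) % width, width):
        (value,) = struct.unpack_from(fmt, memory, off)
        rows.append((base + off, value, resolve(value, symbols)))
    return rows


def dps(memory, base, symbols, pointer_size=struct.calcsize("P")):
    """dps: like dds/dqs, but the cell width follows the pointer size (here the host's)."""
    return dump_symbols(memory, base, pointer_size, symbols)


def render(rows, width=4):
    """Format rows the way the debugger prints them: address, value, optional symbol."""
    digits = width * 2
    return ["%08x  %0*x%s" % (addr, digits, val, "" if sym is None else " " + sym)
            for addr, val, sym in rows]


if __name__ == "__main__":
    print("\n".join(render(dump_symbols(STACK, STACK_BASE, 4, SYMBOLS))))
```

Running the dump with width 8 over the same bytes shows why the width matters: two adjacent DWORDs fuse into one 64-bit value that resolves to nothing, which is exactly what happens when dqs is used on a 32-bit stack.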

 

PE file parsing

start    end        module name
01230000 0124b000   test1    C (private pdb symbols)

1. DOS header:
0:001> dt IMAGE_DOS_HEADER 01230000
test1!IMAGE_DOS_HEADER
   +0x000 e_magic          : 0x5a4d
   +0x002 e_cblp           : 0x90
   +0x004 e_cp             : 3
   +0x006 e_crlc           : 0
   +0x008 e_cparhdr        : 4
   +0x00a e_minalloc       : 0
   +0x00c e_maxalloc       : 0xffff
   +0x00e e_ss             : 0
   +0x010 e_sp             : 0xb8
   +0x012 e_csum           : 0
   +0x014 e_ip             : 0
   +0x016 e_cs             : 0
   +0x018 e_lfarlc         : 0x40
   +0x01a e_ovno           : 0
   +0x01c e_res            : [4] 0
   +0x024 e_oemid          : 0
   +0x026 e_oeminfo        : 0
   +0x028 e_res2           : [10] 0
   +0x03c e_lfanew         : 224
Confirm that this is a PE file:
0:001> da 01230000 +0
01230000  "MZ."
2. NT headers
e_lfanew gives the relative offset (RVA) of the real PE header.
0:001> da 01230000 +0n224
012300e0  "PE"
0:001> dt IMAGE_NT_HEADERS 01230000 +0n224
test1!IMAGE_NT_HEADERS
   +0x000 Signature        : 0x4550
   +0x004 FileHeader       : _IMAGE_FILE_HEADER
   +0x018 OptionalHeader   : _IMAGE_OPTIONAL_HEADER
3. File header
0:001> dt IMAGE_FILE_HEADER 01230000 +0n224+0x4
test1!IMAGE_FILE_HEADER
   +0x000 Machine          : 0x14c
   +0x002 NumberOfSections : 7
   +0x004 TimeDateStamp    : 0x55cae429
   +0x008 PointerToSymbolTable : 0
   +0x00c NumberOfSymbols  : 0
   +0x010 SizeOfOptionalHeader : 0xe0
   +0x012 Characteristics  : 0x102
From Characteristics : 0x102 we can tell that this image is:
#define IMAGE_FILE_EXECUTABLE_IMAGE          0x0002  // file is executable
#define IMAGE_FILE_32BIT_MACHINE             0x0100  // 32-bit machine
4. Optional (extended) header
0:001> dt _IMAGE_OPTIONAL_HEADER 01230000 +0n224+0x18
test1!_IMAGE_OPTIONAL_HEADER
   +0x000 Magic            : 0x10b
   +0x002 MajorLinkerVersion : 0x9 ''
   +0x003 MinorLinkerVersion : 0 ''
   +0x004 SizeOfCode       : 0x3600
   +0x008 SizeOfInitializedData : 0x4200
   +0x00c SizeOfUninitializedData : 0
   +0x010 AddressOfEntryPoint : 0x1107d
   +0x014 BaseOfCode       : 0x1000
   +0x018 BaseOfData       : 0x1000
   +0x01c ImageBase        : 0x1230000
   +0x020 SectionAlignment : 0x1000
   +0x024 FileAlignment    : 0x200
   +0x028 MajorOperatingSystemVersion : 5
   +0x02a MinorOperatingSystemVersion : 0
   +0x02c MajorImageVersion : 0
   +0x02e MinorImageVersion : 0
   +0x030 MajorSubsystemVersion : 5
   +0x032 MinorSubsystemVersion : 0
   +0x034 Win32VersionValue : 0
   +0x038 SizeOfImage      : 0x1b000
   +0x03c SizeOfHeaders    : 0x400
   +0x040 CheckSum         : 0
   +0x044 Subsystem        : 3
   +0x046 DllCharacteristics : 0x8140
   +0x048 SizeOfStackReserve : 0x100000
   +0x04c SizeOfStackCommit : 0x1000
   +0x050 SizeOfHeapReserve : 0x100000
   +0x054 SizeOfHeapCommit : 0x1000
   +0x058 LoaderFlags      : 0
   +0x05c NumberOfRvaAndSizes : 0x10
   +0x060 DataDirectory    : [16] _IMAGE_DATA_DIRECTORY

5. Section table
The section table immediately follows IMAGE_NT_HEADERS:
0:001> ?? sizeof(IMAGE_NT_HEADERS)
unsigned int 0xf8
0:001> ? 01230000 +0n224 + 0xf8
Evaluate expression: 19071448 = 012301d8
This is the start address of the section table.
Note: to look up a structure type use dt, not x.
0:001> dt *!*IMAGE_SECTION*
          test1!IMAGE_SECTION_HEADER
          test1!PIMAGE_SECTION_HEADER
          test1!_IMAGE_SECTION_HEADER
          test1!_IMAGE_SECTION_HEADER
          test1!_IMAGE_SECTION_HEADER::<unnamed-type-Misc>
          MSVCR90D!IMAGE_SECTION_HEADER
          MSVCR90D!PIMAGE_SECTION_HEADER
          MSVCR90D!_IMAGE_SECTION_HEADER

0:001> dt IMAGE_SECTION_HEADER 012301d8
test1!IMAGE_SECTION_HEADER
   +0x000 Name             : [8]  ".textbss"
   +0x008 Misc             : _IMAGE_SECTION_HEADER::<unnamed-type-Misc>
   +0x00c VirtualAddress   : 0x1000
   +0x010 SizeOfRawData    : 0
   +0x014 PointerToRawData : 0
   +0x018 PointerToRelocations : 0
   +0x01c PointerToLinenumbers : 0
   +0x020 NumberOfRelocations : 0
   +0x022 NumberOfLinenumbers : 0
   +0x024 Characteristics  : 0xe00000a0
0:001> ?? sizeof(IMAGE_SECTION_HEADER)
unsigned int 0x28
0:001> dt IMAGE_SECTION_HEADER 012301d8+0x28
test1!IMAGE_SECTION_HEADER
   +0x000 Name             : [8]  ".text"
   +0x008 Misc             : _IMAGE_SECTION_HEADER::<unnamed-type-Misc>
   +0x00c VirtualAddress   : 0x11000
   +0x010 SizeOfRawData    : 0x3600
   +0x014 PointerToRawData : 0x400
   +0x018 PointerToRelocations : 0
   +0x01c PointerToLinenumbers : 0
   +0x020 NumberOfRelocations : 0
   +0x022 NumberOfLinenumbers : 0
   +0x024 Characteristics  : 0x60000020
0:001> dt IMAGE_SECTION_HEADER 012301d8+0x28*2
test1!IMAGE_SECTION_HEADER
   +0x000 Name             : [8]  ".rdata"
   +0x008 Misc             : _IMAGE_SECTION_HEADER::<unnamed-type-Misc>
   +0x00c VirtualAddress   : 0x15000
   +0x010 SizeOfRawData    : 0x1e00
   +0x014 PointerToRawData : 0x3a00
   +0x018 PointerToRelocations : 0
   +0x01c PointerToLinenumbers : 0
   +0x020 NumberOfRelocations : 0
   +0x022 NumberOfLinenumbers : 0
   +0x024 Characteristics  : 0x40000040
0:001> dt IMAGE_SECTION_HEADER 012301d8+0x28*3
test1!IMAGE_SECTION_HEADER
   +0x000 Name             : [8]  ".data"
   +0x008 Misc             : _IMAGE_SECTION_HEADER::<unnamed-type-Misc>
   +0x00c VirtualAddress   : 0x17000
   +0x010 SizeOfRawData    : 0x200
   +0x014 PointerToRawData : 0x5800
   +0x018 PointerToRelocations : 0
   +0x01c PointerToLinenumbers : 0
   +0x020 NumberOfRelocations : 0
   +0x022 NumberOfLinenumbers : 0
   +0x024 Characteristics  : 0xc0000040
0:001> dt IMAGE_SECTION_HEADER 012301d8+0x28*4
test1!IMAGE_SECTION_HEADER
   +0x000 Name             : [8]  ".idata"
   +0x008 Misc             : _IMAGE_SECTION_HEADER::<unnamed-type-Misc>
   +0x00c VirtualAddress   : 0x18000
   +0x010 SizeOfRawData    : 0xa00
   +0x014 PointerToRawData : 0x5a00
   +0x018 PointerToRelocations : 0
   +0x01c PointerToLinenumbers : 0
   +0x020 NumberOfRelocations : 0
   +0x022 NumberOfLinenumbers : 0
   +0x024 Characteristics  : 0xc0000040
0:001> dt IMAGE_SECTION_HEADER 012301d8+0x28*5
test1!IMAGE_SECTION_HEADER
   +0x000 Name             : [8]  ".rsrc"
   +0x008 Misc             : _IMAGE_SECTION_HEADER::<unnamed-type-Misc>
   +0x00c VirtualAddress   : 0x19000
   +0x010 SizeOfRawData    : 0xe00
   +0x014 PointerToRawData : 0x6400
   +0x018 PointerToRelocations : 0
   +0x01c PointerToLinenumbers : 0
   +0x020 NumberOfRelocations : 0
   +0x022 NumberOfLinenumbers : 0
   +0x024 Characteristics  : 0x40000040
0:001> dt IMAGE_SECTION_HEADER 012301d8+0x28*6
test1!IMAGE_SECTION_HEADER
   +0x000 Name             : [8]  ".reloc"
   +0x008 Misc             : _IMAGE_SECTION_HEADER::<unnamed-type-Misc>
   +0x00c VirtualAddress   : 0x1a000
   +0x010 SizeOfRawData    : 0x600
   +0x014 PointerToRawData : 0x7200
   +0x018 PointerToRelocations : 0
   +0x01c PointerToLinenumbers : 0
   +0x020 NumberOfRelocations : 0
   +0x022 NumberOfLinenumbers : 0
   +0x024 Characteristics  : 0x42000040
0:001> dt IMAGE_SECTION_HEADER 012301d8+0x28*7
test1!IMAGE_SECTION_HEADER
   +0x000 Name             : [8]  ""
   +0x008 Misc             : _IMAGE_SECTION_HEADER::<unnamed-type-Misc>
   +0x00c VirtualAddress   : 0
   +0x010 SizeOfRawData    : 0
   +0x014 PointerToRawData : 0
   +0x018 PointerToRelocations : 0
   +0x01c PointerToLinenumbers : 0
   +0x020 NumberOfRelocations : 0
   +0x022 NumberOfLinenumbers : 0
   +0x024 Characteristics  : 0

6. Import table:
The import table entry is _IMAGE_DATA_DIRECTORY[1], so get its address:
0:001> dt _IMAGE_OPTIONAL_HEADER 01230000 +0n224+0x18
test1!_IMAGE_OPTIONAL_HEADER
   +0x058 LoaderFlags      : 0
   +0x05c NumberOfRvaAndSizes : 0x10
   +0x060 DataDirectory    : [16] _IMAGE_DATA_DIRECTORY
0:001> ?? sizeof(_IMAGE_DATA_DIRECTORY)
unsigned int 8
0:001> dt _IMAGE_DATA_DIRECTORY 01230000 +0n224+0x18+0x68
test1!_IMAGE_DATA_DIRECTORY
   +0x000 VirtualAddress   : 0x18000
   +0x004 Size             : 0x3c
It turns out that dt cannot resolve IMAGE_IMPORT_DESCRIPTOR (no type information for it), so here is its definition:
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
    union {
        DWORD   Characteristics;            // 0 for terminating null import descriptor
        DWORD   OriginalFirstThunk;         // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
    };
    DWORD   TimeDateStamp;                  // 0 if not bound,
                                            // -1 if bound, and real date\time stamp
                                            //     in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
                                            // O.W. date/time stamp of DLL bound to (Old BIND)
    DWORD   ForwarderChain;                 // -1 if no forwarders
    DWORD   Name;
    DWORD   FirstThunk;                     // RVA to IAT (if bound this IAT has actual addresses)
} IMAGE_IMPORT_DESCRIPTOR;
Its size is clearly 20 bytes, so let's carve it out with dd:
0:001> dd 01230000 +0x18000 L5
01248000  0001803c 00000000 00000000 00018324
01248010  000181a8
0:001> da 00018324+01230000
01248324  "KERNEL32.dll"
0:001> dd 01230000 +0x18000+0n20 L5
01248014  000180e8 00000000 00000000 00018346
01248024  00018254
0:001> da 00018346+01230000
01248346  "MSVCR90D.dll"
0:001> dd 01230000 +0x18000+0n20*2 L5
01248028  00000000 00000000 00000000 00000000
01248038  00000000
A Name of 0 means there are no more import descriptors.
7. Finding the imported functions
This PE image is already running (loaded), so we use FirstThunk, whose entries now hold the actual function addresses:
0:001> dds 0x181a8+0x1230000
012481a8  76b63485 kernel32!CreateThread
012481ac  76b617e9 kernel32!GetCurrentProcess
012481b0  76b7d7d2 kernel32!TerminateProcess
012481b4  76b63478 kernel32!FreeLibrary
012481b8  76b64412 kernel32!VirtualQuery
012481bc  76b64908 kernel32!GetModuleFileNameW
012481c0  76b614c9 kernel32!GetProcessHeap
012481c4  77dfe046 ntdll!RtlAllocateHeap
012481c8  76b614a9 kernel32!HeapFree
012481cc  76b634b9 kernel32!GetSystemTimeAsFileTime
012481d0  76b611f8 kernel32!GetCurrentProcessId
012481d4  76b61430 kernel32!GetCurrentThreadId
012481d8  76b6110c kernel32!GetTickCount
012481dc  76b61705 kernel32!QueryPerformanceCounter
012481e0  76b68781 kernel32!SetUnhandledExceptionFilter
012481e4  76b6498f kernel32!LoadLibraryA
012481e8  76b61222 kernel32!GetProcAddress
012481ec  76b65a03 kernel32!lstrlen
012481f0  76b6190e kernel32!MultiByteToWideChar
012481f4  76b616ed kernel32!WideCharToMultiByte
012481f8  76be4755 kernel32!DebugBreak
012481fc  76b6585e kernel32!RaiseException
01248200  76b64a15 kernel32!IsDebuggerPresent
01248204  76b61464 kernel32!InterlockedCompareExchange
01248208  76b610ff kernel32!Sleep
0124820c  76b61442 kernel32!InterlockedExchange
01248210  76b876f7 kernel32!UnhandledExceptionFilter
01248214  00000000
0:001> dds 00018254+0x1230000
01248254  6a4df8d0 MSVCR90D!__dllonexit [f:\dd\vctools\crt_bld\self_x86\crt\src\onexit.c @ 267]
01248258  6a44d430 MSVCR90D!_lock [f:\dd\vctools\crt_bld\self_x86\crt\src\mlock.c @ 333]
0124825c  6a44d480 MSVCR90D!_unlock [f:\dd\vctools\crt_bld\self_x86\crt\src\mlock.c @ 371]
01248260  6a44e170 MSVCR90D!_decode_pointer [f:\dd\vctools\crt_bld\self_x86\crt\src\tidtable.c @ 161]
01248264  6a4eca80 MSVCR90D!_except_handler4_common
01248268  6a4ec880 MSVCR90D!_crt_debugger_hook [f:\dd\vctools\crt_bld\self_x86\crt\src\dbghook.c @ 62]
0124826c  6a4df460 MSVCR90D!_invoke_watson [f:\dd\vctools\crt_bld\self_x86\crt\src\invarg.c @ 137]
01248270  6a4fbc20 MSVCR90D!_controlfp_s
01248274  6a4c0280 MSVCR90D!terminate [f:\dd\vctools\crt_bld\self_x86\crt\prebuild\eh\hooks.cpp @ 95]
01248278  6a44c040 MSVCR90D!_initterm_e [f:\dd\vctools\crt_bld\self_x86\crt\src\crt0dat.c @ 938]
0124827c  6a44c010 MSVCR90D!_initterm [f:\dd\vctools\crt_bld\self_x86\crt\src\crt0dat.c @ 889]
01248280  6a4de7b0 MSVCR90D!_CrtDbgReportW [f:\dd\vctools\crt_bld\self_x86\crt\src\dbgrpt.c @ 252]
01248284  6a4e3010 MSVCR90D!_CrtSetCheckCount [f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c @ 3241]
01248288  6a525768 MSVCR90D!__winitenv
0124828c  6a44b9d0 MSVCR90D!exit [f:\dd\vctools\crt_bld\self_x86\crt\src\crt0dat.c @ 411]
01248290  6a44ba10 MSVCR90D!_cexit [f:\dd\vctools\crt_bld\self_x86\crt\src\crt0dat.c @ 426]
01248294  6a4e32e0 MSVCR90D!_XcptFilter [f:\dd\vctools\crt_bld\self_x86\crt\src\winxfltr.c @ 206]
01248298  6a44b9f0 MSVCR90D!_exit [f:\dd\vctools\crt_bld\self_x86\crt\src\crt0dat.c @ 419]
0124829c  6a44c600 MSVCR90D!__wgetmainargs [f:\dd\vctools\crt_bld\self_x86\crt\src\crtlib.c @ 98]
012482a0  6a44ba50 MSVCR90D!_amsg_exit [f:\dd\vctools\crt_bld\self_x86\crt\src\crt0dat.c @ 460]
012482a4  6a44ad60 MSVCR90D!__set_app_type [f:\dd\vctools\crt_bld\self_x86\crt\src\errmode.c @ 87]
012482a8  6a44e070 MSVCR90D!_encode_pointer [f:\dd\vctools\crt_bld\self_x86\crt\src\tidtable.c @ 86]
012482ac  6a44cf90 MSVCR90D!__p__fmode [f:\dd\vctools\crt_bld\self_x86\crt\src\crtlib.c @ 748]
012482b0  6a44cef0 MSVCR90D!__p__commode [f:\dd\vctools\crt_bld\self_x86\crt\src\crtlib.c @ 714]
012482b4  6a5266cc MSVCR90D!_adjust_fdiv
012482b8  6a44ada0 MSVCR90D!__setusermatherr
012482bc  6a4e6d80 MSVCR90D!_configthreadlocale [f:\dd\vctools\crt_bld\self_x86\crt\src\setlocal.c @ 420]
012482c0  6a4eb420 MSVCR90D!_CRT_RTC_INITW
012482c4  6a462450 MSVCR90D!getchar [f:\dd\vctools\crt_bld\self_x86\crt\src\fgetchar.c @ 45]
012482c8  6a46abb0 MSVCR90D!printf [f:\dd\vctools\crt_bld\self_x86\crt\src\printf.c @ 49]
012482cc  6a4df660 MSVCR90D!_onexit [f:\dd\vctools\crt_bld\self_x86\crt\src\onexit.c @ 85]
012482d0  6a4cd680 MSVCR90D!operator new [f:\dd\vctools\crt_bld\self_x86\crt\src\new.cpp @ 57]

The lookup can also go through OriginalFirstThunk. First find the list: 1803c is the first DWORD of the KERNEL32 descriptor.
typedef struct _IMAGE_THUNK_DATA32 {
    union {
        DWORD ForwarderString;      // PBYTE: RVA of a forwarder string
        DWORD Function;             // PDWORD: memory address of the imported function
        DWORD Ordinal;              // ordinal number of the imported API
        DWORD AddressOfData;        // PIMAGE_IMPORT_BY_NAME
    } u1;
} IMAGE_THUNK_DATA32;
This one is likewise not found on my exe, but clearly it is an array of 4-byte entries:
0:001> dd 0x1803c+0x1230000
0124803c  00018314 000186e4 000186d0 000186c2
0124804c  000186b2 0001869c 0001868a 0001867e
0124805c  00018672 00018658 00018642 0001862c
0124806c  0001861c 00018602 000185e4 000185d4
0124807c  000185c2 000185b6 000185a0 0001858a
0124808c  0001857c 0001856a 00018556 00018538
0124809c  00018530 0001851a 000186f8 00000000
012480ac  00000000 00000000 00000000 00000000
Each entry in that array in turn points to the following structure:
typedef struct _IMAGE_IMPORT_BY_NAME {
    WORD    Hint;
    BYTE    Name[1];
} IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME;
So, skipping the 2-byte Hint:
0:001> da 00018314+0x1230000+2
01248316  "CreateThread"
0:001> da 000186e4+0x1230000+2
012486e6  "GetCurrentProcess"
............................................................
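As an added example (not part of the original post), here is the whole walk of steps 1 to 7 done offline in Python over the bytes of a PE file on disk instead of a loaded image: DOS header, NT headers, file and optional header, section table, import descriptors, and the OriginalFirstThunk / IMAGE_IMPORT_BY_NAME chain. The one difference from the WinDbg session is that on disk an RVA has to be translated to a file offset through the section table, whereas in the debugger it is simply base+RVA. The sample PE is constructed by build_sample_pe (its section layout, DLL names and function names are made up for the demonstration); the constant names are the winnt.h ones, and parse_pe, read_cstring and build_sample_pe are my own.

```python
import struct

# winnt.h constants used by the walkthrough above.
IMAGE_DOS_SIGNATURE = 0x5A4D              # "MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_ORDINAL_FLAG32 = 0x80000000


def read_cstring(data, off, limit=256):
    """NUL-terminated ASCII string at off; refuses to scan past `limit` bytes of an untrusted file."""
    end = data.find(b"\0", off, off + limit)
    if end < 0:
        raise ValueError("unterminated string at file offset 0x%x" % off)
    return data[off:end].decode("ascii")


def parse_pe(data):
    """DOS header -> NT headers -> section table -> import directory of a PE32 file, as bytes on disk."""
    (e_magic,) = struct.unpack_from("<H", data, 0)
    if e_magic != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)            # offset of IMAGE_NT_HEADERS
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                              # IMAGE_FILE_HEADER
    machine, nsec, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                                  # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("only PE32 (Magic 0x10b) is handled")
    (image_base,) = struct.unpack_from("<I", data, opt + 0x1C)
    (size_of_headers,) = struct.unpack_from("<I", data, opt + 0x3C)
    (num_dirs,) = struct.unpack_from("<I", data, opt + 0x5C)
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_IMPORT:
        raise ValueError("no import data directory")
    import_rva, import_size = struct.unpack_from("<II", data, opt + 0x60 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    sections = []                                                  # table starts right after IMAGE_NT_HEADERS
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, ch = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr, "characteristics": ch})

    def rva_to_offset(rva):
        """In WinDbg an RVA is just base+RVA; on disk it must be mapped through the section table."""
        if rva < size_of_headers:
            return rva
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
                return rva - s["va"] + s["rawptr"]
        raise ValueError("RVA 0x%x is not backed by any section" % rva)

    imports = {}
    if import_rva:
        desc = rva_to_offset(import_rva)
        for _ in range(import_size // 20 if import_size else 256):  # bounded walk; never trust Size alone
            oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
            if name_rva == 0:                                      # Name == 0 ends the descriptor array
                break
            dll = read_cstring(data, rva_to_offset(name_rva))
            thunk = rva_to_offset(oft or ft)                       # OriginalFirstThunk keeps the names
            funcs = []
            while True:
                (entry,) = struct.unpack_from("<I", data, thunk)
                if entry == 0:
                    break
                if entry & IMAGE_ORDINAL_FLAG32:                   # import by ordinal: no IMAGE_IMPORT_BY_NAME
                    funcs.append("#%d" % (entry & 0xFFFF))
                else:                                              # IMAGE_IMPORT_BY_NAME: WORD Hint, then Name
                    funcs.append(read_cstring(data, rva_to_offset(entry) + 2))
                thunk += 4
            imports[dll] = funcs
            desc += 20
    return {"machine": machine, "characteristics": characteristics, "image_base": image_base,
            "sections": sections, "imports": imports}


def build_sample_pe():
    """Constructed PE32 with one .idata section and two imported DLLs (sample data, not a real binary)."""
    IDATA_RVA, IDATA_RAW, HEADERS = 0x2000, 0x400, 0x400
    sec = bytearray()

    def place(blob, align=4):                                      # append to .idata, return its RVA
        while len(sec) % align:
            sec.append(0)
        sec.extend(blob)
        return IDATA_RVA + len(sec) - len(blob)

    wanted = {b"KERNEL32.dll": [b"CreateThread", b"GetCurrentProcess"], b"MSVCR90D.dll": [b"printf"]}
    descriptors = b""
    for dll, funcs in wanted.items():
        name_rvas = [place(struct.pack("<H", i) + f + b"\0", 2) for i, f in enumerate(funcs)]
        thunks = struct.pack("<%dI" % (len(funcs) + 1), *name_rvas, 0)
        oft, ft = place(thunks), place(thunks)                      # identical on disk; the loader rewrites FirstThunk
        descriptors += struct.pack("<IIIII", oft, 0, 0, place(dll + b"\0", 1), ft)
    import_rva = place(descriptors + bytes(20))                    # null descriptor terminates the array
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] = (import_rva, len(descriptors) + 20)
    optional = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                           0x10B, 9, 0, 0, len(sec), 0, 0x1000, 0x1000, IDATA_RVA, 0x400000, 0x1000, 0x200,
                           5, 0, 0, 0, 5, 0, 0, IDATA_RVA + 0x1000, HEADERS, 0, 3, 0x8140,
                           0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    optional += b"".join(struct.pack("<II", *d) for d in dirs)
    file_header = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, len(optional), 0x102)
    section = struct.pack("<8sIIIIIIHHI", b".idata", len(sec), IDATA_RVA, 0x200, IDATA_RAW, 0, 0, 0, 0, 0xC0000040)
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE).ljust(0x3C, b"\0") + struct.pack("<I", 0x80)
    headers = dos.ljust(0x80, b"\0") + IMAGE_NT_SIGNATURE + file_header + optional + section
    return headers.ljust(HEADERS, b"\0") + bytes(sec).ljust(0x200, b"\0")


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for dll, funcs in info["imports"].items():
        print(dll, funcs)
```

Two details matter when the input is a file you did not build yourself: every RVA is mapped through the section table and rejected if no section backs it, and the descriptor walk is bounded by the directory Size (with a fallback cap) so that a missing null descriptor cannot turn into an unbounded read. The thunk parser also honours IMAGE_ORDINAL_FLAG32, since an ordinal import has no IMAGE_IMPORT_BY_NAME to follow.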