获取任意一个程序的输入表

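// testPE.cpp : Defines the entry point for the console application.
//
// Prints the import table (imported DLLs and the functions taken from each)
// of the PE file named on the command line. The file is mapped read-only and
// parsed as raw file data, so every RVA has to be translated to a file offset
// and every offset has to be checked against the file size before it is
// dereferenced: all header fields are attacker-controlled when the input is
// an arbitrary executable.

#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <tchar.h>

/**
 * Translate an RVA into an offset inside the on-disk file.
 *
 * @param lpBase          Start of the file as mapped into memory.
 * @param VirtualAddress  RVA to translate.
 * @return The file offset, or 0 when no section's raw data contains the RVA.
 *
 * The caller must already have verified that the DOS header, the NT headers
 * and the whole section table lie inside the mapping; this function reads
 * them without further checks. The returned offset is taken from the section
 * header and is NOT checked against the file size here.
 */
DWORD RVAToOffset(LPVOID lpBase, DWORD VirtualAddress)
{
    const BYTE *base = (const BYTE *)lpBase;
    const IMAGE_DOS_HEADER *dosHeader = (const IMAGE_DOS_HEADER *)base;
    const IMAGE_NT_HEADERS *ntHeader =
        (const IMAGE_NT_HEADERS *)(base + dosHeader->e_lfanew);

    // IMAGE_FIRST_SECTION honours FileHeader.SizeOfOptionalHeader instead of
    // assuming the section table starts at sizeof(IMAGE_NT_HEADERS).
    const IMAGE_SECTION_HEADER *section = IMAGE_FIRST_SECTION(ntHeader);
    WORD sectionCount = ntHeader->FileHeader.NumberOfSections;

    for (WORD i = 0; i < sectionCount; i++, section++) {
        // An RVA equal to the section start belongs to that section.
        if (VirtualAddress < section->VirtualAddress)
            continue;

        // Compare the distance rather than VirtualAddress + SizeOfRawData,
        // which can wrap around for crafted headers.
        DWORD delta = VirtualAddress - section->VirtualAddress;
        if (delta >= section->SizeOfRawData)
            continue;

        ULONGLONG offset = (ULONGLONG)section->PointerToRawData + delta;
        return offset > MAXDWORD ? 0 : (DWORD)offset;
    }
    return 0;
}

// TRUE when the byte range [offset, offset + cb) lies inside a file of cbFile bytes.
static BOOL RangeInFile(DWORD cbFile, ULONGLONG offset, ULONGLONG cb)
{
    return offset <= cbFile && cb <= cbFile - offset;
}

// Returns the NUL-terminated string stored at the given RVA, or NULL when the
// RVA does not map into the file or the string is not terminated before EOF.
static const char *StringAtRva(LPVOID lpBase, DWORD cbFile, DWORD rva)
{
    DWORD offset = RVAToOffset(lpBase, rva);
    if (offset == 0 || offset >= cbFile)
        return NULL;

    const char *text = (const char *)lpBase + offset;
    return memchr(text, '\0', cbFile - offset) != NULL ? text : NULL;
}

// Validates the PE headers of the mapped file and prints its import table.
// Returns FALSE when the file is not recognised as a PE file, TRUE otherwise
// (including when the listing stops early because the table is malformed).
static BOOL DumpImports(LPVOID lpBuffer, DWORD cbFile)
{
    const BYTE *base = (const BYTE *)lpBuffer;

    // DOS header
    if (cbFile < sizeof(IMAGE_DOS_HEADER)) {
        printf("this file not pe file !");
        return FALSE;
    }
    const IMAGE_DOS_HEADER *lpDosHeader = (const IMAGE_DOS_HEADER *)base;
    if (lpDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        printf("this file not pe file !");
        return FALSE;
    }

    // NT headers: e_lfanew comes from the file, so check it before following it.
    if (lpDosHeader->e_lfanew < 0 ||
        !RangeInFile(cbFile, (DWORD)lpDosHeader->e_lfanew, sizeof(IMAGE_NT_HEADERS))) {
        printf("this file not pe file !");
        return FALSE;
    }
    const IMAGE_NT_HEADERS *lpNTHeader =
        (const IMAGE_NT_HEADERS *)(base + lpDosHeader->e_lfanew);
    if (lpNTHeader->Signature != IMAGE_NT_SIGNATURE) {
        printf("this file not pe file !");
        return FALSE;
    }

    // IMAGE_NT_HEADERS and IMAGE_THUNK_DATA follow the build target; a PE32
    // file read with the PE32+ layout (or the reverse) yields wrong fields.
    if (lpNTHeader->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC) {
        printf("optional header format does not match this build !\n");
        return TRUE;
    }

    // RVAToOffset walks the section table, so it must lie inside the file.
    ULONGLONG sectionTable = (ULONGLONG)lpDosHeader->e_lfanew +
                             FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader) +
                             lpNTHeader->FileHeader.SizeOfOptionalHeader;
    ULONGLONG sectionBytes = (ULONGLONG)lpNTHeader->FileHeader.NumberOfSections *
                             sizeof(IMAGE_SECTION_HEADER);
    if (!RangeInFile(cbFile, sectionTable, sectionBytes)) {
        printf("malformed section table !\n");
        return TRUE;
    }

    // Import directory
    if (lpNTHeader->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_IMPORT) {
        printf("no import table\n");
        return TRUE;
    }
    DWORD importRva =
        lpNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (importRva == 0) {
        printf("no import table\n");
        return TRUE;
    }

    // RVAToOffset returns 0 on failure; offset 0 is the DOS header and never
    // a valid location for import data.
    ULONGLONG descOffset = RVAToOffset(lpBuffer, importRva);
    if (descOffset == 0) {
        printf("malformed import table !\n");
        return TRUE;
    }

    for (;; descOffset += sizeof(IMAGE_IMPORT_DESCRIPTOR)) {
        if (!RangeInFile(cbFile, descOffset, sizeof(IMAGE_IMPORT_DESCRIPTOR))) {
            printf("malformed import table !\n");
            return TRUE;
        }
        const IMAGE_IMPORT_DESCRIPTOR *lpImportDesc =
            (const IMAGE_IMPORT_DESCRIPTOR *)(base + descOffset);
        if (lpImportDesc->FirstThunk == 0)
            break;  // terminating descriptor

        // The name is checked for termination only; its bytes are printed as
        // they appear in the file.
        const char *DllName = StringAtRva(lpBuffer, cbFile, lpImportDesc->Name);
        if (DllName == NULL) {
            printf("malformed import table !\n");
            return TRUE;
        }

        // Some linkers leave OriginalFirstThunk empty; the on-disk FirstThunk
        // array then carries the same name/ordinal entries.
        DWORD thunkRva = lpImportDesc->OriginalFirstThunk != 0
                             ? lpImportDesc->OriginalFirstThunk
                             : lpImportDesc->FirstThunk;
        ULONGLONG thunkOffset = RVAToOffset(lpBuffer, thunkRva);
        if (thunkOffset == 0) {
            printf("malformed import table !\n");
            return TRUE;
        }

        for (;; thunkOffset += sizeof(IMAGE_THUNK_DATA)) {
            if (!RangeInFile(cbFile, thunkOffset, sizeof(IMAGE_THUNK_DATA))) {
                printf("malformed import table !\n");
                return TRUE;
            }
            const IMAGE_THUNK_DATA *lpThunkData =
                (const IMAGE_THUNK_DATA *)(base + thunkOffset);
            if (lpThunkData->u1.Function == 0)
                break;  // end of this DLL's thunk array

            // The ordinal flag is the top bit, so the masked value is never 1;
            // test it for non-zero through the width-aware macro.
            if (IMAGE_SNAP_BY_ORDINAL(lpThunkData->u1.Ordinal)) {
                printf("从%s模块导出的函数序号为%x\n", DllName,
                       (unsigned int)IMAGE_ORDINAL(lpThunkData->u1.Ordinal));
            } else {
                // AddressOfData is the RVA of an IMAGE_IMPORT_BY_NAME; the
                // name string follows the Hint field.
                ULONGLONG nameRva = (ULONGLONG)lpThunkData->u1.AddressOfData +
                                    FIELD_OFFSET(IMAGE_IMPORT_BY_NAME, Name);
                const char *funcName =
                    nameRva <= MAXDWORD ? StringAtRva(lpBuffer, cbFile, (DWORD)nameRva) : NULL;
                if (funcName == NULL) {
                    printf("malformed import table !\n");
                    return TRUE;
                }
                printf("从%s模块导出的函数为:%s\n", DllName, funcName);
            }
        }
    }
    return TRUE;
}

int _tmain(int argc, _TCHAR* argv[])
{
    if (argc < 2) {
        printf("usage: testPE <pe-file>\n");
        return 0;
    }

    // Open the file. Read access is all the parser needs; asking for more
    // fails on read-only files and would allow the input to be modified.
    // Writers are not shared in, so the contents cannot change after the
    // bounds checks have run.
    HANDLE hFile = CreateFile(argv[1],
                              GENERIC_READ,
                              FILE_SHARE_READ,
                              NULL,
                              OPEN_EXISTING,
                              FILE_ATTRIBUTE_NORMAL,
                              NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        printf("open file error !%lu", GetLastError());
        return 0;
    }

    // The file size is the bound for every offset derived from the headers.
    LARGE_INTEGER fileSize;
    if (!GetFileSizeEx(hFile, &fileSize) ||
        fileSize.QuadPart <= 0 || fileSize.QuadPart > MAXDWORD) {
        printf("unsupported file size !");
        CloseHandle(hFile);
        return 0;
    }

    // Create the file-mapping kernel object.
    // CreateFileMapping reports failure with NULL, not INVALID_HANDLE_VALUE.
    HANDLE hMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
    if (hMap == NULL) {
        printf("open map error !");
        CloseHandle(hFile);
        return 0;
    }

    // Map the file into this process's address space.
    LPVOID lpBuffer = MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);
    if (lpBuffer == NULL) {
        printf("MapViewOfFile error ! %lu", GetLastError());
        CloseHandle(hMap);
        CloseHandle(hFile);
        return 0;
    }

    BOOL isPE = DumpImports(lpBuffer, (DWORD)fileSize.QuadPart);

    UnmapViewOfFile(lpBuffer);
    CloseHandle(hMap);
    CloseHandle(hFile);

    if (isPE)
        system("pause");
    return 0;
}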
