(ZT / repost) Walking the PE import table

Source: Internet   Editor: 程序博客网   Time: 2024/06/15 07:00

Preface

I found a write-up that explains quite clearly the decision flow for the import table and the IAT (the two tables treated as one).
If you need to repair the import table after a DumpFile, just follow this flow.
Original URL: http://win32assembly.programminghorizon.com/pe-tut6.html

Import table walk

The array of RVAs pointed to by OriginalFirstThunk remains unchanged, so if the need arises to find the names of the imported functions (the PE loader needs them, and so does anyone rebuilding the imports of a process dump, where the FirstThunk array already holds resolved addresses), they can still be found there.
There is a little twist on this straightforward scheme. Some functions are exported by ordinal only. That means you don't call the function by its name: you call it by its position in the export table. In this case there is no IMAGE_IMPORT_BY_NAME structure for that function in the calling module. Instead, the IMAGE_THUNK_DATA for that function contains the ordinal in its low word and has its most significant bit (MSB) set to 1. For example, if a function is exported by ordinal only and its ordinal is 1234h, the IMAGE_THUNK_DATA for that function is 80001234h. Microsoft provides a handy constant for testing the MSB of a dword, IMAGE_ORDINAL_FLAG32, with the value 80000000h. (On PE32+ images the thunk is a 64-bit IMAGE_THUNK_DATA64 and the flag is IMAGE_ORDINAL_FLAG64, 8000000000000000h; the low word still holds the ordinal.)
Suppose we want to list the names of all the functions a PE file imports. We need to follow these steps:

Verify that the file is a valid PE

From the DOS header, go to the PE header

Obtain the address of the data directory in OptionalHeader

Go to the 2nd member of the data directory (index 1, IMAGE_DIRECTORY_ENTRY_IMPORT) and extract the value of VirtualAddress. Check NumberOfRvaAndSizes first so you don't read past a short directory; a VirtualAddress of zero means the file has no import table.

Use that value to go to the first IMAGE_IMPORT_DESCRIPTOR structure. The value is an RVA: when you are reading the file from disk rather than a mapped image, translate it to a file offset through the section table first (this applies to every RVA in the steps below).

Check the value of OriginalFirstThunk. If it’s not zero, follow the RVA in OriginalFirstThunk to the RVA array. If OriginalFirstThunk is zero, use the value in FirstThunk instead. Some linkers generate PE files with 0 in OriginalFirstThunk. This is considered a bug. Just to be on the safe side, we check the value in OriginalFirstThunk first.

For each member in the array, we check the value of the member against IMAGE_ORDINAL_FLAG32. If the most significant bit of the member is 1, then the function is exported by ordinal and we can extract the ordinal number from the low word of the member.

If the most significant bit of the member is 0, use the value of the member as the RVA of an IMAGE_IMPORT_BY_NAME structure; skip the 2-byte Hint and you are at the null-terminated name of the function.

Skip to the next array member and keep retrieving names until the end of the array is reached (it is null-terminated). Now we are done extracting the names of the functions imported from this DLL, and we go on to the next DLL.

Skip to the next IMAGE_IMPORT_DESCRIPTOR and process it. Do that until the end of the array is reached (IMAGE_IMPORT_DESCRIPTOR array is terminated by a member with all zeroes in its fields).
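The nine steps above, carried out in code. This is an added example, not code from the original page or from Iczelion's tutorial; it walks the import directory of an on-disk image (RVAs translated through the section table), prefers OriginalFirstThunk and falls back to FirstThunk, decodes ordinal thunks with the MSB test, and, going one step beyond the text, also handles PE32+ (64-bit thunks, IMAGE_ORDINAL_FLAG64). Because nothing here should touch a real binary, build_sample_pe32 constructs a minimal PE32 in memory; the two DLLs, the function names, the hints (0x2A0, 0x1F) and the ordinal 1234h are all made up for the sample. simulate_loader then mimics what a process dump looks like, with every IAT slot replaced by an address, to show why the dump-repair case in the preface depends on OriginalFirstThunk.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000
IMAGE_ORDINAL_FLAG64 = 0x8000000000000000
IMAGE_DIRECTORY_ENTRY_IMPORT = 1  # the "2nd member" of the data directory

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table (the file is not mapped)."""
    for vsize, va, rawsize, raw in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is outside every section")

def read_cstr(data, off):
    return bytes(data[off:data.index(b"\0", off)]).decode("ascii")

def parse_imports(data):
    """The walk from the text, steps 1 to 9; returns one dict per imported DLL."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)  # IMAGE_FILE_HEADER
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: 4-byte thunks, DataDirectory at +96
        fmt, flag, tsize, dd = "<I", IMAGE_ORDINAL_FLAG32, 4, opt + 96
    elif magic == 0x20B:  # PE32+: 8-byte thunks, DataDirectory at +112
        fmt, flag, tsize, dd = "<Q", IMAGE_ORDINAL_FLAG64, 8, opt + 112
    else:
        raise ValueError(f"unknown optional-header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", data, dd - 4)[0]  # NumberOfRvaAndSizes sits right before the directory
    imp_rva = struct.unpack_from("<I", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0] if ndirs > 1 else 0
    if not imp_rva:
        return []
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    result, desc = [], rva_to_offset(sections, imp_rva)
    while True:
        fields = struct.unpack_from("<IIIII", data, desc)  # one IMAGE_IMPORT_DESCRIPTOR
        if not any(fields):                                # all-zero descriptor ends the array
            break
        oft, _, _, name_rva, ft = fields
        # Prefer OriginalFirstThunk (the INT, which the loader never rewrites); some linkers leave it 0.
        thunk_rva, source = (oft, "OriginalFirstThunk") if oft else (ft, "FirstThunk")
        funcs, toff = [], rva_to_offset(sections, thunk_rva)
        while (thunk := struct.unpack_from(fmt, data, toff)[0]) != 0:  # null thunk ends the list
            if thunk & flag:                               # MSB set: ordinal in the low word
                funcs.append(("ordinal", thunk & 0xFFFF, None))
            else:                                          # RVA of IMAGE_IMPORT_BY_NAME: WORD Hint, then name
                ibn = rva_to_offset(sections, thunk)
                funcs.append(("name", read_cstr(data, ibn + 2), struct.unpack_from("<H", data, ibn)[0]))
            toff += tsize
        result.append({"dll": read_cstr(data, rva_to_offset(sections, name_rva)), "source": source,
                       "iat_offset": rva_to_offset(sections, ft), "functions": funcs})
        desc += 20
    return result

def build_sample_pe32():
    """Constructed sample, not a real binary: PE32, one section, two DLLs, no code at all."""
    SEC_RVA, SEC_RAW, sec = 0x1000, 0x200, bytearray()
    def put(blob, align=4):  # append to the section and return the blob's RVA
        sec.extend(bytes(-len(sec) % align) + blob)
        return SEC_RVA + len(sec) - len(blob)
    k32_name, u32_name = put(b"kernel32.dll\0"), put(b"user32.dll\0")
    ibn_gpa = put(struct.pack("<H", 0x2A0) + b"GetProcAddress\0", 2)
    ibn_mba = put(struct.pack("<H", 0x1F) + b"MessageBoxA\0", 2)
    k32_thunks = struct.pack("<III", ibn_gpa, IMAGE_ORDINAL_FLAG32 | 0x1234, 0)  # one by name, one by ordinal
    k32_int, k32_iat = put(k32_thunks), put(k32_thunks)  # INT and IAT are identical on disk
    u32_iat = put(struct.pack("<II", ibn_mba, 0))
    descs = struct.pack("<IIIII", k32_int, 0, 0, k32_name, k32_iat)
    descs += struct.pack("<IIIII", 0, 0, 0, u32_name, u32_iat)  # OriginalFirstThunk == 0: the buggy-linker case
    descs += bytes(20)  # terminator
    imp_rva = put(descs)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, one section, PE32 optional header
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)  # magic ... NumberOfRvaAndSizes
    opt += bytes(8) + struct.pack("<II", imp_rva, len(descs))  # dir[0] (export) empty, dir[1] = import
    sechdr = struct.pack("<8sIIIIIIHHI", b".idata\0\0", len(sec), SEC_RVA, len(sec), SEC_RAW, 0, 0, 0, 0, 0xC0000040)
    hdr = dos + b"PE\0\0" + coff + opt.ljust(0xE0, b"\0") + sechdr
    return hdr + bytes(SEC_RAW - len(hdr)) + bytes(sec)

def simulate_loader(data):
    """Constructed 'process dump': every IAT slot overwritten with a fake resolved address (PE32 only)."""
    dump = bytearray(data)
    for entry in parse_imports(data):
        off = entry["iat_offset"]
        while struct.unpack_from("<I", dump, off)[0] != 0:
            struct.pack_into("<I", dump, off, 0x7FFE0000 + off)  # a VA-looking value, no longer an RVA
            off += 4
    return bytes(dump)

def imports_survive_dump(data):
    """False if some DLL's names are unrecoverable once the IAT holds addresses (no INT to fall back on)."""
    try:
        parse_imports(simulate_loader(data))
        return True
    except ValueError:
        return False
```

Running parse_imports(build_sample_pe32()) lists GetProcAddress (hint 0x2A0) and ordinal 1234h for kernel32.dll via OriginalFirstThunk, and MessageBoxA for user32.dll via the FirstThunk fallback. On the simulated dump the kernel32.dll entry still resolves, because the walk reads the untouched INT, but the user32.dll descriptor has no INT, its IAT slots now hold addresses rather than RVAs, and the walk fails on the first one; that is exactly the case an import rebuilder has to handle by resolving those addresses against the modules loaded in the process instead of reading names from the file.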
