如何列出一个可执行档里输出的函数


#include <windows.h>
#include <winbase.h>
#include <imagehlp.h>
#include <tchar.h>

#include <stdint.h>
#include <stdio.h>
#include <string.h>

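/*
 * Print the fixed usage banner to stdout.
 *
 * msg: the program name (argv[0]) as callers pass it; it is kept for
 *      interface compatibility only, the banner text is constant.
 *
 * The listing as published wrote "/n" and "//" inside these strings, which
 * printed the characters literally instead of a newline and a backslash.
 */
void PrintUsage(char *msg)
{
	(void)msg;
	printf("|---------------------------------------------------------|\n");
	printf("|   CreateDate: 2000-02-15                                |\n");
	printf("|   Usage: <Path>\\GetFunction[.exe] <Exe file|DLL file>   |\n");
	printf("|---------------------------------------------------------|\n");
}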

/*
 * Heuristic filter for an export-name string.
 *
 * Returns TRUE when every byte of pf lies in the ASCII range '0'..'z'
 * (0x30..0x7A); that admits digits, letters and the punctuation between
 * them and rejects everything else, including bytes >= 0x80 whether char
 * is signed or not. An empty string passes.
 *
 * pf must be non-NULL and NUL-terminated; the caller is responsible for
 * that, nothing here bounds the scan.
 */
BOOL CheckFunction(PCHAR pf)
{
	for (const char *p = pf; *p != '\0'; ++p) {
		if (*p < '0' || *p > 'z')
			return FALSE;
	}
	return TRUE;
}

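/*
 * TRUE when the byte range [p, p + len) lies entirely inside the mapped
 * file view [base, base + size). Every pointer derived from an RVA in the
 * (untrusted) input file goes through this before it is dereferenced:
 * ImageRvaToVa validates an RVA only against the section table, which is
 * itself part of the untrusted file, never against the real file size.
 */
static BOOL in_view(const void *base, DWORD size, const void *p, DWORD len)
{
	uintptr_t b = (uintptr_t)base;
	uintptr_t q = (uintptr_t)p;

	if (p == NULL || q < b || q - b > size)
		return FALSE;
	return len <= size - (DWORD)(q - b);
}

/*
 * TRUE when the C string at s is NUL-terminated before the end of the
 * view, so strlen()/printf("%s") on it cannot run off the mapping.
 */
static BOOL str_in_view(const void *base, DWORD size, const char *s)
{
	DWORD room;

	if (!in_view(base, size, s, 1))
		return FALSE;
	room = size - (DWORD)((const unsigned char *)s - (const unsigned char *)base);
	return memchr(s, '\0', room) != NULL;
}

/*
 * RVA of the export directory, read from the PE32 or PE32+ optional header
 * as selected by its Magic field. Going through nt->OptionalHeader directly
 * uses the host build's layout, which is wrong for a PE32 image parsed by
 * a 64-bit build (ImageBase differs in size, shifting DataDirectory).
 * Returns 0 when the image has no export directory entry.
 */
static DWORD export_dir_rva(const IMAGE_NT_HEADERS *nt)
{
	if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
		const IMAGE_NT_HEADERS32 *h = (const IMAGE_NT_HEADERS32 *)nt;
		if (h->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_EXPORT)
			return 0;
		return h->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
	}
	if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
		const IMAGE_NT_HEADERS64 *h = (const IMAGE_NT_HEADERS64 *)nt;
		if (h->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_EXPORT)
			return 0;
		return h->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
	}
	return 0;
}

/*
 * Entry point: list the named exports of the PE image given as argv[1].
 *
 * The file is mapped read-only and parsed with imagehlp. For every entry
 * of the export name table the program prints the name-table index, the
 * export name and the export RVA in decimal (this is an RVA, not an
 * absolute address). An export whose RVA points back into the export
 * directory is a forwarder; its "DLL.Name" target is printed after it.
 *
 * The input file is untrusted. Compared with the original listing:
 *  - argv[1] is used as-is instead of sprintf(file_path, argv[1]), which
 *    was both a format-string bug and an unbounded copy into MAX_PATH.
 *  - the file is opened with FILE_SHARE_READ, so a DLL that is loaded in
 *    some process no longer fails with ERROR_SHARING_VIOLATION; the
 *    copy-next-to-the-tool-then-delete fallback (with its use-after-free
 *    of lpTmp on retry and unchecked CopyFile) is gone.
 *  - every RVA-derived pointer is bounds-checked against the file size
 *    instead of IsBadReadPtr/IsBadCodePtr, which are unreliable and never
 *    validated the length that was read.
 *  - the loop walks NumberOfNames entries (the size of AddressOfNames and
 *    AddressOfNameOrdinals), not NumberOfFunctions, which overran both
 *    tables whenever an image has ordinal-only exports.
 *  - the 32-character name limit is dropped; it silently hid long exports.
 *
 * NOTE(review): imagehlp's own walk of the section table (ImageNtHeader,
 * ImageRvaToVa) is not bounds-checked here; a hostile header with an
 * oversized NumberOfSections/SizeOfOptionalHeader can still make the
 * library read past the mapping. Wrap the parse in __try/__except or
 * parse the section table yourself if that matters for your use.
 *
 * Returns 0 on success, 1 on any error (a message is printed).
 */
int main(int argc, char **argv)
{
	int rc = 1;
	HANDLE hFile = INVALID_HANDLE_VALUE;
	HANDLE hFileMap = NULL;
	PVOID mod_base = NULL;
	DWORD file_size, size_high = 0;
	const IMAGE_DOS_HEADER *dos;
	PIMAGE_NT_HEADERS nt_headers;
	PIMAGE_EXPORT_DIRECTORY export_data;
	ULONG export_size = 0;
	DWORD export_rva, n_names, n_funcs, i;
	const DWORD *names, *funcs;
	const WORD *ords;
	const char *file_path;

	if (argc < 2) {
		PrintUsage(argv[0]);
		return 0;
	}
	file_path = argv[1];

	/* Share read access: a loaded DLL is already open for reading by the
	 * loader, so share mode 0 fails with ERROR_SHARING_VIOLATION. */
	hFile = CreateFile(file_path, GENERIC_READ, FILE_SHARE_READ, NULL,
	                   OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
	if (hFile == INVALID_HANDLE_VALUE) {
		printf("Cannot open %s (error %lu)\n", file_path,
		       (unsigned long)GetLastError());
		return 1;
	}

	/* The size bounds every later pointer check; PE images > 4 GiB are
	 * rejected rather than handled. */
	file_size = GetFileSize(hFile, &size_high);
	if (file_size == INVALID_FILE_SIZE || size_high != 0
	    || file_size < sizeof(IMAGE_DOS_HEADER)) {
		printf("Not a PE file (bad size)\n");
		goto out;
	}

	hFileMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
	if (hFileMap == NULL) {
		printf("Create File Map Error!\n");
		goto out;
	}
	mod_base = MapViewOfFile(hFileMap, FILE_MAP_READ, 0, 0, 0);
	if (mod_base == NULL) {
		printf("Create MapView of file error!\n");
		goto out;
	}

	/* Validate the DOS stub ourselves before handing the view to imagehlp,
	 * which follows e_lfanew without knowing the file size. */
	dos = (const IMAGE_DOS_HEADER *)mod_base;
	if (dos->e_magic != IMAGE_DOS_SIGNATURE || dos->e_lfanew < 0
	    || !in_view(mod_base, file_size,
	                (const char *)mod_base + dos->e_lfanew,
	                (DWORD)(sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER)))) {
		printf("Not a PE file\n");
		goto out;
	}
	nt_headers = ImageNtHeader(mod_base);
	if (nt_headers == NULL
	    || !in_view(mod_base, file_size, nt_headers,
	                (DWORD)(sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER)
	                        + nt_headers->FileHeader.SizeOfOptionalHeader))) {
		printf("Not a PE file\n");
		goto out;
	}

	export_data = (PIMAGE_EXPORT_DIRECTORY)ImageDirectoryEntryToData(
	    mod_base, FALSE, IMAGE_DIRECTORY_ENTRY_EXPORT, &export_size);
	export_rva = export_dir_rva(nt_headers);
	if (export_data == NULL || export_rva == 0
	    || !in_view(mod_base, file_size, export_data, sizeof *export_data)) {
		printf("No usable export directory (error %lu)\n",
		       (unsigned long)GetLastError());
		goto out;
	}

	n_names = export_data->NumberOfNames;
	n_funcs = export_data->NumberOfFunctions;
	/* Keep the byte-count multiplications below from wrapping. */
	if (n_names > file_size / sizeof(DWORD)
	    || n_funcs > file_size / sizeof(DWORD)) {
		printf("Export directory is corrupt\n");
		goto out;
	}
	names = (const DWORD *)ImageRvaToVa(nt_headers, mod_base,
	                                    export_data->AddressOfNames, NULL);
	funcs = (const DWORD *)ImageRvaToVa(nt_headers, mod_base,
	                                    export_data->AddressOfFunctions, NULL);
	ords = (const WORD *)ImageRvaToVa(nt_headers, mod_base,
	                                  export_data->AddressOfNameOrdinals, NULL);
	if (!in_view(mod_base, file_size, names, (DWORD)(n_names * sizeof(DWORD)))
	    || !in_view(mod_base, file_size, funcs, (DWORD)(n_funcs * sizeof(DWORD)))
	    || !in_view(mod_base, file_size, ords, (DWORD)(n_names * sizeof(WORD)))) {
		printf("Export tables lie outside the file\n");
		goto out;
	}

	printf("Order            FunctionName                     FunctionAddress\n");
	for (i = 0; i < n_names; i++) {
		const char *name = (const char *)ImageRvaToVa(nt_headers, mod_base,
		                                              names[i], NULL);
		WORD ord = ords[i];
		DWORD rva;

		if (!str_in_view(mod_base, file_size, name))
			continue;	/* name RVA points outside the file */
		if (!CheckFunction((PCHAR)name))
			continue;	/* cosmetic filter kept from the original */
		if (ord >= n_funcs)
			continue;	/* ordinal outside AddressOfFunctions */
		rva = funcs[ord];

		/* %-18 / %-50 reproduce the space padding the original did by hand. */
		printf("%-18lu%-50s%lu", (unsigned long)i, name, (unsigned long)rva);
		if (rva >= export_rva && rva - export_rva < export_size) {
			/* Forwarded export: the "address" is a "DLL.Name" string
			 * inside the export directory, not code. */
			const char *fwd = (const char *)ImageRvaToVa(nt_headers, mod_base,
			                                             rva, NULL);
			if (str_in_view(mod_base, file_size, fwd))
				printf("  -> %s", fwd);
			else
				printf("  -> (forwarder, target outside file)");
		}
		printf("\n");
	}
	rc = 0;

out:
	if (mod_base != NULL)
		UnmapViewOfFile(mod_base);
	if (hFileMap != NULL)
		CloseHandle(hFileMap);
	CloseHandle(hFile);
	return rc;
}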

 

 

例如运行:

GetFunction.exe c:/windows/system32/ntdll.dll

则输出如下结果（FunctionAddress 一列是导出函数的 RVA，以十进制打印，而不是进程内的绝对地址；序号 3 缺失，很可能是因为该导出名超过 32 个字符，被程序的长度过滤跳过了）:

Order            FunctionName                         FunctionAddress
0                 CsrAllocateCaptureBuffer                          125863
1                 CsrAllocateMessagePointer                         125960
2                 CsrCaptureMessageBuffer                           160625
4                 CsrCaptureMessageString                           132870
5                 CsrCaptureTimeout                                 329170
6                 CsrClientCallServer                               78497
7                 CsrClientConnectToServer                          137105
8                 CsrFreeCaptureBuffer                              125775
9                 CsrGetProcessId                                   329159
.

.

.

1312              wcstol                                            233171
1313              wcstombs                                          461117
1314              wcstoul                                           219472