📄 lion-petut-c06.htm
字号:
<p><font size="2">结构第一项是一个</font><font size="2"
face="MS Sans Serif">union</font><font size="2">子结构。
事实上,这个</font><font size="2" face="MS Sans Serif">union</font><font
size="2">子结构只是给 </font><font color="#FFFFCC" size="2"
face="MS Sans Serif"><b>OriginalFirstThunk</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">增添了个别名,您也可以称其为</font><font
size="2" face="MS Sans Serif">"Characteristics"</font><font
size="2">。 该成员项含有指向一个 </font><font
color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_THUNK_DATA</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">结构数组的</font><font
size="2" face="MS Sans Serif">RVA</font><font size="2">。<br>
什么是 </font><font color="#CCFFCC" size="2"
face="MS Sans Serif"><b>IMAGE_THUNK_DATA</b></font><font size="2"
face="MS Sans Serif">? </font><font size="2">这是一个</font><font
size="2" face="MS Sans Serif">dword</font><font size="2">类型的集合。通常我们将其解释为指向一个</font><font
color="#FFFFCC" size="2"> </font><font color="#CCFFCC" size="2"
face="MS Sans Serif"><b>IMAGE_IMPORT_BY_NAME</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">结构的指针。注意
</font><font color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_THUNK_DATA</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">包含了指向一个
</font><font color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_IMPORT_BY_NAME</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">结构的指针</font><font
size="2" face="MS Sans Serif">: </font><font size="2">而不是结构本身。<br>
请看这里</font><font size="2" face="MS Sans Serif">: </font><font
size="2">现有几个 </font><font color="#CCFFCC" size="2"
face="MS Sans Serif"><b>IMAGE_IMPORT_BY_NAME</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">结构,我们收集起这些结构的</font><font
size="2" face="MS Sans Serif">RVA (</font><font color="#CCFFCC"
size="2" face="MS Sans Serif"><b>IMAGE_THUNK_DATAs</b></font><font
size="2" face="MS Sans Serif">)</font><font size="2">组成一个数组,并以</font><font
size="2" face="MS Sans Serif">0</font><font size="2">结尾,然后再将数组的</font><font
size="2" face="MS Sans Serif">RVA</font><font size="2">放入 </font><font
color="#FFFFCC" size="2" face="MS Sans Serif"><b>OriginalFirstThunk</b></font><font
size="2">。<br>
此 </font><font color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_IMPORT_BY_NAME</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">结构存有一个引入函数的相关信息。再来研究
</font><font color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_IMPORT_BY_NAME</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">结构到底是什么样子的呢</font><font
size="2" face="MS Sans Serif">:</font></p>
<p><font face="Fixedsys">IMAGE_IMPORT_BY_NAME STRUCT <br>
Hint dw ? <br>
Name1 db ? <br>
IMAGE_IMPORT_BY_NAME ENDS </font></p>
<p><font color="#FFFFCC" size="2" face="MS Sans Serif"><b>Hint </b></font><font
size="2">指示本函数在其所驻留</font><font size="2"
face="MS Sans Serif">DLL</font><font size="2">的引出表中的索引号。该域被</font><font
size="2" face="MS Sans Serif">PE</font><font size="2">装载器用来在</font><font
size="2" face="MS Sans Serif">DLL</font><font size="2">的引出表里快速查询函数。该值不是必须的,一些连接器将此值设为</font><font
size="2" face="MS Sans Serif">0</font><font size="2">。<br>
</font><font color="#FFFFCC" size="2" face="MS Sans Serif"><b>Name1</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">含有引入函数的函数名。函数名是一个</font><font
size="2" face="MS Sans Serif">ASCIIZ</font><font size="2">字符串。注意这里虽然将</font><font
size="2" face="MS Sans Serif">Name1</font><font size="2">的大小定义成字节,其实它是可变尺寸域,只不过我们没有更好方法来表示结构中的可变尺寸域。</font><font
size="2" face="MS Sans Serif">The structure is provided so that
you can refer to the data structure with descriptive names.<br>
</font></p>
<p><font color="#FFFFCC" size="2" face="MS Sans Serif"><b>TimeDateStamp</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">和 </font><font
color="#FFFFCC" size="2" face="MS Sans Serif"><b>ForwarderChain</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">可是高级东东</font><font
size="2" face="MS Sans Serif">: </font><font size="2">让我们精通其他成员后再来讨论它们吧。</font></p>
<p><font color="#FFFFCC" size="2" face="MS Sans Serif"><b>Name1</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">含有指向</font><font
size="2" face="MS Sans Serif">DLL</font><font size="2">名字的</font><font
size="2" face="MS Sans Serif">RVA</font><font size="2">,即指向</font><font
size="2" face="MS Sans Serif">DLL</font><font size="2">名字的指针,也是一个</font><font
size="2" face="MS Sans Serif">ASCIIZ</font><font size="2">字符串。</font></p>
<p><font color="#FFFFCC" size="2" face="MS Sans Serif"><b>FirstThunk</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">与 </font><font
color="#FFFFCC" size="2" face="MS Sans Serif"><b>OriginalFirstThunk</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">非常相似,它也包含指向一个
</font><font color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_THUNK_DATA</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">结构数组的</font><font
size="2" face="MS Sans Serif">RVA(</font><font size="2">当然这是另外一个</font><font
color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_THUNK_DATA</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">结构数组</font><font
size="2" face="MS Sans Serif">)</font><font size="2">。 <br>
好了,如果您还在犯糊涂,就朝这边看过来</font><font
size="2" face="MS Sans Serif">: </font><font size="2">现在有几个
</font><font color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_IMPORT_BY_NAME
</b></font><font size="2">结构,同时您又创建了两个结构数组,并同样寸入指向那些
</font><font color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_IMPORT_BY_NAME</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">结构的</font><font
size="2" face="MS Sans Serif">RVAs</font><font size="2">,这样两个数组就包含相同数值了</font><font
size="2" face="MS Sans Serif">(</font><font size="2">可谓相当精确的复制啊</font><font
size="2" face="MS Sans Serif">)</font><font size="2">。
最后您决定将第一个数组的</font><font size="2"
face="MS Sans Serif">RVA</font><font size="2">赋给 </font><font
color="#FFFFCC" size="2" face="MS Sans Serif"><b>OriginalFirstThunk</b></font><font
color="#FFFFCC" size="2"><b>,</b></font><font size="2">第二个数组的</font><font
size="2" face="MS Sans Serif">RVA</font><font size="2">赋给 </font><font
color="#FFFFCC" size="2" face="MS Sans Serif"><b>FirstThunk</b></font><font
size="2">,这样一切都很清楚了。</font></p>
<table border="0" cellspacing="1">
<tr>
<th width="152" bgcolor="#006666"><font size="2"
face="MS Sans Serif">OriginalFirstThunk</font></th>
<th width="58"> </th>
<th width="183" bgcolor="#006666"><font size="2"
face="MS Sans Serif">IMAGE_IMPORT_BY_NAME</font></th>
<th width="27"> </th>
<th width="152" bgcolor="#006666"><font size="2"
face="MS Sans Serif">FirstThunk</font></th>
</tr>
<tr>
<td align="center" width="152"><p align="center">| </p>
</td>
<td align="center" width="58"> </td>
<td align="center" width="183"> </td>
<td align="center" width="27"> </td>
<td align="center" width="152"><font size="2"
face="MS Sans Serif">|</font> </td>
</tr>
<tr>
<td align="center" width="152"><table border="1"
cellpadding="2">
<tr>
<td align="center" bgcolor="#666600"><font
size="2" face="MS Sans Serif">IMAGE_THUNK_DATA</font>
</td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font
size="2" face="MS Sans Serif">IMAGE_THUNK_DATA</font>
</td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font
size="2" face="MS Sans Serif">IMAGE_THUNK_DATA</font>
</td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font
size="2" face="MS Sans Serif">IMAGE_THUNK_DATA</font>
</td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font
size="2" face="MS Sans Serif">...</font> </td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font
size="2" face="MS Sans Serif">IMAGE_THUNK_DATA</font>
</td>
</tr>
</table>
</td>
<td align="center" width="58"><table border="0"
cellpadding="2">
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif">---></font></td>
</tr>
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif">---></font></td>
</tr>
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif">---></font></td>
</tr>
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif">---></font></td>
</tr>
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif">---></font></td>
</tr>
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif">---></font></td>
</tr>
</table>
</td>
<td align="center" width="183"><table border="1"
cellpadding="2">
<tr>
<td align="center" bgcolor="#660066"><font
size="2" face="MS Sans Serif">Function 1</font> </td>
</tr>
<tr>
<td align="center" bgcolor="#660066"><font
size="2" face="MS Sans Serif">Function 2</font> </td>
</tr>
<tr>
<td align="center" bgcolor="#660066"><font
size="2" face="MS Sans Serif">Function 3</font> </td>
</tr>
<tr>
<td align="center" bgcolor="#660066"><font
size="2" face="MS Sans Serif">Function 4 </font></td>
</tr>
<tr>
<td align="center" bgcolor="#660066"><font
size="2" face="MS Sans Serif">...</font> </td>
</tr>
<tr>
<td align="center" bgcolor="#660066"><font
size="2" face="MS Sans Serif">Function n</font> </td>
</tr>
</table>
</td>
<td align="center" width="27"><table border="0"
cellpadding="2">
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif"><---</font></td>
</tr>
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif"><---</font></td>
</tr>
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif"><---</font></td>
</tr>
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif"><---</font></td>
</tr>
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif"><---</font></td>
</tr>
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif"><---</font></td>
</tr>
</table>
</td>
<td align="center" width="152"><table border="1"
cellpadding="2">
<tr>
<td align="center" bgcolor="#666600"><font
size="2" face="MS Sans Serif">IMAGE_THUNK_DATA</font>
</td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font
size="2" face="MS Sans Serif">IMAGE_THUNK_DATA</font>
</td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font
size="2" face="MS Sans Serif">IMAGE_THUNK_DATA</font>
</td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font
size="2" face="MS Sans Serif">IMAGE_THUNK_DATA</font>
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -