    <li><font size="2">转至数据目录的第二个成员提取其</font><font
        color="#FFFFCC" size="2" face="MS Sans Serif"><b>VirtualAddress</b></font><font
        size="2">值。</font></li>
    <li><font size="2">利用上值定位第一个 </font><font
        color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_IMPORT_DESCRIPTOR</b></font><font
        size="2" face="MS Sans Serif"> </font><font size="2">结构。</font></li>
    <li><font size="2">检查 </font><font color="#FFFFCC"
        size="2" face="MS Sans Serif"><b>OriginalFirstThunk</b></font><font
        size="2">值。若不为</font><font size="2"
        face="MS Sans Serif">0</font><font size="2">,顺着 </font><font
        color="#FFFFCC" size="2" face="MS Sans Serif"><b>OriginalFirstThunk</b></font><font
        size="2" face="MS Sans Serif"> </font><font size="2">里的</font><font
        size="2" face="MS Sans Serif">RVA</font><font size="2">值转入那个</font><font
        size="2" face="MS Sans Serif">RVA</font><font size="2">数组。若
        </font><font color="#FFFFCC" size="2"
        face="MS Sans Serif"><b>OriginalFirstThunk</b></font><font
        size="2" face="MS Sans Serif"> </font><font size="2">为</font><font
        size="2" face="MS Sans Serif">0</font><font size="2">,就改用</font><font
        color="#FFFFCC" size="2" face="MS Sans Serif"><b>FirstThunk</b></font><font
        size="2">值。有些连接器生成</font><font size="2"
        face="MS Sans Serif">PE</font><font size="2">文件时会置</font><font
        color="#FFFFCC" size="2" face="MS Sans Serif"><b>OriginalFirstThunk</b></font><font
        size="2">值为</font><font size="2" face="MS Sans Serif">0</font><font
        size="2">,这应该算是个</font><font size="2"
        face="MS Sans Serif">bug</font><font size="2">。不过为了安全起见,我们还是检查
        </font><font color="#FFFFCC" size="2"
        face="MS Sans Serif"><b>OriginalFirstThunk</b></font><font
        size="2">值先。</font></li>
    <li><font size="2">对于每个数组元素,我们用</font><font
        color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_ORDINAL_FLAG32</b></font><font
        size="2"> 对元素值做按位与测试(而不是判断两者是否相等)。如果该元素值的最高二进位为</font><font
        size="2" face="MS Sans Serif">1</font><font size="2">,
        那么函数是由序数引入的,序数保存在该值的低16位(低字)中,高位部分应当忽略。</font></li>
    <li><font size="2">如果元素值的最高二进位为</font><font
        size="2" face="MS Sans Serif">0</font><font size="2">,就可将该值作为</font><font
        size="2" face="MS Sans Serif">RVA</font><font size="2">转入
        </font><font color="#CCFFCC" size="2"
        face="MS Sans Serif"><b>IMAGE_IMPORT_BY_NAME</b></font><font
        size="2"> 数组,跳过 </font><font color="#FFFFCC"
        size="2" face="MS Sans Serif"><b>Hint</b></font><font
        size="2" face="MS Sans Serif"> </font><font size="2">就是函数名字了。</font></li>
    <li><font size="2">再跳至下一个数组元素提取函数名一直到数组底部</font><font
        size="2" face="MS Sans Serif">(</font><font size="2">它以</font><font
        size="2" face="MS Sans Serif">null</font><font size="2">结尾</font><font
        size="2" face="MS Sans Serif">)</font><font size="2">。现在我们已遍历完一个</font><font
        size="2" face="MS Sans Serif">DLL</font><font size="2">的引入函数,接下去处理下一个</font><font
        size="2" face="MS Sans Serif">DLL</font><font size="2">。</font></li>
    <li><font size="2">即跳转到下一个 </font><font
        color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_IMPORT_DESCRIPTOR</b></font><font
        size="2" face="MS Sans Serif"> </font><font size="2">并处理之,如此这般循环直到数组见底。</font><font
        size="2" face="MS Sans Serif">(</font><font
        color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_IMPORT_DESCRIPTOR</b></font><font
        size="2" face="MS Sans Serif"> </font><font size="2">数组以一个全</font><font
        size="2" face="MS Sans Serif">0</font><font size="2">域元素结尾</font><font
        size="2" face="MS Sans Serif">)</font><font size="2">。</font></li>
</ol>

<h3>示例<font face="Arial, Helvetica, sans-serif">:</font></h3>

<p><font size="2">本例程打开一</font><font size="2"
face="MS Sans Serif">PE</font><font size="2">文件,将所有引入函数名读入一编辑控件,同时显示
</font><font color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_IMPORT_DESCRIPTOR</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">结构各域值。</font></p>

<p><font size="2">注意:例程只在检查 MZ/PE 签名的那一小段代码周围安装了 SEH 帧,并且在 FinalExit 处先把该帧从 fs:[0] 链上卸下,然后才调用 ShowTheFunctions。也就是说,遍历引入表时对数据目录的 VirtualAddress、IMAGE_IMPORT_DESCRIPTOR 以及各 thunk 数组中 RVA 的解引用并不受这个异常处理保护,一个畸形的或刻意构造的 PE 文件仍可能使程序崩溃;此外 SEHHandler 不检查异常代码,会把帧有效期内发生的任何异常一律当作"不是有效 PE"处理。实际工具应在解引用之前把 e_lfanew 以及每个 RVA 对应的文件偏移与映射文件的大小做边界校验,而不是只依赖 SEH 兜底。</font></p>

<p><font face="Fixedsys">.386 ; 80386 instruction set, 32-bit code <br>
.model flat,stdcall ; flat 32-bit memory model; stdcall is the Win32 API calling convention <br>
option casemap:none ; identifiers are case-sensitive <br>
include \masm32\include\windows.inc ; Win32 constants and structures used below (OPENFILENAME, IMAGE_DOS_HEADER, IMAGE_NT_HEADERS, CONTEXT) <br>
include \masm32\include\kernel32.inc <br>
include \masm32\include\comdlg32.inc <br>
include \masm32\include\user32.inc <br>
includelib \masm32\lib\user32.lib <br>
includelib \masm32\lib\kernel32.lib <br>
includelib \masm32\lib\comdlg32.lib <br>
; resource ids; the resource script that defines the dialog and menu is not part of this listing <br>
IDD_MAINDLG equ 101 ; main dialog <br>
IDC_EDIT equ 1000 ; edit control that receives the import listing <br>
IDM_OPEN equ 40001 ; menu item: pick a PE file and dump its imports <br>
IDM_EXIT equ 40003 ; menu item: close the dialog <br>
<br>
DlgProc proto :DWORD,:DWORD,:DWORD,:DWORD ; dialog procedure (hDlg, uMsg, wParam, lParam) <br>
ShowImportFunctions proto :DWORD ; (hDlg) open, map and validate the chosen file, then show its imports <br>
ShowTheFunctions proto :DWORD,:DWORD ; (hDlg, pointer to IMAGE_NT_HEADERS) walks the import table; defined later in the listing <br>
AppendText proto :DWORD,:DWORD ; (hDlg, text) presumably appends text to the edit control; body not shown in this excerpt <br>
<br>
SEH struct ; frame-based exception registration record plus the state SEHHandler needs to unwind <br>
PrevLink dd ? ; the address of the previous seh structure (head of the fs:[0] chain when the frame is installed) <br>
CurrentHandler dd ? ; the address of the new exception handler (SEHHandler) <br>
SafeOffset dd ? ; The offset where it's safe to continue
execution (FinalExit in ShowImportFunctions) <br>
PrevEsp dd ? ; the old value in esp <br>
PrevEbp dd ? ; The old value in ebp <br>
SEH ends <br>
<br>
.data <br>
AppName db &quot;PE tutorial no.6&quot;,0 ; message-box caption <br>
ofn OPENFILENAME <> ; filled in by ShowImportFunctions right before GetOpenFileName <br>
FilterString db &quot;Executable Files (*.exe,
*.dll)&quot;,0,&quot;*.exe;*.dll&quot;,0 ; open-dialog filter: description/pattern pairs <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
db &quot;All Files&quot;,0,&quot;*.*&quot;,0,0 ; the extra 0 (double NUL) terminates the filter list <br>
FileOpenError db &quot;Cannot open the file for reading&quot;,0 ; error texts for the open/map steps; the code that displays them is outside this excerpt <br>
FileOpenMappingError db &quot;Cannot open the file for memory
mapping&quot;,0 <br>
FileMappingError db &quot;Cannot map the file into memory&quot;,0
<br>
NotValidPE db &quot;This file is not a valid PE&quot;,0 ; shown when the MZ/PE signature check fails or SEHHandler fires <br>
CRLF db 0Dh,0Ah,0 <br>
ImportDescriptor db 0Dh,0Ah,&quot;================[
IMAGE_IMPORT_DESCRIPTOR ]=============&quot;,0 ; banner printed before each descriptor <br>
IDTemplate db &quot;OriginalFirstThunk = %lX&quot;,0Dh,0Ah ; printf-style template for one IMAGE_IMPORT_DESCRIPTOR (Name is formatted with %s, so its RVA must be resolved to a pointer first) <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; db
&quot;TimeDateStamp = %lX&quot;,0Dh,0Ah <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; db
&quot;ForwarderChain = %lX&quot;,0Dh,0Ah <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; db
&quot;Name = %s&quot;,0Dh,0Ah <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; db
&quot;FirstThunk = %lX&quot;,0 ; no trailing CRLF here: NameHeader starts with its own <br>
NameHeader db 0Dh,0Ah,&quot;Hint Function&quot;,0Dh,0Ah ; column header for the per-DLL function list <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; db
&quot;-----------------------------------------&quot;,0 <br>
NameTemplate db &quot;%u %s&quot;,0 ; import by name: hint, then function name <br>
OrdinalTemplate db &quot;%u (ord.)&quot;,0 ; import by ordinal: no name is available <br>
<br>
.data? <br>
buffer db 512 dup(?) ; path chosen in the open dialog; ofn.nMaxFile is set to 512 to match <br>
hFile dd ? ; handle from CreateFile <br>
hMapping dd ? ; handle from CreateFileMapping <br>
pMapping dd ? ; base address of the read-only file view <br>
ValidPE dd ? ; TRUE once the MZ and PE signatures have been verified; SEHHandler forces it back to FALSE <br>
<br>
.code <br>
start: ; program entry: the whole UI is one modal dialog <br>
invoke GetModuleHandle,NULL <br>
invoke DialogBoxParam, eax, IDD_MAINDLG,NULL,addr DlgProc, 0 <br>
invoke ExitProcess, 0 <br>
<br>
DlgProc proc hDlg:DWORD, uMsg:DWORD, wParam:DWORD, lParam:DWORD ; dialog procedure; returns TRUE when the message was handled, FALSE to let the default handling run <br>
.if uMsg==WM_INITDIALOG <br>
&nbsp; invoke
SendDlgItemMessage,hDlg,IDC_EDIT,EM_SETLIMITTEXT,0,0 ; per the EM_SETLIMITTEXT documentation a limit of 0 selects the maximum, so a long import list is not truncated <br>
.elseif uMsg==WM_CLOSE <br>
&nbsp; invoke EndDialog,hDlg,0 <br>
.elseif uMsg==WM_COMMAND <br>
&nbsp; .if lParam==0 ; lParam is 0 for menu/accelerator commands and a control handle for control notifications <br>
&nbsp;&nbsp;&nbsp; mov eax,wParam <br>
&nbsp;&nbsp;&nbsp; .if ax==IDM_OPEN ; the command id is the low word of wParam <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; invoke ShowImportFunctions,hDlg <br>
&nbsp;&nbsp;&nbsp; .else ; IDM_EXIT (only two ids are defined, so any other id also ends up here) <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; invoke
SendMessage,hDlg,WM_CLOSE,0,0 ; route through WM_CLOSE so EndDialog is the single exit path <br>
&nbsp;&nbsp;&nbsp; .endif <br>
&nbsp;&nbsp;.endif <br>
.else <br>
&nbsp; mov eax,FALSE ; unhandled message <br>
&nbsp;&nbsp;ret <br>
.endif <br>
mov eax,TRUE <br>
ret <br>
DlgProc endp <br>
<br>
SEHHandler proc uses edx pExcept:DWORD, pFrame:DWORD,
pContext:DWORD, pDispatch:DWORD ; frame-based handler installed by ShowImportFunctions around the MZ/PE signature checks; it never looks at the exception code, so any exception raised while the frame is live is swallowed, the thread is rewound to SafeOffset (FinalExit) with the saved esp/ebp, and the file is reported as not a valid PE. The frame is unlinked at FinalExit before ShowTheFunctions runs, so the import-table walk is NOT covered by it <br>
&nbsp;&nbsp;mov edx,pFrame ; pFrame is the SEH structure we linked at fs:[0] <br>
&nbsp;&nbsp;assume edx:ptr SEH <br>
&nbsp;&nbsp;mov eax,pContext ; thread context captured at the fault; we patch it and resume <br>
&nbsp;&nbsp;assume eax:ptr CONTEXT <br>
&nbsp;&nbsp;push [edx].SafeOffset <br>
&nbsp;&nbsp;pop [eax].regEip ; resume at FinalExit <br>
&nbsp;&nbsp;push [edx].PrevEsp <br>
&nbsp;&nbsp;pop [eax].regEsp ; restore the stack pointer saved right after the frame was installed <br>
&nbsp;&nbsp;push [edx].PrevEbp <br>
&nbsp;&nbsp;pop [eax].regEbp ; restore the frame pointer so the procedure's locals (seh, hDlg) are addressable again <br>
&nbsp;&nbsp;mov ValidPE, FALSE ; tell FinalExit that parsing failed <br>
&nbsp;&nbsp;mov eax,ExceptionContinueExecution ; ask the dispatcher to continue with the modified context <br>
&nbsp;&nbsp;ret <br>
SEHHandler endp <br>
<br>
ShowImportFunctions proc uses edi hDlg:DWORD <br>
&nbsp;&nbsp;LOCAL seh:SEH <br>
&nbsp;&nbsp;mov ofn.lStructSize,SIZEOF <br>
&nbsp; ofn mov ofn.lpstrFilter, OFFSET FilterString <br>
&nbsp; mov ofn.lpstrFile, OFFSET buffer <br>
&nbsp; mov ofn.nMaxFile,512 <br>
&nbsp; mov ofn.Flags, OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST or
OFN_LONGNAMES or OFN_EXPLORER or OFN_HIDEREADONLY <br>
&nbsp;&nbsp;invoke GetOpenFileName, ADDR ofn <br>
&nbsp; .if eax==TRUE <br>
&nbsp;&nbsp;&nbsp; invoke CreateFile, addr buffer, GENERIC_READ,
FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL
<br>
&nbsp;&nbsp;&nbsp; .if eax!=INVALID_HANDLE_VALUE <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov hFile, eax <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; invoke CreateFileMapping, hFile,
NULL, PAGE_READONLY,0,0,0 <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .if eax!=NULL <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov hMapping, eax <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; invoke
MapViewOfFile,hMapping,FILE_MAP_READ,0,0,0 <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .if eax!=NULL <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov
pMapping,eax <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; assume
fs:nothing <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push
fs:[0] <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; pop
seh.PrevLink <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov
seh.CurrentHandler,offset SEHHandler <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov
seh.SafeOffset,offset FinalExit <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; lea
eax,seh <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov
fs:[0], eax <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov
seh.PrevEsp,esp <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov
seh.PrevEbp,ebp <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov edi,
pMapping <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; assume
edi:ptr IMAGE_DOS_HEADER <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .if
[edi].e_magic==IMAGE_DOS_SIGNATURE <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
add edi, [edi].e_lfanew <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
assume edi:ptr IMAGE_NT_HEADERS <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
.if [edi].Signature==IMAGE_NT_SIGNATURE <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov
ValidPE, TRUE <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;.else
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov ValidPE, FALSE <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
.endif <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .else <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov ValidPE,FALSE <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .endif <br>
FinalExit: <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push
seh.PrevLink <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; pop fs:[0]
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .if
ValidPE==TRUE <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
invoke ShowTheFunctions, hDlg, edi <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .else <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
invoke MessageBox,0, addr NotValidPE, addr AppName,
