📄 lion-petut-c06.htm
字号:
MB_OK+MB_ICONERROR <br>
.endif
<br>
invoke
UnmapViewOfFile, pMapping <br>
.else <br>
invoke
MessageBox, 0, addr FileMappingError, addr AppName,
MB_OK+MB_ICONERROR <br>
.endif <br>
invoke CloseHandle,hMapping <br>
.else <br>
invoke MessageBox, 0, addr
FileOpenMappingError, addr AppName, MB_OK+MB_ICONERROR <br>
.endif <br>
invoke CloseHandle, hFile <br>
.else <br>
invoke MessageBox, 0, addr FileOpenError, addr
AppName, MB_OK+MB_ICONERROR <br>
.endif <br>
.endif <br>
ret <br>
ShowImportFunctions endp <br>
<br>
AppendText proc hDlg:DWORD,pText:DWORD <br>
invoke
SendDlgItemMessage,hDlg,IDC_EDIT,EM_REPLACESEL,0,pText <br>
invoke
SendDlgItemMessage,hDlg,IDC_EDIT,EM_REPLACESEL,0,addr CRLF <br>
invoke
SendDlgItemMessage,hDlg,IDC_EDIT,EM_SETSEL,-1,0 <br>
ret <br>
AppendText endp <br>
<br>
RVAToOffset PROC uses edi esi edx ecx pFileMap:DWORD,RVA:DWORD <br>
mov esi,pFileMap <br>
assume esi:ptr IMAGE_DOS_HEADER <br>
add esi,[esi].e_lfanew <br>
assume esi:ptr IMAGE_NT_HEADERS <br>
mov edi,RVA ; edi == RVA <br>
mov edx,esi <br>
add edx,sizeof IMAGE_NT_HEADERS <br>
mov cx,[esi].FileHeader.NumberOfSections <br>
movzx ecx,cx <br>
assume edx:ptr IMAGE_SECTION_HEADER <br>
.while ecx>0 ; check all sections <br>
.if edi>=[edx].VirtualAddress <br>
mov eax,[edx].VirtualAddress
<br>
add eax,[edx].SizeOfRawData <br>
.if edi<eax ; The address
is in this section <br>
mov
eax,[edx].VirtualAddress <br>
sub edi,eax<br>
mov
eax,[edx].PointerToRawData <br>
add eax,edi ;
eax == file offset <br>
ret <br>
.endif <br>
.endif <br>
add edx,sizeof IMAGE_SECTION_HEADER <br>
dec ecx <br>
.endw <br>
assume edx:nothing <br>
assume esi:nothing <br>
mov eax,edi <br>
ret <br>
RVAToOffset endp <br>
<br>
ShowTheFunctions proc uses esi ecx ebx hDlg:DWORD, pNTHdr:DWORD <br>
LOCAL temp[512]:BYTE <br>
invoke SetDlgItemText,hDlg,IDC_EDIT,0 <br>
invoke AppendText,hDlg,addr buffer <br>
mov edi,pNTHdr <br>
assume edi:ptr IMAGE_NT_HEADERS <br>
mov edi, [edi].OptionalHeader.DataDirectory[sizeof
IMAGE_DATA_DIRECTORY].VirtualAddress <br>
invoke RVAToOffset,pMapping,edi <br>
mov edi,eax <br>
add edi,pMapping <br>
assume edi:ptr IMAGE_IMPORT_DESCRIPTOR <br>
.while !([edi].OriginalFirstThunk==0 &&
[edi].TimeDateStamp==0 && [edi].ForwarderChain==0
&& [edi].Name1==0 && [edi].FirstThunk==0) <br>
invoke AppendText,hDlg,addr
ImportDescriptor <br>
invoke RVAToOffset,pMapping, [edi].Name1
<br>
mov edx,eax <br>
add edx,pMapping <br>
invoke wsprintf, addr temp, addr
IDTemplate, [edi].OriginalFirstThunk,[edi].TimeDateStamp,[edi].ForwarderChain,edx,[edi].FirstThunk
invoke AppendText,hDlg,addr temp <br>
.if [edi].OriginalFirstThunk==0 <br>
mov
esi,[edi].FirstThunk <br>
.else <br>
mov
esi,[edi].OriginalFirstThunk <br>
.endif <br>
invoke RVAToOffset,pMapping,esi <br>
add eax,pMapping <br>
mov esi,eax <br>
invoke AppendText,hDlg,addr NameHeader <br>
.while dword ptr [esi]!=0 <br>
test dword ptr
[esi],IMAGE_ORDINAL_FLAG32 <br>
jnz ImportByOrdinal <br>
invoke
RVAToOffset,pMapping,dword ptr [esi] <br>
mov edx,eax <br>
add edx,pMapping <br>
assume edx:ptr
IMAGE_IMPORT_BY_NAME <br>
mov cx, [edx].Hint <br>
movzx ecx,cx <br>
invoke wsprintf,addr
temp,addr NameTemplate,ecx,addr [edx].Name1 <br>
jmp ShowTheText <br>
ImportByOrdinal: <br>
mov edx,dword ptr [esi] <br>
and edx,0FFFFh <br>
invoke wsprintf,addr
temp,addr OrdinalTemplate,edx <br>
ShowTheText: <br>
invoke AppendText,hDlg,addr
temp <br>
add esi,4 <br>
.endw <br>
add edi,sizeof IMAGE_IMPORT_DESCRIPTOR <br>
.endw <br>
ret <br>
ShowTheFunctions endp <br>
end start </font></p>
<h3>分析<font face="Arial, Helvetica, sans-serif">:</font></h3>
<p><font size="2">本例中,用户点击打开菜单显示文件打开对话框,检验文件的</font><font
size="2" face="MS Sans Serif">PE</font><font size="2">有效性后调用
</font><font color="#CC9900" size="2" face="MS Sans Serif"><b>ShowTheFunctions</b></font><font
size="2">。</font></p>
<p><font face="Fixedsys">ShowTheFunctions proc uses esi ecx ebx
hDlg:DWORD, pNTHdr:DWORD <br>
LOCAL temp[512]:BYTE </font></p>
<p><font size="2">保留</font><font size="2"
face="MS Sans Serif">512</font><font size="2">字节堆栈空间用于字符串操作。</font></p>
<p><font face="Fixedsys"> invoke
SetDlgItemText,hDlg,IDC_EDIT,0 </font></p>
<p><font size="2">清除编辑控件内容。</font></p>
<p><font face="Fixedsys"> invoke AppendText,hDlg,addr
buffer </font></p>
<p><font size="2">将</font><font size="2" face="MS Sans Serif">PE</font><font
size="2">文件名插入编辑控件。 </font><font
color="#CC9900" size="2" face="MS Sans Serif"><b>AppendText </b></font><font
size="2">通过传递一个 </font><font color="#CCFFCC" size="2"
face="MS Sans Serif"><b>EM_REPLACESEL </b></font><font size="2">消息以通知向编辑控件添加文本。然后它又向编辑控件发送一个设置了
</font><font size="2" face="MS Sans Serif">wParam=-1</font><font
size="2">和</font><font size="2" face="MS Sans Serif">lParam=0</font><font
size="2">的</font><font color="#CCFFCC" size="2"
face="MS Sans Serif"><b>EM_SETSEL</b></font><font size="2"
face="MS Sans Serif"> </font><font size="2">消息,使光标定位到文本末。</font></p>
<p><font face="Fixedsys"> mov edi,pNTHdr <br>
assume edi:ptr IMAGE_NT_HEADERS <br>
mov edi, [edi].OptionalHeader.DataDirectory[sizeof
IMAGE_DATA_DIRECTORY].VirtualAddress </font></p>
<p><font size="2">获取</font><font size="2"
face="MS Sans Serif">import symbols</font><font size="2">的</font><font
size="2" face="MS Sans Serif">RVA</font><font size="2">。</font><font
size="2" face="MS Sans Serif">edi</font><font size="2">起初指向
</font><font size="2" face="MS Sans Serif">PE header</font><font
size="2">,以此我们可以定位到数据目录数组的第二个数组元素来得到虚拟地址值。</font></p>
<p><font face="Fixedsys"> invoke
RVAToOffset,pMapping,edi <br>
mov edi,eax <br>
add edi,pMapping </font></p>
<p><font size="2" face="MS Sans Serif">这儿对PE编程初学者来说可能有点困难。在PE文件中大多数地址多是RVAs 而
</font><font color="#FF6666" size="2"
face="MS Sans Serif"><b>RVAs</b></font><font color="#FF6666"
size="2"><b>只有当</b></font><font color="#FF6666" size="2"
face="MS Sans Serif"><b>PE</b></font><font color="#FF6666"
size="2"><b>文件被</b></font><font color="#FF6666" size="2"
face="MS Sans Serif"><b>PE</b></font><font color="#FF6666"
size="2"><b>装载器装入内存后才有意义。</b></font><font
size="2" face="MS Sans Serif"> 本例中,我们直接将文件映射到内存而不是通过PE装载器载入,因此我们不能直接使用那些RVAs。必须先将那些RVAs转换成文件偏移量,RVAToOffset函数就起到这个作用。
这里不准备详细分析。指出的是,它还将给定的RVA和PE文件所有节的始末RVA作比较(检验RVA的有效性),然后通过</font><font
color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_SECTION_HEADER</b></font><font
size="2" face="MS Sans Serif"> 结构中的</font><font
color="#FFFFCC" size="2" face="MS Sans Serif"><b>PointerToRawData</b></font><font
size="2" face="MS Sans Serif">域(当然是所在节的那个</font><font
color="#FFFFCC" size="2" face="MS Sans Serif"><b>PointerToRawData</b></font><font
size="2" face="MS Sans Serif">域啦</font><font
size="2" face="MS Sans Serif">)将RVA转换成文件偏移量。<br>
函数使用需要传递两个参数: 内存映射文件指针和所要转换的RVA。eax里返回文件偏移量。上面代码中,我们必须将文件偏移量加上内存映射文件指针以转换成虚拟地址。是不是有点复杂?
:)</font></p>
<p><font face="Fixedsys"> assume edi:ptr
IMAGE_IMPORT_DESCRIPTOR <br>
.while !([edi].OriginalFirstThunk==0 &&
[edi].TimeDateStamp==0 && [edi].ForwarderChain==0
&& [edi].Name1==0 && [edi].FirstThunk==0) </font></p>
<p><font size="2" face="MS Sans Serif">edi</font><font size="2">现在指向第一个
</font><font color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_IMPORT_DESCRIPTOR</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">结构。接下来我们遍历整个结构数组直到遇上一个全</font><font
size="2" face="MS Sans Serif">0</font><font size="2">结构,这就是数组末尾了。</font></p>
<p><font face="Fixedsys"> invoke
AppendText,hDlg,addr ImportDescriptor<br>
invoke RVAToOffset,pMapping, [edi].Name1
<br>
mov edx,eax <br>
add edx,pMapping </font></p>
<p><font size="2">我们要显示当前 </font><font
color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_IMPORT_DESCRIPTOR</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">结构的值。</font><font
size="2" face="MS Sans Serif">Name1 </font><font size="2">不同于其他结构成员,它含有指向相关</font><font
size="2" face="MS Sans Serif">dll</font><font size="2">名的</font><font
size="2" face="MS Sans Serif">RVA</font><font size="2">。因此必须先将其转换成虚拟地址。</font></p>
<p><font face="Fixedsys"> invoke
wsprintf, addr temp, addr IDTemplate, [edi].OriginalFirstThunk,[edi].TimeDateStamp,[edi].ForwarderChain,edx,[edi].FirstThunk
invoke AppendText,hDlg,addr temp </font></p>
<p><font size="2">显示当前 </font><font color="#CCFFCC"
size="2" face="MS Sans Serif"><b>IMAGE_IMPORT_DESCRIPTOR</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">结构的值。</font></p>
<p><font face="Fixedsys"> .if
[edi].OriginalFirstThunk==0 <br>
mov
esi,[edi].FirstThunk <br>
.else <br>
mov
esi,[edi].OriginalFirstThunk <br>
.endif </font></p>
<p><font size="2">接下来准备遍历 </font><font
color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_THUNK_DATA</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">数组。通常我们会选择</font><font
color="#FFFFCC" size="2" face="MS Sans Serif"><b>OriginalFirstThunk</b></font><font
size="2">指向的那个数组,不过,如果某些连接器错误地将</font><font
co⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -