📄 importtable.pas
字号:
{******************************************************************************}
{Copyright(C) 2007,Pefine Security Lab }
{All rights reserved. }
{ }
{Abstract:View Win32 PE file information. }
{ }
{Version:1.01 }
{Author:WindRand }
{Date:2007-01-20 }
{******************************************************************************}
unit ImportTable;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, ComCtrls, JwaWinNT, StdCtrls;
type
ThunkList=record
tDll:String;
tRVA:Cardinal;
tValue:Cardinal;
tHint:WORD;
tName:String;
end;
type
TImportTableFrm = class(TForm)
dListView: TListView;
fListView: TListView;
procedure FormShow(Sender: TObject);
procedure FormCreate(Sender: TObject);
procedure dListViewClick(Sender: TObject);
private
procedure FreeHandle(hFile,mFile:Thandle);
function GetSectionHeader(tRVA:DWORD;ImageNTHeaders:PImageNtHeaders):PImageSectionHeader;
public
{ Public declarations }
end;
var
ImportTableFrm: TImportTableFrm;
tList:array of ThunkList;
implementation
uses Main;
{$R *.dfm}
procedure TImportTableFrm.FormShow(Sender: TObject);
begin
With ImportTableFrm do
begin
Left:=(Screen.Width div 2)-(Width div 2);
Top:=(Screen.Height div 2)-(Height div 2);
end;
end;
procedure TImportTableFrm.FreeHandle(hFile,mFile:Thandle);
begin
CloseHandle(hFile);
CloseHandle(mFile);
end;
function TImportTableFrm.GetSectionHeader(tRVA:DWORD;ImageNTHeaders:PImageNtHeaders):PImageSectionHeader;
var
ImageSection:PImageSectionHeader;
i:integer;
begin
ImageSection:=pImageSectionHeader(longword(ImageNTHeaders)+sizeof(TImageNtHeaders));
for i:=0 to ImageNTHeaders.FileHeader.NumberOfSections-1 do
begin
if (tRVA>=LongWord(ImageSection.VirtualAddress)) and
(tRVA<LongWord(ImageSection.VirtualAddress + ImageSection.Misc.VirtualSize)) then
begin
Result:=ImageSection;
Exit;
end;
Inc(ImageSection);
end;
Result:=nil;
end;
procedure TImportTableFrm.FormCreate(Sender: TObject);
var
ImageDosHeader:PIMAGEDOSHEADER;
ImageNTHeaders:PIMAGENTHEADERS;
ImageSectionHeader:PIMAGESECTIONHEADER;
ImageImport:PImageImportDecriptor;
vByName:PImageImportByName;
hFile,mFile:THandle;
hView:Pointer;
vBase,vImport:LongWord;
tRVA,i,j:Integer;
vThunk:PImageThunkData;
FunctionName:String;
DllName:String;
Item:TListItem;
begin
i:=0;j:=0;
hFile:=CreateFile(PChar(MainFrm.PublicFileNameStr),GENERIC_READ,FILE_SHARE_READ,nil,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
if hFile=INVALID_HANDLE_VALUE then
begin
MessageBox(Handle,'Open file error!','Information',MB_OK+MB_ICONERROR);
CloseHandle(hFile);
Exit;
end;
mFile:=CreateFileMapping(hFile,nil,PAGE_READONLY,0,0,nil);
if mFile=0 then
begin
MessageBox(Handle,'Cannot open the file for memory mapping!','Information',MB_OK+MB_ICONERROR);
CloseHandle(hFile);
Exit;
end;
hView:=MapViewOfFile(mFile,FILE_MAP_READ,0,0,0);
if hView=nil then
begin
MessageBox(Handle,'Cannot map the file into memory!','Information',MB_OK+MB_ICONERROR);
FreeHandle(hFile,mFile);
Exit;
end;
ImageDosHeader:=PImageDosHeader(hView);
if ImageDosHeader.e_magic<>IMAGE_DOS_SIGNATURE then
begin
MessageBox(Handle,'This file is not a valid PE!','Information',MB_OK+MB_ICONERROR);
FreeHandle(hFile,mFile);
Exit;
end;
vBase:=LongWord(ImageDosHeader);
ImageNTHeaders:=PIMAGENTHEADERS(vBase+LongWord(ImageDosHeader.e_lfanew));
if ImageNTHeaders.Signature<>IMAGE_NT_SIGNATURE then
begin
MessageBox(Handle,'This file is not a valid PE。','Information',MB_OK+MB_ICONINFORMATION);
FreeHandle(hFile,mFile);
Exit;
end;
vImport:=ImageNTHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
if vImport=0 then
begin
FreeHandle(hFile,mFile);
Exit;
end;
ImageSectionHeader:=GetSectionHeader(vImport,ImageNTHeaders);
if ImageSectionHeader=nil then
begin
FreeHandle(hFile,mFile);
Exit;
end;
//Calculate dll
tRVA:=Integer(ImageSectionHeader.VirtualAddress-ImageSectionHeader.PointerToRawData);
ImageImport:=PImageImportDecriptor(PChar(vImport)-tRVA+vBase);
while ImageImport.Name<>0 do
begin
if ImageImport.Union.OriginalFirstThunk<>0 then
vThunk:=PImageThunkData(ImageImport.Union.OriginalFirstThunk)
else
vThunk:=PImageThunkData(ImageImport.FirstThunk);
vThunk:=PImageThunkData(Pchar(vThunk)-tRVA+vBase);
while vThunk.AddressOfData<>0 do
begin
i:=i+1;
Inc(vThunk);
end;
Inc(ImageImport);
end;
//Read all functions
tRVA:=Integer(ImageSectionHeader.VirtualAddress-ImageSectionHeader.PointerToRawData);
ImageImport:=PImageImportDecriptor(PChar(vImport)-tRVA+vBase);
SetLength(tList,i);
//Read import table
while ImageImport.Name<>0 do
begin
DllName:=Format('%s',[PChar(ImageImport.Name)-tRVA+vBase]);
if ImageImport.Union.OriginalFirstThunk<>0 then
vThunk:=PImageThunkData(ImageImport.Union.OriginalFirstThunk)
else
vThunk:=PImageThunkData(ImageImport.FirstThunk);
vThunk:=PImageThunkData(Pchar(vThunk)-tRVA+vBase);
//Read Dll list
Item:=dListView.Items.Insert(dListView.Items.Count);
Item.Caption:=DllName;
Item.SubItems.Add(IntToHex(ImageImport.Union.OriginalFirstThunk,8));
Item.SubItems.Add(IntToHex(ImageImport.TimeDateStamp,8));
Item.SubItems.Add(IntToHex(ImageImport.ForwarderChain,8));
Item.SubItems.Add(IntToHex(ImageImport.Name,8));
Item.SubItems.Add(IntToHex(ImageImport.FirstThunk,8));
//继续读取此Dll直到为空
while vThunk.AddressOfData<>0 do
begin
//如果高位为1时是按序号的方式导入
if (vThunk.Ordinal and $80000000)<>0 then
begin
tList[j].tDll:=DllName;
tList[j].tRVA:=DWORD(vThunk)+tRVA-vBase;
tList[j].tValue:=vThunk.AddressOfData;
tList[j].tHint:=0;
tList[j].tName:=Format('%-4d',[vThunk.AddressOfData and $7FFFFFFF]);
end
else
begin
//如果高位为0时是按函数名的方式导入
vByName:=pImageImportByName(vThunk.AddressOfData);
vByName:=pImageImportByName(PChar(vByName)-tRVA+vBase);
FunctionName:=PChar(@vByname.Name);
tList[j].tDll:=DllName;
tList[j].tRVA:=DWORD(vThunk)+tRVA-vBase;
tList[j].tValue:=vThunk.AddressOfData;
tList[j].tHint:=vByName.Hint;
tList[j].tName:=FunctionName;
end;
Inc(vThunk);
j:=j+1;
end;
Inc(ImageImport);
end;
UnmapViewOfFile(hView);
FreeHandle(hFile,mFile);
end;
procedure TImportTableFrm.dListViewClick(Sender: TObject);
var
fName:String;
Item:TListItem;
i:Integer;
begin
if dListView.ItemIndex<0 then
Exit;
fListView.Items.Clear;
fName:=dListView.Selected.Caption;
for i:=0 to Length(tList)-1 do
begin
if fName=tList[i].tDll then
begin
Item:=fListView.Items.Insert(fListView.Items.Count);
Item.Caption:=IntToHex(tList[i].tRVA,8);
Item.SubItems.Add(IntToHex(tList[i].tValue,8));
Item.SubItems.Add(IntToHex(tList[i].tHint,4));
Item.SubItems.Add(tList[i].tName);
end;
end;
end;
end.
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -