<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif">&lt;---</font></td>
</tr>
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif">&lt;---</font></td>
</tr>
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif">&lt;---</font></td>
</tr>
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif">&lt;---</font></td>
</tr>
</table>
</td>
<td align="center" width="152">
<table border="1"
cellpadding="2">
<tr>
<td align="center" bgcolor="#666600"><font size="2" face="MS Sans Serif" color="#FFFFFF">IMAGE_THUNK_DATA</font>
</td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font size="2" face="MS Sans Serif" color="#FFFFFF">IMAGE_THUNK_DATA</font>
</td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font size="2" face="MS Sans Serif" color="#FFFFFF">IMAGE_THUNK_DATA</font>
</td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font size="2" face="MS Sans Serif" color="#FFFFFF">IMAGE_THUNK_DATA</font>
</td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font size="2" face="MS Sans Serif" color="#FFFFFF">...</font>
</td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font size="2" face="MS Sans Serif" color="#FFFFFF">IMAGE_THUNK_DATA</font>
</td>
</tr>
</table>
</td>
</tr>
</table>
<p><font size="2" color="#000000">By now you should see what I mean. Don't be confused by the name </font><font color="#000000" size="2" face="MS Sans Serif"><b>IMAGE_THUNK_DATA</b></font><font size="2" color="#000000">:
it is merely an RVA pointing to an </font><font color="#000000" size="2" face="MS Sans Serif"><b>IMAGE_IMPORT_BY_NAME</b></font><font size="2" color="#000000"> structure.
If you read </font><font color="#000000" size="2" face="MS Sans Serif"><b>IMAGE_THUNK_DATA</b></font><font size="2" color="#000000"> as "RVA", it becomes easier to follow.
The size of the two arrays pointed to by </font><font color="#000000" size="2" face="MS Sans Serif"><b>OriginalFirstThunk</b></font><font size="2" color="#000000"> and </font><font color="#000000" size="2" face="MS Sans Serif"><b>FirstThunk</b></font><font size="2" color="#000000"> depends on the number of functions the PE file imports from the DLL.
For example, if the PE file imports 10 functions from kernel32.dll, then the </font><font color="#000000" size="2" face="MS Sans Serif"><b>Name1</b></font><font size="2" color="#000000"> field of the </font><font color="#000000" size="2" face="MS Sans Serif"><b>IMAGE_IMPORT_DESCRIPTOR</b></font><font size="2" color="#000000"> structure contains the RVA of the string "kernel32.dll",
and each </font><font color="#000000" size="2" face="MS Sans Serif"><b>IMAGE_THUNK_DATA</b></font><font size="2" color="#000000"> array has 10 elements.</font></p>
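<p><font size="2" color="#000000">The layout described above, and the loader's overwrite of the FirstThunk array, as an added example that is not part of the original tutorial. It assumes a 32-bit image already mapped so that RVA equals offset and imports by name only; the helper names, the sample image and the addresses used with it are constructed for illustration. Every RVA is bounds-checked because import tables in untrusted files can point anywhere.</font></p>

```python
import struct

def cstr(img, rva):
    """NUL-terminated ASCII string at rva; RVAs outside the image are rejected."""
    if not 0 <= rva < len(img):
        raise ValueError(f"RVA {rva:#x} outside image")
    return img[rva:img.index(b"\0", rva)].decode("ascii")

def thunks(img, rva):
    """Yield (slot RVA, value) for a zero-terminated IMAGE_THUNK_DATA32 array."""
    while True:
        if not 0 <= rva <= len(img) - 4:
            raise ValueError("thunk array runs past the image")
        (value,) = struct.unpack_from("<I", img, rva)
        if value == 0:
            return
        yield rva, value
        rva += 4

def imports(img, desc_rva):
    """Walk the descriptors; return {dll: [(FirstThunk slot RVA, function name)]}."""
    out = {}
    while True:
        oft, _, _, name1, ft = struct.unpack_from("<5I", img, desc_rva)
        if oft == name1 == ft == 0:          # all-zero descriptor ends the list
            return out
        names = [cstr(img, v + 2) for _, v in thunks(img, oft)]  # +2 skips Hint
        slots = [s for s, _ in thunks(img, ft)]
        if len(slots) != len(names):
            raise ValueError("the two thunk arrays differ in length")
        out[cstr(img, name1)] = list(zip(slots, names))
        desc_rva += 20                        # sizeof(IMAGE_IMPORT_DESCRIPTOR)

def bind(img, desc_rva, exports):
    """Loader step: overwrite every FirstThunk slot with the function's address."""
    for dll, entries in imports(img, desc_rva).items():
        for slot, name in entries:
            struct.pack_into("<I", img, slot, exports[dll][name])

def sample_image():
    """Constructed image fragment (RVA == offset): kernel32.dll, two functions."""
    img = bytearray(0x80)
    struct.pack_into("<5I", img, 0, 0x30, 0, 0, 0x60, 0x40)  # next descriptor stays zero
    for base in (0x30, 0x40):                 # OriginalFirstThunk and FirstThunk arrays
        struct.pack_into("<3I", img, base, 0x50, 0x58, 0)
    for off, raw in ((0x50, b"\0\0Beep\0"), (0x58, b"\0\0Sleep\0"),
                     (0x60, b"kernel32.dll\0")):
        img[off:off + len(raw)] = raw
    return img
```

<p><font size="2" color="#000000">After <b>bind</b> runs, the FirstThunk slots hold addresses while the OriginalFirstThunk array still resolves to the function names, so <b>imports</b> returns the same result before and after.</font></p>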
<p><font size="2" color="#000000">The next question is: why do we need two identical arrays?
To answer it, we need to know that when the PE file is loaded into memory, the PE loader looks through the </font><font color="#000000" size="2" face="MS Sans Serif"><b>IMAGE_THUNK_DATA</b></font><font size="2" color="#000000"> and </font><font color="#000000" size="2" face="MS Sans Serif"><b>IMAGE_IMPORT_BY_NAME</b></font><font size="2" color="#000000"> arrays to determine the addresses of the imported functions.
It then replaces the elements of the </font><font color="#000000" size="2" face="MS Sans Serif"><b>IMAGE_THUNK_DATA</b></font><font size="2" color="#000000"> array pointed to by </font><font color="#000000" size="2" face="MS Sans Serif"><b>FirstThunk</b></font><font size="2" color="#000000"> with the real addresses of the imported functions.
So by the time the PE file is ready to run, the figure above has become:</font></p>
<table border="0" cellspacing="1">
<tr>
<th bgcolor="#006666"><font size="2" face="MS Sans Serif" color="#FFFFFF">OriginalFirstThunk</font></th>
<th><font color="#FFFFFF"> </font></th>
<th bgcolor="#006666"><font size="2" face="MS Sans Serif" color="#FFFFFF">IMAGE_IMPORT_BY_NAME</font></th>
<th><font color="#FFFFFF"> </font></th>
<th bgcolor="#006666"><font size="2" face="MS Sans Serif" color="#FFFFFF">FirstThunk</font></th>
</tr>
<tr>
<td align="center">
<p align="center">| </p>
</td>
<td align="center"> </td>
<td align="center"> </td>
<td align="center"> </td>
<td align="center"><font size="2" face="MS Sans Serif">|</font> </td>
</tr>
<tr>
<td align="center">
<table border="1" cellpadding="2">
<tr>
<td align="center" bgcolor="#666600"><font size="2" face="MS Sans Serif" color="#FFFFFF">IMAGE_THUNK_DATA</font>
</td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font size="2" face="MS Sans Serif" color="#FFFFFF">IMAGE_THUNK_DATA</font>
</td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font size="2" face="MS Sans Serif" color="#FFFFFF">IMAGE_THUNK_DATA</font>
</td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font size="2" face="MS Sans Serif" color="#FFFFFF">IMAGE_THUNK_DATA</font>
</td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font size="2" face="MS Sans Serif" color="#FFFFFF">...</font>
</td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font size="2" face="MS Sans Serif" color="#FFFFFF">IMAGE_THUNK_DATA</font>
</td>
</tr>
</table>
</td>
<td align="center">
<table border="0" cellpadding="2">
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif">---></font></td>
</tr>
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif">---></font></td>
</tr>
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif">---></font></td>
</tr>
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif">---></font></td>
</tr>
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif">---></font></td>
</tr>
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif">---></font></td>
</tr>
</table>
</td>
<td align="center">
<table border="1" cellpadding="2">
<tr>
<td align="center" bgcolor="#660066"><font size="2" face="MS Sans Serif" color="#FFFFFF">Function
1</font> </td>
</tr>
<tr>
<td align="center" bgcolor="#660066"><font size="2" face="MS Sans Serif" color="#FFFFFF">Function
2</font> </td>
</tr>
<tr>
<td align="center" bgcolor="#660066"><font size="2" face="MS Sans Serif" color="#FFFFFF">Function
3</font> </td>
</tr>
<tr>
<td align="center" bgcolor="#660066"><font size="2" face="MS Sans Serif" color="#FFFFFF">Function
4 </font></td>
</tr>
<tr>
<td align="center" bgcolor="#660066"><font size="2" face="MS Sans Serif" color="#FFFFFF">...</font>
</td>
</tr>
<tr>
<td align="center" bgcolor="#660066"><font size="2" face="MS Sans Serif" color="#FFFFFF">Function
n</font> </td>
</tr>
</table>
</td>
<td align="center">
<table border="0" cellpadding="2">
<tr>
<td align="center" nowrap> </td>
</tr>
<tr>
<td align="center" nowrap> </td>
</tr>
<tr>
<td align="center" nowrap> </td>
</tr>
<tr>
<td align="center" nowrap> </td>
</tr>
<tr>
<td align="center" nowrap> </td>
</tr>
<tr>
<td align="center" nowrap> </td>
</tr>
</table>
</td>
<td align="center">
<table border="1" cellpadding="2">
<tr>
<td align="center" bgcolor="#666600"><font size="2" face="MS Sans Serif" color="#FFFFFF">Address
of Function 1</font> </td>