mov hMapping, eax <br>
invoke MapViewOfFile,hMapping,FILE_MAP_READ,0,0,0
<br>
.if eax!=NULL <br>
mov pMapping,eax <br>
assume fs:nothing <br>
push fs:[0] <br>
pop seh.PrevLink <br>
mov seh.CurrentHandler,offset
SEHHandler <br>
mov seh.SafeOffset,offset
FinalExit <br>
lea eax,seh <br>
mov fs:[0], eax <br>
mov seh.PrevEsp,esp <br>
mov seh.PrevEbp,ebp <br>
mov edi, pMapping <br>
assume edi:ptr IMAGE_DOS_HEADER
<br>
.if [edi].e_magic==IMAGE_DOS_SIGNATURE
<br>
add edi,
[edi].e_lfanew <br>
assume edi:ptr
IMAGE_NT_HEADERS <br>
.if [edi].Signature==IMAGE_NT_SIGNATURE
<br>
mov
ValidPE, TRUE <br>
.else
<br>
mov ValidPE, FALSE <br>
.endif <br>
.else <br>
mov ValidPE,FALSE
<br>
.endif <br>
FinalExit: <br>
push seh.PrevLink <br>
pop fs:[0] <br>
.if ValidPE==TRUE <br>
invoke ShowTheFunctions,
hDlg, edi <br>
.else <br>
invoke MessageBox,0,
addr NotValidPE, addr AppName, MB_OK+MB_ICONERROR <br>
.endif <br>
invoke UnmapViewOfFile,
pMapping <br>
.else <br>
invoke MessageBox, 0,
addr FileMappingError, addr AppName, MB_OK+MB_ICONERROR <br>
.endif <br>
invoke CloseHandle,hMapping <br>
.else <br>
invoke MessageBox, 0, addr FileOpenMappingError,
addr AppName, MB_OK+MB_ICONERROR <br>
.endif <br>
invoke CloseHandle, hFile <br>
.else <br>
invoke MessageBox, 0, addr FileOpenError, addr AppName, MB_OK+MB_ICONERROR
<br>
.endif <br>
.endif <br>
ret <br>
ShowImportFunctions endp <br>
<br>
;-----------------------------------------------------------------------
; void AppendText(HWND hDlg, const char *pText)
; Append pText followed by a line break to the IDC_EDIT control of hDlg
; and leave the caret after the new text, so the next call appends again.
; ABI:   stdcall (MASM 'proc' with typed arguments)
; In:    hDlg = dialog that owns IDC_EDIT, pText = ASCIIZ string
; Out:   nothing meaningful (eax = return of the last SendDlgItemMessage)
; Clobb: eax, ecx, edx (volatile across the Win32 API calls)
;-----------------------------------------------------------------------
AppendText proc hDlg:DWORD,pText:DWORD <br>
; EM_REPLACESEL inserts pText at the current selection/caret
invoke SendDlgItemMessage,hDlg,IDC_EDIT,EM_REPLACESEL,0,pText <br>
; ... then the line terminator (CRLF is presumably a module-level string)
invoke SendDlgItemMessage,hDlg,IDC_EDIT,EM_REPLACESEL,0,addr CRLF
<br>
; EM_SETSEL with wParam=-1, lParam=0 clears the selection and puts the
; caret at the end of the text (see the chapter's explanation below)
invoke SendDlgItemMessage,hDlg,IDC_EDIT,EM_SETSEL,-1,0 <br>
ret <br>
AppendText endp <br>
<br>
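;-----------------------------------------------------------------------
; DWORD RVAToOffset(void *pFileMap, DWORD RVA)
; Translate an RVA into a file offset by scanning the section table of
; the PE image mapped at pFileMap.
; ABI:   stdcall (MASM 'proc')
; In:    pFileMap = base address of the file mapping, RVA = address to map
; Out:   eax = file offset; if the RVA lies in no section (e.g. inside the
;        headers) the RVA is returned unchanged, as in the original
; Preserved: edi, esi, edx, ecx (pushed/popped via 'uses')
; NOTE(review): e_lfanew, NumberOfSections and the section fields are read
; from the file as-is and never checked against the size of the mapping;
; a malformed PE can send this loop past the end of the view. The
; interface has no size argument, so callers must ensure the file is
; sane or guard the call.
;-----------------------------------------------------------------------
RVAToOffset PROC uses edi esi edx ecx pFileMap:DWORD,RVA:DWORD
    mov     esi,pFileMap
    assume  esi:ptr IMAGE_DOS_HEADER
    add     esi,[esi].e_lfanew                          ; esi -> IMAGE_NT_HEADERS
    assume  esi:ptr IMAGE_NT_HEADERS
    mov     edi,RVA                                     ; edi = RVA to translate
    lea     edx,[esi+sizeof IMAGE_NT_HEADERS]           ; edx -> first section header
    movzx   ecx,[esi].FileHeader.NumberOfSections       ; ecx = sections left (WORD, zero-extended)
    assume  edx:ptr IMAGE_SECTION_HEADER
    .while ecx>0                                        ; check all sections
        .if edi>=[edx].VirtualAddress
            ; eax = RVA - VirtualAddress, non-negative because of the test above.
            ; Comparing it against SizeOfRawData (a DWORD memory operand) makes
            ; MASM emit an unsigned jump; the original compared two registers,
            ; which .if treats as signed, and its VirtualAddress+SizeOfRawData
            ; sum could wrap for a hostile section header.
            mov     eax,edi
            sub     eax,[edx].VirtualAddress
            .if eax<[edx].SizeOfRawData                 ; the address is in this section
                add     eax,[edx].PointerToRawData      ; eax = file offset
                ret
            .endif
        .endif
        add     edx,sizeof IMAGE_SECTION_HEADER
        dec     ecx
    .endw
    assume  edx:nothing
    assume  esi:nothing
    mov     eax,edi                                     ; no section matched: return the RVA itself
    ret
RVAToOffset endp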
<br>
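;-----------------------------------------------------------------------
; void ShowTheFunctions(HWND hDlg, IMAGE_NT_HEADERS *pNTHdr)
; List every import descriptor of the mapped PE (module global pMapping)
; and the functions it imports, by name/hint or by ordinal, in IDC_EDIT.
; ABI:   stdcall (MASM 'proc')
; In:    hDlg = dialog owning IDC_EDIT, pNTHdr = IMAGE_NT_HEADERS inside
;        the mapping
; Out:   nothing (eax undefined)
; Preserved: esi, edi, ecx, ebx. edi is callee-saved in Win32 and is
;        written below, but was missing from the original 'uses' list.
; NOTE(review): the descriptor walk and the thunk walk stop only at a
; zero terminator and the %s conversions read DLL/function names until a
; NUL; none of this is bounded by the size of the view. The visible
; caller (ShowImportFunctions) unlinks its SEH frame at FinalExit before
; invoking this proc, so a truncated or malformed PE faults the process
; instead of being reported.
;-----------------------------------------------------------------------
ShowTheFunctions proc uses esi edi ecx ebx hDlg:DWORD, pNTHdr:DWORD
    ; wsprintf writes at most 1024 bytes, so a 1024-byte buffer cannot be
    ; overrun by a long name taken from the file; the original 512-byte
    ; buffer could be.
    LOCAL temp[1024]:BYTE

    invoke  SetDlgItemText,hDlg,IDC_EDIT,0              ; clear the edit control
    invoke  AppendText,hDlg,addr buffer                 ; first line: the file name
    mov     edi,pNTHdr
    assume  edi:ptr IMAGE_NT_HEADERS
    ; DataDirectory[1] is the import directory
    mov     edi,[edi].OptionalHeader.DataDirectory[sizeof IMAGE_DATA_DIRECTORY].VirtualAddress
    .if edi==0
        ret                                             ; no import directory: nothing to show
    .endif
    invoke  RVAToOffset,pMapping,edi
    mov     edi,eax
    add     edi,pMapping                                ; edi -> first IMAGE_IMPORT_DESCRIPTOR
    assume  edi:ptr IMAGE_IMPORT_DESCRIPTOR
    ; the descriptor array is terminated by an all-zero entry
    .while !([edi].OriginalFirstThunk==0 && [edi].TimeDateStamp==0 && [edi].ForwarderChain==0 && [edi].Name1==0 && [edi].FirstThunk==0)
        invoke  AppendText,hDlg,addr ImportDescriptor
        invoke  RVAToOffset,pMapping,[edi].Name1
        mov     edx,eax
        add     edx,pMapping                            ; edx -> DLL name (ASCIIZ)
        invoke  wsprintf,addr temp,addr IDTemplate,[edi].OriginalFirstThunk,[edi].TimeDateStamp,[edi].ForwarderChain,edx,[edi].FirstThunk
        invoke  AppendText,hDlg,addr temp
        ; walk the import name table; fall back to the IAT when the
        ; linker left OriginalFirstThunk zero
        .if [edi].OriginalFirstThunk==0
            mov     esi,[edi].FirstThunk
        .else
            mov     esi,[edi].OriginalFirstThunk
        .endif
        invoke  RVAToOffset,pMapping,esi
        add     eax,pMapping
        mov     esi,eax                                 ; esi -> first 32-bit thunk
        invoke  AppendText,hDlg,addr NameHeader
        .while dword ptr [esi]!=0                       ; thunk array is zero-terminated
            test    dword ptr [esi],IMAGE_ORDINAL_FLAG32
            jnz     ImportByOrdinal
            invoke  RVAToOffset,pMapping,dword ptr [esi]
            mov     edx,eax
            add     edx,pMapping
            assume  edx:ptr IMAGE_IMPORT_BY_NAME
            movzx   ecx,[edx].Hint                      ; Hint is a WORD; zero-extend directly
            invoke  wsprintf,addr temp,addr NameTemplate,ecx,addr [edx].Name1
            assume  edx:nothing
            jmp     ShowTheText
ImportByOrdinal:
            mov     edx,dword ptr [esi]
            and     edx,0FFFFh                          ; ordinal is the low 16 bits
            invoke  wsprintf,addr temp,addr OrdinalTemplate,edx
ShowTheText:
            invoke  AppendText,hDlg,addr temp
            add     esi,4                               ; next thunk
        .endw
        add     edi,sizeof IMAGE_IMPORT_DESCRIPTOR
    .endw
    assume  edi:nothing
    ret
ShowTheFunctions endp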
end start </font></p>
<h3><font color="#000000">分析<font face="Arial, Helvetica, sans-serif">:</font></font></h3>
<p><font size="2" color="#000000">本例中,用户点击打开菜单显示文件打开对话框,检验文件的</font><font size="2" face="MS Sans Serif" color="#000000">PE</font><font size="2" color="#000000">有效性后调用
</font><font color="#000000" size="2" face="MS Sans Serif"><b>ShowTheFunctions</b></font><font size="2" color="#000000">。</font></p>
<p><font face="Fixedsys" color="#000000">ShowTheFunctions proc uses esi ecx ebx
hDlg:DWORD, pNTHdr:DWORD <br>
LOCAL temp[512]:BYTE </font></p>
<p><font size="2" color="#000000">保留</font><font size="2" face="MS Sans Serif" color="#000000">512</font><font size="2" color="#000000">字节堆栈空间用于字符串操作。</font></p>
<p><font face="Fixedsys" color="#000000"> invoke SetDlgItemText,hDlg,IDC_EDIT,0
</font></p>
<p><font size="2" color="#000000">清除编辑控件内容。</font></p>
<p><font face="Fixedsys" color="#000000"> invoke AppendText,hDlg,addr
buffer </font></p>
<p><font size="2" color="#000000">将</font><font size="2" face="MS Sans Serif" color="#000000">PE</font><font size="2" color="#000000">文件名插入编辑控件。
</font><font color="#000000" size="2" face="MS Sans Serif"><b>AppendText </b></font><font size="2" color="#000000">通过传递一个
</font><font color="#000000" size="2" face="MS Sans Serif"><b>EM_REPLACESEL
</b></font><font size="2" color="#000000">消息以通知向编辑控件添加文本。然后它又向编辑控件发送一个设置了 </font><font size="2" face="MS Sans Serif" color="#000000">wParam=-1</font><font size="2" color="#000000">和</font><font size="2" face="MS Sans Serif" color="#000000">lParam=0</font><font size="2" color="#000000">的</font><font color="#000000" size="2" face="MS Sans Serif"><b>EM_SETSEL</b>
</font><font size="2" color="#000000">消息,使光标定位到文本末。</font></p>
<p><font face="Fixedsys" color="#000000"> mov edi,pNTHdr <br>
assume edi:ptr IMAGE_NT_HEADERS <br>
mov edi, [edi].OptionalHeader.DataDirectory[sizeof IMAGE_DATA_DIRECTORY].VirtualAddress
</font></p>
<p><font size="2" color="#000000">获取</font><font size="2" face="MS Sans Serif" color="#000000">import
symbols</font><font size="2" color="#000000">的</font><font size="2" face="MS Sans Serif" color="#000000">RVA</font><font size="2" color="#