通过解析PE头。读取dll模块和dll模块函数

2024年3月22日发(作者：)

通过解析PE头。读取dll模块和dll模块函数

win32

int main()

{

//001e1000

::MessageBox(NULL, TEXT("111"), TEXT("222"), 0);

HMODULE vHmodule = GetModuleHandle(NULL);

printf("vHmodule = 0x%08Xn", vHmodule);

IMAGE_DOS_HEADER *vImageDosHeader = (IMAGE_DOS_HEADER *)vHmodule;

//printf("%08Xn", vImageDosHeader);

printf("vImageDosHeader->e_lfanew = %08Xn", vImageDosHeader->e_lfanew);

//DWORD *vTemp = (DWORD *)((DWORD)vHmodule + vImageDosHeader->e_lfanew);

//printf("vTemp=%08Xn", vTemp);

IMAGE_NT_HEADERS *vImageNtHeaders = (IMAGE_NT_HEADERS *)((DWORD)vHmodule + vImageDosHeader->e_lfanew);

//printf("vImageNtHeaders[0]=%Xn", vTemp[0]);

//printf("vImageNtHeaders[2]=%Xn", vTemp[2]);

//printf("vImageNtHeaders[3]=%Xn", vTemp[3]);

//printf("*vImageDosHeader->e_lfanew=0x%08Xn", vImageDosHeader->e_lfanew);

//printf("%08Xn", vImageNtHeaders);

IMAGE_OPTIONAL_HEADER32 vImageOptionalHeader32 = vImageNtHeaders->OptionalHeader;

IMAGE_DATA_DIRECTORY vImageDataDirectory = rectory[1];

printf("*lAddress=0x%08Xn", lAddress);

IMAGE_IMPORT_DESCRIPTOR *vImageImportDescriptor = (IMAGE_IMPORT_DESCRIPTOR *)((DWORD)vHmodule +

lAddress);

IMAGE_THUNK_DATA *vImageThunkData;

IMAGE_IMPORT_BY_NAME *vImageImportByName;

printf("nnn");

while (true)

{

if (vImageImportDescriptor->OriginalFirstThunk == NULL)

break;

printf("vImageImportDescriptor->Name=%sn", ((DWORD)vHmodule + vImageImportDescriptor->Name));

vImageThunkData = (IMAGE_THUNK_DATA *)((DWORD)vHmodule + vImageImportDescriptor->OriginalFirstThunk);

while (true)

{

if (vImageThunkData->sOfData == NULL)

break;

vImageImportByName = (IMAGE_IMPORT_BY_NAME *)((DWORD)vHmodule + vImageThunkData->sOfData);

printf("vImageImportByName->Name=%sn", vImageImportByName->Name);

vImageThunkData++;

}

printf("nnn");

vImageImportDescriptor++;

}

system("pause");

return EXIT_SUCCESS;

}

MFC

#include

VOID

WINAPI

ReWriteSleep(_In_ DWORD p)

{

::MessageBox(NULL, TEXT("改写Sleep"), TEXT("改写Sleep"), 0);

return;

}

void function dd()

{

USES_CONVERSION;

CString str;

// TODO: 在此添加控件通知处理程序代码

HMODULE vHmodule = GetModuleHandle(NULL);

(TEXT("vHmodule = 0x%08Xn"), vHmodule);

::OutputDebugString(str);

IMAGE_DOS_HEADER *vImageDosHeader = (IMAGE_DOS_HEADER *)vHmodule;

//printf("%08Xn", vImageDosHeader);

(TEXT("vImageDosHeader->e_lfanew = %08Xn"), vImageDosHeader->e_lfanew);

::OutputDebugString(str);

//DWORD *vTemp = (DWORD *)((DWORD)vHmodule + vImageDosHeader->e_lfanew);

//printf("vTemp=%08Xn", vTemp);

IMAGE_NT_HEADERS *vImageNtHeaders = (IMAGE_NT_HEADERS *)((DWORD)vHmodule + vImageDosHeader->e_lfanew);

//printf("vImageNtHeaders[0]=%Xn", vTemp[0]);

//printf("vImageNtHeaders[2]=%Xn", vTemp[2]);

//printf("vImageNtHeaders[3]=%Xn", vTemp[3]);

//printf("*vImageDosHeader->e_lfanew=0x%08Xn", vImageDosHeader->e_lfanew);

//printf("%08Xn", vImageNtHeaders);

IMAGE_OPTIONAL_HEADER32 vImageOptionalHeader32 = vImageNtHeaders->OptionalHeader;

IMAGE_DATA_DIRECTORY vImageDataDirectory = rectory[1];

(TEXT("*lAddress=0x%08Xn"), lAddress);

::OutputDebugString(str);

IMAGE_IMPORT_DESCRIPTOR *vImageImportDescriptor = (IMAGE_IMPORT_DESCRIPTOR *)((DWORD)vHmodule +

lAddress);

IMAGE_THUNK_DATA *vImageThunkData;

IMAGE_THUNK_DATA *vImageThunkData2;

IMAGE_IMPORT_BY_NAME *vImageImportByName;

DWORD vFunAddress;

::OutputDebugString(TEXT("n"));

::OutputDebugString(TEXT("n"));

CString str2;

CString str3 = TEXT("Sleep");

DWORD *p;

MEMORY_BASIC_INFORMATION pInfo;

DWORD pInfoOldProtect;

while (true)

{

if (vImageImportDescriptor->OriginalFirstThunk == NULL)

break;

vImageThunkData = (IMAGE_THUNK_DATA *)((DWORD)vHmodule + vImageImportDescriptor->OriginalFirstThunk);

vImageThunkData2 = (IMAGE_THUNK_DATA *)((DWORD)vHmodule + vImageImportDescriptor->FirstThunk);

if ((DWORD)vImageThunkData->sOfData < (DWORD)vHmodule)

{

(TEXT("vImageImportDescriptor->Name=%Sn"), ((DWORD)vHmodule + vImageImportDescriptor->Name));

::OutputDebugString(str);

//vImageThunkData = (IMAGE_THUNK_DATA *)((DWORD)vHmodule + vImageImportDescriptor->OriginalFirstThunk);

//(TEXT("vImageThunkData=%08Xn"), (vImageThunkData));

//::OutputDebugString(str);

(TEXT("vImageThunkData->sOfData=%08Xn"), (vImageThunkData->sOfData));

::OutputDebugString(str);

while (true)

{

vImageImportByName = (IMAGE_IMPORT_BY_NAME *)((DWORD)vHmodule + vImageThunkData->sOfData);

if (vImageThunkData->sOfData == NULL)

break;

str2 = vImageImportByName->Name;

if (str2 == str3)

{

::OutputDebugString(TEXT("n"));

::OutputDebugString(TEXT("n"));

::OutputDebugString(TEXT("n"));

::OutputDebugString(TEXT("n"));

//vImageThunkData2->on = (DWORD)ReWriteSleep;

(TEXT("重写Sleep函数地址是=%08X, DWORD ReWriteSleep=%08Xn"), ReWriteSleep, (DWORD)ReWriteSleep);

::OutputDebugString(str);

(TEXT("找到了Sleep函数地址是=%08Xn"), vImageThunkData2->on);

::OutputDebugString(str);

p = &vImageThunkData2->on;

(TEXT("on地址=%08Xn"), p);

::OutputDebugString(str);

(TEXT("p地址=%08Xn"), p);

::OutputDebugString(str);

::MessageBox(NULL, TEXT("333333"), TEXT("55555"), 0);

::VirtualQuery(p, &pInfo, sizeof(pInfo));

::VirtualProtect(p, sizeof(p), PAGE_EXECUTE_READWRITE, &pInfoOldProtect);

*p = (DWORD)ReWriteSleep;

::VirtualProtect(p, sizeof(p), pInfoOldProtect, &pInfoOldProtect);

//::VirtualQuery(p, &pInfo, sizeof(pInfo));

/*__asm

{

PUSH EBX

PUSH ECX

MOV EBX, DWORD PTR p

MOV ECX, DWORD PTR ReWriteSleep

MOV DWORD PTR[EBX], ECX

POP ECX

POP EBX

}*/

//vImageThunkData2->on = (DWORD)ReWriteSleep;

//WriteProcessMemory(GetCurrentProcess(), &vImageThunkData2->on, ReWriteSleep, 4, NULL);

::OutputDebugString(TEXT("n"));

::OutputDebugString(TEXT("n"));

::OutputDebugString(TEXT("n"));

::OutputDebugString(TEXT("n"));

}

//sprintf_s(str3, "vImageImportByName->Name=%sn", vImageImportByName->Name);

(TEXT("vImageImportByName->Name=%wsn"), str2);

::OutputDebugString(str);

(TEXT("vImageThunkData2->on=%08Xn"), vImageThunkData2->on);

::OutputDebugString(str);

vImageThunkData++;

vImageThunkData2++;

}

}

::OutputDebugString(TEXT("n"));

::OutputDebugString(TEXT("n"));

vImageImportDescriptor++;

}

}