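根据导出表实现 GetProcAddress。注意:如果最后取到的函数地址 > 模块基址 + 导出表.VirtualAddress(更严格的判断是:函数的 RVA 落在 [导出表.VirtualAddress, 导出表.VirtualAddress + 导出表.Size) 这个范围内),则该地址指向的是一个字符串,字符串里面是 DLL 名和函数名(形如 "DLL名.函数名"),因为它是一个转发地址,需要再调用一次 GetProcAddress 去获取真正的函数地址。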
GetProcAddress(模块,序号-Base) 1.DWORD dwAddress=(DWORD)AddressOfFunctions[序号]+模块基址;
GetProcAddress(模块,名称) 1.遍历 AddressOfNames,(!strcmp(AddressOfNames[i],名称)) 相等后取出下标 i 2.WORD wOrdinals=AddressOfNameOrdinals[i]; 3.DWORD dwAddress=(DWORD)AddressOfFunctions[wOrdinals]+模块基址;
#include <windows.h>
#include <string.h>   // memcpy / strcpy used by the resolvers below
#include <iostream>   // NOTE(review): this header name was lost when the page was extracted; <iostream> is assumed from the `using namespace std;` that follows
using namespace std;
// File-scope scratch copies of the PE structures. Both MyGetProcAddress
// overloads overwrite DOS, PE, OPTIONAL1, SECTIONS and ExPort on every call,
// so concurrent calls race on them.
IMAGE_DOS_HEADER DOS;
IMAGE_FILE_HEADER PE;
IMAGE_OPTIONAL_HEADER OPTIONAL1;
// Fixed capacity of 96 entries: any copy into this array has to be limited to
// 96 section headers.
IMAGE_SECTION_HEADER SECTIONS[96];
// Not referenced by the code shown in this listing.
IMAGE_IMPORT_DESCRIPTOR DESCRIPTOR;
IMAGE_EXPORT_DIRECTORY ExPort;
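/*
 * Compare two NUL-terminated strings byte by byte.
 *
 * Returns 0 when the strings are identical, 1 when szBuff1 sorts after
 * szBuff2 and -1 when it sorts before it.
 *
 * The earlier counting scheme reported 0 for strings that merely produced
 * equal counters (for example "ab" vs "ba", or "CreateFileA" vs "CreateFile"),
 * and its final if/else chain had lost a condition and did not compile.
 * Because the export resolver treats 0 as "this is the requested name", a
 * false match there hands back the address of the wrong export, so equality
 * must mean byte-for-byte equality including the terminator.
 *
 * A null pointer compares lower than any string; two null pointers are equal.
 */
int Mystrcmp(char* szBuff1, char* szBuff2)
{
    if (!szBuff1 || !szBuff2)
    {
        if (szBuff1 == szBuff2)
        {
            return 0;
        }
        return szBuff1 ? 1 : -1;
    }

    // Compare as unsigned bytes so the result does not depend on whether plain
    // char is signed on the target compiler.
    const unsigned char* p1 = (const unsigned char*)szBuff1;
    const unsigned char* p2 = (const unsigned char*)szBuff2;

    // Stop at the first differing byte or at the shared terminator; this never
    // reads past the NUL of either string.
    while (*p1 != 0 && *p1 == *p2)
    {
        p1++;
        p2++;
    }

    if (*p1 == *p2)
    {
        return 0;
    }
    return (*p1 > *p2) ? 1 : -1;
}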
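/*
 * Resolve an export by name by walking the PE export directory of a module
 * that is already mapped into this process.
 *
 * hModule     base address of the mapped module
 * lpProcName  NUL-terminated export name; the "ordinal stored in the pointer"
 *             form is rejected here, use the WORD overload for ordinals
 *
 * Returns the export's address, or NULL when the headers do not look like a
 * PE image for this process, the module has no usable export directory, the
 * name is not exported, or a forwarder cannot be resolved.
 *
 * Side effects: overwrites the file-scope DOS / PE / OPTIONAL1 / SECTIONS /
 * ExPort scratch copies, so concurrent calls race on them.
 *
 * Every RVA and count read from the image is checked against SizeOfImage
 * before it is dereferenced. The headers themselves are read before that size
 * is known, so hModule is assumed to be an image the loader mapped.
 */
FARPROC MyGetProcAddress(
    HMODULE hModule,
    LPCSTR lpProcName
)
{
    if (hModule == NULL || lpProcName == NULL)
    {
        return NULL;
    }
    // A value below 64K is an ordinal packed into the pointer, not a string;
    // dereferencing it as a name would fault.
    if (((ULONG_PTR)lpProcName >> 16) == 0)
    {
        return NULL;
    }

    // Pointer-sized base: casting HMODULE to DWORD truncates it on 64-bit.
    const BYTE* pBase = (const BYTE*)hModule;

    memcpy(&DOS, pBase, sizeof(IMAGE_DOS_HEADER));
    if (DOS.e_magic != IMAGE_DOS_SIGNATURE || DOS.e_lfanew <= 0)
    {
        return NULL;
    }

    const BYTE* pNt = pBase + DOS.e_lfanew;
    DWORD dwSignature = 0;
    memcpy(&dwSignature, pNt, sizeof(dwSignature));
    if (dwSignature != IMAGE_NT_SIGNATURE)
    {
        return NULL;
    }

    // Layout after e_lfanew: 4-byte signature, file header, optional header at +0x18.
    memcpy(&PE, pNt + 0x4, sizeof(IMAGE_FILE_HEADER));
    memcpy(&OPTIONAL1, pNt + 0x18, sizeof(IMAGE_OPTIONAL_HEADER));
    if (OPTIONAL1.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC)
    {
        return NULL;
    }

    // SECTIONS has a fixed capacity; clamp the count so an oversized
    // NumberOfSections cannot write past the end of the array.
    size_t nSections = PE.NumberOfSections;
    const size_t nMaxSections = sizeof(SECTIONS) / sizeof(SECTIONS[0]);
    if (nSections > nMaxSections)
    {
        nSections = nMaxSections;
    }
    memcpy(SECTIONS, pNt + 0x18 + PE.SizeOfOptionalHeader, sizeof(IMAGE_SECTION_HEADER) * nSections);

    // Locate the export directory and make sure it lies inside the image.
    if (OPTIONAL1.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_EXPORT)
    {
        return NULL;
    }
    const DWORD dwImageSize = OPTIONAL1.SizeOfImage;
    const DWORD dwExportRva = OPTIONAL1.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    const DWORD dwExportSize = OPTIONAL1.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
    if (dwExportRva == 0 ||
        dwExportSize < sizeof(IMAGE_EXPORT_DIRECTORY) ||
        dwExportRva >= dwImageSize ||
        dwExportSize > dwImageSize - dwExportRva)
    {
        return NULL;
    }
    memcpy(&ExPort, pBase + dwExportRva, sizeof(IMAGE_EXPORT_DIRECTORY));

    // The three export tables must fit inside the image (64-bit math so the
    // products cannot wrap).
    if ((ULONGLONG)ExPort.AddressOfNames + (ULONGLONG)ExPort.NumberOfNames * sizeof(DWORD) > dwImageSize ||
        (ULONGLONG)ExPort.AddressOfNameOrdinals + (ULONGLONG)ExPort.NumberOfNames * sizeof(WORD) > dwImageSize ||
        (ULONGLONG)ExPort.AddressOfFunctions + (ULONGLONG)ExPort.NumberOfFunctions * sizeof(DWORD) > dwImageSize)
    {
        return NULL;
    }

    // 1. Find the index of the requested name in AddressOfNames.
    const BYTE* pNames = pBase + ExPort.AddressOfNames;
    DWORD dwNameIndex = ExPort.NumberOfNames; // "not found" sentinel
    for (DWORD i = 0; i < ExPort.NumberOfNames; i++)
    {
        DWORD dwNameRva = 0;
        memcpy(&dwNameRva, pNames + (size_t)i * sizeof(DWORD), sizeof(DWORD));
        if (dwNameRva == 0 || dwNameRva >= dwImageSize)
        {
            continue;
        }
        if (!Mystrcmp((char*)lpProcName, (char*)(pBase + dwNameRva)))
        {
            dwNameIndex = i;
            break;
        }
    }
    if (dwNameIndex == ExPort.NumberOfNames)
    {
        return NULL;
    }

    // 2. Map the name index to an index into AddressOfFunctions.
    WORD wOrdinals = 0;
    memcpy(&wOrdinals,
           pBase + ExPort.AddressOfNameOrdinals + (size_t)dwNameIndex * sizeof(WORD),
           sizeof(WORD));
    if (wOrdinals >= ExPort.NumberOfFunctions)
    {
        return NULL;
    }

    // 3. Fetch the function RVA; 0 marks an unused slot.
    DWORD dwFuncRva = 0;
    memcpy(&dwFuncRva,
           pBase + ExPort.AddressOfFunctions + (size_t)wOrdinals * sizeof(DWORD),
           sizeof(DWORD));
    if (dwFuncRva == 0 || dwFuncRva >= dwImageSize)
    {
        return NULL;
    }

    // An RVA inside the export directory itself is a forwarder string
    // ("DLL.Function"), not code. Testing only "above the directory start"
    // would misread ordinary functions located after the directory as strings.
    if (dwFuncRva >= dwExportRva && dwFuncRva - dwExportRva < dwExportSize)
    {
        const char* pszForward = (const char*)(pBase + dwFuncRva);
        const DWORD dwMaxLen = dwExportSize - (dwFuncRva - dwExportRva);
        char szDllName[64] = { 0 };
        char szApiName[256] = { 0 };

        // Bounded scan for the separator: never past the export directory and
        // never more than the destination buffer can hold.
        DWORD dwDot = 0;
        while (dwDot < dwMaxLen && pszForward[dwDot] != '\0' && pszForward[dwDot] != '.')
        {
            dwDot++;
        }
        if (dwDot == 0 || dwDot >= dwMaxLen || pszForward[dwDot] != '.' || dwDot >= sizeof(szDllName))
        {
            return NULL;
        }
        memcpy(szDllName, pszForward, dwDot);

        const char* pszApi = pszForward + dwDot + 1;
        const DWORD dwRemain = dwMaxLen - dwDot - 1;
        DWORD dwApiLen = 0;
        while (dwApiLen < dwRemain && pszApi[dwApiLen] != '\0')
        {
            dwApiLen++;
        }
        if (dwApiLen == 0 || dwApiLen >= dwRemain || dwApiLen >= sizeof(szApiName))
        {
            return NULL;
        }
        memcpy(szApiName, pszApi, dwApiLen);

        // Only modules that are already loaded are followed; a forwarder of
        // the form "DLL.#ordinal" is looked up as a name and therefore fails.
        return MyGetProcAddress(GetModuleHandleA(szDllName), szApiName);
    }

    return (FARPROC)((ULONG_PTR)hModule + dwFuncRva);
}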
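/*
 * Resolve an export by ordinal by walking the PE export directory of a module
 * that is already mapped into this process.
 *
 * hModule   base address of the mapped module
 * Ordinals  export ordinal as published by the module (biased by the export
 *           directory's Base field)
 *
 * Returns the export's address, or NULL when the headers do not look like a
 * PE image for this process, the module has no usable export directory, the
 * ordinal is outside the function table, or a forwarder cannot be resolved.
 *
 * Side effects: overwrites the file-scope DOS / PE / OPTIONAL1 / SECTIONS /
 * ExPort scratch copies, so concurrent calls race on them.
 *
 * Every RVA and count read from the image is checked against SizeOfImage
 * before it is dereferenced. The headers themselves are read before that size
 * is known, so hModule is assumed to be an image the loader mapped.
 */
FARPROC MyGetProcAddress(
    HMODULE hModule,
    WORD Ordinals
)
{
    if (hModule == NULL)
    {
        return NULL;
    }

    // Pointer-sized base: casting HMODULE to DWORD truncates it on 64-bit.
    const BYTE* pBase = (const BYTE*)hModule;

    memcpy(&DOS, pBase, sizeof(IMAGE_DOS_HEADER));
    if (DOS.e_magic != IMAGE_DOS_SIGNATURE || DOS.e_lfanew <= 0)
    {
        return NULL;
    }

    const BYTE* pNt = pBase + DOS.e_lfanew;
    DWORD dwSignature = 0;
    memcpy(&dwSignature, pNt, sizeof(dwSignature));
    if (dwSignature != IMAGE_NT_SIGNATURE)
    {
        return NULL;
    }

    // Layout after e_lfanew: 4-byte signature, file header, optional header at +0x18.
    memcpy(&PE, pNt + 0x4, sizeof(IMAGE_FILE_HEADER));
    memcpy(&OPTIONAL1, pNt + 0x18, sizeof(IMAGE_OPTIONAL_HEADER));
    if (OPTIONAL1.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC)
    {
        return NULL;
    }

    // SECTIONS has a fixed capacity; clamp the count so an oversized
    // NumberOfSections cannot write past the end of the array.
    size_t nSections = PE.NumberOfSections;
    const size_t nMaxSections = sizeof(SECTIONS) / sizeof(SECTIONS[0]);
    if (nSections > nMaxSections)
    {
        nSections = nMaxSections;
    }
    memcpy(SECTIONS, pNt + 0x18 + PE.SizeOfOptionalHeader, sizeof(IMAGE_SECTION_HEADER) * nSections);

    // Locate the export directory and make sure it lies inside the image.
    if (OPTIONAL1.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_EXPORT)
    {
        return NULL;
    }
    const DWORD dwImageSize = OPTIONAL1.SizeOfImage;
    const DWORD dwExportRva = OPTIONAL1.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    const DWORD dwExportSize = OPTIONAL1.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
    if (dwExportRva == 0 ||
        dwExportSize < sizeof(IMAGE_EXPORT_DIRECTORY) ||
        dwExportRva >= dwImageSize ||
        dwExportSize > dwImageSize - dwExportRva)
    {
        return NULL;
    }
    memcpy(&ExPort, pBase + dwExportRva, sizeof(IMAGE_EXPORT_DIRECTORY));

    // The function table must fit inside the image (64-bit math so the
    // product cannot wrap).
    if ((ULONGLONG)ExPort.AddressOfFunctions + (ULONGLONG)ExPort.NumberOfFunctions * sizeof(DWORD) > dwImageSize)
    {
        return NULL;
    }

    // Convert the biased ordinal to a table index. An ordinal below Base would
    // wrap around in unsigned arithmetic, and one past the table would read
    // unrelated memory, so both are rejected.
    if (Ordinals < ExPort.Base)
    {
        return NULL;
    }
    const DWORD dwIndex = Ordinals - ExPort.Base;
    if (dwIndex >= ExPort.NumberOfFunctions)
    {
        return NULL;
    }

    // Fetch the function RVA; 0 marks an unused slot.
    DWORD dwFuncRva = 0;
    memcpy(&dwFuncRva,
           pBase + ExPort.AddressOfFunctions + (size_t)dwIndex * sizeof(DWORD),
           sizeof(DWORD));
    if (dwFuncRva == 0 || dwFuncRva >= dwImageSize)
    {
        return NULL;
    }

    // An RVA inside the export directory itself is a forwarder string
    // ("DLL.Function"), not code. Testing only "above the directory start"
    // would misread ordinary functions located after the directory as strings.
    if (dwFuncRva >= dwExportRva && dwFuncRva - dwExportRva < dwExportSize)
    {
        const char* pszForward = (const char*)(pBase + dwFuncRva);
        const DWORD dwMaxLen = dwExportSize - (dwFuncRva - dwExportRva);
        char szDllName[64] = { 0 };
        char szApiName[256] = { 0 };

        // Bounded scan for the separator: never past the export directory and
        // never more than the destination buffer can hold.
        DWORD dwDot = 0;
        while (dwDot < dwMaxLen && pszForward[dwDot] != '\0' && pszForward[dwDot] != '.')
        {
            dwDot++;
        }
        if (dwDot == 0 || dwDot >= dwMaxLen || pszForward[dwDot] != '.' || dwDot >= sizeof(szDllName))
        {
            return NULL;
        }
        memcpy(szDllName, pszForward, dwDot);

        const char* pszApi = pszForward + dwDot + 1;
        const DWORD dwRemain = dwMaxLen - dwDot - 1;
        DWORD dwApiLen = 0;
        while (dwApiLen < dwRemain && pszApi[dwApiLen] != '\0')
        {
            dwApiLen++;
        }
        if (dwApiLen == 0 || dwApiLen >= dwRemain || dwApiLen >= sizeof(szApiName))
        {
            return NULL;
        }
        memcpy(szApiName, pszApi, dwApiLen);

        // szApiName is a char array, so this resolves to the by-name overload.
        // Only modules that are already loaded are followed; a forwarder of
        // the form "DLL.#ordinal" is looked up as a name and therefore fails.
        return MyGetProcAddress(GetModuleHandleA(szDllName), szApiName);
    }

    return (FARPROC)((ULONG_PTR)hModule + dwFuncRva);
}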