一、 导入(出)表
导入表的位置记录在扩展PE头(可选头)的 _IMAGE_DATA_DIRECTORY DataDirectory[16] 数组中,数组的每个元素(结构体)占8个字节。
二、导入表
导入表对应 DataDirectory 数组中下标为 IMAGE_DIRECTORY_ENTRY_IMPORT(值为1)的那一项:
// One 8-byte DataDirectory[] slot. For the import table this is the slot
// selected by IMAGE_DIRECTORY_ENTRY_IMPORT. The leading 0x00 / 0x04 values
// are the byte offsets of each field inside the slot.
// When parsing an untrusted file, check that VirtualAddress maps into a
// section and that the range it describes stays inside the file before
// reading anything through it.
struct _IMAGE_DATA_DIRECTORY {
0x00 DWORD VirtualAddress; // address of the import table (an RVA, not a file offset)
0x04 DWORD Size; // size in bytes
};
三、导入表结构(20个字节)
// Import descriptor, 20 bytes: five DWORDs, the first of which is a union.
// The import table is an array of these descriptors, and the array ends
// with a descriptor whose 20 bytes are all zero.
// Every RVA below comes from the file itself; a parser handling untrusted
// input should translate and bounds-check each one before following it.
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
union {
DWORD Characteristics; // shares its 4 bytes with OriginalFirstThunk (same union)
DWORD OriginalFirstThunk; // RVA of an IMAGE_THUNK_DATA array (the import name table);
                          // per the PE format this may be 0 in some binaries, in which
                          // case only FirstThunk can be walked
};
DWORD TimeDateStamp; // timestamp
DWORD ForwarderChain; // NOTE(review): not explained on this page
DWORD Name; // RVA of the DLL name, a 0-terminated string; bound the read to the
            // end of the section/file instead of trusting the terminator
DWORD FirstThunk; // RVA of an IMAGE_THUNK_DATA array (the import address table)
} IMAGE_IMPORT_DESCRIPTOR;
四、导入表名字
DWORD VirtualAddress; //导入表的地址 80 CE 01 00(小端序,即 RVA 0x0001CE80)
DWORD Size; //大小 DC 00 00 00(小端序,即 0xDC = 220 字节)
每个导入描述符(IMAGE_IMPORT_DESCRIPTOR)占20个字节;遇到20个字节全为0的描述符时,导入表结束。解析不可信文件时,还应限制遍历的项数并检查每个RVA是否落在文件范围内,不能只依赖全零结束项。
DWORD Name; //RVA,指向dll名字,该名字以0结尾
D8 D5 01 00(小端序,即 RVA 0x0001D5D8;在磁盘文件中查看时,需先通过节表把RVA换算成文件偏移)
五、导入名称表(导入地址表)
导入名称表(4字节)
// One 4-byte thunk entry of the import name table / import address table.
// All four members overlay the same 4 bytes (union u1); which reading is
// valid depends on the entry's value and on whether the image is loaded.
// The array is walked until an entry whose 4 bytes are all zero.
typedef struct _IMAGE_THUNK_DATA32 {
union {
PBYTE ForwarderString; // NOTE(review): not explained on this page
PDWORD Function; // per the PE format: the resolved function address once the
                 // loader has filled in the import address table
DWORD Ordinal; // ordinal; per the PE format, import-by-ordinal is signalled by the
               // high bit (IMAGE_ORDINAL_FLAG32, 0x80000000) and the low 16 bits
               // carry the ordinal, so test that bit before using AddressOfData
PIMAGE_IMPORT_BY_NAME AddressOfData; // points to an IMAGE_IMPORT_BY_NAME (stored as an
                                     // RVA in the file, so it must be translated first)
} u1;
} IMAGE_THUNK_DATA32;
依次遍历每一项,直到遇到4个字节全为0的项为止。
IMAGE_IMPORT_BY_NAME:
// Hint/name record that a thunk's AddressOfData refers to.
typedef struct _IMAGE_IMPORT_BY_NAME {
WORD Hint; // may be 0 (the compiler decides); when non-zero it is the function's
           // index in the export table
BYTE Name[1]; // function name, 0-terminated. Declared with one element, but the
              // string continues past the struct, so sizeof says nothing about
              // its length; bound the read to the end of the section/file
} IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME;