
PE File Format Analysis Series (Article 1): Import Table Data of a PE File (MFC Project, Debug Build)

2012-06-23 22:05

I. This PE file imports from 6 DLLs

They are:
1. mfc42d.dll

2. msvcrtd.dll

3. kernel32.dll

4. user32.dll

5. mfco42d.dll

6. msvcp60d.dll

So there are 6 IMAGE_IMPORT_DESCRIPTOR entries, one per DLL (sizeof(IMAGE_IMPORT_DESCRIPTOR) is 0x14), followed by an all-zero entry that terminates the array.

In the PE file, the IMAGE_DIRECTORY_ENTRY_IMPORT data directory points into:

Section 4, .idata: VirtualSize 0x1B95 (bytes of real data), PointerToRawData 0x27000 (position in the file), SizeOfRawData 0x2000 (rounded up to the file alignment).

So .idata occupies 0x27000-0x29000 in the file, of which 0x27000-0x28B95 is meaningful data.

A note on the addresses used below: every value stored in the import table (thunks, Name, FirstThunk) is an RVA, yet this article reads them directly as file offsets. That only works because in this binary the section's VirtualAddress equals its PointerToRawData (the Name RVA 0x27A34 lands on "MFC42D.DLL" at file offset 0x27A34). In general an RVA has to be translated through the section table before it can be used to seek in the file.
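The translation step the article skips, as an added example that is not part of the original post: parse IMAGE_SECTION_HEADER entries and map an RVA to a file offset through the section that contains it. The .idata header values are the ones quoted above; the .text header is made up (its VirtualSize is larger than its SizeOfRawData, so the example also shows an RVA that exists in memory but has no bytes in the file).

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)  # 40


def parse_section_table(raw, count):
    """Parse `count` consecutive section headers from `raw` into dicts."""
    sections = []
    for i in range(count):
        f = struct.unpack_from(SECTION_FMT, raw, i * SECTION_SIZE)
        sections.append({
            "name": f[0].rstrip(b"\0").decode(),
            "vsize": f[1], "va": f[2], "rawsize": f[3], "rawptr": f[4],
        })
    return sections


def rva_to_file_offset(sections, rva):
    """Map an RVA to a file offset via the section that contains it.
    Raises ValueError if the RVA lies outside every section, or inside a
    section's zero-filled tail that exists only in memory (VirtualSize >
    SizeOfRawData), so the caller never seeks to a meaningless position."""
    for s in sections:
        span = max(s["vsize"], s["rawsize"])
        if s["va"] <= rva < s["va"] + span:
            delta = rva - s["va"]
            if delta >= s["rawsize"]:
                raise ValueError("RVA 0x%X is in %s but has no bytes in the file"
                                 % (rva, s["name"]))
            return s["rawptr"] + delta
    raise ValueError("RVA 0x%X is not inside any section" % rva)


# Constructed section table (not read from the page's binary). .idata carries the
# values the article quotes; .text is made up so that RVA != file offset there.
SAMPLE_TABLE = (
    struct.pack(SECTION_FMT, b".text", 0x1F000, 0x1000, 0x1E000, 0x400,
                0, 0, 0, 0, 0x60000020)
    + struct.pack(SECTION_FMT, b".idata", 0x1B95, 0x27000, 0x2000, 0x27000,
                  0, 0, 0, 0, 0x40000040)
)
SECTIONS = parse_section_table(SAMPLE_TABLE, 2)

if __name__ == "__main__":
    # In this table .idata maps 1:1, .text does not.
    print(hex(rva_to_file_offset(SECTIONS, 0x27A34)), hex(rva_to_file_offset(SECTIONS, 0x1000)))
```

For a real file, the section count comes from IMAGE_FILE_HEADER.NumberOfSections and the table starts right after the optional header; the mapping function itself does not change.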

7 IMAGE_IMPORT_DESCRIPTOR structures: 0x14 * 7 = 0x8C bytes (0x27000-0x2708C); the 7th is all zero and terminates the array.
Each entry holds five DWORDs in this order: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk (all RVAs except the timestamp). In the dump below, "+" marks the first byte of each entry.
00027000 |+EC 70 02 00 00 00 00 00 | 1. mfc42d.dll

00027008 | 00 00 00 00 34 7A 02 00 |

00027010 | C0 75 02 00+74 74 02 00 | 2. msvcrtd.dll

00027018 | 00 00 00 00 00 00 00 00 |

00027020 | CC 7A 02 00 48 79 02 00 |

00027028 |+8C 70 02 00 00 00 00 00 | 3. kernel32.dll

00027030 | 00 00 00 00 6C 7C 02 00 |

00027038 | 60 75 02 00+30 75 02 00 | 4. user32.dll

00027040 | 00 00 00 00 00 00 00 00  |

00027048 | 8E 7C 02 00 04 7A 02 00 |

00027050 |+48 73 02 00 00 00 00 00 | 5. mfco42d.dll

00027058 | 00 00 00 00 9A 7C 02 00 |

00027060 | 1C 78 02 00+78 73 02 00| 6. msvcp60d.dll

00027068 | 00 00 00 00 00 00 00 00  |

00027070 | FE 88 02 00 4C 78 02 00 |

00027078 |+00 00 00 00 00 00 00 00 | 7. all zero (terminator)

00027080 | 00 00 00 00 00 00 00 00  |

00027088 | 00 00 00 00 ----------------  |

Decoded, the six entries are (OriginalFirstThunk / Name / FirstThunk; TimeDateStamp and ForwarderChain are 0 in every entry):

1. mfc42d.dll    0x270EC / 0x27A34 / 0x275C0
2. msvcrtd.dll   0x27474 / 0x27ACC / 0x27948
3. kernel32.dll  0x2708C / 0x27C6C / 0x27560
4. user32.dll    0x27530 / 0x27C8E / 0x27A04
5. mfco42d.dll   0x27348 / 0x27C9A / 0x2781C
6. msvcp60d.dll  0x27378 / 0x288FE / 0x2784C

Immediately after 0x2708C come the arrays that the OriginalFirstThunk fields point to (the Import Name Table). They are not stored in descriptor order; kernel32.dll's array comes first.

3. kernel32.dll's IMAGE_IMPORT_DESCRIPTOR.OriginalFirstThunk array
from 0x2708C to 0x270C0: 0x0C DWORDs + 1 terminating zero DWORD

0002708C | ----------- AA 7B 02 00 |

00027090 | CE 7B 02 00 DE 7B 02 00 |

00027098 | EC 7B 02 00 FC 7B 02 00 |

000270A0 | 10 7C 02 00 1E 7C 02 00 |

000270A8 | 34 7C 02 00 46 7C 02 00 |

000270B0 | 5A 7C 02 00 C0 7B 02 00 |

000270B8 | 6E 89 02 00 00 00 00 00 |

-------------------------------------------------------------

000270C0 | 00 00 00 00 00 00 00 00 |\

000270C8 | 00 00 00 00 00 00 00 00 | |

000270D0 | 00 00 00 00 00 00 00 00 | |this region is zero

000270D8 | 00 00 00 00 00 00 00 00 | |

000270E0 | 00 00 00 00 00 00 00 00 | |

000270E8 | 00 00 00 00 ----------- |/
1. mfc42d.dll's IMAGE_IMPORT_DESCRIPTOR.OriginalFirstThunk array
from 0x270EC to 0x272C4: 0x75 DWORDs + 1 terminating zero DWORD

000270EC | ----------- 83 10 00 80 |
000270F0 | 85 10 00 80 38 08 00 80 |
000270F8 | 26 0D 00 80 F2 0E 00 80 |
... (omitted)
000272A8 | 76 0E 00 80 D5 13 00 80 |
000272B0 | E0 0D 00 80 68 0F 00 80 |
000272B8 | DB 0E 00 80 4C 04 00 80 |
000272C0 | 00 00 00 00 ----------- |

The first value, 0x80001083, has its top bit (IMAGE_ORDINAL_FLAG32) set, so the function is imported by ordinal; the ordinal is the low 16 bits, 0x1083. The other values shown (0x80001085, 0x80000838, ...) are ordinal imports as well, so no name string is stored for them anywhere in the section.

-------------------------------------------------------------

000272C4 | ---------------- 00 00 00 00 |\

000272C8 | 00 00 00 00 00 00 00 00 | |

000272D0 | 00 00 00 00 00 00 00 00 | |

... (omitted)                        |this region is zero

00027330 | 00 00 00 00 00 00 00 00 | |

00027338 | 00 00 00 00 00 00 00 00 | |

00027340 | 00 00 00 00 00 00 00 00 |/
5. mfco42d.dll's IMAGE_IMPORT_DESCRIPTOR.OriginalFirstThunk array
from 0x27348 to 0x27350: 1 DWORD + 1 terminating zero DWORD

00027348 | 1E 03 00 80 00 00 00 00 |

-------------------------------------------------------------

00027350 | 00 00 00 00 00 00 00 00 |\

00027358 | 00 00 00 00 00 00 00 00 | |

00027360 | 00 00 00 00 00 00 00 00 | |this region is zero

00027368 | 00 00 00 00 00 00 00 00 | |

00027370 | 00 00 00 00 00 00 00 00 |/
6. msvcp60d.dll's IMAGE_IMPORT_DESCRIPTOR.OriginalFirstThunk array
from 0x27378 to 0x27430: 0x2D DWORDs + 1 terminating zero DWORD

00027378 | 94 88 02 00 7A 88 02 00 |

00027380 | 26 88 02 00 CA 87 02 00 |

00027388 | 7A 87 02 00 30 87 02 00 |

... (omitted)

00027418 | A4 7F 02 00 F6 7F 02 00 |

00027420 | 46 80 02 00 9C 80 02 00 |

00027428 | 18 89 02 00 00 00 00 00 |

-------------------------------------------------------------

00027430 | 00 00 00 00 00 00 00 00 |\

00027438 | 00 00 00 00 00 00 00 00 | |

00027440 | 00 00 00 00 00 00 00 00 | |

00027448 | 00 00 00 00 00 00 00 00 | |

00027450 | 00 00 00 00 00 00 00 00 | |this region is zero

00027458 | 00 00 00 00 00 00 00 00 | |

00027460 | 00 00 00 00 00 00 00 00 | |

00027468 | 00 00 00 00 00 00 00 00 | |

00027470 | 00 00 00 00 ---------------- |/
2. msvcrtd.dll's IMAGE_IMPORT_DESCRIPTOR.OriginalFirstThunk array
from 0x27474 to 0x274F0: 0x1E DWORDs + 1 terminating zero DWORD

00027474 | ----------- 88 7B 02 00 |
00027478 | 40 7A 02 00 5E 7A 02 00 |
00027480 | 68 7A 02 00 70 7A 02 00 |
00027488 | 78 7A 02 00 80 7A 02 00 |
00027490 | 8A 7A 02 00 94 7A 02 00 |
00027498 | 9E 7A 02 00 A8 7A 02 00 |
000274A0 | B2 7A 02 00 BC 7A 02 00 |
000274A8 | C4 7A 02 00 9C 7B 02 00 |
000274B0 | D8 7A 02 00 76 7B 02 00 |
000274B8 | 68 7B 02 00 58 7B 02 00 |
000274C0 | 48 7B 02 00 34 7B 02 00 |
000274C8 | 28 7B 02 00 18 7B 02 00 |
000274D0 | 0E 7B 02 00 06 7B 02 00 |
000274D8 | F8 7A 02 00 F0 7A 02 00 |
000274E0 | E6 7A 02 00 0C 89 02 00 |
000274E8 | 4A 7A 02 00 00 00 00 00 |

2.1 The first value, 0x00027B88, has its top bit clear, so this function is imported by name and 0x00027B88 is the RVA of its IMAGE_IMPORT_BY_NAME entry. The bytes at 0x27B88 (see the string dump further down) are E6 00 5F 65 78 63 65 70 74 5F 68 61 6E 64 6C 65 72 33 00 00: E6 00 is the Hint (0x00E6, little-endian), 5F 65 78 ... 65 72 33 00 is the NUL-terminated name _except_handler3, and the final 00 is padding to an even length. The Hint is not the export ordinal: it is the loader's starting index into the DLL's export name table, and if the name at that index does not match, the loader falls back to searching the export names.

2.2 The second value is 0x00027A40, which is smaller than the first (0x00027B88). One might expect the name of the second import to follow directly after the name of the first, but it does not: the linker does not store the IMAGE_IMPORT_BY_NAME entries in thunk order, and the rule it uses is not established here. What does hold is that all the name strings of all DLLs sit together in one region of the section; the loader only requires that each thunk RVA point at a valid Hint/Name entry.

-------------------------------------------------------------

000274F0 | 00 00 00 00 00 00 00 00 |\

000274F8 | 00 00 00 00 00 00 00 00 | |

00027500 | 00 00 00 00 00 00 00 00 | |

00027508 | 00 00 00 00 00 00 00 00 | |this region is zero

00027510 | 00 00 00 00 00 00 00 00 | |

00027518 | 00 00 00 00 00 00 00 00 | |

00027520 | 00 00 00 00 00 00 00 00 | |

00027528 | 00 00 00 00 00 00 00 00 |/
4. user32.dll's IMAGE_IMPORT_DESCRIPTOR.OriginalFirstThunk array
from 0x27530 to 0x27538: 1 DWORD + 1 terminating zero DWORD

00027530 | 7A 7C 02 00 00 00 00 00 |

-------------------------------------------------------------

00027538 | 00 00 00 00 00 00 00 00 |\

00027540 | 00 00 00 00 00 00 00 00 | |

00027548 | 00 00 00 00 00 00 00 00 | |this region is zero

00027550 | 00 00 00 00 00 00 00 00 | |

00027558 | 00 00 00 00 00 00 00 00 |/
II. The IAT
00027560 | AA 7B 02 00 CE 7B 02 00 |
00027568 | DE 7B 02 00 EC 7B 02 00 |
00027570 | FC 7B 02 00 10 7C 02 00 |
... (omitted)

00027A18 | 00 00 00 00 00 00 00 00 |
00027A20 | 00 00 00 00 00 00 00 00 |
00027A28 | 00 00 00 00 00 00 00 00 |
00027A30 | 00 00 00 00             |

On disk, 0x27560-0x27A34 (the FirstThunk arrays, i.e. the IAT) is byte-for-byte identical to 0x2708C-0x27560 (the OriginalFirstThunk arrays): every FirstThunk array sits exactly 0x4D4 bytes after its OriginalFirstThunk array (kernel32.dll: 0x2708C + 0x4D4 = 0x27560; mfc42d.dll: 0x270EC + 0x4D4 = 0x275C0; and so on for the descriptors decoded above), zero padding included. The two copies agree only in the file: at load time the loader overwrites the FirstThunk copy with the resolved function addresses and leaves OriginalFirstThunk alone, so anything that needs the names or ordinals of an already loaded (or dumped and unpacked) image must read them through OriginalFirstThunk.

If a string here, including its terminator, has an odd byte count, it is padded to an even length (for example MFC42D.DLL\0 is 11 bytes including the terminator and is padded to 12). This applies to DLL names and to Hint/Name entries alike, so every entry starts on a WORD boundary.

1. mfc42d.dll's IMAGE_IMPORT_DESCRIPTOR.Name (0x27A34)
00027A34 | ---------------- 4D 46 43 34 32 44 2E 44 4C 4C 00 00 | ....MFC42D.DLL..|

00027A40 | C8 00 5F 63 68 6B 65 73 70 00 5E 00 5F 5F 43 78 | ._chkesp.^.__Cx |--

00027A50 | 78 46 72 61 6D 65 48 61 6E 64 6C 65 72 00 E4 02 | xFrameHandler.. |

... (omitted)

00027AA0 | 73 74 72 6C 65 6E 00 00 D9 02 73 74 72 63 6D 70 | strlen...strcmp |

00027AB0 | 00 00 B7 02 6D 65 6D 63 6D 70 00 00 5E 02 61 74 | ...memcmp..^.at |

00027AC0 | 6F 69 00 00 5D 02 61 74 6F 66 00 00 ----------------- | oi..].atof..    |
2. msvcrtd.dll's IMAGE_IMPORT_DESCRIPTOR.Name (0x27ACC)
00027ACC | ----------------------------------- 4D 53 56 43 |             MSVC|

00027AD0 | 52 54 44 2E 64 6C 6C 00 6A 00 5F 5F 64 6C 6C 6F | RTD.dll.j.__dllo|

... (omitted)

00027B70 | 6D 6F 64 65 00 00 99 00 5F 5F 73 65 74 5F 61 70 | mode...__set_ap |

00027B80 | 70 5F 74 79 70 65 00 00 E6 00 5F 65 78 63 65 70 | p_type..._excep |--

00027B90 | 74 5F 68 61 6E 64 6C 65 72 33 00 00 D0 00 5F 63 | t_handler3..._c |--

00027BA0 | 6F 6E 74 72 6F 6C 66 70 00 00 73 01 47 65 74 4D | ontrolfp..s.GetM|--

00027BB0 | 6F 64 75 6C 65 46 69 6C 65 4E 61 6D 65 41 00 00 | oduleFileNameA..|--

00027BC0 | 31 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 68 01 | 1.CloseHandle.h.|--

00027BD0 | 47 65 74 4C 61 73 74 45 72 72 6F 72 00 00 4F 00 | GetLastError..O.|

... (omitted)

00027C50 | 65 48 61 6E 64 6C 65 41 00 00 AC 01 47 65 74 53 | eHandleA...GetS |

00027C60 | 74 61 72 74 75 70 49 6E 66 6F 41 00 ----------- | tartupInfoA.    |
3. kernel32.dll's IMAGE_IMPORT_DESCRIPTOR.Name (0x27C6C)
00027C6C | ---------------------------------------------------4B 45 52 4E |             KERN|

00027C70 | 45 4C 33 32 2E 64 6C 6C 00 00 5D 01 47 65 74 53 | EL32.dll..].GetS|

00027C80 | 79 73 74 65 6D 4D 65 74 72 69 63 73 00 00 ----- | ystemMetrics..  |
4. user32.dll's IMAGE_IMPORT_DESCRIPTOR.Name (0x27C8E)
00027C8E | -------------------------------------------------------- 55 53 |               US|

00027C90 | 45 52 33 32 2E 64 6C 6C 00 00 ---------------------- | ER32.dll..      |
5. mfco42d.dll's IMAGE_IMPORT_DESCRIPTOR.Name (0x27C9A)
00027C9A | --------------------------------------- 4D 46 43 4F 34 32 |           MFCO42|

00027CA0 | 44 2E 44 4C 4C 00 9E 00 3F 3F 30 49 6E 69 74 40 | D.DLL..??0Init@ |

00027CB0 | 69 6F 73 5F 62 61 73 65 40 73 74 64 40 40 51 41 | ios_base@std@@QA|

... (omitted)

000288D0 | 3F 24 63 68 61 72 5F 74 72 61 69 74 73 40 44 40 | ?$char_traits@D@|

000288E0 | 73 74 64 40 40 56 3F 24 61 6C 6C 6F 63 61 74 6F | std@@V?$allocato|

000288F0 | 72 40 44 40 32 40 40 30 40 30 40 5A 00 00 ----- | r@D@2@@0@0@Z..  |
6. msvcp60d.dll's IMAGE_IMPORT_DESCRIPTOR.Name (0x288FE)
000288FE | ----------------------------------------- 4D 53 |               MS|

00028900 | 56 43 50 36 30 44 2E 64 6C 6C 00 00 CB 01 5F 73 | VCP60D.dll..._s |

00028910 | 65 74 6D 62 63 70 00 00 17 02 3F 3F 48 73 74 64 | etmbcp....??Hstd|

... (omitted)

00028960 | 40 41 42 56 31 30 40 50 42 44 40 5A 00 00 5D 02 | @ABV10@PBD@Z..].|

00028970 | 4D 6F 76 65 46 69 6C 65 41 00 00 00 00 00 00 00 | MoveFileA.......|

00028980 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................|

00028990 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................|

... (omitted)

00028FC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................|

00028FD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................|

00028FE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................|

00028FF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................|

In this PE the .idata section holds only the import directory data (descriptors, thunk arrays, name strings) and the IAT; there appears to be nothing else in it. The rest of the section, up to 0x29000, is zero fill.
III. Summary

Order of the data in .idata:

1. First, N + 1 IMAGE_IMPORT_DESCRIPTOR entries (the last one all zero).

2. Immediately after them, each descriptor's OriginalFirstThunk array

   (the descriptor stores only the start RVA; each array is terminated by a 0 DWORD).

3. Then the IAT, i.e. the FirstThunk arrays of the descriptors

   (on disk byte-identical to the arrays in 2; overwritten with resolved addresses at load time).

4. Then the string data (DLL names and Hint/Name entries).


That is all there is. Of course, many 00 bytes are inserted between these four kinds of data; what are they for? Alignment? Would the file still load without them?

That will be checked in a later article.


Details to note:

1. If the top bit of a thunk value is 1 (IMAGE_ORDINAL_FLAG32 = 0x80000000 for PE32; bit 63 of a 64-bit thunk for PE32+), the function is imported by ordinal and the low 16 bits are the ordinal.

   If the top bit is 0, the function is imported by name and the value is the RVA of the

   IMAGE_IMPORT_BY_NAME entry that holds the name (an RVA, not a file offset; it coincides with the file offset in this binary only because .idata's VirtualAddress equals its PointerToRawData).

2. In a Hint/Name entry, the first two bytes are the Hint (a little-endian WORD), the loader's starting index into the exporting DLL's export name table; it is not the export ordinal. The whole entry is padded to an even length.
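A parser for the layout summarized above and for the two thunk rules just listed, as an added example that is not the article's own code. build_idata lays out a small PE32 .idata section in the order this article observed (descriptors plus terminator, the OriginalFirstThunk arrays, a byte-identical FirstThunk copy, then even-padded strings); parse_imports walks it, decoding the ordinal flag and the Hint/Name entries; bind_iat simulates what the loader does to the FirstThunk copy. The sample input is constructed: the DLL names, hints and function names are taken from the dumps above and the base RVA 0x27000 is the section start, but the packing order and padding are this example's own assumption, not the linker's algorithm.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000
# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
DESC_FMT = "<IIIII"
DESC_SIZE = struct.calcsize(DESC_FMT)  # 0x14


def build_idata(base_rva, imports):
    """Lay out a PE32 .idata section in the order observed on this page: descriptors
    plus a zero terminator, the OriginalFirstThunk arrays, an identical FirstThunk
    (IAT) copy, then the even-padded DLL-name and Hint/Name strings (assumed layout;
    a real linker picks its own). imports: [(dll, [(hint, name) | ordinal, ...]), ...]"""
    thunk_words = sum(len(funcs) + 1 for _, funcs in imports)   # +1: terminating 0 DWORD
    int_off = DESC_SIZE * (len(imports) + 1)
    iat_off = int_off + 4 * thunk_words
    str_off = iat_off + 4 * thunk_words
    strings, descs, thunks = bytearray(), bytearray(), []

    def add_string(data):
        rva = base_rva + str_off + len(strings)
        strings.extend(data)
        if len(strings) & 1:          # keep the next entry on a WORD boundary
            strings.append(0)
        return rva

    for dll, funcs in imports:
        oft = base_rva + int_off + 4 * len(thunks)
        ft = base_rva + iat_off + 4 * len(thunks)
        name_rva = add_string(dll.encode() + b"\0")
        for f in funcs:
            if isinstance(f, int):    # by ordinal: top bit set, ordinal in the low 16 bits
                thunks.append(IMAGE_ORDINAL_FLAG32 | f)
            else:                     # by name: RVA of Hint (WORD) + NUL-terminated name
                hint, name = f
                thunks.append(add_string(struct.pack("<H", hint) + name.encode() + b"\0"))
        thunks.append(0)
        descs += struct.pack(DESC_FMT, oft, 0, 0, name_rva, ft)
    descs += bytes(DESC_SIZE)         # all-zero terminating descriptor
    thunk_bytes = struct.pack("<%dI" % len(thunks), *thunks)
    return bytes(descs) + thunk_bytes + thunk_bytes + bytes(strings)


def parse_imports(section, base_rva, use_iat=False):
    """Walk the descriptors and thunk arrays of a .idata section image; return
    [(dll, [("ordinal", n) | ("name", hint, name), ...]), ...]. Reads the
    OriginalFirstThunk arrays unless use_iat is set (FirstThunk: valid only on disk)."""
    def off(rva):
        o = rva - base_rva
        if not 0 <= o < len(section):
            raise ValueError("RVA 0x%X is outside the section" % rva)
        return o

    def cstr(o):
        return section[o:section.index(b"\0", o)].decode()

    result, pos = [], 0
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from(DESC_FMT, section, pos)
        pos += DESC_SIZE
        if oft == 0 and name_rva == 0 and ft == 0:
            break                                  # the all-zero terminator
        entries, t = [], off(ft if use_iat else oft)
        while True:
            thunk, = struct.unpack_from("<I", section, t)
            t += 4
            if thunk == 0:
                break
            if thunk & IMAGE_ORDINAL_FLAG32:
                entries.append(("ordinal", thunk & 0xFFFF))
            else:
                n = off(thunk)
                hint, = struct.unpack_from("<H", section, n)  # Hint, not the ordinal
                entries.append(("name", hint, cstr(n + 2)))
        result.append((cstr(off(name_rva)), entries))
    return result


def bind_iat(section, base_rva, resolve):
    """Simulate the loader: overwrite every FirstThunk slot with resolve(dll, entry)
    and leave the OriginalFirstThunk arrays untouched."""
    out = bytearray(section)
    for i, (dll, entries) in enumerate(parse_imports(section, base_rva)):
        ft = struct.unpack_from(DESC_FMT, section, i * DESC_SIZE)[4]
        for j, entry in enumerate(entries):
            struct.pack_into("<I", out, ft - base_rva + 4 * j, resolve(dll, entry))
    return bytes(out)


# Constructed sample (not the page's binary): names and hints come from the dumps
# above, the base RVA is the section start. _except_handler3 needs a pad byte;
# MFC42D.DLL is imported by ordinal only, so it gets no name strings.
SAMPLE = build_idata(0x27000, [
    ("MSVCRTD.dll", [(0xE6, "_except_handler3"), (0xD0, "_controlfp")]),
    ("MFC42D.DLL", [0x1083, 0x1085, 0x0838]),
])

if __name__ == "__main__":
    for dll, entries in parse_imports(SAMPLE, 0x27000):
        print(dll, entries)
```

After bind_iat the FirstThunk slots hold addresses rather than RVAs, so parse_imports(..., use_iat=True) on the bound image raises instead of returning names: that is the failure a dumper hits when it reads an in-memory IAT as if it were still the on-disk copy.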


Next step: look at how the loader processes the import table.
