<br>
mov
ValidPE, TRUE <br>
.else <br>
mov
ValidPE, FALSE <br>
.endif <br>
.else <br>
mov ValidPE,FALSE
<br>
.endif <br>
FinalExit: <br>
push seh.PrevLink <br>
pop fs:[0] <br>
.if ValidPE==TRUE <br>
invoke ShowTheFunctions,
hDlg, edi <br>
.else <br>
invoke MessageBox,0,
addr NotValidPE, addr AppName, MB_OK+MB_ICONERROR<br>
</font><font face="Fixedsys">.endif
<br>
invoke UnmapViewOfFile, pMapping
<br>
.else <br>
invoke MessageBox, 0, addr
FileMappingError, addr AppName, MB_OK+MB_ICONERROR <br>
.endif <br>
invoke CloseHandle,hMapping <br>
.else <br>
invoke MessageBox, 0, addr FileOpenMappingError,
addr AppName, MB_OK+MB_ICONERROR <br>
.endif <br>
invoke CloseHandle, hFile <br>
.else <br>
invoke MessageBox, 0, addr FileOpenError, addr AppName,
MB_OK+MB_ICONERROR <br>
.endif <br>
.endif <br>
ret <br>
ShowExportFunctions endp <br>
<br>
;-----------------------------------------------------------------------<br>
; AppendText - append one line of text to the IDC_EDIT control<br>
; In:    hDlg  = handle of the dialog that owns the edit control<br>
;        pText = pointer to the zero-terminated text to append<br>
; Out:   eax = result of the last SendDlgItemMessage (not meaningful)<br>
;-----------------------------------------------------------------------<br>
AppendText proc hDlg:DWORD,pText:DWORD <br>
; EM_REPLACESEL with no selection inserts at the caret and leaves the <br>
; caret after the inserted text, so the text is followed by a CRLF <br>
invoke SendDlgItemMessage,hDlg,IDC_EDIT,EM_REPLACESEL,0,pText <br>
invoke SendDlgItemMessage,hDlg,IDC_EDIT,EM_REPLACESEL,0,offset CRLF <br>
; EM_SETSEL with wParam = -1 drops any selection left behind <br>
invoke SendDlgItemMessage,hDlg,IDC_EDIT,EM_SETSEL,-1,0 <br>
ret <br>
AppendText endp <br>
<br>
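;-----------------------------------------------------------------------<br>
; RVAToFileMap - translate an RVA into an address inside the file mapping<br>
; In:    pFileMap = base address of the mapped PE file<br>
;        RVA      = relative virtual address to translate<br>
; Out:   eax = pFileMap + file offset of the RVA when the RVA lies inside<br>
;              the raw data of some section; otherwise the RVA itself,<br>
;              unchanged (see the comment at the end - it is NOT a<br>
;              pointer into the mapping)<br>
; Regs:  edi esi edx ecx are saved/restored by the uses list<br>
; NOTE:  nothing here is checked against the size of the mapping.<br>
;        e_lfanew, NumberOfSections, SizeOfOptionalHeader and<br>
;        PointerToRawData are all read from the file being inspected, so<br>
;        a malformed PE can steer this routine outside the mapping.<br>
;        Callers that accept untrusted files must validate the headers<br>
;        beforehand or run this under an exception handler.<br>
;-----------------------------------------------------------------------<br>
RVAToFileMap PROC uses edi esi edx ecx pFileMap:DWORD,RVA:DWORD <br>
mov esi,pFileMap <br>
assume esi:ptr IMAGE_DOS_HEADER <br>
add esi,[esi].e_lfanew ; esi -> IMAGE_NT_HEADERS <br>
assume esi:ptr IMAGE_NT_HEADERS <br>
mov edi,RVA ; edi == RVA <br>
; The section table starts right after the optional header, whose real <br>
; length is FileHeader.SizeOfOptionalHeader - it need not equal the <br>
; sizeof IMAGE_NT_HEADERS layout, so locate it the way IMAGE_FIRST_SECTION does <br>
lea edx,[esi].OptionalHeader <br>
movzx eax,[esi].FileHeader.SizeOfOptionalHeader <br>
add edx,eax ; edx -> first IMAGE_SECTION_HEADER <br>
movzx ecx,[esi].FileHeader.NumberOfSections ; ecx = sections left to scan <br>
assume edx:ptr IMAGE_SECTION_HEADER <br>
.while ecx>0 <br>
; unsigned compares: VirtualAddress and SizeOfRawData are DWORDs <br>
.if edi>=[edx].VirtualAddress <br>
mov eax,[edx].VirtualAddress <br>
add eax,[edx].SizeOfRawData ; eax = end of this section's raw data (RVA) <br>
.if edi<eax ; The address is in this section <br>
sub edi,[edx].VirtualAddress ; edi = offset of the RVA within the section <br>
mov eax,[edx].PointerToRawData <br>
add eax,edi ; eax = file offset <br>
add eax,pFileMap ; eax = address inside the mapping <br>
ret <br>
.endif <br>
.endif <br>
add edx,sizeof IMAGE_SECTION_HEADER <br>
dec ecx <br>
.endw <br>
assume edx:nothing <br>
assume esi:nothing <br>
; Not inside the raw data of any section: the RVA is returned as-is. <br>
; It has not been rebased onto pFileMap, so it must not be dereferenced <br>
mov eax,edi <br>
ret <br>
RVAToFileMap endp <br>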
<br>
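;-----------------------------------------------------------------------<br>
; ShowTheFunctions - list every named export of the mapped PE file<br>
; In:    hDlg   = dialog whose IDC_EDIT control receives the listing<br>
;        pNTHdr = pointer to the IMAGE_NT_HEADERS inside the mapping<br>
; Uses:  pMapping (global base of the file mapping) through RVAToFileMap<br>
; Regs:  esi edi ebx are callee-saved under stdcall, so all three are in<br>
;        the uses list (edi was missing before); ecx stays for<br>
;        compatibility with existing callers<br>
; NOTE:  every count and RVA below is read from the file itself and is<br>
;        not checked against the size of the mapping. The SEH frame set<br>
;        up by ShowExportFunctions has already been removed (FinalExit)<br>
;        when this routine runs, so a malformed export table can fault<br>
;        the program. The check in the loop only guards the index into<br>
;        AddressOfFunctions.<br>
;-----------------------------------------------------------------------<br>
ShowTheFunctions proc uses esi edi ebx ecx hDlg:DWORD, pNTHdr:DWORD <br>
LOCAL temp[512]:BYTE <br>
LOCAL NumberOfNames:DWORD <br>
LOCAL NumberOfFunctions:DWORD <br>
LOCAL Base:DWORD <br>
<br>
mov edi,pNTHdr <br>
assume edi:ptr IMAGE_NT_HEADERS <br>
mov edi, [edi].OptionalHeader.DataDirectory.VirtualAddress ; edi = RVA of the export directory <br>
.if edi==0 ; no export table in this file <br>
invoke MessageBox,0, addr NoExportTable,addr AppName,MB_OK+MB_ICONERROR <br>
ret <br>
.endif <br>
invoke SetDlgItemText,hDlg,IDC_EDIT,0 ; clear the edit control <br>
invoke AppendText,hDlg,addr buffer <br>
invoke RVAToFileMap,pMapping,edi <br>
mov edi,eax ; edi -> IMAGE_EXPORT_DIRECTORY inside the mapping <br>
assume edi:ptr IMAGE_EXPORT_DIRECTORY <br>
; eax = mapped address of the module name, passed straight to wsprintf <br>
invoke RVAToFileMap, pMapping,[edi].nName <br>
invoke wsprintf, addr temp,addr ExportTable, eax, [edi].nBase, [edi].NumberOfFunctions, [edi].NumberOfNames, [edi].AddressOfFunctions, [edi].AddressOfNames, [edi].AddressOfNameOrdinals <br>
invoke AppendText,hDlg,addr temp <br>
invoke AppendText,hDlg,addr Header <br>
; Keep the counts and the ordinal base in locals: edi is reused below <br>
push [edi].NumberOfNames <br>
pop NumberOfNames <br>
push [edi].NumberOfFunctions <br>
pop NumberOfFunctions <br>
push [edi].nBase <br>
pop Base <br>
; Resolve the three parallel arrays of the export directory <br>
invoke RVAToFileMap,pMapping,[edi].AddressOfNames <br>
mov esi,eax ; esi -> AddressOfNames (DWORD RVAs of the name strings) <br>
invoke RVAToFileMap,pMapping,[edi].AddressOfNameOrdinals <br>
mov ebx,eax ; ebx -> AddressOfNameOrdinals (WORD indexes) <br>
invoke RVAToFileMap,pMapping,[edi].AddressOfFunctions <br>
mov edi,eax ; edi -> AddressOfFunctions (DWORD RVAs of the functions) <br>
assume edi:nothing <br>
.while NumberOfNames>0 <br>
invoke RVAToFileMap,pMapping,dword ptr [esi] ; eax -> name of the current export <br>
movzx edx,word ptr [ebx] ; edx = index into AddressOfFunctions <br>
; An index at or past NumberOfFunctions would read outside the array; skip it <br>
.if edx<NumberOfFunctions <br>
mov ecx,edx <br>
add ecx,Base ; ecx = ordinal = index + nBase <br>
shl edx,2 ; each AddressOfFunctions entry is 4 bytes <br>
add edx,edi ; edx -> RVA of the function <br>
invoke wsprintf, addr temp,addr template,dword ptr [edx],ecx,eax <br>
invoke AppendText,hDlg,addr temp <br>
.endif <br>
dec NumberOfNames <br>
add esi,4 ; next name RVA <br>
add ebx,2 ; next ordinal index <br>
.endw <br>
ret <br>
ShowTheFunctions endp <br>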
end start </font></p>
<h3><font face="Arial, Helvetica, sans-serif">Analysis:</font></h3>
<p><font face="Fixedsys">mov edi,pNTHdr <br>
assume edi:ptr IMAGE_NT_HEADERS <br>
mov edi, [edi].OptionalHeader.DataDirectory.VirtualAddress <br>
.if edi==0 <br>
invoke MessageBox,0, addr NoExportTable,addr AppName,MB_OK+MB_ICONERROR
<br>
ret <br>
.endif </font></p>
<p><font face="MS Sans Serif" size="-1">After the program verifies that the file
is a valid PE, it goes to the data directory and obtains the virtual address
of the export table. If that virtual address is zero, the file doesn't have any
exported symbols.</font></p>
<p><font face="Fixedsys">mov eax,[edi].NumberOfFunctions <br>
invoke RVAToFileMap, pMapping,[edi].nName <br>
invoke wsprintf, addr temp,addr ExportTable, eax, [edi].nBase, [edi].NumberOfFunctions,
[edi].NumberOfNames, [edi].AddressOfFunctions, [edi].AddressOfNames, [edi].AddressOfNameOrdinals
<br>
invoke AppendText,hDlg,addr temp </font></p>
<p><font face="MS Sans Serif" size="-1">We display the important information in
the<font color="#CCFFCC"><b> IMAGE_EXPORT_DIRECTORY</b></font> structure in
the edit control.</font></p>
<p><font face="Fixedsys">push [edi].NumberOfNames <br>
pop NumberOfNames <br>
push [edi].nBase <br>
pop Base </font></p>
<p><font face="MS Sans Serif" size="-1">Since we want to enumerate all function
names, we need to know how many names there are in the export table. <font color="#FFFFCC"><b>nBase</b></font>
is needed to convert an index into the <font color="#FFFFCC"><b>AddressOfFunctions</b></font>
array into an ordinal. </font></p>
<p><font face="Fixedsys">invoke RVAToFileMap,pMapping,[edi].AddressOfNames <br>
mov esi,eax <br>
invoke RVAToFileMap,pMapping,[edi].AddressOfNameOrdinals <br>
mov ebx,eax <br>
invoke RVAToFileMap,pMapping,[edi].AddressOfFunctions <br>
mov edi,eax</font></p>
<p><font face="MS Sans Serif" size="-1">The addresses of the three arrays are
stored in esi, ebx, and edi, ready to be accessed.</font></p>
<p><font face="Fixedsys">.while NumberOfNames>0 </font></p>
<p><font face="MS Sans Serif" size="-1">Continue until all names are processed.</font></p>
<p><font face="Fixedsys"> invoke RVAToFileMap,pMapping,dword ptr
[esi] </font></p>
<p><font face="MS Sans Serif" size="-1">Since esi points to an array of RVAs of
the exported names, dereferencing it gives the RVA of the current name. We
convert that RVA to a virtual address, to be used by wsprintf later.</font></p>
<p><font face="Fixedsys"> mov dx,[ebx] <br>
movzx edx,dx <br>
mov ecx,edx<br>
add ecx,Base <br>
</font><font face="Fixedsys"></font><font face="Fixedsys"> </font></p>
<p><font face="MS Sans Serif" size="-1">ebx points to the array of ordinals. Its
elements are word-sized, so we zero-extend each value to a dword
first. edx and ecx now both contain the index into the <font color="#FFFFCC"><b>AddressOfFunctions</b></font>
array. We will use edx to build the pointer into the <font color="#FFFFCC"><b>AddressOfFunctions</b></font>
array, and we add the value of nBase to ecx to obtain the ordinal number of the
function. </font></p>
<p><font face="Fixedsys"> </font><font face="Fixedsys"> shl edx,2
<br>
add edx,edi </font></p>
<p><font face="MS Sans Serif" size="-1">We multiply the index by 4 (each element
in the <font color="#FFFFCC"><b>AddressOfFunctions</b></font> array is 4 bytes
in size) and then add the address of the <font color="#FFFFCC"><b>AddressOfFunctions</b></font>
array to it. Thus edx points to the RVA of the function.</font></p>
<p><font face="Fixedsys"> invoke wsprintf, addr temp,addr template,dword
ptr [edx],ecx,eax <br>
invoke AppendText,hDlg,addr temp </font></p>
<p><font face="MS Sans Serif" size="-1">We display the RVA, ordinal, and the name
of the function in the edit control.</font></p>
<p><font face="Fixedsys"> dec NumberOfNames <br>
add esi,4 <br>
add ebx,2 <br>
.endw </font></p>
<p><font face="MS Sans Serif" size="-1">Update the counter and advance to the
next elements of the <font color="#FFFFCC"><b>AddressOfNames</b></font> and
<font color="#FFFFCC"> <b>AddressOfNameOrdinals</b></font> arrays. Continue
until all names are processed.</font></p>
<hr>
<p align="center"><font face="MS Sans Serif" size="-1"><b>[<a href="http://win32asm.cjb.net">Iczelion's
Win32 Assembly Homepage</a>]</b></font></p>
<p> </p>
</body>
</html>