<td>
<div align="center"><font face="MS Sans Serif" size="-1">IMAGE_THUNK_DATA</font></div>
</td>
</tr>
<tr bgcolor="#666600">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">IMAGE_THUNK_DATA</font></div>
</td>
</tr>
<tr bgcolor="#666600">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">...</font></div>
</td>
</tr>
<tr bgcolor="#666600">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">IMAGE_THUNK_DATA</font></div>
</td>
</tr>
</table>
</td>
<td width="58">
<table border="0" cellspacing="2" cellpadding="2" align="center">
<tr>
<td nowrap><font face="MS Sans Serif" size="-1">---></font></td>
</tr>
<tr>
<td nowrap><font face="MS Sans Serif" size="-1">---></font></td>
</tr>
<tr>
<td nowrap><font face="MS Sans Serif" size="-1">---></font></td>
</tr>
<tr>
<td nowrap><font face="MS Sans Serif" size="-1">---></font></td>
</tr>
<tr>
<td nowrap><font face="MS Sans Serif" size="-1">---></font></td>
</tr>
<tr>
<td nowrap><font face="MS Sans Serif" size="-1">---></font></td>
</tr>
</table>
</td>
<td width="183">
<table border="1" cellspacing="2" cellpadding="2" align="center">
<tr bgcolor="#660066">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">Function
1</font></div>
</td>
</tr>
<tr bgcolor="#660066">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">Function
2</font></div>
</td>
</tr>
<tr bgcolor="#660066">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">Function
3</font></div>
</td>
</tr>
<tr bgcolor="#660066">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">Function
4 </font></div>
</td>
</tr>
<tr bgcolor="#660066">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">...</font></div>
</td>
</tr>
<tr bgcolor="#660066">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">Function
n</font></div>
</td>
</tr>
</table>
</td>
<td align="center" valign="middle" width="27">
<table border="0" cellspacing="2" cellpadding="2" align="center">
<tr>
<td nowrap><font face="MS Sans Serif" size="-1">&lt;---</font></td>
</tr>
<tr>
<td nowrap><font face="MS Sans Serif" size="-1">&lt;---</font></td>
</tr>
<tr>
<td nowrap><font face="MS Sans Serif" size="-1">&lt;---</font></td>
</tr>
<tr>
<td nowrap><font face="MS Sans Serif" size="-1">&lt;---</font></td>
</tr>
<tr>
<td nowrap><font face="MS Sans Serif" size="-1">&lt;---</font></td>
</tr>
<tr>
<td nowrap><font face="MS Sans Serif" size="-1">&lt;---</font></td>
</tr>
</table>
</td>
<td width="152">
<table border="1" cellspacing="2" cellpadding="2" align="center">
<tr bgcolor="#666600">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">IMAGE_THUNK_DATA</font></div>
</td>
</tr>
<tr bgcolor="#666600">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">IMAGE_THUNK_DATA</font></div>
</td>
</tr>
<tr bgcolor="#666600">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">IMAGE_THUNK_DATA</font></div>
</td>
</tr>
<tr bgcolor="#666600">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">IMAGE_THUNK_DATA</font></div>
</td>
</tr>
<tr bgcolor="#666600">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">...</font></div>
</td>
</tr>
<tr bgcolor="#666600">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">IMAGE_THUNK_DATA</font></div>
</td>
</tr>
</table>
</td>
</tr>
</table>
<p><font face="MS Sans Serif" size="-1">Now you should be able to understand what
I mean. Don't be confused by the name <font color="#CCFFCC"><b>IMAGE_THUNK_DATA</b></font>:
it's only the RVA of an <font color="#CCFFCC"><b>IMAGE_IMPORT_BY_NAME</b></font>
structure. If you replace the word <font color="#CCFFCC"><b>IMAGE_THUNK_DATA</b></font>
with RVA in your mind, you'll perhaps see it more clearly. The number of
elements in the <font color="#FFFFCC"><b>OriginalFirstThunk</b></font> and <font color="#FFFFCC"><b>FirstThunk</b></font>
arrays depends on the number of functions the PE file imports from the DLL. For example,
if the PE file imports 10 functions from kernel32.dll, <font color="#FFFFCC"><b>Name1</b></font>
in the <font color="#CCFFCC"><b>IMAGE_IMPORT_DESCRIPTOR</b></font> structure
will contain the RVA of the string "kernel32.dll" and there will be
10 <font color="#CCFFCC"><b>IMAGE_THUNK_DATA</b></font>s in each array. <br>
The next question is: why do we need two arrays that are exactly the same? To
answer that question, we need to know that when the PE file is loaded into memory,
the PE loader looks at the <font color="#CCFFCC"><b>IMAGE_THUNK_DATA</b></font>s
and <font color="#CCFFCC"><b>IMAGE_IMPORT_BY_NAME</b></font>s and determines
the addresses of the imported functions. It then replaces the <font color="#CCFFCC"><b>IMAGE_THUNK_DATA</b></font>s
in the array pointed to by <font color="#FFFFCC"><b>FirstThunk</b></font> with
the real addresses of the functions. Thus, when the PE file is ready to run,
the above picture is changed to:</font></p>
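<p><font face="MS Sans Serif" size="-1">Before the second picture, here is the same step as an added example (not code from the original tutorial): it builds a small constructed PE32 import fragment, reads both arrays, then performs the loader's replacement. Assumptions: RVAs equal offsets into the buffer, the function addresses are made-up values, and the helper names are hypothetical.</font></p>

```python
import struct

def build_image(dll, funcs):
    """Constructed PE32 fragment. Assumption: RVA == offset into this buffer."""
    img = bytearray(40)                      # one IMAGE_IMPORT_DESCRIPTOR + zero terminator
    name_rva = len(img)
    img += dll.encode() + b"\0"
    by_name = []
    for hint, fn in enumerate(funcs):        # IMAGE_IMPORT_BY_NAME: WORD Hint, ASCIIZ name
        img += b"\0" * (len(img) % 2)
        by_name.append(len(img))
        img += struct.pack("<H", hint) + fn.encode() + b"\0"
    img += b"\0" * (-len(img) % 4)
    array = struct.pack("<%dI" % (len(funcs) + 1), *by_name, 0)  # zero-terminated
    oft_rva = len(img)
    img += array                             # OriginalFirstThunk array
    ft_rva = len(img)
    img += array                             # FirstThunk array, identical on disk
    struct.pack_into("<5I", img, 0, oft_rva, 0, 0, name_rva, ft_rva)
    return img

def cstr(img, rva):
    return bytes(img[rva:img.index(0, rva)]).decode()

def thunks(img, rva):                        # read DWORDs up to the zero entry
    out = []
    while (v := struct.unpack_from("<I", img, rva)[0]) != 0:
        out.append(v)
        rva += 4
    return out

def bind(img, exports):
    """Loader step from the text: look names up, overwrite FirstThunk."""
    oft, _, _, name1, ft = struct.unpack_from("<5I", img, 0)
    dll = cstr(img, name1)
    for i, rva in enumerate(thunks(img, oft)):
        if rva & 0x80000000:                 # import by ordinal: not covered here
            raise NotImplementedError("ordinal import")
        addr = exports[dll][cstr(img, rva + 2)]   # +2 skips the Hint word
        struct.pack_into("<I", img, ft + 4 * i, addr)

def demo():
    # Constructed addresses standing in for the DLL's real export addresses.
    exports = {"kernel32.dll": {"ExitProcess": 0x77E01000, "GetModuleHandleA": 0x77E02000}}
    img = build_image("kernel32.dll", list(exports["kernel32.dll"]))
    oft, _, _, _, ft = struct.unpack_from("<5I", img, 0)
    before = (thunks(img, oft), thunks(img, ft))
    bind(img, exports)
    return before, (thunks(img, oft), thunks(img, ft))
```

<p><font face="MS Sans Serif" size="-1">After <b>bind</b>, only the FirstThunk array holds addresses. OriginalFirstThunk still leads to the names, so each FirstThunk slot can still be matched to the function it was imported as.</font></p>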
<table border="0" cellspacing="1" cellpadding="1" align="center">
<tr>
<th bgcolor="#006666"><font face="MS Sans Serif" size="-1">OriginalFirstThunk</font></th>
<th> </th>
<th bgcolor="#006666"><font face="MS Sans Serif" size="-1">IMAGE_IMPORT_BY_NAME</font></th>
<th> </th>
<th bgcolor="#006666"><font face="MS Sans Serif" size="-1">FirstThunk</font></th>
</tr>
<tr>
<td>
<p align="center"> | </p>
</td>
<td> </td>
<td>
<div align="center"></div>
</td>
<td> </td>
<td>
<div align="center"><font face="MS Sans Serif" size="-1">|</font></div>
</td>
</tr>
<tr>
<td>
<table border="1" cellspacing="2" cellpadding="2" align="center">
<tr bgcolor="#666600">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">IMAGE_THUNK_DATA</font></div>
</td>
</tr>
<tr bgcolor="#666600">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">IMAGE_THUNK_DATA</font></div>
</td>
</tr>
<tr bgcolor="#666600">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">IMAGE_THUNK_DATA</font></div>
</td>
</tr>
<tr bgcolor="#666600">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">IMAGE_THUNK_DATA</font></div>
</td>
</tr>
<tr bgcolor="#666600">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">...</font></div>
</td>
</tr>
<tr bgcolor="#666600">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">IMAGE_THUNK_DATA</font></div>
</td>
</tr>
</table>
</td>
<td>
<table border="0" cellspacing="2" cellpadding="2" align="center">
<tr>
<td nowrap><font face="MS Sans Serif" size="-1">---></font></td>
</tr>
<tr>
<td nowrap><font face="MS Sans Serif" size="-1">---></font></td>
</tr>
<tr>
<td nowrap><font face="MS Sans Serif" size="-1">---></font></td>
</tr>
<tr>
<td nowrap><font face="MS Sans Serif" size="-1">---></font></td>
</tr>
<tr>
<td nowrap><font face="MS Sans Serif" size="-1">---></font></td>
</tr>
<tr>
<td nowrap><font face="MS Sans Serif" size="-1">---></font></td>
</tr>
</table>
</td>
<td>
<table border="1" cellspacing="2" cellpadding="2" align="center">
<tr bgcolor="#660066">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">Function
1</font></div>
</td>
</tr>
<tr bgcolor="#660066">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">Function
2</font></div>
</td>
</tr>
<tr bgcolor="#660066">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">Function
3</font></div>
</td>
</tr>
<tr bgcolor="#660066">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">Function
4 </font></div>
</td>
</tr>
<tr bgcolor="#660066">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">...</font></div>
</td>
</tr>
<tr bgcolor="#660066">
<td>
<div align="center"><font face="MS Sans Serif" size="-1">Function
n</font></div>
</td>
</tr>
</table>
</td>
<td align="center" valign="middle">
<table border="0" cellspacing="2" cellpadding="2" align="center">
<tr>
<td nowrap> </td>
</tr>
<tr>
<td nowrap> </td>
</tr>
<tr>