</td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font
size="2" face="MS Sans Serif">...</font> </td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font
size="2" face="MS Sans Serif">IMAGE_THUNK_DATA</font>
</td>
</tr>
</table>
</td>
</tr>
</table>
<p><font size="2">Now you should see what I mean. Don't be misled by the name </font><font
color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_THUNK_DATA</b></font><font
size="2">: in the by-name case it is simply an RVA that points to an </font><font
color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_IMPORT_BY_NAME</b></font><font
size="2"> structure. It is easier to follow if you read </font><font
color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_THUNK_DATA</b></font><font
size="2"> as "RVA". The size of the two arrays pointed to by </font><font
color="#FFFFCC" size="2" face="MS Sans Serif"><b>OriginalFirstThunk</b></font><font
size="2"> and </font><font color="#FFFFCC" size="2" face="MS Sans Serif"><b>FirstThunk</b></font><font
size="2"> depends on how many functions the PE file imports from that DLL. For example, if the PE file imports 10 functions from </font><font
size="2" face="MS Sans Serif">kernel32.dll</font><font size="2">, the </font><font
color="#FFFFCC" size="2" face="MS Sans Serif"><b>Name1</b></font><font
size="2"> field of the </font><font color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_IMPORT_DESCRIPTOR</b></font><font
size="2"> holds the RVA of the string </font><font size="2" face="MS Sans Serif">"kernel32.dll"</font><font
size="2">, and each </font><font color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_THUNK_DATA</b></font><font
size="2"> array has 10 elements, followed by an all-zero element that terminates the array.</font></p>
<p><font size="2">The next question is: why do we need two arrays with identical contents? To answer it we need to know what happens when the PE file is loaded into memory. The PE loader walks the </font><font
color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_THUNK_DATA</b></font><font
size="2"> array and the </font><font color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_IMPORT_BY_NAME</b></font><font
size="2"> structures it refers to in order to determine the address of each imported function. It then overwrites every element of the </font><font
color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_THUNK_DATA</b></font><font
size="2"> array pointed to by </font><font color="#FFFFCC" size="2" face="MS Sans Serif"><b>FirstThunk</b></font><font
size="2"> with the real address of the function. So by the time the PE file is ready to execute, the picture above has turned into:</font></p>
<table border="0" cellspacing="1">
<tr>
<th bgcolor="#006666"><font size="2" face="MS Sans Serif">OriginalFirstThunk</font></th>
<th> </th>
<th bgcolor="#006666"><font size="2" face="MS Sans Serif">IMAGE_IMPORT_BY_NAME</font></th>
<th> </th>
<th bgcolor="#006666"><font size="2" face="MS Sans Serif">FirstThunk</font></th>
</tr>
<tr>
<td align="center"><p align="center">| </p>
</td>
<td align="center"> </td>
<td align="center"> </td>
<td align="center"> </td>
<td align="center"><font size="2" face="MS Sans Serif">|</font>
</td>
</tr>
<tr>
<td align="center"><table border="1" cellpadding="2">
<tr>
<td align="center" bgcolor="#666600"><font
size="2" face="MS Sans Serif">IMAGE_THUNK_DATA</font>
</td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font
size="2" face="MS Sans Serif">IMAGE_THUNK_DATA</font>
</td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font
size="2" face="MS Sans Serif">IMAGE_THUNK_DATA</font>
</td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font
size="2" face="MS Sans Serif">IMAGE_THUNK_DATA</font>
</td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font
size="2" face="MS Sans Serif">...</font> </td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font
size="2" face="MS Sans Serif">IMAGE_THUNK_DATA</font>
</td>
</tr>
</table>
</td>
<td align="center"><table border="0" cellpadding="2">
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif">---></font></td>
</tr>
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif">---></font></td>
</tr>
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif">---></font></td>
</tr>
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif">---></font></td>
</tr>
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif">---></font></td>
</tr>
<tr>
<td align="center" nowrap><font size="2"
face="MS Sans Serif">---></font></td>
</tr>
</table>
</td>
<td align="center"><table border="1" cellpadding="2">
<tr>
<td align="center" bgcolor="#660066"><font
size="2" face="MS Sans Serif">Function 1</font> </td>
</tr>
<tr>
<td align="center" bgcolor="#660066"><font
size="2" face="MS Sans Serif">Function 2</font> </td>
</tr>
<tr>
<td align="center" bgcolor="#660066"><font
size="2" face="MS Sans Serif">Function 3</font> </td>
</tr>
<tr>
<td align="center" bgcolor="#660066"><font
size="2" face="MS Sans Serif">Function 4 </font></td>
</tr>
<tr>
<td align="center" bgcolor="#660066"><font
size="2" face="MS Sans Serif">...</font> </td>
</tr>
<tr>
<td align="center" bgcolor="#660066"><font
size="2" face="MS Sans Serif">Function n</font> </td>
</tr>
</table>
</td>
<td align="center"><table border="0" cellpadding="2">
<tr>
<td align="center" nowrap> </td>
</tr>
<tr>
<td align="center" nowrap> </td>
</tr>
<tr>
<td align="center" nowrap> </td>
</tr>
<tr>
<td align="center" nowrap> </td>
</tr>
<tr>
<td align="center" nowrap> </td>
</tr>
<tr>
<td align="center" nowrap> </td>
</tr>
</table>
</td>
<td align="center"><table border="1" cellpadding="2">
<tr>
<td align="center" bgcolor="#666600"><font
size="2" face="MS Sans Serif">Address of Function
1</font> </td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font
size="2" face="MS Sans Serif">Address of Function
2</font> </td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font
size="2" face="MS Sans Serif">Address of Function
3</font> </td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font
size="2" face="MS Sans Serif">Address of Function
4</font> </td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font
size="2" face="MS Sans Serif">...</font> </td>
</tr>
<tr>
<td align="center" bgcolor="#666600"><font
size="2" face="MS Sans Serif">Address of Function
n </font></td>
</tr>
</table>
</td>
</tr>
</table>
<p><font size="2">The RVA array pointed to by </font><font color="#FFFFCC" size="2"
face="MS Sans Serif"><b>OriginalFirstThunk</b></font><font
size="2"> is never modified, so if the PE loader (or anything else, such as a debugger or an import-rebuilding tool) needs to go back and find the name of an imported function, it can still do so. One practical caveat: some older linkers (Borland's TLINK, for instance) write 0 into </font><font
color="#FFFFCC" size="2" face="MS Sans Serif"><b>OriginalFirstThunk</b></font><font
size="2">; a parser must then fall back to the </font><font color="#FFFFCC" size="2" face="MS Sans Serif"><b>FirstThunk</b></font><font
size="2"> array, which on disk still holds the same RVAs.<br>
</font><font size="2">Of course, even simple things have a complicated side. Some functions are exported by ordinal only, which means you cannot import them by name: you can only refer to them by their position in the export table. In that case the calling module has no </font><font
color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_IMPORT_BY_NAME</b></font><font
size="2"> structure for the function. Instead, the low word of the function's </font><font color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_THUNK_DATA</b></font><font
size="2"> value holds the ordinal, and its most significant bit </font><font size="2" face="MS Sans Serif">(MSB)</font><font
size="2"> is set to 1. For example, if a function is exported by ordinal only and its ordinal is </font><font
size="2" face="MS Sans Serif">1234h</font><font size="2">, the </font><font color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_THUNK_DATA</b></font><font
size="2"> value for that function is </font><font size="2" face="MS Sans Serif">80001234h</font><font size="2">. Microsoft provides a convenient constant for testing the MSB of a </font><font
size="2" face="MS Sans Serif">dword</font><font size="2">, </font><font color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_ORDINAL_FLAG32</b></font><font
size="2">, whose value is </font><font size="2" face="MS Sans Serif">80000000h</font><font
size="2">. (In a PE32+ image each thunk is a qword and the corresponding constant is </font><font color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_ORDINAL_FLAG64</b></font><font
size="2">, </font><font size="2" face="MS Sans Serif">8000000000000000h</font><font size="2">; only the low word is the ordinal in either case.)<br>
Suppose we want to list all the functions a PE file imports. We can proceed as follows:</font></p>
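<p><font size="2">The walk described above (DOS header, PE header, the data directory in the OptionalHeader, each <b>IMAGE_IMPORT_DESCRIPTOR</b>, its <b>IMAGE_THUNK_DATA</b> array, and the <b>IMAGE_IMPORT_BY_NAME</b> or ordinal behind each thunk), carried out in Python as an added example; it is not part of Iczelion's tutorial. Because it reads the file from disk rather than a mapped image, it has to translate every RVA to a file offset through the section table. It goes a little beyond the text: it also accepts PE32+ images (8-byte thunks, <b>IMAGE_ORDINAL_FLAG64</b>) and falls back to <b>FirstThunk</b> when <b>OriginalFirstThunk</b> is 0. The PE image it parses is constructed inline for the example (one <b>.idata</b> section importing two functions by name and one by ordinal 1234h from kernel32.dll); the hint values 153h and 2A0h are made up.</font></p>

```python
"""Enumerate a PE file's imports: DOS header -> PE header -> data directory ->
IMAGE_IMPORT_DESCRIPTOR -> IMAGE_THUNK_DATA / IMAGE_IMPORT_BY_NAME.
Added example for the tutorial text; not Iczelion's code."""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D          # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550       # "PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_ORDINAL_FLAG32 = 0x80000000
IMAGE_ORDINAL_FLAG64 = 0x8000000000000000
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
SECTION_RVA, SECTION_RAW = 0x1000, 0x200   # differ on purpose: RVA -> file offset must be computed


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table (list of (va, vsize, raw, rsize))."""
    for va, vsize, raw, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError("RVA %#x lies outside every section" % rva)


def cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def list_imports(data):
    """Return {dll: [entry, ...]}; entry is {'name', 'hint'} or {'ordinal'}."""
    # Steps 1-2: valid MZ header, then e_lfanew must lead to a valid PE signature.
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        dir_off, thunk_fmt, ordinal_flag = opt_off + 96, "<I", IMAGE_ORDINAL_FLAG32
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:       # PE32+: qword thunks, MSB of a qword
        dir_off, thunk_fmt, ordinal_flag = opt_off + 112, "<Q", IMAGE_ORDINAL_FLAG64
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    thunk_size = struct.calcsize(thunk_fmt)
    sections = []                                      # section table follows the optional header
    for i in range(nsect):
        _, vsize, va, rsize, raw = struct.unpack_from("<8s4I", data, opt_off + opt_size + 40 * i)
        sections.append((va, vsize, raw, rsize))
    # Step 3: the import entry of the data directory gives the descriptor array.
    import_rva, _ = struct.unpack_from("<II", data, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    imports = {}
    if import_rva == 0:
        return imports
    desc_off = rva_to_offset(sections, import_rva)
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<5I", data, desc_off)
        if name_rva == 0 and ft == 0:                  # all-zero descriptor ends the array
            break
        dll = cstring(data, rva_to_offset(sections, name_rva))
        # Prefer OriginalFirstThunk (never patched by the loader); some linkers leave it 0,
        # and then the on-disk FirstThunk array still holds the same RVAs.
        thunk_rva = oft or ft
        entries = []
        while True:
            thunk = struct.unpack_from(thunk_fmt, data, rva_to_offset(sections, thunk_rva))[0]
            if thunk == 0:
                break
            if thunk & ordinal_flag:                   # import by ordinal: low word is the ordinal
                entries.append({"ordinal": thunk & 0xFFFF})
            else:                                      # RVA of IMAGE_IMPORT_BY_NAME: Hint, then Name
                off = rva_to_offset(sections, thunk)
                entries.append({"name": cstring(data, off + 2),
                                "hint": struct.unpack_from("<H", data, off)[0]})
            thunk_rva += thunk_size
        imports[dll] = entries
        desc_off += 20
    return imports


def build_sample_pe(with_original_first_thunk=True):
    """Constructed PE32 image (not a real binary): one .idata section importing
    ExitProcess and GetStdHandle by name and ordinal 1234h from kernel32.dll."""
    body = bytearray(40)                               # descriptor + terminator, patched below

    def put(blob, align=1):
        while len(body) % align:
            body.append(0)
        body.extend(blob)
        return SECTION_RVA + len(body) - len(blob)
    name_rva = put(b"kernel32.dll\0")
    ibn1 = put(struct.pack("<H", 0x0153) + b"ExitProcess\0", 2)     # hint values are made up
    ibn2 = put(struct.pack("<H", 0x02A0) + b"GetStdHandle\0", 2)
    thunks = struct.pack("<4I", ibn1, ibn2, IMAGE_ORDINAL_FLAG32 | 0x1234, 0)
    oft_rva = put(thunks, 4)                           # OriginalFirstThunk array
    ft_rva = put(thunks, 4)                            # FirstThunk array (the IAT; identical on disk)
    body[0:20] = struct.pack("<5I", oft_rva if with_original_first_thunk else 0, 0, 0, name_rva, ft_rva)
    body.extend(bytes(0x200 - len(body)))
    dos = struct.pack("<H58xI", IMAGE_DOS_SIGNATURE, 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB9I6H4I2H6I", IMAGE_NT_OPTIONAL_HDR32_MAGIC, 0, 0,
                      0, 0x200, 0, SECTION_RVA, SECTION_RVA, SECTION_RVA, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0, 0, 0x2000, 0x200, 0, 3, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] = (SECTION_RVA, 40)
    sect = struct.pack("<8s6I2HI", b".idata\0\0", 0x200, SECTION_RVA, 0x200, SECTION_RAW,
                       0, 0, 0, 0, 0xC0000040)
    headers = dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + opt \
        + b"".join(struct.pack("<II", *d) for d in dirs) + sect
    return bytes(headers + bytes(SECTION_RAW - len(headers)) + body)


if __name__ == "__main__":
    for dll, entries in list_imports(build_sample_pe()).items():
        print(dll)
        for e in entries:
            print("    " + ("ordinal %#x" % e["ordinal"] if "ordinal" in e
                            else "%s (hint %#x)" % (e["name"], e["hint"])))
```

<p><font size="2">Run it as a script to print the constructed image's imports, or call <b>list_imports()</b> on the bytes of a real file. Note that the walk reads the thunk values from the file, where <b>FirstThunk</b> still mirrors <b>OriginalFirstThunk</b>; on a loaded image the <b>FirstThunk</b> array already holds function addresses, which is exactly why the code prefers <b>OriginalFirstThunk</b> when it is present.</font></p>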
<ol>
<li><font size="2">Verify that the file is a valid PE file.</font></li>
<li><font size="2">Go from the </font><font size="2"
face="MS Sans Serif">DOS header </font><font size="2">to the
</font><font size="2" face="MS Sans Serif">PE header</font><font
size="2">.</font></li>
<li><font size="2">Get the address of the data directory in the </font><font color="#FFFFCC"
size="2" face="MS Sans Serif"><b>OptionalHeader</b></font><font
size="2">.</font></li>