MB_OK+MB_ICONERROR <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;.endif
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; invoke
UnmapViewOfFile, pMapping <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;.else <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; invoke
MessageBox, 0, addr FileMappingError, addr AppName,
MB_OK+MB_ICONERROR <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;.endif <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;invoke CloseHandle,hMapping <br>
&nbsp;&nbsp;&nbsp;&nbsp;.else <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; invoke MessageBox, 0, addr
FileOpenMappingError, addr AppName, MB_OK+MB_ICONERROR <br>
&nbsp;&nbsp;&nbsp; .endif <br>
&nbsp;&nbsp;&nbsp; invoke CloseHandle, hFile <br>
&nbsp;&nbsp; .else <br>
&nbsp;&nbsp;&nbsp;invoke MessageBox, 0, addr FileOpenError, addr
AppName, MB_OK+MB_ICONERROR <br>
&nbsp;&nbsp; .endif <br>
&nbsp;.endif <br>
&nbsp;ret <br>
ShowImportFunctions endp <br>
<br>
AppendText proc hDlg:DWORD,pText:DWORD <br>
&nbsp;&nbsp; invoke
SendDlgItemMessage,hDlg,IDC_EDIT,EM_REPLACESEL,0,pText <br>
&nbsp;&nbsp; invoke
SendDlgItemMessage,hDlg,IDC_EDIT,EM_REPLACESEL,0,addr CRLF <br>
&nbsp;&nbsp; invoke
SendDlgItemMessage,hDlg,IDC_EDIT,EM_SETSEL,-1,0 <br>
&nbsp;&nbsp;&nbsp;ret <br>
AppendText endp <br>
<br>
RVAToOffset PROC uses edi esi edx ecx pFileMap:DWORD,RVA:DWORD <br>
&nbsp;&nbsp; mov esi,pFileMap <br>
&nbsp;&nbsp; assume esi:ptr IMAGE_DOS_HEADER <br>
&nbsp;&nbsp; add esi,[esi].e_lfanew <br>
&nbsp;&nbsp; assume esi:ptr IMAGE_NT_HEADERS <br>
&nbsp;&nbsp; mov edi,RVA ; edi == RVA <br>
&nbsp;&nbsp; mov edx,esi <br>
&nbsp;&nbsp; add edx,sizeof IMAGE_NT_HEADERS <br>
&nbsp;&nbsp; mov cx,[esi].FileHeader.NumberOfSections <br>
&nbsp;&nbsp; movzx ecx,cx <br>
&nbsp;&nbsp; assume edx:ptr IMAGE_SECTION_HEADER <br>
&nbsp;&nbsp; .while ecx&gt;0 ; check all sections <br>
&nbsp;&nbsp;&nbsp;&nbsp; .if edi&gt;=[edx].VirtualAddress <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov eax,[edx].VirtualAddress
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; add eax,[edx].SizeOfRawData <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .if edi&lt;eax ; The address
is in this section <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov
eax,[edx].VirtualAddress <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sub edi,eax<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov
eax,[edx].PointerToRawData <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; add eax,edi ;
eax == file offset <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ret <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .endif <br>
&nbsp;&nbsp;&nbsp;&nbsp; .endif <br>
&nbsp;&nbsp;&nbsp;&nbsp; add edx,sizeof IMAGE_SECTION_HEADER <br>
&nbsp;&nbsp;&nbsp;&nbsp; dec ecx <br>
&nbsp;&nbsp; .endw <br>
&nbsp;&nbsp; assume edx:nothing <br>
&nbsp;&nbsp; assume esi:nothing <br>
&nbsp;&nbsp; mov eax,edi <br>
&nbsp;&nbsp; ret <br>
RVAToOffset endp <br>
<br>
ShowTheFunctions proc uses esi ecx ebx hDlg:DWORD, pNTHdr:DWORD <br>
&nbsp;&nbsp; LOCAL temp[512]:BYTE <br>
&nbsp;&nbsp; invoke SetDlgItemText,hDlg,IDC_EDIT,0 <br>
&nbsp;&nbsp; invoke AppendText,hDlg,addr buffer <br>
&nbsp;&nbsp; mov edi,pNTHdr <br>
&nbsp;&nbsp; assume edi:ptr IMAGE_NT_HEADERS <br>
&nbsp;&nbsp; mov edi, [edi].OptionalHeader.DataDirectory[sizeof
IMAGE_DATA_DIRECTORY].VirtualAddress <br>
&nbsp;&nbsp; invoke RVAToOffset,pMapping,edi <br>
&nbsp;&nbsp; mov edi,eax <br>
&nbsp;&nbsp; add edi,pMapping <br>
&nbsp;&nbsp; assume edi:ptr IMAGE_IMPORT_DESCRIPTOR <br>
&nbsp;&nbsp; .while !([edi].OriginalFirstThunk==0 &amp;&amp;
[edi].TimeDateStamp==0 &amp;&amp; [edi].ForwarderChain==0
&amp;&amp; [edi].Name1==0 &amp;&amp; [edi].FirstThunk==0) <br>
&nbsp;&nbsp;&nbsp;&nbsp; invoke AppendText,hDlg,addr
ImportDescriptor <br>
&nbsp;&nbsp;&nbsp;&nbsp; invoke RVAToOffset,pMapping, [edi].Name1
<br>
&nbsp;&nbsp;&nbsp;&nbsp; mov edx,eax <br>
&nbsp;&nbsp;&nbsp;&nbsp; add edx,pMapping <br>
&nbsp;&nbsp;&nbsp;&nbsp; invoke wsprintf, addr temp, addr
IDTemplate, [edi].OriginalFirstThunk,[edi].TimeDateStamp,[edi].ForwarderChain,edx,[edi].FirstThunk
&nbsp;&nbsp;&nbsp;&nbsp; invoke AppendText,hDlg,addr temp <br>
&nbsp;&nbsp;&nbsp;&nbsp; .if [edi].OriginalFirstThunk==0 <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov
esi,[edi].FirstThunk <br>
&nbsp;&nbsp;&nbsp;&nbsp; .else <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov
esi,[edi].OriginalFirstThunk <br>
&nbsp;&nbsp;&nbsp;&nbsp; .endif <br>
&nbsp;&nbsp;&nbsp;&nbsp; invoke RVAToOffset,pMapping,esi <br>
&nbsp;&nbsp;&nbsp;&nbsp; add eax,pMapping <br>
&nbsp;&nbsp;&nbsp;&nbsp; mov esi,eax <br>
&nbsp;&nbsp;&nbsp;&nbsp; invoke AppendText,hDlg,addr NameHeader <br>
&nbsp;&nbsp;&nbsp;&nbsp; .while dword ptr [esi]!=0 <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; test dword ptr
[esi],IMAGE_ORDINAL_FLAG32 <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; jnz ImportByOrdinal <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; invoke
RVAToOffset,pMapping,dword ptr [esi] <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov edx,eax <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; add edx,pMapping <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; assume edx:ptr
IMAGE_IMPORT_BY_NAME <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov cx, [edx].Hint <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; movzx ecx,cx <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; invoke wsprintf,addr
temp,addr NameTemplate,ecx,addr [edx].Name1 <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; jmp ShowTheText <br>
ImportByOrdinal: <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov edx,dword ptr [esi] <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; and edx,0FFFFh <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; invoke wsprintf,addr
temp,addr OrdinalTemplate,edx <br>
ShowTheText: <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; invoke AppendText,hDlg,addr
temp <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; add esi,4 <br>
&nbsp;&nbsp;&nbsp; .endw <br>
&nbsp;&nbsp;&nbsp; add edi,sizeof IMAGE_IMPORT_DESCRIPTOR <br>
&nbsp; .endw <br>
&nbsp;&nbsp;ret <br>
ShowTheFunctions endp <br>
end start </font></p>

<h3>分析<font face="Arial, Helvetica, sans-serif">:</font></h3>

<p><font size="2">本例中，用戶點擊打開菜單顯示文件打開對話框，檢驗文件的</font><font
size="2" face="MS Sans Serif">PE</font><font size="2">有效性后調用
</font><font color="#CC9900" size="2" face="MS Sans Serif"><b>ShowTheFunctions</b></font><font
size="2">。</font></p>

<p><font face="Fixedsys">ShowTheFunctions proc uses esi ecx ebx
hDlg:DWORD, pNTHdr:DWORD <br>
&nbsp;&nbsp; LOCAL temp[512]:BYTE </font></p>

<p><font size="2">保留</font><font size="2"
face="MS Sans Serif">512</font><font size="2">字節堆棧空間用于字符串操作。</font></p>

<p><font face="Fixedsys">&nbsp;&nbsp; invoke
SetDlgItemText,hDlg,IDC_EDIT,0 </font></p>

<p><font size="2">清除編輯控件內容。</font></p>

<p><font face="Fixedsys">&nbsp;&nbsp; invoke AppendText,hDlg,addr
buffer </font></p>

<p><font size="2">將</font><font size="2" face="MS Sans Serif">PE</font><font
size="2">文件名插入編輯控件。 </font><font
color="#CC9900" size="2" face="MS Sans Serif"><b>AppendText </b></font><font
size="2">通過傳遞一個 </font><font color="#CCFFCC" size="2"
face="MS Sans Serif"><b>EM_REPLACESEL </b></font><font size="2">消息以通知向編輯控件添加文本。然后它又向編輯控件發送一個設置了
</font><font size="2" face="MS Sans Serif">wParam=-1</font><font
size="2">和</font><font size="2" face="MS Sans Serif">lParam=0</font><font
size="2">的</font><font color="#CCFFCC" size="2"
face="MS Sans Serif"><b>EM_SETSEL</b></font><font size="2"
face="MS Sans Serif"> </font><font size="2">消息，使光標定位到文本末。</font></p>

<p><font face="Fixedsys">&nbsp;&nbsp; mov edi,pNTHdr <br>
&nbsp;&nbsp; assume edi:ptr IMAGE_NT_HEADERS <br>
&nbsp;&nbsp; mov edi, [edi].OptionalHeader.DataDirectory[sizeof
IMAGE_DATA_DIRECTORY].VirtualAddress </font></p>

<p><font size="2">獲取</font><font size="2"
face="MS Sans Serif">import symbols</font><font size="2">的</font><font
size="2" face="MS Sans Serif">RVA</font><font size="2">。</font><font
size="2" face="MS Sans Serif">edi</font><font size="2">起初指向
</font><font size="2" face="MS Sans Serif">PE header</font><font
size="2">，以此我們可以定位到數據目錄數組的第二個數組元素來得到虛擬地址值。</font></p>

<p><font face="Fixedsys">&nbsp;&nbsp; invoke
RVAToOffset,pMapping,edi <br>
&nbsp;&nbsp; mov edi,eax <br>
&nbsp;&nbsp; add edi,pMapping </font></p>

<p><font size="2" face="MS Sans Serif">這兒對PE編程初學者來說可能有點困難。在PE文件中大多數地址多是RVAs 而 
  </font><font color="#FF6666" size="2"
face="MS Sans Serif"><b>RVAs</b></font><font color="#FF6666"
size="2"><b>只有當</b></font><font color="#FF6666" size="2"
face="MS Sans Serif"><b>PE</b></font><font color="#FF6666"
size="2"><b>文件被</b></font><font color="#FF6666" size="2"
face="MS Sans Serif"><b>PE</b></font><font color="#FF6666"
size="2"><b>裝載器裝入內存后才有意義。</b></font><font
size="2" face="MS Sans Serif"> 本例中，我們直接將文件映射到內存而不是通過PE裝載器載入，因此我們不能直接使用那些RVAs。必須先將那些RVAs轉換成文件偏移量，RVAToOffset函數就起到這個作用。 
  這里不準備詳細分析。指出的是，它還將給定的RVA和PE文件所有節的始末RVA作比較（檢驗RVA的有效性），然后通過</font><font
color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_SECTION_HEADER</b></font><font
size="2" face="MS Sans Serif"> 結構中的</font><font
color="#FFFFCC" size="2" face="MS Sans Serif"><b>PointerToRawData</b></font><font
size="2" face="MS Sans Serif">域（當然是所在節的那個</font><font
color="#FFFFCC" size="2" face="MS Sans Serif"><b>PointerToRawData</b></font><font
size="2" face="MS Sans Serif">域啦</font><font
size="2" face="MS Sans Serif">）將RVA轉換成文件偏移量。<br>
  函數使用需要傳遞兩個參數: 內存映射文件指針和所要轉換的RVA。eax里返回文件偏移量。上面代碼中，我們必須將文件偏移量加上內存映射文件指針以轉換成虛擬地址。是不是有點復雜? 
  :)</font></p>

<p><font face="Fixedsys">&nbsp;&nbsp; assume edi:ptr
IMAGE_IMPORT_DESCRIPTOR <br>
&nbsp;&nbsp; .while !([edi].OriginalFirstThunk==0 &amp;&amp;
[edi].TimeDateStamp==0 &amp;&amp; [edi].ForwarderChain==0
&amp;&amp; [edi].Name1==0 &amp;&amp; [edi].FirstThunk==0) </font></p>

<p><font size="2" face="MS Sans Serif">edi</font><font size="2">現在指向第一個
</font><font color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_IMPORT_DESCRIPTOR</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">結構。接下來我們遍歷整個結構數組直到遇上一個全</font><font
size="2" face="MS Sans Serif">0</font><font size="2">結構，這就是數組末尾了。</font></p>

<p><font face="Fixedsys">&nbsp;&nbsp;&nbsp;&nbsp; invoke
AppendText,hDlg,addr ImportDescriptor<br>
&nbsp;&nbsp;&nbsp;&nbsp; invoke RVAToOffset,pMapping, [edi].Name1
<br>
&nbsp;&nbsp;&nbsp;&nbsp; mov edx,eax <br>
&nbsp;&nbsp;&nbsp;&nbsp; add edx,pMapping </font></p>

<p><font size="2">我們要顯示當前 </font><font
color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_IMPORT_DESCRIPTOR</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">結構的值。</font><font
size="2" face="MS Sans Serif">Name1 </font><font size="2">不同于其他結構成員，它含有指向相關</font><font
size="2" face="MS Sans Serif">dll</font><font size="2">名的</font><font
size="2" face="MS Sans Serif">RVA</font><font size="2">。因此必須先將其轉換成虛擬地址。</font></p>

<p><font face="Fixedsys">&nbsp;&nbsp;&nbsp;&nbsp; invoke
wsprintf, addr temp, addr IDTemplate, [edi].OriginalFirstThunk,[edi].TimeDateStamp,[edi].ForwarderChain,edx,[edi].FirstThunk
&nbsp;&nbsp;&nbsp;&nbsp; invoke AppendText,hDlg,addr temp </font></p>

<p><font size="2">顯示當前 </font><font color="#CCFFCC"
size="2" face="MS Sans Serif"><b>IMAGE_IMPORT_DESCRIPTOR</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">結構的值。</font></p>

<p><font face="Fixedsys">&nbsp;&nbsp;&nbsp;&nbsp; .if
[edi].OriginalFirstThunk==0 <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov
esi,[edi].FirstThunk <br>
&nbsp;&nbsp;&nbsp;&nbsp; .else <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov
esi,[edi].OriginalFirstThunk <br>
&nbsp;&nbsp;&nbsp;&nbsp; .endif </font></p>

<p><font size="2">接下來準備遍歷 </font><font
color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_THUNK_DATA</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">數組。通常我們會選擇</font><font
color="#FFFFCC" size="2" face="MS Sans Serif"><b>OriginalFirstThunk</b></font><font
size="2">指向的那個數組，不過，如果某些連接器錯誤地將</font><font
co