Import address table analysis (working from the library file name to the number of imported functions, the function hints/ordinals and the function names)
2022-04-23 15:45:00 【Hardworking666】
The Import Address Table (IAT) records which functions a program imports from which DLLs. On disk it holds the same list as the Import Name Table; at load time the Windows loader overwrites each IAT entry with the resolved address of the function, which is why code in the program calls imported functions indirectly through the IAT.
The Import Name Table (INT, also called the Import Lookup Table, pointed to by the OriginalFirstThunk field of the IMAGE_IMPORT_DESCRIPTOR) is an array of IMAGE_THUNK_DATA32 entries terminated by a NULL entry. Each entry is either the RVA of an IMAGE_IMPORT_BY_NAME structure (a WORD Hint followed by the NUL-terminated function name) or, if the highest bit is set, an import by ordinal. The INT is never patched by the loader, so it remains the reliable source for the imported names even in a memory dump.
1. Find the file name, RVAsec and RAWsec
By analyzing the PE header, the range of each section header of notepad.exe is obtained as shown in Table 4-12, and the section table is analyzed in Table 4-13. The values needed below are each section's VirtualAddress (RVAsec) and PointerToRawData (RAWsec): a given RVA is converted to a file offset with RAW = RVA - RVAsec + RAWsec, using the section whose RVA range contains it.
2. Analyze the INT and IAT and obtain the number of imported functions
Next, analyze the INT and IAT of notepad.exe.
Taking KERNEL32.dll as an example, the INT array and the IAT array for this DLL are at file (RAW) offsets 6B58H and 48CH respectively.
The file offset range 6B58H~6C3FH holds the INT, which contains 57 IMAGE_THUNK_DATA32 structures. The range is E8H = 232 bytes = 58 DWORDs, because the array ends with a terminating NULL entry that is not counted as an import.
Here 57 = 14 rows × 4 + 1: in a hex editor showing 16 bytes per row, each row holds four 4-byte entries, so 14 full rows plus one more entry. This is the number of imported functions.
The file offset range 48CH~573H holds the IAT, which likewise contains 57 IMAGE_THUNK_DATA32 structures (the same number, since the two arrays run in parallel).
The contents of the INT and IAT are shown in Figure 4-4(a) and Figure 4-4(b).
3. Function ordinal and function name
Then analyze the IMAGE_IMPORT_BY_NAME structure pointed to by the first INT entry (00008024H).
This RVA corresponds to file offset 8024H - 1000H + 400H = 7424H, because the section containing it has VirtualAddress 1000H and PointerToRawData 400H.
Note: the bytes in the file read 24 80 00 00; since the value is stored little-endian, it is read as 00008024H. The same conversion can be worked out with LordPE.
The content of this structure is shown in Figure 4-5.
Its Hint field is 013EH, and the Name field, read in the hex editor, is "GetCurrentThreadId". Strictly speaking the Hint is only an index into the DLL's export name table that the loader tries first; the import is resolved by the name string, so the Hint is not guaranteed to equal the function's export ordinal.
In the same way, the hint value and function name of every function notepad.exe imports from KERNEL32.dll can be obtained.
First function hint (little-endian): 013E
First function name: GetCurrentThreadId
The hint and function name can be read in HxD by right-clicking, choosing the select-block option and entering the offset.
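The procedure in sections 2 and 3 above (convert RVAs to file offsets through the section table, count the IMAGE_THUNK_DATA32 entries up to the NULL terminator, then follow each entry to its IMAGE_IMPORT_BY_NAME to read Hint and Name) is written out below as a complete parser. This is an added example, not code from the original article. It parses a minimal constructed PE32 image that reuses the article's offsets (.text at VA 1000H / RAW 400H, INT at RAW 6B58H, IAT at RAW 48CH, first Hint/Name entry at RVA 8024H with Hint 013EH and name GetCurrentThreadId); the other two entries of that image (an ExitProcess entry with a made-up hint of 100H, and an import by ordinal 3) are assumptions added so that the by-ordinal path, which the article does not cover, is exercised. Passing a real PE32 file on the command line runs the same parser against it.

```python
import struct
import sys

IMAGE_ORDINAL_FLAG32 = 0x80000000


def rva_to_raw(rva, sections):
    """RAW = RVA - VirtualAddress(section) + PointerToRawData(section).
    sections: list of (name, virtual_address, virtual_size, raw_ptr, raw_size)."""
    for _name, va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def thunk_count_from_range(first_raw, last_raw):
    """Number of IMAGE_THUNK_DATA32 entries in an inclusive file-offset range,
    not counting the NULL entry that terminates the array (6B58H..6C3FH -> 57)."""
    return (last_raw - first_raw + 1) // 4 - 1


def parse_sections(data):
    """Return the section table and the RVA of the import directory (PE32 only)."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                                  # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 10BH) is handled here")
    # DataDirectory starts at offset 96 of the PE32 optional header; entry 1 is the import table
    imp_rva, _imp_size = struct.unpack_from("<II", data, opt + 96 + 8 * 1)
    sections = []
    for i in range(num_sections):                        # 40-byte IMAGE_SECTION_HEADERs follow the optional header
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, raw_ptr, raw_size))
    return sections, imp_rva


def read_thunks(data, raw):
    """Collect IMAGE_THUNK_DATA32 values starting at raw until the terminating 0."""
    thunks = []
    while (value := struct.unpack_from("<I", data, raw)[0]) != 0:
        thunks.append(value)
        raw += 4
    return thunks


def read_cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_imports(data):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array. For each DLL return the INT/IAT file offsets,
    the entry counts and (hint_or_ordinal, name) pairs; name is None for imports by ordinal."""
    sections, imp_rva = parse_sections(data)
    desc_raw = rva_to_raw(imp_rva, sections)
    imports = []
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc_raw)
        if oft == 0 and name_rva == 0 and ft == 0:       # an all-zero descriptor ends the array
            break
        int_raw = rva_to_raw(oft or ft, sections)        # some linkers leave OriginalFirstThunk = 0
        iat_raw = rva_to_raw(ft, sections)
        functions = []
        for thunk in read_thunks(data, int_raw):
            if thunk & IMAGE_ORDINAL_FLAG32:             # high bit set: ordinal in the low 16 bits
                functions.append((thunk & 0xFFFF, None))
            else:                                        # RVA of IMAGE_IMPORT_BY_NAME: WORD Hint, char Name[]
                by_name = rva_to_raw(thunk, sections)
                functions.append((struct.unpack_from("<H", data, by_name)[0],
                                  read_cstring(data, by_name + 2)))
        imports.append({"dll": read_cstring(data, rva_to_raw(name_rva, sections)),
                        "int_raw": int_raw, "iat_raw": iat_raw, "count": len(functions),
                        "iat_count": len(read_thunks(data, iat_raw)), "functions": functions})
        desc_raw += 20
    return imports


def build_sample_pe():
    """Constructed minimal PE32 (not a real notepad.exe) reusing the article's offsets:
    .text at VA 1000H / RAW 400H, INT at RAW 6B58H, IAT at RAW 48CH,
    first IMAGE_IMPORT_BY_NAME at RVA 8024H (RAW 7424H) with Hint 013EH."""
    text_va, text_raw, text_size = 0x1000, 0x400, 0x7800
    img = bytearray(text_raw + text_size)
    raw = lambda rva: rva - text_va + text_raw
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                                 # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # IMAGE_FILE_HEADER
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)                                 # PE32 magic
    struct.pack_into("<I", img, opt + 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8, 0x7700, 40)                  # import directory RVA / size
    struct.pack_into("<8sIIII", img, opt + 0xE0, b".text", 0x7748, text_va, text_size, text_raw)
    entries = {0x8024: (0x13E, b"GetCurrentThreadId"),                     # values from the article
               0x8040: (0x100, b"ExitProcess")}                            # constructed hint value
    for rva, (hint, name) in entries.items():
        struct.pack_into("<H", img, raw(rva), hint)
        img[raw(rva) + 2:raw(rva) + 3 + len(name)] = name + b"\0"
    img[raw(0x8100):raw(0x8100) + 13] = b"KERNEL32.dll\0"
    thunks = [0x8024, 0x8040, IMAGE_ORDINAL_FLAG32 | 3, 0]                 # third entry: import by ordinal 3
    for base in (0x7758, 0x108C):                                           # INT (RAW 6B58H) and IAT (RAW 48CH)
        struct.pack_into("<4I", img, raw(base), *thunks)
    struct.pack_into("<IIIII", img, raw(0x7700), 0x7758, 0, 0, 0x8100, 0x108C)  # IMAGE_IMPORT_DESCRIPTOR
    return bytes(img)


def summarize(data):
    lines = []
    for imp in parse_imports(data):
        lines.append(f"{imp['dll']}: INT at RAW {imp['int_raw']:X}H, IAT at RAW {imp['iat_raw']:X}H, "
                     f"{imp['count']} imported functions")
        lines.extend(f"  {hint:04X}H  {name or '(import by ordinal)'}" for hint, name in imp["functions"])
    return lines


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print("\n".join(summarize(blob)))
```

Two points the parser makes that the hex-editor walk does not: the byte range of an INT or IAT always includes the terminating NULL DWORD, so the entry count is (range length / 4) - 1, and an entry with the high bit set is an ordinal import with no IMAGE_IMPORT_BY_NAME to follow. On a real binary, compare the count from the INT with the count from the IAT; a mismatch or an INT that is missing (OriginalFirstThunk = 0) is common in packed or hand-built samples.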
Copyright notice
This article was written by [Hardworking666]; please include the original link when reposting, thank you.
https://yzsam.com/2022/04/202204231531417833.html