通过解析 PE 头，读取当前进程导入的 DLL 模块及其导入函数（遍历导入表 INT/IAT）；第二段代码在此基础上演示进程内 IAT Hook：把本模块导入表中 Sleep 的地址改写为自定义函数 ReWriteSleep。

win32

  

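// Walk the import directory of the running executable and print every DLL it
// links against together with the names (or ordinals) of the functions it
// imports. The headers are read in-process from the loader-mapped image, so
// every RVA is resolved against the module base returned by GetModuleHandle(NULL).
//
// Security note: no RVA bounds checks are done here because the image is this
// process's own module, which the loader has already validated. A parser for an
// untrusted file on disk must check e_lfanew and every RVA against the section
// table / SizeOfImage before dereferencing.
int main()
{
    ::MessageBox(NULL, TEXT("111"), TEXT("222"), 0);
    HMODULE vHmodule = GetModuleHandle(NULL);

    // %p instead of %08X: an HMODULE is pointer-sized and would be truncated on x64.
    printf("vHmodule = 0x%p ", static_cast<void*>(vHmodule));

    // Pointer arithmetic on a BYTE* keeps this correct for both 32- and 64-bit
    // builds (the original cast pointers to DWORD).
    const BYTE* base = reinterpret_cast<const BYTE*>(vHmodule);

    const IMAGE_DOS_HEADER* dos = reinterpret_cast<const IMAGE_DOS_HEADER*>(base);
    if (dos->e_magic != IMAGE_DOS_SIGNATURE)
    {
        printf("bad DOS signature ");
        return EXIT_FAILURE;
    }
    printf("vImageDosHeader->e_lfanew = %08X ", static_cast<unsigned>(dos->e_lfanew));

    // IMAGE_NT_HEADERS resolves to the 32- or 64-bit variant for this build;
    // read the optional header through it rather than copying an
    // IMAGE_OPTIONAL_HEADER32 by value.
    const IMAGE_NT_HEADERS* nt = reinterpret_cast<const IMAGE_NT_HEADERS*>(base + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE)
    {
        printf("bad NT signature ");
        return EXIT_FAILURE;
    }

    const IMAGE_DATA_DIRECTORY& importDir =
        nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    printf("*vImageDataDirectory.VirtualAddress=0x%08X ",
           static_cast<unsigned>(importDir.VirtualAddress));

    // An image with no imports has an empty directory; base + 0 would point at
    // the DOS header, which is not an import descriptor.
    if (importDir.VirtualAddress == 0 || importDir.Size == 0)
    {
        printf("no import directory ");
        system("pause");
        return EXIT_SUCCESS;
    }

    printf(" ");
    // The descriptor array ends with an all-zero entry; Name == 0 is the
    // terminator the loader itself uses.
    const IMAGE_IMPORT_DESCRIPTOR* desc =
        reinterpret_cast<const IMAGE_IMPORT_DESCRIPTOR*>(base + importDir.VirtualAddress);
    for (; desc->Name != 0; ++desc)
    {
        printf("vImageImportDescriptor->Name=%s ", reinterpret_cast<const char*>(base + desc->Name));

        // OriginalFirstThunk (the INT) keeps the name/ordinal RVAs after load;
        // FirstThunk (the IAT) has been overwritten by the loader with absolute
        // addresses, so without an INT the names cannot be recovered in-process.
        if (desc->OriginalFirstThunk == 0)
        {
            printf("(no import name table) ");
            continue;
        }

        const IMAGE_THUNK_DATA* thunk =
            reinterpret_cast<const IMAGE_THUNK_DATA*>(base + desc->OriginalFirstThunk);
        for (; thunk->u1.AddressOfData != 0; ++thunk)
        {
            // Ordinal-only imports have no IMAGE_IMPORT_BY_NAME; treating the
            // ordinal word (high bit set) as an RVA reads unmapped memory.
            if (IMAGE_SNAP_BY_ORDINAL(thunk->u1.Ordinal))
            {
                printf("ordinal=%u ", static_cast<unsigned>(IMAGE_ORDINAL(thunk->u1.Ordinal)));
                continue;
            }
            const IMAGE_IMPORT_BY_NAME* byName =
                reinterpret_cast<const IMAGE_IMPORT_BY_NAME*>(base + thunk->u1.AddressOfData);
            printf("vImageImportByName->Name=%s ", byName->Name);
        }
        printf(" ");
    }

    system("pause");
    return EXIT_SUCCESS;
}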

MFC

#include <atlconv.h>

/// Replacement installed into this module's IAT slot for Sleep.
/// It must keep Sleep's exact signature and calling convention
/// (VOID WINAPI (DWORD)) because callers reach it through the patched import
/// slot with their original call sequence. It only shows a message box and does
/// not forward to the real Sleep, so a hooked call returns immediately.
VOID WINAPI ReWriteSleep(_In_ DWORD dwMilliseconds)
{
    (void)dwMilliseconds; // requested delay is intentionally ignored in this demo
    ::MessageBox(NULL, TEXT("改写Sleep"), TEXT("改写Sleep"), 0);
}

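// Overwrite a single pointer-sized IAT slot in the current process.
// The page is made writable only for the duration of the store and its previous
// protection is restored afterwards. PAGE_READWRITE is enough: the IAT holds
// data, never code, so the original PAGE_EXECUTE_READWRITE created a needless
// RWX page. Returns false and leaves the slot untouched if VirtualProtect fails.
static bool PatchImportSlot(ULONG_PTR* slot, ULONG_PTR newTarget)
{
    DWORD oldProtect = 0;
    if (!::VirtualProtect(slot, sizeof(*slot), PAGE_READWRITE, &oldProtect))
        return false;

    // Single aligned pointer-sized store; callers already in flight either see
    // the old target or the new one, never a torn value.
    *slot = newTarget;

    DWORD ignored = 0;
    ::VirtualProtect(slot, sizeof(*slot), oldProtect, &ignored);
    return true;
}

// Walk the import table of the running executable and redirect its import of
// "Sleep" to ReWriteSleep by overwriting the matching IAT slot.
//
// Scope of the hook: only this module's IAT is patched. Other modules keep their
// own import slots, and any caller that resolves Sleep via GetProcAddress (or
// calls it from another DLL) bypasses the hook entirely. Diagnostics go to
// OutputDebugString. As in the console version, RVAs are not bounds-checked
// because the image is the loader-mapped module of this process.
void dd()
{
    CString str;
    HMODULE vHmodule = GetModuleHandle(NULL);

    // %p instead of %08X so the value is not truncated on x64.
    str.Format(TEXT("vHmodule = 0x%p "), static_cast<void*>(vHmodule));
    ::OutputDebugString(str);

    // BYTE* arithmetic keeps RVA resolution correct on both 32- and 64-bit
    // builds; the original cast pointers to DWORD. Non-const because the IAT
    // slot found below is written.
    BYTE* base = reinterpret_cast<BYTE*>(vHmodule);

    const IMAGE_DOS_HEADER* dos = reinterpret_cast<const IMAGE_DOS_HEADER*>(base);
    if (dos->e_magic != IMAGE_DOS_SIGNATURE)
    {
        ::OutputDebugString(TEXT("bad DOS signature "));
        return;
    }
    str.Format(TEXT("vImageDosHeader->e_lfanew = %08X "), static_cast<unsigned>(dos->e_lfanew));
    ::OutputDebugString(str);

    // IMAGE_NT_HEADERS is the platform-correct variant for this build.
    const IMAGE_NT_HEADERS* nt = reinterpret_cast<const IMAGE_NT_HEADERS*>(base + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE)
    {
        ::OutputDebugString(TEXT("bad NT signature "));
        return;
    }

    const IMAGE_DATA_DIRECTORY& importDir =
        nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    str.Format(TEXT("*vImageDataDirectory.VirtualAddress=0x%08X "),
               static_cast<unsigned>(importDir.VirtualAddress));
    ::OutputDebugString(str);

    if (importDir.VirtualAddress == 0 || importDir.Size == 0)
    {
        ::OutputDebugString(TEXT("no import directory "));
        return;
    }

    const CString target(TEXT("Sleep"));
    ::OutputDebugString(TEXT(" "));
    ::OutputDebugString(TEXT(" "));

    // Descriptor array is terminated by an all-zero entry (Name == 0).
    const IMAGE_IMPORT_DESCRIPTOR* desc =
        reinterpret_cast<const IMAGE_IMPORT_DESCRIPTOR*>(base + importDir.VirtualAddress);
    for (; desc->Name != 0; ++desc)
    {
        // The INT (OriginalFirstThunk) still holds name/ordinal RVAs after load;
        // the IAT (FirstThunk) has been snapped to absolute addresses by the
        // loader and is what callers jump through. Walk the two in lockstep:
        // the INT tells us which entry is Sleep, the IAT is the slot to patch.
        if (desc->OriginalFirstThunk == 0)
        {
            // No INT: entries cannot be identified by name, so nothing to hook.
            continue;
        }

        // Go through CString so the %s conversion is right in both UNICODE and
        // MBCS builds (the original hard-coded %S and relied on UNICODE).
        CString dllName(reinterpret_cast<const char*>(base + desc->Name));
        str.Format(TEXT("vImageImportDescriptor->Name=%s "), static_cast<LPCTSTR>(dllName));
        ::OutputDebugString(str);

        const IMAGE_THUNK_DATA* nameThunk =
            reinterpret_cast<const IMAGE_THUNK_DATA*>(base + desc->OriginalFirstThunk);
        IMAGE_THUNK_DATA* iatThunk =
            reinterpret_cast<IMAGE_THUNK_DATA*>(base + desc->FirstThunk);

        str.Format(TEXT("vImageThunkData->u1.AddressOfData=%08X "),
                   static_cast<unsigned>(nameThunk->u1.AddressOfData));
        ::OutputDebugString(str);

        for (; nameThunk->u1.AddressOfData != 0; ++nameThunk, ++iatThunk)
        {
            // Ordinal-only imports carry no IMAGE_IMPORT_BY_NAME. The original
            // code treated the ordinal word as an RVA (and skipped whole DLLs
            // with an ad-hoc "AddressOfData < module base" heuristic); checking
            // the snap-by-ordinal bit per entry is the correct test.
            if (IMAGE_SNAP_BY_ORDINAL(nameThunk->u1.Ordinal))
            {
                str.Format(TEXT("import by ordinal=%u "),
                           static_cast<unsigned>(IMAGE_ORDINAL(nameThunk->u1.Ordinal)));
                ::OutputDebugString(str);
                continue;
            }

            const IMAGE_IMPORT_BY_NAME* byName =
                reinterpret_cast<const IMAGE_IMPORT_BY_NAME*>(base + nameThunk->u1.AddressOfData);
            CString importName(reinterpret_cast<const char*>(byName->Name));

            if (importName == target)
            {
                ::OutputDebugString(TEXT(" "));
                ::OutputDebugString(TEXT(" "));
                ::OutputDebugString(TEXT(" "));
                ::OutputDebugString(TEXT(" "));

                str.Format(TEXT("重写Sleep函数地址是=%p, DWORD ReWriteSleep=%p "),
                           reinterpret_cast<void*>(&ReWriteSleep),
                           reinterpret_cast<void*>(&ReWriteSleep));
                ::OutputDebugString(str);

                str.Format(TEXT("找到了Sleep函数地址是=%p "),
                           reinterpret_cast<void*>(iatThunk->u1.Function));
                ::OutputDebugString(str);

                // u1.Function is DWORD on x86 and ULONGLONG on x64; ULONG_PTR
                // matches both, so the store below is always pointer-sized.
                ULONG_PTR* slot = reinterpret_cast<ULONG_PTR*>(&iatThunk->u1.Function);
                str.Format(TEXT("u1.Function地址=%p "), static_cast<void*>(slot));
                ::OutputDebugString(str);

                ::MessageBox(NULL, TEXT("333333"), TEXT("55555"), 0);

                if (!PatchImportSlot(slot, reinterpret_cast<ULONG_PTR>(&ReWriteSleep)))
                {
                    // The original ignored VirtualProtect's result and wrote
                    // anyway; a failed protection change means the write would
                    // fault (or silently not take effect), so report it instead.
                    const DWORD err = ::GetLastError();
                    str.Format(TEXT("VirtualProtect failed, error=%lu "), err);
                    ::OutputDebugString(str);
                }

                ::OutputDebugString(TEXT(" "));
                ::OutputDebugString(TEXT(" "));
                ::OutputDebugString(TEXT(" "));
                ::OutputDebugString(TEXT(" "));
            }

            str.Format(TEXT("vImageImportByName->Name=%s "), static_cast<LPCTSTR>(importName));
            ::OutputDebugString(str);

            str.Format(TEXT("vImageThunkData2->u1.Function=%p "),
                       reinterpret_cast<void*>(iatThunk->u1.Function));
            ::OutputDebugString(str);
        }

        ::OutputDebugString(TEXT(" "));
        ::OutputDebugString(TEXT(" "));
    }
}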

原文地址:https://www.cnblogs.com/kuangke/p/5419976.html