導出表是數(shù)據(jù)目錄中的第一張表，要注意 VirtualAddress 是內(nèi)存偏移。導出表中的三張表地址也是內(nèi)存偏移。

代碼

// 打印導出表 VOID PrintExportTable(LPVOID pFileBuffer) {PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer;PIMAGE_FILE_HEADER pPEHeader = (PIMAGE_FILE_HEADER)(pDosHeader->e_lfanew + (DWORD)pFileBuffer + 4);PIMAGE_OPTIONAL_HEADER32 pOptionHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)pPEHeader + sizeof(IMAGE_FILE_HEADER));PIMAGE_SECTION_HEADER pSectionHeader = \(PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader + pPEHeader->SizeOfOptionalHeader);PIMAGE_EXPORT_DIRECTORY pExportDirectory = \(PIMAGE_EXPORT_DIRECTORY)((DWORD)pFileBuffer + RvaToFoa(pFileBuffer, pOptionHeader->DataDirectory[0].VirtualAddress));printf("Base = %x\n", pExportDirectory->Base);printf("NumberOfFunctions = %x\n", pExportDirectory->NumberOfFunctions);printf("NumberOfNames = %x\n", pExportDirectory->NumberOfNames);printf("----AddressOfFunctions----\n");PDWORD AddressOfFunctions = (PDWORD)((DWORD)pFileBuffer + RvaToFoa(pFileBuffer, pExportDirectory->AddressOfFunctions));for (int i = 0; i < pExportDirectory->NumberOfFunctions; i++){printf("AddressOfFunctions[%d] = %x\n", i, AddressOfFunctions[i]);}printf("----AddressOfNames & AddressOfNameOridinals----\n");PDWORD AddressOfNames = (PDWORD)((DWORD)pFileBuffer + RvaToFoa(pFileBuffer, pExportDirectory->AddressOfNames));PWORD AddressOfNameOridinals = (PWORD)((DWORD)pFileBuffer + RvaToFoa(pFileBuffer, pExportDirectory->AddressOfNameOrdinals));for (i = 0; i < pExportDirectory->NumberOfNames; i++){printf("AddressOfNames[%d] = %s, AddressOfOrdinals[%d] = %d\n", i, (char*)((DWORD)pFileBuffer + RvaToFoa(pFileBuffer, AddressOfNames[i])), i, AddressOfNameOridinals[i]);} }VOID TestPrintExportTable(LPSTR lpszFile) {LPVOID pFileBuffer = NULL;if (!ReadPEFile(lpszFile, &pFileBuffer)){printf("讀取文件失敗");return;}PrintExportTable(pFileBuffer);free(pFileBuffer); }// 內(nèi)存偏移RVA轉(zhuǎn)成文件偏移FOA // 返回轉(zhuǎn)換后FOA的值，找不到則返回0 DWORD RvaToFoa(IN LPVOID pFileBuffer,IN DWORD dwRva) {PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer;PIMAGE_FILE_HEADER pPEHeader = (PIMAGE_FILE_HEADER)(pDosHeader->e_lfanew + (DWORD)pFileBuffer + 4);PIMAGE_OPTIONAL_HEADER32 pOptionHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)pPEHeader + sizeof(IMAGE_FILE_HEADER));PIMAGE_SECTION_HEADER pSectionHeader = \(PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader + pPEHeader->SizeOfOptionalHeader);// RVA在文件頭中或者文件對齊==內(nèi)存對齊時，RVA==FOAif (dwRva < pOptionHeader->SizeOfHeaders || \pOptionHeader->SectionAlignment == pOptionHeader->FileAlignment){return dwRva;}// 遍歷節(jié)表，確定偏移屬于哪一個節(jié) for (int i = 0; i < pPEHeader->NumberOfSections; i++){ if (dwRva >= pSectionHeader[i].VirtualAddress && \dwRva < pSectionHeader[i].VirtualAddress + pSectionHeader[i].Misc.VirtualSize){int offset = dwRva - pSectionHeader[i].VirtualAddress;return pSectionHeader[i].PointerToRawData + offset;} }printf("找不到RVA %x 對應的 FOA，轉(zhuǎn)換失敗\n", dwRva);return 0; }

運行結(jié)果

用 DEPENDENCY WALKER 驗證，解析正確。

附DLL的def導出文件

總結(jié)

以上是生活随笔為你收集整理的打印导出表信息的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。