PVOID MyGetProcAddress(PVOID ImageBase, LPCSTR ApiName)
{
//得到区块表数量
WORD NumberOfSections = PIMAGE_NT_HEADERS64((ULONG64)ImageBase + ((PIMAGE_DOS_HEADER)ImageBase)->e_lfanew)->FileHeader.NumberOfSections;
//得到区块对齐
DWORD SectionAlignment = PIMAGE_NT_HEADERS64((ULONG64)ImageBase + ((PIMAGE_DOS_HEADER)ImageBase)->e_lfanew)->OptionalHeader.SectionAlignment;
//得到文件对齐
DWORD FileAignment = PIMAGE_NT_HEADERS64((ULONG64)ImageBase + ((PIMAGE_DOS_HEADER)ImageBase)->e_lfanew)->OptionalHeader.FileAlignment;
//得到导出表RVA
DWORD ExceptionVirtualAddress = PIMAGE_NT_HEADERS64((ULONG64)ImageBase + ((PIMAGE_DOS_HEADER)ImageBase)->e_lfanew)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
//得到导出表大小
DWORD ExceptionSize = PIMAGE_NT_HEADERS64((ULONG64)ImageBase + ((PIMAGE_DOS_HEADER)ImageBase)->e_lfanew)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
PIMAGE_EXPORT_DIRECTORY ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((ULONG64)ImageBase + ExceptionVirtualAddress);
//获取导出表数量
DWORD NumberOfFunctions = ExportDirectory->NumberOfFunctions;
//获取导出表名称数量
DWORD NumberOfNames = ExportDirectory->NumberOfNames;
//获取起始序号
DWORD Base = ExportDirectory->Base;
PVOID NameStrPrAddr = (PVOID)(ExportDirectory->AddressOfNames + (ULONG64)ImageBase);
PVOID FunlstPrAddr = (PVOID)(ExportDirectory->AddressOfFunctions + (ULONG64)ImageBase);
PVOID OrdinallstPrAddr = (PVOID)(ExportDirectory->AddressOfNameOrdinals + (ULONG64)ImageBase);
WORD OrdinallstPrAddrtrPr = 0;
PVOID NameStrPr = NULL;
for (DWORD I = 0; I < NumberOfNames; I++)
{
//取得序号
OrdinallstPrAddrtrPr = *(PWORD)OrdinallstPrAddr;
//取导出的名字
NameStrPr = (PVOID)(*(PDWORD)NameStrPrAddr + (ULONG64)ImageBase);
if (strcmp((LPCSTR)NameStrPr, ApiName) == 0)
{
//这里不需要 + Base,如果输出序号则需要加
PVOID FunAddress = (PVOID)((ULONG64)FunlstPrAddr + (sizeof(DWORD) * (OrdinallstPrAddrtrPr)));
DWORD FindFuncRetrun = (DWORD)(*(PULONG64)(FunAddress));
return (PVOID)((ULONG64)ImageBase + FindFuncRetrun);
}
//移动Name指针
NameStrPrAddr = (PVOID)((ULONG64)NameStrPrAddr + sizeof(DWORD));
//移动序号指针
OrdinallstPrAddr = (PVOID)((ULONG64)OrdinallstPrAddr + sizeof(WORD));
}
}
本文来源于
Lonely Blog -全球网络安全资讯平台, 转载请注明出处:
https://blog.wuhao13.xin/1700.html
