Analysis of the import table on disk and in memory
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
    union {
        DWORD Characteristics;    // 0 for terminating null import descriptor
        DWORD OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA), i.e. the INT
    };
    DWORD TimeDateStamp;          // 0 if not bound,
                                  // -1 if bound, and real date/time stamp
                                  //    in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
                                  // O.W. date/time stamp of DLL bound to (Old BIND)
    DWORD ForwarderChain;         // -1 if no forwarders
    DWORD Name;                   // RVA to the NUL-terminated ASCII name of the DLL
    DWORD FirstThunk;             // RVA to IAT (if bound this IAT has actual addresses)
} IMAGE_IMPORT_DESCRIPTOR;
typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED *PIMAGE_IMPORT_DESCRIPTOR;
Import table address: RVA 0x2010 | FA (file offset) 0x0610
Each descriptor is 20 bytes (five little-endian DWORDs). The dump holds two descriptors, one per DLL, followed by an all-zero terminating descriptor (not shown).

Raw bytes as stored in the file (they are identical in memory until the loader patches the IAT):
|--------------------|---------------|----------------|-------------|-------------|
| OriginalFirstThunk | TimeDateStamp | ForwarderChain | Name        | FirstThunk  |
|--------------------|---------------|----------------|-------------|-------------|
| 4c 20 00 00        | 00 00 00 00   | 00 00 00 00    | 6a 20 00 00 | 00 20 00 00 |  <- kernel32.dll
| 54 20 00 00        | 00 00 00 00   | 00 00 00 00    | 86 20 00 00 | 08 20 00 00 |  <- user32.dll
|--------------------|---------------|----------------|-------------|-------------|

The same RVAs converted to file offsets (FA = RVA - 0x1A00, because RVA 0x2010 maps to FA 0x0610 in this section):
|--------------------|---------------|----------------|-------------|-------------|
| 0x064c             | 0             | 0              | 0x066a      | 0x0600      |
| 0x0654             | 0             | 0              | 0x0686      | 0x0608      |
|--------------------|---------------|----------------|-------------|-------------|
FA: how the import table is stored in the file
Each thunk array (INT at OriginalFirstThunk, IAT at FirstThunk) is a list of DWORDs ending in 0; on disk every entry is the RVA of an IMAGE_IMPORT_BY_NAME record (a WORD hint followed by the function name).
[
  kernel32.dll  (Name RVA 0x206a, FA 0x066a)
    INT entry at OriginalFirstThunk (RVA 0x204c, FA 0x064c): 5c 20 00 00 -> RVA 0x205c, FA 0x065c: 80 00 (hint 0x0080) "ExitProcess"
    IAT entry at FirstThunk         (RVA 0x2000, FA 0x0600): 5c 20 00 00 -> the same hint/name record
  user32.dll    (Name RVA 0x2086, FA 0x0686)
    INT entry at OriginalFirstThunk (RVA 0x2054, FA 0x0654): 78 20 00 00 -> RVA 0x2078, FA 0x0678: 9d 01 (hint 0x019d) "MessageBoxA"
    IAT entry at FirstThunk         (RVA 0x2008, FA 0x0608): 78 20 00 00 -> the same hint/name record
]
VA (ImageBase 0x00400000): how the import table looks in memory, after the loader has resolved the imports
[
  kernel32.dll  (Name at VA 0x0040206a)
    INT entry: unchanged, 5c 20 00 00 -> RVA 0x205c = VA 0x0040205c: 80 00 "ExitProcess"
    IAT entry: 0a d2 8a 7c -> 0x7c8ad20a, the address of ExitProcess inside the kernel32.dll mapped in this process
  user32.dll    (Name at VA 0x00402086, as given by the Name field of the second descriptor above)
    INT entry: unchanged, 78 20 00 00 -> RVA 0x2078 = VA 0x00402078: 9d 01 "MessageBoxA"
    IAT entry: ea 07 d5 77 -> 0x77d507ea, the address of MessageBoxA inside the user32.dll mapped in this process
]
On disk, FirstThunk and OriginalFirstThunk point to two different arrays (the IAT at RVA 0x2000 and the INT at RVA 0x204c) whose contents are identical: both hold the RVAs of the hint/name records, so either array can be walked to list what the file imports.
In memory the two no longer agree. The loader walks the INT, looks each name up in the export table of the loaded DLL, and overwrites the corresponding IAT slot (FirstThunk) with the function's virtual address; the INT keeps the original name RVAs. This is why a dump taken from a running process shows addresses rather than names at FirstThunk, and why IAT hooking only has to change those slots.
Caveat: this holds for an unbound image (TimeDateStamp 0, as here). When TimeDateStamp is -1 the image is bound and the IAT on disk already contains addresses, so only the INT still names the functions.
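The following C program is an added example, not code from the page: it rebuilds the import section of this sample from constructed bytes laid out exactly as the dump above, walks the descriptors with RVA-to-file-offset translation, and then emulates what the loader does to the IAT so that the on-disk and in-memory forms can be compared side by side. The section geometry (VirtualAddress 0x2000, PointerToRawData 0x0600, 32-bit thunks), the fake_resolve stub, and the two addresses it returns (taken from the memory dump above) are assumptions made for the demonstration; a real loader resolves names through the export table of the DLL it has mapped. Ordinal imports (IMAGE_ORDINAL_FLAG32 set) and bound images are detected and rejected rather than silently mis-parsed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Section geometry assumed from the page: RVA 0x2010 <-> file offset 0x0610. */
#define SEC_RVA        0x2000u   /* section VirtualAddress */
#define SEC_RAW        0x0600u   /* section PointerToRawData */
#define SEC_SIZE       0x0100u   /* covers everything the dump shows */
#define IMPORT_DIR_RVA 0x2010u
#define IMAGE_BASE     0x00400000u
#define IMAGE_ORDINAL_FLAG32 0x80000000u

typedef struct {
    uint32_t OriginalFirstThunk; /* RVA of the INT: hint/name RVAs, never patched */
    uint32_t TimeDateStamp;      /* 0 = not bound, 0xFFFFFFFF = bound */
    uint32_t ForwarderChain;
    uint32_t Name;               /* RVA of the DLL name */
    uint32_t FirstThunk;         /* RVA of the IAT: overwritten with addresses at load */
} ImportDescriptor;

uint8_t g_file[SEC_SIZE];   /* the section as stored on disk (constructed) */
uint8_t g_mem[SEC_SIZE];    /* the same section after the loader emulation */

/* Bounds-checked access: every RVA comes from the file, so treat it as untrusted. */
static int in_sec(uint32_t rva, uint32_t len) {
    return rva >= SEC_RVA && len <= SEC_SIZE && rva - SEC_RVA <= SEC_SIZE - len;
}
static uint8_t *ptr(uint8_t *sec, uint32_t rva, uint32_t len) {
    return in_sec(rva, len) ? sec + (rva - SEC_RVA) : NULL;
}
uint32_t rva_to_fa(uint32_t rva) { return in_sec(rva, 1) ? rva - SEC_RVA + SEC_RAW : 0; }
uint32_t rd32(uint8_t *sec, uint32_t rva) {   /* little-endian DWORD, 0 if out of range */
    const uint8_t *p = ptr(sec, rva, 4);
    return p ? p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24 : 0;
}
static void wr32(uint8_t *sec, uint32_t rva, uint32_t v) {
    uint8_t *p = ptr(sec, rva, 4);
    if (p) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
}
static void wrstr(uint8_t *sec, uint32_t rva, const char *s) {
    uint8_t *p = ptr(sec, rva, (uint32_t)strlen(s) + 1);
    if (p) memcpy(p, s, strlen(s) + 1);
}
static const char *cstr(uint8_t *sec, uint32_t rva) {   /* NULL if the string runs off the section */
    const uint8_t *p = ptr(sec, rva, 1);
    return p && memchr(p, 0, SEC_SIZE - (rva - SEC_RVA)) ? (const char *)p : NULL;
}
/* Descriptor i of the import directory; 0 on the all-zero terminator or end of section. */
int read_desc(uint8_t *sec, uint32_t i, ImportDescriptor *d) {
    uint32_t rva = IMPORT_DIR_RVA + 20 * i;
    if (!ptr(sec, rva, 20)) return 0;
    d->OriginalFirstThunk = rd32(sec, rva);     d->TimeDateStamp = rd32(sec, rva + 4);
    d->ForwarderChain     = rd32(sec, rva + 8); d->Name = rd32(sec, rva + 12);
    d->FirstThunk         = rd32(sec, rva + 16);
    return d->OriginalFirstThunk || d->Name || d->FirstThunk;
}
int count_descriptors(uint8_t *sec) {
    ImportDescriptor d; int n = 0;
    while (read_desc(sec, (uint32_t)n, &d)) n++;
    return n;
}
/* Thunk value -> IMAGE_IMPORT_BY_NAME (WORD hint + name). NULL for ordinal imports or bad RVAs. */
const char *import_name(uint8_t *sec, uint32_t thunk, uint16_t *hint) {
    const uint8_t *p;
    if ((thunk & IMAGE_ORDINAL_FLAG32) || !(p = ptr(sec, thunk, 2))) return NULL;
    if (hint) *hint = (uint16_t)(p[0] | p[1] << 8);
    return cstr(sec, thunk + 2);
}
/* Stand-in for GetProcAddress (assumption); the addresses are the ones seen in the page's memory dump. */
static uint32_t fake_resolve(const char *dll, const char *func) {
    static const struct { const char *dll, *func; uint32_t va; } exports[] = {
        { "kernel32.dll", "ExitProcess", 0x7c8ad20au }, { "user32.dll", "MessageBoxA", 0x77d507eau } };
    for (size_t i = 0; func && i < sizeof exports / sizeof *exports; i++)
        if (!strcmp(exports[i].dll, dll) && !strcmp(exports[i].func, func)) return exports[i].va;
    return 0;
}
/* Loader emulation for an unbound image: read names through the INT, overwrite IAT slots with
 * addresses. Returns the number of imports bound, -1 on failure (ordinal import, unknown name, bound image). */
int bind_imports(uint8_t *sec) {
    ImportDescriptor d; int n = 0;
    for (uint32_t i = 0; read_desc(sec, i, &d); i++) {
        const char *dll = cstr(sec, d.Name);
        if (!dll || d.TimeDateStamp == 0xFFFFFFFFu) return -1;
        for (uint32_t k = 0; rd32(sec, d.OriginalFirstThunk + 4 * k); k++, n++) {
            uint32_t va = fake_resolve(dll, import_name(sec, rd32(sec, d.OriginalFirstThunk + 4 * k), NULL));
            if (!va) return -1;
            wr32(sec, d.FirstThunk + 4 * k, va);
        }
    }
    return n;
}
/* Lay the section out exactly as the page's dump shows (constructed bytes, RVAs from the tables above). */
void build_file_section(uint8_t *sec) {
    static const uint32_t k32[5] = { 0x204c, 0, 0, 0x206a, 0x2000 }, u32[5] = { 0x2054, 0, 0, 0x2086, 0x2008 };
    memset(sec, 0, SEC_SIZE);
    wr32(sec, 0x2000, 0x205c); wr32(sec, 0x2008, 0x2078);   /* IAT: on disk, same RVAs as the INT */
    for (int i = 0; i < 5; i++) { wr32(sec, 0x2010 + 4 * i, k32[i]); wr32(sec, 0x2024 + 4 * i, u32[i]); }
    wr32(sec, 0x204c, 0x205c); wr32(sec, 0x2054, 0x2078);   /* INT; 0x2038..0x204b stays zero = terminator */
    wr32(sec, 0x205c, 0x0080); wrstr(sec, 0x205e, "ExitProcess");   /* hint 80 00, then the name */
    wrstr(sec, 0x206a, "kernel32.dll");
    wr32(sec, 0x2078, 0x019d); wrstr(sec, 0x207a, "MessageBoxA");   /* hint 9d 01, then the name */
    wrstr(sec, 0x2086, "user32.dll");
}
int setup(void) {   /* build the disk form, copy it, bind the copy; returns imports bound */
    build_file_section(g_file);
    memcpy(g_mem, g_file, SEC_SIZE);
    return bind_imports(g_mem);
}
int main(void) {
    ImportDescriptor d; uint16_t hint;
    if (setup() < 0) { puts("bind failed"); return 1; }
    for (uint32_t i = 0; read_desc(g_file, i, &d); i++) {
        printf("%s (descriptor RVA %04x, FA %04x)\n", cstr(g_file, d.Name), IMPORT_DIR_RVA + 20 * i, rva_to_fa(IMPORT_DIR_RVA + 20 * i));
        for (uint32_t k = 0, e; (e = rd32(g_file, d.OriginalFirstThunk + 4 * k)); k++)
            printf("  INT %08x (VA %08x) hint %04x %-12s IAT on disk %08x, in memory %08x\n", e, IMAGE_BASE + e,
                   (hint = 0, import_name(g_file, e, &hint) ? hint : 0), import_name(g_file, e, NULL) ? import_name(g_file, e, NULL) : "(ordinal)",
                   rd32(g_file, d.FirstThunk + 4 * k), rd32(g_mem, d.FirstThunk + 4 * k));
    }
    return 0;
}
```

Running it prints one line per import with the INT entry, its hint and name, and the IAT slot before and after binding; the INT value is the same in both buffers while the IAT slot changes from 0x0000205c to 0x7c8ad20a (and from 0x00002078 to 0x77d507ea). Replace fake_resolve with a real export-table walk and the same code serves as the core of an import-rebuilding check on a process dump.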