apisetschema.dll 导入表中的dll映射关系解析
2022-06-17 14:38:59
#include"stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <vector>
// Map the fixed-width names used by the structs below onto the Windows
// types USHORT and DWORD. These are preprocessor macros, so every later
// occurrence of the two names in this file is replaced textually.
// NOTE(review): <stdint.h> is the conventional source of these names;
// whether swapping it in is safe here depends on how the toolchain's
// headers already declare them - confirm before changing.
#define uint16_t USHORT
#define uint32_t DWORD
// Counted wide-character string descriptor. Both length fields are byte
// counts (see the SAL annotation on Buffer): Length bytes of Buffer are in
// use, MaximumLength bytes are available. main() hands pointers to this
// struct to printf's "%wZ" conversion.
typedef struct _UNICODE_STRING {
    uint16_t Length;        // bytes currently used in Buffer
    uint16_t MaximumLength; // bytes available in Buffer
    _Field_size_bytes_part_(MaximumLength, Length) wchar_t* Buffer; // text; not owned by this struct in main()
} UNICODE_STRING, *PUNICODE_STRING;
// Header found at the very start of the ".apiset" section; main() casts the
// section's address to this type. Every offset stored here is applied
// relative to the address of this header.
// NOTE(review): the field layout is tied to one schema revision - confirm
// Version against the target OS before trusting the remaining fields.
typedef struct _API_SET_NAMESPACE {
    uint32_t Version;     // not read by main()
    uint32_t Size;        // not read by main()
    uint32_t Flags;       // not read by main()
    uint32_t Count;       // number of API_SET_NAMESPACE_ENTRY records main() walks
    uint32_t EntryOffset; // offset from this header to the first API_SET_NAMESPACE_ENTRY
    uint32_t HashOffset;  // not read by main(); presumably locates API_SET_HASH_ENTRY records
    uint32_t HashFactor;  // not read by main()
} API_SET_NAMESPACE, *PAPI_SET_NAMESPACE;
// Pair of 32-bit values declared alongside the other schema records.
// main() in this file never reads it.
// NOTE(review): presumably one slot of the table located through
// API_SET_NAMESPACE.HashOffset - nothing in this file confirms that.
typedef struct _API_SET_HASH_ENTRY {
    uint32_t Hash;
    uint32_t Index;
} API_SET_HASH_ENTRY, *PAPI_SET_HASH_ENTRY;
// One API-set name record. main() prints the name and then walks the
// ValueCount value records that follow from ValueOffset. All offsets are
// applied relative to the start of the API_SET_NAMESPACE header.
typedef struct _API_SET_NAMESPACE_ENTRY {
    uint32_t Flags;        // not read by main()
    uint32_t NameOffset;   // offset of the API-set name text
    uint32_t NameLength;   // length of that text; main() uses it as a UNICODE_STRING byte count
    uint32_t HashedLength; // not read by main()
    uint32_t ValueOffset;  // offset of the first API_SET_VALUE_ENTRY for this name
    uint32_t ValueCount;   // number of API_SET_VALUE_ENTRY records
} API_SET_NAMESPACE_ENTRY, *PAPI_SET_NAMESPACE_ENTRY;
// One forwarding target of an API-set name. main() prints the text at
// ValueOffset as the target and, when NameLength is non-zero, the text at
// NameOffset in square brackets after it. Offsets are applied relative to
// the start of the API_SET_NAMESPACE header.
typedef struct _API_SET_VALUE_ENTRY {
    uint32_t Flags;       // not read by main()
    uint32_t NameOffset;  // offset of the optional bracketed name
    uint32_t NameLength;  // its length; 0 means main() prints no bracketed name
    uint32_t ValueOffset; // offset of the target text
    uint32_t ValueLength; // its length; main() uses it as a UNICODE_STRING byte count
} API_SET_VALUE_ENTRY, *PAPI_SET_VALUE_ENTRY;
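// Reports a parsing failure on stderr and yields false so callers can
// write `return fail("...")`. The leading newline ends any partially
// printed mapping line.
static bool fail(const char* what)
{
    fprintf(stderr, "\napisetschema: %s\n", what);
    return false;
}

// True when the byte range [offset, offset + length) lies inside a region
// of `total` bytes. Written as a subtraction so the sum cannot wrap.
static bool range_in_bounds(DWORD offset, DWORD length, DWORD total)
{
    return offset <= total && length <= total - offset;
}

// True when `count` records of `stride` bytes starting at `offset` lie
// inside a region of `total` bytes. The product is formed in 64 bits so a
// large count cannot overflow into a small value.
static bool array_in_bounds(DWORD offset, DWORD count, size_t stride, DWORD total)
{
    if (offset > total)
    {
        return false;
    }
    return (ULONGLONG)count * stride <= (ULONGLONG)(total - offset);
}

// Describes the text at base + offset as a UNICODE_STRING. Fails when the
// range leaves the section or when the 32-bit length does not fit the
// 16-bit Length field (the original code truncated it silently).
static bool make_counted_string(UINT_PTR base, DWORD total, DWORD offset, DWORD length, UNICODE_STRING* out)
{
    if (length > 0xFFFF || !range_in_bounds(offset, length, total))
    {
        return false;
    }
    out->Buffer = (wchar_t*)(base + offset);
    out->Length = (USHORT)length;
    out->MaximumLength = (USHORT)length;
    return true;
}

// Validates the DOS and NT signatures of the mapped image and returns the
// header of the first section whose name starts with ".apiset", or NULL.
// The search is bounded by FileHeader.NumberOfSections; the original loop
// had no bound and walked past the section table when no name matched.
static PIMAGE_SECTION_HEADER find_apiset_section(BYTE* image_base)
{
    IMAGE_DOS_HEADER* pDosHeader = (IMAGE_DOS_HEADER*)image_base;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE || pDosHeader->e_lfanew <= 0)
    {
        return NULL;
    }
    PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)(image_base + pDosHeader->e_lfanew);
    if (pNtHeader->Signature != IMAGE_NT_SIGNATURE)
    {
        return NULL;
    }
    // IMAGE_FIRST_SECTION honours SizeOfOptionalHeader; `pNtHeader + 1`
    // is only right when that size equals sizeof(IMAGE_OPTIONAL_HEADER).
    PIMAGE_SECTION_HEADER pImg = IMAGE_FIRST_SECTION(pNtHeader);
    for (WORD k = 0; k < pNtHeader->FileHeader.NumberOfSections; k++, pImg++)
    {
        if (memcmp(pImg->Name, ".apiset", strlen(".apiset")) == 0)
        {
            return pImg;
        }
    }
    return NULL;
}

// Prints one "name.dll -> target[, target...]" line per namespace entry of
// the ".apiset" section of the image mapped at image_base. Every offset
// and length read from the section is checked against the section size
// before it is dereferenced. Returns false after reporting the first
// inconsistency.
// NOTE(review): the record structs describe a single schema layout and
// Version is not inspected here - confirm the layout matches the OS this
// runs on.
static bool dump_api_set_map(BYTE* image_base)
{
    PIMAGE_SECTION_HEADER pImg = find_apiset_section(image_base);
    if (pImg == NULL)
    {
        return fail("no valid PE headers or no .apiset section");
    }

    // Upper bound for everything the schema may reference.
    DWORD total = pImg->Misc.VirtualSize != 0 ? pImg->Misc.VirtualSize : pImg->SizeOfRawData;
    if (total < sizeof(API_SET_NAMESPACE))
    {
        return fail(".apiset section is smaller than its header");
    }

    PAPI_SET_NAMESPACE pnamespace = (PAPI_SET_NAMESPACE)(image_base + pImg->VirtualAddress);
    UINT_PTR namespace_addr = (UINT_PTR)pnamespace;
    if (!array_in_bounds(pnamespace->EntryOffset, pnamespace->Count, sizeof(API_SET_NAMESPACE_ENTRY), total))
    {
        return fail("namespace entry table lies outside the section");
    }

    PAPI_SET_NAMESPACE_ENTRY pnamespace_entry = (PAPI_SET_NAMESPACE_ENTRY)(namespace_addr + pnamespace->EntryOffset);
    UNICODE_STRING origin_name, forward_name;
    for (DWORD i = 0; i < pnamespace->Count; i++, pnamespace_entry++)
    {
        if (!make_counted_string(namespace_addr, total, pnamespace_entry->NameOffset, pnamespace_entry->NameLength, &origin_name))
        {
            return fail("API-set name lies outside the section");
        }
        printf("%wZ.dll -> ", &origin_name);

        if (!array_in_bounds(pnamespace_entry->ValueOffset, pnamespace_entry->ValueCount, sizeof(API_SET_VALUE_ENTRY), total))
        {
            return fail("value entry table lies outside the section");
        }
        PAPI_SET_VALUE_ENTRY pvalue_entry = (PAPI_SET_VALUE_ENTRY)(namespace_addr + pnamespace_entry->ValueOffset);
        for (DWORD j = 0; j < pnamespace_entry->ValueCount; j++, pvalue_entry++)
        {
            if (!make_counted_string(namespace_addr, total, pvalue_entry->ValueOffset, pvalue_entry->ValueLength, &forward_name))
            {
                return fail("target name lies outside the section");
            }
            printf("%wZ", &forward_name);
            if ((j + 1) != pnamespace_entry->ValueCount)
            {
                printf(", ");
            }
            if (pvalue_entry->NameLength != 0)
            {
                if (!make_counted_string(namespace_addr, total, pvalue_entry->NameOffset, pvalue_entry->NameLength, &origin_name))
                {
                    return fail("value entry name lies outside the section");
                }
                printf(" [%wZ]", &origin_name);
            }
        }
        printf("\n");
    }
    return true;
}

// Loads apisetschema.dll, prints its API-set to DLL mapping, then waits for
// a key press. Returns 0 on success and 1 when the DLL cannot be loaded or
// its schema fails validation.
int main()
{
    // Restrict the search to System32: a bare name passed to LoadLibrary
    // follows the default search order, which includes the application
    // directory, so a same-named file placed there would be mapped instead.
    HMODULE hMod = ::LoadLibraryExW(L"apisetschema.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
    if (hMod == NULL)
    {
        fprintf(stderr, "LoadLibraryExW(apisetschema.dll) failed, error %lu\n", GetLastError());
        return 1;
    }

    int rc = dump_api_set_map((BYTE*)hMod) ? 0 : 1;
    ::FreeLibrary(hMod);
    getchar();
    return rc;
}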