How to get the name/export index of the symbol at a specific address (inverse of GetProcAddress)
Suppose I have a DLL that exports some functions and I know an address within that DLL. If that address refers to a location within such a function, then, assuming the export table is sorted by function entry, the following would find the index of this function in the export table:

    // m_handle is the module base (HMODULE); address is the pointer being looked up.
    IMAGE_DOS_HEADER* dosHeader;
    dosHeader = (IMAGE_DOS_HEADER*)m_handle;
    unsigned int count;
    if(dosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        {return __MODULE_ADDRESS_NOT_FOUND;}
    IMAGE_NT_HEADERS* ntHeaders = (IMAGE_NT_HEADERS*)(((BYTE*)dosHeader) + dosHeader->e_lfanew);
    if(ntHeaders->Signature != 0x00004550)   // "PE\0\0"
        {return __MODULE_ADDRESS_NOT_FOUND;}
    IMAGE_OPTIONAL_HEADER* optionalHeader = &ntHeaders->OptionalHeader;
    // IMAGE_DIRECTORY_ENTRY_EXPORT is 0, so the directory exists only if the count exceeds it.
    if(optionalHeader->NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_EXPORT)
        {return __MODULE_ADDRESS_NOT_FOUND;}
    if(optionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size == 0)
        {return __MODULE_ADDRESS_NOT_FOUND;}
    IMAGE_DATA_DIRECTORY* dataDirectory = &optionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    IMAGE_EXPORT_DIRECTORY* Exp;
    // Byte-pointer arithmetic; casting the base to DWORD truncates it on 64-bit.
    Exp = (IMAGE_EXPORT_DIRECTORY*)((BYTE*)dosHeader + dataDirectory->VirtualAddress);
    ULONG* addressoffunctions = (ULONG*)((BYTE*)m_handle + Exp->AddressOfFunctions);
    // AddressOfFunctions holds NumberOfFunctions entries (not NumberOfNames).
    if(Exp->NumberOfFunctions == 1)
    {
        if(addressoffunctions[0] + (BYTE*)m_handle <= address)
            {return 0;}
        return __MODULE_ADDRESS_NOT_FOUND;
    }
    for(count = 1; count < Exp->NumberOfFunctions; count++)
    {
        // Entry count-1 starts at or below address and entry count starts above it.
        if(addressoffunctions[count-1] + (BYTE*)m_handle <= address
           && addressoffunctions[count] + (BYTE*)m_handle > address)
            {return count-1;}
    }

, but how do I assert that the address really refers to a location within an exported function?
Comments (1)
In the common case, you can't. You should disassemble the whole function's instruction graph to get the addresses of all its instructions.
In some trivial cases, you can search for the ret instruction, but it's not reliable. If you can perform static analysis, you can use IDA to get function boundaries.
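
A nearest-preceding-export lookup that does not rely on the table being sorted, as an added example (not code from the question or the answer). The names `export_hit`, `nearest_export` and `lookup_sample` and the sample tables are constructed for illustration; the result is only a candidate, because the export table records where functions start, not where they end.

```c
#include <stdint.h>

/* Hypothetical result type for this example. */
typedef struct {
    int      func_index;  /* slot in AddressOfFunctions (ordinal - Base), -1 if none */
    int      name_index;  /* slot in AddressOfNames, -1 if exported by ordinal only */
    uint32_t next_start;  /* RVA of the next export above target, else image size */
} export_hit;

/* Nearest export entry at or below `target` (an RVA). The arrays mirror the
   export tables; dir_rva/dir_size is the export data directory range. */
static export_hit nearest_export(const uint32_t *funcs, uint32_t n_funcs,
                                 const uint16_t *name_ords, uint32_t n_names,
                                 uint32_t dir_rva, uint32_t dir_size,
                                 uint32_t image_size, uint32_t target)
{
    export_hit hit = { -1, -1, image_size };
    uint32_t best = 0;
    if (target >= image_size) return hit;             /* outside the module */
    for (uint32_t i = 0; i < n_funcs; i++) {
        uint32_t rva = funcs[i];
        if (rva == 0) continue;                       /* unused ordinal slot */
        if (rva >= dir_rva && rva - dir_rva < dir_size) continue; /* forwarder */
        if (rva <= target) {
            if (hit.func_index < 0 || rva > best) { best = rva; hit.func_index = (int)i; }
        } else if (rva < hit.next_start) {
            hit.next_start = rva;                     /* tightest upper bound */
        }
    }
    /* Names reach function slots through AddressOfNameOrdinals. */
    for (uint32_t j = 0; hit.func_index >= 0 && j < n_names; j++)
        if ((int)name_ords[j] == hit.func_index) { hit.name_index = (int)j; break; }
    return hit;
}

/* Constructed sample tables (not from a real DLL): unsorted, with an unused
   slot (0) and a forwarder (0x5010 lies inside the export directory). */
static const uint32_t sample_funcs[]     = { 0x1400, 0, 0x1200, 0x5010, 0x1000 };
static const uint16_t sample_name_ords[] = { 4, 0, 3 };

static export_hit lookup_sample(uint32_t target_rva)
{
    return nearest_export(sample_funcs, 5, sample_name_ords, 3,
                          0x5000, 0x200, 0x6000, target_rva);
}

/* Exit status 0 when RVA 0x1250 resolves to slot 2 of the sample table. */
int main(void) { return lookup_sample(0x1250).func_index == 2 ? 0 : 1; }
```

With the constructed tables, RVA 0x5010 (inside the export directory, which is data) still returns slot 0, so a hit is not proof that the address is code belonging to that export.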