Import table giving incorrect RVAs for import names
I'm having trouble with the Win32 NT headers giving me odd RVAs for import names. Here is the relevant code that is giving me the problem:
//Get a pointer to the import table
PIMAGE_IMPORT_DESCRIPTOR piidImportTableAddr;
piidImportTableAddr = (PIMAGE_IMPORT_DESCRIPTOR)(pImgNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (DWORD)pMemFile);
while(piidImportTableAddr->Name != 0)
{
    //Iterate over every IMAGE_IMPORT_DESCRIPTOR structure, extracting the names of the DLLs to import
    char* name = (char*)((DWORD)piidImportTableAddr->Name + (DWORD)pMemFile);
    //Do nothing for now
    piidImportTableAddr++;
}
However, the piidImportTableAddr structure's members contain addresses that are bad pointers. Here is a table of the members:
Characteristics     0x42746553
OriginalFirstThunk  0x42746553
TimeDateStamp       0x646f4d6b
ForwarderChain      0x02260065
Name                0x54746547
FirstThunk          0x4d747865
These are all bad RVAs and memory locations. Is there something I'm doing wrong when looking up the DLL name by this method? I have compared the RVA of the import table to the one shown in PE Lord; they are the same, so I am not sure why the IMAGE_IMPORT_DESCRIPTORs are incorrect.
Here is a link to the source code in its entirety: http://pastebin.com/32MBEvWU
2 answers
You have the RVA of the import table, but since the module hasn't been loaded, the sections are still at their physical locations. The physical offset of the import section is usually different from the RVA. You will have to iterate through the section headers (_IMAGE_SECTION_HEADER) and, using the VirtualAddress and VirtualSize values, find the section that contains the import table. Then get the physical address of that section from PointerToRawData. So the actual address you want is something like this:
Your code gives the impression that you are inspecting the IAT of a module that has already been virtualized (loaded into memory), which means the IAT will not contain RVAs; instead the addresses will have been adjusted by the Windows loader to the required dynamic offsets.
However, with that being said, the data reported by LordPE is suspect. If the binary module is actually valid (i.e. Windows can load it and it runs), then you might be dealing with an obfuscated file; otherwise the binary is corrupt or not a Win32 PE file.