一、導(dǎo)出表位置

在數(shù)據(jù)目錄的的第0項(xiàng)，即IMAGE_NT_HEADERS.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]項(xiàng)

二、導(dǎo)出表結(jié)構(gòu)

IMAGE_EXPORT_DESCRIPTRO struc

+00h? Characteristics????????? dd

+04h? TimeDateStamp????????dd

+08h? MajorVersion??????????? dw

+0ah? MinorVersion???????????? dw?

+0ch? nName????????????????????? dd????????????????????? ;RVA指向編譯時(shí)的模塊名

+10h? nBase?????????????????????? dd????????????????????? ;起始序號(hào)

+14h? NumberOfFunctions??? dd????????????????????? ;導(dǎo)出函數(shù)總數(shù)

+18h? NumberOfNames????????dd????????????????????? ;已名字導(dǎo)出的函數(shù)數(shù)量

+1ch? AddressOfFunctions??? dd????????????????????? ;RVA指向?qū)С龊瘮?shù)地址列表

+20h? AddressOfNames????????dd????????????????????? ;RVA指向函數(shù)名稱(chēng)地址列表，注意該列表項(xiàng)是指向函數(shù)名稱(chēng)的RVA

+24h? AddressOfNameOrdinal? dd??????????????????? ;RVA指向序號(hào)列表，列表項(xiàng)為word型，是聯(lián)系函數(shù)名稱(chēng)與函數(shù)地址的橋梁

IMAGE_EXPORT_DESCRIPTOR ends

三、加載器加載過(guò)程

?1、根據(jù)名稱(chēng)查找函數(shù)地址

（1）定位導(dǎo)出模塊的IMAGE_EXPORT_DESCRIPTOR

（2)以NumberOfNames為循環(huán)次數(shù)，循環(huán)比較AddressOfNames指向的地址項(xiàng)所對(duì)應(yīng)的函數(shù)名字符串，如果沒(méi)找到匹配的名稱(chēng)字符串，則找不到所對(duì)應(yīng)的函數(shù)。

（3）如果找到匹配的函數(shù)名字符串，則以此為索引號(hào)，取出AddressOfNameOrdinal所指向的序號(hào)。

（4）取出的序號(hào)-nBase=函數(shù)地址索引號(hào)

（5）以此為索引號(hào)，取出AddressOfFunctions指向的函數(shù)地址。

2、根據(jù)序號(hào)查找函數(shù)地址

（1）定位導(dǎo)出模塊的IMAGE_EXPORT_DESCRIPTOR

（2）序號(hào)-nBase=函數(shù)地址索引號(hào)

（3）以此為索引號(hào)，取出AddressOfFunctions指向的函數(shù)地址。

四、示例

?processpefile_export.asm

;======================
;pe文件導(dǎo)出表
;by 紫陌
;======================
;======================
;數(shù)據(jù)段
;======================
.const
szExportTable????db '導(dǎo)出表IMAGE_EXPORT_DIRECTORY(%08X)', 0dh, 0ah
????????db 'nName????????????????? (%08X):%s', 0dh, 0ah
????????db 'nBase????????????????? (%08X):%08X', 0dh, 0ah
????????db 'NumberOfFunctions????? (%08X):%08X', 0dh, 0ah
????????db 'NumberOfNames????????? (%08X):%08X', 0dh, 0ah
????????db 'AddressOfFunction????? (%08X):%08X', 0dh, 0ah
????????db 'AddressOfNames???????? (%08X):%08X', 0dh, 0ah
????????db 'AddressOfNameOrdinal?? (%08X):%08X', 0dh, 0ah, 0
szTitleAddressOfFunctions??db '=========AddressOfFunctions=========', 0dh, 0ah, 0
szAddressOfFunctions????db '(索引號(hào)%04X)(%08X):%08X', 0dh, 0ah, 0
szTitleAddressOfNames???db '=========AddressOfNames=========', 0dh, 0ah, 0
szAddressOfNames?????db '(索引號(hào)%04X)(%08X):%08X->%s', 0dh, 0ah, 0
szTitleAddressOfNameOrdinal?db '=========AddressOfNameOrdinal=========', 0dh, 0ah, 0
szAddressOfNameOrdinal???db '(索引號(hào)%04X)(%08X):%04X', 0dh, 0ah, 0

;======================
;代碼段
;======================
.code
_ProcessPeFile_Export proc _lpImageBase
?local @szBuf[400h]:BYTE
?local @nName
?local @NumberOfFunctions
?local @NumberOfNames
?local @nIndex
?local @nIndexOfAddress
?
?pushad
?
?mov edi, _lpImageBase
?assume edi:ptr IMAGE_DOS_HEADER
?add edi, [edi].e_lfanew
?assume edi:ptr IMAGE_NT_HEADERS
?mov eax, [edi].OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT * sizeof IMAGE_DATA_DIRECTORY].VirtualAddress
?.if !eax
??jmp _overpos
?.endif
?invoke _RvaToOffset, _lpImageBase, eax
?mov edi, eax
?add edi, _lpImageBase
?assume edi:ptr IMAGE_EXPORT_DIRECTORY
?;************************
?;導(dǎo)出表IMAGE_EXPORT_DIRECTORY
?;************************
?invoke _RvaToOffset, _lpImageBase, [edi].nName
?add eax, _lpImageBase
?mov @nName, eax
?invoke wsprintf, addr @szBuf, addr szExportTable, \
??edi, \
??addr [edi].nName, @nName, \
??addr [edi].nBase, [edi].nBase, \
??addr [edi].NumberOfFunctions, [edi].NumberOfFunctions, \
??addr [edi].NumberOfNames, [edi].NumberOfNames, \
??addr [edi].AddressOfFunctions, [edi].AddressOfFunctions, \
??addr [edi].AddressOfNames, [edi].AddressOfNames, \
??addr [edi].AddressOfNameOrdinals, [edi].AddressOfNameOrdinals
?invoke lstrcpy, addr szShowMsg, addr @szBuf
?invoke SetWindowText, hRichEdit, addr szShowMsg
?;***********************
?;導(dǎo)出函數(shù)地址表
?;***********************
?invoke lstrcat, addr szShowMsg, addr szTitleAddressOfFunctions
?mov ecx, [edi].AddressOfFunctions
?invoke _RvaToOffset, _lpImageBase, ecx
?add eax, _lpImageBase
?mov esi, eax
?mov ecx, [edi].NumberOfFunctions
?mov @NumberOfFunctions, ecx
?xor eax, eax
?mov @nIndex, eax
?.while ecx
??mov @NumberOfFunctions, ecx
??invoke wsprintf, addr @szBuf, addr szAddressOfFunctions, \
???@nIndex, \
???esi, \
???DWORD ptr [esi]
??invoke lstrcat, addr szShowMsg, addr @szBuf
??mov ecx, @nIndex
??inc ecx
??mov @nIndex, ecx
??mov ecx, @NumberOfFunctions
??dec ecx
??add esi, 4
?.endw
?invoke SetWindowText, hRichEdit, addr szShowMsg
?;**************************
?;導(dǎo)出函數(shù)名稱(chēng)
?;**************************
?invoke lstrcat, addr szShowMsg, addr szTitleAddressOfNames
?mov ecx, [edi].AddressOfNames
?invoke _RvaToOffset, _lpImageBase, ecx
?add eax, _lpImageBase
?mov esi, eax
?mov ecx, [edi].NumberOfNames
?mov @NumberOfNames, ecx
?xor eax, eax
?mov @nIndex, eax
?.while ecx
??mov @NumberOfNames, ecx
??mov ecx, [esi]
??invoke _RvaToOffset, _lpImageBase, ecx
??add eax, _lpImageBase
??invoke wsprintf, addr @szBuf, addr szAddressOfNames, \
???@nIndex, \
???esi, \
???DWORD ptr [esi], \
???eax
??invoke lstrcat, addr szShowMsg, addr @szBuf
??mov ecx, @nIndex
??inc ecx
??mov @nIndex, ecx
??mov ecx, @NumberOfNames
??dec ecx
??add esi, 4
?.endw
?invoke SetWindowText, hRichEdit, addr szShowMsg
?;**************************
?;導(dǎo)出函數(shù)名稱(chēng)地址索引表
?;**************************
?invoke lstrcat, addr szShowMsg, addr szTitleAddressOfNameOrdinal
?mov ecx, [edi].AddressOfNameOrdinals
?invoke _RvaToOffset, _lpImageBase, ecx
?add eax, _lpImageBase
?mov esi, eax
?mov ecx, [edi].NumberOfNames
?mov @NumberOfNames, ecx
?xor eax, eax
?mov @nIndex, eax
?.while ecx
??mov @NumberOfNames, ecx
??movzx ecx, WORD ptr [esi]
??mov @nIndexOfAddress, ecx
??invoke wsprintf, addr @szBuf, addr szAddressOfNameOrdinal, \
???@nIndex, \
???esi, \
???@nIndexOfAddress
??invoke lstrcat, addr szShowMsg, addr @szBuf
??mov ecx, @nIndex
??inc ecx
??mov @nIndex, ecx
??mov ecx, @NumberOfNames
??dec ecx
??add esi, 4
?.endw
?invoke SetWindowText, hRichEdit, addr szShowMsg
_overpos:?
?assume edi:nothing
?popad
?ret
_ProcessPeFile_Export endp

?

轉(zhuǎn)載于:https://www.cnblogs.com/guanlaiy/archive/2012/05/03/2479985.html

總結(jié)

以上是生活随笔為你收集整理的PE文件格式--------------导出表的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問(wèn)題。

如果覺(jué)得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。