RVA

RVA

关注
发信
关注(28)粉丝(399)

c++ - PIMAGE_EXPORT_DIRECTORY-内存访问错误

我正在尝试在kernel32.dll中找到用于loadlibrary的RVA。我已经阅读了几个解析PE header 的文档,但似乎无法找出指向导出目录的指针为何无效的原因。

hFile = CreateFile(fileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        err = GetLastError();
        return err;
    }

    hFileMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
    if (hFileMapping == 0)
    {
        err = GetLastError();
        CloseHandle(fileName);
        return err;
    }

    lpFileBase = MapViewOfFile(hFileMapping, FILE_MAP_READ, 0, 0, 0);
    if (lpFileBase == 0)
    {
        err = GetLastError();
        CloseHandle(fileName);
        CloseHandle(hFileMapping);
        return err;
    }

    dosHeader = (PIMAGE_DOS_HEADER)lpFileBase;
    pNTHeader = (PIMAGE_NT_HEADERS)((BYTE*)dosHeader + dosHeader->e_lfanew);
    base = (DWORD64)dosHeader;

在这里打开文件,当我在这里运行调试器时,一切似乎都很好。
    exportsStartRVA = pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    exportsEndRVA = exportsStartRVA + pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;

在这里,我成功访问了DataDirectory以获取VirtualAddress和导出目录的大小。
PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(pNTHeader);
unsigned i;
for (i = 0; i < pNTHeader->FileHeader.NumberOfSections; i++, section++)
{
    // Is the RVA within this section?
    if ((exportsStartRVA >= section->VirtualAddress) &&
        (exportsStartRVA < (section->VirtualAddress + section->Misc.VirtualSize)))
        break;
}

我遍历所有节,直到获得包含exportsStartRVA的节标题。现在,“section”指针指向导出目录的“Section Header”。
exportDir = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)base + exportsStartRVA + section->PointerToRawData - section->VirtualAddress);

在这里,我得到了指向导出目录的指针。
PDWORD pfunctions = (PDWORD)((PBYTE)base + (DWORD64)exportDir->AddressOfFunctions + header->PointerToRawData - header->VirtualAddress);
PDWORD ordinals = (PDWORD)((PBYTE)base + (DWORD64)exportDir->AddressOfNameOrdinals + header->PointerToRawData - header->VirtualAddress);
PSTR* name = (PSTR*)((PBYTE)base + (DWORD64)exportDir->AddressOfNames + header->PointerToRawData - header->VirtualAddress);
PSTR funcName;

for (unsigned i = 0; i < (DWORD64)exportDir->NumberOfNames; i++)
{
    funcName = name[i];
}

编辑:问题在于我的取消引用,我认为,funcName实际上没有给我除内存访问错误以外的任何东西。

最佳答案

AddressOfNames是指向字符串名称的RVA列表的RVA,而不是指向字符串列表的RVA。

关于c++ - PIMAGE_EXPORT_DIRECTORY-内存访问错误,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/26616379/

10-08 21:32
Powered by LMLPHP ©2024 RVA 0.031911