DWORD GetFunctionAddrByName(IN PVOID pFileBuffer,IN DWORD NameOfFunction)
{
PIMAGE_DOS_HEADER pDosHeader = NULL;
PIMAGE_NT_HEADERS pNTHeader = NULL;
PIMAGE_FILE_HEADER pPEHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 pOptionHeader = NULL;
PIMAGE_SECTION_HEADER pSectionHeader = NULL;
PIMAGE_DATA_DIRECTORY pDataDirectory = NULL;
if(!pFileBuffer)
{
printf("文件無效\n");
free(pFileBuffer);
return 0;
}
if(*(PDWORD)((DWORD)pFileBuffer) != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的PE文件\n");
free(pFileBuffer);
return 0;
}
pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer;
pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pDosHeader + pDosHeader->e_lfanew);
pPEHeader = (PIMAGE_FILE_HEADER)((DWORD)pNTHeader + 4);
pOptionHeader = (PIMAGE_OPTIONAL_HEADER)((DWORD)pPEHeader + IMAGE_SIZEOF_FILE_HEADER);
pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader + pPEHeader->SizeOfOptionalHeader);
//定位數據目錄
pDataDirectory = pOptionHeader->DataDirectory;
//定位導出表
DWORD RVAOfDataDirectoryExportAddr = 0;
DWORD dataDirectoryExportSize = 0;
RVAOfDataDirectoryExportAddr = pDataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
dataDirectoryExportSize = pDataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
//用導出表指針取導出表大小,獲得導出表
DWORD FOAOfDataDirectoryExportAddr = 0;
FOAOfDataDirectoryExportAddr = RVA2FOA (pFileBuffer,RVAOfDataDirectoryExportAddr);
IMAGE_EXPORT_DIRECTORY dataDirectoryExport = *(PIMAGE_EXPORT_DIRECTORY)(FOAOfDataDirectoryExportAddr + dataDirectoryExportSize);
//獲取3個表的FOA
PDWORD FOAOfAddressOfFunctions = NULL;
PDWORD FOAOfAddressOfNames = NULL;
PDWORD FOAOfddressOfNameOrdinals = NULL;
FOAOfAddressOfFunctions = (PDWORD)RVA2FOA (pFileBuffer,dataDirectoryExport.AddressOfFunctions);
FOAOfAddressOfNames= (PDWORD)RVA2FOA (pFileBuffer,dataDirectoryExport.AddressOfNames);
FOAOfddressOfNameOrdinals= (PDWORD)RVA2FOA (pFileBuffer,dataDirectoryExport.AddressOfNameOrdinals);
//通過3個表的FOA找到3個表,但表中存儲的都是RVA,取出來後也要轉換
PDWORD FOAOfNames = NULL;
PDWORD FOAOfNmaeOrdinals =NULL;
PDWORD FOAOfFunctions = NULL;
DWORD AddrOfFunction = 0;
for(int i=0;i<dataDirectoryExport.NumberOfNames;i++)
{
FOAOfNames = (PDWORD)RVA2FOA (pFileBuffer,*(PWORD)FOAOfAddressOfNames[i]);
if(strcmp(NameOfFunction,*(FOAOfNames)))
{
AddrOfFunction = RVA2FOA (pFileBuffer,FOAOfFunctions[FOAOfNmaeOrdinals[i]]);
free(pFileBuffer);
return AddrOfFunction;
}
}
}
1.(AddressOfNameOrdinals)導出序號表中的的值 = 發佈的導出序號 - Base(發佈的最小導出序號),
反之發佈的導出序號 =AddressOfNameOrdinals值 + Base(發佈的最小導出序號)
2.如果用發佈序號找函數地址,直接:發佈序號- BASE = 直接拿到AddressOfFunctions的序號,
和AddressOfNameOrdinals中值的算法一樣,但(AddressOfNameOrdinals)導出序號表中沒有存儲
總之,無論1.AddressOfNameOrdinals中的值,還是2.直接發佈序號-Base,都是所對應函數的地址表的下標,算法一樣
3.不要搞混淆序號表中的值和函數地址表數量:NumberOfFunctions的數量 = 發佈序號的最大值 - 最小值 + 1,比如發佈序號0,0-0 + 1 = 1, 故在AddressOfFunctions中對應從1開始分配位置,0就不用了,
所以AddressOfNameOrdinals中不可能存有0的情況;
或者比如發佈序號爲1,2 3 4 5,5 - 1 + 1 = 5,會在AddressOfFunctions表中分配5個,有一個是多餘的,也就是0