unit Unit1;interfaceuses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls;type
TForm1 = class(TForm)
Button1: TButton;
Edit1: TEdit;
procedure Button1Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
PImageImportDescriptor = ^TImageImportDescriptor;
TImageImportDescriptor = packed record
OriginalFirstThunk: DWord;
TimeDateStamp : DWord;
ForwarderChain : DWord;
DLLName : DWord;
FirstThunk : DWord;
end;var
Form1: TForm1;
HFile:THandle;
Base:Pointer;
VirtualAddres:DwORD;
implementation{$R *.dfm}function RVAToOffset(Base:Pointer;VirtualAddress:DWord):DWord ;
var
dos_header:PImageDosHeader;
nt_header:PImagentHeaders;
SectionHeade:PImageSectionHeader;
NumOfSection:integer;
i:integer;
begin
dos_header:=PImageDosHeader(base);
nt_header:=PImagentHeaders(integer(dos_header)+dos_header._lfanew);
NumOfSection:=nt_header.FileHeader.NumberOfSections;
SectionHeade:=PImageSectionHeader(integer(Base)+dos_header._lfanew+
sizeof(IMAGE_NT_HEADERS));
for i := 0 to NumOfSection-1 do
begin
inc(SectionHeade,i);
if ((VirtualAddress>SectionHeade.VirtualAddress) and (VirtualAddress<
SectionHeade.VirtualAddress+SectionHeade.SizeOfRawData)) then
result:=VirtualAddress-SectionHeade.VirtualAddress+SectionHeade.PointerToRawData;
end;
end;
procedure TForm1.Button1Click(Sender: TObject);
var
Hmaping:THandle;
dos_header:PImageDosHeader;
nt_header:PImagentHeaders;
Pimport:PImageimportDescriptor;
A:pchar;
begin
if HFile=0 then
HFile:=CreateFile('c:\1.exe',GENERIC_READ or GENERIC_WRITE,FILE_SHARE_WRITE,nil,
OPEN_EXISTING,FILE_FLAG_SEQUENTIAL_SCAN,0);
if HFile=INVALID_HANDLE_VALUE then
showmessage('打开文件失败');
Hmaping:=CreateFileMapping(HFile,nil,PAGE_READWRITE,0,0,nil);
if Hmaping<>0 then
Base:=MapViewOfFile(Hmaping,FILE_MAP_ALL_ACCESS,0,0,0);
dos_header:=PImageDosHeader(base);
if dos_header.e_magic<>IMAGE_DOS_SIGNATURE then
showmessage('错误');
nt_header:=PImagentHeaders(dword(dos_header)+dos_header._lfanew);
if nt_header.Signature<>IMAGE_NT_SIGNATURE then
showmessage('错误');
VirtualAddres:=nt_header.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
Pimport:=PImageimportDescriptor(dword(Base)+RVAToOffset(Base,VirtualAddres));
EDIT1.Text:=inttostr(dword(Base)+RVAToOffset(Base,Pimport.DLLNAME));end;end.
最后得到的是 第一个引入模块的地址,怎么才能得到它的名字的 ?就是引入的dll 名字 ~
高手解释下 谢谢!!
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls;type
TForm1 = class(TForm)
Button1: TButton;
Edit1: TEdit;
procedure Button1Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
PImageImportDescriptor = ^TImageImportDescriptor;
TImageImportDescriptor = packed record
OriginalFirstThunk: DWord;
TimeDateStamp : DWord;
ForwarderChain : DWord;
DLLName : DWord;
FirstThunk : DWord;
end;var
Form1: TForm1;
HFile:THandle;
Base:Pointer;
VirtualAddres:DwORD;
implementation{$R *.dfm}function RVAToOffset(Base:Pointer;VirtualAddress:DWord):DWord ;
var
dos_header:PImageDosHeader;
nt_header:PImagentHeaders;
SectionHeade:PImageSectionHeader;
NumOfSection:integer;
i:integer;
begin
dos_header:=PImageDosHeader(base);
nt_header:=PImagentHeaders(integer(dos_header)+dos_header._lfanew);
NumOfSection:=nt_header.FileHeader.NumberOfSections;
SectionHeade:=PImageSectionHeader(integer(Base)+dos_header._lfanew+
sizeof(IMAGE_NT_HEADERS));
for i := 0 to NumOfSection-1 do
begin
inc(SectionHeade,i);
if ((VirtualAddress>SectionHeade.VirtualAddress) and (VirtualAddress<
SectionHeade.VirtualAddress+SectionHeade.SizeOfRawData)) then
result:=VirtualAddress-SectionHeade.VirtualAddress+SectionHeade.PointerToRawData;
end;
end;
procedure TForm1.Button1Click(Sender: TObject);
var
Hmaping:THandle;
dos_header:PImageDosHeader;
nt_header:PImagentHeaders;
Pimport:PImageimportDescriptor;
A:pchar;
begin
if HFile=0 then
HFile:=CreateFile('c:\1.exe',GENERIC_READ or GENERIC_WRITE,FILE_SHARE_WRITE,nil,
OPEN_EXISTING,FILE_FLAG_SEQUENTIAL_SCAN,0);
if HFile=INVALID_HANDLE_VALUE then
showmessage('打开文件失败');
Hmaping:=CreateFileMapping(HFile,nil,PAGE_READWRITE,0,0,nil);
if Hmaping<>0 then
Base:=MapViewOfFile(Hmaping,FILE_MAP_ALL_ACCESS,0,0,0);
dos_header:=PImageDosHeader(base);
if dos_header.e_magic<>IMAGE_DOS_SIGNATURE then
showmessage('错误');
nt_header:=PImagentHeaders(dword(dos_header)+dos_header._lfanew);
if nt_header.Signature<>IMAGE_NT_SIGNATURE then
showmessage('错误');
VirtualAddres:=nt_header.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
Pimport:=PImageimportDescriptor(dword(Base)+RVAToOffset(Base,VirtualAddres));
EDIT1.Text:=inttostr(dword(Base)+RVAToOffset(Base,Pimport.DLLNAME));end;end.
最后得到的是 第一个引入模块的地址,怎么才能得到它的名字的 ?就是引入的dll 名字 ~
高手解释下 谢谢!!
具体可以参考《Delphi下深入windows核心编程》