下面这段代码从加载的句柄解析函数名和地址可是对ws2_32.dll无效高分求助和getprocaddress的返回值不同
============================================================================
DWORD GetFunctionAddress( HMODULE phModule,char* pProcName,int* pod )
{
MODULEENTRY32 me = {0};
HANDLE hSnapshot = NULL;
int num = 0;
bool bRet = false;
DWORD apiaddr = 0;
INT totfuns =0;
int totdll =0;
FILE* file = fopen(dllfile,"a+");
if(file ==0) ::MessageBox(0,0,"err",0) ;
try{
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, 0); // zero indicate the current process
if (hSnapshot == INVALID_HANDLE_VALUE)
{
MessageBox(NULL, "CreateToolhelp32Snapshot INVALID_HANDLE_VALUE", "err", MB_OK);
return 0;
}
IMAGE_DATA_DIRECTORY* pIMAGE_DATA_DIRECTORY;
me.dwSize = sizeof(MODULEENTRY32);
if (Module32First(hSnapshot, &me))
{
do
{
// me.hModule:指向当前被挂钩进程的每一个模块 // if(me.hModule==(HMODULE) getCurDll()) continue;
//if (ReplaceApiAddress(me.hModule,"MessageBoxA","user32.dll",(DWORD *)&oldMessageBoxA,(DWORD)MyMessageBoxA,type))
//num++;
HMODULE phModule =me.hModule ;
int moduleintot =0;
fprintf(file,"\n=====================================\n%s %s GlblcntUsage->%d th32ModuleID :%d %x ",me.szExePath,me.szModule ,me.GlblcntUsage,me.th32ModuleID,me.hModule);
if(strstr(me.szExePath,"WS2_32.dll")){
moduleintot =moduleintot ;
}
PIMAGE_DOS_HEADER pimDH = (PIMAGE_DOS_HEADER)phModule;
PIMAGE_NT_HEADERS pimNH = (PIMAGE_NT_HEADERS)((char*)phModule+pimDH->e_lfanew);
pIMAGE_DATA_DIRECTORY = pimNH->OptionalHeader.DataDirectory; DWORD pExportSize = pIMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
PIMAGE_EXPORT_DIRECTORY pexportSectionheader = (PIMAGE_EXPORT_DIRECTORY)((DWORD)phModule+pIMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
DWORD* pFuntionAddr =(DWORD*)((DWORD)phModule+(DWORD)(pexportSectionheader->AddressOfFunctions));
DWORD* pName =(DWORD*)((DWORD)phModule+(DWORD)(pexportSectionheader->AddressOfNames));
int NumberOfFunction = pexportSectionheader->NumberOfFunctions;
int i;
for(i=0;i<NumberOfFunction;i++){
totfuns++;moduleintot++;
{
proc[i] = (DWORD)pFuntionAddr[i]+(DWORD)phModule;
name[i] = (DWORD)(char*)((DWORD)phModule+(DWORD)pName[i]);
}
}
//sort((DWORD*)proc,NumberOfFunction,(DWORD*)name);
for(i=0;i<NumberOfFunction;i++){
ULONG psize = (ULONG)phModule+(ULONG)me.modBaseSize;
if(((ULONG)name[i]<psize)&&((ULONG)name[i]>(ULONG)(ULONG)pimNH)){
int j;
char* p = (char*)name[i];
for(j=0;j<300;j++){
if(p[j]==0) break;
}
if(j<300){
if(Isstring(p,j))
fprintf(file,"%x %s \n",proc[i],(char*)name[i]);
else
fprintf(file,"%x %s \n",proc[i],(char*)"<noname>");
}
else{
fprintf(file,"%x %s \n",proc[i],(char*)"<toolongname>");
}
}else{
//fprintf(file,"%x %s \n",proc[i],(char*)"unnmae");
}
}
//return NumberOfFunction;
totdll++;
}
while (Module32Next(hSnapshot, &me));
if (num)
bRet = true;
}
CloseHandle(hSnapshot);
}
catch(...){
MessageBox(0,0,"k",0);
fclose(file);
}
// test
// Logs("Module with hooked API total numbers", num);
printf("%d %d",totdll,totfuns);
return totfuns;
}这个是结果C:\WINDOWS\system32\WS2_32.dll WS2_32.dll GlblcntUsage->65535 th32ModuleID :1 71a20000 71a31040 FreeAddrInfoW
71a24480 GetAddrInfoW
71a23e2b GetNameInfoW
71a24a07 WEP
71a30b68 WPUCompleteOverlappedRequest
71a23d10 WSAAccept
71a246ea WSAAddressToStringA
71a22ead WSAAddressToStringW
71a22e53 WSAAsyncGetHostByAddr
71a23f50 WSAAsyncGetHostByName
71a22ee1 WSAAsyncGetProtoByName
71a245c1 WSAAsyncGetProtoByNumber
71a28cd3 WSAAsyncGetServByName
。71a2e867 listen
71a2e347 ntohl
71a2d4ac ntohs
71a2d508 recv 。。而在别的软件getprocaddress返回是1:53:56 734 terminal.exe ntohl---> ws2_32.dll 71a22ead
1:53:56 734 terminal.exe ntohs---> ws2_32.dll 71a22e53
1:53:56 734 terminal.exe recv---> ws2_32.dll 71a2676f =======================================================================
1:53:56 734 terminal.exe recvfrom---> ws2_32.dll 71a22ff7 =======================================================================
1:53:56 734 terminal.exe select---> ws2_32.dll 71a230a8
1:53:56 750 terminal.exe send---> ws2_32.dll 71a24c27
发现可能是错位了各位帮我分析为什么71a22ead WSAAsyncGetServByPort
============================================================================
DWORD GetFunctionAddress( HMODULE phModule,char* pProcName,int* pod )
{
MODULEENTRY32 me = {0};
HANDLE hSnapshot = NULL;
int num = 0;
bool bRet = false;
DWORD apiaddr = 0;
INT totfuns =0;
int totdll =0;
FILE* file = fopen(dllfile,"a+");
if(file ==0) ::MessageBox(0,0,"err",0) ;
try{
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, 0); // zero indicate the current process
if (hSnapshot == INVALID_HANDLE_VALUE)
{
MessageBox(NULL, "CreateToolhelp32Snapshot INVALID_HANDLE_VALUE", "err", MB_OK);
return 0;
}
IMAGE_DATA_DIRECTORY* pIMAGE_DATA_DIRECTORY;
me.dwSize = sizeof(MODULEENTRY32);
if (Module32First(hSnapshot, &me))
{
do
{
// me.hModule:指向当前被挂钩进程的每一个模块 // if(me.hModule==(HMODULE) getCurDll()) continue;
//if (ReplaceApiAddress(me.hModule,"MessageBoxA","user32.dll",(DWORD *)&oldMessageBoxA,(DWORD)MyMessageBoxA,type))
//num++;
HMODULE phModule =me.hModule ;
int moduleintot =0;
fprintf(file,"\n=====================================\n%s %s GlblcntUsage->%d th32ModuleID :%d %x ",me.szExePath,me.szModule ,me.GlblcntUsage,me.th32ModuleID,me.hModule);
if(strstr(me.szExePath,"WS2_32.dll")){
moduleintot =moduleintot ;
}
PIMAGE_DOS_HEADER pimDH = (PIMAGE_DOS_HEADER)phModule;
PIMAGE_NT_HEADERS pimNH = (PIMAGE_NT_HEADERS)((char*)phModule+pimDH->e_lfanew);
pIMAGE_DATA_DIRECTORY = pimNH->OptionalHeader.DataDirectory; DWORD pExportSize = pIMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
PIMAGE_EXPORT_DIRECTORY pexportSectionheader = (PIMAGE_EXPORT_DIRECTORY)((DWORD)phModule+pIMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
DWORD* pFuntionAddr =(DWORD*)((DWORD)phModule+(DWORD)(pexportSectionheader->AddressOfFunctions));
DWORD* pName =(DWORD*)((DWORD)phModule+(DWORD)(pexportSectionheader->AddressOfNames));
int NumberOfFunction = pexportSectionheader->NumberOfFunctions;
int i;
for(i=0;i<NumberOfFunction;i++){
totfuns++;moduleintot++;
{
proc[i] = (DWORD)pFuntionAddr[i]+(DWORD)phModule;
name[i] = (DWORD)(char*)((DWORD)phModule+(DWORD)pName[i]);
}
}
//sort((DWORD*)proc,NumberOfFunction,(DWORD*)name);
for(i=0;i<NumberOfFunction;i++){
ULONG psize = (ULONG)phModule+(ULONG)me.modBaseSize;
if(((ULONG)name[i]<psize)&&((ULONG)name[i]>(ULONG)(ULONG)pimNH)){
int j;
char* p = (char*)name[i];
for(j=0;j<300;j++){
if(p[j]==0) break;
}
if(j<300){
if(Isstring(p,j))
fprintf(file,"%x %s \n",proc[i],(char*)name[i]);
else
fprintf(file,"%x %s \n",proc[i],(char*)"<noname>");
}
else{
fprintf(file,"%x %s \n",proc[i],(char*)"<toolongname>");
}
}else{
//fprintf(file,"%x %s \n",proc[i],(char*)"unnmae");
}
}
//return NumberOfFunction;
totdll++;
}
while (Module32Next(hSnapshot, &me));
if (num)
bRet = true;
}
CloseHandle(hSnapshot);
}
catch(...){
MessageBox(0,0,"k",0);
fclose(file);
}
// test
// Logs("Module with hooked API total numbers", num);
printf("%d %d",totdll,totfuns);
return totfuns;
}这个是结果C:\WINDOWS\system32\WS2_32.dll WS2_32.dll GlblcntUsage->65535 th32ModuleID :1 71a20000 71a31040 FreeAddrInfoW
71a24480 GetAddrInfoW
71a23e2b GetNameInfoW
71a24a07 WEP
71a30b68 WPUCompleteOverlappedRequest
71a23d10 WSAAccept
71a246ea WSAAddressToStringA
71a22ead WSAAddressToStringW
71a22e53 WSAAsyncGetHostByAddr
71a23f50 WSAAsyncGetHostByName
71a22ee1 WSAAsyncGetProtoByName
71a245c1 WSAAsyncGetProtoByNumber
71a28cd3 WSAAsyncGetServByName
。71a2e867 listen
71a2e347 ntohl
71a2d4ac ntohs
71a2d508 recv 。。而在别的软件getprocaddress返回是1:53:56 734 terminal.exe ntohl---> ws2_32.dll 71a22ead
1:53:56 734 terminal.exe ntohs---> ws2_32.dll 71a22e53
1:53:56 734 terminal.exe recv---> ws2_32.dll 71a2676f =======================================================================
1:53:56 734 terminal.exe recvfrom---> ws2_32.dll 71a22ff7 =======================================================================
1:53:56 734 terminal.exe select---> ws2_32.dll 71a230a8
1:53:56 750 terminal.exe send---> ws2_32.dll 71a24c27
发现可能是错位了各位帮我分析为什么71a22ead WSAAsyncGetServByPort
解决方案 »
- 准备做一个通讯软件遇到的问题
- WebBrowser2控件打开https网页出现安全警告
- 关于评分系统,谁能给点建议
- 用来记录几个网站。。。
- ----------------------请教网络高手如何解释这种现象?非常感谢?----------------------
- 关于点击Tree中选项,进行响应的问题!(难度系数:80%)
- 怎样使用第三方的DLL
- 如何实现类似于文件或文件夹拷贝时系统提示的替换对话框,包含"全是"或"全否"按钮?
- 提问:使用htmlview的问题,高手请进来!!
- 一个关于传递指针的简单问题
- win32程序中使用自己设计的类出错!!!
- 北京诚聘 VC、C#软件工程师(工资不高,谢绝高手)
对大部分dll是对的
ws2_32.dll可能是用户自己加载所以结果不对
不知道是否只这个原因