1. 導入表
2. 顯示導入表信息的例子
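; Purpose: convert an RVA into a FOA (file offset) by locating the section
;          whose raw-data range on disk contains it.
; Params:  _pFileHdr  pointer to the base of the file image read into memory
;          _dwRVA     the RVA to convert
; Return:  eax = file offset of _dwRVA, or 0 when no section's raw data
;          covers it. An RVA in a section's virtual-only tail (VirtualSize
;          larger than SizeOfRawData) also yields 0: it has no file bytes.
; Notes:   The image is untrusted input. e_lfanew and NumberOfSections are
;          used unchecked, so a hostile header can still make this read
;          outside the buffer -- TODO: pass the file size and range-check
;          both before walking the section table.
RVA2FOA PROC USES esi edi edx, _pFileHdr:PTR BYTE, _dwRVA:DWORD
    mov esi, _pFileHdr
    assume esi:ptr IMAGE_DOS_HEADER
    ; PE header = image base + e_lfanew
    mov edi, [esi].e_lfanew
    assume esi:nothing
    add edi, esi
    assume edi:ptr IMAGE_NT_HEADERS32
    ; Section count is the loop counter
    movzx ecx, [edi].FileHeader.NumberOfSections
    assume edi:nothing
    ; Section table follows the NT headers. NOTE(review): this assumes the
    ; standard optional-header size; strictly the table starts at
    ; OptionalHeader + FileHeader.SizeOfOptionalHeader.
    add edi, SIZEOF IMAGE_NT_HEADERS32
    assume edi:ptr IMAGE_SECTION_HEADER
    ; A zero section count must not enter the loop: LOOP decrements before
    ; testing, so ecx = 0 would wrap to 0FFFFFFFFh and scan far past the
    ; buffer.
    test ecx, ecx
    jz NotFound
L0:
    mov edx, _dwRVA
    cmp edx, [edi].VirtualAddress
    jb @F                           ; below this section's start
    mov eax, [edi].VirtualAddress
    add eax, [edi].SizeOfRawData
    cmp edx, eax
    jae @F                          ; beyond the bytes present on disk
    ; Hit: FOA = RVA - VirtualAddress + PointerToRawData
    sub edx, [edi].VirtualAddress
    add edx, [edi].PointerToRawData
    mov eax, edx
    jmp Ending
@@:
    add edi, SIZEOF IMAGE_SECTION_HEADER
    loop L0
NotFound:
    ; No section covers the RVA
    xor eax, eax
Ending:
    assume edi:nothing
    ret
RVA2FOA ENDP
.data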
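; Output strings for the import-table dump. Each is a printf/wsprintf
; format followed by CR LF and a NUL terminator.
Crlf             BYTE 0dh, 0ah, 0
; This label heads each IMAGE_IMPORT_DESCRIPTOR, i.e. the import table;
; the previous text read "export table", which mislabelled the output.
szDllName        BYTE "導入表: %s", 0dh, 0ah, 0
szSep            BYTE "---------------------------", 0dh, 0ah, 0
szINTRVA         BYTE "OriginalFirstThunk: 0x%08X", 0dh, 0ah, 0
szTimeStmp       BYTE "TimeDateStamp: 0x%08X", 0dh, 0ah, 0
szForwarderChain BYTE "ForwarderChain: 0x%08X", 0dh, 0ah, 0
szNameRVA        BYTE "Name: 0x%08X", 0dh, 0ah, 0
; Extra blank line after the last descriptor field
szFirstThunk     BYTE "FirstThunk: 0x%08X", 0dh, 0ah, 0dh, 0ah, 0
; Hint followed by the imported function name
szFnInfo         BYTE "%hd %s", 0dh, 0ah, 0
; Scratch buffer for wsprintf. The DLL and function names come from the
; parsed file, so their length is attacker-controlled; wsprintf writes up
; to 1024 bytes, and the old 64-byte buffer overflowed on any long name.
; Sizing the buffer to wsprintf's own maximum removes that overflow.
szBuf            BYTE 1024 DUP(0)
.code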
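; Purpose: print the import table (the IMAGE_IMPORT_DESCRIPTOR array) of a
;          PE file read into memory, followed by the functions imported by
;          name from each DLL.
; Param:   _pFileHdr  pointer to the base of the file image in memory
; Return:  none; all registers are preserved via pushad/popad
; Notes:   The image is untrusted input. RVA2FOA returns 0 for an RVA that
;          no section covers, so a missing or malformed import directory
;          ends the listing instead of being parsed as descriptors. The
;          computed file offsets are still not checked against the buffer
;          size, so a hostile header can read out of bounds -- TODO: pass
;          the file size and range-check every FOA before dereferencing.
_getImportTblInfo PROC _pFileHdr:PTR BYTE
    pushad
    ; Import directory RVA: DataDirectory[8] is byte offset 8, i.e. entry 1
    ; (IMAGE_DIRECTORY_ENTRY_IMPORT).
    mov esi, _pFileHdr
    assume esi:PTR IMAGE_DOS_HEADER
    add esi, [esi].e_lfanew
    assume esi:PTR IMAGE_NT_HEADERS32
    mov esi, [esi].OptionalHeader.DataDirectory[8].VirtualAddress
    assume esi:nothing
    ; No import directory (nothing imported): nothing to print.
    test esi, esi
    jz Ending
    push esi
    push _pFileHdr
    call RVA2FOA
    ; Directory RVA backed by no section: malformed, stop here rather than
    ; treating the DOS header as descriptors.
    test eax, eax
    jz Ending
    mov esi, eax
    add esi, _pFileHdr
    assume esi:PTR IMAGE_IMPORT_DESCRIPTOR
L0:
    ; The array ends with an all-zero descriptor. TimeDateStamp and
    ; ForwarderChain are normally 0 for unbound imports, so one zero field
    ; does not end the table; only all fields being zero does.
    mov edx, [esi].OriginalFirstThunk
    or edx, [esi].TimeDateStamp
    or edx, [esi].ForwarderChain
    or edx, [esi].Name1
    or edx, [esi].FirstThunk
    jz Ending
    ; DLL name: Name1 is an RVA to a NUL-terminated ASCII string.
    mov edx, [esi].Name1
    push edx
    push _pFileHdr
    call RVA2FOA
    add eax, _pFileHdr
    invoke wsprintf, OFFSET szBuf, OFFSET szDllName, eax
    invoke crt_printf, OFFSET szBuf
    invoke crt_printf, OFFSET szSep
    ; Raw descriptor fields
    invoke wsprintf, OFFSET szBuf, OFFSET szINTRVA, [esi].OriginalFirstThunk
    invoke crt_printf, OFFSET szBuf
    invoke wsprintf, OFFSET szBuf, OFFSET szTimeStmp, [esi].TimeDateStamp
    invoke crt_printf, OFFSET szBuf
    invoke wsprintf, OFFSET szBuf, OFFSET szForwarderChain, [esi].ForwarderChain
    invoke crt_printf, OFFSET szBuf
    invoke wsprintf, OFFSET szBuf, OFFSET szNameRVA, [esi].Name1
    invoke crt_printf, OFFSET szBuf
    invoke wsprintf, OFFSET szBuf, OFFSET szFirstThunk, [esi].FirstThunk
    invoke crt_printf, OFFSET szBuf
    ; Walk the INT (OriginalFirstThunk). Some linkers leave it 0 and fill
    ; only the IAT (FirstThunk); fall back to that so names still print
    ; instead of converting RVA 0.
    mov edx, [esi].OriginalFirstThunk
    test edx, edx
    jnz @F
    mov edx, [esi].FirstThunk
@@:
    push edx
    push _pFileHdr
    call RVA2FOA
    test eax, eax
    jz NextDesc                     ; thunk array RVA covered by no section
    add eax, _pFileHdr
L1:
    assume eax:PTR IMAGE_THUNK_DATA
    ; A zero thunk ends this DLL's function list.
    mov ebx, [eax].u1.Function
    test ebx, ebx
    jz NextDesc
    push eax                        ; keep the thunk pointer across the calls
    mov eax, [eax].u1.Function
    assume eax:nothing
    ; Bit 31 set = import by ordinal (IMAGE_ORDINAL_FLAG32): no name exists.
    test eax, 80000000h
    jnz BySeq
    ; Import by name: the value is an RVA to IMAGE_IMPORT_BY_NAME.
    push eax
    push _pFileHdr
    call RVA2FOA
    test eax, eax
    jz BySeq                        ; name RVA covered by no section: skip it
    add eax, _pFileHdr
    assume eax:PTR IMAGE_IMPORT_BY_NAME
    movzx edx, WORD PTR [eax].Hint
    lea ebx, [eax].Name1
    assume eax:nothing
    invoke wsprintf, OFFSET szBuf, OFFSET szFnInfo, edx, ebx
    invoke crt_printf, OFFSET szBuf
BySeq:
    ; Both paths rejoin here: restore the thunk pointer pushed above so the
    ; stack stays balanced (the ordinal path used to fall through without
    ; popping, leaving esp off by one dword and the ordinal value in eax to
    ; be dereferenced as the next thunk), then step to the next thunk.
    ; Ordinal-only imports are not printed.
    pop eax
    add eax, SIZEOF IMAGE_THUNK_DATA
    jmp L1
NextDesc:
    ; crt_printf is cdecl; invoke removes the argument, a bare call did not.
    invoke crt_printf, OFFSET Crlf
    invoke crt_printf, OFFSET Crlf
    add esi, SIZEOF IMAGE_IMPORT_DESCRIPTOR
    jmp L0
Ending:
    assume esi:nothing
    popad
    ret
_getImportTblInfo ENDP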
運行的部分截圖:
3. 導入表圖
(完)