ring0-遍历IAT（特例NTOS）

时间：2015-09-26 08:08:23 阅读：198 评论：0 收藏：0 [点我收藏+]

标签：

http://blog.csdn.net/hgy413/article/details/7786530

x64:

其他的IAT遍历代码如下：

[cpp] view plain copy

NTSTATUS EnumIATTable(ULONG_PTR pBase)
{
PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)pBase;
PIMAGE_NT_HEADERS pNt = NULL;
PIMAGE_IMPORT_DESCRIPTOR pImport = NULL;
PIMAGE_THUNK_DATA pThunk = NULL;
if (NULL == pDos
|| IMAGE_DOS_SIGNATURE != pDos->e_magic)
{
return STATUS_INVALID_IMAGE_FORMAT;
}
pNt = (PIMAGE_NT_HEADERS)((PUCHAR)pBase+pDos->e_lfanew);
if (IMAGE_NT_SIGNATURE != pNt->Signature)
{
return STATUS_INVALID_IMAGE_FORMAT;
}
pImport = (PIMAGE_IMPORT_DESCRIPTOR)((PUCHAR)pBase+pNt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
// 枚举打印
while (NULL !=pImport
&& MmIsAddressValid(pImport)
&&pImport->Name != 0)
{
pThunk = (PIMAGE_THUNK_DATA)((PUCHAR)pBase+pImport->FirstThunk);
while (NULL != pThunk
&& MmIsAddressValid(pThunk)
&& pThunk->u1.Function != 0)
{
KdPrint(("[EnumIATTable]-Import Module:%s-function:%p\r\n", (PUCHAR)pBase+pImport->Name, pThunk->u1.Function));
pThunk++;
}
pImport++;
}
return STATUS_SUCCESS;
}

标签：

原文地址：http://www.cnblogs.com/gamekk/p/4839939.html

踩

(0)

评论一句话评论（0）

分享档案

更多>

周排行