Difficulty in understanding C++ function that resolves function names by ordinals

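I'm taking a malware analysis course. I came across this code that confuses me. The first two parts make sense, but the part starting at the if statement is hard for me to understand. This "if" statement is supposed to resolve function names by ordinal. I have put my questions in the comments.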

FARPROC WINAPI myGetProcAddress(HMODULE hMod, char * sProcName) {

    char * pBaseAddress = (char *) hMod;

    // get pointers to main headers/structures
    IMAGE_DOS_HEADER * pDosHdr = (IMAGE_DOS_HEADER *) pBaseAddress;
    IMAGE_NT_HEADERS * pNTHdr = (IMAGE_NT_HEADERS *) (pBaseAddress + pDosHdr->e_lfanew);
    IMAGE_OPTIONAL_HEADER * pOptionalHdr = &pNTHdr->OptionalHeader;
    IMAGE_DATA_DIRECTORY * pDataDir = (IMAGE_DATA_DIRECTORY *) (&pOptionalHdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
    IMAGE_EXPORT_DIRECTORY * pExportDirAddr = (IMAGE_EXPORT_DIRECTORY *) (pBaseAddress + pDataDir->VirtualAddress);

    // resolve addresses to Export Address Table, table of function names and "table of ordinals"
    DWORD * pEAT = (DWORD *) (pBaseAddress + pExportDirAddr->AddressOfFunctions);
    DWORD * pFuncNameTbl = (DWORD *) (pBaseAddress + pExportDirAddr->AddressOfNames);
    WORD * pHintsTbl = (WORD *) (pBaseAddress + pExportDirAddr->AddressOfNameOrdinals);

    // function address we're looking for
    void *pProcAddr = NULL;

    // resolve function by ordinal
    if (((DWORD_PTR)sProcName >> 16) == 0) { // why shift by 16
        WORD ordinal = (WORD) sProcName & 0xFFFF;   // why & 0xFFFF
        DWORD Base = pExportDirAddr->Base;          

        if (ordinal < Base || ordinal >= Base + pExportDirAddr->NumberOfFunctions)
            return NULL;

        // not sure what this part does
        pProcAddr = (FARPROC) (pBaseAddress + (DWORD_PTR) pEAT[ordinal - Base]);
    }
    ...
    ...
    ...
}

Some explanation would be much appreciated.

This lets you split a number (here a double word, or DWORD) into two parts using bit manipulation, for example:

0x12345678 >> 16 = 0x1234 (hi order word)
0x12345678 & 0xFFFF = 0x5678 (lo order word)

Why does the code do that? It is documented for the lpProcName parameter of GetProcAddress:

The function or variable name, or the function's ordinal value. If this parameter is an ordinal value, it must be in the low-order word; the high-order word must be zero.
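
Added example, not part of the original question or answer: the ordinal test and the export address table (EAT) lookup from the question, run against a constructed in-memory export table so it builds without windows.h. The names export_dir_t, g_image, g_exp, build_sample, is_ordinal and rva_by_ordinal are hypothetical, and the struct keeps only the three IMAGE_EXPORT_DIRECTORY fields the lookup reads.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in: only the IMAGE_EXPORT_DIRECTORY fields an ordinal lookup reads. */
typedef struct {
    uint32_t Base;               /* ordinal number of EAT[0] */
    uint32_t NumberOfFunctions;  /* number of EAT entries */
    uint32_t AddressOfFunctions; /* RVA of the EAT, an array of function RVAs */
} export_dir_t;

/* Constructed sample module: EAT at RVA 0x10 with three entries, ordinals 5..7. */
static uint8_t g_image[0x40];
static const export_dir_t g_exp = { 5, 3, 0x10 };

static void build_sample(void) {
    const uint32_t eat[3] = { 0x1000, 0x1010, 0x1020 };
    memcpy(g_image + g_exp.AddressOfFunctions, eat, sizeof eat);
}

/* An ordinal is passed as a pointer-sized value whose bits above the low word are all zero. */
static int is_ordinal(const char *name) {
    return ((uintptr_t)name >> 16) == 0;
}

/* Returns the export's RVA, or 0 for a name pointer or an out-of-range ordinal. */
static uint32_t rva_by_ordinal(const uint8_t *image, const export_dir_t *exp, const char *name) {
    if (!is_ordinal(name))
        return 0;
    uint32_t ordinal = (uint32_t)((uintptr_t)name & 0xFFFF); /* low-order word */
    if (ordinal < exp->Base || ordinal >= exp->Base + exp->NumberOfFunctions)
        return 0;
    uint32_t rva;                                /* EAT is indexed from 0, ordinals from Base */
    memcpy(&rva, image + exp->AddressOfFunctions + 4u * (ordinal - exp->Base), sizeof rva);
    return rva;
}

int main(void) {
    build_sample();
    printf("ordinal 6 -> RVA 0x%x\n", (unsigned)rva_by_ordinal(g_image, &g_exp, (const char *)(uintptr_t)6));
    printf("\"Sleep\" is ordinal? %d\n", is_ordinal("Sleep"));
    return 0;
}
```

The function in the question goes one step further and adds the module base to this RVA (pBaseAddress + pEAT[ordinal - Base]) to get a callable address.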