取PE文件的引入表和导出表

直接上代码（这里列出C++和Delphi的代码），Delphi代码中包含导入及导出文件和函数列表，PE结构可参阅资料，很多很详细，需要注意的是，本例中是映射到内存，不是通过PE装载器装入的，所以对于节的RVA地址需要转换成为文件偏移地址。

Delphi代码

unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls, ComCtrls;

type
  //导入表元素结构
  TImageImportDiscriptor = packed record
    OriginalFirstThunk: DWORD;
    DataTimpStamp: DWORD;
    ForwardChain: DWORD;
    DLLName: DWORD;
    FirstThunk: DWORD;
  end;
  PImageImportDiscriptor = ^TImageImportDiscriptor;
  //导出表元素结构
  PImageExportDirectory = ^TImageExportDirectory;
  TImageExportDirectory = packed record
    Characteristics: DWORD;
    TimeDateStamp: DWORD;
    MajorVersion: WORD;
    MinorVersion: WORD;
    Name: DWORD;
    Base: DWORD;
    NumberOfFunctions: DWORD;
    NumberOfNames: DWORD;
    AddressOfFunctions: DWORD;
    AddressOfNames: DWORD;
    AddressOfNameOrdinals: DWORD;
  end;
  //函数名结构
  TImportByName = packed record
    proHint: Word;
    proName: array [0..1] of char;
  end;
  PImportByName = ^TImportByName;

  TForm1 = class(TForm)
    OpenDialog1: TOpenDialog;
    Button1: TButton;
    TreeView1: TTreeView;
    Label1: TLabel;
    procedure Button1Click(Sender: TObject);
  private
    { Private declarations }
    procedure GetList(filename:string);
    {导入列表}
    procedure GetImportList(pBaseAddress:Pointer;ntHeader:PImageNtHeaders);
    {导出列表}
    procedure GetExportList(pBaseAddress:Pointer;ntHeader:PImageNtHeaders);
  public
    { Public declarations }
  end;

var
  Form1: TForm1;

implementation

{$R *.dfm}

{ TForm1 }

procedure TForm1.GetList(filename: string);
var
  fileHandle:THandle;
  fileMap:THandle;
  pBaseAddress:Pointer;
  dosHeader: PImageDosHeader;
  ntHeader: PImageNtHeaders;
begin
  TreeView1.Items.Clear;
  try
    //打开文件
    fileHandle := CreateFile(PChar(filename),GENERIC_READ,FILE_SHARE_READ,nil,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
    if fileHandle = INVALID_HANDLE_VALUE then
    begin
      ShowMessage('文件打开失败！');
      Exit;
    end;
    //创建内存映射
    fileMap := CreateFileMapping(fileHandle,nil,PAGE_READONLY,0,0,nil);
    if fileMap = 0 then
    begin
      ShowMessage('创建内存映射失败！');
      Exit;
    end;
    //映射到当前进程，pBaseAddress是基址
    pBaseAddress := MapViewOfFile(fileMap,FILE_MAP_READ,0,0,0);
    if pBaseAddress = nil then
    begin
      ShowMessage('获取地址失败！');
      Exit;
    end;
    //获取Dos信息头部结构数据
    dosHeader := pImageDosHeader(LongInt(pBaseAddress));
    //判断Dos标识
    if dosHeader.e_magic <> IMAGE_DOS_SIGNATURE then
    begin
      ShowMessage('不可识别的文件格式！');
      Exit;
    end;
    //获取NT信息头部结构数据，IsBadReadPtr判断指针是否可读，ntHeader.Signature是NT标识
    ntHeader := pImageNtHeaders(LongInt(pBaseAddress)+dosHeader._lfanew);
    if (IsBadReadPtr(ntHeader,SizeOf(TImageNtHeaders))) or
       (ntHeader.Signature <> IMAGE_NT_SIGNATURE) then
    begin
       ShowMessage('不是有效地Win32程序！');
       Exit;
    end;
    GetImportList(pBaseAddress,ntHeader);
    GetExportList(pBaseAddress,ntHeader);
  finally
    UnmapViewOfFile(pBaseAddress);
    CloseHandle(fileMap);
    CloseHandle(fileHandle);
  end;
end;

procedure TForm1.Button1Click(Sender: TObject);
begin
  if OpenDialog1.Execute then
  begin
    Label1.Caption := '以下是'+OpenDialog1.FileName+'的导入及导出表';
    GetList(OpenDialog1.FileName);
  end;
end;


procedure TForm1.GetExportList(pBaseAddress: Pointer; ntHeader: PImageNtHeaders);
var
  imageEntry: PImageExportDirectory;
  sectionHeader: PImageSectionHeader;
  importbyname: PImportByName;
  proEntry:PDWORD;
  proTemp:PWORD;
  rva,frva: DWORD;
  dllname: string;
  i,j:integer;
  node:TTreeNode;
  s:string;
  pname:PChar;
begin
  rva := ntHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
  if rva = 0 then Exit;
  //定位到第一个节的地址
  sectionHeader := PImageSectionHeader(LongInt(ntHeader)+SizeOf(TImageNtHeaders));
  //ntHeader^.FileHeader.NumberOfSections为节的数量，此处循环，找到引入表的节
  for i := 0 to ntHeader^.FileHeader.NumberOfSections - 1 do
  begin
    //IMAGE_DIRECTORY_ENTRY_IMPORT，引入表，检查rva是否落在节内
    if ( rva >= LongInt(sectionHeader.VirtualAddress)) and (rva<LongInt(sectionHeader.VirtualAddress+sectionHeader.Misc.VirtualSize)) then
    begin
      Break;
    end;
    //没找到，那么增加SizeOf(TImageSectionHeader)字节数，指向下一个节
    Inc(sectionHeader);
  end;
  node := TreeView1.Items.Add(nil,'导出函数表');
  frva := sectionHeader.VirtualAddress - sectionHeader.PointerToRawData;
  //导出表入口
  imageEntry := PImageExportDirectory(LongInt(pBaseAddress)+rva-frva);
  proEntry := PDWord(LongInt(pBaseAddress)+imageEntry.AddressOfFunctions-frva);
  pname := PChar(LongInt(pBaseAddress)+imageEntry.Name-frva);
  for i := 0 to imageEntry.NumberOfFunctions - 1 do
  begin
    if proEntry^ = 0 then Continue;
    proTemp := PWORD(LongInt(pBaseAddress)+LongInt(imageEntry.AddressOfNameOrdinals)-frva);
    for j := 0 to imageEntry.NumberOfNames -  1 do
    begin
      if proTemp^ = i then
      begin
        s := '';
        while True do
        begin
          if pname^=#0 then Break;
          Inc(pname);
        end;
        while True do
        begin
          if (pname-1)^=#0 then
          begin
            s:=Format('%s', [pname]);
            Break;
          end;
          Inc(pname);
        end;
      end;
      Inc(proTemp);
    end;
    TreeView1.Items.AddChild(node,s);
    Inc(proEntry);
  end;
end;

procedure TForm1.GetImportList(pBaseAddress: Pointer; ntHeader: PImageNtHeaders);
var
  imageEntry: PImageImportDiscriptor;
  sectionHeader: PImageSectionHeader;
  importbyname: PImportByName;
  proEntry:PDWORD;
  rva,frva: DWORD;
  dllname: string;
  i:integer;
  node:TTreeNode;
begin
  rva := ntHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
  if rva = 0 then Exit;
  //定位到第一个节的地址
  sectionHeader := PImageSectionHeader(LongInt(ntHeader)+SizeOf(TImageNtHeaders));
  //ntHeader^.FileHeader.NumberOfSections为节的数量，此处循环，找到引入表的节
  for i := 0 to ntHeader^.FileHeader.NumberOfSections - 1 do
  begin
    //IMAGE_DIRECTORY_ENTRY_IMPORT，引入表，检查rva是否落在节内
    if ( rva >= LongInt(sectionHeader.VirtualAddress)) and (rva<LongInt(sectionHeader.VirtualAddress+sectionHeader.Misc.VirtualSize)) then
    begin
      Break;
    end;
    //没找到，那么增加SizeOf(TImageSectionHeader)字节数，指向下一个节
    Inc(sectionHeader);
  end;
  frva := sectionHeader.VirtualAddress - sectionHeader.PointerToRawData;
  TreeView1.Items.Add(nil,'导入函数表');
  //引入表入口
  imageEntry := PImageImportDiscriptor(LongInt(pBaseAddress)+rva-frva);
  //加载的DLL的名称，这里是RVA地址，需要转换成文件偏移地址，因为我们不是通过PE加载器加载，而是映射到内存
  while imageEntry.DLLName <> 0 do
  begin
    dllname := PChar(LongInt(pBaseAddress)+imageEntry.DLLName-frva);
    node := TreeView1.Items.AddChild(TreeView1.Items[0],dllname);
    if imageEntry.OriginalFirstThunk <> 0 then
      proEntry := PDWord(LongInt(pBaseAddress)+imageEntry.OriginalFirstThunk-frva)
    else
      proEntry := PDWord(LongInt(pBaseAddress)+imageEntry.FirstThunk-frva);
    while proEntry^ <> 0 do
    begin
      if (proEntry^ and $80000000) <> 0 then
        TreeView1.Items.AddChild(node,Format('函数编号：%-15d',[proEntry^ and $7FFFFFFF]))
      else
      begin
        importbyname := PImportByName(LongInt(pBaseAddress)+proEntry^-frva);
        TreeView1.Items.AddChild(node,Format('函数名称:%-15s',[importbyname.proName]));
      end;
      Inc(proEntry);
    end;
    //继续读取
    Inc(imageEntry);
  end;
end;

end.

C++代码

#include<string>
#include<windows.h>


void GetImportDllList(void)
{
    IMAGE_IMPORT_DESCRIPTOR* importEntry = 0;
    IMAGE_SECTION_HEADER* sectionHeader = 0;
    char* filename = "c://test.exe";
    //打开文件
    HANDLE hfile = CreateFileA(filename,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
    if (hfile == INVALID_HANDLE_VALUE)
    {
        printf("%s","文件打开失败！");
        return;
    }
    //创建内存映射
    HANDLE hmap = CreateFileMapping(hfile,NULL,PAGE_READONLY,0,0,NULL);
    if (hmap == 0)
    {
        printf("%s","创建内存映射失败！");
        return;
    }
    //映射到当前进程，pBaseAddress是基址
    HANDLE pBaseAddress = MapViewOfFile(hmap,FILE_MAP_READ,0,0,0);
    if (!pBaseAddress)
    {
        printf("%s","获取地址失败！");
        return;
    }
    //获取Dos信息头部结构数据
    IMAGE_DOS_HEADER* dosHeader = (IMAGE_DOS_HEADER*)pBaseAddress;
    //判断Dos标识
    if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE)
    {
        printf("%s","不可识别的文件格式！");
        return;
    }
    //获取NT信息头部结构数据，IsBadReadPtr判断指针是否可读，ntHeader->Signature是NT标识
    IMAGE_NT_HEADERS* ntHeader = (IMAGE_NT_HEADERS*)((DWORD)pBaseAddress+dosHeader->e_lfanew);
    if (ntHeader->Signature != IMAGE_NT_SIGNATURE)
    {
        printf("%s","不是有效地Win32程序！");
        return;
    }
    //定位到第一个节的地址
    sectionHeader = (IMAGE_SECTION_HEADER*)((DWORD)ntHeader+sizeof(IMAGE_NT_HEADERS));
    //ntHeader->FileHeader.NumberOfSections为节的数量，此处循环，找到引入表的节
    for (int i=0;i<ntHeader->FileHeader.NumberOfSections;i++)
    {
        //IMAGE_DIRECTORY_ENTRY_IMPORT，引入表
        if (sectionHeader->VirtualAddress == ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress)
        {
            break;
        }
        //没找到，那么增加SizeOf(IMAGE_SECTION_HEADER)字节数，指向下一个节
        sectionHeader++;
    }
    //引入表入口
    importEntry = (IMAGE_IMPORT_DESCRIPTOR*)((DWORD)pBaseAddress+sectionHeader->PointerToRawData);
    printf("下面是%s的引入文件/n",filename);
    //加载的DLL的名称，这里是RVA地址，需要转换成文件偏移地址，因为我们不是通过PE加载器加载，而是映射到内存
    while (importEntry->Name != 0)
    {
        DWORD offset = (DWORD)pBaseAddress+importEntry->Name-(sectionHeader->VirtualAddress - sectionHeader->PointerToRawData);
        char* s = (char*)offset;
        printf("%s/n",s);
        //继续读取
        importEntry++;
    }
    UnmapViewOfFile(pBaseAddress);
    CloseHandle(hmap);
    CloseHandle(hfile);
}

int main()
{
    GetImportDllList();
    return 0;
}

http://blog.csdn.net/bdmh/article/details/6100745