Exe文件导入api表,导入DLL和段表的输出统计

无须多言,直接代码,原理看《加密与解密》第三版
 
#pragma warning(disable:4786)
#include<windows.h>
#include<stdio.h>
#include<iostream>
#include<winnt.h>
#include<stdlib.h>
#include<imagehlp.h>
#include<cstring>
#include<string>
#include<vector>
#include<string.h>
using namespace std;
/////////////////////
#pragma comment(lib,"imagehlp.lib")
/////////////////////
vector<string> DLL;  // names of the DLLs listed in the import directory (filled by ShowImportDllInfo)
vector<string> API;  // imported function names (filled by GetImportFuncInfo)
vector<string> SEG;  // section names (filled by GetSEG)
// The three handles behind a read-only mapping of the file under analysis.
// Filled in by load(); the file is only mapped as data, never loaded as a module.
struct _MAP_FILE_STRUCT
{
    HANDLE hFile;      // from CreateFile
    HANDLE hMapping;   // from CreateFileMapping
    LPVOID ImageBase;  // base address of the MapViewOfFile view
};
using MAP_FILE_STRUCT = _MAP_FILE_STRUCT;
using PMAP_FILE_STRUCT = _MAP_FILE_STRUCT*;
/////////////////////
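// RVA of the thunk array to walk for one import descriptor: the import name
// table (OriginalFirstThunk) when present, otherwise the IAT (FirstThunk).
// Both fields already hold DWORD RVAs, so the pointer casts of the earlier
// version (a DWORD -> pointer -> DWORD round trip that truncates in a 64-bit
// build) are dropped, and the argument is parenthesised so an expression
// such as `p + 1` works as well as a plain pointer.
#define GETTHUNK(pImportDesc) ((DWORD)( \
    (pImportDesc)->OriginalFirstThunk ? \
    (pImportDesc)->OriginalFirstThunk : (pImportDesc)->FirstThunk ))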
/////////////////////
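// Open lpFilename for reading and map the whole file into memory.
// On success fills *p (file handle, mapping handle, view base) and returns
// true. On failure prints a message, closes whatever was already opened and
// returns false; *p is left untouched.
// CreateFile reports failure with INVALID_HANDLE_VALUE rather than NULL, so
// that is the value tested here (the earlier `!hFile` test never fired).
bool load(LPTSTR lpFilename, PMAP_FILE_STRUCT &p)
{
    if (!p)
    {
        return false;  // nowhere to store the handles
    }
    HANDLE hFile = CreateFile(lpFilename, GENERIC_READ, FILE_SHARE_READ, NULL,
                              OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        cout << "file open error" << endl;
        return false;
    }
    // PAGE_READONLY / FILE_MAP_READ: the image is read as plain data, not
    // loaded with the loader, so a hostile sample is parsed, never run.
    HANDLE hMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
    if (!hMapping)
    {
        cout << "file map error" << endl;
        CloseHandle(hFile);
        return false;
    }
    LPVOID ImageBase = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);
    if (!ImageBase)
    {
        cout << "file load error" << endl;
        CloseHandle(hMapping);
        CloseHandle(hFile);
        return false;
    }
    p->hFile = hFile;
    p->hMapping = hMapping;
    p->ImageBase = ImageBase;
    return true;
}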
/////////////////////////////
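// Check that ImageBase points at an MZ/PE image. Besides the two signatures,
// e_lfanew is bounds-checked against the size of the mapped region so that a
// crafted or truncated header cannot make the PE-signature read leave the
// mapping. Returns false (after printing a message) when any check fails.
bool IsPE(LPVOID ImageBase)
{
    if (!ImageBase)
    {
        cout << "not MZ" << endl;
        return false;
    }
    // Size of the mapped region. RegionSize is the run of pages with identical
    // attributes starting at ImageBase, which for a read-only file view is the
    // whole view. It is page-granular: it prevents faults, not reads of the
    // zero padding between end-of-file and end-of-page.
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQuery(ImageBase, &mbi, sizeof(mbi)) == 0)
    {
        cout << "header out of range" << endl;
        return false;
    }
    const SIZE_T regionSize = mbi.RegionSize;
    if (regionSize < sizeof(IMAGE_DOS_HEADER))
    {
        cout << "header out of range" << endl;
        return false;
    }
    PIMAGE_DOS_HEADER pdos = (PIMAGE_DOS_HEADER)ImageBase;
    if (pdos->e_magic != IMAGE_DOS_SIGNATURE)
    {
        cout << "not MZ" << endl;
        return false;
    }
    // e_lfanew is a signed 32-bit offset read straight from the file: reject
    // negative values and offsets that leave no room for the NT headers.
    if (pdos->e_lfanew < 0 ||
        (SIZE_T)pdos->e_lfanew + sizeof(IMAGE_NT_HEADERS) > regionSize)
    {
        cout << "header out of range" << endl;
        return false;
    }
    // Byte-pointer arithmetic instead of a DWORD cast: the cast truncates
    // the address in a 64-bit build.
    PIMAGE_NT_HEADERS pnt = (PIMAGE_NT_HEADERS)((BYTE*)ImageBase + pdos->e_lfanew);
    if (pnt->Signature != IMAGE_NT_SIGNATURE)
    {
        cout << "not PE" << endl;
        return false;
    }
    return true;
}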
/////////////////////////////
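// Return a pointer to the IMAGE_NT_HEADERS of the mapped image, or NULL when
// IsPE() rejects it. Uses byte-pointer arithmetic rather than a DWORD cast so
// the address is not truncated in a 64-bit build.
PIMAGE_NT_HEADERS GetNtHead(LPVOID ImageBase)
{
    if (!IsPE(ImageBase))
    {
        return NULL;
    }
    PIMAGE_DOS_HEADER pdos = (PIMAGE_DOS_HEADER)ImageBase;
    return (PIMAGE_NT_HEADERS)((BYTE*)ImageBase + pdos->e_lfanew);
}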
/////////////////////////////
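// Return a pointer to the optional header, or NULL when the image is not a
// valid PE (GetNtHead() returned NULL). The earlier version formed
// &pnt->OptionalHeader from a NULL pnt and handed callers a bogus pointer.
PIMAGE_OPTIONAL_HEADER GetOptionalHead(LPVOID ImageBase)
{
    PIMAGE_NT_HEADERS pnt = GetNtHead(ImageBase);
    if (!pnt)
    {
        return NULL;
    }
    return &pnt->OptionalHeader;
}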
/////////////////////////////
// Translate a file RVA into a pointer inside the mapped view. Delegates to
// ImageRvaToVa (imagehlp), which yields NULL when the RVA does not fall
// inside any section of the image described by pNtH — callers must test
// for that, since the RVA comes from the file itself.
LPVOID RvaToPtr(PIMAGE_NT_HEADERS pNtH, LPVOID ImageBase, DWORD dwRVA)
{
    LPVOID va = ImageRvaToVa(pNtH, ImageBase, dwRVA, nullptr);
    return va;
}
/////////////////////////////
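// Resolve data directory entry DirectoryKind (an IMAGE_DIRECTORY_ENTRY_*
// index) to a pointer inside the mapped view. Returns NULL when the image is
// not a valid PE, when the index is outside the directories the header
// declares, when the directory is absent (VirtualAddress 0), or when its
// RVA does not map into any section.
LPVOID GetDirectoryEntry(LPVOID ImageBase, USHORT DirectoryKind)
{
    PIMAGE_NT_HEADERS pnt = GetNtHead(ImageBase);
    if (!pnt)
    {
        cout << "GetNtHead() error" << endl;
        return NULL;
    }
    PIMAGE_OPTIONAL_HEADER poptional = &pnt->OptionalHeader;
    // DataDirectory has IMAGE_NUMBEROF_DIRECTORY_ENTRIES slots in the struct,
    // but NumberOfRvaAndSizes (a file-supplied count) says how many the file
    // actually carries; indexing past either reads outside the real header.
    if (DirectoryKind >= IMAGE_NUMBEROF_DIRECTORY_ENTRIES ||
        DirectoryKind >= poptional->NumberOfRvaAndSizes)
    {
        return NULL;
    }
    DWORD dataaddress = poptional->DataDirectory[DirectoryKind].VirtualAddress;
    if (!dataaddress)
    {
        return NULL;  // directory not present in this image
    }
    LPVOID pdirdata = RvaToPtr(pnt, ImageBase, dataaddress);
    if (!pdirdata)
    {
        cout << "imagervatova() error" << endl;
        return NULL;
    }
    return pdirdata;
}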
/////////////////////////////
// Locate the first IMAGE_IMPORT_DESCRIPTOR of the import directory.
// Returns NULL (after printing a message) when GetDirectoryEntry() cannot
// resolve the import table.
PIMAGE_IMPORT_DESCRIPTOR GetFirstImportAddress(LPVOID ImageBase)
{
    LPVOID entry = GetDirectoryEntry(ImageBase, IMAGE_DIRECTORY_ENTRY_IMPORT);
    if (entry == NULL)
    {
        cout << "GetDirectoryEntry() error" << endl;
        return NULL;
    }
    return static_cast<PIMAGE_IMPORT_DESCRIPTOR>(entry);
}

/////////////////////////////
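// Append the name of every DLL in the import directory to DLL.
// Returns false (after printing a message) when the image is not a valid PE
// or has no resolvable import table.
bool ShowImportDllInfo(LPVOID ImageBase)
{
    PIMAGE_NT_HEADERS pnt = GetNtHead(ImageBase);
    PIMAGE_IMPORT_DESCRIPTOR pimport = GetFirstImportAddress(ImageBase);
    if (!pnt || !pimport)
    {
        cout << "GetFirstImportAddress() error" << endl;
        return false;
    }
    // The descriptor array ends with an all-zero entry; this file uses
    // FirstThunk as the terminator.
    for (; pimport->FirstThunk; ++pimport)
    {
        // Name is an RVA taken from the file. ImageRvaToVa returns NULL when it
        // falls outside every section, and std::string must not be built from
        // NULL (the earlier version did), so such entries get a placeholder.
        const char *szdllname = (const char*)RvaToPtr(pnt, ImageBase, pimport->Name);
        DLL.push_back(szdllname ? szdllname : "<invalid name RVA>");
    }
    return true;
}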
/////////////////////////////
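// Append the imported function names of every DLL in the import directory
// to API (the earlier version walked only the first descriptor's thunks).
// Ordinal-only imports have no name and are recorded as "Ordinal#N"; a name
// RVA that ImageRvaToVa cannot resolve is recorded as "<invalid name RVA>"
// instead of being treated as a pointer. Only PE32 is handled: PE32+ thunks
// are 64-bit, so such files are rejected rather than misread.
// Returns false (after printing a message) on any error.
bool GetImportFuncInfo(LPVOID ImageBase)
{
    PIMAGE_NT_HEADERS pnt = GetNtHead(ImageBase);
    PIMAGE_IMPORT_DESCRIPTOR pimport = GetFirstImportAddress(ImageBase);
    if (!pnt || !pimport)
    {
        cout << "GetFirstImportAddress() error" << endl;
        return false;
    }
    if (pnt->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    {
        cout << "not PE32" << endl;
        return false;
    }
    for (; pimport->FirstThunk; ++pimport)
    {
        // Walk the import name table when present, else the IAT.
        DWORD dwthunk = GETTHUNK(pimport);
        DWORD *pthunk = (DWORD*)RvaToPtr(pnt, ImageBase, dwthunk);
        if (!pthunk)
        {
            cout << "RvaToVa() fail" << endl;
            return false;
        }
        // A zero thunk terminates the list; a table without a terminator would
        // still be walked until the mapping ends, as before.
        for (; *pthunk; ++pthunk)
        {
            // IMAGE_SNAP_BY_ORDINAL32 is the documented test for an ordinal
            // thunk (high bit set), replacing the HIWORD()==0x8000 comparison.
            if (IMAGE_SNAP_BY_ORDINAL32(*pthunk))
            {
                API.push_back("Ordinal#" + to_string((unsigned)IMAGE_ORDINAL32(*pthunk)));
                continue;
            }
            PIMAGE_IMPORT_BY_NAME pbyname =
                (PIMAGE_IMPORT_BY_NAME)RvaToPtr(pnt, ImageBase, *pthunk);
            API.push_back(pbyname ? (const char*)pbyname->Name : "<invalid name RVA>");
        }
    }
    return true;
}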
/////////////////////////////
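// Append the section names of the image to SEG. Each name is read from the
// 8-byte IMAGE_SECTION_HEADER::Name field (not necessarily NUL-terminated)
// and reduced to its '.' and ASCII-letter characters, as the original output
// does. The section table is bounds-checked against the mapped region since
// NumberOfSections and SizeOfOptionalHeader (which IMAGE_FIRST_SECTION uses)
// are both file-supplied. Returns false (after printing a message) on error.
bool GetSEG(LPVOID ImageBase)
{
    PIMAGE_NT_HEADERS pnh = GetNtHead(ImageBase);
    if (!pnh)
    {
        cout << "GetNtHead() error" << endl;
        return false;
    }
    // Page-granular size of the view (see IsPE); 0 if the query fails.
    MEMORY_BASIC_INFORMATION mbi;
    const SIZE_T regionSize = VirtualQuery(ImageBase, &mbi, sizeof(mbi)) ? mbi.RegionSize : 0;
    const BYTE *const viewEnd = (const BYTE*)ImageBase + regionSize;
    const int num = pnh->FileHeader.NumberOfSections;
    PIMAGE_SECTION_HEADER psh = IMAGE_FIRST_SECTION(pnh);
    const BYTE *const tableStart = (const BYTE*)psh;
    if (tableStart < (const BYTE*)ImageBase ||
        (SIZE_T)num * sizeof(IMAGE_SECTION_HEADER) > (SIZE_T)(viewEnd - tableStart))
    {
        cout << "section table out of range" << endl;
        return false;
    }
    for (int i = 0; i < num; ++i, ++psh)
    {
        string tmp;
        for (int j = 0; j < IMAGE_SIZEOF_SHORT_NAME; ++j)
        {
            const char ch = psh->Name[j];
            if (ch == '.' || (ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z'))
            {
                tmp += ch;
            }
        }
        SEG.push_back(tmp);
    }
    return true;
}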
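// Reset the three result vectors, map the file named by s and fill SEG, DLL
// and API from it. Returns false (after printing which step failed) when the
// file cannot be mapped or is not a PE. The view and both handles are
// released on every path; the earlier version malloc()ed the struct and
// never unmapped or closed anything, leaking per file processed.
bool GetAll(string s)
{
    SEG.clear();
    DLL.clear();
    API.clear();
    // load() takes a non-const LPTSTR but only reads it, and s is a by-value
    // copy, so handing out its buffer is safe (ANSI build assumed, as the
    // rest of this file does).
    LPTSTR filename = (LPTSTR)s.c_str();
    MAP_FILE_STRUCT mapped{};
    PMAP_FILE_STRUCT pmap = &mapped;
    if (!load(filename, pmap))
    {
        cout << "load() error" << endl;
        return false;
    }
    bool ok = IsPE(pmap->ImageBase);
    if (!ok)
    {
        cout << "ispe() error" << endl;
    }
    ok = ok && GetSEG(pmap->ImageBase)
            && ShowImportDllInfo(pmap->ImageBase)
            && GetImportFuncInfo(pmap->ImageBase);
    UnmapViewOfFile(pmap->ImageBase);
    CloseHandle(pmap->hMapping);
    CloseHandle(pmap->hFile);
    return ok;
}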
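// Print one result list: a "<label>=<count>" line, one entry per line, then
// a blank line — the same layout as before, but with the size_t count cast
// explicitly instead of being passed to %d (undefined behaviour).
static void PrintList(const char *label, const vector<string> &items)
{
    printf("%s=%u\n", label, (unsigned)items.size());
    for (size_t i = 0; i < items.size(); ++i)
    {
        printf("%s\n", items[i].c_str());
    }
    printf("\n");
}

// Read file paths from stdin one at a time and dump the API, SEG and DLL
// lists for each; prints "fail!" when GetAll() rejects the file.
int main()
{
    //freopen("a.txt","w",stdout);
    string s;
    printf("输入文件目录:");
    while (cin >> s)
    {
        if (GetAll(s))
        {
            PrintList("API", API);
            PrintList("SEG", SEG);
            PrintList("DLL", DLL);
        }
        else
        {
            printf("fail!\n");
        }
        printf("输入文件目录:");
    }
    return 0;
}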
原文地址:https://www.cnblogs.com/zhxfl/p/2245188.html