exe 프로그램이 로딩하는 DLL과 임포트하는 함수들(+주소)을 표시해 주는 프로그램입니다.
이걸로 PE구조체 공부는 마쳐야겠네요..
--------------------소스------------------------
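'==============================================================================
' DumpIAT
'
' Walks the import directory of the PE file at szPath and fills CList with one
' line per imported DLL, followed by one indented line per imported function
' in the form "    Name(HexValue)". A blank line separates DLLs.
'
' Parameters:
'   szPath - path of the executable to inspect (opened read-only, binary).
'   CList  - list box that receives the output; it is cleared first.
'
' Returns True when the headers were valid and the import directory was walked
' to its terminator (or the file has no import directory). Returns False on a
' bad MZ/PE signature, on any runtime error, or when the sanity caps below are
' exceeded.
'
' Notes for anyone pointing this at files they do not trust (malware samples,
' packed or deliberately malformed images):
'   * Every offset used here (e_lfanew, section table, descriptor and thunk
'     RVAs) comes straight from the file. The loops are therefore capped so a
'     crafted image cannot keep the parser spinning or flood the list box.
'   * The value printed in parentheses is whatever the file holds in the
'     FirstThunk slot. On disk, for an image that is not bound, that slot
'     normally mirrors the name thunk; the real API address is only written
'     there by the loader. Do not read it as a resolved address.
'   * NOTE(review): thunks are read as 4-byte Longs, which matches PE32.
'     PE32+ (64-bit) images use 8-byte thunks and a larger optional header;
'     confirm how the declared IMAGE_NT_HEADERS copes and reject such files
'     if it does not.
'   * NOTE(review): what RVA2RAW returns for an RVA outside every section is
'     not visible here; verify it fails in a way the error handler catches.
'==============================================================================
Public Function DumpIAT(szPath As String, CList As ListBox) As Boolean
    ' Upper bounds far above anything a legitimate image needs; hitting one is
    ' treated as a malformed file.
    Const MAX_IMPORT_DLLS As Long = 4096
    Const MAX_IMPORT_FUNCS As Long = 65536
    ' Low 16 bits of an ordinal thunk carry the ordinal number.
    Const ORDINAL_MASK As Long = &HFFFF&

    Dim FF As Integer
    Dim IDH As IMAGE_DOS_HEADER, InH As IMAGE_NT_HEADERS
    Dim IID As IMAGE_IMPORT_DESCRIPTOR, ISH() As IMAGE_SECTION_HEADER
    Dim NumberOfSection As Integer
    Dim ImportRVA As Long, DescOffset As Long
    Dim NameThunkRVA As Long, AddrThunkRVA As Long
    Dim NameThunk As Long, AddrThunk As Long
    Dim nDll As Long, nFunc As Long
    Dim szDllName(63) As Byte, szFuncName(63) As Byte

    On Error GoTo CloseFile

    CList.Clear
    FF = FreeFile
    Open szPath For Binary Access Read As #FF

    ' DOS header: must start with "MZ".
    Get #FF, , IDH
    If IDH.e_magic <> IMAGE_DOS_SIGNATURE Then GoTo CloseFile

    ' NT headers: must start with "PE\0\0". File positions in VB are 1-based,
    ' hence the "+ 1" on every offset.
    Get #FF, IDH.e_lfanew + 1, InH
    If InH.Signature <> IMAGE_NT_SIGNATURE Then GoTo CloseFile

    ' Read one IMAGE_SECTION_HEADER per section.
    NumberOfSection = InH.FileHeader.NumberOfSections
    If NumberOfSection < 1 Then GoTo CloseFile
    ReDim ISH(NumberOfSection - 1)
    ' NOTE(review): this assumes the section table starts right after a
    ' fixed-size IMAGE_NT_HEADERS. The file header also records the optional
    ' header size; images where it differs from the declared type would be
    ' parsed from the wrong offset - confirm.
    Get #FF, IDH.e_lfanew + LenB(InH) + 1, ISH

    ' Locate the first IMAGE_IMPORT_DESCRIPTOR.
    ImportRVA = InH.OptionalHeader.DataDirectory(IMAGE_DIRECTORY_ENTRY_IMPORT).VirtualAddress
    If ImportRVA = 0 Then
        ' No import directory at all: nothing to list, but not an error.
        Close #FF
        DumpIAT = True
        Exit Function
    End If
    DescOffset = RVA2RAW(ImportRVA, ISH)

    For nDll = 1 To MAX_IMPORT_DLLS
        Get #FF, DescOffset + 1, IID
        ' A descriptor with a zero name RVA terminates the table.
        If IID.lpName = 0 Then Exit For

        ' DLL name. Only 64 bytes are read, so force a terminator in case the
        ' name in the file is longer or not NUL-terminated.
        Get #FF, RVA2RAW(IID.lpName, ISH) + 1, szDllName
        szDllName(UBound(szDllName)) = 0
        CList.AddItem Ansi2Unicode(szDllName)

        ' Some linkers leave the name-thunk RVA at zero; the name/ordinal list
        ' is then only reachable through FirstThunk.
        NameThunkRVA = IID.lpImportByName
        If NameThunkRVA = 0 Then NameThunkRVA = IID.lpFirstThunk
        AddrThunkRVA = IID.lpFirstThunk

        For nFunc = 1 To MAX_IMPORT_FUNCS
            Get #FF, RVA2RAW(NameThunkRVA, ISH) + 1, NameThunk
            Get #FF, RVA2RAW(AddrThunkRVA, ISH) + 1, AddrThunk
            ' A zero thunk terminates this DLL's list.
            If NameThunk = 0 Then Exit For

            If NameThunk < 0 Then
                ' High bit set (negative as a signed Long): import by ordinal.
                ' There is no name to read; treating the value as an RVA would
                ' send the parser to an arbitrary offset.
                CList.AddItem Space(4) & "Ordinal #" & CStr(NameThunk And ORDINAL_MASK) & "(" & Hex$(AddrThunk) & ")"
            Else
                ' Import by name: skip the 2-byte hint in front of the string.
                ' Names longer than 63 bytes are truncated by the fixed buffer.
                Get #FF, RVA2RAW(NameThunk + 2, ISH) + 1, szFuncName
                szFuncName(UBound(szFuncName)) = 0
                CList.AddItem Space(4) & Ansi2Unicode(szFuncName) & "(" & Hex$(AddrThunk) & ")"
            End If

            ' Advance both thunk arrays by one 4-byte entry.
            NameThunkRVA = NameThunkRVA + 4
            AddrThunkRVA = AddrThunkRVA + 4
        Next nFunc
        ' The counter only passes the cap when no terminator was found.
        If nFunc > MAX_IMPORT_FUNCS Then GoTo CloseFile

        CList.AddItem ""
        DescOffset = DescOffset + LenB(IID)
    Next nDll
    If nDll > MAX_IMPORT_DLLS Then GoTo CloseFile

    Close #FF
    DumpIAT = True
    Exit Function

CloseFile:
    ' Reached on a failed signature check, a tripped cap or any runtime error;
    ' DumpIAT keeps its default value of False. FF is still 0 if FreeFile
    ' itself failed, in which case there is nothing to close.
    If FF <> 0 Then Close #FF
End Function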