Difference between FirstThunk and OriginalFirstThunk (before the PE file executes)
[Figure: OriginalFirstThunk and FirstThunk each point to a parallel array of IMAGE_THUNK_DATA entries (Function 1, Function 2, Function 3, Function 4, ..., Function n). Before the file executes, the entries of both arrays point to the same IMAGE_IMPORT_BY_NAME records.]
[Figure: before execution. IMAGE_IMPORT_DESCRIPTOR for Kernel32.dll with fields OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk. OriginalFirstThunk and FirstThunk both point to an IMAGE_THUNK_DATA array whose entries reference the IMAGE_IMPORT_BY_NAME records 02F6 ExitProcess, 0111 ReadFile, 002B WriteFile, followed by the value 80000010H (strcmp, imported by ordinal) and a 0 terminator.]
Difference between FirstThunk and OriginalFirstThunk (while the PE file executes)
[Figure: OriginalFirstThunk still points to the IMAGE_THUNK_DATA array that references IMAGE_IMPORT_BY_NAME records (Function 1 ... Function n). The IMAGE_THUNK_DATA entries reached through FirstThunk now hold Address of Function 1, Address of Function 2, Address of Function 3, Address of Function 4, ..., Address of Function n.]
[Figure: at execution time. IMAGE_IMPORT_DESCRIPTOR for Kernel32.dll with fields OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk. The OriginalFirstThunk array still references IMAGE_IMPORT_BY_NAME records 02F6 ExitProcess, 0111 ReadFile, 002B WriteFile, then 80000010H (strcmp) and a 0 terminator. The FirstThunk array now holds the entry address of ExitProcess, the entry address of ReadFile, the entry address of WriteFile, the entry address of strcmp, and a 0 terminator; the program's call stubs jmp dword ptr [0], jmp dword ptr [1], jmp dword ptr [2], jmp dword ptr [3] jump through these slots.]
• Import by name: IMAGE_IMPORT_BY_NAME
• Import by ordinal: the low word of the IMAGE_THUNK_DATA value gives the function's ordinal, and the most significant bit (MSB) is set to 1.
– For example, if a function is exported only by ordinal and its ordinal is 1234H, the IMAGE_THUNK_DATA value for that function is 80001234H.
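The following is an added example, not code from the slides: it builds a small constructed 32-bit import section in memory (RVAs are taken to be offsets into that buffer, which is an assumption made for the example), walks IMAGE_IMPORT_DESCRIPTOR / IMAGE_THUNK_DATA / IMAGE_IMPORT_BY_NAME the way the figures above describe, applies the MSB rule to tell ordinal imports from name imports, and then simulates the loader overwriting the FirstThunk (IAT) slots while OriginalFirstThunk (INT) stays intact. The resolved addresses and the function `simulate_load` are constructed for the example; the hints, names and the 80000010H entry follow the slides.

```python
import struct

# 32-bit PE: MSB of an IMAGE_THUNK_DATA value set => import by ordinal
IMAGE_ORDINAL_FLAG32 = 0x80000000
DESCRIPTOR_SIZE = 20  # sizeof(IMAGE_IMPORT_DESCRIPTOR): five DWORDs


def decode_thunk(value):
    """Classify one 32-bit IMAGE_THUNK_DATA value as the loader does.
    MSB set: the low word is the ordinal. Otherwise the value is the RVA
    of an IMAGE_IMPORT_BY_NAME record (WORD hint + NUL-terminated name)."""
    if value & IMAGE_ORDINAL_FLAG32:
        return ("ordinal", value & 0xFFFF)
    return ("name", value)


def read_cstring(image, rva):
    return image[rva:image.index(b"\0", rva)].decode("ascii")


def read_thunk_array(image, rva):
    """Return the IMAGE_THUNK_DATA values up to (excluding) the 0 terminator."""
    values = []
    while True:
        (value,) = struct.unpack_from("<I", image, rva)
        if value == 0:
            return values
        values.append(value)
        rva += 4


def parse_imports(image, descriptor_rva):
    """Walk the IMAGE_IMPORT_DESCRIPTOR list; resolve each thunk through the
    INT (OriginalFirstThunk), falling back to FirstThunk when the INT RVA is 0."""
    imports = []
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", image, descriptor_rva)
        if oft == 0 and name_rva == 0 and ft == 0:  # all-zero terminator record
            return imports
        dll = read_cstring(image, name_rva)
        entries = []
        for value in read_thunk_array(image, oft or ft):
            kind, payload = decode_thunk(value)
            if kind == "ordinal":
                entries.append(("ordinal", payload, None))
            else:
                (hint,) = struct.unpack_from("<H", image, payload)
                entries.append(("name", hint, read_cstring(image, payload + 2)))
        imports.append((dll, entries))
        descriptor_rva += DESCRIPTOR_SIZE


def build_sample_image():
    """Constructed import section for Kernel32.dll; RVAs are buffer offsets (assumption)."""
    image = bytearray()

    def append(blob):
        offset = len(image)
        image.extend(blob)
        return offset

    descriptor_rva = append(b"\0" * (2 * DESCRIPTOR_SIZE))  # descriptor + zero terminator
    name_rva = append(b"Kernel32.dll\0")
    by_name = {}
    for hint, func in [(0x02F6, "ExitProcess"), (0x0111, "ReadFile"), (0x002B, "WriteFile")]:
        by_name[func] = append(struct.pack("<H", hint) + func.encode() + b"\0")
    while len(image) % 4:  # DWORD-align the thunk arrays
        image.append(0)
    thunks = [by_name["ExitProcess"], by_name["ReadFile"], by_name["WriteFile"],
              IMAGE_ORDINAL_FLAG32 | 0x0010,  # 80000010H: import by ordinal, as on the slide
              0]
    packed = struct.pack("<%dI" % len(thunks), *thunks)
    int_rva = append(packed)  # OriginalFirstThunk array (INT)
    iat_rva = append(packed)  # FirstThunk array (IAT): identical before load
    struct.pack_into("<IIIII", image, descriptor_rva, int_rva, 0, 0, name_rva, iat_rva)
    return image, descriptor_rva, int_rva, iat_rva


def simulate_load(image, descriptor_rva, resolver):
    """Mimic the loader: overwrite each FirstThunk slot with a resolved address
    while leaving OriginalFirstThunk untouched. `resolver` maps
    ('name', func) or ('ordinal', n) to constructed addresses."""
    oft, _, _, _, ft = struct.unpack_from("<IIIII", image, descriptor_rva)
    for i, value in enumerate(read_thunk_array(image, oft)):
        kind, payload = decode_thunk(value)
        key = (kind, payload) if kind == "ordinal" else (kind, read_cstring(image, payload + 2))
        struct.pack_into("<I", image, ft + 4 * i, resolver[key])


if __name__ == "__main__":
    img, desc, int_rva, iat_rva = build_sample_image()
    print(parse_imports(img, desc))
    print(decode_thunk(0x80001234))  # ('ordinal', 0x1234)
```

Because the INT is never written by the loader, an analyst can still recover the imported names from OriginalFirstThunk after the IAT has been filled in, which is exactly the difference the two figures above illustrate.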