].VirtualAddress,
RVAToFOA(pe,va),
pe.OPTIONAL_HEADER.DATA_DIRECTORY[index].Size
),end="")
if index == 0:
print("Export symbols")
if index == 1:
print("Import symbols")
if index == 2:
print("Resources")
if index == 3:
print("Exception")
if index == 4:
print("Security")
if index == 5:
print("Base relocation")
if index == 6:
print("Debug")
if index == 7:
print("Copyright string")
if index == 8:
print("Globalptr")
if index == 9:
print("Thread local storage (TLS)")
if index == 10:
print("Load configuration")
if index == 11:
print("Bound Import")
if index == 12:
print("Import Address Table")
if index == 13:
print("Delay Import")
if index == 14:
print("COM descriptor")
if index == 15:
print("NoUse")
if __name__ == "__main__":
    # Load the sample from disk and hand the parsed object to ScanOptional.
    # The script only parses and prints header fields; it never runs the sample.
    sample_path = "d://lyshark.exe"
    pe = pefile.PE(sample_path)
    ScanOptional(pe)
21.1.7 解析导入导出表
导入表和导出表都是PE文件中的重要数据结构,分别记录着一个模块所导入和导出的函数和数据。如下所示则是使用 `pefile` 模块实现对导入表与导出表的解析工作:对于导入表,`ScanImport` 需要通过 `pe.DIRECTORY_ENTRY_IMPORT` 获取到完整的导入目录,并通过循环的方式输出 `x.imports` 中的数据即可;而对于导出表,`ScanExport` 则需要在 `pe.DIRECTORY_ENTRY_EXPORT.symbols` 导出符号中解析获取。需要注意的是,只有当文件确实包含导入或导出目录时 pefile 才会生成对应属性,且按序号导入或导出的条目其 `name` 为 `None`,解析时应单独处理,否则列表会在该条目处提前结束。
import pefile
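# Print every imported module together with the functions imported from it
def ScanImport(pe):
    """Print one line per imported function of a parsed PE file.

    Output is framed by two separator lines of 100 dashes.

    Args:
        pe: A parsed ``pefile.PE`` object, or any object exposing
            ``DIRECTORY_ENTRY_IMPORT`` as an iterable of entries with
            ``dll`` and ``imports`` attributes.

    Imports that are bound by ordinal have ``name`` set to ``None``; they
    are listed as ``ordinal:<n>`` instead of aborting the listing. A file
    without an import directory produces only the two separator lines.
    """

    def _text(raw):
        # Names are read from the file under analysis and may not be valid
        # UTF-8; escape undecodable bytes rather than raising mid-listing.
        if raw is None:
            return ""
        if isinstance(raw, bytes):
            return raw.decode("utf-8", errors="backslashreplace")
        return str(raw)

    print("-" * 100)
    # pefile only creates DIRECTORY_ENTRY_IMPORT when an import directory
    # was parsed, so a missing attribute means "nothing to list".
    for x in getattr(pe, "DIRECTORY_ENTRY_IMPORT", None) or []:
        module_name = _text(x.dll)
        for y in x.imports:
            # An ordinal-only import must stay visible in a triage listing;
            # dropping it silently would hide part of the API surface.
            if y.name is None:
                func_name = "ordinal:%s" % y.ordinal
            else:
                func_name = _text(y.name)
            print("[*] 模块名称: %-20s 导入函数: %-14s" % (module_name, func_name))
    print("-" * 100)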
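# Print every symbol found in the export table
def ScanExport(pe):
    """Print one line per exported symbol of a parsed PE file.

    Each line shows the export ordinal, ``ImageBase + RVA`` in hex, and the
    symbol name. Output is framed by two separator lines of 100 dashes.

    Args:
        pe: A parsed ``pefile.PE`` object, or any object exposing
            ``OPTIONAL_HEADER.ImageBase`` and
            ``DIRECTORY_ENTRY_EXPORT.symbols``.

    Exports without a name (ordinal-only) have ``name`` set to ``None`` and
    are listed as ``(unnamed)`` instead of aborting the listing. A file
    without an export directory produces only the two separator lines.
    """
    print("-" * 100)
    # pefile only creates DIRECTORY_ENTRY_EXPORT when an export directory
    # was parsed, so a missing attribute means "nothing to list".
    export_dir = getattr(pe, "DIRECTORY_ENTRY_EXPORT", None)
    symbols = export_dir.symbols if export_dir is not None else []
    for exp in symbols:
        if exp.name is None:
            symbol_name = "(unnamed)"
        else:
            # Names are read from the file under analysis; escape bytes
            # that are not valid UTF-8 rather than raising mid-listing.
            symbol_name = exp.name.decode("utf-8", errors="backslashreplace")
        # The address uses the header's preferred ImageBase; the address at
        # run time differs whenever the image is loaded at another base.
        address = hex(pe.OPTIONAL_HEADER.ImageBase + exp.address)
        print("[*] 导出序号: %-5s 模块地址: %-20s 模块名称: %-15s"
              % (exp.ordinal, address, symbol_name))
    print("-" * 100)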
if __name__ == "__main__":
    # Load the sample from disk, then list its import table followed by its
    # export table. The script only parses the file; it never runs the sample.
    sample_path = "d://lyshark.exe"
    pe = pefile.PE(sample_path)
    for report in (ScanImport, ScanExport):
        report(pe)
本文作者: 王瑞
本文链接: https://www.lyshark.com/post/92a3370c.html
版权声明: 本博客所有文章除特别声明外,均采用 BY-NC-SA 许可协议。转载请注明出处!