windows - How can I find out function names from calls into the import address table?

Tags: windows dll disassembly portable-executable

I disassembled a function in advapi32.dll (specifically RegOpenKeyEx). I see two FF 15 calls into the IAT:

call dword [0x77dd13ec]

call dword [0x77dd15d4]

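Using dumpbin I dumped the DLL's imports, and it says the import address table starts at 77DD124C. But 0x77dd13ec does not appear in the log. The relative address 1A0 does not appear anywhere in it either. Apparently the addresses shown there have nothing at all to do with the addresses in the IAT.

Is it possible to know which functions these call sites link to without writing and running a test program that actually calls the API? Is there any way to find out?

I believe the linker generated these CALL instructions, and they must know which function they link to.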

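Best answer

It sounds like you're close.

Using dumpbin will give you the list of modules that the module imports from, along with the functions imported from each of those modules. Against each imported function is a hexadecimal number. It looks like you may have mistaken this number for an offset from the start of the IAT at which the function's address is stored. In reality, it is just a hint number for the Windows loader. When the Windows loader binds a function, it uses a binary search to look up the function name in the module's export table. The number in the dumpbin output is just a hint about where to start looking, to reduce load time.

Now that we've cleared that up, how do we determine what 0x77dd13ec points to?

Well, it does look like it points into the IAT. The version of advapi32.dll I'm looking at here has an IAT of size 0x668, so an offset of 0x1A0 into the IAT seems plausible. If you look at the value stored at 0x77dd13ec, it will be an address pointing to the function that will be called.

Now that we know the function's address, how do we find out what the function is?

To do this manually, we look at which module occupies that space in memory. For example, the value at 0x77dd13ec is 0x7D6103E4. I can see from Process Explorer or Visual Studio (or whatever tool you prefer) that ntdll.dll is loaded at 0x7D600000 and has a size of 0xF0000, so it points into ntdll.dll. I can then subtract the module's base address to get the relative address (0x7D6103E4 - 0x7D600000 = 0x103E4). Then I can look at ntdll.dll's export table (I prefer depends.exe) and see that ntdll.dll exports a function named _allmul at 0x103E4 - voila!

An easier way is to attach to the process with a debugger (such as OllyDbg) and simply go to address 0x77dd13ec. It will do the above for you.

Sample output from pointing OllyDbg at the advapi32.dll IAT (the advapi32.dll IAT starts at 0x7D1E1000 on my system):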

7D1E1000 >7D6103E4  ntdll._allmul
7D1E1004 >7D632AB1  ntdll.wcsncmp
7D1E1008 >7D62EA4C  ntdll.RtlUnicodeStringToInteger
7D1E100C >7D6220DC  ntdll.RtlAllocateHandle
7D1E1010 >7D622131  ntdll.RtlIsValidIndexHandle
7D1E1014 >7D6220A3  ntdll.RtlFreeHandle
7D1E1018 >7D61D2CA  ntdll.ZwCompareTokens
7D1E101C >7D623653  ntdll.RtlEnumerateGenericTableWithoutSplaying
7D1E1020 >7D639E88  ntdll.RtlIsGenericTableEmpty
7D1E1024 >7D6295D3  ntdll.RtlExpandEnvironmentStrings_U
7D1E1028 >7D639D8D  ntdll.RtlDuplicateUnicodeString
7D1E102C >7D62F24B  ntdll.wcsstr
7D1E1030 >7D629EB3  ntdll.RtlCreateUnicodeString
7D1E1034 >7D61CA29  ntdll.ZwQueryInformationProcess
7D1E1038 >7D61C9E1  ntdll.ZwQueryKey
7D1E103C >7D6370C3  ntdll.RtlStringFromGUID
7D1E1040 >7D61CA89  ntdll.ZwCreateKey
7D1E1044 >7D61D0D2  ntdll.ZwSetValueKey
7D1E1048 >7D63A062  ntdll.RtlDeleteElementGenericTable
7D1E104C >7D63C644  ntdll.RtlInsertElementGenericTable
7D1E1050 >7D62F2B5  ntdll.RtlInitializeHandleTable
7D1E1054 >7D62F1FE  ntdll.RtlDestroyHandleTable
7D1E1058 >7D62E9A6  ntdll.RtlIntegerToUnicodeString
7D1E105C >7D622B16  ntdll.RtlAppendUnicodeToString
7D1E1060 >7D623046  ntdll.RtlFormatCurrentUserKeyPath
7D1E1064 >7D61D582  ntdll.ZwDeleteKey
7D1E1068 >7D61CC81  ntdll.ZwEnumerateKey
7D1E106C >7D6217C3  ntdll._wcsicmp
7D1E1070 >7D63A633  ntdll.RtlInitializeGenericTable
7D1E1074 >7D62F228  ntdll.RtlNumberGenericTableElements
7D1E1078 >7D639EB6  ntdll.RtlLookupElementGenericTable
7D1E107C >7D67407B  ntdll.RtlQueryRegistryValues
7D1E1080 >7D63C67E  ntdll.RtlGUIDFromString
7D1E1084 >7D61F825  ntdll.RtlUpcaseUnicodeChar
7D1E1088 >7D61CEAA  ntdll.ZwQueryVolumeInformationFile
7D1E108C >7D622201  ntdll.RtlPrefixUnicodeString
7D1E1090 >7D61DCD2  ntdll.ZwQuerySymbolicLinkObject
7D1E1094 >7D61DA1A  ntdll.ZwOpenSymbolicLinkObject
7D1E1098 >7D624493  ntdll.RtlDetermineDosPathNameType_U
7D1E109C >7D61C969  ntdll.ZwQueryInformationFile
7D1E10A0 >7D62488B  ntdll.RtlGetFullPathName_U
7D1E10A4 >7D638D8D  ntdll.RtlMakeSelfRelativeSD
7D1E10A8 >7D640A0B  ntdll.mbstowcs
7D1E10AC >7D68E909  ntdll.EtwControlTraceW
7D1E10B0 >7D63EC19  ntdll.wcscmp
7D1E10B4 >7D610557  ntdll._aulldiv
7D1E10B8 >7D61025B  ntdll._alldiv
7D1E10BC >7D61C921  ntdll.ZwSetEvent
7D1E10C0 >7D61CE92  ntdll.ZwCreateEvent
7D1E10C4 >7D6899B1  ntdll._vsnprintf
7D1E10C8 >7D6382AF  ntdll.RtlDestroyHeap
7D1E10CC >7D62E099  ntdll.RtlCreateHeap
7D1E10D0 >7D61CA11  ntdll.ZwAllocateVirtualMemory
7D1E10D4 >7D678DA8  ntdll.RtlFlushSecureMemoryCache
7D1E10D8 >7D61CAA1  ntdll.ZwFreeVirtualMemory
7D1E10DC >7D68C846  ntdll.EtwControlTraceA
7D1E10E0 >7D68F0C1  ntdll.EtwNotificationRegistrationW
7D1E10E4 >7D61CC69  ntdll.ZwQueryPerformanceCounter
7D1E10E8 >7D61D05A  ntdll.ZwWaitForMultipleObjects
7D1E10EC >7D68F25A  ntdll.EtwpGetTraceBuffer
7D1E10F0 >7D61D0BA  ntdll.ZwPowerInformation
7D1E10F4 >7D62E986  ntdll.EtwpSetHWConfigFunction
7D1E10F8 >7D620C55  ntdll.RtlInitAnsiStringEx
7D1E10FC >7D624DF3  ntdll.RtlUnicodeToMultiByteN
7D1E1100 >7D61D92A  ntdll.ZwNotifyChangeKey
7D1E1104 >7D61D072  ntdll.ZwSetInformationObject
7D1E1108 >7D61CD71  ntdll.ZwDuplicateObject
7D1E110C >7D689576  ntdll._itow
7D1E1110 >7D61E032  ntdll.ZwSetInformationKey
7D1E1114 >7D61D5B2  ntdll.ZwDeleteValueKey
7D1E1118 >7D61C999  ntdll.ZwEnumerateValueKey
7D1E111C >7D610BF7  ntdll.memcpy
7D1E1120 >7D61127D  ntdll.memset
7D1E1124 >7D63EC51  ntdll.RtlTimeToSecondsSince1970
7D1E1128 >7D62176A  ntdll._stricmp
7D1E112C >7D62EE3E  ntdll.RtlUnwind
7D1E1130 >7D61CB19  ntdll.ZwQueryVirtualMemory
7D1E1134 >7D627988  ntdll.RtlGetNtProductType
7D1E1138 >7D61D042  ntdll.ZwQuerySystemTime
7D1E113C >7D67BB16  ntdll.RtlRandom
7D1E1140 >7D623334  ntdll.RtlCompareUnicodeString
7D1E1144 >7D61F844  ntdll.RtlInitUnicodeStringEx
7D1E1148 >7D670B47  ntdll.RtlxUnicodeStringToOemSize
7D1E114C >7D6224B9  ntdll.RtlAppendUnicodeStringToString
7D1E1150 >7D61C831  ntdll.ZwWaitForSingleObject
7D1E1154 >7D611A29  ntdll.RtlCompareMemory
7D1E1158 >7D61C879  ntdll.ZwDeviceIoControlFile
7D1E115C >7D622ADD  ntdll.wcsrchr
7D1E1160 >7D61C981  ntdll.ZwOpenKey
7D1E1164 >7D61C9F9  ntdll.ZwQueryValueKey
7D1E1168 >7D6225AD  ntdll.RtlCopyLuid
7D1E116C >7D6218B0  ntdll.RtlImageNtHeader
7D1E1170 >7D637046  ntdll.swprintf
7D1E1174 >7D6895D1  ntdll._ultow
7D1E1178 >7D6A0098  OFFSET ntdll.NlsMbCodePageTag
7D1E117C >7D670B6C  ntdll.RtlxOemStringToUnicodeSize
7D1E1180 >7D6209AC  ntdll.RtlMultiByteToUnicodeN
7D1E1184 >7D61EF3A  ntdll.strstr
7D1E1188 >7D61EFCF  ntdll.strchr
7D1E118C >7D689922  ntdll.tolower
7D1E1190 >7D6288A8  ntdll._wcsnicmp
7D1E1194 >7D621A06  ntdll.wcsncpy
7D1E1198 >7D632433  ntdll.wcstoul
7D1E119C >7D63ED14  ntdll._wcstoui64
7D1E11A0 >7D62F5F9  ntdll.iswctype
7D1E11A4 >7D622D60  ntdll.RtlConvertSidToUnicodeString
7D1E11A8 >7D669ABF  ntdll.DbgPrint
7D1E11AC >7D62E8E2  ntdll.RtlOpenCurrentUser
7D1E11B0 >7D61F96E  ntdll.RtlFreeUnicodeString
7D1E11B4 >7D629251  ntdll.RtlCreateUnicodeStringFromAsciiz
7D1E11B8 >7D61CCE1  ntdll.ZwQuerySystemInformation
7D1E11BC >7D64098C  ntdll.atol
7D1E11C0 >7D610418  ntdll._chkstk
7D1E11C4 >7D61CBF1  ntdll.ZwTerminateProcess
7D1E11C8 >7D66DBDF  ntdll.RtlAdjustPrivilege
7D1E11CC >7D61CA71  ntdll.ZwSetInformationProcess
7D1E11D0 >7D621D5E  ntdll.wcschr
7D1E11D4 >7D61169A  ntdll.strncpy
7D1E11D8 >7D670C42  ntdll.RtlUpcaseUnicodeStringToOemString
7D1E11DC >7D61F18C  ntdll.RtlEnterCriticalSection
7D1E11E0 >7D61F1D7  ntdll.RtlLeaveCriticalSection
7D1E11E4 >7D610045  ntdll.RtlInitString
7D1E11E8 >7D62A64E  ntdll.RtlIsTextUnicode
7D1E11EC >7D66E883  ntdll.RtlSetSecurityDescriptorRMControl
7D1E11F0 >7D66E821  ntdll.RtlGetSecurityDescriptorRMControl
7D1E11F4 >7D66D905  ntdll.RtlSelfRelativeToAbsoluteSD2
7D1E11F8 >7D61D642  ntdll.ZwFilterToken
7D1E11FC >7D61D74A  ntdll.ZwImpersonateAnonymousToken
7D1E1200 >7D610F3D  ntdll.memmove
7D1E1204 >7D624F14  ntdll.RtlUnicodeStringToAnsiString
7D1E1208 >7D620CB7  ntdll.RtlUnicodeToMultiByteSize
7D1E120C >7D622FE1  ntdll.RtlCopyUnicodeString
7D1E1210 >7D61C909  ntdll.ZwSetInformationThread
7D1E1214 >7D66E018  ntdll.RtlImpersonateSelf
7D1E1218 >7D61CD29  ntdll.ZwFsControlFile
7D1E121C >7D61DCA2  ntdll.ZwQuerySecurityObject
7D1E1220 >7D639057  ntdll.RtlOemStringToUnicodeString
7D1E1224 >7D624938  ntdll.RtlDosPathNameToRelativeNtPathName_U
7D1E1228 >7D61CC99  ntdll.ZwOpenFile
7D1E122C >7D624473  ntdll.RtlReleaseRelativeName
7D1E1230 >7D61E0F2  ntdll.ZwSetSecurityObject
7D1E1234 >7D61C939  ntdll.ZwClose
7D1E1238 >7D66D984  ntdll.RtlSelfRelativeToAbsoluteSD
7D1E123C >7D638D66  ntdll.RtlAbsoluteToSelfRelativeSD
7D1E1240 >7D63DBA5  ntdll.RtlDeleteSecurityObject
7D1E1244 >7D660F20  ntdll.RtlQuerySecurityObject
7D1E1248 >7D660EF7  ntdll.RtlSetSecurityObjectEx
7D1E124C >7D660ECF  ntdll.RtlSetSecurityObject
7D1E1250 >7D660E95  ntdll.RtlNewSecurityObjectWithMultipleInheritance
7D1E1254 >7D63D435  ntdll.RtlNewSecurityObjectEx
7D1E1258 >7D661730  ntdll.RtlConvertToAutoInheritSecurityObject
7D1E125C >7D660EA5  ntdll.RtlNewSecurityObject
7D1E1260 >7D6333BA  ntdll.RtlGetGroupSecurityDescriptor
7D1E1264 >7D637A22  ntdll.RtlSetGroupSecurityDescriptor
7D1E1268 >7D6301B1  ntdll.RtlGetOwnerSecurityDescriptor
7D1E126C >7D6379D8  ntdll.RtlSetOwnerSecurityDescriptor
7D1E1270 >7D633385  ntdll.RtlGetSaclSecurityDescriptor
7D1E1274 >7D66DEBE  ntdll.RtlSetSaclSecurityDescriptor
7D1E1278 >7D62B269  ntdll.RtlGetDaclSecurityDescriptor
7D1E127C >7D6375FF  ntdll.RtlSetDaclSecurityDescriptor
7D1E1280 >7D66DE7F  ntdll.RtlSetControlSecurityDescriptor
7D1E1284 >7D624CFD  ntdll.RtlGetControlSecurityDescriptor
7D1E1288 >7D6332F1  ntdll.RtlLengthSecurityDescriptor
7D1E128C >7D633236  ntdll.RtlValidSecurityDescriptor
7D1E1290 >7D6375D1  ntdll.RtlCreateSecurityDescriptor
7D1E1294 >7D637515  ntdll.RtlFirstFreeAce
7D1E1298 >7D670405  ntdll.RtlAddAuditAccessObjectAce
7D1E129C >7D6703B7  ntdll.RtlAddAccessDeniedObjectAce
7D1E12A0 >7D67036A  ntdll.RtlAddAccessAllowedObjectAce
7D1E12A4 >7D670332  ntdll.RtlAddAuditAccessAceEx
7D1E12A8 >7D6702FB  ntdll.RtlAddAuditAccessAce
7D1E12AC >7D6702D7  ntdll.RtlAddAccessDeniedAceEx
7D1E12B0 >7D6702B4  ntdll.RtlAddAccessDeniedAce
7D1E12B4 >7D6390DF  ntdll.RtlAddAccessAllowedAceEx
7D1E12B8 >7D637785  ntdll.RtlAddAccessAllowedAce
7D1E12BC >7D6301F3  ntdll.RtlGetAce
7D1E12C0 >7D64283B  ntdll.RtlDeleteAce
7D1E12C4 >7D66FF8E  ntdll.RtlAddAce
7D1E12C8 >7D66FE7A  ntdll.RtlSetInformationAcl
7D1E12CC >7D66FF02  ntdll.RtlQueryInformationAcl
7D1E12D0 >7D637733  ntdll.RtlCreateAcl
7D1E12D4 >7D637550  ntdll.RtlValidAcl
7D1E12D8 >7D63D23D  ntdll.RtlMapGenericMask
7D1E12DC >7D66DF40  ntdll.RtlAreAnyAccessesGranted
7D1E12E0 >7D66DF24  ntdll.RtlAreAllAccessesGranted
7D1E12E4 >7D628858  ntdll.RtlCopySid
7D1E12E8 >7D62888C  ntdll.RtlLengthSid
7D1E12EC >7D62970C  ntdll.RtlSubAuthorityCountSid
7D1E12F0 >7D621862  ntdll.RtlSubAuthoritySid
7D1E12F4 >7D66DC96  ntdll.RtlIdentifierAuthoritySid
7D1E12F8 >7D637A6C  ntdll.RtlAllocateAndInitializeSid
7D1E12FC >7D6380CB  ntdll.RtlFreeSid
7D1E1300 >7D621830  ntdll.RtlInitializeSid
7D1E1304 >7D6377A8  ntdll.RtlLengthRequiredSid
7D1E1308 >7D63D1ED  ntdll.RtlEqualPrefixSid
7D1E130C >7D62187A  ntdll.RtlEqualSid
7D1E1310 >7D622B95  ntdll.RtlValidSid
7D1E1314 >7D61DAAA  ntdll.ZwPrivilegedServiceAuditAlarm
7D1E1318 >7D61D59A  ntdll.ZwDeleteObjectAuditAlarm
7D1E131C >7D61CD59  ntdll.ZwCloseObjectAuditAlarm
7D1E1320 >7D61DA92  ntdll.ZwPrivilegeObjectAuditAlarm
7D1E1324 >7D61D9D2  ntdll.ZwOpenObjectAuditAlarm
7D1E1328 >7D61D192  ntdll.ZwAccessCheckByTypeResultListAndAuditAlarmByHandle
7D1E132C >7D61D17A  ntdll.ZwAccessCheckByTypeResultListAndAuditAlarm
7D1E1330 >7D61D02A  ntdll.ZwAccessCheckByTypeAndAuditAlarm
7D1E1334 >7D61CBA9  ntdll.ZwAccessCheckAndAuditAlarm
7D1E1338 >7D61DA7A  ntdll.ZwPrivilegeCheck
7D1E133C >7D61D1DA  ntdll.ZwAdjustGroupsToken
7D1E1340 >7D61CDE9  ntdll.ZwAdjustPrivilegesToken
7D1E1344 >7D61E04A  ntdll.ZwSetInformationToken
7D1E1348 >7D61CAE9  ntdll.ZwQueryInformationToken
7D1E134C >7D61CB31  ntdll.ZwOpenThreadToken
7D1E1350 >7D61D9EA  ntdll.ZwOpenProcessToken
7D1E1354 >7D61D162  ntdll.ZwAccessCheckByTypeResultList
7D1E1358 >7D61D14A  ntdll.ZwAccessCheckByType
7D1E135C >7D61D132  ntdll.ZwAccessCheck
7D1E1360 >7D61D222  ntdll.ZwAllocateLocallyUniqueId
7D1E1364 >7D61CE01  ntdll.ZwDuplicateToken
7D1E1368 >7D6331AD  ntdll._vsnwprintf
7D1E136C >7D61007D  ntdll.RtlInitAnsiString
7D1E1370 >7D620B10  ntdll.RtlAnsiStringToUnicodeString
7D1E1374 >7D61F96E  ntdll.RtlFreeUnicodeString
7D1E1378 >7D6100B5  ntdll.RtlInitUnicodeString
7D1E137C >7D624821  ntdll.RtlDosPathNameToNtPathName_U
7D1E1380 >7D61F4CB  ntdll.RtlFreeHeap
7D1E1384 >7D61F7E6  ntdll.wcslen
7D1E1388 >7D61F686  ntdll.RtlAllocateHeap
7D1E138C >7D622AB9  ntdll.wcscpy
7D1E1390 >7D628909  ntdll.wcscat
7D1E1394 >7D6202F5  ntdll.RtlNtStatusToDosError
7D1E1398 >7D621199  ntdll.RtlDeleteCriticalSection
7D1E139C >7D68A275  ntdll.wcstombs
7D1E13A0 >7D621CAF  ntdll.RtlInitializeCriticalSection
7D1E13A4 >7D621CC8  ntdll.RtlEqualUnicodeString
7D1E13A8 >7D620341  ntdll.RtlNtStatusToDosErrorNoTeb
7D1E13AC >7D61D672  ntdll.ZwFlushKey
7D1E13B0 >7D66E6D8  ntdll.RtlValidRelativeSecurityDescriptor
7D1E13B4 >7D61D7F2  ntdll.ZwLoadKey
7D1E13B8 >7D61E2EA  ntdll.ZwUnloadKey
7D1E13BC >7D61DDC2  ntdll.ZwReplaceKey
7D1E13C0 >7D61D942  ntdll.ZwNotifyChangeMultipleKeys
7D1E13C4 >7D61DC12  ntdll.ZwQueryMultipleValueKey
7D1E13C8 >7D61DE6A  ntdll.ZwRestoreKey
7D1E13CC >7D61DE9A  ntdll.ZwSaveKey
7D1E13D0 >7D61DECA  ntdll.ZwSaveMergedKeys
7D1E13D4 >7D61CFCA  ntdll.ZwCreateFile
7D1E13D8 >7D61DEB2  ntdll.ZwSaveKeyEx
7D1E13DC >7D68D071  ntdll.EtwTraceEvent
7D1E13E0 >7D68E3B1  ntdll.EtwStartTraceW
7D1E13E4 >7D68F015  ntdll.EtwQueryTraceW
7D1E13E8 >7D627827  ntdll.RtlGetVersion
7D1E13EC >7D61CB49  ntdll.ZwQueryInformationThread
7D1E13F0 >7D61C861  ntdll.ZwReadFile
7D1E13F4 >7D61C891  ntdll.ZwWriteFile
7D1E13F8 >7D610418  ntdll._chkstk
7D1E13FC >7D62368B  ntdll.RtlReAllocateHeap
7D1E1400  00000000
7D1E1404 >7D52A507  kernel32.OutputDebugStringW
7D1E1408 >7D4D9099  kernel32.LocalFree
7D1E140C >7D4D90FD  kernel32.LocalAlloc
7D1E1410 >7D4E1F1C  kernel32.LocalReAlloc
7D1E1414 >7D4D93AD  kernel32.WideCharToMultiByte
7D1E1418 >7D4D8F75  kernel32.lstrlenW
7D1E141C >7D4D920B  kernel32.MultiByteToWideChar
7D1E1420 >7D4E0DF9  kernel32.lstrlenA
7D1E1424 >7D4E3B5F  kernel32.AreFileApisANSI
7D1E1428 >7D4D9179  kernel32.IsBadWritePtr
7D1E142C >7D4D8E1B  kernel32.CloseHandle
7D1E1430 >7D61F4BC  ntdll.RtlGetLastWin32Error
7D1E1434 >7D4DAC0B  kernel32.GetProcAddress
7D1E1438 >7D4D0DC0  kernel32.LoadLibraryA
7D1E143C >7D4E456B  kernel32.GetComputerNameW
7D1E1440 >7D4E2669  kernel32.OpenProcess
7D1E1444 >7D4E22E6  kernel32.ResumeThread
7D1E1448 >7D4D0845  kernel32.ReadFile
7D1E144C >7D4DA92D  kernel32.WriteFile
7D1E1450 >7D4D8FB9  kernel32.GetCurrentProcessId
7D1E1454 >7D530BCD  kernel32.WaitNamedPipeW
7D1E1458 >7D4D99C0  kernel32.CreateFileW
7D1E145C >7D4E257D  kernel32.lstrcpynW
7D1E1460 >7D50629E  kernel32.CopyFileW
7D1E1464 >7D4DE779  kernel32.FindFirstFileExW
7D1E1468 >7D4DC7A4  kernel32.FindNextFileW
7D1E146C >7D4DA41F  kernel32.SetErrorMode
7D1E1470 >7D4D0B09  kernel32.LoadLibraryExW
7D1E1474 >7D4E24D7  kernel32.lstrcpyW
7D1E1478 >7D4E26C7  kernel32.GetFileTime
7D1E147C >7D4D0F40  kernel32.GetSystemTime
7D1E1480 >7D4DF884  kernel32.GetModuleFileNameW
7D1E1484 >7D504CEC  kernel32.GetPrivateProfileIntW
7D1E1488 >7D4E28E9  kernel32.GetSystemWindowsDirectoryW
7D1E148C >7D4DDCD3  kernel32.GetUserDefaultUILanguage
7D1E1490 >7D4E2288  kernel32.RaiseException
7D1E1494 >7D4D1314  kernel32.ReadProcessMemory
7D1E1498 >7D4F501C  kernel32.GetProfileIntA
7D1E149C >7D501563  kernel32.GetProfileStringA
7D1E14A0 >7D4F7CF0  kernel32.GetComputerNameA
7D1E14A4 >7D4DC623  kernel32.CreateMutexW
7D1E14A8 >7D4F8CCE  kernel32.GetComputerNameExW
7D1E14AC >7D4DF56F  kernel32.CreateThread
7D1E14B0 >7D504E16  kernel32.SetNamedPipeHandleState
7D1E14B4 >7D4E7B6E  kernel32.IsWow64Process
7D1E14B8 >7D4E3C55  kernel32.OpenEventW
7D1E14BC >7D4EA383  kernel32.GetModuleHandleExW
7D1E14C0 >7D4E2A39  kernel32.GetSystemDirectoryW
7D1E14C4 >7D53182C  kernel32.GetLogicalDriveStringsW
7D1E14C8 >7D4D961D  kernel32.GetDriveTypeW
7D1E14CC >7D4F794C  kernel32.GetDiskFreeSpaceW
7D1E14D0 >7D4F7A90  kernel32.GetDiskFreeSpaceExW
7D1E14D4 >7D4E099E  kernel32.GetVolumeInformationW
7D1E14D8 >7D4EA660  kernel32.GlobalMemoryStatusEx
7D1E14DC >7D4E07D2  kernel32.GetSystemInfo
7D1E14E0 >7D54720F  kernel32.EnumUILanguagesW
7D1E14E4 >7D4E2942  kernel32.GetWindowsDirectoryW
7D1E14E8 >7D4DEBA3  kernel32.FindFirstFileW
7D1E14EC >7D4DEA39  kernel32.FindClose
7D1E14F0 >7D4D91E9  kernel32.ResetEvent
7D1E14F4 >7D4D8EBE  kernel32.SetEvent
7D1E14F8 >7D4D0A5C  kernel32.CreateFileA
7D1E14FC >7D52CA61  kernel32.GetOverlappedResult
7D1E1500 >7D4F9D53  kernel32.GetVolumePathNameW
7D1E1504 >7D4E23C1  kernel32.FindResourceExW
7D1E1508 >7D4D1704  kernel32.ReleaseMutex
7D1E150C >7D4DA77B  kernel32.CompareFileTime
7D1E1510 >7D4DCBAB  kernel32.OpenMutexW
7D1E1514 >7D4D8BFB  kernel32.WaitForSingleObject
7D1E1518 >7D4E408F  kernel32.GetLongPathNameW
7D1E151C >7D4DA700  kernel32.GetFileSizeEx
7D1E1520 >7D4DA63A  kernel32.CreateFileMappingW
7D1E1524 >7D4DFC37  kernel32.GetModuleHandleW
7D1E1528 >7D4E0974  kernel32.FormatMessageW
7D1E152C >7D4E1C74  kernel32.GetLocalTime
7D1E1530 >7D61F4A2  ntdll.RtlSetLastWin32Error
7D1E1534 >7D4DC8F9  kernel32.DeleteFileW
7D1E1538 >7D4E3768  kernel32.MoveFileW
7D1E153C >7D4E1471  kernel32.ExpandEnvironmentStringsW
7D1E1540 >7D4D14E0  kernel32.Sleep
7D1E1544 >7D4DA340  kernel32.lstrcmpW
7D1E1548 >7D4E7BAF  kernel32.GetCommandLineW
7D1E154C >7D4E0EA8  kernel32.lstrcmpiW
7D1E1550 >7D621199  ntdll.RtlDeleteCriticalSection
7D1E1554 >7D4D067D  kernel32.DeviceIoControl
7D1E1558 >7D4DFEC0  kernel32.GetVersionExA
7D1E155C >7D4D8834  kernel32.InterlockedExchange
7D1E1560 >7D4DA498  kernel32.CreateEventW
7D1E1564 >7D51249B  kernel32.SetUnhandledExceptionFilter
7D1E1568 >7D535509  kernel32.UnhandledExceptionFilter
7D1E156C >7D4D1004  kernel32.TerminateProcess
7D1E1570 >7D4D0FBA  kernel32.GetSystemTimeAsFileTime
7D1E1574 >7D4DC6E5  kernel32.QueryPerformanceCounter
7D1E1578 >7D4D8848  kernel32.InterlockedCompareExchange
7D1E157C >7D54D025  kernel32.DelayLoadFailureHook
7D1E1580 >7D4DD79D  kernel32.GetCurrentProcess
7D1E1584 >7D53243F  kernel32.GetPriorityClass
7D1E1588 >7D4D9586  kernel32.GetFileAttributesW
7D1E158C >7D4DA3DB  kernel32.GetFullPathNameW
7D1E1590 >7D4D8D8B  kernel32.GetCurrentThreadId
7D1E1594 >7D4D168E  kernel32.GetTickCount
7D1E1598 >7D4D0E7C  kernel32.SleepEx
7D1E159C >7D61F18C  ntdll.RtlEnterCriticalSection
7D1E15A0 >7D4E2496  kernel32.LoadLibraryW
7D1E15A4 >7D61F1D7  ntdll.RtlLeaveCriticalSection
7D1E15A8 >7D4E2511  kernel32.FreeLibrary
7D1E15AC >7D4D8E09  kernel32.GetProcessHeap
7D1E15B0 >7D61F686  ntdll.RtlAllocateHeap
7D1E15B4 >7D61F4CB  ntdll.RtlFreeHeap
7D1E15B8 >7D502818  kernel32.ExpandEnvironmentStringsA
7D1E15BC >7D4F62BD  kernel32.OpenFile
7D1E15C0 >7D4DA73F  kernel32.GetFileSize
7D1E15C4 >7D4E38B9  kernel32._lclose
7D1E15C8 >7D4E014E  kernel32.SearchPathW
7D1E15CC >7D4E5F72  kernel32.GetFileAttributesExW
7D1E15D0 >7D4DA517  kernel32.CreateFileMappingA
7D1E15D4 >7D4DA5FE  kernel32.MapViewOfFile
7D1E15D8 >7D4DA7BB  kernel32.SetFilePointer
7D1E15DC >7D4DA5D2  kernel32.UnmapViewOfFile
7D1E15E0 >7D4E16E9  kernel32.FindResourceA
7D1E15E4 >7D4E0D9E  kernel32.LoadResource
7D1E15E8 >7D4E1D19  kernel32.SizeofResource
7D1E15EC >7D4D8820  kernel32.InterlockedDecrement
7D1E15F0 >7D4D880C  kernel32.InterlockedIncrement
7D1E15F4 >7D4DAC73  kernel32.GetModuleHandleA
7D1E15F8 >7D4EB4CA  kernel32.CreateProcessInternalA
7D1E15FC >7D4D8DAC  kernel32.GetCurrentThread
7D1E1600 >7D4ECE40  kernel32.CreateProcessInternalW
7D1E1604  00000000
7D1E1608 >7DA503A2  RPCRT4.UuidFromStringW
7D1E160C >7DA39929  RPCRT4.RpcStringFreeW
7D1E1610 >7DA79D70  RPCRT4.UuidToStringW
7D1E1614 >7DA44925  RPCRT4.RpcRaiseException
7D1E1618 >7DA722E5  RPCRT4.RpcBindingSetAuthInfoExA
7D1E161C >7DA35D48  RPCRT4.RpcBindingFree
7D1E1620 >7DA39EB4  RPCRT4.RpcBindingFromStringBindingW
7D1E1624 >7DA39CBD  RPCRT4.RpcStringBindingComposeW
7D1E1628 >7DA43060  RPCRT4.RpcBindingSetAuthInfoExW
7D1E162C >7DAC0005  RPCRT4.NdrClientCall2
7D1E1630 >7DA7DE50  RPCRT4.RpcStringBindingParseW
7D1E1634 >7DA6F145  RPCRT4.I_RpcMapWin32Status
7D1E1638 >7DA6B28D  RPCRT4.RpcBindingToStringBindingW
7D1E163C >7DA390D8  RPCRT4.NDRCContextBinding
7D1E1640 >7DA660AD  RPCRT4.RpcRevertToSelf
7D1E1644 >7DA4CDF9  RPCRT4.RpcImpersonateClient
7D1E1648 >7DA660BA  RPCRT4.I_RpcBindingIsClientLocal
7D1E164C >7DA44F23  RPCRT4.I_RpcExceptionFilter
7D1E1650 >7DA4285B  RPCRT4.RpcSsDestroyClientContext
7D1E1654 >7DA66C54  RPCRT4.RpcBindingSetAuthInfoW
7D1E1658 >7DA726FB  RPCRT4.RpcBindingSetAuthInfoA
7D1E165C >7DA66880  RPCRT4.RpcEpResolveBinding
7D1E1660 >7DA667AB  RPCRT4.I_RpcSNCHOption
7D1E1664  00000000

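I know it's been a few months since you posted the question, but I hope this still helps you or anyone else searching for this. This kind of information is hard to come by, I know!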
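The question asks whether the call targets can be identified without running anything. As an added example (not part of the original question or answer), this goes one step beyond the answer's debugger approach: it parses a PE32 file's import directory and maps every IAT slot address, as it appears in a `call dword [addr]` operand, to the imported DLL, function name and loader hint. The function names `iat_slots` and `sample_image`, the image base, the hint value and the bound pointers in the sample are all constructed for illustration.

```python
import struct

def _off(sections, rva):
    for va, vsize, raw_off, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_off + rva - va
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def _cstr(data, off):
    return bytes(data[off:data.index(b"\0", off)]).decode("ascii")

def iat_slots(data):
    """Map IAT slot VA (at the preferred ImageBase) -> (dll, name, hint). PE32 only."""
    pe, = struct.unpack_from("<I", data, 0x3C)              # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", data, pe + 6)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    base, = struct.unpack_from("<I", data, opt + 28)        # ImageBase
    imp_rva, = struct.unpack_from("<I", data, opt + 104)    # DataDirectory[1]
    sections = []
    for i in range(nsec):
        vsize, va, rsize, roff = struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, roff, rsize))
    slots, desc = {}, _off(sections, imp_rva)
    while any(d := struct.unpack_from("<5I", data, desc)):  # all-zero descriptor ends list
        oft, _, _, name_rva, ft = d
        dll = _cstr(data, _off(sections, name_rva))
        # Binding overwrites FirstThunk on disk, so names are read via OriginalFirstThunk.
        look, slot = _off(sections, oft or ft), base + ft
        while (thunk := struct.unpack_from("<I", data, look)[0]):
            if thunk & 0x80000000:                          # import by ordinal
                entry = (dll, f"#{thunk & 0xFFFF}", None)
            else:                                           # IMAGE_IMPORT_BY_NAME
                o = _off(sections, thunk)
                entry = (dll, _cstr(data, o + 2), struct.unpack_from("<H", data, o)[0])
            slots[slot] = entry
            look, slot = look + 4, slot + 4
        desc += 20
    return slots

def sample_image(base=0x10000000):
    """Constructed minimal PE32 (not a real DLL) with one bound import descriptor."""
    img = bytearray(0x400)
    img[0:2], img[0x40:0x44], img[0x138:0x13D] = b"MZ", b"PE\0\0", b".text"
    img[0x240:0x24A], img[0x260:0x26A] = b"\xE3\x00ZwClose\0", b"ntdll.dll\0"
    for fmt, off, *vals in [
        ("<I", 0x3C, 0x40), ("<HH", 0x44, 0x14C, 1), ("<H", 0x54, 0xE0),      # DOS, COFF
        ("<H", 0x58, 0x10B), ("<I", 0x74, base), ("<II", 0xC0, 0x1080, 40),   # optional hdr
        ("<4I", 0x140, 0x200, 0x1000, 0x200, 0x200),    # .text: RVA 0x1000 at file 0x200
        ("<2I", 0x200, 0x7C90CFD0, 0x7C90D5A0),         # IAT already overwritten by binding
        ("<2I", 0x210, 0x1040, 0x80000005),             # INT: one by name, one by ordinal
        ("<5I", 0x280, 0x1010, 0xFFFFFFFF, 0, 0x1060, 0x1000)]:  # descriptor, stamp -1
        struct.pack_into(fmt, img, off, *vals)
    return bytes(img)
```

Look up the operand of the `call dword [...]` instruction in the returned dictionary. The keys assume the module sits at its preferred ImageBase, so for a relocated module subtract the actual load address and add ImageBase before the lookup.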

Regarding "windows - How can I find out function names from calls into the import address table?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/25730526/
