导入表

void* importTableResolve(void* fileBuffer){
	PE pe = resolvePE(fileBuffer);
	//导入表是数据目录的第二项
	int importTableFOA = VA2FA(fileBuffer, pe.dataDir[1].value);
	IMAGE_IMPORT_DESCRIPTOR* pImportTable = (IMAGE_IMPORT_DESCRIPTOR*)(importTableFOA + (int)fileBuffer);
	char* name;
    //遍历导入表
	while (pImportTable->Name !=NULL)
	{
		name = (char*)(VA2FA(fileBuffer, pImportTable->Name) + (int)fileBuffer);
		printf(name);
		printf("\n == == == == == == == INT == == == == == == == == == = ");
		DWORD* INTTable =  (DWORD*)(VA2FA(fileBuffer, pImportTable->OriginalFirstThunk) + (int)fileBuffer);
		char* funName;
		while (*INTTable)
		{
            //*INTTable 需要判断它的最高位是不是0,是0的话是按名称导入,1的话是按序号导入
            if(*INTTable & IMAGE_ORDINAL_FLAG ){
                printf(ord);
            }else{
                funName = (char*)(VA2FA(fileBuffer, *INTTable) + (int)fileBuffer);
			    printf(funName);
            }

			printf("\n");
			INTTable++;
		}
		printf("==============IAT===================");
		DWORD* IATTable = (DWORD*)(VA2FA(fileBuffer, pImportTable->FirstThunk) + (int)fileBuffer);
		while (*IATTable)
		{
            if(*IATTable & IMAGE_ORDINAL_FLAG ){
                printf(ord);
            }else{
                funName = (char*)(VA2FA(fileBuffer, *IATTable) + (int)fileBuffer);
			    printf(funName);
            }
			printf("\n");
			IATTable++;
		}

		pImportTable++;
	}

	return NULL;
}

IAT 和 INT 在文件中的内容是一致的,都是执行函数名称或则放这函数序号

但是在加载成功后IAT表会将里面的内容修改为函数真实地址,在程序里 间接call call的就是IAT表里面的地址