WindowsPE 延迟加载导入表 

typedef struct _IMAGE_DELAYLOAD_DESCRIPTOR {
    union {
        DWORD AllAttributes;
        struct {
            DWORD RvaBased : 1;             // Delay load version 2
            DWORD ReservedAttributes : 31;
        } DUMMYSTRUCTNAME;
    } Attributes;

    DWORD DllNameRVA;                       // RVA to the name of the target library (NULL-terminate ASCII string)
    DWORD ModuleHandleRVA;                  // RVA to the HMODULE caching location (PHMODULE)
    DWORD ImportAddressTableRVA;            // RVA to the start of the IAT (PIMAGE_THUNK_DATA)
    DWORD ImportNameTableRVA;               // RVA to the start of the name table (PIMAGE_THUNK_DATA::AddressOfData)
    DWORD BoundImportAddressTableRVA;       // RVA to an optional bound IAT
    DWORD UnloadInformationTableRVA;        // RVA to an optional unload info table
    DWORD TimeDateStamp;                    // 0 if not bound,
                                            // Otherwise, date/time of the target DLL

} IMAGE_DELAYLOAD_DESCRIPTOR, *PIMAGE_DELAYLOAD_DESCRIPTOR;

 

 

 

 

 

 a00+b0=ab0

 

 name=4020a0 虚拟地址

4020a0-400000基地址-2000延迟地址+延迟物理地址=0aa0 name物理地址

 

 后面就是

 

 

data e00+12c=f2c 文件位置 存放dll 句柄

 

 

下一个位置计算是 f24 

ImportNameTableRVA 的name

 

 绑定的延迟导入表 地址表 rva  就在它后面一个

 

posted @ 2021-07-31 23:02  紅人  阅读(207)  评论(0编辑  收藏  举报