Windows
From a loaded DLL to a function address (TEB->DLL)
dool2ly
2015. 10. 25. 17:45
| Structure | Offset | Field |
|---|---|---|
| FS:[18] | | *TEB |
| TEB | +0x30 | *PEB (FS:[30]) |
| PEB | +0x0C | *LDR |
| LDR | +0x14 | *InMemoryOrderModuleList |
| | +0x1C | *InInitializationOrderModuleList |
| InMemoryOrderModuleList | | NextEntryLink |
| | +0x10 | ImageBaseAddress |
| | +0x28 | *BaseDllName |
| InInitializationOrderModuleList | | NextEntryLink |
| | +0x08 | ImageBaseAddress |
| | +0x20 | *BaseDllName |
| IMAGE_DOS_HEADER | +0x3C | Offset to IMAGE_NT_HEADERS |
| IMAGE_NT_HEADERS | +0x78 | Export Table RVA |
| IMAGE_EXPORT_DIRECTORY | +0x1C | Address Table RVA |
| | +0x20 | Name Pointer Table RVA |
| | +0x24 | Ordinal Table RVA |
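With IMAGE_EXPORT_DIRECTORY as the base, count the position (offset) of the function name being looked up in the Name Pointer Table
-> in the Ordinal Table, read at count * 2 (an ordinal number is 2 bytes)
-> in the Address Table, read at ordinal number * 4 (an address RVA is 4 bytes)
-> ImageBaseAddress + RVA = the wanted function!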
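
The lookup above, carried out over a byte buffer instead of live process memory, as an added example that is not code from the original post. `resolve_export`, `build_sample` and the two sample exports are constructed for illustration; the `NumberOfNames` field at +0x18 and the PE32 magic check come from the PE format rather than from the table above, and the check is there because the +0x78 offset is only valid for 32-bit images.

```python
import struct

def u16(img, off): return struct.unpack_from("<H", img, off)[0]
def u32(img, off): return struct.unpack_from("<I", img, off)[0]
def cstr(img, off): return img[off:img.index(b"\0", off)].decode("ascii")

def resolve_export(img, base, wanted):
    """img is a module as mapped in memory, so an RVA is an offset into img."""
    if img[:2] != b"MZ":
        raise ValueError("no IMAGE_DOS_HEADER")
    nt = u32(img, 0x3C)                      # offset to IMAGE_NT_HEADERS
    if img[nt:nt + 4] != b"PE\0\0" or u16(img, nt + 0x18) != 0x10B:
        raise ValueError("not PE32: the +0x78 offset only holds for 32-bit images")
    exp = u32(img, nt + 0x78)                # Export Table RVA
    n_names = u32(img, exp + 0x18)           # NumberOfNames
    addr_tbl = u32(img, exp + 0x1C)          # Address Table RVA
    name_tbl = u32(img, exp + 0x20)          # Name Pointer Table RVA
    ord_tbl = u32(img, exp + 0x24)           # Ordinal Table RVA
    for count in range(n_names):             # position of the name = "count"
        if cstr(img, u32(img, name_tbl + count * 4)) == wanted:
            ordinal = u16(img, ord_tbl + count * 2)   # 2-byte entries
            rva = u32(img, addr_tbl + ordinal * 4)    # 4-byte entries
            return base + rva                # ImageBaseAddress + RVA
    return None

def build_sample():
    """Constructed minimal image: two exports whose ordinals differ from name order."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)            # NT headers at 0x80
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x80 + 0x18, 0x10B)    # PE32 optional-header magic
    struct.pack_into("<I", img, 0x80 + 0x78, 0x200)    # export directory at RVA 0x200
    struct.pack_into("<I", img, 0x200 + 0x18, 2)       # NumberOfNames
    struct.pack_into("<III", img, 0x200 + 0x1C, 0x240, 0x250, 0x260)
    struct.pack_into("<III", img, 0x240, 0x1111, 0x2222, 0x3333)  # address table
    struct.pack_into("<II", img, 0x250, 0x280, 0x290)  # name pointer table
    struct.pack_into("<HH", img, 0x260, 2, 0)          # ordinal table
    img[0x280:0x286] = b"Alpha\0"
    img[0x290:0x295] = b"Beta\0"
    return bytes(img)

if __name__ == "__main__":
    sample = build_sample()
    for name in ("Alpha", "Beta", "Missing"):
        addr = resolve_export(sample, 0x10000000, name)
        print(name, hex(addr) if addr is not None else None)
```

In the sample, "Alpha" is first in the name table but its ordinal entry is 2, so skipping the Ordinal Table step and indexing the Address Table by name position would return the wrong function.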