I am trying to count the number of times a PE calls each IAT (Import Address Table). Like this:
counter=0
for entry in file.DIRECTORY_ENTRY_IMPORT:
    print (entry.dll)
    for imp in entry.imports:
        print ('\t', hex(imp.address), imp.name)
        counter=counter+1
    print(entry.dll,":",counter)
The output looks something like this:
b'KERNEL32.dll'
0x180006000 b'GetProcAddress'
0x180006008 b'LoadLibraryA'
0x180006010 b'IsProcessorFeaturePresent'
0x180006018 b'GetStartupInfoW'
0x180006020 b'SetUnhandledExceptionFilter'
0x180006028 b'UnhandledExceptionFilter'
0x180006030 b'IsDebuggerPresent'
0x180006038 b'RtlVirtualUnwind'
0x180006040 b'RtlLookupFunctionEntry'
0x180006048 b'RtlCaptureContext'
0x180006050 b'InitializeSListHead'
0x180006058 b'DisableThreadLibraryCalls'
0x180006060 b'GetSystemTimeAsFileTime'
0x180006068 b'GetCurrentThreadId'
0x180006070 b'GetCurrentProcessId'
0x180006078 b'QueryPerformanceCounter'
0x180006080 b'GetModuleHandleW'
b'KERNEL32.dll':17
b'MSVCP140.dll'
0x180006090 b'?_Xout_of_range@std@@YAXPEBD@Z'
0x180006098 b'?_Xlength_error@std@@YAXPEBD@Z'
0x1800060a0 b'?_Xbad_alloc@std@@YAXXZ'
b'MSVCP140.dll':20
b'VCRUNTIME140.dll'
0x1800060b0 b'_purecall'
0x1800060b8 b'__std_terminate'
0x1800060c0 b'memmove'
0x1800060c8 b'_CxxThrowException'
0x1800060d0 b'__std_type_info_destroy_list'
0x1800060d8 b'__RTDynamicCast'
0x1800060e0 b'memcpy'
0x1800060e8 b'__C_specific_handler'
0x1800060f0 b'__std_exception_copy'
0x1800060f8 b'__std_exception_destroy'
0x180006100 b'__CxxFrameHandler3'
0x180006108 b'memset'
b'VCRUNTIME140.dll':32
But it should count each entry separately. For example, MSVCP140.dll should be counted as '3' rather than '20'. Any help would be greatly appreciated.
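
One way to get a separate count per DLL, as an added example that is not part of the original post: it tallies imports per descriptor instead of keeping one running total, and goes a little further by merging repeated descriptors for the same DLL and labelling by-ordinal imports. The helper names and the `SAMPLE` data are constructed for illustration; `pe` plays the role of the post's `file` object.

```python
from collections import Counter
from types import SimpleNamespace as NS


def count_imports_per_dll(pe):
    """Map each imported DLL to its own import count.

    `pe` is a pefile.PE object or anything shaped like one.
    """
    counts = Counter()
    # pefile sets DIRECTORY_ENTRY_IMPORT only when an import directory exists.
    for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
        # DLL names are case-insensitive on Windows; merge repeat descriptors.
        dll = entry.dll.decode("ascii", errors="replace").lower()
        counts[dll] += len(entry.imports)  # per DLL, not a running total
    return dict(counts)


def describe(imp):
    """Label one import; pefile gives name=None for by-ordinal imports."""
    if imp.name is None:
        return f"ordinal #{imp.ordinal}"
    return imp.name.decode("ascii", errors="replace")


def _entry(dll, *imports):
    # Constructed stand-in for pefile's import descriptor objects.
    return NS(dll=dll, imports=[NS(name=n, ordinal=o) for n, o in imports])


# Constructed sample (not a real binary), so the block runs without pefile.
SAMPLE = NS(DIRECTORY_ENTRY_IMPORT=[
    _entry(b"KERNEL32.dll", (b"GetProcAddress", None), (b"LoadLibraryA", None)),
    _entry(b"MSVCP140.dll", (b"?_Xout_of_range@std@@YAXPEBD@Z", None),
           (b"?_Xlength_error@std@@YAXPEBD@Z", None),
           (b"?_Xbad_alloc@std@@YAXXZ", None)),
    _entry(b"WS2_32.dll", (None, 115)),
    _entry(b"kernel32.dll", (b"IsDebuggerPresent", None)),
])

if __name__ == "__main__":
    import sys
    pe = SAMPLE
    if len(sys.argv) > 1:
        import pefile  # third-party: pip install pefile
        pe = pefile.PE(sys.argv[1])
    for dll, n in count_imports_per_dll(pe).items():
        print(f"{dll}: {n}")
```

Run with a file path as the first argument to count imports in a real PE; with no argument it prints the counts for the constructed sample.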