以下代码是否表明在exe中,节标题位于节本身之后,或者我是否遗漏了某些内容? 此外,lpFileBase的值与pimnth-> OptionalHeader.ImageBase中保存的值不同。他们不应该是一样的吗?
#include<iostream>
#include<Windows.h>
#include<stdio.h>
#include<WinNT.h>
int main()
{
HANDLE hFile,hFileMapping;
LPVOID lpFileBase;
LPVOID lp;
long offset;
if((hFile = CreateFile(TEXT("c:\\linked list.exe"),GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0)) == INVALID_HANDLE_VALUE)
std::cout<<"unable to open";
if((hFileMapping = CreateFileMapping(hFile,NULL,PAGE_READONLY,0,0,NULL)) == 0)
{
CloseHandle(hFile);
std::cout<<"unable to open for mapping";
}
if((lpFileBase = MapViewOfFile(hFileMapping,FILE_MAP_READ,0,0,0))== 0)
{
CloseHandle(hFile);
CloseHandle(hFileMapping);
std::cout<<"couldn't map view of file";
}
PIMAGE_DOS_HEADER pimdh;
pimdh = (PIMAGE_DOS_HEADER)lpFileBase;
PIMAGE_NT_HEADERS pimnth;
pimnth = (PIMAGE_NT_HEADERS)(pimdh->e_lfanew + (char *)lpFileBase);
PIMAGE_SECTION_HEADER pimsh;
pimsh = (PIMAGE_SECTION_HEADER)(pimnth + 1);
printf("Address of section header:%x\n",pimsh);
for(int i = 0; i<pimnth->FileHeader.NumberOfSections; i++)
{
if(!strcmp((char *)pimsh->Name,".text"))
{
printf("Virtual Address:%x\n\n\n",pimsh->VirtualAddress);
}
pimsh++;
}
}
答案 0 :(得分:0)
OptionalHeader.ImageBase字段中包含的值(地址)由编译器/链接器放置。链接器需要此预定义地址,以便能够在调用变量和函数时计算跳转和偏移量。加载器的第一个任务之一是验证此预定义地址是否已在内存中占用(这通常是DLL的情况)。如果地址没有被占用,那么你的lpFileBase将与OptionalHeader.ImageBase相同。