setupldr!BlLoadImage32Ex function analysis: understanding the .edata section, using kdcom.dll as an example -- very important


Part 1:

Loading the 4th section

kd> dt IMAGE_section_header 0x800130f8+e0+28*3 -r

setupldr!IMAGE_SECTION_HEADER

+0x000 Name : [8] ".edata"

+0x008 Misc : __unnamed
+0x000 PhysicalAddress : 0xfa
+0x000 VirtualSize : 0xfa

+0x00c VirtualAddress : 0x4000

+0x010 SizeOfRawData : 0x200

+0x014 PointerToRawData : 0x1800

+0x018 PointerToRelocations : 0

+0x01c PointerToLinenumbers : 0

+0x020 NumberOfRelocations : 0

+0x022 NumberOfLinenumbers : 0

+0x024 Characteristics : 0x40000040

kd> t

eax=00060b64 ebx=80013264 ecx=00000000 edx=00002200 esi=000000fa edi=000000fa

eip=00315eae esp=000605f8 ebp=00060b9c iopl=0 nv up di ng nz na pe nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000086

setupldr!BlImageRead:

00315eae 55 push ebp

kd> dv

pCache = 0x00060b64

FileId = 0

Buffer = 0x80017000

Length = 0xfa

pCount = 0x00060b90

kd> db 0x80017000

80017000 00 00 00 00 37 9d e5 66-00 00 00 00 78 40 00 00 ....7..f....x@..

80017010 01 00 00 00 08 00 00 00-08 00 00 00 28 40 00 00 ............(@..

80017020 48 40 00 00 68 40 00 00-b8 10 00 00 b8 10 00 00 H@..h@..........

80017030 d8 10 00 00 80 11 00 00-4e 31 00 00 94 11 00 00 ........N1......

80017040 8a 11 00 00 b4 33 00 00-82 40 00 00 91 40 00 00 .....3...@...@..

80017050 a0 40 00 00 b6 40 00 00-cc 40 00 00 dc 40 00 00 .@...@...@...@..

80017060 e6 40 00 00 ed 40 00 00-00 00 01 00 02 00 03 00 .@...@..........

80017070 04 00 05 00 06 00 07 00-4b 44 43 4f 4d 2e 64 6c ........KDCOM.dl

kd> db 0x80017000+80

80017080 6c 00 4b 64 44 30 54 72-61 6e 73 69 74 69 6f 6e l.KdD0Transition

80017090 00 4b 64 44 33 54 72 61-6e 73 69 74 69 6f 6e 00 .KdD3Transition.

800170a0 4b 64 44 65 62 75 67 67-65 72 49 6e 69 74 69 61 KdDebuggerInitia

800170b0 6c 69 7a 65 30 00 4b 64-44 65 62 75 67 67 65 72 lize0.KdDebugger

800170c0 49 6e 69 74 69 61 6c 69-7a 65 31 00 4b 64 52 65 Initialize1.KdRe

800170d0 63 65 69 76 65 50 61 63-6b 65 74 00 4b 64 52 65 ceivePacket.KdRe

800170e0 73 74 6f 72 65 00 4b 64-53 61 76 65 00 4b 64 53 store.KdSave.KdS

800170f0 65 6e 64 50 61 63 6b 65-74 00 7e 03 e9 a1 00 c4 endPacket.~.....

Part 2:

D:\BIN>DUMPBIN.EXE /all kdcom.dll >kdcom.txt

D:\BIN>

SECTION HEADER #4

.edata name
FA virtual size

4000 virtual address

200 size of raw data

1800 file pointer to raw data

0 file pointer to relocation table

0 file pointer to line numbers

0 number of relocations

0 number of line numbers

40000040 flags

Initialized Data

Read Only

RAW DATA #4

80014000: 00 00 00 00 37 9D E5 66 00 00 00 00 78 40 00 00 ....7..f....x@..

80014010: 01 00 00 00 08 00 00 00 08 00 00 00 28 40 00 00 ............(@..

80014020: 48 40 00 00 68 40 00 00 B8 10 00 00 B8 10 00 00 H@..h@..........

80014030: D8 10 00 00 80 11 00 00 4E 31 00 00 94 11 00 00 ........N1......

80014040: 8A 11 00 00 B4 33 00 00 82 40 00 00 91 40 00 00 .....3...@...@..

80014050: A0 40 00 00 B6 40 00 00 CC 40 00 00 DC 40 00 00 .@...@...@...@..

80014060: E6 40 00 00 ED 40 00 00 00 00 01 00 02 00 03 00 .@...@..........

80014070: 04 00 05 00 06 00 07 00 4B 44 43 4F 4D 2E 64 6C ........KDCOM.dl

80014080: 6C 00 4B 64 44 30 54 72 61 6E 73 69 74 69 6F 6E l.KdD0Transition

80014090: 00 4B 64 44 33 54 72 61 6E 73 69 74 69 6F 6E 00 .KdD3Transition.

800140A0: 4B 64 44 65 62 75 67 67 65 72 49 6E 69 74 69 61 KdDebuggerInitia

800140B0: 6C 69 7A 65 30 00 4B 64 44 65 62 75 67 67 65 72 lize0.KdDebugger

800140C0: 49 6E 69 74 69 61 6C 69 7A 65 31 00 4B 64 52 65 Initialize1.KdRe

800140D0: 63 65 69 76 65 50 61 63 6B 65 74 00 4B 64 52 65 ceivePacket.KdRe

800140E0: 73 74 6F 72 65 00 4B 64 53 61 76 65 00 4B 64 53 store.KdSave.KdS

800140F0: 65 6E 64 50 61 63 6B 65 74 00 endPacket.

Section contains the following exports for KDCOM.dll

0 characteristics

66E59D37 time date stamp Sat Sep 14 22:27:03 2024

0.00 version

1 ordinal base

8 number of functions

8 number of names

ordinal hint RVA name

1 0 000010B8 KdD0Transition

2 1 000010B8 KdD3Transition

3 2 000010D8 KdDebuggerInitialize0

4 3 00001180 KdDebuggerInitialize1

5 4 0000314E KdReceivePacket

6 5 00001194 KdRestore

7 6 0000118A KdSave

8 7 000033B4 KdSendPacket
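Added example (not part of the original post): a small Python parser that walks the IMAGE_EXPORT_DIRECTORY inside the .edata bytes listed above and reproduces dumpbin's export table. The bytes are embedded verbatim from RAW DATA #4, and the section RVA 0x4000 is taken from the section header; everything else (function names, the RVA check) is this example's own.

```python
import struct

# Constructed from the dumpbin RAW DATA #4 listing above: the 0xFA bytes of
# kdcom.dll's .edata section, which the section header places at RVA 0x4000.
EDATA_RVA = 0x4000
EDATA = bytes.fromhex(
    "00 00 00 00 37 9D E5 66 00 00 00 00 78 40 00 00"
    "01 00 00 00 08 00 00 00 08 00 00 00 28 40 00 00"
    "48 40 00 00 68 40 00 00 B8 10 00 00 B8 10 00 00"
    "D8 10 00 00 80 11 00 00 4E 31 00 00 94 11 00 00"
    "8A 11 00 00 B4 33 00 00 82 40 00 00 91 40 00 00"
    "A0 40 00 00 B6 40 00 00 CC 40 00 00 DC 40 00 00"
    "E6 40 00 00 ED 40 00 00 00 00 01 00 02 00 03 00"
    "04 00 05 00 06 00 07 00 4B 44 43 4F 4D 2E 64 6C"
    "6C 00 4B 64 44 30 54 72 61 6E 73 69 74 69 6F 6E"
    "00 4B 64 44 33 54 72 61 6E 73 69 74 69 6F 6E 00"
    "4B 64 44 65 62 75 67 67 65 72 49 6E 69 74 69 61"
    "6C 69 7A 65 30 00 4B 64 44 65 62 75 67 67 65 72"
    "49 6E 69 74 69 61 6C 69 7A 65 31 00 4B 64 52 65"
    "63 65 69 76 65 50 61 63 6B 65 74 00 4B 64 52 65"
    "73 74 6F 72 65 00 4B 64 53 61 76 65 00 4B 64 53"
    "65 6E 64 50 61 63 6B 65 74 00"
)
# IMAGE_EXPORT_DIRECTORY (40 bytes, little-endian): Characteristics, TimeDateStamp,
# MajorVersion, MinorVersion, Name, Base, NumberOfFunctions, NumberOfNames,
# AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals.
EXPORT_DIR = struct.Struct("<IIHH" + "I" * 7)

def rva_to_offset(rva):
    # Only .edata is embedded here, so every RVA we dereference must land inside it.
    off = rva - EDATA_RVA
    if not 0 <= off < len(EDATA):
        raise ValueError(f"RVA {rva:#x} lies outside the embedded .edata section")
    return off

def read_cstring(rva):
    off = rva_to_offset(rva)
    return EDATA[off:EDATA.index(b"\x00", off)].decode("ascii")

def parse_exports():
    """Return (dll name, timestamp, [(ordinal, hint, function RVA, name), ...])."""
    (_, stamp, _, _, name_rva, base, n_funcs, n_names, funcs_rva, names_rva,
     ords_rva) = EXPORT_DIR.unpack_from(EDATA, rva_to_offset(EDATA_RVA))
    funcs = struct.unpack_from(f"<{n_funcs}I", EDATA, rva_to_offset(funcs_rva))
    names = struct.unpack_from(f"<{n_names}I", EDATA, rva_to_offset(names_rva))
    ords = struct.unpack_from(f"<{n_names}H", EDATA, rva_to_offset(ords_rva))
    exports = []
    for hint, (name_ptr, idx) in enumerate(zip(names, ords)):
        # The ordinal table stores an index into AddressOfFunctions; dumpbin's
        # "ordinal" column is that index plus the ordinal base (1 here).
        exports.append((base + idx, hint, funcs[idx], read_cstring(name_ptr)))
    return read_cstring(name_rva), stamp, exports
```

Printing the returned tuples as `ordinal hint RVA name` gives the same eight rows dumpbin shows above.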
