调用自实现MyGetProcAddress获得CreateFileA函数并调用创建写入文件

写文件如下

#include <iostream>
#include <Windows.h>typedef HANDLE(WINAPI* CreateFileAFunc)(LPCSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE);DWORD MyGetProcAddress(_In_ HMODULE hModule,_In_ LPCSTR lpProcName
){PIMAGE_DOS_HEADER pIMAGE_DOS_HEADER = (PIMAGE_DOS_HEADER)hModule;PIMAGE_NT_HEADERS pIMAGE_NT_HEADERS = (PIMAGE_NT_HEADERS)(pIMAGE_DOS_HEADER->e_lfanew + (DWORD)hModule);   //NT头PIMAGE_EXPORT_DIRECTORY pIMAGE_EXPORT_DIRECTORYRVA = (PIMAGE_EXPORT_DIRECTORY)(pIMAGE_NT_HEADERS->OptionalHeader.DataDirectory[0].VirtualAddress);  //导出表项，获得RVA  RVA并不是真正的导出表项需要转VA，转VA需要加上image_base(也就是加载地址）PIMAGE_EXPORT_DIRECTORY pIMAGE_EXPORT_DIRECTORY = (PIMAGE_EXPORT_DIRECTORY)((DWORD)pIMAGE_EXPORT_DIRECTORYRVA + (DWORD)hModule);  //这个才是真正的VA，真正的导出表项，因为RVA在内存中是没有的DWORD ModuleName = pIMAGE_EXPORT_DIRECTORY->Name + (DWORD)hModule;//可以看到底下地址都需要写成指针形式DWORD* pAddressOfFunction = (DWORD*)(pIMAGE_EXPORT_DIRECTORY->AddressOfFunctions + (DWORD)hModule);//printf("%s", ModuleName);DWORD* NameAddress = (DWORD*)(pIMAGE_EXPORT_DIRECTORY->AddressOfNames + (DWORD)hModule);WORD* pAddressOfNameOrdinals = (WORD*)(pIMAGE_EXPORT_DIRECTORY->AddressOfNameOrdinals + (DWORD)hModule);for (size_t i = 0; i < pIMAGE_EXPORT_DIRECTORY->NumberOfNames; i++){DWORD FunNameRVA = NameAddress[i];char* FunName = (char*)(FunNameRVA + (DWORD)hModule);if (strcmp(lpProcName, FunName) == 0){return (pAddressOfFunction[pAddressOfNameOrdinals[i]] + (DWORD)hModule);}printf("%s\n", FunName);}printf("%s\n", ModuleName);return NULL;
}
int main()
{std::cout << "Hello World!\n";// 加载 Kernel32.dllHMODULE hModule = LoadLibraryA("Kernel32.dll");if (hModule == NULL) {printf("Failed to load Kernel32.dll\n");return 1;}// 获取 CreateFileA 函数地址DWORD p1 = MyGetProcAddress(hModule, "CreateFileA");if (p1 == 0) {printf("Failed to get address of CreateFileA\n");return 1;}// 创建函数指针CreateFileAFunc pCreateFileA = (CreateFileAFunc)p1;DWORD dwBytesWritten;const char* lpFileName = "E:\\myfile.txt";const char* lpData = "Hello, World!";DWORD dwDataSize = strlen(lpData);// 调用 CreateFileA 函数HANDLE hFile = pCreateFileA(lpFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);if (hFile != INVALID_HANDLE_VALUE) {// 写入文件内容if (WriteFile(hFile, lpData, dwDataSize, &dwBytesWritten, NULL)) {printf("文件写入成功！\n");}else {printf("写入文件时发生错误！\n");}// 关闭文件句柄CloseHandle(hFile);}else{printf("创建文件时发生错误！\n");}return 0;
}

读文件如下

#include <iostream>
#include <Windows.h>typedef HANDLE(WINAPI* CreateFileAFunc)(LPCSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE);DWORD MyGetProcAddress(_In_ HMODULE hModule,_In_ LPCSTR lpProcName
){PIMAGE_DOS_HEADER pIMAGE_DOS_HEADER = (PIMAGE_DOS_HEADER)hModule;PIMAGE_NT_HEADERS pIMAGE_NT_HEADERS = (PIMAGE_NT_HEADERS)(pIMAGE_DOS_HEADER->e_lfanew + (DWORD)hModule);   //NT头PIMAGE_EXPORT_DIRECTORY pIMAGE_EXPORT_DIRECTORYRVA = (PIMAGE_EXPORT_DIRECTORY)(pIMAGE_NT_HEADERS->OptionalHeader.DataDirectory[0].VirtualAddress);  //导出表项，获得RVA  RVA并不是真正的导出表项需要转VA，转VA需要加上image_base(也就是加载地址）PIMAGE_EXPORT_DIRECTORY pIMAGE_EXPORT_DIRECTORY = (PIMAGE_EXPORT_DIRECTORY)((DWORD)pIMAGE_EXPORT_DIRECTORYRVA + (DWORD)hModule);  //这个才是真正的VA，真正的导出表项，因为RVA在内存中是没有的DWORD ModuleName = pIMAGE_EXPORT_DIRECTORY->Name + (DWORD)hModule;//可以看到底下地址都需要写成指针形式DWORD* pAddressOfFunction = (DWORD*)(pIMAGE_EXPORT_DIRECTORY->AddressOfFunctions + (DWORD)hModule);//printf("%s", ModuleName);DWORD* NameAddress = (DWORD*)(pIMAGE_EXPORT_DIRECTORY->AddressOfNames + (DWORD)hModule);WORD* pAddressOfNameOrdinals = (WORD*)(pIMAGE_EXPORT_DIRECTORY->AddressOfNameOrdinals + (DWORD)hModule);for (size_t i = 0; i < pIMAGE_EXPORT_DIRECTORY->NumberOfNames; i++){DWORD FunNameRVA = NameAddress[i];char* FunName = (char*)(FunNameRVA + (DWORD)hModule);if (strcmp(lpProcName, FunName) == 0){return (pAddressOfFunction[pAddressOfNameOrdinals[i]] + (DWORD)hModule);}printf("%s\n", FunName);}printf("%s\n", ModuleName);return NULL;
}
int main()
{std::cout << "Hello World!\n";// 加载 Kernel32.dllHMODULE hModule = LoadLibraryA("Kernel32.dll");if (hModule == NULL) {printf("Failed to load Kernel32.dll\n");return 1;}// 获取 CreateFileA 函数地址DWORD p1 = MyGetProcAddress(hModule, "CreateFileA");if (p1 == 0) {printf("Failed to get address of CreateFileA\n");return 1;}// 创建函数指针CreateFileAFunc pCreateFileA = (CreateFileAFunc)p1;DWORD dwBytesRead;const char* lpFileName = "E:\\myfile.txt";const int BUFFER_SIZE = 1024;char buffer[BUFFER_SIZE];// 调用 CreateFileA 函数HANDLE hFile = pCreateFileA(lpFileName, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);if (hFile != INVALID_HANDLE_VALUE) {// 读取文件内容if (ReadFile(hFile, buffer, BUFFER_SIZE - 1, &dwBytesRead, NULL)) {buffer[dwBytesRead] = '\0';  // 添加字符串结束符printf("文件内容：\n%s\n", buffer);}else {printf("写入文件时发生错误！\n");}// 关闭文件句柄CloseHandle(hFile);}else{printf("创建文件时发生错误！\n");}return 0;
}