windows - How do I find the function name from a call through the Import Address Table?

Reposted. Author: 可可西里. Updated: 2023-11-01 10:36:05
I disassembled a function in advapi32.dll (specifically RegOpenKeyEx). I see two FF 15 calls through the IAT:

call dword [0x77dd13ec]

call dword [0x77dd15d4]

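Using dumpbin I dumped the DLL's imports, and it says the Import Address Table starts at 77DD124C. But 0x77dd13ec does not appear in the log. The relative address 1A0 does not appear anywhere in it either. Apparently the addresses shown there have nothing to do with the addresses in the IAT.

Is it possible to know which functions these call sites link to without writing and running a test program that actually calls the API? Is there any way to find out?

I believe the linker generated these CALL instructions, and it must know which function each one links to.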

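Best answer

It sounds like you're close.

Using dumpbin will give you the list of modules that the module imports, along with the functions imported from each of those modules. Next to each imported function is a hexadecimal number. It looks like you may have mistaken this number for an offset from the start of the IAT at which the function's address is stored. In fact, it is just a hint number for the Windows loader. When the Windows loader binds a function, it looks up the function name in the module's export table using a binary search. The number in the dumpbin output is just a hint about where to start looking, to reduce load time.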

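Now that we've cleared that up, how do we determine what 0x77dd13ec points to?

Well, it does look like it points into the IAT. The version of advapi32.dll I'm looking at here has an IAT of size 0x668, so an offset of 0x1A0 into the IAT seems reasonable. If you look at the value stored at 0x77dd13ec, it will be the address of the function that will be called.

Now that we know the function's address, how do we find out which function it is?

To do this manually, we look at which module occupies that space in memory. For example, the value at 0x77dd13ec is 0x7D6103E4. I can see from Process Explorer or Visual Studio (or whatever tool you prefer) that ntdll.dll is loaded at 0x7D600000 and has a size of 0xF0000, so it points into ntdll.dll. I can then subtract the module's base address to get the relative address (0x7D6103E4 - 0x7D600000 = 0x103E4). Then I can look at ntdll.dll's export table (I prefer depends.exe) and see that ntdll.dll exports a function called _allmul at 0x103E4 - voila!

An easier way is to attach to the process with a debugger (such as OllyDbg) and simply go to address 0x77dd13ec. It will do the above for you.

Sample output from pointing OllyDbg at the advapi32.dll IAT (the advapi32.dll IAT starts at 0x7D1E1000 on my system):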

7D1E1000 >7D6103E4  ntdll._allmul
7D1E1004 >7D632AB1 ntdll.wcsncmp
7D1E1008 >7D62EA4C ntdll.RtlUnicodeStringToInteger
7D1E100C >7D6220DC ntdll.RtlAllocateHandle
7D1E1010 >7D622131 ntdll.RtlIsValidIndexHandle
7D1E1014 >7D6220A3 ntdll.RtlFreeHandle
7D1E1018 >7D61D2CA ntdll.ZwCompareTokens
7D1E101C >7D623653 ntdll.RtlEnumerateGenericTableWithoutSplaying
7D1E1020 >7D639E88 ntdll.RtlIsGenericTableEmpty
7D1E1024 >7D6295D3 ntdll.RtlExpandEnvironmentStrings_U
7D1E1028 >7D639D8D ntdll.RtlDuplicateUnicodeString
7D1E102C >7D62F24B ntdll.wcsstr
7D1E1030 >7D629EB3 ntdll.RtlCreateUnicodeString
7D1E1034 >7D61CA29 ntdll.ZwQueryInformationProcess
7D1E1038 >7D61C9E1 ntdll.ZwQueryKey
7D1E103C >7D6370C3 ntdll.RtlStringFromGUID
7D1E1040 >7D61CA89 ntdll.ZwCreateKey
7D1E1044 >7D61D0D2 ntdll.ZwSetValueKey
7D1E1048 >7D63A062 ntdll.RtlDeleteElementGenericTable
7D1E104C >7D63C644 ntdll.RtlInsertElementGenericTable
7D1E1050 >7D62F2B5 ntdll.RtlInitializeHandleTable
7D1E1054 >7D62F1FE ntdll.RtlDestroyHandleTable
7D1E1058 >7D62E9A6 ntdll.RtlIntegerToUnicodeString
7D1E105C >7D622B16 ntdll.RtlAppendUnicodeToString
7D1E1060 >7D623046 ntdll.RtlFormatCurrentUserKeyPath
7D1E1064 >7D61D582 ntdll.ZwDeleteKey
7D1E1068 >7D61CC81 ntdll.ZwEnumerateKey
7D1E106C >7D6217C3 ntdll._wcsicmp
7D1E1070 >7D63A633 ntdll.RtlInitializeGenericTable
7D1E1074 >7D62F228 ntdll.RtlNumberGenericTableElements
7D1E1078 >7D639EB6 ntdll.RtlLookupElementGenericTable
7D1E107C >7D67407B ntdll.RtlQueryRegistryValues
7D1E1080 >7D63C67E ntdll.RtlGUIDFromString
7D1E1084 >7D61F825 ntdll.RtlUpcaseUnicodeChar
7D1E1088 >7D61CEAA ntdll.ZwQueryVolumeInformationFile
7D1E108C >7D622201 ntdll.RtlPrefixUnicodeString
7D1E1090 >7D61DCD2 ntdll.ZwQuerySymbolicLinkObject
7D1E1094 >7D61DA1A ntdll.ZwOpenSymbolicLinkObject
7D1E1098 >7D624493 ntdll.RtlDetermineDosPathNameType_U
7D1E109C >7D61C969 ntdll.ZwQueryInformationFile
7D1E10A0 >7D62488B ntdll.RtlGetFullPathName_U
7D1E10A4 >7D638D8D ntdll.RtlMakeSelfRelativeSD
7D1E10A8 >7D640A0B ntdll.mbstowcs
7D1E10AC >7D68E909 ntdll.EtwControlTraceW
7D1E10B0 >7D63EC19 ntdll.wcscmp
7D1E10B4 >7D610557 ntdll._aulldiv
7D1E10B8 >7D61025B ntdll._alldiv
7D1E10BC >7D61C921 ntdll.ZwSetEvent
7D1E10C0 >7D61CE92 ntdll.ZwCreateEvent
7D1E10C4 >7D6899B1 ntdll._vsnprintf
7D1E10C8 >7D6382AF ntdll.RtlDestroyHeap
7D1E10CC >7D62E099 ntdll.RtlCreateHeap
7D1E10D0 >7D61CA11 ntdll.ZwAllocateVirtualMemory
7D1E10D4 >7D678DA8 ntdll.RtlFlushSecureMemoryCache
7D1E10D8 >7D61CAA1 ntdll.ZwFreeVirtualMemory
7D1E10DC >7D68C846 ntdll.EtwControlTraceA
7D1E10E0 >7D68F0C1 ntdll.EtwNotificationRegistrationW
7D1E10E4 >7D61CC69 ntdll.ZwQueryPerformanceCounter
7D1E10E8 >7D61D05A ntdll.ZwWaitForMultipleObjects
7D1E10EC >7D68F25A ntdll.EtwpGetTraceBuffer
7D1E10F0 >7D61D0BA ntdll.ZwPowerInformation
7D1E10F4 >7D62E986 ntdll.EtwpSetHWConfigFunction
7D1E10F8 >7D620C55 ntdll.RtlInitAnsiStringEx
7D1E10FC >7D624DF3 ntdll.RtlUnicodeToMultiByteN
7D1E1100 >7D61D92A ntdll.ZwNotifyChangeKey
7D1E1104 >7D61D072 ntdll.ZwSetInformationObject
7D1E1108 >7D61CD71 ntdll.ZwDuplicateObject
7D1E110C >7D689576 ntdll._itow
7D1E1110 >7D61E032 ntdll.ZwSetInformationKey
7D1E1114 >7D61D5B2 ntdll.ZwDeleteValueKey
7D1E1118 >7D61C999 ntdll.ZwEnumerateValueKey
7D1E111C >7D610BF7 ntdll.memcpy
7D1E1120 >7D61127D ntdll.memset
7D1E1124 >7D63EC51 ntdll.RtlTimeToSecondsSince1970
7D1E1128 >7D62176A ntdll._stricmp
7D1E112C >7D62EE3E ntdll.RtlUnwind
7D1E1130 >7D61CB19 ntdll.ZwQueryVirtualMemory
7D1E1134 >7D627988 ntdll.RtlGetNtProductType
7D1E1138 >7D61D042 ntdll.ZwQuerySystemTime
7D1E113C >7D67BB16 ntdll.RtlRandom
7D1E1140 >7D623334 ntdll.RtlCompareUnicodeString
7D1E1144 >7D61F844 ntdll.RtlInitUnicodeStringEx
7D1E1148 >7D670B47 ntdll.RtlxUnicodeStringToOemSize
7D1E114C >7D6224B9 ntdll.RtlAppendUnicodeStringToString
7D1E1150 >7D61C831 ntdll.ZwWaitForSingleObject
7D1E1154 >7D611A29 ntdll.RtlCompareMemory
7D1E1158 >7D61C879 ntdll.ZwDeviceIoControlFile
7D1E115C >7D622ADD ntdll.wcsrchr
7D1E1160 >7D61C981 ntdll.ZwOpenKey
7D1E1164 >7D61C9F9 ntdll.ZwQueryValueKey
7D1E1168 >7D6225AD ntdll.RtlCopyLuid
7D1E116C >7D6218B0 ntdll.RtlImageNtHeader
7D1E1170 >7D637046 ntdll.swprintf
7D1E1174 >7D6895D1 ntdll._ultow
7D1E1178 >7D6A0098 OFFSET ntdll.NlsMbCodePageTag
7D1E117C >7D670B6C ntdll.RtlxOemStringToUnicodeSize
7D1E1180 >7D6209AC ntdll.RtlMultiByteToUnicodeN
7D1E1184 >7D61EF3A ntdll.strstr
7D1E1188 >7D61EFCF ntdll.strchr
7D1E118C >7D689922 ntdll.tolower
7D1E1190 >7D6288A8 ntdll._wcsnicmp
7D1E1194 >7D621A06 ntdll.wcsncpy
7D1E1198 >7D632433 ntdll.wcstoul
7D1E119C >7D63ED14 ntdll._wcstoui64
7D1E11A0 >7D62F5F9 ntdll.iswctype
7D1E11A4 >7D622D60 ntdll.RtlConvertSidToUnicodeString
7D1E11A8 >7D669ABF ntdll.DbgPrint
7D1E11AC >7D62E8E2 ntdll.RtlOpenCurrentUser
7D1E11B0 >7D61F96E ntdll.RtlFreeUnicodeString
7D1E11B4 >7D629251 ntdll.RtlCreateUnicodeStringFromAsciiz
7D1E11B8 >7D61CCE1 ntdll.ZwQuerySystemInformation
7D1E11BC >7D64098C ntdll.atol
7D1E11C0 >7D610418 ntdll._chkstk
7D1E11C4 >7D61CBF1 ntdll.ZwTerminateProcess
7D1E11C8 >7D66DBDF ntdll.RtlAdjustPrivilege
7D1E11CC >7D61CA71 ntdll.ZwSetInformationProcess
7D1E11D0 >7D621D5E ntdll.wcschr
7D1E11D4 >7D61169A ntdll.strncpy
7D1E11D8 >7D670C42 ntdll.RtlUpcaseUnicodeStringToOemString
7D1E11DC >7D61F18C ntdll.RtlEnterCriticalSection
7D1E11E0 >7D61F1D7 ntdll.RtlLeaveCriticalSection
7D1E11E4 >7D610045 ntdll.RtlInitString
7D1E11E8 >7D62A64E ntdll.RtlIsTextUnicode
7D1E11EC >7D66E883 ntdll.RtlSetSecurityDescriptorRMControl
7D1E11F0 >7D66E821 ntdll.RtlGetSecurityDescriptorRMControl
7D1E11F4 >7D66D905 ntdll.RtlSelfRelativeToAbsoluteSD2
7D1E11F8 >7D61D642 ntdll.ZwFilterToken
7D1E11FC >7D61D74A ntdll.ZwImpersonateAnonymousToken
7D1E1200 >7D610F3D ntdll.memmove
7D1E1204 >7D624F14 ntdll.RtlUnicodeStringToAnsiString
7D1E1208 >7D620CB7 ntdll.RtlUnicodeToMultiByteSize
7D1E120C >7D622FE1 ntdll.RtlCopyUnicodeString
7D1E1210 >7D61C909 ntdll.ZwSetInformationThread
7D1E1214 >7D66E018 ntdll.RtlImpersonateSelf
7D1E1218 >7D61CD29 ntdll.ZwFsControlFile
7D1E121C >7D61DCA2 ntdll.ZwQuerySecurityObject
7D1E1220 >7D639057 ntdll.RtlOemStringToUnicodeString
7D1E1224 >7D624938 ntdll.RtlDosPathNameToRelativeNtPathName_U
7D1E1228 >7D61CC99 ntdll.ZwOpenFile
7D1E122C >7D624473 ntdll.RtlReleaseRelativeName
7D1E1230 >7D61E0F2 ntdll.ZwSetSecurityObject
7D1E1234 >7D61C939 ntdll.ZwClose
7D1E1238 >7D66D984 ntdll.RtlSelfRelativeToAbsoluteSD
7D1E123C >7D638D66 ntdll.RtlAbsoluteToSelfRelativeSD
7D1E1240 >7D63DBA5 ntdll.RtlDeleteSecurityObject
7D1E1244 >7D660F20 ntdll.RtlQuerySecurityObject
7D1E1248 >7D660EF7 ntdll.RtlSetSecurityObjectEx
7D1E124C >7D660ECF ntdll.RtlSetSecurityObject
7D1E1250 >7D660E95 ntdll.RtlNewSecurityObjectWithMultipleInheritance
7D1E1254 >7D63D435 ntdll.RtlNewSecurityObjectEx
7D1E1258 >7D661730 ntdll.RtlConvertToAutoInheritSecurityObject
7D1E125C >7D660EA5 ntdll.RtlNewSecurityObject
7D1E1260 >7D6333BA ntdll.RtlGetGroupSecurityDescriptor
7D1E1264 >7D637A22 ntdll.RtlSetGroupSecurityDescriptor
7D1E1268 >7D6301B1 ntdll.RtlGetOwnerSecurityDescriptor
7D1E126C >7D6379D8 ntdll.RtlSetOwnerSecurityDescriptor
7D1E1270 >7D633385 ntdll.RtlGetSaclSecurityDescriptor
7D1E1274 >7D66DEBE ntdll.RtlSetSaclSecurityDescriptor
7D1E1278 >7D62B269 ntdll.RtlGetDaclSecurityDescriptor
7D1E127C >7D6375FF ntdll.RtlSetDaclSecurityDescriptor
7D1E1280 >7D66DE7F ntdll.RtlSetControlSecurityDescriptor
7D1E1284 >7D624CFD ntdll.RtlGetControlSecurityDescriptor
7D1E1288 >7D6332F1 ntdll.RtlLengthSecurityDescriptor
7D1E128C >7D633236 ntdll.RtlValidSecurityDescriptor
7D1E1290 >7D6375D1 ntdll.RtlCreateSecurityDescriptor
7D1E1294 >7D637515 ntdll.RtlFirstFreeAce
7D1E1298 >7D670405 ntdll.RtlAddAuditAccessObjectAce
7D1E129C >7D6703B7 ntdll.RtlAddAccessDeniedObjectAce
7D1E12A0 >7D67036A ntdll.RtlAddAccessAllowedObjectAce
7D1E12A4 >7D670332 ntdll.RtlAddAuditAccessAceEx
7D1E12A8 >7D6702FB ntdll.RtlAddAuditAccessAce
7D1E12AC >7D6702D7 ntdll.RtlAddAccessDeniedAceEx
7D1E12B0 >7D6702B4 ntdll.RtlAddAccessDeniedAce
7D1E12B4 >7D6390DF ntdll.RtlAddAccessAllowedAceEx
7D1E12B8 >7D637785 ntdll.RtlAddAccessAllowedAce
7D1E12BC >7D6301F3 ntdll.RtlGetAce
7D1E12C0 >7D64283B ntdll.RtlDeleteAce
7D1E12C4 >7D66FF8E ntdll.RtlAddAce
7D1E12C8 >7D66FE7A ntdll.RtlSetInformationAcl
7D1E12CC >7D66FF02 ntdll.RtlQueryInformationAcl
7D1E12D0 >7D637733 ntdll.RtlCreateAcl
7D1E12D4 >7D637550 ntdll.RtlValidAcl
7D1E12D8 >7D63D23D ntdll.RtlMapGenericMask
7D1E12DC >7D66DF40 ntdll.RtlAreAnyAccessesGranted
7D1E12E0 >7D66DF24 ntdll.RtlAreAllAccessesGranted
7D1E12E4 >7D628858 ntdll.RtlCopySid
7D1E12E8 >7D62888C ntdll.RtlLengthSid
7D1E12EC >7D62970C ntdll.RtlSubAuthorityCountSid
7D1E12F0 >7D621862 ntdll.RtlSubAuthoritySid
7D1E12F4 >7D66DC96 ntdll.RtlIdentifierAuthoritySid
7D1E12F8 >7D637A6C ntdll.RtlAllocateAndInitializeSid
7D1E12FC >7D6380CB ntdll.RtlFreeSid
7D1E1300 >7D621830 ntdll.RtlInitializeSid
7D1E1304 >7D6377A8 ntdll.RtlLengthRequiredSid
7D1E1308 >7D63D1ED ntdll.RtlEqualPrefixSid
7D1E130C >7D62187A ntdll.RtlEqualSid
7D1E1310 >7D622B95 ntdll.RtlValidSid
7D1E1314 >7D61DAAA ntdll.ZwPrivilegedServiceAuditAlarm
7D1E1318 >7D61D59A ntdll.ZwDeleteObjectAuditAlarm
7D1E131C >7D61CD59 ntdll.ZwCloseObjectAuditAlarm
7D1E1320 >7D61DA92 ntdll.ZwPrivilegeObjectAuditAlarm
7D1E1324 >7D61D9D2 ntdll.ZwOpenObjectAuditAlarm
7D1E1328 >7D61D192 ntdll.ZwAccessCheckByTypeResultListAndAuditAlarmByHandle
7D1E132C >7D61D17A ntdll.ZwAccessCheckByTypeResultListAndAuditAlarm
7D1E1330 >7D61D02A ntdll.ZwAccessCheckByTypeAndAuditAlarm
7D1E1334 >7D61CBA9 ntdll.ZwAccessCheckAndAuditAlarm
7D1E1338 >7D61DA7A ntdll.ZwPrivilegeCheck
7D1E133C >7D61D1DA ntdll.ZwAdjustGroupsToken
7D1E1340 >7D61CDE9 ntdll.ZwAdjustPrivilegesToken
7D1E1344 >7D61E04A ntdll.ZwSetInformationToken
7D1E1348 >7D61CAE9 ntdll.ZwQueryInformationToken
7D1E134C >7D61CB31 ntdll.ZwOpenThreadToken
7D1E1350 >7D61D9EA ntdll.ZwOpenProcessToken
7D1E1354 >7D61D162 ntdll.ZwAccessCheckByTypeResultList
7D1E1358 >7D61D14A ntdll.ZwAccessCheckByType
7D1E135C >7D61D132 ntdll.ZwAccessCheck
7D1E1360 >7D61D222 ntdll.ZwAllocateLocallyUniqueId
7D1E1364 >7D61CE01 ntdll.ZwDuplicateToken
7D1E1368 >7D6331AD ntdll._vsnwprintf
7D1E136C >7D61007D ntdll.RtlInitAnsiString
7D1E1370 >7D620B10 ntdll.RtlAnsiStringToUnicodeString
7D1E1374 >7D61F96E ntdll.RtlFreeUnicodeString
7D1E1378 >7D6100B5 ntdll.RtlInitUnicodeString
7D1E137C >7D624821 ntdll.RtlDosPathNameToNtPathName_U
7D1E1380 >7D61F4CB ntdll.RtlFreeHeap
7D1E1384 >7D61F7E6 ntdll.wcslen
7D1E1388 >7D61F686 ntdll.RtlAllocateHeap
7D1E138C >7D622AB9 ntdll.wcscpy
7D1E1390 >7D628909 ntdll.wcscat
7D1E1394 >7D6202F5 ntdll.RtlNtStatusToDosError
7D1E1398 >7D621199 ntdll.RtlDeleteCriticalSection
7D1E139C >7D68A275 ntdll.wcstombs
7D1E13A0 >7D621CAF ntdll.RtlInitializeCriticalSection
7D1E13A4 >7D621CC8 ntdll.RtlEqualUnicodeString
7D1E13A8 >7D620341 ntdll.RtlNtStatusToDosErrorNoTeb
7D1E13AC >7D61D672 ntdll.ZwFlushKey
7D1E13B0 >7D66E6D8 ntdll.RtlValidRelativeSecurityDescriptor
7D1E13B4 >7D61D7F2 ntdll.ZwLoadKey
7D1E13B8 >7D61E2EA ntdll.ZwUnloadKey
7D1E13BC >7D61DDC2 ntdll.ZwReplaceKey
7D1E13C0 >7D61D942 ntdll.ZwNotifyChangeMultipleKeys
7D1E13C4 >7D61DC12 ntdll.ZwQueryMultipleValueKey
7D1E13C8 >7D61DE6A ntdll.ZwRestoreKey
7D1E13CC >7D61DE9A ntdll.ZwSaveKey
7D1E13D0 >7D61DECA ntdll.ZwSaveMergedKeys
7D1E13D4 >7D61CFCA ntdll.ZwCreateFile
7D1E13D8 >7D61DEB2 ntdll.ZwSaveKeyEx
7D1E13DC >7D68D071 ntdll.EtwTraceEvent
7D1E13E0 >7D68E3B1 ntdll.EtwStartTraceW
7D1E13E4 >7D68F015 ntdll.EtwQueryTraceW
7D1E13E8 >7D627827 ntdll.RtlGetVersion
7D1E13EC >7D61CB49 ntdll.ZwQueryInformationThread
7D1E13F0 >7D61C861 ntdll.ZwReadFile
7D1E13F4 >7D61C891 ntdll.ZwWriteFile
7D1E13F8 >7D610418 ntdll._chkstk
7D1E13FC >7D62368B ntdll.RtlReAllocateHeap
7D1E1400 00000000
7D1E1404 >7D52A507 kernel32.OutputDebugStringW
7D1E1408 >7D4D9099 kernel32.LocalFree
7D1E140C >7D4D90FD kernel32.LocalAlloc
7D1E1410 >7D4E1F1C kernel32.LocalReAlloc
7D1E1414 >7D4D93AD kernel32.WideCharToMultiByte
7D1E1418 >7D4D8F75 kernel32.lstrlenW
7D1E141C >7D4D920B kernel32.MultiByteToWideChar
7D1E1420 >7D4E0DF9 kernel32.lstrlenA
7D1E1424 >7D4E3B5F kernel32.AreFileApisANSI
7D1E1428 >7D4D9179 kernel32.IsBadWritePtr
7D1E142C >7D4D8E1B kernel32.CloseHandle
7D1E1430 >7D61F4BC ntdll.RtlGetLastWin32Error
7D1E1434 >7D4DAC0B kernel32.GetProcAddress
7D1E1438 >7D4D0DC0 kernel32.LoadLibraryA
7D1E143C >7D4E456B kernel32.GetComputerNameW
7D1E1440 >7D4E2669 kernel32.OpenProcess
7D1E1444 >7D4E22E6 kernel32.ResumeThread
7D1E1448 >7D4D0845 kernel32.ReadFile
7D1E144C >7D4DA92D kernel32.WriteFile
7D1E1450 >7D4D8FB9 kernel32.GetCurrentProcessId
7D1E1454 >7D530BCD kernel32.WaitNamedPipeW
7D1E1458 >7D4D99C0 kernel32.CreateFileW
7D1E145C >7D4E257D kernel32.lstrcpynW
7D1E1460 >7D50629E kernel32.CopyFileW
7D1E1464 >7D4DE779 kernel32.FindFirstFileExW
7D1E1468 >7D4DC7A4 kernel32.FindNextFileW
7D1E146C >7D4DA41F kernel32.SetErrorMode
7D1E1470 >7D4D0B09 kernel32.LoadLibraryExW
7D1E1474 >7D4E24D7 kernel32.lstrcpyW
7D1E1478 >7D4E26C7 kernel32.GetFileTime
7D1E147C >7D4D0F40 kernel32.GetSystemTime
7D1E1480 >7D4DF884 kernel32.GetModuleFileNameW
7D1E1484 >7D504CEC kernel32.GetPrivateProfileIntW
7D1E1488 >7D4E28E9 kernel32.GetSystemWindowsDirectoryW
7D1E148C >7D4DDCD3 kernel32.GetUserDefaultUILanguage
7D1E1490 >7D4E2288 kernel32.RaiseException
7D1E1494 >7D4D1314 kernel32.ReadProcessMemory
7D1E1498 >7D4F501C kernel32.GetProfileIntA
7D1E149C >7D501563 kernel32.GetProfileStringA
7D1E14A0 >7D4F7CF0 kernel32.GetComputerNameA
7D1E14A4 >7D4DC623 kernel32.CreateMutexW
7D1E14A8 >7D4F8CCE kernel32.GetComputerNameExW
7D1E14AC >7D4DF56F kernel32.CreateThread
7D1E14B0 >7D504E16 kernel32.SetNamedPipeHandleState
7D1E14B4 >7D4E7B6E kernel32.IsWow64Process
7D1E14B8 >7D4E3C55 kernel32.OpenEventW
7D1E14BC >7D4EA383 kernel32.GetModuleHandleExW
7D1E14C0 >7D4E2A39 kernel32.GetSystemDirectoryW
7D1E14C4 >7D53182C kernel32.GetLogicalDriveStringsW
7D1E14C8 >7D4D961D kernel32.GetDriveTypeW
7D1E14CC >7D4F794C kernel32.GetDiskFreeSpaceW
7D1E14D0 >7D4F7A90 kernel32.GetDiskFreeSpaceExW
7D1E14D4 >7D4E099E kernel32.GetVolumeInformationW
7D1E14D8 >7D4EA660 kernel32.GlobalMemoryStatusEx
7D1E14DC >7D4E07D2 kernel32.GetSystemInfo
7D1E14E0 >7D54720F kernel32.EnumUILanguagesW
7D1E14E4 >7D4E2942 kernel32.GetWindowsDirectoryW
7D1E14E8 >7D4DEBA3 kernel32.FindFirstFileW
7D1E14EC >7D4DEA39 kernel32.FindClose
7D1E14F0 >7D4D91E9 kernel32.ResetEvent
7D1E14F4 >7D4D8EBE kernel32.SetEvent
7D1E14F8 >7D4D0A5C kernel32.CreateFileA
7D1E14FC >7D52CA61 kernel32.GetOverlappedResult
7D1E1500 >7D4F9D53 kernel32.GetVolumePathNameW
7D1E1504 >7D4E23C1 kernel32.FindResourceExW
7D1E1508 >7D4D1704 kernel32.ReleaseMutex
7D1E150C >7D4DA77B kernel32.CompareFileTime
7D1E1510 >7D4DCBAB kernel32.OpenMutexW
7D1E1514 >7D4D8BFB kernel32.WaitForSingleObject
7D1E1518 >7D4E408F kernel32.GetLongPathNameW
7D1E151C >7D4DA700 kernel32.GetFileSizeEx
7D1E1520 >7D4DA63A kernel32.CreateFileMappingW
7D1E1524 >7D4DFC37 kernel32.GetModuleHandleW
7D1E1528 >7D4E0974 kernel32.FormatMessageW
7D1E152C >7D4E1C74 kernel32.GetLocalTime
7D1E1530 >7D61F4A2 ntdll.RtlSetLastWin32Error
7D1E1534 >7D4DC8F9 kernel32.DeleteFileW
7D1E1538 >7D4E3768 kernel32.MoveFileW
7D1E153C >7D4E1471 kernel32.ExpandEnvironmentStringsW
7D1E1540 >7D4D14E0 kernel32.Sleep
7D1E1544 >7D4DA340 kernel32.lstrcmpW
7D1E1548 >7D4E7BAF kernel32.GetCommandLineW
7D1E154C >7D4E0EA8 kernel32.lstrcmpiW
7D1E1550 >7D621199 ntdll.RtlDeleteCriticalSection
7D1E1554 >7D4D067D kernel32.DeviceIoControl
7D1E1558 >7D4DFEC0 kernel32.GetVersionExA
7D1E155C >7D4D8834 kernel32.InterlockedExchange
7D1E1560 >7D4DA498 kernel32.CreateEventW
7D1E1564 >7D51249B kernel32.SetUnhandledExceptionFilter
7D1E1568 >7D535509 kernel32.UnhandledExceptionFilter
7D1E156C >7D4D1004 kernel32.TerminateProcess
7D1E1570 >7D4D0FBA kernel32.GetSystemTimeAsFileTime
7D1E1574 >7D4DC6E5 kernel32.QueryPerformanceCounter
7D1E1578 >7D4D8848 kernel32.InterlockedCompareExchange
7D1E157C >7D54D025 kernel32.DelayLoadFailureHook
7D1E1580 >7D4DD79D kernel32.GetCurrentProcess
7D1E1584 >7D53243F kernel32.GetPriorityClass
7D1E1588 >7D4D9586 kernel32.GetFileAttributesW
7D1E158C >7D4DA3DB kernel32.GetFullPathNameW
7D1E1590 >7D4D8D8B kernel32.GetCurrentThreadId
7D1E1594 >7D4D168E kernel32.GetTickCount
7D1E1598 >7D4D0E7C kernel32.SleepEx
7D1E159C >7D61F18C ntdll.RtlEnterCriticalSection
7D1E15A0 >7D4E2496 kernel32.LoadLibraryW
7D1E15A4 >7D61F1D7 ntdll.RtlLeaveCriticalSection
7D1E15A8 >7D4E2511 kernel32.FreeLibrary
7D1E15AC >7D4D8E09 kernel32.GetProcessHeap
7D1E15B0 >7D61F686 ntdll.RtlAllocateHeap
7D1E15B4 >7D61F4CB ntdll.RtlFreeHeap
7D1E15B8 >7D502818 kernel32.ExpandEnvironmentStringsA
7D1E15BC >7D4F62BD kernel32.OpenFile
7D1E15C0 >7D4DA73F kernel32.GetFileSize
7D1E15C4 >7D4E38B9 kernel32._lclose
7D1E15C8 >7D4E014E kernel32.SearchPathW
7D1E15CC >7D4E5F72 kernel32.GetFileAttributesExW
7D1E15D0 >7D4DA517 kernel32.CreateFileMappingA
7D1E15D4 >7D4DA5FE kernel32.MapViewOfFile
7D1E15D8 >7D4DA7BB kernel32.SetFilePointer
7D1E15DC >7D4DA5D2 kernel32.UnmapViewOfFile
7D1E15E0 >7D4E16E9 kernel32.FindResourceA
7D1E15E4 >7D4E0D9E kernel32.LoadResource
7D1E15E8 >7D4E1D19 kernel32.SizeofResource
7D1E15EC >7D4D8820 kernel32.InterlockedDecrement
7D1E15F0 >7D4D880C kernel32.InterlockedIncrement
7D1E15F4 >7D4DAC73 kernel32.GetModuleHandleA
7D1E15F8 >7D4EB4CA kernel32.CreateProcessInternalA
7D1E15FC >7D4D8DAC kernel32.GetCurrentThread
7D1E1600 >7D4ECE40 kernel32.CreateProcessInternalW
7D1E1604 00000000
7D1E1608 >7DA503A2 RPCRT4.UuidFromStringW
7D1E160C >7DA39929 RPCRT4.RpcStringFreeW
7D1E1610 >7DA79D70 RPCRT4.UuidToStringW
7D1E1614 >7DA44925 RPCRT4.RpcRaiseException
7D1E1618 >7DA722E5 RPCRT4.RpcBindingSetAuthInfoExA
7D1E161C >7DA35D48 RPCRT4.RpcBindingFree
7D1E1620 >7DA39EB4 RPCRT4.RpcBindingFromStringBindingW
7D1E1624 >7DA39CBD RPCRT4.RpcStringBindingComposeW
7D1E1628 >7DA43060 RPCRT4.RpcBindingSetAuthInfoExW
7D1E162C >7DAC0005 RPCRT4.NdrClientCall2
7D1E1630 >7DA7DE50 RPCRT4.RpcStringBindingParseW
7D1E1634 >7DA6F145 RPCRT4.I_RpcMapWin32Status
7D1E1638 >7DA6B28D RPCRT4.RpcBindingToStringBindingW
7D1E163C >7DA390D8 RPCRT4.NDRCContextBinding
7D1E1640 >7DA660AD RPCRT4.RpcRevertToSelf
7D1E1644 >7DA4CDF9 RPCRT4.RpcImpersonateClient
7D1E1648 >7DA660BA RPCRT4.I_RpcBindingIsClientLocal
7D1E164C >7DA44F23 RPCRT4.I_RpcExceptionFilter
7D1E1650 >7DA4285B RPCRT4.RpcSsDestroyClientContext
7D1E1654 >7DA66C54 RPCRT4.RpcBindingSetAuthInfoW
7D1E1658 >7DA726FB RPCRT4.RpcBindingSetAuthInfoA
7D1E165C >7DA66880 RPCRT4.RpcEpResolveBinding
7D1E1660 >7DA667AB RPCRT4.I_RpcSNCHOption
7D1E1664 00000000

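I know it's been a few months since you posted the question, but I hope this still helps you or others searching for this. This kind of information is hard to come by, I know!

Regarding "windows - How do I find the function name from a call through the Import Address Table?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/25730526/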
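The question asks whether the target of `call dword [slot]` can be named without running anything. As an added example (not part of the original question or answer), the Python below resolves an IAT slot address statically from a PE32 file on disk: the slot's index within a DLL's FirstThunk array selects the same index in its OriginalFirstThunk (import name table), which also holds the loader hint and covers imports by ordinal. `resolve_iat_slot` and `build_sample_image` are hypothetical names, and the sample image, its base address and its hint values are constructed.

```python
import struct

def resolve_iat_slot(image, slot_va):
    """Name the import behind `call dword [slot_va]` from PE32 file bytes alone."""
    u16 = lambda o: struct.unpack_from("<H", image, o)[0]
    u32 = lambda o: struct.unpack_from("<I", image, o)[0]
    pe = u32(0x3C)
    opt = pe + 24
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0" or u16(opt) != 0x10B:
        raise ValueError("not a PE32 image")
    secs = [struct.unpack_from("<8x4I", image, opt + u16(pe + 20) + 40 * i)
            for i in range(u16(pe + 6))]
    def off(rva):                        # RVA -> file offset via the section table
        for vsize, va, rsize, rptr in secs:
            if va <= rva < va + max(vsize, rsize):
                return rptr + rva - va
        raise ValueError("RVA %#x is outside every section" % rva)
    def cstr(rva):
        o = off(rva)
        return image[o:image.index(b"\0", o)].decode("ascii")
    slot_rva, desc = slot_va - u32(opt + 28), off(u32(opt + 104))
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", image, desc)
        if not (oft or name_rva or ft):
            return None                  # all-zero descriptor ends the table
        lookup, n = off(oft or ft), 0    # OriginalFirstThunk may be 0 (old linkers)
        while u32(lookup + 4 * n):       # count entries up to the null thunk
            n += 1
        idx, rem = divmod(slot_rva - ft, 4)
        if rem == 0 and 0 <= idx < n:
            thunk = u32(lookup + 4 * idx)
            if thunk & 0x80000000:       # imported by ordinal: no name, no hint
                return cstr(name_rva), "#%d" % (thunk & 0xFFFF), None
            return cstr(name_rva), cstr(thunk + 2), u16(off(thunk))
        desc += 20

def build_sample_image():
    """Constructed PE32 file: ImageBase 0x10000000, one section at RVA 0x1000."""
    ibn = lambda hint, name: struct.pack("<H", hint) + name + b"\0"
    nt = struct.pack("<3I", 0x1080, 0x1090, 0)           # two names, null end
    k32 = struct.pack("<3I", 0x10B0, 0x80000010, 0)      # one name, ordinal 16
    parts = {
        0x1000: struct.pack("<5I", 0x1040, 0, 0, 0x10E0, 0x1060),  # ntdll.dll
        0x1014: struct.pack("<5I", 0x1050, 0, 0, 0x10F0, 0x1070),  # kernel32.dll
        0x1040: nt, 0x1050: k32,                         # import name tables
        0x1060: nt, 0x1070: k32,                         # IATs (unbound on disk)
        0x1080: ibn(0x2A, b"ZwClose"), 0x1090: ibn(0x11F, b"ZwQueryInformationThread"),
        0x10B0: ibn(0x1D3, b"MapViewOfFile"),            # hint values are constructed
        0x10E0: b"ntdll.dll\0", 0x10F0: b"kernel32.dll\0"}
    img = bytearray(0x400)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew
    struct.pack_into("<HH12xHHH", img, 0x44, 0x14C, 1, 0xE0, 0x2102, 0x10B)
    struct.pack_into("<I", img, 0x74, 0x10000000)                 # ImageBase
    struct.pack_into("<I", img, 0xC0, 0x1000)                     # import dir RVA
    struct.pack_into("<8s4I", img, 0x138, b".idata", 0x200, 0x1000, 0x200, 0x200)
    for rva, data in parts.items():                               # RVA 0x1000 -> 0x200
        img[rva - 0xE00:rva - 0xE00 + len(data)] = data
    return bytes(img)
```

For a real DLL, pass the file's bytes and the call operand; the operand must be expressed against the ImageBase stored in the file header, so adjust it first if the disassembly came from a module loaded at a different base.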
