驱动中dump PE　导入表的问题。

本人写了个模块dump　ＰＥ导入表。在驱动的DriverEntry中调用。
我将驱动本身的模块地址提供给DumpPEModule。

#define IMAGE_ORDINAL(Ordinal) (Ordinal & 0xffff)

BOOLEAN DumpPEModule(
void* hModule
)
{
BOOLEAN bResult = FALSE;

PIMAGE_IMPORT_DESCRIPTOR pImportDesc = 0;
ULONG ulSize;
PSTR pszModName=0;
PIMAGE_THUNK_DATA pThunk = 0;
PIMAGE_IMPORT_BY_NAME pByName=0;
BOOLEAN bNotImportByName=FALSE;

__try
{
// Get the address of the module\'s import section
pImportDesc =
(PIMAGE_IMPORT_DESCRIPTOR)RtlImageDirectoryEntryToDataEx(
hModule,
TRUE,
IMAGE_DIRECTORY_ENTRY_IMPORT,
&ulSize
);
// Does this module has import section ?
if (pImportDesc == NULL)
__leave;  

// Loop through all descriptors and
// find the import descriptor containing references to callee\'s functions
while (pImportDesc->Characteristics)
{
pszModName = (PSTR)((PBYTE) hModule + pImportDesc->Name);

DbgPrint(
\"DumpPEModule pszModName:%s OriginalFirstThunk:0x%x FirstThunk:0x%x\"
\" ForwarderChain:0x%x TimeDateStamp:0x%x\",
pszModName,
pImportDesc->OriginalFirstThunk,
pImportDesc->FirstThunk,
pImportDesc->ForwarderChain,
pImportDesc->TimeDateStamp
);

// Get caller\'s IAT
pThunk = (PIMAGE_THUNK_DATA)( (PBYTE) hModule +
pImportDesc->OriginalFirstThunk );

// Replace current function address with new one
while (pThunk->u1.Function)
{
// Get the address of the function address
PROC* ppfn = (PROC*) &pThunk->u1.Function;

bNotImportByName =((pThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) != 0);

if (bNotImportByName)
{
//import by ordinal
DbgPrint(\"\\t ppfn:0x%x *ppfn:0x%x Ordinal:0x%x\",
ppfn,
*ppfn,
IMAGE_ORDINAL(pThunk->u1.Ordinal)
);
}
else
{
//import by name

// Look get the name of this imported function.
pByName = (PIMAGE_IMPORT_BY_NAME)((DWORD)hModule+(DWORD)(pThunk->u1.AddressOfData));

DbgPrint(\"\\t ppfn:0x%x *ppfn:0x%x Hint:0x%x Name:%s\",
ppfn,
*ppfn,
pByName->Hint,
(char*)pByName->Name
);
}

pThunk++;
} // while

pImportDesc++;
} // while
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
DbgPrint(\"DumpPEModule: exception encounter\");
}

// This function is not in the caller\'s import section
return bResult;
}


部分输出如下：
00000026 10:56:18 ---------------DumpSystemModules  begin
00000027 10:56:18 [0x80400000] \\WINNT\\System32\\ntoskrnl.exe
00000028 10:56:18 [0x80062000] \\WINNT\\System32\\hal.dll
00000029 10:56:18 [0xed410000] \\WINNT\\System32\\BOOTVID.DLL
00000030 10:56:18 [0xbffd8000] ACPI.sys
00000031 10:56:18 [0xed5c8000] \\WINNT\\System32\\DRIVERS\\WMILIB.SYS
00000032 10:56:18 [0xed000000] pci.sys
00000033 10:56:18 [0xed010000] isapnp.sys
00000034 10:56:18 [0xed5c9000] pciide.sys
00000035 10:56:18 [0xed280000] \\WINNT\\System32\\DRIVERS\\PCIIDEX.SYS
00000036 10:56:18 [0xed500000] intelide.sys
00000037 10:56:18 [0xed288000] MountMgr.sys
00000038 10:56:18 [0xbffbb000] ftdisk.sys
00000039 10:56:18 [0xed502000] Diskperf.sys
00000040 10:56:18 [0xed504000] dmload.sys
00000041 10:56:18 [0xbff99000] dmio.sys
00000042 10:56:18 [0xed414000] PartMgr.sys
00000043 10:56:18 [0xed418000] IdeBusDr.sys
00000044 10:56:18 [0xbff83000] atapi.sys
00000045 10:56:18 [0xbff6b000] IdeChnDr.sys
00000046 10:56:18 [0xed290000] disk.sys
00000047 10:56:18 [0xed020000] \\WINNT\\System32\\DRIVERS\\CLASSPNP.SYS
00000048 10:56:18 [0xed298000] PxHelp20.sys
00000049 10:56:18 [0xed030000] CnsMinKP.sys
00000050 10:56:18 [0xbff48000] Fastfat.sys
00000051 10:56:18 [0xbff36000] KSecDD.sys
00000052 10:56:18 [0xbff0c000] NDIS.sys
00000053 10:56:18 [0xbfef6000] Mup.sys
00000054 10:56:18 [0xed2a0000] agp440.sys
00000055 10:56:18 [0xed060000] \\SystemRoot\\system32\\DRIVERS\\VIDEOPRT.SYS
00000056 10:56:18 [0xbfd07000] \\SystemRoot\\system32\\DRIVERS\\nv4_mini.sys
00000057 10:56:18 [0xed3b8000] \\SystemRoot\\System32\\DRIVERS\\USBD.SYS
00000058 10:56:18 [0xed3a0000] \\SystemRoot\\System32\\DRIVERS\\uhcd.sys
00000059 10:56:18 [0xbfce5000] \\SystemRoot\\System32\\DRIVERS\\USBPORT.SYS
00000060 10:56:18 [0xed3c8000] \\SystemRoot\\System32\\DRIVERS\\usbehci.sys
00000061 10:56:18 [0xed3f8000] \\SystemRoot\\System32\\DRIVERS\\RTL8139.SYS
00000062 10:56:18 [0xed070000] \\SystemRoot\\System32\\DRIVERS\\i8042prt.sys
00000063 10:56:18 [0xed2a8000] \\SystemRoot\\System32\\DRIVERS\\mouclass.sys
00000064 10:56:18 [0xed2b8000] \\SystemRoot\\System32\\DRIVERS\\kbdclass.sys
00000065 10:56:18 [0xbfc3a000] \\SystemRoot\\system32\\drivers\\KS.SYS
00000066 10:56:18 [0xbfc5a000] \\SystemRoot\\system32\\drivers\\portcls.sys
00000067 10:56:18 [0xbfc7f000] \\SystemRoot\\system32\\drivers\\cmuda.sys
00000068 10:56:18 [0xed400000] \\SystemRoot\\System32\\DRIVERS\\fdc.sys
00000069 10:56:18 [0xed080000] \\SystemRoot\\System32\\DRIVERS\\serial.sys
00000070 10:56:18 [0xed484000] \\SystemRoot\\System32\\DRIVERS\\serenum.sys
00000071 10:56:18 [0xed2c8000] \\SystemRoot\\System32\\DRIVERS\\parport.sys
00000072 10:56:18 [0xed48c000] \\SystemRoot\\System32\\DRIVERS\\gameenum.sys
00000073 10:56:18 [0xed494000] \\SystemRoot\\System32\\DRIVERS\\fsvga.sys
00000074 10:56:18 [0xed5eb000] \\SystemRoot\\System32\\DRIVERS\\audstub.sys
00000075 10:56:18 [0xed090000] \\SystemRoot\\System32\\DRIVERS\\rasl2tp.sys
00000076 10:56:18 [0xed49c000] \\SystemRoot\\System32\\DRIVERS\\ndistapi.sys
00000077 10:56:18 [0xbfc23000] \\SystemRoot\\System32\\DRIVERS\\ndiswan.sys
00000078 10:56:18 [0xed4ac000] \\SystemRoot\\System32\\DRIVERS\\TDI.SYS
00000079 10:56:18 [0xed0a0000] \\SystemRoot\\System32\\DRIVERS\\raspptp.sys
00000080 10:56:18 [0xed308000] \\SystemRoot\\System32\\DRIVERS\\ptilink.sys
00000081 10:56:18 [0xed318000] \\SystemRoot\\System32\\DRIVERS\\raspti.sys
00000082 10:56:18 [0xed0b0000] \\SystemRoot\\System32\\DRIVERS\\parallel.sys
00000083 10:56:18 [0xed5f5000] \\SystemRoot\\System32\\DRIVERS\\swenum.sys
00000084 10:56:18 [0xbfbd0000] \\SystemRoot\\System32\\DRIVERS\\update.sys
00000085 10:56:18 [0xed0c0000] \\SystemRoot\\System32\\DRIVERS\\usbhub.sys
00000086 10:56:18 [0xed0d0000] \\SystemRoot\\System32\\DRIVERS\\usbhub20.sys
00000087 10:56:18 [0xed1b0000] \\SystemRoot\\System32\\Drivers\\NDProxy.SYS
00000088 10:56:18 [0xed1d0000] \\SystemRoot\\System32\\Drivers\\Cdr4_2K.SYS
00000089 10:56:18 [0xed3d0000] \\SystemRoot\\System32\\Drivers\\Cdralw2k.SYS
00000090 10:56:18 [0xed51a000] \\SystemRoot\\System32\\Drivers\\Fs_Rec.SYS
00000091 10:56:18 [0xed603000] \\SystemRoot\\System32\\Drivers\\Null.SYS
00000092 10:56:18 [0xed605000] \\SystemRoot\\System32\\Drivers\\Beep.SYS
00000093 10:56:18 [0xed4d0000] \\SystemRoot\\System32\\drivers\\vga.sys
00000094 10:56:18 [0xed608000] \\SystemRoot\\System32\\Drivers\\mnmdd.SYS
00000095 10:56:18 [0xed3e0000] \\SystemRoot\\System32\\Drivers\\Msfs.SYS
00000096 10:56:18 [0xed1e0000] \\SystemRoot\\System32\\Drivers\\Npfs.SYS
00000097 10:56:18 [0xed522000] \\SystemRoot\\System32\\DRIVERS\\rasacd.sys
00000098 10:56:18 [0xbeb5e000] \\SystemRoot\\System32\\DRIVERS\\tcpip.sys
00000099 10:56:18 [0xed1f0000] \\SystemRoot\\System32\\DRIVERS\\msgpc.sys
00000100 10:56:18 [0xed328000] \\SystemRoot\\System32\\DRIVERS\\wanarp.sys
00000101 10:56:18 [0xbeb36000] \\SystemRoot\\System32\\DRIVERS\\netbt.sys
00000102 10:56:18 [0xed200000] \\SystemRoot\\System32\\DRIVERS\\netbios.sys
00000103 10:56:18 [0xbea43000] \\SystemRoot\\System32\\DRIVERS\\rdbss.sys
00000104 10:56:18 [0xbe9ca000] \\SystemRoot\\System32\\DRIVERS\\mrxsmb.sys
00000105 10:56:18 [0xbe947000] \\SystemRoot\\System32\\Drivers\\Ntfs.SYS
00000106 10:56:18 [0xed2e0000] \\SystemRoot\\System32\\Drivers\\EFS.SYS
00000107 10:56:18 [0xbe92f000] \\SystemRoot\\System32\\Drivers\\dump_IdeChnDr.sys
00000108 10:56:18 [0xa0000000] \\??\\C:\\WINNT\\system32\\win32k.sys
00000109 10:56:18 [0xbd3f7000] \\SystemRoot\\System32\\nv4_disp.dll
00000110 10:56:18 [0xbd1c1000] \\SystemRoot\\System32\\drivers\\afd.sys
00000111 10:56:18 [0xed560000] \\SystemRoot\\System32\\Drivers\\ParVdm.SYS
00000112 10:56:18 [0xbd2bf000] \\SystemRoot\\System32\\Drivers\\Fips.SYS
00000113 10:56:18 [0xbd160000] \\??\\C:\\Program Files\\Symantec_Client_Security\\Symantec AntiVirus\\NAVAPEL.SYS
00000114 10:56:18 [0xbd05c000] \\SystemRoot\\System32\\DRIVERS\\srv.sys
00000115 10:56:18 [0xbcf5a000] \\SystemRoot\\system32\\drivers\\wdmaud.sys
00000116 10:56:18 [0xbd25f000] \\SystemRoot\\system32\\drivers\\sysaudio.sys
00000117 10:56:18 [0xbcee2000] \\SystemRoot\\System32\\DRIVERS\\ipsec.sys
00000118 10:56:18 [0xbce0c000] \\??\\C:\\Program Files\\Symantec\\SYMEVENT.SYS
00000119 10:56:18 [0xbcdcf000] \\??\\C:\\Program Files\\Symantec_Client_Security\\Symantec AntiVirus\\NAVAP.sys
00000120 10:56:18 [0xbcd36000] \\??\\C:\\PROGRA~1\\COMMON~1\\SYMANT~1\\VIRUSD~1\\20050302.008\\NAVEX15.sys
00000121 10:56:18 [0xbcd25000] \\??\\C:\\PROGRA~1\\COMMON~1\\SYMANT~1\\VIRUSD~1\\20050302.008\\NAVENG.sys
00000122 10:56:18 [0xbc4a2000] \\SystemRoot\\system32\\drivers\\kmixer.sys
00000123 10:56:18 [0xed50e000] \\??\\C:\\WINNT\\system32\\Drivers\\Dbgv.sys
00000124 10:56:18 [0xbc3d2000] \\??\\C:\\NVIDIA\\pcm\\PCMKernel.sys
00000125 10:56:18 [0x77f80000] \\WINNT\\System32\\ntdll.dll
00000126 10:56:18 ---------------DumpSystemModules  end
00000127 10:56:18 hModNTOSKRNL:0x80400000 hModNTDLL:0x77f80000 hModCurrent:0xbc3d2000 PsGetCurrentProcess:0x8189d8a0 PsGetCurrentProcessId:8
00000128 10:56:18 KiUserExceptionDispatcher--KMGetExportedProcAddress:0x77f9ff60
00000129 10:56:18 GetImportedFunctionOffset pszModName:ntoskrnl.exe OriginalFirstThunk:0xab90 FirstThunk:0x702c ForwarderChain:0x0 TimeDateStamp:0x0
00000130 10:56:18 ZwQueryInformationProcess--KMGetImportedProcAddress:0x0
00000131 10:56:18 DumpCurrentProcess
00000132 10:56:18 DumpPEModule pszModName:ntoskrnl.exe OriginalFirstThunk:0xab90 FirstThunk:0x702c ForwarderChain:0x0 TimeDateStamp:0x0
00000133 10:56:18  ppfn:0xbc3dcb90 *ppfn:0xbc3dcce6 Ordinal:0xcce6
00000134 10:56:18  ppfn:0xbc3dcb94 *ppfn:0xbc3dcd0c Ordinal:0xcd0c
00000135 10:56:18  ppfn:0xbc3dcb98 *ppfn:0xbc3dcd24 Ordinal:0xcd24
00000136 10:56:18  ppfn:0xbc3dcb9c *ppfn:0xbc3dcd3c Ordinal:0xcd3c
00000137 10:56:18  ppfn:0xbc3dcba0 *ppfn:0xbc3dcd5c Ordinal:0xcd5c
00000138 10:56:18  ppfn:0xbc3dcba4 *ppfn:0xbc3dcd78 Ordinal:0xcd78

为什么总是告诉我Ordinal输出呢？而且即使我强制用字符串输出的话，总是告诉我异常？为什么？

    急需帮助！  
   email iamwuge@163.com



[编辑 -  3/5/05 by  iamwuge]

 bNotImportByName =((pThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) != 0);
改成
 bNotImportByName =((pThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) != IMAGE_ORDINAL_FLAG);