StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
text
Body
copied!<p>I opened one my old project from the time as I like you examined the structure of import and export directories (<code>IMAGE_DIRECTORY_ENTRY_EXPORT</code>, <code>IMAGE_DIRECTORY_ENTRY_IMPORT</code>, <code>IMAGE_DIRECTORY_ENTRY_IAT</code> and <code>IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT</code>). I can in short explain the part where you have a problem. I mean the part how to find out the pointer to for example <code>IMAGE_EXPORT_DIRECTORY</code> inside of PE.</p> <p>First of all of cause it is possible to use Read/Write file operations to analyse a PE file, but it is much easier to use file mapping like following:</p> <pre><code>hSrcFile = CreateFile (pszSrcFilename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL); hMapSrcFile = CreateFileMapping (hSrcFile, NULL, PAGE_READONLY, 0, 0, NULL); pSrcFile = (PBYTE) MapViewOfFile (hMapSrcFile, FILE_MAP_READ, 0, 0, 0); </code></pre> <p>after we have the pointer <code>pSrcFile</code> which point to the PE file contain we can find another important places inside of PE:</p> <pre><code>pDosHeader = (IMAGE_DOS_HEADER *)pSrcFile; IMAGE_NT_HEADERS32 *pNtHdr = (IMAGE_NT_HEADERS32 *) ((PBYTE)pDosHeader + pDosHeader->e_lfanew); IMAGE_SECTION_HEADER *pFirstSectionHeader = (IMAGE_SECTION_HEADER *) ((PBYTE)&pNtHdr->OptionalHeader + pNtHdr->FileHeader.SizeOfOptionalHeader); </code></pre> <p>Now we have all needed virtual address of any directory. For example,</p> <pre><code>pNtHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress </code></pre> <p>is a virtual address of export directory. After that to convert the virtual address to the memory pointer, <strong>we should find out the section of PE which has this virtual address inside</strong>. To do this we can enumerate sections of PE and find an <code>i</code> grater or equal to <code>0</code> and less then <code>pNtHdr->FileHeader.NumberOfSection</code>s where</p> <pre><code>pFirstSectionHeader[i].VirtualAddress <= pNtHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress </code></pre> <p>and at the same time </p> <pre><code>pNtHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress < pFirstSectionHeader[i].VirtualAddress + pFirstSectionHeader[i].Misc.VirtualSize </code></pre> <p>then you should search for export data in the section <code>pFirstSectionHeader[i]</code>:</p> <pre><code>IMAGE_SECTION_HEADER *pSectionHeader = &pFirstSectionHeader[i]; IMAGE_EXPORT_DIRECTORY *pExportDirectory = (IMAGE_EXPORT_DIRECTORY *)((PBYTE)pbyFile + pSectionHeader->PointerToRawData + pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress - pSectionHeader->VirtualAddress); </code></pre> <p>The same procedure you should repeat to find <code>(IMAGE_IMPORT_DESCRIPTOR *)</code> which corresponds to <code>IMAGE_DIRECTORY_ENTRY_IMPORT</code> and <code>(IMAGE_BOUND_IMPORT_DESCRIPTOR *)</code> which corresponds to <code>IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT</code> to dump import information inclusive a binding information (if exist).</p> <p>To dump information from <code>IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT</code> (corresponds to <code>(ImgDelayDescr *)</code> defined in delayimp.h) you should use also information from the <code>IMAGE_DIRECTORY_ENTRY_IAT</code> (corresponds to <code>(IMAGE_THUNK_DATA32 *)</code>).</p> <p>For more information about PE I recommend you <a href="http://msdn.microsoft.com/en-us/magazine/cc301808.aspx" rel="noreferrer">http://msdn.microsoft.com/en-us/magazine/cc301808.aspx</a></p>

Querying!

Guidance

An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload