Portable Executable import table

[qWord]

you are using ml version 10! (->visual studio 2010)
All you need are the structure definitions which can be obtained through the masm32-package or japhet's WinInc-project.

[dedndave]

others111,

what are you trying to do ? - what is the goal of this project ?
why are you limited to that version of MASM, rather than using the Masm32 package ?
why are you limited to using only kernel32.lib and msvcrt.lib ?

wsprintf is in user32.lib   :P
although, it can probably be avoided

we can help you if we have the required information

[others111]

The goal of this project: for every DLL which my file ex:vlc.exe imports functions, display the name of the DLL and the name of the function imported

requirements:win32 functions (CreateFile, ReadFile, CloseHandle..the ones I used above)

I have to use this old version of masm because my teacher from assembly language laboratory requested this old program for work.

[dedndave]

ok - very good
however, that version of MASM is quite new
i understand what you are trying to do

qWord's program is very cool   :U
i have modified his code to use no INC files or Masm32 library - and it is working
all that's left is to eliminate the wsprintf call and format the output
give me a little time...

[others111]

:)

[dedndave]

give this a try...

notice that msvcrt.lib is not needed   :P

you can delete this line:

Code Select Expand

        INCLUDELIB msvcrt.lib

[qWord]

just to make it clear: my example pars the PE after the loader has modified it. Donkey's or Iczelion's examples show how to pars a unmodified image.

[dedndave]

very nice, qWord   :U

that would make a great error reporting routine   :bg

[others111]

When I launch the program I receive what I attached to this post.The code appears to be complicated to me,but I was told to use the RVA function to move around,which it is written in the COEFF file.I used libview program to view the functions from  kernel32.lib which have @name at the end

.386
.model flat, stdcall

includelib msvcrt.lib
includelib kernel32.lib

extern printf             :proc
extern scanf            :proc
extern CreateFileA@28                  :proc
extern CreateFileMappingA@24                 :proc
extern MapViewOfFile@20      :proc
extern CloseHandle@4                   :proc
extern SetFilePointer@16                           :proc
extern ReadFile@20         :proc
extern exit                     :proc

public start

.data
FileName db "c:\vlc.exe"                                         ;address for the file to be mapped               
hFile dword ?                              ;handle  CreateFile
hFileMapping dword ?                                            ;handle  CreateFileMapping
namee  db  "vlc"                                                   ;name for the mapped file
position dword 0   
 
format db "%x", 0
 
.code
start:

        push 0                                                                  ;Handle to template file with Generic_Read access right 
        push 0                                                                  ;Attributes 80h --> FILE_ATTRIBUTE_NORMAL
        push 3                                     ; 3->create new if it does not exist
        push 0                                   ;Security:NULL
        push 1h                                          ;dwShareMode
        push 80000000h OR 40000000h                     ;ACCESS   --> GENERIC_READ OR GENERIC_WRITE 
        push offset FileName                         ;address for the file to be created
        call CreateFileA@28   
        mov  hFile,eax   
                       
      push offset namee
      push 0
      push 0                           
      push 2             ;4 --> ReadWrite | 2 --> ReadOnly
      push 0
      push hFile
      call CreateFileMappingA@24
      mov  hFileMapping,eax
     
      push 0
      push 0                             
      push 0
      push 4
      push hFileMapping
      call MapViewOfFile@20   

      xor  ebx,ebx                     
     
      mov  bx,word ptr [eax+220h]
      mov  position,ebx
     
      push position
      push offset format
      call printf
     
      ;push 0
      ;push 0
      ;push position
      ;push hFile
      ;call SetFilePointer@16
      ;mov memptr,eax
     
       
   ;call exit function
   push 0
   call exit
end start

When I added 220h to eax I am at the .idata position. Now somehow I have to see what  is in that .idata I think using the RVA function, this is at what I am stuck and I can`t get further.

I can tell that I am at that position cause I use a hex editor.

[baltoro]

About a year ago, I wrote a program to display a huge amount of information about a selected Portable Executable, and, I based it on the description found in this article: 
Peering Inside the PE: A Tour of the Win32 Portable Executable File Format, Matt Pietrek, MSDN, 1994

[others111]

I started to look deeply into the PE doc from MSDN to build the program myself.However I have a question how do I find the raw offset of something in the PE ? I need to calculate the file offset which has this equation : file offset= RVA-virtual offset + raw data

[clive]

I started to look deeply into the PE doc from MSDN to build the program myself.However I have a question how do I find the raw offset of something in the PE ? I need to calculate the file offset which has this equation : file offset= RVA-virtual offset + raw data

You have to traverse the sections, the Section Table provides the data to translate a virtual address into a file offset. Some addresses will fall outside that physically backed by data on the media. Some sections may be devoid of any data.

[others111]

thank you

How can I traverse the PE file? can I use SetFilePointer function to do this?

[others111]

                        push 0
      push 0
      push 5045h
      push hFile
      call SetFilePointer@16   

if I write this,is the pointer going to be set at the PE location in hex ? 

[clive]

Huh? What would be at 5045h ('PE')?

You have a mapped view of the file in memory, would you not just index through the data structures in memory directly? Sure, if you are working with a file you can move the file pointer around and use ReadFile() to pull in various chunks of data. To do so however you need to understand where they are situated, and how large they are.

The more basic problem here is that you don't seem to understand the file/data structures. If the complexity here comes from the use of assembly, then try to implement this in a language you are familiar with first.

To find the PE header you need to examine the DOS 'MZ' EXE header, pulling an offset from 0x3C. Once you have the offset to the PE header you can extract information about it's size, and details about the sections and directories it contains.