hi all,

I am working on a (Win32 PE) decompiler, and I already made it possible to decompile the commands, etc.
but now I want to be able to see what kind of API the program calls (instead of: call , I want invoke GetModuleHandleA,op1)

but I can't find anything which tells me what section is the import section, the section where the Windows exe-file loader puts the addresses of the APIs the program calls.

I do know it mostly is the first RData seg (at least with Masm32 it is; with Masm32 it always is the second section), but that isn't the case in all programs. Is there a flag in the section header, or something in the PE header that points to the location of the imports?

Posted on 2004-08-04 05:13:26 by pyr0_mathic

is there a flag in the section header, or something in the PE-header that points to the location of the imports?

yes, go study the PE format or do a search, PE+78h I think it is, or very nearby to there
Posted on 2004-08-04 06:12:26 by evlncrn8
The following excerpt is to get the names table from a PE.

; eax points to the beginning of the buffer where the file was loaded
add eax,[eax+IMAGE_DOS_HEADER.e_lfanew]                     ; eax -> PE header
movzx ecx,[eax+IMAGE_NT_HEADERS.FileHeader.NumberOfSections]
dec ecx                                                     ; each section is compared with the one after it
mov edx,[eax+IMAGE_NT_HEADERS.OptionalHeader.NumberOfDirectories]
lea esi,[eax+IMAGE_NT_HEADERS.OptionalHeader.DataDirectory+edx*IMAGE_DATA_DIRECTORY] ; esi -> first section header (right after the data directories)
mov edx,[eax+IMAGE_NT_HEADERS.OptionalHeader.DataDirectory.VirtualAddress] ; RVA of the export directory (DataDirectory[0])
.calc_reloc:
mov eax,[esi+IMAGE_SECTION_HEADER.VirtualAddress]
mov ebx,[esi+IMAGE_SECTION_HEADER.OffsetToRawData]
sub eax,ebx
mov [reloc],eax                                             ; reloc = RVA - raw file offset for this section
add esi,IMAGE_SECTION_HEADER                                ; advance to the next section header (line missing from the excerpt; struct name used as its size, as with IMAGE_DATA_DIRECTORY above)
mov eax,[esi+IMAGE_SECTION_HEADER.VirtualAddress]
cmp eax,edx
ja .reloc_ok                                                ; next section starts past the directory, so the previous one contains it
loop .calc_reloc
.reloc_ok:
mov esi,[hlibrary]
add esi,edx
sub esi,[reloc]                                             ; esi -> IMAGE_EXPORT_DIRECTORY inside the file buffer
mov eax,[esi+IMAGE_EXPORT_DIRECTORY.NumberOfNames]
mov [names],eax
mov eax,[hlibrary]
add eax,[esi+IMAGE_EXPORT_DIRECTORY.AddressOfNames]
sub eax,[reloc]                                             ; eax -> array of name RVAs, converted to a buffer pointer
mov [ptr_names],eax
mov edx,[names]

You will need only the offsets and relocator, so the rest could be neglected. However, the full source is here: http://board.flatassembler.net/download.php?id=581
Posted on 2004-08-04 07:52:35 by pelaillo
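Putting evlncrn8's pointer (the import table is DataDirectory[1] in the optional header, i.e. PE+80h for PE32, right after the export entry at PE+78h) together with pelaillo's section-table walk (RVA minus VirtualAddress plus PointerToRawData) gives the whole recipe the original question asks for. The following is an added example written for this thread, not code from any of the posters or from the linked sources: it parses a PE image from disk, finds the import directory through the data directory rather than by guessing at ".rdata", maps every RVA through the section table, and walks the IMAGE_IMPORT_DESCRIPTOR list to list each DLL and the names (or ordinals) imported from it. It goes a little beyond the thread in also handling PE32+ (8-byte thunks) and ordinal imports. Since no real executable is on the page, the sample image is constructed inline by build_sample_pe(); it is not loadable, it only carries the headers the parser reads.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1   # index into the optional header's DataDirectory


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section table (the per-section
    'reloc' value computed in the assembly excerpt above, applied to every section)."""
    for va, size, raw in sections:
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError("RVA 0x%x is not covered by any section" % rva)


def cstring(data, off):
    """Read a NUL-terminated ASCII string from the file buffer."""
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_imports(data):
    """Return {dll_name: [imported symbol, ...]} for a PE image as read from disk."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)            # IMAGE_DOS_HEADER.e_lfanew
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections, = struct.unpack_from("<H", data, e_lfanew + 6)   # FileHeader.NumberOfSections
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)   # FileHeader.SizeOfOptionalHeader
    opt = e_lfanew + 24                                          # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", data, opt)
    pe32plus = magic == 0x20B
    dd = opt + (112 if pe32plus else 96)                         # DataDirectory[0] (PE+0x78 for PE32)
    ndirs, = struct.unpack_from("<I", data, dd - 4)              # NumberOfRvaAndSizes
    if ndirs <= IMAGE_DIRECTORY_ENTRY_IMPORT:
        return {}
    imp_rva, _imp_size = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    if imp_rva == 0:
        return {}                                                # no imports at all
    # The section table starts immediately after the optional header.
    sections = []
    for i in range(nsections):
        _, vsize, va, rawsize, raw = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, max(vsize, rawsize), raw))
    thunk_fmt, ordinal_flag = ("<Q", 1 << 63) if pe32plus else ("<I", 1 << 31)
    thunk_len = struct.calcsize(thunk_fmt)
    imports = {}
    desc = rva_to_offset(imp_rva, sections)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                                                # all-zero terminator
        dll = cstring(data, rva_to_offset(name_rva, sections))
        thunk = rva_to_offset(oft or ft, sections)               # prefer the ILT; fall back to the IAT
        names = []
        while True:
            entry, = struct.unpack_from(thunk_fmt, data, thunk)
            if entry == 0:
                break
            if entry & ordinal_flag:
                names.append("#%d" % (entry & 0xFFFF))           # import by ordinal
            else:
                # IMAGE_IMPORT_BY_NAME: WORD Hint, then the NUL-terminated name
                names.append(cstring(data, rva_to_offset(entry, sections) + 2))
            thunk += thunk_len
        imports[dll] = names
        desc += 20
    return imports


def build_sample_pe():
    """Constructed PE32 image (not loadable) with one section holding an import
    directory that names kernel32.dll!GetModuleHandleA. Layout offsets are assumptions
    chosen for this example, not values from any real binary."""
    sec_va, sec_raw = 0x1000, 0x200
    body = bytearray(0x200)
    ilt, iat, dll, hn = 40, 48, 56, 72                           # offsets inside the section
    struct.pack_into("<IIIII", body, 0, sec_va + ilt, 0, 0, sec_va + dll, sec_va + iat)
    # the descriptor at offset 20 stays all-zero and terminates the list
    struct.pack_into("<II", body, ilt, sec_va + hn, 0)
    struct.pack_into("<II", body, iat, sec_va + hn, 0)
    body[dll:dll + 13] = b"kernel32.dll\0"
    body[hn:hn + 19] = b"\0\0GetModuleHandleA\0"
    hdr = bytearray(sec_raw)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                      # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)   # IMAGE_FILE_HEADER
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", hdr, opt + 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96 + 8, sec_va, 40)       # DataDirectory[1] = import table
    struct.pack_into("<8sIIIIIIHHI", hdr, opt + 224, b".rdata", len(body), sec_va,
                     len(body), sec_raw, 0, 0, 0, 0, 0x40000040)
    return bytes(hdr + body)


if __name__ == "__main__":
    for dll, names in parse_imports(build_sample_pe()).items():
        for name in names:
            print("invoke %s  ; from %s" % (name, dll))
```

To use it on a real file, replace build_sample_pe() with the bytes of the executable; the parser never relies on a section being named .rdata or being the first or second section, which is exactly why the data directory, not the section name, is the thing to key on.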
check out iczelion's PE-tutorials :)

Posted on 2004-08-04 07:55:05 by diguin
Also check into http://msdn.microsoft.com/library/en-us/dndebug/html/msdn_peeringpe.asp

And Luevelsmeyer's PE file, last time I saw that thing I think I found it on Azrael's pages. (Search - Google)
Posted on 2004-08-04 08:08:56 by JimmyClif
Luevelsmeyer's pe.txt available from Iczelion's website:

Posted on 2004-08-04 11:34:41 by Vortex
IIRC there's a couple of errors in the Luevelsmeyer text - grab http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx
Posted on 2004-08-04 13:47:57 by f0dder
Posted on 2004-08-04 13:55:47 by donkey
And while we're at it - Windows 2000 PE loader stuff:
Posted on 2004-08-04 15:40:37 by f0dder