I am exploring the PE file format and have been coding a few asm programs to improve my understanding. However, I've run into a problem involving accessing the import section.

I have attached a small asm program that opens and reads through a PE file (calc.exe) and attempts to find the import section, for the purpose of listing the imported APIs.

The program skips past the DOS header and PE header and locates the data directory at the end of the optional header. It skips the first entry in the data directory (export section) and addresses the second entry, which should hold the details of the import section.

However, the VA for the import section is beyond the file size. What am I doing wrong here?

Thanks for your help,

P.S. I have also tried skipping past the data directory and directly accessing the section headers.
Posted on 2002-08-29 15:33:24 by JustanotherLostSoul
mov esi, [ edi ].VirtualAddress ; Get VA of import section

this is actually an rva (=relative virtual address).

add esi, pointerToBuffer ; Add image base to VA to get RVA of import section

that's not correct. the imagebase is the memory location the image will be mapped to when executed (most compilers/linkers set it to 400000h).

to get the offset of the import data (which is what you want to do, since you're reading the file from disk), you need to loop through the object table and find the section containing the import data.
Posted on 2002-08-29 16:35:41 by Tola
Even then, the RVA will not be equal to its position in the file. First, retrieve the VA, then iterate through the sections and see inside which section the import table is. Then, use the IMAGE_SECTION_HEADER.PointerToRawData to actually find the location of the import table physically in the file.
Posted on 2002-08-30 00:11:52 by comrade

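pushad ;save registers (result goes back through the saved eax)
mov edx,[filebuffer] ;pointer to the pe file in memory
mov esi,[edx.MZ_lfanew]
add esi,edx ;esi -> pe header
movzx ecx,wo [esi+6] ;section count
add esi, 0f8h ;size of pe header
@@section_loop:
mov ebx,eax
sub ebx,[esi.SH_VirtualAddress]
jc @@isnt ;rva is below this section
cmp ebx,[esi.SH_VirtualSize]
jnb @@isnt ;rva is past the end of this section
add ebx,[esi.SH_PointerToRawData]
add ebx,edx ;pointer into the file buffer
jmp @@error
@@isnt:
add esi,28h ;next section header
loop @@section_loop
sub ebx,ebx ;no section contains the rva: return 0
@@error:
mov [esp.Pushad_eax],ebx
popad
ret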

call the routine with the RVA to convert in EAX.
in the variable you should have a pointer to the pe file in memory.

Posted on 2002-08-30 08:57:01 by ancev
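The lookup described in the replies above, written in C as an added example (not code from any poster in this thread): it maps the import directory RVA to a file offset by walking the section table. It goes beyond the posted routine by bounds-checking every read and by limiting matches to SizeOfRawData, since only raw bytes exist on disk. The function names and the constructed 0x400-byte sample header are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Little-endian read of n bytes at off; clears *ok instead of reading out of bounds. */
static uint32_t rd(const uint8_t *b, size_t len, size_t off, int n, int *ok) {
    uint32_t v = 0;
    if (off > len || (size_t)n > len - off) { *ok = 0; return 0; }
    for (int i = n - 1; i >= 0; i--) v = (v << 8) | b[off + i];
    return v;
}

/* Map an RVA to a file offset through the section table; -1 if no section backs it. */
int64_t rva_to_offset(const uint8_t *b, size_t len, uint32_t rva) {
    int ok = 1;
    size_t nt = rd(b, len, 0x3C, 4, &ok);               /* e_lfanew */
    uint32_t nsec = rd(b, len, nt + 6, 2, &ok);         /* NumberOfSections */
    size_t sh = nt + 24 + rd(b, len, nt + 20, 2, &ok);  /* skip SizeOfOptionalHeader */
    for (uint32_t i = 0; ok && i < nsec; i++, sh += 40) {
        uint32_t va    = rd(b, len, sh + 12, 4, &ok);   /* VirtualAddress */
        uint32_t rsize = rd(b, len, sh + 16, 4, &ok);   /* SizeOfRawData */
        uint32_t raw   = rd(b, len, sh + 20, 4, &ok);   /* PointerToRawData */
        if (!ok) break;
        uint64_t off = (uint64_t)raw + (rva - va);
        /* only bytes present on disk count: bound by SizeOfRawData and file size */
        if (rva >= va && rva - va < rsize && off < len) return (int64_t)off;
    }
    return -1;
}

/* File offset of the import directory (data directory entry 1), or -1. */
int64_t import_dir_offset(const uint8_t *b, size_t len) {
    int ok = 1;
    size_t nt = rd(b, len, 0x3C, 4, &ok);
    if (rd(b, len, 0, 2, &ok) != 0x5A4D || rd(b, len, nt, 4, &ok) != 0x4550) return -1;
    uint32_t magic = rd(b, len, nt + 24, 2, &ok);       /* 0x10B PE32, 0x20B PE32+ */
    uint32_t rva = rd(b, len, nt + 24 + (magic == 0x20B ? 112 : 96) + 8, 4, &ok);
    return (ok && rva) ? rva_to_offset(b, len, rva) : -1;
}

static void wr(uint8_t *b, size_t off, uint32_t v, int n) { while (n--) { b[off++] = (uint8_t)v; v >>= 8; } }
/* Constructed 0x400-byte sample: one section, RVA 0x2000 stored at file offset 0x200. */
void build_sample(uint8_t *b) {
    memset(b, 0, 0x400);
    wr(b, 0, 0x5A4D, 2);      wr(b, 0x3C, 0x40, 4);     /* "MZ", e_lfanew */
    wr(b, 0x40, 0x4550, 4);   wr(b, 0x46, 1, 2);        /* "PE\0\0", one section */
    wr(b, 0x54, 0xE0, 2);     wr(b, 0x58, 0x10B, 2);    /* optional header size, PE32 magic */
    wr(b, 0xC0, 0x2010, 4);   wr(b, 0x14C, 0x200, 4);   /* import dir RVA, PointerToRawData */
    wr(b, 0x144, 0x2000, 4);  wr(b, 0x148, 0x200, 4);   /* VirtualAddress, SizeOfRawData */
}
```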
Been a while since I have done this stuff but from memory it's a lot easier to get the info you are after if you load the app in memory first as the offsets for the memory image are different to the disk image. Loading it in memory saves the stepped calculations to get the offsets.


Posted on 2002-08-30 10:10:33 by hutch--