I posted a question last week about finding the address of the import section in a PE file. I got quite a few answers (thanks to all who replied) and have modified my test program accordingly.

The program now reads the VA address from the second entry in the data directory and then cyles through the section headers looking for a match. The section whose VA matches that from the data directory should be the import section. However, none of the VA's from the section headers seem to match the VA's from the data directory.

I have no idea what I'm doing wrong here.

Thanks for your help, again.
justAnotherLostSoul
Posted on 2002-09-08 10:35:41 by JustanotherLostSoul
first of all, why do you push/pop cx in the loop? that's not necessary and your program's stack will be modified if you jump to 'foundimport'.
now, most linkers put the import table in a separate section with section.rva == import_table.rva. this is no necessity, though. the import table might reside inside a section as well.
Posted on 2002-09-08 14:47:49 by Tola
The program now reads the VA address from the second entry in the data directory and then cyles through the section headers looking for a match.


The member VirtualAddress of IMAGE_DATA_DIRECTORY structure is actually RelativeVirtualAddress. If you have found it you have relative pointer to first IMAGE_IMPORT_DESCRIPTOR. And you don't have look for something.
Posted on 2002-09-09 04:07:48 by Four-F