flat assembler
Message board for the users of flat assembler.

Index > Projects and Ideas > Is it worth it to do a PE import table dumper?

Author
Thread Post new topic Reply to topic
FlierMate7



Joined: 06 Sep 2023
Posts: 12
FlierMate7 29 Sep 2023, 08:53
Now I slowly understand the import table in PE file crafted by hand, I know 32-bit and 64-bit PE is different.
Code:
section '.idata' import data readable writeable

  dd 0,0,0,rva kernel_name,rva kernel_table
  dd 0,0,0,0,0

  kernel_table:
    ExitProcess dd rva _ExitProcess
    CreateFile dd rva _CreateFileA
    ReadFile dd rva _ReadFile
    WriteFile dd rva _WriteFile
    CloseHandle dd rva _CloseHandle
    SetFilePointer dd rva _SetFilePointer
    GetCommandLine dd rva _GetCommandLineA
    GetEnvironmentVariable dd rva _GetEnvironmentVariable
    GetStdHandle dd rva _GetStdHandle
    VirtualAlloc dd rva _VirtualAlloc
    VirtualFree dd rva _VirtualFree
    GetTickCount dd rva _GetTickCount
    GetSystemTime dd rva _GetSystemTime
    GlobalMemoryStatus dd rva _GlobalMemoryStatus
    dd 0

  kernel_name db 'KERNEL32.DLL',0

  _ExitProcess dw 0
    db 'ExitProcess',0
  _CreateFileA dw 0
    db 'CreateFileA',0
  _ReadFile dw 0
    db 'ReadFile',0
  _WriteFile dw 0
    db 'WriteFile',0
  _CloseHandle dw 0
    db 'CloseHandle',0
  _SetFilePointer dw 0
    db 'SetFilePointer',0
  _GetCommandLineA dw 0
    db 'GetCommandLineA',0
  _GetEnvironmentVariable dw 0
    db 'GetEnvironmentVariableA',0
  _GetStdHandle dw 0
    db 'GetStdHandle',0
  _VirtualAlloc dw 0
    db 'VirtualAlloc',0
  _VirtualFree dw 0
    db 'VirtualFree',0
  _GetTickCount dw 0
    db 'GetTickCount',0
  _GetSystemTime dw 0
    db 'GetSystemTime',0
  _GlobalMemoryStatus dw 0
    db 'GlobalMemoryStatus',0          


There is similar program out there, for example, this importsort Python program :

Quote:
importsort
This is a tool that I use to group imports from Windows binaries. Sometimes, you have a gigantic folder full of executables, and you want to figure out what you should look at first. importsort will iterate over all of the files in a directory, and create a list containing the DLL name, the function imported, and the file that imported that function. You can use it to analyze possible behavior, such as network functionality or registry key manipulation etc.

The initial version of this tool used radare2 or rizin for parsing PE files. The new version relies on the pefile library. Install with python3 -m pip install pefile. This newer version is much faster, and less error prone than the previous version.


His is using pefile library, I plan to read the import table byte by byte myself, it is similar to a PEDump program, just that this project is only focus on import table.

I know can read Data Directories in Optional Header for Import Table RVA (the address of import table), so theorectically it can be done.

But the question is, is it worth my effort? Will anyone use this program (PE import table dumper).
I can make use of my existing EXE parser.
Post 29 Sep 2023, 08:53
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20363
Location: In your JS exploiting you and your system
revolution 29 Sep 2023, 08:58
Make it for you. No one else matters.

If other people use it also then that is good.

If your only purpose in making it is for others then I think you are doing-it-wrong™.
Post 29 Sep 2023, 08:58
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.