Now I slowly understand the import table in PE file crafted by hand, I know 32-bit and 64-bit PE is different.
section '.idata' import data readable writeable
dd 0,0,0,rva kernel_name,rva kernel_table
dd 0,0,0,0,0
kernel_table:
ExitProcess dd rva _ExitProcess
CreateFile dd rva _CreateFileA
ReadFile dd rva _ReadFile
WriteFile dd rva _WriteFile
CloseHandle dd rva _CloseHandle
SetFilePointer dd rva _SetFilePointer
GetCommandLine dd rva _GetCommandLineA
GetEnvironmentVariable dd rva _GetEnvironmentVariable
GetStdHandle dd rva _GetStdHandle
VirtualAlloc dd rva _VirtualAlloc
VirtualFree dd rva _VirtualFree
GetTickCount dd rva _GetTickCount
GetSystemTime dd rva _GetSystemTime
GlobalMemoryStatus dd rva _GlobalMemoryStatus
dd 0
kernel_name db 'KERNEL32.DLL',0
_ExitProcess dw 0
db 'ExitProcess',0
_CreateFileA dw 0
db 'CreateFileA',0
_ReadFile dw 0
db 'ReadFile',0
_WriteFile dw 0
db 'WriteFile',0
_CloseHandle dw 0
db 'CloseHandle',0
_SetFilePointer dw 0
db 'SetFilePointer',0
_GetCommandLineA dw 0
db 'GetCommandLineA',0
_GetEnvironmentVariable dw 0
db 'GetEnvironmentVariableA',0
_GetStdHandle dw 0
db 'GetStdHandle',0
_VirtualAlloc dw 0
db 'VirtualAlloc',0
_VirtualFree dw 0
db 'VirtualFree',0
_GetTickCount dw 0
db 'GetTickCount',0
_GetSystemTime dw 0
db 'GetSystemTime',0
_GlobalMemoryStatus dw 0
db 'GlobalMemoryStatus',0
There is similar program out there, for example, this importsort Python program :
importsort
This is a tool that I use to group imports from Windows binaries. Sometimes, you have a gigantic folder full of executables, and you want to figure out what you should look at first. importsort will iterate over all of the files in a directory, and create a list containing the DLL name, the function imported, and the file that imported that function. You can use it to analyze possible behavior, such as network functionality or registry key manipulation etc.
The initial version of this tool used radare2 or rizin for parsing PE files. The new version relies on the pefile library. Install with python3 -m pip install pefile. This newer version is much faster, and less error prone than the previous version.
His is using pefile library, I plan to read the import table byte by byte myself, it is similar to a PEDump program, just that this project is only focus on import table.
I know can read Data Directories in Optional Header for Import Table RVA (the address of import table), so theorectically it can be done.
But the question is, is it worth my effort? Will anyone use this program (PE import table dumper).
I can make use of my existing EXE parser.