flat assembler
Message board for the users of flat assembler.

Index > Windows > Get Imported Functions' names

Author
Thread Post new topic Reply to topic
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
I wrote this program which just shows it's import table size and virtual address.


Virtual Size = 102\00000066h
Virtual Address = 8192\00002000h


How can I get the names of the functions i Imported ?

I know they are

Function Name Ordial
----------------------------
MessageBoxA 8268
wsprintfA 8282


But I don't know the relative address of the names to be read.

Some one help me please. Here's the code
Code:
format pe gui 4.0

include 'win32ax.inc'

entry main

section '.txt' code readable executable writeable

struct DATA
       va   dd ?
       size dd ?
ends

struct IMAGE_IMPORT_DESCRIPTOR
    union
        Characteristics    dd ?            ; 0 for terminating null import descriptor
        OriginalFirstThunk dd ?         ; RVA to original unbound IAT (PIMAGE_THUNK_DATA)
    ends
       TimeDateStamp       dd ?           ; 0 if not bound,
                                            ; -1 if bound, and real date\time stamp
                                            ;     in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
                                            ; O.W. date/time stamp of DLL bound to (Old BIND)

    ForwarderChain dd ?                ; -1 if no forwarders
    Name           dd ?
    FirstThunk     dd ?                ; RVA to IAT (if bound this IAT has actual addresses)
 ends


_t db 255 dup(0),0

dataDir DATA
id      IMAGE_IMPORT_DESCRIPTOR

proc main
     pushad

       push dword[00400100h]
       pop  dword[dataDir+0*4] ; Address

       push dword[00400104h]
       pop  dword[dataDir+1*4] ; Size

       cinvoke wsprintf,_t,'virtual size: 0x%p, virtual address: 0x%p',[dataDir.size],[dataDir.va]
       invoke MessageBox,0,_t,'My Optional Section--Import Table',MB_OK
       ;;;How can I read the location of the names, relative to the address 00400000h ?
      popad

     ret
endp

section '.idata' import data readable

library user32,'user32.dll',kernel32,'kernel32.dll'

include 'api/user32.inc'
include 'api/kernel32.inc'
    
Post 29 Jun 2011, 23:38
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz
typedef
I was playing with something like that.. Check this out and try yourself. (I guess you want something like this ^^)
Code:
     mov edx,[peh]
     mov ebx,[edx+0x80]
     add ebx,[nBase]
     virtual at ebx
     iides IMAGE_IMPORT_DESCRIPTOR
     end virtual
fill:
     mov esi,[iides.Name_]
     add esi,[nBase]
     invoke LoadLibrary,esi
     mov [DllHandle],eax
     mov edx,[iides.OriginalFirstThunk]
     add edx,[nBase]
     xor eax,eax
findapi:
     mov ecx,[edx]
     test ecx,ecx
     jz @f
     mov esi,[edx]
     add esi,2
     add esi,[nBase]
     push edx
     push eax
     invoke GetProcAddress,[DllHandle],esi
     mov [apiaddr],eax
     pop eax
     pop edx
     mov ecx,[iides.FirstThunk]
     add ecx,[nBase]
     mov edi,[apiaddr]
     mov [ecx+eax*4],edi
     add edx,4
     inc eax
     jmp findapi    

peh = PE Header
nBase = Base Address of Executable
As I remember, it gets imports from file with names and then VAs. I don't have time now, I'll write later for ya if this won't help ^^
Post 30 Jun 2011, 02:42
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
Thank you. Overflowz.

I was just not sure whether the address was ever relative to ImageBase.

Now I get it. Thanks.

I'm just doing it a different way. I'll post it when It is done.


Thanks Very Happy
Post 30 Jun 2011, 04:51
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.

Website powered by rwasa.