Import Name Table

Blacksoulman asked
Last Modified: 2010-04-05
I've been trying different ways of getting the import table with memory mapped files and mapandload() with imagervatova().

I just want some code that gets the import name table and all its function names WHILE the process is running.

Make sure you actually test it before posting.

GETTING FUNCTIONS OF DLL
How to get the list of functions exported by a Dll module.
Answer:


To get the list of functions exported by a Dll module you need to use the following functions.

MapAndLoad function in 'imagehlp.pas'.
ImageRvaToVa function in 'imagehlp.pas'.

You also need to define the following structures.
To find details about what the members of these structures mean visit the web page 'http://www.csn.ul.ie/~caolan/publink/winresdump/winresdump/doc/msdn_peeringpe.html'

const
  IMAGE_SIZEOF_SHORT_NAME            = 8;
  IMAGE_NUMBEROF_DIRECTORY_ENTRIES   = 16;

type
  IMAGE_DATA_DIRECTORY = packed record
    VirtualAddress  : DWORD;
    Size            : DWORD;
  end;
  PIMAGE_DATA_DIRECTORY = ^IMAGE_DATA_DIRECTORY;

IMAGE_SECTION_HEADER = packed record
    Name     : packed array [0..IMAGE_SIZEOF_SHORT_NAME-1] of Char;
    PhysicalAddress : DWORD; // or VirtualSize (union);
    VirtualAddress  : DWORD;
    SizeOfRawData   : DWORD;
    PointerToRawData : DWORD;
    PointerToRelocations : DWORD;
    PointerToLinenumbers : DWORD;
    NumberOfRelocations : WORD;
    NumberOfLinenumbers : WORD;
    Characteristics : DWORD;
  end;
  PIMAGE_SECTION_HEADER = ^IMAGE_SECTION_HEADER;

  IMAGE_OPTIONAL_HEADER = packed record
   { Standard fields. }
    Magic           : WORD;
    MajorLinkerVersion : Byte;
    MinorLinkerVersion : Byte;
    SizeOfCode      : DWORD;
    SizeOfInitializedData : DWORD;
    SizeOfUninitializedData : DWORD;
    AddressOfEntryPoint : DWORD;
    BaseOfCode      : DWORD;
    BaseOfData      : DWORD;
   { NT additional fields. }
    ImageBase       : DWORD;
    SectionAlignment : DWORD;
    FileAlignment   : DWORD;
    MajorOperatingSystemVersion : WORD;
    MinorOperatingSystemVersion : WORD;
    MajorImageVersion : WORD;
    MinorImageVersion : WORD;
    MajorSubsystemVersion : WORD;
    MinorSubsystemVersion : WORD;
    Reserved1       : DWORD;
    SizeOfImage     : DWORD;
    SizeOfHeaders   : DWORD;
    CheckSum        : DWORD;
    Subsystem       : WORD;
    DllCharacteristics : WORD;
    SizeOfStackReserve : DWORD;
    SizeOfStackCommit : DWORD;
    SizeOfHeapReserve : DWORD;
    SizeOfHeapCommit : DWORD;
    LoaderFlags     : DWORD;
    NumberOfRvaAndSizes : DWORD;
    DataDirectory: packed array[0..IMAGE_NUMBEROF_DIRECTORY_ENTRIES-1] of IMAGE_DATA_DIRECTORY;
  end;
  PIMAGE_OPTIONAL_HEADER = ^IMAGE_OPTIONAL_HEADER;

IMAGE_FILE_HEADER = packed record
    Machine              : WORD;
    NumberOfSections     : WORD;
    TimeDateStamp        : DWORD;
    PointerToSymbolTable : DWORD;
    NumberOfSymbols      : DWORD;
    SizeOfOptionalHeader : WORD;
    Characteristics      : WORD;
  end;
  PIMAGE_FILE_HEADER = ^IMAGE_FILE_HEADER;

IMAGE_NT_HEADERS = packed record
  Signature       : DWORD;
  FileHeader      : IMAGE_FILE_HEADER;
  OptionalHeader  : IMAGE_OPTIONAL_HEADER;
end;
PIMAGE_NT_HEADERS = ^IMAGE_NT_HEADERS;

type LOADED_IMAGE = record
  ModuleName:pchar;//name of module
  hFile:thandle;//handle of file
  MappedAddress:pchar;// the base address of mapped file
  FileHeader:PIMAGE_NT_HEADERS;//The Header of the file.
  LastRvaSection:PIMAGE_SECTION_HEADER;
  NumberOfSections:integer;
  Sections:PIMAGE_SECTION_HEADER ;
  Characteristics:integer;
  fSystemImage:boolean;
  fDOSImage:boolean;
  Links:LIST_ENTRY;
  SizeOfImage:integer;
end;
PLOADED_IMAGE= ^LOADED_IMAGE;

here is the code

unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
  StdCtrls, Menus,structures,imagehlp;

type
  TForm1 = class(TForm)
    ListBox1: TListBox;
    MainMenu1: TMainMenu;
    File1: TMenuItem;
    Open1: TMenuItem;
    OpenDialog1: TOpenDialog;
    ListBox2: TListBox;
    procedure Open1Click(Sender: TObject);
  private
  public
   procedure DLLFuncstoList(fname:string;alistbox:tlistbox);
  end;

var
  Form1: TForm1;
implementation

{$R *.DFM}


procedure TForm1.DLLFuncstoList(fname:string;alistbox:tlistbox);
var
  fih:LOADED_IMAGE;
  pexpdir:PIMAGE_EXPORT_DIRECTORY;
  pexpnames:pdword;//pointer to list of exported functions
  pt1:PImageSectionHeader;
  i:integer;
  exportedfuncname:pchar;//exported function name
begin
   alistbox.items.clear;
   pt1:=nil;
   MapAndLoad(pchar(fname),pchar('#0'),@fih,true,true);//load the file into memory.
   pExpDir:=PIMAGE_EXPORT_DIRECTORY(fih.FileHeader.OptionalHeader.
                                    DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
   pExpDir:=PIMAGE_EXPORT_DIRECTORY(ImageRvaToVa
         (fih.FileHeader,fih.MappedAddress,DWORD(pExpDir),pt1));
   pExpNames:= pExpDir.pAddressOfNames;
   pExpNames:=PDWORD(ImageRvaToVa
       (fih.FileHeader,fih.MappedAddress,dword(pExpNames),pt1));
   pt1:=nil;
   for i:=0 to pexpdir.NumberOfNames-1 do
    begin
     exportedfuncname:=pchar(ImageRvaToVa  
       (fih.FileHeader,fih.MappedAddress,dword(pExpNames^),pt1));
     alistbox.items.add(exportedfuncname);
     inc(pexpnames);
    end;
   UnMapAndLoad(@fih);//Un load the mapped file  from memory.
end;

procedure TForm1.Open1Click(Sender: TObject);
begin
if opendialog1.execute = true then
  begin
   DLLFuncstoList(opendialog1.filename,listbox1);
  end;
end;


end.
 


Comments to this article
 
Avoid General protection faults
    Florin Oltean (Sep 13 2000 8:53AM)

You should better do something like :
if not MapAndLoad(pchar(fname),pchar('#0'),@fih,true,true) then Exit;

because if the call fails you will get a pretty nice GPF.

 
missing structure
    Florin Oltean (Sep 13 2000 8:32AM)

Your code is not running because you forgot to publish this structure :

IMAGE_EXPORT_DIRECTORY = packed record
  Characteristics : DWORD;
  TimeDateStamp   : DWORD;
  MajorVersion    : WORD;
  MinorVersion    : WORD;
  Name : DWORD;            
  Base : DWORD;
  NumberOfFunctions     : DWORD;
  NumberOfNames         : DWORD;
  pAddressOfFunctions   : PDWORD;
  pAddressOfNames       : PDWORD;
  pAddressOfNameOrdinals: PWORD;
end;
PIMAGE_EXPORT_DIRECTORY = ^IMAGE_EXPORT_DIRECTORY;

 
suggestions
    Andreas Schmidt (Aug 24 2000 3:20AM)

please separate the opendialog from the main procedure.

Put the core of Open1Click in its own procedure:

procedure DLLFuncsToListbox(filename:TFilename; lb:TListBox);
begin
...
end;


procedure TForm1.Open1Click(Sender: TObject);
begin
  if opendialog1.execute = true then
  begin
     listbox1.items.clear;
     DLLFuncsToListbox(opendialog1.filename, listbox1);
  end;
end;

Author

Commented:
ok look at the title... "Import Name Table"  The INT is different from the exports

I can get examples of the ent anywhere on google.  And once again, for those who are going to try and answer this question, make sure you actually test the code you are going to submit.
Hey Blacksoulman,

You might get a few people to help you out if you don't come across so belligerent.

I'm listening to see how many people jump on this one.....

Shane
The question is if you can read another EXE at all while it is running.
If so you may use the PEViewer example of the Jedi Code Library.

Author

Commented:
I was actually asking to just get the import function names.  I heard the PE loader patches the Import Name Table with Virtual addresses(IAT) and that you had to convert them.
Eh anyway all I needed was this nifty function:

function NextFunctionName(lpName: PChar): PChar;
begin

  result:=StrEnd(lpName);
  while (result^ = #0) do Inc(result);

end;

Once again, thanks.
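
Added example (not from any poster in this thread, and in Python rather than Delphi): listing imported function names from a PE32 file by walking the import descriptors through OriginalFirstThunk, the array that still holds name RVAs after the loader has overwritten the FirstThunk (IAT) entries with addresses. `list_imports`, `build_sample` and the sample bytes are constructed for illustration; the IAT addresses in the sample are made up to mimic a loaded image.

```python
import struct

def list_imports(data, use_int=True):
    """{dll: [names]} from a PE32 file image (bytes); raises on malformed input."""
    u = lambda fmt, o: struct.unpack_from(fmt, data, o)  # bounds-checked read
    pe = u("<I", 0x3C)[0]                                # e_lfanew
    opt = pe + 24                                        # optional header
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0" or u("<H", opt)[0] != 0x10B:
        raise ValueError("not a PE32 file")
    nsec, opt_size = u("<H12xH", pe + 6)
    secs = [u("<4I", opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def off(rva):  # RVA -> file offset via the section table, as ImageRvaToVa does
        for vsize, va, raw_size, raw_ptr in secs:
            if va <= rva < va + max(vsize, raw_size):
                return rva - va + raw_ptr
        raise ValueError("RVA 0x%08X is outside every section" % rva)
    def cstr(o):   # NUL-terminated ASCII; ValueError if unterminated
        return data[o:data.index(b"\0", o)].decode("ascii", "replace")
    imports, desc = {}, off(u("<I", opt + 104)[0])  # DataDirectory[1] = imports
    while True:  # IMAGE_IMPORT_DESCRIPTOR array, ended by an all-zero entry
        oft, _, _, name_rva, ft = u("<5I", desc)
        if not (oft or name_rva or ft):
            return imports
        names = imports.setdefault(cstr(off(name_rva)), [])
        thunk = off(oft if use_int and oft else ft)
        while (entry := u("<I", thunk)[0]) != 0:
            if entry & 0x80000000:  # import by ordinal, no name stored
                names.append("ordinal #%d" % (entry & 0xFFFF))
            else:  # RVA of IMAGE_IMPORT_BY_NAME: skip the 2-byte Hint
                names.append(cstr(off(entry) + 2))
            thunk += 4
        desc += 20

def build_sample():
    """Constructed minimal PE32 (not a real binary): one DLL, IAT already patched."""
    sec = struct.pack("<5I", 0x1028, 0, 0, 0x1040, 0x1034) + bytes(20)
    sec += struct.pack("<3I", 0x1050, 0x80000010, 0)      # INT: name RVA, ordinal 16
    sec += struct.pack("<3I", 0x7C801A28, 0x7C80AC6E, 0)  # IAT: made-up addresses
    sec += b"KERNEL32.dll".ljust(16, b"\0") + b"\x01\x00CreateFileA\0"
    hdr = bytearray(b"MZ".ljust(0x200, b"\0"))
    struct.pack_into("<I", hdr, 0x3C, 0x40)                # e_lfanew
    struct.pack_into("<4sHH12xHH", hdr, 0x40, b"PE\0\0", 0x14C, 1, 224, 0)
    struct.pack_into("<H", hdr, 0x58, 0x10B)               # PE32 magic
    struct.pack_into("<II", hdr, 0x58 + 104, 0x1000, 40)   # import directory
    struct.pack_into("<8s4I", hdr, 0x138, b".idata", len(sec), 0x1000, len(sec), 0x200)
    return bytes(hdr) + sec
```

Calling `list_imports(build_sample(), use_int=False)` reads the patched FirstThunk array instead and fails with a ValueError, because the values there are addresses rather than RVAs of names.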