Replacing the Import Table in PE file by standart LoadLibrary...

Question

Hello.

I have an executable (PE) file that load a dll file as represented in the Import table... let say: PEFile.exe Modules.dll

my question is how can i remove Modules.dll's import_descriptor from the imports and do its work by loadLibrary without the rely on the import table and without destroy the file???...

My bigger problem his i could not understand exactly how the Import thing works... after the loader read the information he needs to do the import's thing, i believe he use the LoadLibrary, GetProcAddress APIs... but i couldn't understated what he doing with the pointers he get... he putting them somewhere in memory... and then what just call them?!?

all the papers i found in the net explain the structure of the import table, but i didn't found a paper that explain how it is really work and get used...

i hope you cold understand my Gibberish English...

Thank you!

Answer 1

Well, you will need code that can do PE file surgery.

You can investigate this library. I've never used it myself. The code I wrote for this purpose years ago is not available.

For the specific matter at hand, most likely you can remove the import table entry. Post-editing the object code, on the other hand, to call LoadLibrary, and then use the results would be a major feat of manual reassembly. Unless you have a good deal of expertise with assembly-level programming and all the calling conventions I wouldn't recommend it.