Specifically I want to know what the data structure for the imports (idata) section looks like.
views:
63answers:
2The DLL file format is the same as that of EXE files, the PE (portable executable) format. You can get a copy of the specification from Microsoft. You can also try Wotsit for general file-format information.
Windows provides the ImageHlp API for working with executable files. The LoadImage
function looks like a good place to start.
You should also take a look at the "Portable Executable File Format" chapter of Undocumented Windows NT. It seems to describe how to use ImageHlp to get at various parts of a binary. I think the part you're most interested in is on the fourth page, which describes the IMAGE_DIRECTORY_ENTRY_IMPORT
part of the PE file.
It seems that I was mistaken - the structure of the PE file seems to be identical in memory.
One can use the structures defined in winnt.h to interpret the memory.
When looking at these structures, you have to remember that the offsets (or 'RVA's[1]) are little endian. I probably wouldn't have been as confused if I just pointed a program at the relevant memory rather than using a debugger.
[1] In microsoft speak.