Specifically I want to know what the data structure for the imports (idata) section looks like.

+2  A: 

The DLL file format is the same as that of EXE files, the PE (portable executable) format. You can get a copy of the specification from Microsoft. You can also try Wotsit for general file-format information.

Windows provides the ImageHlp API for working with executable files. The LoadImage function looks like a good place to start.

You should also take a look at the "Portable Executable File Format" chapter of Undocumented Windows NT. It seems to describe how to use ImageHlp to get at various parts of a binary. I think the part you're most interested in is on the fourth page, which describes the IMAGE_DIRECTORY_ENTRY_IMPORT part of the PE file.

Rob Kennedy
Hi thanks for your reply. I've looked at this spec but it definitely seemed as though the on disc structure differed from that in memory (though I may be mistaken). You can definitely see that the idata section contains two lists - one of function ptrs and one of function names.
Read the links I gave you, especially Undocumented Windows. It explains how ImageHlp will help you do the disk-to-memory mappings.
Rob Kennedy
A: 

It seems that I was mistaken - the structure of the PE file seems to be identical in memory.

One can use the structures defined in winnt.h to interpret the memory.

When looking at these structures, you have to remember that the offsets (or 'RVA's[1]) are little endian. I probably wouldn't have been as confused if I just pointed a program at the relevant memory rather than using a debugger.

[1] In Microsoft speak.
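
The layout discussed in this thread, as an added example in C (not code from either answer): a bounds-checked walk of the import descriptor array and its list of function names. It assumes a PE32 image laid out as in memory, so an RVA is a plain offset from the start of the buffer, that `dir_rva` is the IMAGE_DIRECTORY_ENTRY_IMPORT address, and that OriginalFirstThunk is populated. The field offsets mirror IMAGE_IMPORT_DESCRIPTOR in winnt.h; `walk_imports`, `rd32`, `str_at`, `build_sample` and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RVAs are little-endian DWORDs: decode byte by byte, refuse out-of-range reads. */
static int rd32(const uint8_t *img, size_t size, uint32_t rva, uint32_t *out) {
    if (size < 4 || rva > size - 4) return -1;
    *out = img[rva] | img[rva + 1] << 8 | img[rva + 2] << 16 | (uint32_t)img[rva + 3] << 24;
    return 0;
}
/* NUL-terminated string at rva, or NULL if it runs off the end of the image. */
static const char *str_at(const uint8_t *img, size_t size, uint32_t rva) {
    if (rva >= size || !memchr(img + rva, 0, size - rva)) return NULL;
    return (const char *)img + rva;
}
/* Walk the IMAGE_IMPORT_DESCRIPTOR array (20 bytes per DLL) of a mapped PE32
   image. Returns the number of imports, or -1 if an RVA points outside it. */
int walk_imports(const uint8_t *img, size_t size, uint32_t dir_rva) {
    for (int count = 0;; dir_rva += 20) {
        uint32_t ilt, name, iat, thunk;
        if (rd32(img, size, dir_rva, &ilt) ||          /* OriginalFirstThunk */
            rd32(img, size, dir_rva + 12, &name) ||    /* Name */
            rd32(img, size, dir_rva + 16, &iat))       /* FirstThunk */
            return -1;
        if (!ilt && !name && !iat) return count;       /* all-zero terminator */
        const char *fn, *dll = str_at(img, size, name);
        if (!dll) return -1;
        for (;; ilt += 4, count++) {                   /* name list, one DWORD each */
            if (rd32(img, size, ilt, &thunk)) return -1;
            if (!thunk) break;
            if (thunk & 0x80000000u)                   /* IMAGE_ORDINAL_FLAG32 */
                printf("%s!#%u\n", dll, (unsigned)(thunk & 0xFFFF));
            else if ((fn = str_at(img, size, thunk + 2)))  /* skip WORD Hint */
                printf("%s!%s\n", dll, fn);
            else return -1;
        }
    }
}

/* Constructed sample (not a real DLL): one descriptor at RVA 0x10. */
size_t build_sample(uint8_t *img) {
    memset(img, 0, 0x100);
    img[0x10] = 0x40; img[0x1C] = 0x60; img[0x20] = 0x50; /* name list, DLL name, pointer list */
    img[0x40] = 0x70; img[0x44] = 0x10; img[0x47] = 0x80; /* by name @0x70, then ordinal 16 */
    memcpy(img + 0x60, "KERNEL32.dll", 13);
    memcpy(img + 0x72, "ExitProcess", 12);               /* WORD Hint at 0x70 stays 0 */
    return 0x100;
}
int main(void) { uint8_t img[0x100]; return walk_imports(img, build_sample(img), 0x10) != 2; }
```

For a file read straight from disk, each RVA must first be translated to a file offset through the section table before these reads apply.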