Printing out the names of implicitly linked dll's from .idata section in a portable executable

Question

I am trying to write a code which is supposed to print out the names of all the imported dll\'s in the exe by using the \'name\' field of the IMAGE_IMPORT_DESCRIPTOR structure i

Answer 1

There are several problems.

• You can't assume the import section is called ".idata". You should locate the imports using IMAGE_OPTIONAL_HEADER.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].

• Most offsets within a PE file are Relative Virtual Addresses (RVAs), not file offsets. To convert an RVA to an offset you need to determine which section the virtual address is in, then calculate an offset based on where the section is in the file. Specifically, the IMAGE_IMPORT_DESCRIPTOR.Name field contains an RVA, not a file offset.

• Your code will be much simpler (and quicker) if you use a memory-mapped file rather than file I/O.

This MSDN article explains RVAs, the data directory, etc. It also includes pedump, an application with full source code for dumping PE files, which is a useful reference.