MayDay SoS

[HellOfMice]

I need a big help I don't understand anything.
I have found in which section the EXPORT DIRECTORY is I have found at which offset into the section the directory is. I am stopped here, I don't know how to get datas. I join an image with the sqlite3.dll datas. Even when using pope that do not help me many more.


Thank you to help me


PhR

[TimoVJL]

An old test code:

Code: [Select]

#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>

int ProcessFile(HWND hWnd, PBYTE pMem);

int main(int argc, char **argv)
{
HANDLE hFile, hMapping;
VOID *pMem;
HWND hWnd = 0;

if (argc < 2) {
printf("Usage: PEExp2Def.exe <file>\n");
return 1;
}

hFile = CreateFile(argv[1], GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
if (hFile != INVALID_HANDLE_VALUE)
{
hMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
if (hMapping)
{
pMem = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);
if (pMem)
{
ProcessFile(hWnd, pMem);
UnmapViewOfFile(pMem);
} else
printf("File open error");
CloseHandle(hMapping);
} else
printf("FileMapping error");
CloseHandle(hFile);
}
else
printf("File open error");
return 0;
}

int ProcessFile(HWND hWnd, PBYTE pMem)
{
PIMAGE_DOS_HEADER pDosHdr;
PIMAGE_NT_HEADERS32 pNTHeader32;
PIMAGE_NT_HEADERS64 pNTHeader64;
PIMAGE_EXPORT_DIRECTORY pExportDir;
PIMAGE_SECTION_HEADER pSectionHdr;
PCHAR pChar;
DWORD nSections, dwRVAdr, nCnt, nNames, *pNames, nBase;
WORD *pOrd;
INT iDelta;

pDosHdr = (PIMAGE_DOS_HEADER)pMem;
if (pDosHdr->e_magic != IMAGE_DOS_SIGNATURE)
return 1;
pNTHeader32 = (PIMAGE_NT_HEADERS32)(pMem+pDosHdr->e_lfanew);
pNTHeader64 = (PIMAGE_NT_HEADERS64)pNTHeader32;
BOOL bIs64Bit = ( pNTHeader32->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC );
nSections = pNTHeader32->FileHeader.NumberOfSections;
if (bIs64Bit) {
pSectionHdr = (PIMAGE_SECTION_HEADER)(pNTHeader64+1);
dwRVAdr = (DWORD)pNTHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
} else {
pSectionHdr = (PIMAGE_SECTION_HEADER)(pNTHeader32+1);
dwRVAdr = (DWORD)pNTHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
}
if (!dwRVAdr) return 2;
for (nCnt = 0; nCnt < nSections; nCnt++) {
if (pSectionHdr->VirtualAddress <= dwRVAdr &&
pSectionHdr->VirtualAddress + pSectionHdr->SizeOfRawData > dwRVAdr) break;
pSectionHdr++;
}
if (nCnt >= nSections) return 3;
iDelta = (INT) (pSectionHdr->VirtualAddress - pSectionHdr->PointerToRawData);
pExportDir = (PIMAGE_EXPORT_DIRECTORY)(pMem + dwRVAdr - iDelta);
nNames = pExportDir->NumberOfNames;
nBase = pExportDir->Base;
pNames = (PDWORD)(pMem + (DWORD)pExportDir->AddressOfNames - iDelta);
pOrd = (PWORD)(pMem + (DWORD)pExportDir->AddressOfNameOrdinals - iDelta);

pChar = (PCHAR)(pMem + pExportDir->Name - iDelta);
printf("LIBRARY %s\n", pChar);
printf("EXPORTS\n");
for (nCnt = 0; nCnt < nNames; nCnt++) {
//pChar = pChar + lstrlen(pChar) + 1;
//printf("%s\n", pChar);
pChar = (PCHAR)(pMem + *pNames++ - iDelta);
//printf("%s @%d\n", pChar, nBase+*pOrd++);
printf("%s\n", pChar);
}
return 0;
}


[HellOfMice]

Thank Timo, I always looked at it for import section.
It is crazy, I just have to find the good structure name to put on the datas

[Vortex]

Hi Philippe,

You can find Iczelion's PE \ Portable Executable Tutorials on the net.