Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Categories

How to get the Exported/Imported function names from a DLL

Hey:

I am making a MFC program that explores the contents of an executable file (.exe or .dll), kind of "Dependency Walker". According to the info I have found about the PE file, the exported funtion names appear in the ".edata" section in the file. When I get the section names for the file, the ".edata" sections does not appears in the list, which makes me guess that this section does not actually exists in the file. So, how can I get the exported function names of the file, provided that the ".edata" does not exist in the .exe or .dll file? Thanks a lot for your help...John

Comments

  • edocecrousedocecrous Member Posts: 49
    Hi!

    First of all, the section names does not matter, it could be anything, because nothing reads it, or use it.

    Second, nearly any kind of data can be in any section, if the section is got the necessary read/write/execute privileges for that data type.
    /for example, you can put code in the .edata section, if you gave the section read/execute attributes/

    What you looking for is in the optional header (which is always there regardless of its name), and called directories. This is the last section of the PE header, and it's before the section headers.
    It starts with 'Number Of Directories' (usually at 00F4h in the file), it's a dword, telling how many directories follow. In Win 9x it must be 16, even if they are not used. On Win NT, could be less.
    After 'Number Of Directories' follow the directory entries, 2 dwords each, 16 in 9x, for example.
    The first dword is an RVA (Relative Virtual Address) of the data, the second is the size of the data. Each directory entry describes a different type of data, and number of the entry decides which type.
    The first is for the EXPORT table, the second is the IMPORT table, the third is for the RESOURCE table, and so on.

    This is an excerpt from a real .exe file:

    Offset
    ------
    00F4 00000010 Number Of Directories
    00F8 00000000 RVA Export Table
    00FC 00000000 Size Export Table
    0100 00001000 RVA Import Table
    0104 00000028 Size Import Table
    0108 00002000 RVA Resource Table
    010C 00000400 Size Resource Table
    .
    .
    .
    and so on.

    So this gives you the information, which important structures/data of the file are where... (in the memory)

    To figure out, which section the Export Table is, you have to look up this table, the first entry's first dword (RVA of Export Table), so you will know, where the Export table (will be) in the memory, when the file is loaded...
    Than, you have to go through the section headers, and check the RVA of the header. If the RVA of the Export Table is in the Range of the xxx section, than you have your section containing the Export Table.

    You do it this way:
    for example:
    The first section's RVA is 1000, the size of raw data is 200, than you know, if the Export Table is in this section, its RVA must be between 1000 and 1200. Now you check the RVA of the Export Table, it's 1000, so you have your section. But it is possible to have an RVA of 1050 for the Export Table, so it's still in the section, but starts at 50, not the beginning of the section, so don't assume, the Section and the Export table RVAs exactly match.

    For example, I wrote a program using machine code only (below assembly), and I used only 1 section, so all my export/import tables and the code are in the same section, at different offsets.

    The computer uses the Data Directories to find important structures, the sections only placeholders, an aid for modular programming...

    I hope I could help a little, and if you are good with MFC, (which I will not learn), and have spare time, we could team up, I can tell you from sound to graphics programing, (or wahatever you are interested) and you could write simple applications fast with MFC, so I don't have to kill 3 days with Win32/GDI to create a setup screen for my program, when you can do it in 3 minutes with MFC...
    (If you are a good programmer, this is a friendly invitation to join a group. If interested, drop me a mail at edocecrous@angelfire.com)

    Edocecrous
    (system/game programmer)

    ps.:I nearly forgot: If a the RVA and the SIZE for a Data Directory entry both 00000000, than there is no such data in the file. So if the first entry 0 than it has no Export Table, if the second, than it has no Import table, and so on.
  • Justin BibJustin Bib USAMember Posts: 0

    ________ | http://forcoder.org | free ebooks and video tutorials about \ Scratch, Visual Basic .NET, R, Assembly, C#, MATLAB, Java, Ruby, Python, PL/SQL, Delphi, Visual Basic, Swift, PHP, C++, JavaScript, Perl, C, Objective-C, Go Bash, Apex, ABAP, Hack, F#, Clojure, Scheme, Dart, Transact-SQL, VBScript, Lisp, D, Logo, ML, COBOL, Ada, Crystal, Awk, Fortran, Erlang, Prolog, Rust, Julia, Lua, SAS, LabVIEW, Alice, Kotlin, Scala, FoxPro \ _______

Sign In or Register to comment.