I’m trying to write an exe packer for Windows. I’ve got some of the basics worked out so far. The part I’m up to though is reading the “BOUND IMPORT Directory Table” (or .idata section?), basically the section of the PE file that contains the list of DLLs that the loader needs to import.
I’m wondering what the best way to either:
[A] find out where the IAT is (because running PEView against a few different .exe’s seems to show that this list can be contained in multiple different places) and then read the list
OR
[B] Just find a way to directly read the list of DLLs that an exe needs to import.
Is there a way of doing this? Is there any further reading people can recommend on where the IAT should be and how does one read it?
Yes, you can find the IAT by wading through the executable’s headers. Look in winnt.h for the header declarations.
For an excellent breakdown of how to find information in the headers, see Matt Pietrek’s series in MSDN Magazine, “An In-Depth Look into the Win32 Portable Executable File Format”, Parts I and II.
You can also obtain the actual Microsoft PE specification from here.
TL;DR: Basically the sequence of lookups is as follows:
1. IMAGE_DOS_HEADER structure.
2. e_lfanew field to get to the IMAGE_NT_HEADERS structure.
3. OptionalHeader to get to the IMAGE_OPTIONAL_HEADER structure (despite its name, it’s no longer optional).
4. DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT] to an array of IMAGE_IMPORT_DESCRIPTOR structures. There’s one entry per imported DLL. The last entry in this array will be zeroed out.
5. Name field in each entry is an RVA that points to the DLL’s name. The FirstThunk field is an RVA that points to that DLL’s IAT, which is an array of IMAGE_THUNK_DATA structures.
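The lookup sequence from the answer above, written out as an added example that is not part of the original question or answer. It reads the file from disk, so each RVA is first mapped to a file offset through the section table. The names `read_imports`, `rva_to_offset` and `build_sample` belong to this example only, and the sample bytes are constructed.

```python
import struct

def rva_to_offset(rva, sections):
    # On disk, an RVA must be mapped through the section table to a file offset.
    for _vsize, vaddr, raw_size, raw_ptr in sections:
        if vaddr <= rva < vaddr + raw_size:
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section's raw data")

def read_imports(data):
    """Return [(dll_name, first_thunk_rva), ...] from the raw bytes of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    nt = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, opt_size = struct.unpack_from("<H12xH", data, nt + 6)
    opt = nt + 24                                            # OptionalHeader
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = {0x10B: 96, 0x20B: 112}.get(magic)                  # PE32 / PE32+
    if dd is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    import_rva = struct.unpack_from("<I", data, opt + dd + 8)[0]  # DataDirectory[1]
    if import_rva == 0:
        return []
    sections = [struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8)
                for i in range(nsections)]
    off, found = rva_to_offset(import_rva, sections), []
    while True:
        desc = struct.unpack_from("<5I", data, off)          # IMAGE_IMPORT_DESCRIPTOR
        if not any(desc):                                    # zeroed terminator
            return found
        name_off = rva_to_offset(desc[3], sections)          # Name
        name = data[name_off:data.index(b"\0", name_off)].decode("ascii")
        found.append((name, desc[4]))                        # FirstThunk = IAT RVA
        off += 20

def build_sample():
    # Constructed input: only the fields the walk reads, not a loadable EXE.
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H102xII", 0x10B, 0x2000, 60).ljust(224, b"\0")
    sect = struct.pack("<8s4I", b".idata", 0x100, 0x2000, 0x200, 0x200).ljust(40, b"\0")
    body = bytearray(0x200)
    struct.pack_into("<10I", body, 0, 0x2060, 0, 0, 0x2040, 0x2080, 0x2070, 0, 0, 0x2050, 0x2090)
    struct.pack_into("<13s", body, 0x40, b"KERNEL32.dll")
    struct.pack_into("<11s", body, 0x50, b"USER32.dll")
    headers = dos + b"PE\0\0" + file_hdr + bytes(opt) + sect
    return headers.ljust(0x200, b"\0") + bytes(body)
```

For a real file, pass `open(path, "rb").read()` to `read_imports`; for a module already mapped by the loader the RVAs are offsets from the image base and the section-table mapping is not needed.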