shifat627

View the import table of a PE file in C

Feb 22nd, 2017
  1. #include<windows.h>
  2. #include<stdio.h>
  3. #include<dbghelp.h>
  4.  
  /*
   * Choose which thunk-array RVA to walk for one import descriptor.
   *
   * Returns im->OriginalFirstThunk when it is non-zero, otherwise
   * im->FirstThunk.  The value is an RVA taken straight from the file;
   * the caller must translate and range-check it before dereferencing.
   */
  DWORD get_thunk(PIMAGE_IMPORT_DESCRIPTOR im)
  {
      return (im->OriginalFirstThunk != 0) ? im->OriginalFirstThunk
                                           : im->FirstThunk;
  }
  12.  
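  /*
   * True when the len bytes starting at p lie entirely inside the mapped
   * view [base, base+size).  Addresses are compared as integers, so a NULL
   * or out-of-range pointer is rejected without being dereferenced.
   */
  static int in_view(LPCVOID base, ULONGLONG size, LPCVOID p, ULONGLONG len)
  {
      ULONG_PTR lo = (ULONG_PTR)base;
      ULONG_PTR at = (ULONG_PTR)p;
      ULONGLONG off;

      if (p == NULL || at < lo)
          return 0;
      off = (ULONGLONG)(at - lo);
      return off <= size && len <= size - off;
  }

  /*
   * True when s points into the view and a NUL terminator occurs before the
   * end of the view, so printing it with %s cannot read past the mapping.
   */
  static int str_in_view(LPCVOID base, ULONGLONG size, const char *s)
  {
      ULONGLONG room, n;

      if (!in_view(base, size, s, 1))
          return 0;
      room = size - (ULONGLONG)((ULONG_PTR)s - (ULONG_PTR)base);
      for (n = 0; n < room; n++) {
          if (s[n] == '\0')
              return 1;
      }
      return 0;
  }

  /*
   * Print the import table (DLL names and imported functions) of the 64-bit
   * PE file named on the command line.
   *
   * The file is mapped read-only and parsed in place.  Its contents are
   * treated as untrusted: every offset or RVA read from the file is checked
   * against the size of the mapping before the resulting pointer is
   * dereferenced, so a truncated or deliberately malformed image produces a
   * message instead of an access violation.
   *
   * i, a: argc/argv; exactly one argument (the PE path) is expected.
   * Returns 0 in all cases, as the original listing did.
   *
   * Build as a 64-bit program (PIMAGE_NT_HEADERS / PIMAGE_THUNK_DATA must be
   * the 64-bit layouts) and link against dbghelp for ImageRvaToVa().
   * Names are printed verbatim from the file, including any control bytes.
   */
  int main(int i,char *a[])
  {
      HANDLE file=INVALID_HANDLE_VALUE,file_map=NULL;
      LPVOID base=NULL;
      LARGE_INTEGER fsize;
      ULONGLONG size,name_rva;
      PIMAGE_DOS_HEADER dos;
      PIMAGE_NT_HEADERS nt;
      PIMAGE_SECTION_HEADER sec;
      PIMAGE_IMPORT_DESCRIPTOR import;
      PIMAGE_THUNK_DATA thunk;
      PIMAGE_IMPORT_BY_NAME f;
      LPSTR dll_name;
      int count;

      if(i!=2)
      {
          printf("Usage: %s <PE>\n",a[0]);
          return 0;
      }

      /* CreateFileA reports failure with INVALID_HANDLE_VALUE, not NULL. */
      file=CreateFileA(a[1],GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
      if(file==INVALID_HANDLE_VALUE)
      {
          printf("Failed to open file");
          goto done;
      }

      file_map=CreateFileMappingA(file,NULL,PAGE_READONLY,0,0,NULL);
      if(file_map==NULL)
      {
          printf("CreateFileMappingA() Failed");
          goto done;
      }

      base=MapViewOfFile(file_map,FILE_MAP_READ,0,0,0);
      if(base==NULL)
      {
          printf("MapViewOfFile() Failed");
          goto done;
      }

      /* The file size bounds every later read from the view. */
      if(!GetFileSizeEx(file,&fsize) || fsize.QuadPart<0)
      {
          printf("GetFileSizeEx() Failed");
          goto done;
      }
      size=(ULONGLONG)fsize.QuadPart;

      dos=(PIMAGE_DOS_HEADER)base;
      if(size<sizeof(IMAGE_DOS_HEADER) || dos->e_magic!=IMAGE_DOS_SIGNATURE)
      {
          printf("Invalid PE");
          goto done;
      }

      /* e_lfanew is a signed, file-controlled offset: validate it as an
         integer before forming a pointer from it. */
      if(dos->e_lfanew<0 || size<sizeof(IMAGE_NT_HEADERS) ||
         (ULONGLONG)dos->e_lfanew>size-sizeof(IMAGE_NT_HEADERS))
      {
          printf("Invalid PE");
          goto done;
      }
      nt=(PIMAGE_NT_HEADERS)((BYTE *)base+dos->e_lfanew);

      if(nt->Signature!=IMAGE_NT_SIGNATURE)
      {
          printf("Invalid PE");
          goto done;
      }

      if(nt->OptionalHeader.Magic!=IMAGE_NT_OPTIONAL_HDR64_MAGIC) //for 32bit , use IMAGE_NT_OPTIONAL_HDR32_MAGIC
      {
          printf("This is not 64 bit PE");
          goto done;
      }

      /* First section header.  ImageRvaToVa() resolves RVAs through the
         section table, so the whole table must lie inside the view. */
      sec=IMAGE_FIRST_SECTION(nt);
      if(!in_view(base,size,sec,(ULONGLONG)nt->FileHeader.NumberOfSections*sizeof(IMAGE_SECTION_HEADER)))
      {
          printf("Invalid PE");
          goto done;
      }

      if(nt->OptionalHeader.NumberOfRvaAndSizes<=IMAGE_DIRECTORY_ENTRY_IMPORT ||
         nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress==0)
      {
          printf("There is no import table in this PE");
          goto done;
      }

      import=(PIMAGE_IMPORT_DESCRIPTOR)ImageRvaToVa(nt,base,nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress,NULL);

      /* One descriptor per imported DLL, terminated by an entry whose Name is 0.
         The range check also catches a NULL from ImageRvaToVa() and a table
         with no terminator. */
      for(;;import++)
      {
          if(!in_view(base,size,import,sizeof(*import)))
          {
              printf("Malformed import table\n");
              break;
          }
          if(import->Name==0)
              break;

          dll_name=(LPSTR)ImageRvaToVa(nt,base,import->Name,NULL);
          printf("\t\tDll Name: %s\n",str_in_view(base,size,dll_name)?dll_name:"<invalid name RVA>");

          thunk=(PIMAGE_THUNK_DATA)ImageRvaToVa(nt,base,get_thunk(import),NULL);
          count=0;
          for(;;thunk++)
          {
              if(!in_view(base,size,thunk,sizeof(*thunk)))
              {
                  printf("Malformed thunk table\n");
                  break;
              }
              if(thunk->u1.AddressOfData==0)
                  break;

              count++;
              if(thunk->u1.Ordinal & IMAGE_ORDINAL_FLAG)
              {
                  /* IMAGE_ORDINAL() yields a 64-bit value here; %#x expects unsigned int. */
                  printf("%d. Unknown Function - Function ordinal: %#x\n",count,(unsigned)IMAGE_ORDINAL(thunk->u1.Ordinal));
              }
              else
              {
                  /* ImageRvaToVa() takes a 32-bit RVA; reject wider values
                     instead of silently truncating them. */
                  name_rva=thunk->u1.AddressOfData;
                  f=NULL;
                  if(name_rva<=0xFFFFFFFFull)
                      f=(PIMAGE_IMPORT_BY_NAME)ImageRvaToVa(nt,base,(ULONG)name_rva,NULL);

                  if(f==NULL || !str_in_view(base,size,(const char *)f->Name))
                      printf("%d. <invalid name RVA>\n",count);
                  else
                      printf("%d. %s\n",count,(LPSTR)f->Name);
              }
          }
      }

  done:
      /* Release the view and both handles on every exit path. */
      if(base!=NULL)
          UnmapViewOfFile(base);
      if(file_map!=NULL)
          CloseHandle(file_map);
      if(file!=INVALID_HANDLE_VALUE)
          CloseHandle(file);
      return 0;
  }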