shifat627

View import table of pe in C

Feb 22nd, 2017
#include <windows.h>
#include <dbghelp.h>
#include <stdio.h>
#include <string.h>
  4.  
/*
 * Pick the RVA of the thunk array to walk for one import descriptor.
 *
 * OriginalFirstThunk is used when it is non-zero; otherwise the function
 * falls back to FirstThunk. The caller owns `im` and must ensure it points
 * at a readable IMAGE_IMPORT_DESCRIPTOR; no validation is done here.
 */
DWORD get_thunk(PIMAGE_IMPORT_DESCRIPTOR im)
{
    const DWORD lookup_rva = im->OriginalFirstThunk;

    return lookup_rva != 0 ? lookup_rva : im->FirstThunk;
}
  12.  
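/*
 * Returns nonzero when the `need` bytes starting at `p` lie inside the
 * `size`-byte file view that starts at `base`.
 */
static int in_view(const BYTE *base, ULONGLONG size, const void *p, ULONGLONG need)
{
    ULONG_PTR lo = (ULONG_PTR)base;
    ULONG_PTR at = (ULONG_PTR)p;
    ULONGLONG off;

    if (p == NULL || at < lo)
        return 0;
    off = (ULONGLONG)(at - lo);
    return off <= size && need <= size - off;
}

/*
 * Translate an RVA taken from the file into a pointer inside the view.
 * Returns NULL when the RVA is zero, does not fit in 32 bits, is not
 * resolved by ImageRvaToVa(), or when `need` bytes at the result would
 * run past the end of the file. The range is re-checked here rather than
 * relying on ImageRvaToVa() to compare against the file length.
 */
static void *map_rva(PIMAGE_NT_HEADERS nt, const BYTE *base, ULONGLONG size,
                     ULONGLONG rva, ULONGLONG need)
{
    void *p;

    if (rva == 0 || rva > 0xFFFFFFFFull)
        return NULL;
    p = ImageRvaToVa(nt, (PVOID)base, (ULONG)rva, NULL);
    return in_view(base, size, p, need) ? p : NULL;
}

/*
 * Like map_rva(), but for a NUL-terminated string that starts `skip` bytes
 * after the RVA. Returns NULL unless a terminator is found before the end
 * of the file, so the caller can hand the result to "%s" safely.
 */
static const char *map_rva_str(PIMAGE_NT_HEADERS nt, const BYTE *base,
                               ULONGLONG size, ULONGLONG rva, ULONGLONG skip)
{
    const BYTE *p = (const BYTE *)map_rva(nt, base, size, rva, skip + 1);
    ULONGLONG left;

    if (p == NULL)
        return NULL;
    p += skip;
    left = size - (ULONGLONG)(p - base);
    return memchr(p, '\0', (size_t)left) != NULL ? (const char *)p : NULL;
}

/*
 * Print the import table (DLL names, imported function names or ordinals)
 * of the 64-bit PE file named on the command line.
 *
 * The file is memory-mapped read-only and every offset, RVA and string
 * taken from it is checked against the file size before it is
 * dereferenced, because the input may be malformed or hostile.
 *
 * `i` is the argument count and `a` the argument vector.
 * Returns 0 on success (including "no import table"), 1 on any failure.
 *
 * NOTE: the generic PIMAGE_NT_HEADERS / PIMAGE_THUNK_DATA typedefs follow
 * the build target, so they only match the 64-bit check below when this
 * program is itself built for x64. For 32-bit images, compare against
 * IMAGE_NT_OPTIONAL_HDR32_MAGIC and build for x86.
 * NOTE: DLL and function names are printed as found in the file; bytes
 * that are not printable are not filtered.
 */
int main(int i,char *a[])
{
    HANDLE file = INVALID_HANDLE_VALUE;
    HANDLE file_map = NULL;
    BYTE *base = NULL;
    LARGE_INTEGER fsize;
    ULONGLONG size, nt_off, hdr_min;
    PIMAGE_DOS_HEADER dos;
    PIMAGE_NT_HEADERS nt;
    PIMAGE_SECTION_HEADER sec;
    PIMAGE_DATA_DIRECTORY dir;
    PIMAGE_IMPORT_DESCRIPTOR import;
    PIMAGE_THUNK_DATA thunk;
    const char *dll_name, *func_name;
    const char *err = NULL;
    int count;
    int rc = 1;

    if (i != 2) {
        printf("Usage: %s <PE>\n", (i > 0 && a[0] != NULL) ? a[0] : "<program>");
        return 1;
    }

    /* CreateFileA reports failure with INVALID_HANDLE_VALUE, not NULL. */
    file = CreateFileA(a[1], GENERIC_READ, FILE_SHARE_READ, NULL,
                       OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (file == INVALID_HANDLE_VALUE) {
        err = "Failed to open file";
        goto cleanup;
    }

    /* The file size is the bound for every later access into the view. */
    if (!GetFileSizeEx(file, &fsize)) {
        err = "GetFileSizeEx() Failed";
        goto cleanup;
    }
    size = (ULONGLONG)fsize.QuadPart;

    file_map = CreateFileMappingA(file, NULL, PAGE_READONLY, 0, 0, NULL);
    if (file_map == NULL) {
        err = "CreateFileMappingA() Failed";
        goto cleanup;
    }

    base = (BYTE *)MapViewOfFile(file_map, FILE_MAP_READ, 0, 0, 0);
    if (base == NULL) {
        err = "MapViewOfFile() Failed";
        goto cleanup;
    }

    if (size < sizeof(IMAGE_DOS_HEADER)) {
        err = "Invalid PE";
        goto cleanup;
    }
    dos = (PIMAGE_DOS_HEADER)base;
    if (dos->e_magic != IMAGE_DOS_SIGNATURE) {
        err = "Invalid PE";
        goto cleanup;
    }

    /*
     * e_lfanew is a signed, file-supplied offset. First make sure the
     * signature, file header and optional-header magic are inside the
     * file; the full 64-bit header is only required once the magic says
     * that is what follows.
     */
    hdr_min = FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader) + sizeof(WORD);
    if (dos->e_lfanew <= 0) {
        err = "Invalid PE";
        goto cleanup;
    }
    nt_off = (ULONGLONG)dos->e_lfanew;
    if (nt_off > size || hdr_min > size - nt_off) {
        err = "Invalid PE";
        goto cleanup;
    }
    nt = (PIMAGE_NT_HEADERS)(base + nt_off);

    if (nt->Signature != IMAGE_NT_SIGNATURE) {
        err = "Invalid PE";
        goto cleanup;
    }

    if (nt->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
        err = "This is not 64 bit PE";
        goto cleanup;
    }
    if (sizeof(IMAGE_NT_HEADERS) > size - nt_off) {
        err = "Invalid PE";
        goto cleanup;
    }

    /*
     * ImageRvaToVa() walks the section table, so the whole table has to
     * be inside the file before any RVA is translated.
     */
    sec = IMAGE_FIRST_SECTION(nt);
    if (!in_view(base, size, sec,
                 (ULONGLONG)nt->FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER))) {
        err = "Invalid PE";
        goto cleanup;
    }

    dir = &nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (nt->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_IMPORT ||
        dir->VirtualAddress == 0) {
        err = "There is no import table in this PE";
        rc = 0; /* not a failure: the image simply imports nothing */
        goto cleanup;
    }

    import = (PIMAGE_IMPORT_DESCRIPTOR)map_rva(nt, base, size, dir->VirtualAddress,
                                               sizeof *import);
    if (import == NULL) {
        err = "Import directory RVA does not map into the file";
        goto cleanup;
    }

    /* The descriptor array ends with an all-zero entry (Name == 0). */
    for (;; import++) {
        if (!in_view(base, size, import, sizeof *import)) {
            err = "Import descriptor table runs past the end of the file";
            goto cleanup;
        }
        if (import->Name == 0)
            break;

        dll_name = map_rva_str(nt, base, size, import->Name, 0);
        if (dll_name == NULL) {
            printf("\t\tDll Name: <invalid name RVA %#lx>\n", (unsigned long)import->Name);
            continue;
        }
        printf("\t\tDll Name: %s\n", dll_name);

        thunk = (PIMAGE_THUNK_DATA)map_rva(nt, base, size, get_thunk(import), sizeof *thunk);
        if (thunk == NULL) {
            printf("<thunk table RVA does not map into the file>\n");
            continue;
        }

        for (count = 0;; thunk++) {
            if (!in_view(base, size, thunk, sizeof *thunk)) {
                printf("<thunk table runs past the end of the file>\n");
                break;
            }
            if (thunk->u1.AddressOfData == 0)
                break;

            count++;
            if (thunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) {
                /* IMAGE_ORDINAL() keeps the low 16 bits; cast to match %#x. */
                printf("%d. Unknown Function - Function ordinal: %#x\n", count,
                       (unsigned)IMAGE_ORDINAL(thunk->u1.Ordinal));
            } else {
                /* The name follows the Hint field of IMAGE_IMPORT_BY_NAME. */
                func_name = map_rva_str(nt, base, size, thunk->u1.AddressOfData,
                                        FIELD_OFFSET(IMAGE_IMPORT_BY_NAME, Name));
                if (func_name == NULL)
                    printf("%d. <invalid name RVA>\n", count);
                else
                    printf("%d. %s\n", count, func_name);
            }
        }
    }

    rc = 0;

cleanup:
    if (err != NULL)
        printf("%s\n", err);
    if (base != NULL)
        UnmapViewOfFile(base);
    if (file_map != NULL)
        CloseHandle(file_map);
    if (file != INVALID_HANDLE_VALUE)
        CloseHandle(file);
    return rc;
}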