Printing out the names of implicitly linked dll's from .idata section in a PE file

**juice** · 03-11-2012

I am trying to write a code which is supposed to print out the names of all the imported dll's in the exe by using the 'name' field of the IMAGE_IMPORT_DESCRIPTOR structure in the .idata section of the exe, but the program seems to be getting stuck in an infinite loop. Can someone please tell me how to get the names printed out correctly...

Code:

    #include<iostream>
    #include<Windows.h>
    #include<stdio.h>
    #include<WinNT.h>

    int main()
    {
        FILE *fp; 
        int i;

        if((fp = fopen("c:\\Linked List.exe","rb"))==NULL)
            std::cout<<"unable to open";


        IMAGE_DOS_HEADER imdh;
        fread(&imdh,sizeof(imdh),1,fp);
        fseek(fp,imdh.e_lfanew,0);

        IMAGE_NT_HEADERS imnth;
        fread(&imnth,sizeof(imnth),1,fp);

        IMAGE_SECTION_HEADER *pimsh;
        pimsh = (IMAGE_SECTION_HEADER *)malloc(sizeof(IMAGE_SECTION_HEADER) * imnth.FileHeader.NumberOfSections);

        long t;

        fread(pimsh,sizeof(IMAGE_SECTION_HEADER),imnth.FileHeader.NumberOfSections,fp);

        for(i=0;i<imnth.FileHeader.NumberOfSections;i++)
        {
            if(!strcmp((char *)pimsh->Name,".idata"))
                t = pimsh->PointerToRawData;
            pimsh++;
        }

        fseek(fp,t,0);

        IMAGE_IMPORT_DESCRIPTOR iid;
        char c;

        while(1)
        {
            fread(&iid,sizeof(iid),1,fp);

            if(iid.Characteristics == NULL)
                break;

            t = ftell(fp);

            fseek(fp,(long)iid.Name,0);

            while(c=fgetc(fp))
                printf("%c",c);
            printf("\n");

            fseek(fp,t,0);

        }
    }

**oogabooga** · 03-11-2012

The reason for the infinite loop is that you're not checking for EOF from fgetc(). If you print out iid.Name you'll see that it's past the end of the file (at least for the file I tested). It probably represents a virtual address in memory for use after the image has been mapped, not a file offset. There should be a number stored somewhere that you can subtract from it to get the file offset.

Get this tool, FileAlyzer. When installed, it adds a right-click menu item "Analyze with FileAlyzer". It shows the file in hex, lets you search for strings (right-click, pick "Scan for strings", then pick the Filenames tab at the right) and most helpfully for your needs, shows the MZ and PE headers and also the PE Imports, etc.

Using it I found that the strings you want exist at iid.Name - 74752 (0x12400). However, I can't see where that number is stored and I've already spent about 20 minutes playing around with it, so that's it for me!

Oh yeah, there's also this docx file describing the PE format.

**juice** · 03-11-2012

Originally Posted by oogabooga

Get this tool, FileAlyzer. When installed, it adds a right-click menu item "Analyze with FileAlyzer". It shows the file in hex, lets you search for strings (right-click, pick "Scan for strings", then pick the Filenames tab at the right) and most helpfully for your needs, shows the MZ and PE headers and also the PE Imports, etc.

Using it I found that the strings you want exist at iid.Name - 74752 (0x12400). However, I can't see where that number is stored

Thanks for the tip, I can carry on from here.

Thread: Printing out the names of implicitly linked dll's from .idata section in a PE file

Thread Tools

Search Thread

Display

Printing out the names of implicitly linked dll's from .idata section in a PE file

Similar Threads

Printing all the variable names in a program.

Adding directory/file names to a linked list

Threads, Linked Lists, Semaphores, Critical Section ...

was previously implicitly declared to return `int'

is there a way to write the file names in a folder in a text file?