I'm making a series of functions analogous to the ntdll PE functions that are found inside ntdll.dll, imagehlp.dll and dbghelp.dll.
RosAsm syntax. More functions at the RosAsm board. Feel free to port it to masm or fasm, etc.
;;
RtlImageDirectoryEntryToData
Obtains access to image-specific data.
This function locates a Directory Entry within the image header and returns either the virtual address or seek address of the
data the Directory describes.
This function has been superseded by the RtlImageDirectoryEntryToDataEx function.
Use RtlImageDirectoryEntryToDataEx to retrieve the section header.
Parameters:
BaseAddress [in]: A pointer to the base address of the image. The 'MZ' signature.
MappedAsImage [in]: If this parameter is TRUE, the file is mapped by the system as an image. If the flag is FALSE, the file is mapped as a data file by the MapViewOfFile function.
DirectoryEntry [in]: The index number of the desired directory entry. This parameter can be one of the following values.
    Equate Name                             Value   Meaning
    IMAGE_DIRECTORY_ENTRY_ARCHITECTURE      7       Architecture-specific data
    IMAGE_DIRECTORY_ENTRY_BASERELOC         5       Base relocation table
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT      11      Bound import directory
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR    14      COM descriptor table
    IMAGE_DIRECTORY_ENTRY_DEBUG             6       Debug directory
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT      13      Delay import table
    IMAGE_DIRECTORY_ENTRY_EXCEPTION         3       Exception directory
    IMAGE_DIRECTORY_ENTRY_EXPORT            0       Export directory
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR         8       The relative virtual address of global pointer
    IMAGE_DIRECTORY_ENTRY_IAT               12      Import address table
    IMAGE_DIRECTORY_ENTRY_IMPORT            1       Import directory
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG       10      Load configuration directory
    IMAGE_DIRECTORY_ENTRY_RESOURCE          2       Resource directory
    IMAGE_DIRECTORY_ENTRY_SECURITY          4       Security directory
    IMAGE_DIRECTORY_ENTRY_TLS               9       Thread local storage directory
Size [out]: A pointer to a variable that receives the size of the data for the directory entry, in bytes.
Return value:
If the function succeeds, the return value is a pointer to the directory entry's data.
If the function fails, the return value is NULL. To retrieve extended error information, call GetLastError.
Remarks:
The ImageDirectoryEntryToData function is used to obtain access to image-specific data.
All DbgHelp functions, such as this one, are single threaded. Therefore, calls from more than one thread to this function
will likely result in unexpected behavior or memory corruption. To avoid this, you must synchronize all concurrent calls
from more than one thread to this function.
This function has the same functionality as the one existing inside ntdll and the function ImageDirectoryEntryToData from Dbghelp.dll
Example:
call RtlImageDirectoryEntryToData D@pFileData, &FALSE, &IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT, LoaderSize
Bibliography:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms680149(v=vs.85).aspx
http://www.wasm.ru/forum/viewtopic.php?id=28082
Author:
Gustavo Trigueiros (aka: Beyond2000! or Guga)
;;
Proc RtlImageDirectoryEntryToData:
    Arguments @BaseAddress, @MappedAsImage, @Directory, @pSize
    Uses ebx

    mov ebx D@BaseAddress
    ; Bit 0 of the base address set = module was loaded as a data file:
    ; clear the flag bit and treat the view as a flat file mapping.
    Test_If bl 1
        and ebx 0-02
        mov D@MappedAsImage 0
    Test_End

    call RtlpImageNtHeader ebx ; eax = NT headers, or 0 on failure
    On eax = 0, ExitP

    ; Dispatch on the optional header magic (PE32 or PE32+)
    If W$eax+PeHeader.OptionalHeader.MagicDis = &IMAGE_NT_OPTIONAL_HDR32_MAGIC
        call RtlpImageDirectoryEntryToData32 ebx, D@MappedAsImage, D@Directory, D@pSize, eax
    Else_If W$eax+PeHeader.OptionalHeader.MagicDis = &IMAGE_NT_OPTIONAL_HDR64_MAGIC
        call RtlpImageDirectoryEntryToData64 ebx, D@MappedAsImage, D@Directory, D@pSize, eax
    Else
        xor eax eax ; unknown magic: return NULL
    End_If

EndP
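
The procedure above only picks the 32- or 64-bit helper, and those helpers are not shown in this post. As an added example (C, not the author's RosAsm code), here is a bounds-checked PE32 lookup for untrusted files. It assumes the usual rule: the RVA is used directly for an image mapping or when it lies below SizeOfHeaders, and is otherwise translated through the section table. The names dir_entry_offset and make_sample and the sample image are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

static uint32_t rd16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Offset of directory `dir` inside buf (PE32 only), or 0 on failure; *size gets its byte size. */
size_t dir_entry_offset(const uint8_t *buf, size_t len, int mapped_as_image,
                        uint32_t dir, uint32_t *size)
{
    if (len < 0x40 || rd16(buf) != 0x5A4D) return 0;             /* 'MZ' */
    size_t nt = rd32(buf + 0x3C);                                 /* e_lfanew */
    if (nt > len || len - nt < 24 + 96) return 0;                 /* signature + file header + fixed optional header */
    const uint8_t *oh = buf + nt + 24;                            /* optional header */
    if (rd32(buf + nt) != 0x4550 || rd16(oh) != 0x10B) return 0;  /* 'PE\0\0' and PE32 magic */
    size_t nsec = rd16(buf + nt + 6), opt = rd16(buf + nt + 20);  /* NumberOfSections, SizeOfOptionalHeader */
    if (dir >= 16 || dir >= rd32(oh + 92)) return 0;              /* NumberOfRvaAndSizes */
    if (opt < 96 + 8 * (dir + 1) || opt > len - nt - 24) return 0;
    size_t rva = rd32(oh + 96 + 8 * dir), sz = rd32(oh + 100 + 8 * dir);
    if (rva == 0) return 0;                                       /* directory not present */
    uint64_t off = 0; size_t sec = nt + 24 + opt;                 /* sec = start of section table */
    if (mapped_as_image || rva < rd32(oh + 60)) off = rva;        /* image view, or inside SizeOfHeaders */
    else if (nsec <= (len - sec) / 40)                            /* data file: walk the section table */
        for (size_t i = 0; i < nsec; i++) {
            const uint8_t *s = buf + sec + 40 * i;
            size_t va = rd32(s + 12), raw = rd32(s + 16);         /* VirtualAddress, SizeOfRawData */
            if (rva >= va && rva - va < raw) { off = (uint64_t)rd32(s + 20) + (rva - va); break; }
        }
    if (off == 0 || off > len || sz > len - off) return 0;        /* data must lie inside the buffer */
    *size = (uint32_t)sz;
    return (size_t)off;
}

/* Constructed sample: PE32 with one section (RVA 0x1000, 0x200 raw bytes at file
   offset 0x200) and an import directory at RVA 0x1010, size 0x28. */
void make_sample(uint8_t img[0x400])
{
    memset(img, 0, 0x400);
    img[0] = 'M'; img[1] = 'Z'; wr32(img + 0x3C, 0x40);
    uint8_t *nt = img + 0x40, *oh = nt + 24, *s = oh + 224;
    wr32(nt, 0x4550); nt[6] = 1; nt[20] = 224;                    /* 1 section, SizeOfOptionalHeader */
    oh[0] = 0x0B; oh[1] = 0x01; wr32(oh + 60, 0x200); wr32(oh + 92, 16);
    wr32(oh + 96 + 8 * 1, 0x1010); wr32(oh + 100 + 8 * 1, 0x28);  /* IMAGE_DIRECTORY_ENTRY_IMPORT = 1 */
    wr32(s + 12, 0x1000); wr32(s + 16, 0x200); wr32(s + 20, 0x200);
}

int main(void) { uint8_t img[0x400]; uint32_t sz = 0; make_sample(img); return dir_entry_offset(img, sizeof img, 0, 1, &sz) == 0x210 ? 0 : 1; }
```

Unlike the ntdll-style interface, this version takes the buffer length, so a truncated file or an oversized directory entry yields 0 instead of a pointer outside the mapping.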