Hi All,
I'm currently working on a program which dumps all the info about PE files to the screen.
I've already written one, but it reads the values straight out of the file.
Now I'm trying to read the values after mapping the image into memory. Unfortunately I can't figure out how to read specific structure members, since the structure is a member of another structure as well.
I hope this makes sense.
Here's the deal:
I'm using a function (MapViewOfFile) which returns a pointer to the mapping. I've figured out how to read the IMAGE_DOS_HEADER
by doing:
assume eax:ptr IMAGE_DOS_HEADER
This allows me to access the members of the IMAGE_DOS_HEADER struct.
After this I do:
add eax,[eax].e_lfanew
assume eax:ptr IMAGE_NT_HEADERS
which allows me to access the members of the IMAGE_NT_HEADERS structure, like
[eax].Signature
But this is as far as I get (thanks to Iczelion's tutorial I got at least this far :)).
The LOADED_IMAGE struct contains the following members:
typedef struct _LOADED_IMAGE {
    PSTR                  ModuleName;
    HANDLE                hFile;
    PUCHAR                MappedAddress;
    PIMAGE_NT_HEADERS32   FileHeader;
    PIMAGE_SECTION_HEADER LastRvaSection;
    ULONG                 NumberOfSections;
    PIMAGE_SECTION_HEADER Sections;
    ULONG                 Characteristics;
    BOOLEAN               fSystemImage;
    BOOLEAN               fDOSImage;
    LIST_ENTRY            Links;
    ULONG                 SizeOfImage;
} LOADED_IMAGE, *PLOADED_IMAGE;
Accessing the members directly in the struct isn't that difficult, but accessing a member of, let's say, the IMAGE_SECTION_HEADER struct is my problem.
I hope I made my problem clear, and I would be really grateful if someone could help me with it or point me to some document that can.
Thanks in advance.
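The walk described in the post (mapping base, then e_lfanew, then the NT headers) carried one step further to an IMAGE_SECTION_HEADER, as an added example in portable C rather than MASM; it is not code from the original post. The function names and the sample buffer are constructed for illustration, and every offset taken from the file is checked against the size of the mapped view before it is followed, since a PE dumper reads headers it cannot trust.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Little-endian readers; every caller bounds-checks first. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }

/* Offset of section header `idx` in the mapped view, or 0 if a header is
   malformed or would be read past `size`. Layout: e_lfanew at 0x3C, then
   Signature (4) + IMAGE_FILE_HEADER (20) + SizeOfOptionalHeader bytes,
   followed by NumberOfSections headers of 40 bytes each. */
size_t pe_section_header(const uint8_t *base, size_t size, unsigned idx)
{
    if (size < 0x40 || rd16(base) != 0x5A4D) return 0;        /* "MZ" */
    size_t nt = rd32(base + 0x3C);                            /* e_lfanew */
    if (nt > size || size - nt < 24) return 0;
    if (rd32(base + nt) != 0x00004550) return 0;              /* "PE\0\0" */
    if (idx >= (unsigned)rd16(base + nt + 6)) return 0;       /* NumberOfSections */
    size_t off = nt + 24 + rd16(base + nt + 20) + (size_t)idx * 40;
    if (off > size || size - off < 40) return 0;
    return off;
}

/* Reads Name (8 bytes, not always NUL-terminated) and VirtualAddress. */
int pe_section_info(const uint8_t *base, size_t size, unsigned idx,
                    char name[9], uint32_t *va)
{
    size_t off = pe_section_header(base, size, idx);
    if (off == 0) return -1;
    memcpy(name, base + off, 8);
    name[8] = '\0';
    *va = rd32(base + off + 12);
    return 0;
}

/* Constructed sample: header-only image with one ".text" section. */
size_t make_sample(uint8_t *buf, size_t cap)
{
    if (cap < 0x1A0) return 0;
    memset(buf, 0, cap);
    buf[0] = 'M'; buf[1] = 'Z'; buf[0x3C] = 0x80;   /* e_lfanew = 0x80 */
    memcpy(buf + 0x80, "PE\0\0", 4);
    buf[0x86] = 1;                                  /* NumberOfSections */
    buf[0x94] = 0xE0;                               /* SizeOfOptionalHeader */
    memcpy(buf + 0x178, ".text", 5);                /* 0x80 + 24 + 0xE0 */
    buf[0x178 + 13] = 0x10;                         /* VirtualAddress = 0x1000 */
    return 0x1A0;
}
```

The mapping base plus the returned offset is the address a register would hold before an `assume reg:ptr IMAGE_SECTION_HEADER`; adding 40 moves to the next section header.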