News:

MASM32 SDK Description, downloads and other helpful links
MASM32.com New Forum Link
masmforum WebSite

problem reading struct member from a child struct

Started by white scorpion, March 09, 2005, 10:04:01 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions

white scorpion

March 09, 2005, 10:04:01 PM
Hi All,

i'm currently working on a program which dumps all the info about PE files to the screen.
i've already written one, but it reads the values straight out of thefile.

Now i'm trying to read the values after mapping the image into memory. unfortunately i can't figure out how to read specific structure members since the structure is a member of another structure as well.

I hope this makes sense  :red


here's the deal:

i'm using a function (MapViewOfFile) which returns a pointer to the mapping. i've figured out how to read the IMAGE_DOS_HEADER
by doing:
Code Select

assume eax:ptr IMAGE_DOS_HEADER

this allows me to access the members of the IMAGE_DOS_HEADER struct.

after this i do:
Code Select

add eax,[eax].e_lfanew
assume eax:ptr IMAGE_NT_HEADERS

which allows me to access the members of the IMAGE_NT_HEADERS structure like
Code Select

[eax].Signature


but this is as far as i get (thanks to iczelions tutorial i got at least this far :)).

the LOADED_IMAGE struct contains the following members:
Quote
typedef struct _LOADED_IMAGE {
  PSTR ModuleName;
  HANDLE hFile;
  PUCHAR MappedAddress;
  PIMAGE_NT_HEADERS32 FileHeader;
  PIMAGE_SECTION_HEADER LastRvaSection;
  ULONG NumberOfSections;
  PIMAGE_SECTION_HEADER Sections;
  ULONG Characteristics;
  BOOLEAN fSystemImage;
  BOOLEAN fDOSImage;
  LIST_ENTRY Links;
  ULONG SizeOfImage;
} LOADED_IMAGE,
*PLOADED_IMAGE;
accessing the members directly in the struct isn't that difficult, but accessing a member of let's say the IMAGE_SECTION_HEADER struct is my problem.

i hope i made my problem clear and i would be really grateful if someone could help me with it or point me to some document that can.


Thanks in advance  :U




Tedd

#1
March 10, 2005, 11:49:36 AM
I think you can do this:

mov eax,[eax].sections.somemember

BUT that will only work if sections was a structure nest inside the other structure.
In your case, it's actually a pointer to the structure. So once you have the pointer, you can use assume to cast it to the correct structure:

mov eax,[eax].sections
assume eax:ptr LOADED_IMAGE
.
.
No snowflake in an avalanche feels responsible.
Print
Go Up Pages1
User actions