Search code examples
javaportable-executabledisassembly

How to get DLLs, function names, and addresses from the Import Table with PortEx?

I'm using the PortEx Java library for PE32 parsing with the Capstone disassembler, and I'd like to be able to have the disassembly replace the appropriate call 0x404040 lines to be something like call SomeDLL:TheFunc. To do this, I need the imports from the Import Table. I am able to get the DLL name and function, but the address reported by PortEx is way off, ex: 0x32E8 vs. 0x402004 as reported by the pefile Python module. I have tried looking at some of the offsets as part of the ImportSection, ImportDLL, and NameImport classes in PortEx, but it doesn't get close. The Any thoughts?

import com.github.katjahahn.parser.*;
public class ImportsExtractor {
    public static Map<Integer,String> extract(PEData exe) throws IOException {
        Map<Integer,String> importList = new HashMap<>();

        SectionLoader loader = new SectionLoader(exe);
        ImportSection idata = loader.loadImportSection();
        List<ImportDLL> imports = idata.getImports();
        for(ImportDLL dll : imports) {
            for(NameImport nameImport : dll.getNameImports()) {
                long addr = nameImport.getRVA(); // Some offset needed?
                System.out.format("0x%X\t%s:%s%n", addr, dll.getName(), nameImport.getName());
                importList.put((int)addr, dll.getName() + ":" + nameImport.getName());
            }
        }
        return importList;
    }
}

I'd like to be able to grab the address from a line of assembly, see if it's in importList, and if so, replace the address with the value in importList.

Solution

  • From the author:

    public static Map<Integer,String> extract(PEData exe) throws IOException {
    Map<Integer,String> importList = new HashMap<>();

    SectionLoader loader = new SectionLoader(exe);
    ImportSection idata = loader.loadImportSection();
    List<ImportDLL> imports = idata.getImports();
    for(ImportDLL dll : imports) {
        for(NameImport nameImport : dll.getNameImports()) {
            long iat = nameImport
                    .getDirEntryValue(DirectoryEntryKey.I_ADDR_TABLE_RVA);
            long ilt = nameImport
                    .getDirEntryValue(DirectoryEntryKey.I_LOOKUP_TABLE_RVA);
            long imageBase = exe.getOptionalHeader().get(
                    WindowsEntryKey.IMAGE_BASE);
            long addr = nameImport.getRVA() + imageBase;
            if(ilt != 0) addr = addr - ilt + iat;
            System.out.format("0x%X\t%s:%s%n", addr, dll.getName(), nameImport.getName());
            importList.put((int)addr, dll.getName() + ":" + nameImport.getName());
        }
    }

    return importList;
}