I need to make a small application to modify an exe file (any exe) by replacing an imported function address (in Import Address Table section) with another function address (i have created) so the Question is : how to use C# to parse an exe (pe) and find the address of Import Address Table to alter an imported function address ?
i found this method on CodeProject
note : i dont know how to work with pe in c#
thanks for help .
i dont know how to work with pe in c#
This is the issue you'll want to address :)
A PE is just a file. Microsoft has a pretty good document that describes its format on their web site. You may have to register in order to be able to download it. It's called the Microsoft Portable Executable and Common Object File Format Specification.
http://www.microsoft.com/whdc/system/platform/firmware/pecoff.mspx
If you're going to replace a function, presumably that function is in memory, so you're modifying the image in memory, not the actual PE. Luckily the format of the PE in memory is conceptually the same as it is on disk - now, you just deal with memory offsets rather than file offsets.
Redirecting an import address table (IAT) function is conceptually easy. This should get you going:
1) Locate the pointer to the PE header within the file header, which is the very beginning of the image.
2) Locate the pointer to the IAT within the PE header.
3) Iterate over the entries in the IAT until you find the name of the function you wish to redirect.
4) Unprotect the function pointer location for your desired IAT entry with VirtualProtect since it usually sits in a write-protected section.
5) Write in your own proc pointer on top of what was previously there.
6) Restore the previous protection (might not actually be necessary)
7) Done.