
PE Format - IAT Questions


I'm trying to write an exe packer for Windows. I've got some of the basics worked out so far. The part I'm up to though is reading the "BOUND IMPORT Directory Table" (or .idata section?), basically the section of the PE file that contains the list of DLLs that the loader needs to import.

I'm wondering what the best way to either:

[A] find out where the IAT is (because running PEView against a few different .exe's seems to show that this list can be contained in multiple different places) and then read the list

OR

[B] Just find a way to directly read the list of DLLs that an exe needs to import.

Is there a way of doing this? Is there any further reading people can recommend on where the IAT should be and how does one read it?


Solution

  • Yes, you can find the IAT by wading through the executable's headers. Look in winnt.h for the header declarations.

    For an excellent breakdown of how to find information in the headers, see Matt Pietrek's series in MSDN Magazine, "An In-Depth Look into the Win32 Portable Executable File Format", Parts I and II.

    You can also obtain the actual Microsoft PE specification from here.

    TL;DR: Basically the sequence of lookups is as follows:

    1. Start with the base address of the binary. That is an IMAGE_DOS_HEADER structure.
    2. Follow the e_lfanew field to get to the IMAGE_NT_HEADERS structure.
    3. Follow the OptionalHeader to get to the IMAGE_OPTIONAL_HEADER structure (despite its name, it's no longer optional).
    4. Follow DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT] to an array of IMAGE_IMPORT_DESCRIPTOR structures. There's one entry per imported DLL. The last entry in this array will be zeroed out.
    5. The Name field in each entry is an RVA that points to the DLL's name. The FirstThunk field is an RVA that points to that DLL's IAT, which is an array of IMAGE_THUNK_DATA structures.
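The lookup sequence from the answer above, as an added example that is not part of the original answer. It reads the fields by raw offset instead of including winnt.h so it builds on any platform. It also assumes the input is a file on disk rather than a mapped image, so each RVA is translated through the section table. The names `rd`, `rva2off`, `list_imports` and the `SAMPLE` image are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Bounds-checked little-endian read of w bytes; out-of-range reads yield 0. */
static uint32_t rd(const uint8_t *b, size_t n, size_t off, int w) {
    uint32_t v = 0;
    if (off > n || n - off < (size_t)w) return 0;
    for (int i = w; i--; ) v = (v << 8) | b[off + i];
    return v;
}
/* Map an RVA to a file offset through the section table (0 = not backed by file data). */
static size_t rva2off(const uint8_t *b, size_t n, size_t sec, size_t nsec, uint32_t rva) {
    for (size_t i = 0; i < nsec; i++, sec += 40) {
        uint32_t va = rd(b, n, sec + 12, 4), raw = rd(b, n, sec + 16, 4);
        if (rva >= va && rva - va < raw) return (size_t)rd(b, n, sec + 20, 4) + (rva - va);
    }
    return 0;
}
/* Copies up to max imported DLL names into out; returns the count, or -1 on malformed input. */
int list_imports(const uint8_t *b, size_t n, char out[][64], int max) {
    size_t nt = rd(b, n, 0x3C, 4), opt = nt + 24;             /* steps 1-3: e_lfanew, headers */
    uint32_t magic = rd(b, n, opt, 2);
    if (rd(b, n, 0, 2) != 0x5A4D || rd(b, n, nt, 4) != 0x4550) return -1; /* "MZ", "PE\0\0" */
    if (magic != 0x10B && magic != 0x20B) return -1;          /* PE32 or PE32+ */
    size_t dd = opt + (magic == 0x20B ? 112 : 96);            /* start of DataDirectory */
    size_t sec = opt + rd(b, n, nt + 20, 2), nsec = rd(b, n, nt + 6, 2); /* section table */
    if (rd(b, n, dd - 4, 4) < 2) return 0;                    /* NumberOfRvaAndSizes too small */
    size_t d = rva2off(b, n, sec, nsec, rd(b, n, dd + 8, 4)); /* step 4: import directory */
    int count = 0;
    for (; d && count < max; d += 20) {                       /* 20-byte IMAGE_IMPORT_DESCRIPTOR */
        uint32_t name = rd(b, n, d + 12, 4);
        if (!name && !rd(b, n, d + 16, 4)) break;             /* zeroed terminator entry */
        size_t s = rva2off(b, n, sec, nsec, name);            /* step 5: Name RVA */
        if (!s || s >= n || !memchr(b + s, 0, n - s)) return -1; /* name must end inside file */
        snprintf(out[count++], 64, "%s", (const char *)b + s);
    }
    return count;
}
/* Constructed sample: minimal PE32 image, one section at RVA 0x1000 (file 0x200), two imports. */
static const uint8_t SAMPLE[0x400] = { [0]='M','Z', [0x3C]=0x40, [0x40]='P','E', [0x46]=1,
    [0x54]=0xE0, [0x58]=0x0B,0x01, [0xB4]=16, [0xC1]=0x10, [0x145]=0x10, [0x149]=0x02, [0x14D]=0x02,
    [0x20C]=0x40,0x10, [0x210]=0x80,0x10, [0x220]=0x50,0x10, [0x224]=0x88,0x10,
    [0x240]='K','E','R','N','E','L','3','2','.','d','l','l', [0x250]='U','S','E','R','3','2','.','d','l','l' };
int main(void) {
    char names[8][64];
    int k = list_imports(SAMPLE, sizeof SAMPLE, names, 8);
    for (int i = 0; i < k; i++) puts(names[i]);
    return k < 0;
}
```

On a mapped image (the "base address" case the answer describes) the RVAs can be added to the base directly and `rva2off` is not needed.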