PEStuff Library Programmer's Reference

Overview  
  Introduction
  General Coding Information
Main functions  
  MapFile
  UnMapFile
  IsValidPE
  RvaToOffset
  OffsetToRva
Section related  
  GetNumberOfSections
  GetSectionValue
  GetOneSection
  AddSection
Import Table  
  CheckImportTable
  GetImportTableValues
  GetNumberOfImportedDlls
  GetImportDescriptor
  GetNumberOfFunctionsFromDll
  GetValuesfromDll
  AddImport
Export Table  
  CheckExportTable
  GetNumberOfExports
  GetNumberOfExportsByName
  GetExportTableValues
  GetExportTableValuesEx
  GetExportName
Appendix  
  For C Coders
  For Delphi Coders

 

 

 

 

 

 

 

 

 

 

 

 

 
















Introduction
PEStuff Library is a dll file which you can freely use in your own projects and which should help you when you're dealing with PE files. It contains several functions to get information from the Section Table, Import Table and Export Table or modify them.
Originally I've written this for myself cause I was tired of coding an "Getting Names from Import Table"- function for the tenth time.
I really hope you like this dll file and that it's easy to use along with this reference. If so I would appreciate if you drop me a line, mention my name in your application if you use it or tell me what needs to be improved! So have fun while coding!
Sunshine, September 2003


General Coding Information
This dll was coded in pure C with VC++ 5.0. One goal was to keep the filesize low and <10kb is not that bad, isn't it? I've have just tested it with VC++ and with Delphi 5 but because I used the stdcall calling-convention it should also work with Masm. But I really don't know if it works with VB (sorry!).

The basic concept of PEStuff is the following: Every file you want to work with must be mapped to memory with MapFile. The return value of this function is a pointer to the memory location of the file. It's important that you store this value in a variable cause you have to pass it as first argument in every function. Also you need this to release the file properly with UnMapFile if you've done your work.
"Why this?" you will ask.... Well this allows you to open more than one file at the same time and work with them!

Please read function explanations carefully. In some functions (for example GetOneSection ...) you pass an "empty" LPSTR variable cause it's going to receive a pointer to a null-terminated string. But in other functions (for example AddImport) LPSTR variable has to contain a pointer to a null-terminated string!


MapFile
The MapFile function maps a file to memory and returns the pointer to this memory location. It's always the first function you have to call.

  LPVOID MapFile(
  LPSTR
filename
);

Parameters:
filename : Points to a null-terminated string that specifies the file to open.

Return Values:
If the function succeeds, the return value is a valid pointer to the memory location of the file.
If the function fails, the return value is NULL.
Note: Most time the functions fails is due to the fact that the file to be opened is readonly. The file has to be writeable. (That does not mean Mapfile function changes the file!)


UnMapFile
The UnMapFile function unmaps a file and releases the memory. Call this function when you're finished the work with your mapped file.

  BOOL UnMapFile(
  
LPVOID pMapFile
);

Parameters:
pMapFile : Pointer to memory location of mapped file. It's the return value of MapFile.

Return Values:
If the function succeeds, the return value is TRUE. If the function fails, the return value is FALSE.


IsValidPE
The IsValidPE function checks if the mapped file is a valid Portable Executable file.

  BOOL IsValidPE(
 LPVOID
pMapFile
);

Parameters:
pMapFile : Pointer to memory location of mapped file. It's the return value of MapFile.

Return Values:
If the function succeeds, the return value is TRUE. If the function fails, the return value is FALSE.


RvaToOffset
The RvaToOffset calculates the file offset (raw offset) from the given relative address value.

DWORD RvaToOffset(
 LPVOID
pMapFile
 DWORD
Rva
);

 



Parameters:
pMapFile : Pointer to memory location of mapped file. It's the return value of MapFile.
Rva : the relative address to be converted

Return Values:
If the function succeeds, the return value is the calculated file offset. If the function fails, the return value is 0.
Note: If function fails, make sure you pass a valid Rva.


OffsetToRva
The OffsetToRva calculates the relative address from the given file offset.

 
DWORD OffsetToRva(
 LPVOID
pMapFile
 DWORD
Offset
);

Parameters:
pMapFile : Pointer to memory location of mapped file. It's the return value of MapFile.
Offset : the file offset to be converted

Return Values:
If the function succeeds, the return value is the calculated relative address. If the function fails, the return value is 0.
Note: If function fails, make sure you pass a valid file offset.


GetNumberOfSections
The GetNumberOfSections function returns the number of sections in the file.

  DWORD GetNumberOfSections(
 LPVOID
pMapFile
);

Parameters:
pMapFile : Pointer to memory location of mapped file. It's the return value of MapFile.

Return Values:
If the function succeeds, the return value is number of sections in the file. If the function fails, the return value is 0.


GetSectionValue
The GetSectionValue function returns the requested value of the specified section.

  DWORD GetSectionValue(
 LPVOID
pMapFile
 INT
section
 INT
value
);

Parameters:
pMapFile : Pointer to memory location of mapped file. It's the return value of MapFile.
section : Number from which section to get requested value. 1 = first section, 2 = second section... GetNumberOfSections = last section.
value : Specifies which value should be returned:

  1 Virtual Address
  2 Virtual Size
  3 SizeofRawData (Raw Size)
  4 PointerToRawData (Raw Offset)
  5 Characteristics
  6 PointerToRelocations
  7 PointerToLineNumbers
  8 NumberOfRelocations
  9 NumberOfLinenumbers

Return Values:
If the function succeeds, the return value is the requested value.. If the function fails, the return value is 0xFFFFFF (-1).


GetOneSection
The GetOneSection function returns all values of the specified section.

 

BOOL GetSectionValue(
 LPVOID
pMapFile
 INT
section
 LPSTR
secname
 PDWORD VirtualAddress
 PDWORD VirtualSize
 PDWORD RawSize
 PDWORD RawOffset
 PDWORD Characteristics
);

Parameters:
pMapFile : Pointer to memory location of mapped file. It's the return value of MapFile.
section : Specifies from which section to get requested values. 1 = first section, 2 = second section... GetNumberOfSections = last section.
secname : variable which receives the section name.
VirtualAddress: Pointer to variable which receives the virtual address.
VirtualSize: Pointer to variable which receives the virtual size.
RawSize: Pointer to variable which receives the raw size.
Characteristics: Pointer to variable which receives the characteristics.

Return Values:
If the function succeeds, the return value is TRUE. If the function fails, the return value is FALSE.


AddSection
The AddSection function adds a new zeropadded section to the file.

 

INT AddSection(
 LPVOID
pMapFile
 LPSTR
secname
 DWORD
size
);

Parameters:
pMapFile : Pointer to memory location of mapped file. It's the return value of MapFile.
secname : Specifies the name of the new section.
size : Specifies the size of the new section.

Return Values:

If the function succeeds, the return value is 1. If the functions fails, the return value is one of the following values:

  2 No place in PE Header to add section information
  3 Something went wrong with the filemapping
  4 Opening file failed
  5 Writing to file failed
  6 Memory could not be flushed to file.


CheckImportTable
The CheckImportTable function checks if file has an Import Table.

 

BOOL CheckImportTable(
 LPVOID
pMapFile
);


Parameters:

pMapFile : Pointer to memory location of mapped file. It's the return value of MapFile.

Return Values:
If the function succeeds, the return value is TRUE. If the function fails, the return value is FALSE.



GetImportTableValues
The GetImportTableValues returns three basic Import Table values.

 

BOOL GetImportTableValues(
 LPVOID
pMapFile
 PDWORD
Size
 PDWORD
Rva
 PDWORD
Offset
);

Parameters:
pMapFile : Pointer to memory location of mapped file. It's the return value of MapFile.
Size : Points to a DWORD variable that receives the size of the Import Table.
Rva: Points to a DWORD variable that receives the relative address of the Import Table.
Offset: Points to a DWORD variable that receives the file offset of the Import Table.

Return Values:
If the function succeeds, the return value is TRUE. If the function fails, the return value is FALSE.


GetNumberOfImportedDlls
The GetNumberOfImportedDlls returns the number of dlls which are used by the file (in other words: which are listed in the Import Table).

 

INT GetNumberOfImportedDlls(
 LPVOID
pMapFile
);

Parameters:
pMapFile : Pointer to memory location of mapped file. It's the return value of MapFile.

Return Values:
If the function succeeds, the return value is the number of dlls in the Import Table. If the function fails, the return value is 0 (zero).


GetImportDescriptor
The GetImportDescriptor returns all values of the specified descriptor (dll).

 

BOOL GetImportDescriptor(
 LPVOID
pMapFile
 INT
whichdesc
 LPSTR dllname
 PDWORD OriFirstThunk
 PDWORD TimeDateStamp
 PDWORD ForwarderChain
 PDWORD DllNameRVA
 PDWORD FirstThunk

);

Parameters:
pMapFile : Pointer to memory location of mapped file. It's the return value of MapFile.
whichdesc : Specifies from which import (=dll) to receive values. 1 = first import, 2 = second import... GetNumberOfImportedDlls = last import.
dllname : Pointer to a variable which receives the dll name.
OriFirstThunk : Pointer to a variable which receives the OriginalFirstThunk value.

TimeDateStamp : Pointer to a variable which receives the TimeDateStamp value.

ForwarderChain : Pointer to a variable which receives the ForwarderChain value.
DllNameRVA : Pointer to a variable which receives the RVA to the name of the DLL.
FirstThunk : Pointer to a variable which receives the FirstThunk value.

Return Values:
If the function succeeds, the return value is TRUE. If the function fails, the return value is FALSE.


GetNumberOfFunctionsFromDll
The GetNumberOfFunctionsFromDll function returns the number of functions imported from the specified dll.

 

INT GetNumberOfFunctionsFromDll(
 LPVOID
pMapFile
 INT
whichdll
);

Parameters:
pMapFile : Pointer to memory location of mapped file. It's the return value of MapFile.
whichdll : Specifies the dll from which the number of imported functions should be returned.
1 = first import, 2 = second import... GetNumberOfImportedDlls = last import.

Return Values:
If the function succeeds, the return value is the number of functions the specified dll imports. If the functions fails, the return value is 0xFFFFFF (-1).


GetValuesfromDll
The GetValuesfromDll function returns all values of the specified dll.

 

BOOL GetValuesfromDll(
 LPVOID
pMapFile
 INT
whichdll
 INT
whichfunc
 PDWORD
ThunkRVA
 PDWORD
ThunkOffset
 PDWORD
ThunkValue
 PDWORD
Hint
 LPSTR
ThunkApiName
);

Parameters:
pMapFile : Pointer to memory location of mapped file. It's the return value of MapFile.
whichdll : Specifies the dll from which the number of imported functions should be returned.
1 = first import, 2 = second import... GetNumberOfImportedDlls = last import.
whichfunc : Specifies from which function of the specified dll to get the values. 1 = first function, 2 = second function... GetNumberOfFunctionsFromDll = last function.
ThunkRva : Pointer to a variable which receives the Rva to an IMAGE_IMPORT_BY_NAME/IMAGE_IMPORT_BY_ORDINAL.
ThunkOffset : Pointer to a variable which receives the file offset to
an IMAGE_IMPORT_BY_NAME/IMAGE_IMPORT_BY_ORDINAL.
ThunkValue : Pointer to a variable which receives the value ThunkRva/ThunkOffset is pointing to.
Hint : Pointer to a variable which receives the hint value (the index into the export table of the DLL the function resides in).
ThunkApiName : Pointer to a variable which receives the name of the import function
.

Return Values:
If the function succeeds, the return value is TRUE. If the function fails, the return value is FALSE.


AddImport
The AddImport function adds a new Image Import Descriptor to the Import Table (a new dll with one Import). A new section is added to the file where the new Import Table is stored in. Only one dll with only one new function can be added at one time.

 

INT AddImport(
 LPVOID
pMapFile
 LPSTR
secname
 LPSTR dllname
 LPSTR funcname

);

Parameters:
pMapFile : Pointer to memory location of mapped file. It's the return value of MapFile.
secname : Points to a null-terminated string that specifies the name of the new section where the Import Table will reside in.
dllname : Points to a null-ter
minated string that specifies the name of dll from which a function is added to the Import Table.
funcname : Points to a null-ter
minated string that specifies the name of the import function to be added.

Return Values:
If the function succeeds, the return value is
1. If the functions fails, the return value is one of the following values:

  2 Could not allocate memory
  3 No place in PE Header to add section information
  4 Reading from file failed
  5 Writing to file failed
  6 Opening file failed


CheckExportTable
The CheckExportTable function checks if file has an Export Table.

 

BOOL CheckExportTable(
 LPVOID
pMapFile
);


Parameters:

pMapFile : Pointer to memory location of mapped file. It's the return value of MapFile.

Return Values:
If the function succeeds, the return value is TRUE. If the function fails, the return value is FALSE.


GetNumberOfExports
The GetNumberOfExports returns the number of functions the file exports.

 

INT GetNumberOfExports(
 LPVOID
pMapFile
);

Parameters:
pMapFile : Pointer to memory location of mapped file. It's the return value of MapFile.

Return Values:
If the function succeeds, the return value is the number of functions the file exports. If the function fails, the return value is -1.


GetNumberOfExportsByName
The GetNumberOfExportsByName returns the number of functions the file exports by name.

 

INT GetNumberOfExportsByName(
 LPVOID
pMapFile
);

Parameters:
pMapFile : Pointer to memory location of mapped file. It's the return value of MapFile.

Return Values:
If the function succeeds, the return value is the number of functions the file exports by name. If the function fails, the return value is -1.

Note: To get the number of functions exported by ordinal, just substract return values from GetNumberOfExports and GetNumberOfExportsByName.


GetExportTableValues
The GetExportTableValues returns three basic Export Table values.

 

BOOL GetExportTableValues(
 LPVOID
pMapFile
 PDWORD
Size
 PDWORD
Rva
 PDWORD
Offset
);

Parameters:
pMapFile : Pointer to memory location of mapped file. It's the return value of MapFile.
Size : Points to a DWORD variable that receives the size of the Export Table.
Rva: Points to a DWORD variable that receives the relative address of the Export Table.
Offset: Points to a DWORD variable that receives the file offset of the Export Table.

Return Values:
If the function succeeds, the return value is TRUE. If the function fails, the return value is FALSE.


GetExportTableValuesEx
The GetExportTableValuesEx returns a filled PIMAGE_EXPORT_DIRECTORY structure.

 

BOOL GetExportTableValuesEx(
 LPVOID
pMapFile
 PIMAGE_EXPORT_DIRECTORY
IED
);

Parameters:
pMapFile : Pointer to memory location of mapped file. It's the return value of MapFile.
IED : Points to a IMAGE_EXPORT_DIRECTORY structure.

Return Values:
If the function succeeds, the return value is TRUE. If the function fails, the return value is FALSE.


Note : In fact the IED parameter must be a pointer to some allocated memory. Here's an example in C how to use it (assume pMap is a valid pointer to mapped file):

 

LPVOID IED;
PIMAGE_EXPORT_DIRECTORY pIED;
// allocate memory; IED points to memory
IED = LocalAlloc(LMEM_FIXED, sizeof(IMAGE_EXPORT_DIRECTORY));
// call function, pass IED as PIMAGE_EXPORT_DIRECTORY
GetExportTableValuesEx(pMap, (PIMAGE_EXPORT_DIRECTORY)IED);
// assume pIED points to export structure
pIED = (PIMAGE_EXPORT_DIRECTORY)IED;

Now you can access the structure (e.g pIED->TimeDateStamp...)



GetExportName
The GetExportName returns an export name specified by index value.

 

LPSTR GetExportName(
 LPVOID
pMapFile
 INT
index
);


Parameters:

pMapFile : Pointer to memory location of mapped file. It's the return value of MapFile.
index : Specifies which name to return. 0 = first export name in Export Table, 1 = second name... (GetNumberOfExportsByName - 1)
= last export name

Return Values:

If the function succeeds, the return value
is the requested export name. If the function fails, the return value is 0 (zero).


Appendix

For C Coders
Forward declarations of all functions:

typedef LPVOID (CALLBACK* _MapFile)(LPSTR file);
typedef BOOL   (CALLBACK* _UnMapFile)(LPVOID pMap);
typedef BOOL   (CALLBACK* _IsValidPE)(LPVOID pMap);
typedef DWORD  (CALLBACK* _OffsetToRva)(LPVOID pMapOri, DWORD Offset);
typedef DWORD  (CALLBACK* _RvaToOffset)(LPVOID pMapOri, DWORD Rva);

typedef int
   (CALLBACK* _GetNumberOfSections)(LPVOID pMap);
typedef BOOL   (CALLBACK* _GetOneSection)(LPVOID pMap,int whichSection, char* secname,
                                          DWORD *VirtualAddress, DWORD *VirtualSize,
                                          DWORD *RawSize, DWORD *RawOffset, DWORD *Characteristics);
typedef DWORD  (CALLBACK* _GetSectionValue)(LPVOID pMap,int whichSection, int whatvalue);
typedef int    (CALLBACK* _AddSection)(LPVOID pMap,LPSTR secname, DWORD RawSize);

typedef BOOL
  (CALLBACK* _CheckImportTable)(LPVOID pMap);
typedef BOOL   (CALLBACK* _GetImportTableValues)(LPVOID pMap, DWORD *Size, DWORD *RVA, DWORD *Offset);
typedef int    (CALLBACK* _GetNumberOfImportedDlls)(LPVOID pMap);
typedef BOOL   (CALLBACK* _GetImportDescriptor)(LPVOID pMap, int whichImpDes, LPSTR *dllname,
                                                DWORD *OriFirstThunk, DWORD *TimeDateStamp,
                                                DWORD *ForwarderChain, DWORD *DllNameRVA, DWORD *FirstThunk);

typedef int    (CALLBACK* _GetNumberOfFunctionsFromDll)(LPVOID pMap, int whichDll);
typedef BOOL   (CALLBACK* _GetValuesfromDll)(LPVOID pMap, int whichDll, int whichfunc,
                                             DWORD *ThunkRva, DWORD *ThunkOffset,
                                             DWORD *ThunkValue, DWORD *Hint, LPSTR *ThunkApiName);
typedef int    (CALLBACK* _AddImport)(LPVOID pMap, LPSTR secname,LPSTR dllname, LPSTR funcname);

typedef BOOL
  (CALLBACK* _CheckExportTable)(LPVOID pMap);
typedef int    (CALLBACK* _GetNumberOfExports)(LPVOID pMap);
typedef int    (CALLBACK* _GetNumberOfExportsByName)(LPVOID pMap);
typedef BOOL   (CALLBACK* _GetExportTableValues)(LPVOID pMap, DWORD *Size, DWORD *RVA, DWORD *Offset);
typedef BOOL   (CALLBACK* _GetExportTableValuesEx)(LPVOID pMap, PIMAGE_EXPORT_DIRECTORY IED);
typedef LPSTR  (CALLBACK* _GetExportName)(LPVOID pMap, int index);

Variables:

_MapFile MapFile;
_UnMapFile UnMapFile;
_IsValidPE IsValidPE;
_OffsetToRva OffsetToRva;
_RvaToOffset RvaToOffset;
_GetNumberOfSections GetNumberOfSections;
_GetOneSection GetOneSection;
_GetSectionValue GetSectionValue;
_AddSection AddSection;
_CheckImportTable CheckImportTable;
_GetImportTableValues GetImportTableValues;
_GetNumberOfImportedDlls GetNumberOfImportedDlls;
_GetImportDescriptor GetImportDescriptor;
_GetNumberOfFunctionsFromDll GetNumberOfFunctionsFromDll;
_GetValuesfromDll GetValuesfromDll;
_AddImport AddImport;
_CheckExportTable CheckExportTable;
_GetNumberOfExports GetNumberOfExports;
_GetNumberOfExportsByName GetNumberOfExportsByName;
_GetExportTableValues GetExportTableValues;
_GetExportTableValuesEx GetExportTableValuesEx;
_GetExportName GetExportName;

Example how to load dll and all functions:

HINSTANCE hdll = LoadLibrary("PeStuff.dll");
if (hdll == NULL)
{
  MessageBox(0, "Could not load library PeStuff.dll","Error",MB_ICONSTOP);
  return 0;
}

MapFile = (_MapFile)GetProcAddress(hdll,"MapFile");
UnMapFile = (_UnMapFile)GetProcAddress(hdll,"UnMapFile");
IsValidPE = (_IsValidPE)GetProcAddress(hdll,"IsValidPE");

OffsetToRva = (_OffsetToRva)GetProcAddress(hdll,"OffsetToRva");
RvaToOffset = (_RvaToOffset)GetProcAddress(hdll,"RvaToOffset");

GetNumberOfSections = (_GetNumberOfSections)GetProcAddress(hdll,"GetNumberOfSections");
GetOneSection = (_GetOneSection)GetProcAddress(hdll,"GetOneSection");
GetSectionValue = (_GetSectionValue)GetProcAddress(hdll, "GetSectionValue");
AddSection =(_AddSection)GetProcAddress(hdll,"AddSection");

CheckImportTable = (_CheckImportTable)GetProcAddress(hdll,"CheckImportTable");
GetImportTableValues = (_GetImportTableValues)GetProcAddress(hdll,"GetImportTableValues");
GetNumberOfImportedDlls =(_GetNumberOfImportedDlls)GetProcAddress(hdll,"GetNumberOfImportedDlls");
GetImportDescriptor =(_GetImportDescriptor)GetProcAddress(hdll,"GetImportDescriptor");
GetNumberOfFunctionsFromDll =(_GetNumberOfFunctionsFromDll)GetProcAddress(hdll,"GetNumberOfFunctionsFromDll");
GetValuesfromDll = (_GetValuesfromDll)GetProcAddress(hdll,"GetValuesfromDll");
AddImport =(_AddImport)GetProcAddress(hdll,"AddImport");

CheckExportTable = (_CheckExportTable)GetProcAddress(hdll,"CheckExportTable");
GetNumberOfExports = (_GetNumberOfExports)GetProcAddress(hdll,"GetNumberOfExports");
GetNumberOfExportsByName = (_GetNumberOfExportsByName)GetProcAddress(hdll,"GetNumberOfExportsByName");
GetExportTableValues = (_GetExportTableValues)GetProcAddress(hdll,"GetExportTableValues");
GetExportTableValuesEx = (_GetExportTableValuesEx)GetProcAddress(hdll,"GetExportTableValuesEx");
GetExportName =(_GetExportName)GetProcAddress(hdll,"GetExportName");

When closing your prog, I suggest some cleaning-up like...

if (pMap != NULL) // is a file mapped
{
   if (UnMapFile(pMap) == FALSE) // try unmmaping it
   MessageBox(hwnd, "Unmapping failed!", "Error", MB_OK);

}

// finally unload dll file
FreeLibrary(hdll);


For Delphi Coders
Forward declarations of all functions:

type
TMapFile = function (pMap : pchar) : Pointer; stdcall;
TUnMapFile = function (pMap : pointer) : BOOL; stdcall;
TIsValidPE = function (pMap : Pointer) : BOOL; stdcall;
T
OffsetToRva = function (pMap : Pointer; Offset : DWORD) : DWORD; stdcall;
TRvaToOffset = function (pMap : Pointer; Rva : DWORD) : DWORD; stdcall;

TGetNumberOfSections = function (pMap : Pointer) : INTEGER; stdcall;
TGetSectionValue = function (pMap : Pointer; whichsec : INTEGER; whatvalue :INTEGER;
                             var ReturnValue : DWORD) : DWORD; stdcall;
TGetOneSection = function (pMap : Pointer; whichsec : INTEGER; var secname : pchar;
                           var VirtualAddress : DWORD; var VirtualSize : DWORD;
                           var RawSize : DWORD; var RawOffset : DWORD;
                           var Characteristics : DWORD) : BOOL; stdcall;
TAddSection = function (pMap : Pointer; secname : pchar; RawSize : DWORD) : INTEGER; stdcall;

TCheckImportTable = function (pMap : Pointer) : BOOL; stdcall;
TGetImportTableValues = function (pMap : Pointer; var Size : DWORD;
                                  var RVA : DWORD; var Offset : DWORD) : BOOL; stdcall;
TGetNumberOfImportedDlls = function (pMap : Pointer) : INTEGER; stdcall;
TGetImportDescriptor = function (pMap : Pointer; index : INTEGER; var dllname : pchar;
                                 var OriginalFirstThunk : DWORD; var TimeDateStamp : DWORD;
                                 var ForwarderChain : DWORD; var DllNameRva : DWORD;
                                 var FirstThunk : DWORD) : BOOL; stdcall;
TGetNumberOfFunctionsFromDll = function (pMap : Pointer; index : INTEGER) : INTEGER; stdcall;
TGetValuesfromDll = function (pMap : Pointer; indexdll : INTEGER; indexfunc : INTEGER; var ThunkRva : DWORD;
                              var ThunkOffset : DWORD; var ThunkValue : DWORD; var Hint : DWORD;
                              var ThunkApiName : pchar) : BOOL; stdcall;
TAddImport = function (pMap : Pointer; secname : pchar; dllname : pchar; funcname : pchar) : INTEGER; stdcall;

TCheckExportTable = function (pMap : Pointer) : BOOL; stdcall;
T
GetNumberOfExports = function (pMap : Pointer) : INTEGER; stdcall;
T
GetNumberOfExportsByName = function (pMap : Pointer) : INTEGER; stdcall;
TGetExportTableValues = function (pMap : Pointer; var Size : DWORD; var RVA : DWORD;
                                  var Offset : DWORD) : BOOL : stdcall;

TGetExportTableValuesEx = function (pMap : Pointer; IED : PIMAGE_EXPORT_DIRECTORY) : BOOL; stdcall;
TGetExportName = function (pMap : Pointer; index : INTEGER) : pchar; stdcall;

var
MapFile : TMapFile;
UnMapFile : TUnMapFile;
IsValidPE : TIsValidPE;
OffsetToRva : TOffsetToRva;
RvaToOffset : TRvaToOffset;
GetNumberOfSections : TGetNumberOfSections;
GetSectionValue : TGetSectionValue;
GetOneSection : TGetOneSection;
AddSection : TAddSection;
CheckImportTable : TCheckImportTable;
GetImportTableValues : TGetImportTableValues;
GetNumberOfImportedDlls : TGetNumberOfImportedDlls;
GetImportDescriptor : TGetImportDescriptor;
GetNumberOfFunctionsFromDll : TGetNumberOfFunctionsFromDll;
GetValuesfromDll : TGetValuesfromDll;
AddImport : TAddImport;
CheckExportTable : TCheckExportTable;
GetNumberOfExports: TGetNumberOfExports;
GetNumberOfExportsByName : TGetNumberOfExportsByName;
GetExportTableValues : TGetExportTableValues;
GetExportTableValuesEx : TGetExportTableValuesEx;
GetExportName : TGetExportName;

Example how to load dll and all functions (hdll declared as THANDLE):

hDll := LoadLibrary('PEStuff.dll');
if hDll = 0 then
begin
  MessageBox(0, 'Could not load PEStuff.dll! Bye...', 'PEStuff.dll not found',MB_ICONSTOP);
  exit;
end;

@MapFile := GetProcAddress(hDll, 'MapFile');
@UnMapFile := GetProcAddress(hDll, 'UnMapFile');
@IsValidPE := GetProcAddress(hDll, 'IsValidPE');
@
OffsetToRva := GetProcAddress(hDll, 'OffsetToRva');
@RvaToOffset := GetProcAddress(hDll, 'RvaToOffset');

@GetNumberOfSections := GetProcAddress(hDll, 'GetNumberOfSections');
@GetSectionValue := GetProcAddress(hDll, 'GetSectionValue');
@GetOneSection := GetProcAddress(hDll, 'GetOneSection');
@AddSection := GetProcAddress(hDll, 'AddSection');

@CheckImportTable := GetProcAddress(hDll, 'CheckImportTable');
@GetImportTableValues := GetProcAddress(hDll, 'GetImportTableValues');
@GetNumberOfImportedDlls := GetProcAddress(hDll, 'GetNumberOfImportedDlls');
@GetImportDescriptor := GetProcAddress(hDll, 'GetImportDescriptor');
@GetNumberOfFunctionsFromDll := GetProcAddress(hDll, 'GetNumberOfFunctionsFromDll');
@GetValuesfromDll := GetProcAddress(hDll, 'GetValuesfromDll');
@AddImport := GetProcAddress(hDll, 'AddImport');

@CheckExportTable := GetProcAddress(hDll, 'CheckExportTable');
@GetNumberOfExports := GetProcAddress(hDll, 'GetNumberOfExports');
@GetNumberOfExportsByName := GetProcAddress(hDll, 'GetNumberOfExportsByName');
@GetExportTableValues := GetProcAddress(hDll, 'GetExportTableValues');
@GetExportTableValuesEx := GetProcAddress(hDll, 'GetExportTableValuesEx');
@GetExportName := GetProcAddress(hDll, 'GetExportName');

When you're finished, clean up...

// if a file is opened, unmap it correctly
if hFileMap <> nil then UnMapFile(hFileMap);
// unload dll
FreeLibrary(hDll);


Sunshine, October 2003
www.sunshine2k.de