Module Stuff

A typical win32 process consists of the executable module (*.exe) and several dynamic link libraries (*.dll). Most of those dlls are system libraries, some may be private libraries used only by this process.

Executable modules and dynamic link libraries share the same format, which is named "PE" (for Portable Executable). Each PE file has a specific PE file header, where things like imported and exported APIs are stored.

Some PE header structures are already defined in "windows.pas", but some important structures and constants are missing there. So we'll declare them here:

  // PE header constants
  CENEWHDR = $003C;  // offset of new EXE header
  CEMAGIC  = $5A4D;  // old EXE magic id:  'MZ'
  CPEMAGIC = $4550;  // NT portable executable

  // directory structure for imported APIs
  TImageImportDirectory = packed record
    HintNameArray         : dword;
    TimeDateStamp         : dword;
    ForwarderChain        : dword;
    Name_                 : dword;
    ThunkArray            : dword;
  // directory structure for exported APIs
  TImageExportDirectory = packed record
    Characteristics       : dword;
    TimeDateStamp         : dword;
    MajorVersion          : word;
    MinorVersion          : word;
    Name_                 : dword;
    Base                  : dword;
    NumberOfFunctions     : integer;
    NumberOfNames         : integer;
    AddressOfFunctions    : dword;
    AddressOfNames        : dword;
    AddressOfNameOrdinals : dword;
  PImageImportDirectory = ^TImageImportDirectory;
  PImageExportDirectory = ^TImageExportDirectory;

The following functions give you easy access to some of the most important structures of the PE image file header. Just enter the module handle and you get back a direct pointer to the desired structure:

function GetImageNtHeaders       (module: dword) : PImageNtHeaders;
function GetImageImportDirectory (module: dword) : PImageImportDirectory;
function GetImageExportDirectory (module: dword) : PImageExportDirectory;

Now we move up a level and check out some functions, which parse the mentioned structures for us to give us some specific information. First we have "GetImageProcAddress". Most of the time it is equal to the well known win32 API "GetProcAddress". But there are 2 important exceptions:

(1) IAT hooking often hooks GetProcAddress, too, and fakes the result.
(2) in win9x GetProcAddress refuses to work for ordinal kernel32 APIs.

Also we have the function "GetImageProcName", which is exactly the opposite of GetProcAddress. There's no win32 API equivalent to that.

function GetImageProcAddress (module: dword; const name : string; doubleCheck: boolean = false) : pointer; overload;
function GetImageProcAddress (module: dword; index      : integer                             ) : pointer; overload;

function GetImageProcName (module: dword; proc: pointer) : string;

Let's suppose you have the address of a function and you want to know in which module the code of this function resides. For this purpose you can use "FindModule".

function FindModule (addr             : pointer;
                     var moduleHandle : dword;
                     var moduleName   : string) : boolean;