A typical win32 process consists of the executable module (*.exe) and
several dynamic link libraries (*.dll). Most of those dlls are system
libraries, some may be private libraries used only by this process.
Executable modules and dynamic link libraries share the same format, which
is named "PE" (for Portable Executable). Each PE file has a specific PE file
header, where things like imported and exported APIs are stored.
Some PE header structures are already defined in "windows.pas", but some
important structures and constants are missing there. So we'll declare them
here:
 |
const
CENEWHDR = $003C;
CEMAGIC = $5A4D;
CPEMAGIC = $4550;
type
TImageImportDirectory = packed record
HintNameArray : dword;
TimeDateStamp : dword;
ForwarderChain : dword;
Name_ : dword;
ThunkArray : dword;
end;
TImageExportDirectory = packed record
Characteristics : dword;
TimeDateStamp : dword;
MajorVersion : word;
MinorVersion : word;
Name_ : dword;
Base : dword;
NumberOfFunctions : integer;
NumberOfNames : integer;
AddressOfFunctions : dword;
AddressOfNames : dword;
AddressOfNameOrdinals : dword;
end;
PImageImportDirectory = ^TImageImportDirectory;
PImageExportDirectory = ^TImageExportDirectory;
|
|
The following functions give you easy access to some of the most important
structures of the PE image file header. Just enter the module handle
and you get back a direct pointer to the desired structure:
 |
function GetImageNtHeaders (module: dword) : PImageNtHeaders;
function GetImageImportDirectory (module: dword) : PImageImportDirectory;
function GetImageExportDirectory (module: dword) : PImageExportDirectory;
|
|
Now we move up a level and check out some functions, which parse the
mentioned structures for us to give us some specific information. First we
have "GetImageProcAddress". Most of the time it is equal to the well known
win32 API "GetProcAddress". But there are 2 important exceptions:
(1) IAT hooking often hooks GetProcAddress, too, and fakes the result.
(2) in win9x GetProcAddress refuses to work for ordinal kernel32 APIs.
Also we have the function "GetImageProcName", which is exactly the opposite
of GetProcAddress. There's no win32 API equivalent to that.
 |
function GetImageProcAddress (module: dword; const name : string; doubleCheck: boolean = false) : pointer; overload;
function GetImageProcAddress (module: dword; index : integer ) : pointer; overload;
function GetImageProcName (module: dword; proc: pointer) : string;
|
|
Let's suppose you have the address of a function and you want to know in
which module the code of this function resides. For this purpose you can
use "FindModule".
 |
function FindModule (addr : pointer;
var moduleHandle : dword;
var moduleName : string) : boolean;
|
|