Skip to content

Import Directory

Jump to bottom
AFP edited this page Jun 24, 2022 · 1 revision

How to get access of Import Directory?

After initialize the PE class, you can access the GetImageImportDirectory method to access the Export Directory.

See the below example:

#include <iostream>
#include <POEX.h> // include POEX header

int main()
{
    auto pe = POEX::PE(L"1.exe");

    // Access to Image Import Directory
    auto id = pe.GetImageImportDirectory();

    // Access to ImportLookupTable field
    std::cout << "Import Lookup Table: " << "0x" << std::hex << << id.ImportLookupTable() << std::endl;

    // Change ImportLookupTable field
    id.ImportLookupTable(10422);

    // Print ImportLookupTable field to see the change
    std::cout << "Import Lookup Table: " << id.ImportLookupTable() << std::endl;

    return 0;
}

Hot to find imported function?

You can use the GetImportedFunctions method in ImageImportDirectory object.

See the below example:

#include <iostream>
#include <POEX.h> // include POEX header

int main()
{
    auto pe = POEX::PE(L"1.dll");

    // Access to Image Import Directory
    auto id = pe.GetImageImportDirectory();

    // Access to Imported Function
    auto ifs = id.GetImportedFunctions();

    // Print some info about imported functions
    for (auto ef : ifs)
    {
        std::cout << "DLL name: " << ef.Dll << std::endl;
        std::cout << "function name: " << ef.Name << std::endl;
        std::cout << "Hint: " << ef.Hint << std::endl;
        std::cout << "IAT Offset: " << ef.IATOffset << std::endl << std::endl;
    }
    return 0;
}

List all available method in ImageImportDirectory 

auto ImportLookupTable() const ->unsigned int;
auto ImportLookupTable(const unsigned int& importLookupTable)->void;

auto TimeDateStamp() const ->unsigned int;
auto TimeDateStamp(const unsigned int& timeDateStamp)->void;

auto ForwarderChain() const ->unsigned int;
auto ForwarderChain(const unsigned int& forwarderChain)->void;

auto Name() const ->unsigned int;
auto Name(const unsigned int& name)->void;

auto ImportAddressTable() const ->unsigned int;
auto ImportAddressTable(const unsigned int& importAddressTable)->void;

auto GetImportedFunctions()->std::vector<ImportFunction>;

List of all field access in ImportFunction struct

std::string Name;
std::string Dll;
unsigned short Hint;
unsigned int IATOffset;
Clone this wiki locally