Understanding PE Parsing for Reverse Engineers Part 3 - Data Directory and Imports (Patreon)

This is the third in a four-part series on PE parsing from a reverse engineering perspective. In this tutorial we explore parsing the PE import table. We also introduce a new structure PE_BASE to help with marking up pseudocode in IDA.

Code References

The following are links to the code that was used in the tutorial. These are handy to keep as references as they have the structures and patterns that can be used in IDA when marking up pseudocode.

• pebase.h
• ShellcodeImports.cpp

Further Reading

• PE file diagram from Corkami
• An In-Depth Look into the Win32 Portable Executable File Format (Inside Windows)
• An In-Depth Look into the Win32 Portable Executable File Format Part 2 (Inside Windows)
• Example PE parsing from iredteam
• VERGILIUS
• GetModuleHandle translation to base address (Stack Overflow)
• _IMAGE_DATA_DIRECTORY

Hands-On Example

Attached to this post is the compiled example from the tutorial (64-bit) and a 32-bit version of the same example. See if you can replicate the pseudocode markup from the tutorial with both samples.