One problem on printing the symbols of import table information

[Michael]

Hi, everyone,

I write the following code by using pefile to wish get all the imported symbols by an binary file, but I came across a wired situation:

=============

def parsePE(pe_file_path):

    pe = pefile.PE(pe_file_path, fast_load=False)

    imp_cnt = 0

    # listing the imported symbols: DIRECTORY_ENTRY_IMPORT, DIRECTORY_ENTRY_DELAY_IMPORT

    if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):

        for entry in pe.DIRECTORY_ENTRY_IMPORT:

            print entry.dll

            imp_cnt += len(entry.imports)

            for imp in entry.imports:

                print '\t', hex(imp.address), imp.name, imp.ordinal, entry.dll

        print "imp_cnt: ", imp_cnt

=============

The following is part of my results(which contain the wrong parts):

=============

ole32.dll

0x10494650 OleDuplicateData None ole32.dll

0x10494654 CoUninitialize None ole32.dll

0x10494658 CoInitializeEx None ole32.dll

0x1049465c StringFromCLSID None ole32.dll

0x10494660 OleUninitialize None ole32.dll

0x10494664 OleInitialize None ole32.dll

0x10494668 OleFlushClipboard None ole32.dll

0x1049466c CoTaskMemFree None ole32.dll

0x10494670 DoDragDrop None ole32.dll

0x10494674 CoCreateInstance None ole32.dll

0x10494678 ReleaseStgMedium None ole32.dll

0x1049467c OleGetClipboard None ole32.dll

0x10494680 RegisterDragDrop None ole32.dll

0x10494684 RevokeDragDrop None ole32.dll

0x10494688 OleSetClipboard None ole32.dll

OLEAUT32.dll

0x10493f0c None 6 OLEAUT32.dll

0x10493f10 None 2 OLEAUT32.dll

0x10493f14 None 7 OLEAUT32.dll

0x10493f18 None 4 OLEAUT32.dll

0x10493f1c None 9 OLEAUT32.dll

0x10493f20 None 185 OLEAUT32.dll

0x10493f24 None 21 OLEAUT32.dll

0x10493f28 None 20 OLEAUT32.dll

0x10493f2c None 19 OLEAUT32.dll

0x10493f30 None 22 OLEAUT32.dll

0x10493f34 None 16 OLEAUT32.dll

0x10493f38 None 411 OLEAUT32.dll

=============

As you can see, for the symbols associated with ordinal, my code just didnot print the symbol name, instead a non value; but for the symbols without associated ordinal, the result is right, it can print address, name, and the dll file name.

Anyone can give me some suggestions for this? Did I miss some points here?

Thanks in advance!

[Michael]

Hi, Everyone

A good new to this question after I searched in this group, and luckily I found that Romain already give an solution to my question, and now I can get all function names imported by ordinals.

But unfortunately after detailed investigation, I noticed that his solution is not a complete solution.

Because it currently just work for pe.DIRECTORY_ENTRY_IMPORT , and it still cannot work for delay import table [which is pe.DIRECTORY_ENTRY_DELAY_IMPORT], and I tried to revise pefile python code [parse_delay_import_directory function and parse_imports function ] to implement it but failed with dead looping seemingly, because the code seems to enter into an infinite loop.

Currently I got the following results: OLEAUT32.dll is belong to DIRECTORY_ENTRY_IMPORT and WS2_32.dll is belong to DIRECTORY_ENTRY_DELAY_IMPORT.

OLEAUT32.dll

0x10493f0c SysFreeString 6 OLEAUT32.dll

0x10493f10 SysAllocString 2 OLEAUT32.dll

0x10493f14 SysStringLen 7 OLEAUT32.dll

0x10493f18 SysAllocStringLen 4 OLEAUT32.dll

0x10493f1c VariantClear 9 OLEAUT32.dll

0x10493f20 VariantTimeToSystemTime 185 OLEAUT32.dll

0x10493f24 SafeArrayLock 21 OLEAUT32.dll

0x10493f28 SafeArrayGetLBound 20 OLEAUT32.dll

0x10493f2c SafeArrayGetUBound 19 OLEAUT32.dll

0x10493f30 SafeArrayUnlock 22 OLEAUT32.dll

0x10493f34 SafeArrayDestroy 16 OLEAUT32.dll

0x10493f38 SafeArrayCreateVector 411 OLEAUT32.dll

WS2_32.dll

0x1052b548 None 271075289 8 WS2_32.dll

0x1052b54c None 271075262 9 WS2_32.dll

0x1052b550 getaddrinfo 271075309 None WS2_32.dll

0x1052b554 None 271075299 57 WS2_32.dll

0x1052b558 None 273211143 14 WS2_32.dll

0x1052b55c freeaddrinfo 271075319 None WS2_32.dll

0x1052b560 None 273211153 15 WS2_32.dll

Obviously the existent solution just did not work for the delayed import table, such as WS2_32.dll.

And for my purpose, I would have to parse the WS2_32.dll again to get its export table then matching with the ordinal number.

Here, I just want to point to this problem, and hope that there is an solution, which like IDAPro.

Thanks in advance!

Michael