It sounds like he wants reverse GetProcAddress. Like the sort of code "analysis" you find next to CALL instructions in OllyDbg.
I've been looking at doing this to add details to BeaEngine output, and it goes like this:
- Subtract the image base from the CALL target address to turn it into an RVA.
- Then subtract the import library's FirstThunk base address from that RVA (remember there are two IAT arrays for each module: the one in the file and the one that is fixed up at runtime). Divide by the size of each element (DWORD) to turn it into a 0...N index into the IAT array.
- Use that index to get the import name out of the library names array.
- Then the code builds an OllyDbg-style "Library.Func" or "Library.#Ordinal" string for the asm comment.
Code:
// Resolve an address to an OllyDbg-style import label for a disassembly comment.
//
// peFile : parsed PE image whose import libraries are searched.
// addr   : absolute address to look up; the image base is subtracted below,
//          so it is treated as image base + RVA of an IAT slot.
//
// Returns "LIBRARY.Name" for a named import, "LIBRARY.#<ordinal in hex>" for an
// import by ordinal, or an empty QString when addr is 0 or no library matches.
//
// NOTE(review): every bound used here comes from PeFile. When the file under
// analysis is untrusted (e.g. a malware sample), whether PeFile validates the
// import directory is not visible from this function - confirm before relying
// on the labels it produces.
QString importFromRva( const PeFile *peFile, uint64_t addr )
{
    if ( addr )
    {
        // Absolute address -> image-relative. The subtraction is unsigned, so an
        // addr below the image base wraps to a very large value instead of failing.
        addr -= peFile->imageBase();
        // Self-assignment: has no effect.
        addr = addr;
        for ( uint32_t lib = 0; lib < peFile->importLibraryCount(); ++lib )
        {
            PeFile::ImportLibrary library;
            // Skip libraries that PeFile cannot return.
            if ( !peFile->importLibrary(&library,lib) )
            {
                continue;
            }
            // NOTE(review): the member name after "library." is missing from this
            // listing, so the line does not compile as shown. Per the accompanying
            // description it is the library's FirstThunk base address - restore the
            // real field name from the PeFile header.
            // NOTE(review): the 64-bit difference is narrowed to uint32_t. An addr
            // below the thunk base wraps, and a difference above 32 bits is
            // truncated, so an unrelated address can alias to a small index and
            // still pass the bounds check below. Consider rejecting
            // addr < thunk base and doing the comparison in 64 bits.
            uint32_t offset = addr - library.;
            // Byte offset -> slot index. Integer division rounds down, so an address
            // inside a slot maps to that slot rather than being rejected.
            // NOTE(review): DWORD-sized slots match PE32; PE32+ images use 8-byte
            // thunks, so this divisor would be wrong there - confirm which formats
            // PeFile handles.
            offset /= sizeof(DWORD);
            // Only indexes inside this library's import address array are considered.
            if ( offset < peFile->importAddressCount(&library) )
            {
                PeFile::ImportAddress address;
                if ( peFile->importAddress(&address,&library,offset) )
                {
                    if ( address.name )
                    {
                        // Named import: upper-cased library name, '.', function name.
                        return QString(library.name).toUpper() + QString(".") + QString(address.name);
                    }
                    else // imported by ordinal: no name, so print the ordinal in base 16
                    {
                        return QString(library.name).toUpper() + QString(".#") + QString::number(address.ordinal,16);
                    }
                }
            }
        }
    }
    // addr was 0, or no import slot matched.
    return QString();
}