Where can one find a specification for the data structures representing a DLL in memory?

StackOverflow https://stackoverflow.com/questions/381487

  •  23-08-2019

Question

Specifically I want to know what the data structure for the imports (idata) section looks like.


Solution

The DLL file format is the same as that of EXE files, the PE (portable executable) format. You can get a copy of the specification from Microsoft. You can also try Wotsit for general file-format information.

Windows provides the ImageHlp API for working with executable files. The LoadImage function looks like a good place to start.

You should also take a look at the "Portable Executable File Format" chapter of Undocumented Windows NT. It seems to describe how to use ImageHlp to get at various parts of a binary. I think the part you're most interested in is on the fourth page, which describes the IMAGE_DIRECTORY_ENTRY_IMPORT part of the PE file.

OTHER TIPS

It seems that I was mistaken - the structure of the PE file seems to be identical in memory.

One can use the structures defined in winnt.h to interpret the memory.

When looking at these structures, you have to remember that the offsets (or 'RVA's[1]) are little endian. I probably wouldn't have been as confused if I just pointed a program at the relevant memory rather than using a debugger.

[1] In Microsoft speak.
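
As an added example (not part of the answers above, and not code from winnt.h or ImageHlp), this sketch walks the import directory of an image laid out as it is mapped in memory, using the winnt.h structure layouts, so each RVA is used directly as an offset from the image base. The `build_sample` helper and every offset and address in it are constructed for the demonstration.

```python
import struct

def cstr(img, rva):  # NUL-terminated ASCII string at an RVA
    return img[rva:img.index(b"\0", rva)].decode("ascii")

def parse_imports(img):
    """img is a PE image as mapped in memory, so RVA == offset. Returns {dll: [imports]}."""
    nt = struct.unpack_from("<I", img, 0x3C)[0]        # IMAGE_DOS_HEADER.e_lfanew
    if img[:2] != b"MZ" or img[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = nt + 4 + 20                                  # skip Signature and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", img, opt)[0]
    if magic not in (0x10B, 0x20B):                    # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    fmt, width, dirs = ("<I", 4, 96) if magic == 0x10B else ("<Q", 8, 112)
    # DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT] is entry 1; each entry is RVA + Size
    desc = struct.unpack_from("<I", img, opt + dirs + 8)[0]
    imports = {}
    while desc:
        # IMAGE_IMPORT_DESCRIPTOR: five little-endian DWORDs; an all-zero one ends the array
        oft, _stamp, _fwd, name, ft = struct.unpack_from("<5I", img, desc)
        if not (oft or name or ft):
            break
        # After binding, FirstThunk holds addresses; names stay reachable through
        # OriginalFirstThunk. Use FirstThunk only when OriginalFirstThunk is 0.
        thunk, funcs = oft or ft, []
        while (val := struct.unpack_from(fmt, img, thunk)[0]):
            if val >> (width * 8 - 1):                 # IMAGE_ORDINAL_FLAG set: by ordinal
                funcs.append(f"#{val & 0xFFFF}")
            else:                                      # RVA of IMAGE_IMPORT_BY_NAME
                funcs.append(cstr(img, val + 2))       # skip the WORD Hint
            thunk += width
        imports.setdefault(cstr(img, name), []).extend(funcs)
        desc += 20
    return imports

def build_sample():
    """Constructed PE32 fragment for the demo (not a loadable DLL)."""
    img = bytearray(0x300)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                          # e_lfanew
    struct.pack_into("<H", img, 0x58, 0x10B)                         # PE32 magic
    struct.pack_into("<II", img, 0xC0, 0x200, 40)                    # import directory
    struct.pack_into("<5I", img, 0x200, 0x240, 0, 0, 0x280, 0x2A0)   # one descriptor
    struct.pack_into("<2I", img, 0x240, 0x260, 0x80000000 | 17)      # lookup table
    struct.pack_into("<H11s", img, 0x260, 0, b"CreateFileW")         # hint + name
    struct.pack_into("<12s", img, 0x280, b"KERNEL32.dll")
    struct.pack_into("<2I", img, 0x2A0, 0x77001000, 0x77002000)      # IAT after binding
    return bytes(img)
```

Out-of-range RVAs in a malformed image surface as `struct.error` or `ValueError` rather than a bad read, which is the behaviour to want when the input is untrusted.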

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow