pe-parse
pe-parse copied to clipboard
trailofbits
Extract delay-loaded libraries from import table
First
Thanks for your good library for parsing PE files. We use your library for extract dependencies of executable application on CQtDeployer project.
Trouble
Windows use the delay-loaded technology for load dependencies. And it is very likely that these libraries are not visible when parsing the import table.
In the Micrasoft documentation site has a instruction of extracting delay-load libraries but they use system functions.
Question
How to extract delay load libraries uses your Library?.
Thank you for the kind words!
It should be possible to support delay-loaded imports (from a quick glance, they look like Windows' version of late/lazy bound symbols), but I can't offer you an exact timeline on when I (or someone else) will get around to implementing support for them.
I'm going to tag this with a few things; someone from the community may pick it up.
Just dumping this here for more context:
To do this, pe-parse will need to jump through the following hoops:
- Check for the delay import descriptor (offset 200/216) in the optional header data directories
- Parse the delay-load directory table (source)
- Use the information from the delay-load directory table to actually parse the delay-load import section (
.didata), which is formatted identically to the normal import section (.idata)
The fact that the delay-load imports are stored in .didata appears to be an implementation detail, so we can't rely on that. We need to go through the data directory descriptor manually.