I am trying to write Dumpbin in kernel mode. So naturally, I traverse
the import and export tables of loaded PE images (the loaded module
list). On a single processor machine, this works like a charm - the
Optional Headers line up, I get the data directory entry that I want
and presto.
However, on a multiprocessor CPU it does not work with some system
files. The Optional Header lines itself up correctly, and for the
most part the data directory entries (seem to) line up - however the
import table entry points to the wrong spot! It points to NULL (00 00
00 00 … etc) memory. Does anyone know why (it appears at least that
only the import table -) Data Directory Entry 1 does not have the
correct RVA? Any ideas? How can the DataDirectoryEntry for the import
table point to null? Does the loader allow this? What's going on?
[DataDirectoryEntry]    SingleProcessorKern    MultiProcessorKern
0 - Export Table        B9D80, size(7875)      BDB40, size(7875)
1 - Import Table        D8596, size(28)        DC96E, size(28)
DC96E -> is ‘supposed’ to be the RVA to the import table, after
converting to an address - it points to ‘zeroed’ memory.
Any help would be great, thanks. Any ideas?
Shane Parrish,
System Exposure
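
Added example, not part of the original post: one check to run before dereferencing a data directory RVA is to look up which section covers it and read that section's Characteristics flags, for instance IMAGE_SCN_MEM_DISCARDABLE. The function names and the header bytes written by build_sample are constructed for illustration; the code works on a plain buffer of header bytes and bounds-checks every read.

```c
#include <stdint.h>
#include <string.h>
#define SCN_MEM_DISCARDABLE 0x02000000u  /* IMAGE_SCN_MEM_DISCARDABLE */
#define SAMPLE_LEN 0x160                 /* size of the constructed sample below */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Offset of the NT headers, or 0 when the MZ / PE signatures do not check out. */
static size_t nt_off(const uint8_t *img, size_t len) {
    if (len < 0x40 || rd16(img) != 0x5A4D) return 0;
    size_t nt = rd32(img + 0x3C);
    return (nt < len && len - nt >= 26 && rd32(img + nt) == 0x4550) ? nt : 0;
}

/* Read data directory entry idx (1 = import table). 0 on success, -1 if malformed. */
int pe_data_dir(const uint8_t *img, size_t len, unsigned idx, uint32_t *rva, uint32_t *size) {
    size_t nt = nt_off(img, len);
    uint16_t magic = nt ? rd16(img + nt + 24) : 0;       /* 0x10B PE32, 0x20B PE32+ */
    if (magic != 0x10B && magic != 0x20B) return -1;
    size_t dir = nt + 24 + (magic == 0x20B ? 112 : 96);  /* start of DataDirectory[] */
    if (dir > len || len - dir < 8 * ((size_t)idx + 1)) return -1;
    if (idx >= rd32(img + dir - 4)) return -1;           /* NumberOfRvaAndSizes */
    *rva = rd32(img + dir + 8 * idx); *size = rd32(img + dir + 8 * idx + 4);
    return 0;
}

/* Characteristics of the section whose virtual range covers rva, or 0 if none does. */
uint32_t pe_section_flags(const uint8_t *img, size_t len, uint32_t rva) {
    size_t nt = nt_off(img, len);
    if (!nt) return 0;
    size_t sec = nt + 24 + rd16(img + nt + 20);          /* past the optional header */
    for (unsigned n = rd16(img + nt + 6); n--; sec += 40) {
        if (sec > len || len - sec < 40) return 0;
        uint32_t va = rd32(img + sec + 12);
        if (rva >= va && rva - va < rd32(img + sec + 8)) return rd32(img + sec + 36);
    }
    return 0;
}

/* Constructed sample: PE32 headers, one section at RVA 0x1000, import entry inside it. */
void build_sample(uint8_t b[SAMPLE_LEN]) {
    memset(b, 0, SAMPLE_LEN);
    wr32(b, 0x5A4D); wr32(b + 0x3C, 0x40); wr32(b + 0x40, 0x4550);  /* MZ, e_lfanew, PE */
    b[0x46] = 1; b[0x54] = 0xE0;               /* NumberOfSections, SizeOfOptionalHeader */
    wr32(b + 0x58, 0x10B); wr32(b + 0xB4, 16); /* magic, NumberOfRvaAndSizes */
    wr32(b + 0xC0, 0x1010); wr32(b + 0xC4, 0x28);                    /* DataDirectory[1] */
    wr32(b + 0x140, 0x200); wr32(b + 0x144, 0x1000); wr32(b + 0x15C, 0xE2000020);
}
```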