While loading any .exe into my command line program, I get this output: http://www.privatepaste.com/22dc18e88d/output
As you can see from the output, I get 21 imported DLLs.
It imports wsock32.dll. As I continue to parse the information in the PE file format of the .exe given as a command line argument, I see:
The wsock32.dll imports are all ordinal numbers, as seen by the 80000000 flag. Strip all those away and you get:
[Import_By_Ordinal]: 00000016
[Import_By_Ordinal]: 00000003
[Import_By_Ordinal]: 00000073
[Import_By_Ordinal]: 00000017
[Import_By_Ordinal]: 00000015
[Import_By_Ordinal]: 0000000B
[Import_By_Ordinal]: 00000014
[Import_By_Ordinal]: 0000000E
[Import_By_Ordinal]: 0000000A
[Import_By_Ordinal]: 00000034
[Import_By_Ordinal]: 00000011
[Import_By_Ordinal]: 00000013
[Import_By_Ordinal]: 00000010
[Import_By_Ordinal]: 00000009
[Import_By_Ordinal]: 00000002
[Import_By_Ordinal]: 00000008
[Import_By_Ordinal]: 0000006F
[Import_By_Ordinal]: 00000097
[Import_By_Ordinal]: 00000012
[Import_By_Ordinal]: 00000004
[Import_By_Ordinal]: 0000000F
[Import_By_Ordinal]: 0000000C
Now, this information is seen by parsing the EXE's PE file format. Obviously we won't be able to get the names of those functions.
If I wanted to look at ordinal 00000016, I would have to use dumpbin or CFF Explorer, load up wsock32.dll and look at its exports to find out what function is related to 00000016.
I don't want to do that. I would like a C or C++ way of taking 00000016, somehow opening wsock32.dll and comparing its export table to the ordinal I acquired from the exe.
Currently this is how I'm getting the ordinals:
// Start iterating the import tables
nFunctions = 0;
nOrdinalFunctions = 0;
// The INT (OriginalFirstThunk array) is terminated by an all-zero IMAGE_THUNK_DATA.
while( thunkINT->u1.AddressOfData != 0 )
{
    // If the high bit (IMAGE_ORDINAL_FLAG) is NOT set, the IMAGE_THUNK_DATA value is an
    // RVA to an IMAGE_IMPORT_BY_NAME structure holding the imported API's name.
    if( !( thunkINT->u1.AddressOfData & IMAGE_ORDINAL_FLAG ) )
    {
        nameData = (PIMAGE_IMPORT_BY_NAME)rvaToPtr( (DWORD)thunkINT->u1.AddressOfData,
                                                    peHeader,
                                                    (DWORD)baseAddress );
        printf( "\t%s\n", nameData->Name );
    }
    // Otherwise the flag is set and the function is imported by ordinal number.
    // IMAGE_ORDINAL() strips the flag so only the ordinal itself is printed.
    else
    {
        printf( " [Import_By_Ordinal]:\tordinal: %08X\n",
                (unsigned int)IMAGE_ORDINAL( thunkINT->u1.Ordinal ) );
        nOrdinalFunctions++;
    }
    thunkINT++;
    thunkIAT++;
    nFunctions++;
} // End of while loop
So, I'm wanting to know: while parsing the EXE's imports, is there a way to match the import ordinal to the DLL export ordinal, and find the function name for the ordinal?
I would like a C or C++ way of doing this.
Thanks if there is someone out there with the knowledge I'm looking for, as this stuff is very complex and what I'm trying to do isn't widely known to a lot of people.
I hope someone can help...
Thanks...
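An added example (not from the question or any answer) of the export-table walk that maps an import ordinal to a name: find DataDirectory[0] in the DLL's optional header, read IMAGE_EXPORT_DIRECTORY, subtract Base to get the function index, and search AddressOfNameOrdinals for that index. It is written without windows.h (the 40-byte ExportDir stand-in has the same layout as IMAGE_EXPORT_DIRECTORY) so it compiles anywhere; it assumes the DLL is mapped the way the loader maps it, so RVAs are plain offsets from the base, and sample_image() is a constructed fake DLL, not wsock32.dll.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-in for IMAGE_EXPORT_DIRECTORY (same 40-byte layout as WinNT.h). */
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} ExportDir;
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }

/* Resolve an import ordinal (IMAGE_ORDINAL_FLAG already stripped) to the export name
 * in a DLL image mapped by the loader (RVA == offset from base).
 * Returns NULL when the ordinal is out of range or the export has no name. */
const char *ordinal_to_name(const uint8_t *base, uint32_t ordinal) {
    if (base[0] != 'M' || base[1] != 'Z') return NULL;         /* IMAGE_DOS_HEADER */
    uint32_t pe = rd32(base + 0x3C);                             /* e_lfanew */
    if (memcmp(base + pe, "PE\0\0", 4) != 0) return NULL;       /* IMAGE_NT_HEADERS */
    uint16_t magic = rd16(base + pe + 24);                       /* OptionalHeader.Magic */
    uint32_t dir = pe + 24 + (magic == 0x10B ? 96 : 112);        /* DataDirectory[EXPORT] */
    uint32_t rva = rd32(base + dir);
    if (rva == 0) return NULL;                                   /* no export table */
    ExportDir ed; memcpy(&ed, base + rva, sizeof ed);
    if (ordinal < ed.Base || ordinal - ed.Base >= ed.NumberOfFunctions) return NULL;
    uint32_t idx = ordinal - ed.Base;  /* index into AddressOfFunctions */
    for (uint32_t i = 0; i < ed.NumberOfNames; i++)              /* named exports are a subset */
        if (rd16(base + ed.AddressOfNameOrdinals + 2 * i) == idx)
            return (const char *)(base + rd32(base + ed.AddressOfNames + 4 * i));
    return NULL;                                                 /* NONAME export */
}

/* Constructed stand-in for a loaded DLL: minimal PE32 headers plus an export table
 * with Base=1, three functions, two of them named. Not a real wsock32.dll. */
static uint8_t g_img[0x200];
const uint8_t *sample_image(void) {
    memset(g_img, 0, sizeof g_img);
    memcpy(g_img, "MZ", 2);
    uint32_t pe = 0x40; memcpy(g_img + 0x3C, &pe, 4);
    memcpy(g_img + pe, "PE\0\0", 4);
    uint16_t magic = 0x10B; memcpy(g_img + pe + 24, &magic, 2);
    uint32_t exp = 0x100; memcpy(g_img + pe + 24 + 96, &exp, 4);
    ExportDir ed = {0, 0, 0, 0, 0, 1, 3, 2, 0x130, 0x140, 0x150};
    memcpy(g_img + exp, &ed, sizeof ed);
    uint32_t names[2] = {0x160, 0x170}; memcpy(g_img + 0x140, names, sizeof names);
    uint16_t ords[2] = {0, 2};  /* ordinal 1 -> "fake_connect", ordinal 3 -> "fake_send" */
    memcpy(g_img + 0x150, ords, sizeof ords);
    memcpy(g_img + 0x160, "fake_connect", 13); memcpy(g_img + 0x170, "fake_send", 10);
    return g_img;
}
```

On Windows the base pointer would come from LoadLibraryEx with DONT_RESOLVE_DLL_REFERENCES (so no DllMain runs), and a NULL result for an in-range ordinal means the export is NONAME, which is exactly the case the question's listing shows.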