How to find the offset of the Import Section in a PE32 file?

Question

I have been trying to figure this out for hours but I cannot seem to get it. I have been trying to find the information in the Microsoft Documentation, but I'm overwhelmed by the amount of information. My question is: How is one supposed to find the offset of the Import Section within a PE32 file? I don't mean when the the file is loaded into memory, I mean when it's on disk. Should I be looking inside of the Object Table? Another question, does the object table outline the sections that come immediately after it?

Thank you for your time.

Answer 1

Take a look at PeDump. With this tool (with source code provided), you can see how it works.

Answer 2

It's been quite a while since I went digging around in PE files, but . . .

If I'm reading the documentation correctly, the section table immediately follows the headers. You can position directly to the section table by calculating the size of the headers.

Each section table entry is 40 bytes long (see page 25 of the doc). The first field is an 8-byte name. I assume you can get the imports section name from that. At offset 20 in the record is a pointer to the raw data. That is described as "The file pointer to the first page of the section within the COFF file". The field at offset 16 gives the size.

So you should be able to position to the section table, then read each section header sequentially to find the import address table, and then get the pointer to the raw data.