Klingt für mich eigentlich korrekt was du machst
Hier mal ein Auszug aus einem C-Programm von mir, was über die Imports iteriert und beim Fund einer übergebenen Adresse den Namen ausgibt:
Code:
if (ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress)
{
PIMAGE_IMPORT_DESCRIPTOR descriptor =
(PIMAGE_IMPORT_DESCRIPTOR)((uint8_t*)moduleHandle +
ntHeaders->OptionalHeader.DataDirectory[
IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
while (descriptor->OriginalFirstThunk)
{
const char* moduleName = (char*)((uint8_t*)moduleHandle + descriptor->Name);
PIMAGE_THUNK_DATA originalThunk =
(PIMAGE_THUNK_DATA)((uint8_t*)moduleHandle + descriptor->OriginalFirstThunk);
PIMAGE_THUNK_DATA thunk =
(PIMAGE_THUNK_DATA)((uint8_t*)moduleHandle + descriptor->FirstThunk);
while (originalThunk->u1.ForwarderString)
{
if (!(originalThunk->u1.Ordinal & 0x80000000))
{
if (address == (uintptr_t)&thunk->u1.Function)
{
PIMAGE_IMPORT_BY_NAME import = (PIMAGE_IMPORT_BY_NAME)
((uint8_t*)moduleHandle + originalThunk->u1.AddressOfData);
printf("%s%s", moduleName, import->Name);
return;
}
}
++originalThunk;
++thunk;
}
++descriptor;
}
}