[ZT]Locating API function offsets in memory by Rheingold
Posted on: 2007-3-12 01:54

In the last issue of the Programming Journal I wrote about a program which adds a password dialog to EXE files, and about how to add functions and DLLs to the import table of PE files. This essay deals with a completely different way to use all the API functions you need in your packer/cryptor/whatever, with no need to change the import table at all. I'll show you how to search through memory to locate Kernel32.dll and then parse its export section to get the API functions you want to use.

When an EXE file is executed, its entry point is not (very) much more than a sub-call made from inside Kernel32.dll (mostly reached from CreateProcessA). This means that at the entry point [esp] must hold a return address that lies somewhere inside Kernel32.dll, and that is our starting point. Given that we know a valid address inside Kernel32.dll, there must be a way to locate the beginning of the DLL, and from there we can easily parse the PE header, the export section and every API we want to use. And there is one. Since Kernel32.dll is mapped at an image base that is aligned to 1000h, we can walk backwards through memory, look only at addresses aligned to 1000h, and check each one for an MZ header. Two checks a practitioner should add: confirm the "PE\0\0" signature at the e_lfanew field (offset 3Ch) of each candidate, so a stray "MZ" in data does not end the walk early, and remember that an export whose address points back into the export directory is a forwarder string rather than code. The walk itself is safe because every page between the return address and the image base belongs to the mapped DLL and is readable. (On later Windows versions the entry point is called from kernel32!BaseThreadInitThunk, so the return address at entry still lies inside Kernel32.dll.)
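As an added example (not Rheingold's source, which is not reproduced on this page): the backward page walk and the export-by-name lookup in portable C, run against a constructed three-page stand-in for a mapped kernel32 instead of the real DLL, so it runs on any host. The header offsets used (e_lfanew at 3Ch, the PE32/PE32+ optional-header magic, DataDirectory[0] for exports, the three export tables) are the real PE layout; the image contents, RVAs and export names in build_fake_kernel32 are made up for the demo, and the lower bound and page cap on the walk are assumptions added to keep the simulated walk inside the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE 0x1000u   /* step size of the backward walk: image pages are 1000h aligned */

/* Little-endian field accessors; PE headers are LE regardless of host. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* A page starts a PE image if it carries "MZ" and e_lfanew points at "PE\0\0".
   Checking the PE signature too avoids stopping on a stray "MZ" in data. */
static int is_pe_base(const uint8_t *page) {
    if (page[0] != 'M' || page[1] != 'Z') return 0;
    uint32_t e_lfanew = rd32(page + 0x3c);
    if (e_lfanew > PAGE - 4) return 0;        /* stay inside the page we know is mapped */
    return memcmp(page + e_lfanew, "PE\0\0", 4) == 0;
}

/* Rheingold's walk: round the return address down to a page boundary and step
   back one page at a time until a PE header is found. `lowest` and `max_pages`
   are assumed bounds for the simulated image; the real trick walks within the
   mapped DLL, where every page down to the base is readable. */
const uint8_t *find_module_base(const uint8_t *ret_addr, const uint8_t *lowest, size_t max_pages) {
    uintptr_t page = (uintptr_t)ret_addr & ~(uintptr_t)(PAGE - 1);
    for (size_t i = 0; i < max_pages && page >= (uintptr_t)lowest; i++, page -= PAGE) {
        if (is_pe_base((const uint8_t *)page)) return (const uint8_t *)page;
    }
    return NULL;
}

/* Resolve an export by name from the image mapped at `base` (PE32 or PE32+).
   Returns base + function RVA, or NULL if absent or forwarded to another DLL. */
const uint8_t *find_export(const uint8_t *base, const char *name) {
    const uint8_t *nt  = base + rd32(base + 0x3c);
    const uint8_t *opt = nt + 24;                      /* 4-byte signature + 20-byte FileHeader */
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return NULL;
    size_t dd = (magic == 0x20b) ? 112 : 96;           /* DataDirectory offset: PE32+ vs PE32 */
    uint32_t exp_rva = rd32(opt + dd), exp_size = rd32(opt + dd + 4);
    if (exp_rva == 0) return NULL;

    const uint8_t *ed    = base + exp_rva;             /* IMAGE_EXPORT_DIRECTORY */
    uint32_t nfuncs      = rd32(ed + 20);
    uint32_t nnames      = rd32(ed + 24);
    const uint8_t *funcs = base + rd32(ed + 28);       /* AddressOfFunctions    (u32 RVAs) */
    const uint8_t *names = base + rd32(ed + 32);       /* AddressOfNames        (u32 RVAs to strings) */
    const uint8_t *ords  = base + rd32(ed + 36);       /* AddressOfNameOrdinals (u16 indexes into funcs) */

    for (uint32_t i = 0; i < nnames; i++) {
        if (strcmp((const char *)(base + rd32(names + 4 * i)), name) != 0) continue;
        uint16_t idx = rd16(ords + 2 * i);
        if (idx >= nfuncs) return NULL;
        uint32_t rva = rd32(funcs + 4 * idx);
        /* An RVA inside the export directory is a forwarder string ("NTDLL.Xyz"), not code. */
        if (rva >= exp_rva && rva < exp_rva + exp_size) return NULL;
        return base + rva;
    }
    return NULL;
}

/* Constructed stand-in for a mapped kernel32: headers in page 0, export tables
   in page 1, "code" in page 2. Every RVA and name below is made up for the demo. */
static _Alignas(4096) uint8_t g_image[3 * PAGE];

const uint8_t *build_fake_kernel32(void) {
    static const char *exports[] = { "ExitProcess", "GetProcAddress", "LoadLibraryA" }; /* sorted, as real tables are */
    memset(g_image, 0, sizeof g_image);
    uint8_t *p = g_image;
    p[0] = 'M'; p[1] = 'Z'; wr32(p + 0x3c, 0x80);          /* e_lfanew */
    memcpy(p + 0x80, "PE\0\0", 4);
    wr16(p + 0x80 + 24, 0x10b);                            /* PE32 magic */
    wr32(p + 0x80 + 24 + 96, 0x1000);                      /* DataDirectory[0].VirtualAddress */
    wr32(p + 0x80 + 24 + 100, 0x500);                      /* DataDirectory[0].Size */
    uint8_t *ed = p + 0x1000;
    wr32(ed + 16, 1);                                      /* Base ordinal */
    wr32(ed + 20, 3); wr32(ed + 24, 3);                    /* NumberOfFunctions / NumberOfNames */
    wr32(ed + 28, 0x1100); wr32(ed + 32, 0x1200); wr32(ed + 36, 0x1300);
    for (uint32_t i = 0; i < 3; i++) {
        wr32(p + 0x1100 + 4 * i, 0x2010 + 0x10 * i);       /* function RVAs in page 2 */
        wr32(p + 0x1200 + 4 * i, 0x1400 + 0x10 * i);       /* name string RVAs */
        wr16(p + 0x1300 + 2 * i, (uint16_t)i);             /* name i -> funcs[i] */
        strcpy((char *)p + 0x1400 + 0x10 * i, exports[i]);
        p[0x2010 + 0x10 * i] = 0xC3;                       /* ret: a stand-in function body */
    }
    return g_image;
}

int main(void) {
    const uint8_t *img  = build_fake_kernel32();
    const uint8_t *ret  = img + 0x2345;                    /* pretend [esp] at entry pointed here */
    const uint8_t *base = find_module_base(ret, img, 16);
    const uint8_t *gpa  = find_export(base, "GetProcAddress");
    printf("image base at image+0x%lx, GetProcAddress RVA 0x%lx\n",
           (unsigned long)(base - img), (unsigned long)(gpa - base));
    return 0;
}
```

In real code the `ret_addr` is the value read from [esp] at the entry point and the walk runs unbounded until the header is found; the bound arguments exist only so the simulated walk cannot leave the buffer. The name table is sorted in real export directories, so a binary search would do, but the linear scan above is what a packer stub typically carries.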



Download Source here:

Latest replies (2)

#2
Support...!
2007-3-12 17:50
#3
Didn't get it at first glance~ let me read it again more carefully~
2007-3-12 18:00