X:\>objdump -p 979536.exe

979536.exe:     file format pei-x86-64

Characteristics 0x27
        relocations stripped
        executable
        line numbers stripped
        large address aware

Time/Date                 Thu Jul 05 21:33:01 2012
Magic                     020b    (PE32+)
MajorLinkerVersion        2
MinorLinkerVersion        21
SizeOfCode                00002200
SizeOfInitializedData     00001400
SizeOfUninitializedData   00000a00
AddressOfEntryPoint       00000000000014e0
BaseOfCode                0000000000001000
ImageBase                 0000000000400000
SectionAlignment          0000000000001000
FileAlignment             0000000000000200
MajorOSystemVersion       4
MinorOSystemVersion       0
MajorImageVersion         0
MinorImageVersion         0
MajorSubsystemVersion     5
MinorSubsystemVersion     2
Win32Version              00000000
SizeOfImage               00022000
SizeOfHeaders             00000600
CheckSum                  000268cb
Subsystem                 00000003    (Windows CUI)
DllCharacteristics        00000000
SizeOfStackReserve        0000000000200000
SizeOfStackCommit         0000000000001000
SizeOfHeapReserve         0000000000100000
SizeOfHeapCommit          0000000000001000
LoaderFlags               00000000
NumberOfRvaAndSizes       00000010

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0000000000007000 0000082c Import Directory [parts of .idata]
Entry 2 0000000000000000 00000000 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 0000000000000000 00000000 Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000009000 00000028 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000007204 000001c8 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved

There is an import table in .idata at 0x407000

The Import Tables (interpreted .idata section contents)
 vma:            Hint     Time     Forward  DLL      First
                 Table    Stamp    Chain    Name     Thunk
 00007000        0000703c 00000000 00000000 0000779c 00007204

        DLL Name: KERNEL32.dll
        vma:  Hint/Ord Member-Name Bound-To
        73cc      134  DeleteCriticalSection
        73e4      157  EnterCriticalSection
        73fc      327  GetCurrentProcess
        7410      328  GetCurrentProcessId
        7426      331  GetCurrentThreadId
        743c      373  GetLastError
        744c      387  GetModuleHandleA
        7460      420  GetProcAddress
        7472      443  GetStartupInfoA
        7484      462  GetSystemTimeAsFileTime
        749e      483  GetTickCount
        74ae      551  InitializeCriticalSection
        74ca      591  LeaveCriticalSection
        74e2      595  LoadLibraryW
        74f2      673  QueryPerformanceCounter
        750c      721  RtlAddFunctionTable
        7522      722  RtlCaptureContext
        7536      729  RtlLookupFunctionEntry
        7550      736  RtlVirtualUnwind
        7564      850  SetUnhandledExceptionFilter
        7582      862  Sleep
        758a      870  TerminateProcess
        759e      877  TlsGetValue
        75ac      886  UnhandledExceptionFilter
        75c8      910  VirtualProtect
        75da      912  VirtualQuery

 00007014        00007114 00000000 00000000 00007820 000072dc

        DLL Name: msvcrt.dll
        vma:  Hint/Ord Member-Name Bound-To
        75ea       78  __dllonexit
        75f8       81  __getmainargs
        7608       82  __initenv
        7614       83  __iob_func
        7622       90  __lconv_init
        7632       96  __set_app_type
        7644       98  __setusermatherr
        7658      114  _acmdln
        7662      121  _amsg_exit
        7670      139  _cexit
        767a      231  _fmode
        7684      297  _initterm
        7690      400  _lock
        7698      564  _onexit
        76a2      653  _stat64
        76ac      732  _unlock
        76b6      932  abort
        76be      946  calloc
        76c8      956  exit
        76d0      971  fprintf
        76da      978  free
        76e2      989  fwrite
        76ec     1034  malloc
        76f6     1042  memcpy
        7700     1050  printf
        770a     1072  signal
        7714     1092  strlen
        771e     1095  strncmp
        7728     1127  vfprintf

 00007028        00000000 00000000 00000000 00000000 00000000

X:\>