
unbinding executable problem


xarti
December 17th, 2010, 16:52
Hi,
Some time ago I started playing with PE files. I tried to modify the import descriptors. I wrote a simple app which copies the import data to a separate section. I encountered a problem with bound imports.

I tried to unbind an executable. I removed the bound data, copied the RVAs from OriginalFirstThunk to FirstThunk, and zeroed the OriginalFirstThunk, TimeDateStamp and ForwarderChain.

However, when I try to run the app after the modification I get error 0xC0000005: the app has not been initialized correctly. I'm trying to figure it out by myself but have no idea what I've done wrong.

Any help would be really appreciated.
Attached are the source code of the app I wrote, the file I used for testing, and a modified version of the test file (the one I tried to unbind).

Thanks,
xarti

aqrit
December 17th, 2010, 20:08
bound imports can be mostly ignored.
zero the TimeDateStamp in each PIMAGE_IMPORT_DESCRIPTOR
zero the VirtualAddress and Size of the PIMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT]

I'm guessing you have bigger problems

Indy
December 18th, 2010, 12:58
For an #AV, the exception record (xcptrecord) carries the address where the exception occurred, the offset of the segment that was accessed, and the type of access (R/W). The context contains the state of the thread at the time of the exception. This information is sufficient to identify the exception. Download the debug symbols and find the place in the loader where the exception occurred.

xarti
December 27th, 2010, 16:17
I found out that I received the access violation during LdrpSnapIAT. What I read is that this function should change the access rights of the page to PAGE_READWRITE.

I realised that I had moved the IIDs to the new section, leaving the IAT in the code section. After making the code section writable the problem is gone.

Is it possible that LdrpSnapIAT only changes the access rights of the page containing the IIDs, regardless of where the IAT is?

P.S.
I know that having the import descriptors and the IAT in two different sections is a rather unusual situation in a normal application.
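A worked version of the unbinding steps from the first two posts (restore the IAT from the INT, zero TimeDateStamp and ForwarderChain, drop the bound-import directory entry), as an added example that is not code from the thread or its attachments. The sample image and every value in it are constructed; OriginalFirstThunk is left intact rather than zeroed, so the loader still has the INT to snap from.

```python
import struct
DIR_IMPORT, DIR_BOUND_IMPORT = 1, 11   # IMAGE_DIRECTORY_ENTRY_IMPORT / IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT

def unbind_imports(img):
    """Undo import binding in a PE file image (bytearray), in place; returns how many descriptors were bound."""
    pe = struct.unpack_from("<I", img, 0x3C)[0]                    # IMAGE_DOS_HEADER.e_lfanew
    assert img[pe:pe + 4] == b"PE\0\0", "not a PE image"
    nsec, opt_size = struct.unpack_from("<H", img, pe + 6)[0], struct.unpack_from("<H", img, pe + 20)[0]
    pe32plus = struct.unpack_from("<H", img, pe + 24)[0] == 0x20B  # OptionalHeader.Magic
    tsz = 8 if pe32plus else 4                                     # sizeof(IMAGE_THUNK_DATA)
    dirs = pe + 24 + (112 if pe32plus else 96)                     # OptionalHeader.DataDirectory[]
    # Section headers start at pe+24+opt_size; +8 skips Name: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    secs = [struct.unpack_from("<IIII", img, pe + 24 + opt_size + i * 40 + 8) for i in range(nsec)]
    def off(rva):                                                  # RVA -> file offset
        for vsize, va, rawsize, raw in secs:
            if va <= rva < va + max(vsize, rawsize):
                return raw + rva - va
        raise ValueError("RVA %#x lies outside every section" % rva)
    desc, bound = off(struct.unpack_from("<I", img, dirs + DIR_IMPORT * 8)[0]), 0
    while True:
        oft, ts, fwd, name, ft = struct.unpack_from("<IIIII", img, desc)   # IMAGE_IMPORT_DESCRIPTOR
        if not (oft or name or ft):                                # all-zero terminator
            break
        if ts or fwd:                                              # nonzero TimeDateStamp: this DLL is bound
            bound += 1
            i, a = off(oft), off(ft)                               # INT (OriginalFirstThunk) and IAT (FirstThunk)
            while img[i:i + tsz] != bytes(tsz):                    # copy the INT back over the bound IAT
                img[a:a + tsz] = img[i:i + tsz]
                i, a = i + tsz, a + tsz
            img[a:a + tsz] = bytes(tsz)                            # re-terminate the IAT
            struct.pack_into("<II", img, desc + 4, 0, 0)           # TimeDateStamp = ForwarderChain = 0
        desc += 20                                                 # sizeof(IMAGE_IMPORT_DESCRIPTOR)
    struct.pack_into("<II", img, dirs + DIR_BOUND_IMPORT * 8, 0, 0)  # drop the bound-import directory entry
    return bound

def sample_image():
    """Constructed PE32 image (not a real binary): one bound kernel32 import, IAT in .text, INT in .idata."""
    img = bytearray(0x600)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                        # e_lfanew
    struct.pack_into("<H", img, 0x46, 2); struct.pack_into("<H", img, 0x54, 224)  # 2 sections, PE32 opt. header
    struct.pack_into("<H", img, 0x58, 0x10B)                       # PE32 magic
    struct.pack_into("<II", img, 0xB8 + DIR_IMPORT * 8, 0x2000, 40)
    struct.pack_into("<II", img, 0xB8 + DIR_BOUND_IMPORT * 8, 0x190, 24)  # claims bound-import data exists
    struct.pack_into("<8sIIII", img, 0x138, b".text", 0x100, 0x1000, 0x200, 0x200)
    struct.pack_into("<8sIIII", img, 0x160, b".idata", 0x100, 0x2000, 0x200, 0x400)
    struct.pack_into("<IIIII", img, 0x400, 0x2040, 0x4D0B8E8C, 0, 0x2050, 0x1000)  # bound descriptor
    struct.pack_into("<I", img, 0x440, 0x2060)                     # INT: RVA of the hint/name entry
    img[0x450:0x45D], img[0x462:0x46E] = b"kernel32.dll\0", b"ExitProcess\0"
    struct.pack_into("<I", img, 0x200, 0x7C81CAFA)                 # IAT slot already holds a bound address
    return img
```

The loader finds the IAT range it makes writable before snapping through IMAGE_DIRECTORY_ENTRY_IAT (index 12), so after rewriting the descriptors that entry should still cover every FirstThunk array.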