flat assembler - DLL import by ordinals

Index > Windows > DLL import by ordinals - is it safe ?

Author

Thread

IronFelix

Joined: 09 Dec 2004
Posts: 141
Location: Russia, Murmansk region

IronFelix 21 Apr 2009, 15:09

Hi all!
Please tell me, is it safe to import system DLL's functions by ordinals instead of names? Do that ordinals got changed between DLL's releases or not? I'm asking because with ordinals import table will be definitly smaller rather than with names.

Thanks.

_________________
Flat Assembler is the best!

21 Apr 2009, 15:09

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20627
Location: In your JS exploiting you and your system

revolution 21 Apr 2009, 17:12

Not safe. Don't waste your time trying it, MS don't support or guarantee the stability of the ordinals.

21 Apr 2009, 17:12

IronFelix

Joined: 09 Dec 2004
Posts: 141
Location: Russia, Murmansk region

IronFelix 22 Apr 2009, 06:52

Thank you, revolution. So, ordinals are for applications "inner" use only? Does any application have DLLs with fixed ordinals?

22 Apr 2009, 06:52

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20627
Location: In your JS exploiting you and your system

revolution 22 Apr 2009, 08:19

IronFelix wrote:

So, ordinals are for applications "inner" use only?

I guess so. Unless you feel like restricting your app to only one patch level of Windows.

IronFelix wrote:

Does any application have DLLs with fixed ordinals?

I'm sure there are some. Most probably when people/companies think that obfuscation is a good idea or in a situation where faster launching is a must have.

22 Apr 2009, 08:19

pal

Joined: 26 Aug 2008
Posts: 227

pal 22 Apr 2009, 09:48

If you mean ordinal numbers, which I assume you do, there are some hidden Windows APIs which you can only call by using ordinal numbers, you also have to try to figure out what each API does and what parameters it takes. MS does not like you using these, they're meant to be better/faster than the standard APIs so that Windows performs better/faster than your application.

22 Apr 2009, 09:48

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20627
Location: In your JS exploiting you and your system

revolution 22 Apr 2009, 10:30

pal wrote:

If you mean ordinal numbers, which I assume you do, there are some hidden Windows APIs which you can only call by using ordinal numbers, you also have to try to figure out what each API does and what parameters it takes. MS does not like you using these, they're meant to be better/faster than the standard APIs so that Windows performs better/faster than your application.

[wiki]citation needed[/wiki].

Any conspiracy theorists around here?

22 Apr 2009, 10:30

pal

Joined: 26 Aug 2008
Posts: 227

pal 22 Apr 2009, 11:58

I was gonna ask for some citation from anyone.

Code:

http://www.thevbzone.com/secrets.htm#Hidden

VB API declarations for a few hidden ones.

Code:

http://www.inlumineconsulting.com:8080/website/nt.sekrits.html

More to do with NT APIs than anything else.

22 Apr 2009, 11:58

Goplat

Joined: 15 Sep 2006
Posts: 181

Goplat 22 Apr 2009, 14:35

Most DLLs have the ordinal numbers change every version, but there are actually a few where the ordinal numbers are stable. wsock32.dll is one example.

22 Apr 2009, 14:35

pete

Joined: 20 Apr 2009
Posts: 110

pete 22 Apr 2009, 15:02

Interesting links, thanks pal!

22 Apr 2009, 15:02

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum