flat assembler
Message board for the users of flat assembler.

Index > Windows > Question regarding the IAT

Author
Thread Post new topic Reply to topic
Icefex



Joined: 11 Feb 2009
Posts: 17
Icefex 11 Sep 2009, 19:07
When call [MessageBoxA] gets assembled does it point directly to the corresponding entry in the Import Address Table (i mean the address which points before loading to the same as the entry in the Import Lookup Table)? And are these addresses RVAs or absolute?
Post 11 Sep 2009, 19:07
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20449
Location: In your JS exploiting you and your system
revolution 11 Sep 2009, 22:10
It depends upon how you format your IAT. If you use the standard fasm header macros then the call will take the MessageBox address directly from the IAT entry. The IAT entry is initialised by the Windows loader and at runtime the address is absolute.
Post 11 Sep 2009, 22:10
View user's profile Send private message Visit poster's website Reply with quote
Icefex



Joined: 11 Feb 2009
Posts: 17
Icefex 12 Sep 2009, 05:30
I'm aware of it how it is after loading but how is it just in the binary image? I wanted to know if the address after the call is an RVA or not.
Post 12 Sep 2009, 05:30
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20449
Location: In your JS exploiting you and your system
revolution 12 Sep 2009, 05:39
TFM wrote:
CALL r/m32 - Call near, absolute indirect, address given in r/m32.
Post 12 Sep 2009, 05:39
View user's profile Send private message Visit poster's website Reply with quote
Icefex



Joined: 11 Feb 2009
Posts: 17
Icefex 12 Sep 2009, 16:42
Sorry to be annoying but this address then points to the entry in the IAT which contains after loading the address of the function and the address of the call points absolute in means of the executable image in memory and not whole memory?
Post 12 Sep 2009, 16:42
View user's profile Send private message Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 12 Sep 2009, 19:51
it is RVA of 2byte ordinal, followed by ASCIIZ string name of function (eg. FirstThunk array in binary is identical to OriginalFirstThunk array)
Post 12 Sep 2009, 19:51
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
Icefex



Joined: 11 Feb 2009
Posts: 17
Icefex 12 Sep 2009, 20:16
Okay, I'm trying to make it more clear:

call [MessageBoxA] after assembly -> FF 25 00 00 00 00
where does 00000000 point? Does it point to the entry in the IAT which contains the address of the function after loading the pe? And if, is this address (the 00000000) absolute to the whole memory or only the image in memory? (I know that the entry in the IAT after loading is containing the function address)
Post 12 Sep 2009, 20:16
View user's profile Send private message Reply with quote
Fanael



Joined: 03 Jul 2009
Posts: 168
Fanael 12 Sep 2009, 20:38
00000000 is null pointer and is ALWAYS invalid. Probably your code contains errors, or you're compiling to COFF, then that address will be updated by the linker.
Post 12 Sep 2009, 20:38
View user's profile Send private message Reply with quote
Icefex



Joined: 11 Feb 2009
Posts: 17
Icefex 13 Sep 2009, 04:58
Meh. That pointer was just to show what i wanna know. My files compile and run fine...
Okay here is what I wanna do:

I'm trying to make a program which removes the .idata section. It first searches for all addresses which are called by the program and stores them in an array, then goes through the code, searches for the opcodes FF 25 and FF 15, looks up the address in the previously generated table and if it matches it replaces it with an identifier for the dll and an function hash. And then patches a new section to the exe and removes the .idata.
Okay and my only problem in this to verify the function calls.
Post 13 Sep 2009, 04:58
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20449
Location: In your JS exploiting you and your system
revolution 13 Sep 2009, 05:11
Have a look at the file "PEDEMO.ASM" in the "examples\pedemo\" folder of the download zip.
Code:
...
  call    [MessageBoxA]
...
    MessageBoxA dd RVA _MessageBoxA
...
  _MessageBoxA dw 0
    db 'MessageBoxA',0    
That is all there is to the IAT.
Post 13 Sep 2009, 05:11
View user's profile Send private message Visit poster's website Reply with quote
Icefex



Joined: 11 Feb 2009
Posts: 17
Icefex 13 Sep 2009, 06:12
Okay, then it's an RVA, thanks...
Post 13 Sep 2009, 06:12
View user's profile Send private message Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 13 Sep 2009, 13:10
Icefex wrote:
Okay, then it's an RVA, thanks...

As I said in 5 posts ago Smile

But note that there are other common ways of calling API used by compilers:

Code:
call MessageBoxA
...
mov esi, MessageBoxA
call esi
...
MessageBoxA: jmp [__imp__MessageBoxA]
...
__imp__MessageBoxA dd rva MessageBoxA_thunk
...
MessageBoxA_thunk: 
  dw 0
  db "MessageBoxA", 0    
Post 13 Sep 2009, 13:10
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
Icefex



Joined: 11 Feb 2009
Posts: 17
Icefex 13 Sep 2009, 13:13
Yes I know, so called jumppads, but they are not my problem. I also got the source of a pe loader of a friend so I think I have enough info to do it now.
Post 13 Sep 2009, 13:13
View user's profile Send private message Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 13 Sep 2009, 15:21
Also note the loading of API address to register for multiple calls. That is common as well.
Post 13 Sep 2009, 15:21
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.