flat assembler
Message board for the users of flat assembler.

hint in the _IMAGE_IMPORT_BY_NAME structure

Mikl___



Joined: 30 Dec 2014
Posts: 143
Location: Russian Federation, Irkutsk
Mikl___ 12 Apr 2017, 01:33
When importing a function "by name", the _IMAGE_IMPORT_BY_NAME structure is used:
Code:
struc _IMAGE_IMPORT_BY_NAME
{
     .Hint DW ?
     .Name_  DB ? DUP (?), 0 ; the name of the imported function, ASCIIZ string
     .Pad DB ($ and 1) DUP (0) ; one more 0 pads the length of the string to an even boundary
}    

Hint ("MessageBoxA") = 0x1E2 = 482
Hint ("ExitProcess") = 0xBC = 188
Hint ("CreateWindowExA") = 0x60 = 96
Hint ("DefWindowProcA") = 0x8E = 142
Hint ("GetMessageA") = 0x13C = 316
Is the hint a Hash("string")?
1. What is the hint for?
2. How is the hint calculated?


Last edited by Mikl___ on 12 Apr 2017, 01:42; edited 1 time in total
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20466
Location: In your JS exploiting you and your system
revolution 12 Apr 2017, 01:41
The hint is an index value used to quickly find the import name. It is just an incrementing number. If the hint is correct and the index points to the named function then the import is found quickly. If the hint is incorrect and doesn't point to the named function then a slower search by string is used to find the import.
Mikl___ 12 Apr 2017, 01:46
Hi, revolution!
Thank you very much for the quickest reply!
revolution 12 Apr 2017, 01:51
So basically if you want faster DLL linking at program startup then use the correct hint value. Otherwise you can use random numbers for the hint and force the loader to use the slower string search algorithm. For programs with only a few imports most users won't notice any difference. But for larger programs with many thousands of imports there may be a perceived difference in load time.
Mikl___ 12 Apr 2017, 02:21
The BIND utility from the Win32 SDK fills the FirstThunk array with the addresses of the imported functions even before loading.
(Sorry for my bad English)
Mikl___ 12 Apr 2017, 10:28
I created a bat file:
Code:
%masm64%\bin\dumpbin.exe /EXPORTS %windir%\System32\user32.dll /OUT:user32.txt    
Contents of user32.txt:
Code:
Dump of file user32.dll

File Type: DLL

  Section contains the following exports for USER32.dll

    00000000 characteristics
    4CE799CD time date stamp Sat Nov 20 17:50:05 2010
        0.00 version
        1500 ordinal base
        1003 number of functions
         830 number of names

    ordinal hint RVA      name

       1502    0 000083C0 ActivateKeyboardLayout
       1503    1 0002AD40 AddClipboardFormatListener
       1504    2 000235B8 AdjustWindowRect
       1505    3 00017CE4 AdjustWindowRectEx
       1506    4 0007F30C AlignRects
       1507    5 00042164 AllowForegroundActivation
       1508    6 00007D80 AllowSetForegroundWindow
       1509    7 0001BFF0 AnimateWindow
       1510    8 0007A810 AnyPopup
       1511    9 0007D85C AppendMenuA
       1512    A 000136F4 AppendMenuW
       1513    B 00041B04 ArrangeIconicWindows
       1514    C 0000D240 AttachThreadInput
        .....
       2040  20F 00042974 MenuWindowProcA
       2041  210 00042908 MenuWindowProcW
       2042  211 0001E6F0 MessageBeep
       2043  212 000712B8 MessageBoxA
       2044  213 00071370 MessageBoxExA
       2045  214 00071394 MessageBoxExW
       .....
       2340  33B 0002099C wsprintfW
       2341  33C 0007B430 wvsprintfA
       2342  33D 00020BFC wvsprintfW
       1500      0002B260 [NONAME]
       1501      0002AE80 [NONAME]
       1550      00076598 [NONAME]
       1551      00076640 [NONAME]
       1552      00076600 [NONAME]
       1553      00023D2C [NONAME]
       1554      00023DF8 [NONAME]
       1555      00076668 [NONAME]
       1556      00076698 [NONAME]
       2000      00006B80 [NONAME]
       2001      0006E738 [NONAME]
       2002      00023E78 [NONAME]
       2005      00003F00 [NONAME]
       2500      000405D0 [NONAME]
       2501      000405F4 [NONAME]
       2502      0004062C [NONAME]    

if (NameDLL == "user32.dll")
{
    if (Ordinal < 1500) Ordinal = hint + 1502
    elseif (1501 < Ordinal < 1550) Ordinal = hint + 1504
    elseif (1556 < Ordinal < 2000) Ordinal = hint + 1510
    elseif (2002 < Ordinal < 2005) Ordinal = hint + 1513
    elseif (2005 < Ordinal < 2500) Ordinal = hint + 1516
}


Attachment: user32.zip (11.2 KB, downloaded 411 times)
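The lookup described in this thread (try the hint as an index into the export name table, otherwise search by string) as an added example; it is not code from any poster or from the Windows loader. The tables are a constructed model built from the first 13 named rows and the two [NONAME] rows 1500 and 1501 of the dump above; `resolve_import` and `struct resolved` are hypothetical names, and the fallback is written as a binary search over the sorted name table.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: first 13 named rows of the user32.dll dump in the thread. */
#define ORDINAL_BASE 1500u
static const char *const names[] = {        /* name pointer table, sorted */
    "ActivateKeyboardLayout", "AddClipboardFormatListener", "AdjustWindowRect",
    "AdjustWindowRectEx", "AlignRects", "AllowForegroundActivation",
    "AllowSetForegroundWindow", "AnimateWindow", "AnyPopup", "AppendMenuA",
    "AppendMenuW", "ArrangeIconicWindows", "AttachThreadInput" };
#define N_NAMES (sizeof names / sizeof names[0])
/* Name ordinal table: names[i] -> index into functions[] (ordinal - base). */
static const uint16_t name_ordinals[] = { 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 };
/* Export address table; slots 0 and 1 are the [NONAME] ordinals 1500, 1501. */
static const uint32_t functions[] = {
    0x2B260, 0x2AE80, 0x083C0, 0x2AD40, 0x235B8, 0x17CE4, 0x7F30C, 0x42164,
    0x07D80, 0x1BFF0, 0x7A810, 0x7D85C, 0x136F4, 0x41B04, 0x0D240 };
struct resolved { uint32_t rva; unsigned ordinal; int hint_hit; };

/* Hypothetical helper: resolve a by-name import the way the thread describes. */
int resolve_import(const char *name, uint16_t hint, struct resolved *out)
{
    size_t idx = N_NAMES;                    /* N_NAMES means "not found" */
    out->hint_hit = 0;
    if (hint < N_NAMES && strcmp(names[hint], name) == 0) {
        idx = hint;                          /* fast path: the hint is correct */
        out->hint_hit = 1;
    } else {                                 /* slow path: search by string */
        size_t lo = 0, hi = N_NAMES;
        while (lo < hi) {
            size_t mid = lo + (hi - lo) / 2;
            int c = strcmp(name, names[mid]);
            if (c == 0) { idx = mid; break; }
            if (c < 0) hi = mid; else lo = mid + 1;
        }
    }
    if (idx == N_NAMES) return -1;           /* name is not exported */
    out->ordinal = ORDINAL_BASE + name_ordinals[idx];
    out->rva = functions[name_ordinals[idx]];
    return 0;
}

int main(void)
{
    struct resolved r = { 0, 0, 0 };
    int rc = resolve_import("AnimateWindow", 0x1E2, &r);  /* wrong hint on purpose */
    printf("rc=%d ordinal=%u rva=%05X hint_hit=%d\n", rc, r.ordinal, (unsigned)r.rva, r.hint_hit);
    return 0;
}
```

A wrong or out-of-range hint changes only which path is taken, not the function that is resolved; the name string decides the result.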
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.