Index
> Windows > PE Import Section |
| Author |
|
|
okasvi 23 May 2006, 23:00
This is what I use and it has always worked. |:
If you count members of struct inside union separately you get 6 members Code:
struct IMAGE_IMPORT_DESCRIPTOR
union
Characteristics rd 1
OriginalFirstThunk rd 1
ends
TimeDateStamp rd 1
ForwarderChain rd 1
Name1 rd 1
FirstThunk rd 1
ends
|
|||
23 May 2006, 23:00 |
|
|
KRA 24 May 2006, 05:42
since OriginalFirstThunk and Characteristics are defined in a union they share the name memory location thus you only have five members.
|
|||
|
24 May 2006, 05:42 |
|
|
Quantum 24 May 2006, 14:49
The first member should point to another lookup table (identical to kernel_table). And there's another minor bug: every pointee referenced from this table should be aligned on an even address.
Code: data import
dd RVA kernel32_lookup,0,0,RVA kernel32_name,RVA kernel32_table
dd 0,0,0,0,0
end data
kernel32_table:
ExitProcess dd RVA _ExitProcess
dd 0
; This is the missing table:
kernel32_lookup:
dd RVA _ExitProcess
dd 0
kernel32_name db 'KERNEL32.DLL',0
align 2 ; <- alignment is required!
_ExitProcess dw 0
db 'ExitProcess',0 |
|||
|
24 May 2006, 14:49 |
|
|
Marikallees 24 May 2006, 15:32
Quote: The first member should point to another lookup table (identical to kernel_table). Does a unique table need to be defined identically, or can the same table be used? Code: dd rva kernel_table,0,0,rva kernel_name,rva kernel_table I don't see why 0 is an accepted value when an RVA is expected. Is 0 a valid RVA? It seems like, if the first field is 0, the last field is being used as the lookup table and at binding both the first and last fields refer to the same table. Quote: align 2 ; <- alignment is required! What kind of problems would I expect if it's not aligned? Also, my PE specification (using a different one now, from Microsoft) doesn't mention alignment for the DLL name field. It talks about padding for the hint/name table entries. So wouldn't the fixed code look more like this? Code: section '.idata' import data readable writeable dd rva kernel_lookup,0,0,rva kernel_name,rva kernel_table dd 0,0,0,0,0 kernel_table: ExitProcess dd rva _ExitProcess CreateFile dd rva _CreateFileA ... dd 0 kernel_lookup: dd rva _ExitProcess dd rva _CreateFileA ... dd 0 kernel_name db 'KERNEL32.DLL',0 _ExitProcess dw 0 db 'ExitProcess',0 align 2 _CreateFileA dw 0 db 'CreateFileA',0 align 2 ... One more thing. Would the last entry in the list need to be aligned as well?  I haven't worked with code alignment yet, does align 2 mean that the next code is aligned to an even boundary as your code suggests, or does it simply pad with 2 NOP instructions? I'm pretty sure it's the first one, but I need to make sure before I break something. |
|||
|
24 May 2006, 15:32 |
|
|
Quantum 24 May 2006, 21:46
Quote:
I'm not sure about this. I guess it won't work in some special cases (maybe DLL binding...) MS linker generates both tables for a reason. Quote:
Usually a 0 RVA means no entry. This applies to relocation tables, resources, etc. Quote:
And who's gonna align _ExitProcess, huh? The DLL name is aligned, because it follows an array of doubleword values (the lookup tables). Quote:
No problems at all, but it's a bit faster when aligned. It's always better to follow the rules, IMHO. Quote:
Yes |
|||
|
24 May 2006, 21:46 |
|
< Last Thread | Next Thread > |
Forum Rules:
|