I found something out quite awhile ago, then I forgot it over time. Then I strained my brain for a few hours trying to remember what I did.

The are several thread here about how to remove the jump table when calling windows api. But I noticed when I wrote my own code and had multiple files, the would be a jump table for functions in other files. Then a linker bug(my code was a little 'odd'), brought me to turning off /INCREMENTAL linking. I noticed shortly thereafter that I do not have a jump table for my own procs included from other files. I just got an E8 call straight to the proc.

MSDN:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vccore98/HTML/_core_.2f.incremental.asp

An incrementally linked program is functionally equivalent to a program that is nonincrementally linked. However, because it is prepared for subsequent incremental links, an incrementally linked executable (.EXE) file or dynamic-link library (DLL):

Is larger than a nonincrementally linked program because of padding of code and data. (Padding allows the linker to increase the size of functions and data without recreating the .EXE file.)

May contain jump thunks to handle relocation of functions to new addresses.


I hope this is helpful to someone. I stumbled on to this one, and learned some more about the tools....

Note: This does not remove the IAT from calls to the Win APIs etc. Just the included files in your program.
Posted on 2003-03-14 13:58:27 by ThoughtCriminal
It could be a dead link or they killed it. With IE it say UN-bla...bla...bla. Maybe it worked for other i don't know.
Posted on 2003-03-14 18:48:17 by cmax

It could be a dead link or they killed it. With IE it say UN-bla...bla...bla. Maybe it worked for other i don't know.


I fixed the link.
Posted on 2003-03-14 19:21:39 by bazik
ThoughtCriminal,

In MASM, use the alternate set of include file that you can create with the utility L2EXTIA.EXE that comes with MASM32.

The lookup table at the end of the EXE/DLL file will not be there any longer as you get direct calls to API function that way.

Regards,

hutch@movsd.com
Posted on 2003-03-15 01:29:58 by hutch--

ThoughtCriminal,

In MASM, use the alternate set of include file that you can create with the utility L2EXTIA.EXE that comes with MASM32.

The lookup table at the end of the EXE/DLL file will not be there any longer as you get direct calls to API function that way.

Regards,

hutch@movsd.com


Direct calls? You mean E8.... calls? I changed the calls to function pointers, FF... calls. Please let me know which it is , thanks.





Note:If you are wonder why I was linking with /INCREMENTAL, I use VSNET as my IDE and /INCREMENTAL is selected by default.
Posted on 2003-03-15 04:49:06 by ThoughtCriminal
E8 calls aren't possible due to the nature of the PE import table. The arrays of FirstThunk's for each DLL which are part of the import table will at load time be replaced by the function addresses. There's no way to automatically adjust all the E8 calls in your program to the new addresses. The includes Hutch is talking about will create indirect FF calls.

Thomas
Posted on 2003-03-15 06:29:25 by Thomas
Thanks Thomas.

I would have been very surprised if Hutch got it to generate E8 calls for the very reasons you gave :grin:

But Hutch sometimes does surprising things.


I doing the same thing as Hutch, but by my own method.
Posted on 2003-03-15 07:10:47 by ThoughtCriminal
I have probably used the term in a different manner, if yo use the EXTERNDEF format include files that are made with L2EXTIA.EXE, you get the call inline in the code, not as a jump to the table at the end of the EXE file. Protected mode addressing does not allow absolute addressing so you will not find that mnemonic in 32 bit windows code in ring3.

Regards,

hutch@movsd.com
Posted on 2003-03-15 18:11:47 by hutch--