Is there a way to verify that imported functions have the correct address (not patched)? If I use LoadLibrary/GetProcAddress, would I always get the same address as when I import the function using the import section? Of course I could check this myself but I don't have any assemblers on this comp.
Posted on 2003-03-17 03:50:18 by gliptic
Is there a way to verify that imported functions have the correct address (not patched)?
Not really, especially as pretty much all modules are relocatable, so you can never absolutely guarantee what the "correct" address is.


If I use LoadLibrary/GetProcAddress, would I always get the same address as when I import the function using the import section?
Depends on how (and if) the function was patched. You can patch the imports, the exports, or use the trampoline method. Trampolining does not affect the current actual address of the function, or the calculated address in your IAT.


Of course I could check this myself but I don't have any assemblers on this comp.
That's ok, a little more reading would have found you the answer, and having your question answered here has probably saved you at least a couple of hours. Now you owe those couple of hours to me :grin:
Posted on 2003-03-17 05:58:35 by sluggy
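The checks implied by the answer above, as an added example that is not code from the thread: it compares the IAT slot with the export lookup, tests both against the module's load range, and looks for a redirect at the function entry. It is portable C over values already collected; on Windows they would come from the import table, GetProcAddress and the loaded module's range. All names and sample values are hypothetical and constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Bit flags: several patch styles can be present at once. */
enum { IAT_MISMATCH = 1, IAT_OUTSIDE = 2, EXPORT_OUTSIDE = 4, ENTRY_REDIRECT = 8 };

struct import_view {
    uintptr_t iat_value;     /* pointer stored in our import-table slot */
    uintptr_t export_value;  /* result of the GetProcAddress-style lookup */
    uintptr_t mod_base;      /* where the DLL is loaded in this process */
    size_t    mod_size;
    const uint8_t *entry;    /* first bytes at the resolved function */
    size_t    entry_len;
};

static int inside(const struct import_view *v, uintptr_t p) {
    return p >= v->mod_base && p - v->mod_base < v->mod_size;
}

/* Heuristic: x86 entry sequences that immediately leave the function. */
static int entry_redirects(const uint8_t *b, size_t n) {
    if (n >= 5 && b[0] == 0xE9) return 1;                  /* jmp rel32 */
    if (n >= 6 && b[0] == 0xFF && b[1] == 0x25) return 1;  /* jmp [mem] */
    if (n >= 6 && b[0] == 0x68 && b[5] == 0xC3) return 1;  /* push imm32; ret */
    return 0;
}

int check_import(const struct import_view *v) {
    int f = 0;
    if (v->iat_value != v->export_value)         f |= IAT_MISMATCH;
    if (!inside(v, v->iat_value))                f |= IAT_OUTSIDE;
    if (!inside(v, v->export_value))             f |= EXPORT_OUTSIDE;
    if (entry_redirects(v->entry, v->entry_len)) f |= ENTRY_REDIRECT;
    return f;
}

/* Constructed samples: DLL mapped at 0x10000000, size 0x20000. */
static const uint8_t plain[]  = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10}; /* normal prologue */
static const uint8_t hooked[] = {0xE9, 0x10, 0x20, 0x30, 0x40, 0x90}; /* jmp rel32; nop */

int demo_clean(void) {
    struct import_view v = {0x10001000, 0x10001000, 0x10000000, 0x20000, plain, sizeof plain};
    return check_import(&v);
}
int demo_iat_patch(void) {   /* only our IAT slot points elsewhere */
    struct import_view v = {0x00450000, 0x10001000, 0x10000000, 0x20000, plain, sizeof plain};
    return check_import(&v);
}
int demo_trampoline(void) {  /* both addresses agree, entry bytes rewritten */
    struct import_view v = {0x10001000, 0x10001000, 0x10000000, 0x20000, hooked, sizeof hooked};
    return check_import(&v);
}
```

The flags are leads, not verdicts: forwarded exports legitimately resolve into another module, and some unmodified functions begin with a jump.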
It's no use. Experienced computer hackers can and will break the protection, no matter how hard you try.
Posted on 2003-03-20 12:07:02 by Sephiroth3
Yeah yeah, but you can't blame a man for trying.
Posted on 2003-03-20 13:28:16 by gliptic