Hi
I'm playing around with the Import Address Table and I found a strange behavior of GetProcAddress. When I receive the address of an API function (for example MessageBoxA) using GetProcAddress, it differs from the address stored in my IAT. OllyDbg calls the one from the IAT "USER32.MessageBoxA", the other one "Thunk to USER32.MessageBoxA". What's the difference between these addresses, and what do I have to keep in mind when using them?
Thanks in advance and sorry for my bad English.
Afaik, the thunks are RVAs to the original APIs' offsets. (APIs that are filled with the correct address by the PE loader when the application is loaded.)
I don't think so, because the thunk was returned by GetProcAddress, and I took the value from the IAT from memory after the file was loaded. And I can call both addresses with the same (correct) result; I think that wouldn't be so if one of them were an RVA.
When you import code from a DLL, your call to MessageBox will actually be this:
call MessageBox_thunk
MessageBox_thunk:
jmp dword ptr [imp_messagebox]
The imp_messagebox is the address of the MessageBox function in user32.dll, fixed up by the PE loader (note that on NT, DLLs can forward exports to other DLLs, so kernel32.heapalloc is ntdll.ntallocheap - or whatever).
GetProcAddress gets the address of the function, not a thunk.
OriginalFirstThunk
An RVA (32 bit) pointing to a 0-terminated array of RVAs to
IMAGE_THUNK_DATAs, each describing one imported function. The
array will never change.
FirstThunk
An RVA (32 bit) to a 0-terminated array of RVAs to
IMAGE_THUNK_DATAs, each describing one imported function. The
array is part of the import address table and will change.
You are right, f0dder:
On NT systems, kernel32 forwards the HeapAlloc function to ntdll:
(a little research with the dumppe utility)
HeapAlloc (forwarded to NTDLL.RtlAllocateHeap)
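As an added example (not code from this thread), here is a small Python model of the OriginalFirstThunk/FirstThunk arrays quoted above and of what the loader does to them: the import data is constructed inline as a flat image where RVA equals file offset (an assumption for simplicity), the addresses in FAKE_EXPORTS are made up, and fake_getprocaddress stands in for GetProcAddress. Before loading both arrays hold RVAs to IMAGE_IMPORT_BY_NAME entries; after loading the IAT holds the functions' addresses while the INT is unchanged, and comparing each IAT slot against the resolver is the same check a defender uses to spot a patched IAT.

```python
import struct

# Constructed 32-bit import data: one IMAGE_IMPORT_DESCRIPTOR for USER32.dll,
# followed by a zero descriptor. Assumption: RVA == offset in this flat image.
IMAGE = bytearray(0x400)
def _put(off, data): IMAGE[off:off + len(data)] = data
# Descriptor: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
_put(0x000, struct.pack("<5I", 0x100, 0, 0, 0x300, 0x180))
_put(0x100, struct.pack("<3I", 0x200, 0x210, 0))          # INT: never changes
_put(0x180, struct.pack("<3I", 0x200, 0x210, 0))          # IAT: loader overwrites
_put(0x200, struct.pack("<H", 0x1A3) + b"MessageBoxA\0")  # IMAGE_IMPORT_BY_NAME (Hint, Name)
_put(0x210, struct.pack("<H", 0x0F0) + b"GetDC\0")
_put(0x300, b"USER32.dll\0")

def cstr(image, rva):
    return image[rva:image.index(b"\0", rva)].decode("ascii")

def parse_imports(image, desc_rva=0):
    """Walk the descriptors; return [(dll, [names], OriginalFirstThunk, FirstThunk)]."""
    out = []
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<5I", image, desc_rva)
        if oft == 0 and ft == 0:
            break
        names, rva = [], oft
        while (thunk := struct.unpack_from("<I", image, rva)[0]) != 0:
            # An entry with the high bit set would be an import by ordinal; not used here.
            names.append(cstr(image, thunk + 2))  # skip the 2-byte Hint
            rva += 4
        out.append((cstr(image, name_rva), names, oft, ft))
        desc_rva += 20
    return out

def simulate_loader(image, resolve):
    """What the PE loader does: replace each IAT slot with the function's address."""
    for dll, names, _oft, ft in parse_imports(image):
        for i, name in enumerate(names):
            struct.pack_into("<I", image, ft + 4 * i, resolve(dll, name))

def read_thunks(image, rva, count):
    return list(struct.unpack_from(f"<{count}I", image, rva))

def iat_mismatches(image, resolve):
    """Imports whose IAT slot differs from what the resolver returns (IAT-patch check)."""
    bad = []
    for dll, names, _oft, ft in parse_imports(image):
        for i, name in enumerate(names):
            if struct.unpack_from("<I", image, ft + 4 * i)[0] != resolve(dll, name):
                bad.append(name)
    return bad

# Constructed stand-in for GetProcAddress; the addresses are made up.
FAKE_EXPORTS = {("USER32.dll", "MessageBoxA"): 0x77D5058A, ("USER32.dll", "GetDC"): 0x77D2C5E7}
def fake_getprocaddress(dll, name): return FAKE_EXPORTS[(dll, name)]
```

Calling simulate_loader(IMAGE, fake_getprocaddress) turns read_thunks(IMAGE, 0x180, 2) from the two RVAs into the two addresses while read_thunks(IMAGE, 0x100, 2) stays the same, and iat_mismatches goes from listing both names to an empty list.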