What I mean by change is: can I move the import to my own data structure? Like:
    _DATA SEGMENT
    _imp__VirtualAlloc@16 dword ? ;the linker or whatever puts the entry address in this variable
    _DATA ENDS
The linker always seems to put the imports after the exe in memory.
Thanks.
Well, you can't really change the offsets of the API calls; they are addresses in the jump table. You can examine the jump table entry, however:
    push MB_OK
    push NULL
    push OFFSET szText
    push NULL
    lea eax,MessageBox    ; eax = address of the jump table entry for MessageBox
    call eax              ; call through the register
Oh, I think I misunderstood. You can't do your own import table, the link executable adds these to the file. You would have to rewrite the linker to do that.
Ahhhh, I figured it out!!
    _DATA SEGMENT
    foo FOO<>
    __imp__VirtualAlloc@16:
    _DATA ENDS
It's interesting what happens here. My code starts at 0x401000. __imp__VirtualAlloc@16: is created at 0x402000, and foo is created at 0x403000. Apparently the linker will only allow imports in their own segment (section?).
Anyway, I was trying to find an easy way to call imported functions with call +index:
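    WAPI STRUC
    VirtualAlloc FCALL@16 PTR ?
    WAPI ENDS
    ASSUME ecx:ptr WAPI    ; the table pointer is loaded into ecx below, so the ASSUME names ecx
    _TEXT SEGMENT
    mainCRTStartup label dword
    lea ecx,_imp__VirtualAlloc@16        ; ecx = address of the first import slot
    invoke [ecx].VirtualAlloc,0,0,0,0    ; indirect call through the slot at [ecx]
    .
    .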
It looks like I can set the order of the imports, then using ASSUME, cast a structure to the top of the imports, then call by +name. Why? Just because and a little size optimization:
    00401003 8D 05 00 20 40 00 lea ecx,[__imp__VirtualAlloc@16 (402000h)]
    invoke [ecx].VirtualAlloc,0,0,0,0
    00401009 6A 00 push 0
    0040100B 6A 00 push 0
    0040100D 6A 00 push 0
    0040100F 6A 00 push 0
    00401011 FF 10 call dword ptr [ecx]
VS.
    invoke FCALL@16 PTR _imp__VirtualAlloc@16,0,0,0,0
    00401013 6A 00 push 0
    00401015 6A 00 push 0
    00401017 6A 00 push 0
    00401019 6A 00 push 0
    0040101B FF 15 00 20 40 00 call dword ptr [__imp__VirtualAlloc@16 (402000h)]
Yea. I built my own import table and saved 4 bytes per call.
I'm surprised that the import table went before the data section. I think it's usually the other way around.
The standard way produces smaller code (if I am not wrong) if you call the function more than once.
LOL. Almost sounds like you are making a joke.
I'm not a heavy optimizer. Just doing it this way for fun.
Something interesting, however. I'm not sure if this has any anti-RE value. I should make an exe and see if Olly can handle it.
If you declare the imports in a .data section, the imports go BEFORE your static data. I'm pretty sure it works the same for a .data? section. It's late, time to sleep soon.
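The placement discussed in the posts above (imports in a section of their own versus at the start of .data) can be checked from the analysis side by reading the PE headers and mapping the import directory and IAT to their sections. This is an added Python example, not code from any poster; the two header-only images and their section names are constructed for the demo.

```python
import struct
IMAGE_SCN_MEM_WRITE = 0x80000000
DIR_IMPORT, DIR_IAT = 1, 12  # data-directory indexes from the PE/COFF spec

def sections(pe):
    """Return (optional-header offset, [(name, rva, vsize, flags), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt, out = nt + 24, []
    for off in range(opt + opt_size, opt + opt_size + 40 * nsec, 40):
        name, vsize, rva, flags = struct.unpack_from("<8sII20xI", pe, off)
        out.append((name.rstrip(b"\0").decode(), rva, vsize, flags))
    return opt, out

def locate_imports(pe):
    """Map the import directory and the IAT to (section, offset, writable)."""
    opt, secs = sections(pe)
    dirs = opt + {0x10B: 96, 0x20B: 112}[struct.unpack_from("<H", pe, opt)[0]]
    count = struct.unpack_from("<I", pe, dirs - 4)[0]     # NumberOfRvaAndSizes
    found = {}
    for label, idx in (("import", DIR_IMPORT), ("iat", DIR_IAT)):
        rva, size = struct.unpack_from("<II", pe, dirs + 8 * idx) if idx < count else (0, 0)
        for name, start, vsize, flags in secs:
            if size and start <= rva < start + vsize:
                found[label] = (name, rva - start, bool(flags & IMAGE_SCN_MEM_WRITE))
    return found

def build_header(iat_rva, imp_rva, secs):
    """Constructed PE32 headers only (no section contents), for this demo."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_IMPORT, imp_rva, 40)
    struct.pack_into("<II", opt, 96 + 8 * DIR_IAT, iat_rva, 8)
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x102)
    hdrs = b"".join(struct.pack("<8sII20xI", n.encode(), vs, rva, fl) for n, rva, vs, fl in secs)
    return b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + hdrs

RX, RO, RW = 0x60000020, 0x40000040, 0xC0000040  # section characteristics
# Constructed layouts (names assumed): imports in their own section at RVA 0x2000, then imports leading .data
SEPARATE = build_header(0x2000, 0x2008, [(".text", 0x1000, 0x1000, RX), (".idata", 0x2000, 0x1000, RO), (".data", 0x3000, 0x1000, RW)])
IN_DATA = build_header(0x2000, 0x2008, [(".text", 0x1000, 0x1000, RX), (".data", 0x2000, 0x2000, RW)])

if __name__ == "__main__":
    print(locate_imports(SEPARATE), locate_imports(IN_DATA), sep="\n")
```

An IAT reported at offset 0 of a writable section named .data is the layout the last post describes, which makes it a simple triage signal for hand-arranged import tables.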
Try to use EliASM technology, macros iLEA (gives the address of the import field in the import dir of your PE) and iMOV (gives the contents (address of API) of the import field in the import dir of your PE); more in the flexible.txt file. Maybe it will bring you some inspiration :)