I'm writing a program that only uses a data section because I modify the code at run time.

Interestingly, with no code section, the loader put the imports at the start of the exe. Just like a real exe:

code - imports - data.

Now this is what's weird for me....

Usually the imports get loaded alphabetically, A's at the lowest address. In my exe it is kinda random for some reason.


__imp__CreateFileA@28:
00401000 0F C1 E6 xadd esi,esp
00401003 77 db 77h
__imp__ExitProcess@4:
00401004 1C 68 sbb al,68h
00401006 E7 77 out 77h,eax
__imp__VirtualAlloc@16:
00401008 04 E7 add al,0E7h
0040100A E6 77 out 77h,al
__imp__Beep@8:
0040100C D1 D4 rcl esp,1
0040100E E5 77 in eax,77h
KERNEL32_NULL_THUNK_DATA:

So what determines the order?

My program patches the program code's API calls with no jump table. Being able to know the order loaded would help. Right now I have a workaround data structure that stores the address to modify and an index to what address the relative call should be patched to.

I found a low tech way to modify calls without having to scan the entire code.

Thanks.
Posted on 2003-12-27 02:10:26 by ThoughtCriminal
The import section is in no way required to be sorted (thus masm doesn't do this); only the export section is required to be sorted. (If you really want a sorted import section, use fasm and construct it yourself; I have a macro around here somewhere that does just that for you.)
Posted on 2003-12-27 04:28:15 by Joshua
Thanks for the info. Too bad MASM does not allow that.

It does however give me the ability to specify which calls get optimized and which don't.

Does anyone know a good way to get the base of all the imports? (The highest address)

I'm doing this right now:

mov eax,_imp__Beep@8

Very implementation dependent.

I also got this question:


_DATA SEGMENT
align 16
MAPITEMNUM=2
MAPITEMSIZE=8
MAP label dword
MAPSIZE=MAPITEMSIZE*MAPITEMNUM
Beep_1 dd offset .1_Beep-1
TARGET label dword
dd 0
ExitProcess_1 dd offset .1_ExitProcess-1
dd 8

_DATA ENDS

I have 2 QWORD-size fields (conceptually). Is there any way to autosize MAPITEMNUM depending on how much data is in my segment? I think I should mess with $ now.

Thanks.
Posted on 2003-12-27 10:18:47 by ThoughtCriminal
Look for the IAT entry in the PE header directories.
Posted on 2003-12-28 13:05:46 by Joshua
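
The directory lookup that the last reply points to, as an added example (not code from the thread): a C routine that reads `DataDirectory[12]` (`IMAGE_DIRECTORY_ENTRY_IAT`) from a PE32 header and returns the IAT's start address and byte size. The names `pe32_iat` and `make_sample` are hypothetical, and the sample header is constructed, with an assumed `ImageBase` of 0x00400000 and an assumed IAT size of 0x14 so the result lines up with the 00401000 listing above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIR_IAT 12                    /* IMAGE_DIRECTORY_ENTRY_IAT */
#define DIR_OFF (96 + 8 * DIR_IAT)    /* DataDirectory[12] inside IMAGE_OPTIONAL_HEADER32 */
static uint32_t rd16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Locate the IAT of a PE32 image. Returns 0 on success, -1 on malformed headers. */
int pe32_iat(const uint8_t *img, size_t len, uint32_t *va, uint32_t *size)
{
    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;            /* "MZ" */
    uint32_t nt = rd32(img + 0x3C);                               /* e_lfanew */
    if (nt > len || len - nt < 24 + 96) return -1;                /* PE sig + file header + fixed fields */
    if (rd32(img + nt) != 0x00004550) return -1;                  /* "PE\0\0" */
    const uint8_t *opt = img + nt + 24;                           /* optional header */
    if (rd16(opt) != 0x10B || rd32(opt + 92) <= DIR_IAT) return -1;  /* PE32 magic, NumberOfRvaAndSizes */
    if (rd16(img + nt + 20) < DIR_OFF + 8 || len - nt - 24 < DIR_OFF + 8) return -1;  /* SizeOfOptionalHeader */
    *va   = rd32(opt + 28) + rd32(opt + DIR_OFF);                 /* ImageBase + IAT RVA */
    *size = rd32(opt + DIR_OFF + 4);
    return 0;
}

/* Constructed sample (headers only); values chosen to mirror the listing in the thread. */
size_t make_sample(uint8_t *buf, size_t cap)
{
    const size_t nt = 0x80, total = nt + 24 + 224;
    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(buf, "MZ", 2); memcpy(buf + nt, "PE\0\0", 4);
    wr32(buf + 0x3C, (uint32_t)nt);           /* e_lfanew */
    buf[nt + 20] = 224;                       /* SizeOfOptionalHeader */
    uint8_t *opt = buf + nt + 24;
    opt[0] = 0x0B; opt[1] = 0x01;             /* Magic = PE32 */
    wr32(opt + 28, 0x00400000);               /* ImageBase (assumed default) */
    wr32(opt + 92, 16);                       /* NumberOfRvaAndSizes */
    wr32(opt + DIR_OFF, 0x1000); wr32(opt + DIR_OFF + 4, 0x14);  /* IAT RVA, size (assumed) */
    return total;
}

int main(void)
{
    uint8_t img[512]; uint32_t va = 0, size = 0;
    if (pe32_iat(img, make_sample(img, sizeof img), &va, &size) == 0)
        printf("IAT at %08X, %u bytes\n", (unsigned)va, (unsigned)size);
    return 0;
}
```

The same two fields can be read from a running image by starting at its load address instead of a file buffer, which avoids depending on the address of any one import symbol.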