I often hear talking of thunks .... expecially releated to pe files. What are thunks???

yaa
Posted on 2004-01-09 18:34:04 by yaa
hmm before I started studying PE files I had never heard of this word before.
a thunk isn't an address it is something that can be used to calculate an address such as a pointer to the IMAGE_IMPORT_BY_NAME. Literally any value that is intended to be used to calculate an address can be considered a thunk.
Posted on 2004-01-09 18:42:12 by ENF
I knew the word thunk related to the operation of converting between a segmented memory address space and a flat address space ... but when talking about pe files I don't see how this could get in ...


yaa
Posted on 2004-01-09 19:10:37 by yaa

I often hear talking of thunks .... expecially releated to pe files. What are thunks???

yaa


Technically, a "thunk" is a piece of code to execute and its execution environment, all encasulated into one object. The term existed *long* before Microsoft and PE files. Thunks were used, for example, to pass objects by name in Algol-68 and other languages (HLA, for example, supports these types of thunks).

From the Microsoft point of view, the "execution environment" includes 16-bit vs. 32-bit segmentation models.

Think of a thunk as a pointer to a procedure along with some extra information to set up memory management when that procedure gets called. (e.g., in HLA, thunks contain a pointer to some code to execute and a pointer to an activation record containing that procedure's variables).

You can read more about HLA's thunks (which use the generic definition) here:
http://webster.cs.ucr.edu/Page_AoAWin/PDFs/Thunks.pdf

Check out MSDN for those things that Microsoft calls thunks.
Cheers,
Randy Hyde
Posted on 2004-01-09 21:07:02 by rhyde
It is also the sound my head makes when you pop it with your thumb and mid-finger.
Posted on 2004-01-10 01:52:27 by drarem
Randall Hyde,

he wanted to know what are Thunk in the PE Header: OriginalFirstThunk / FirstThunk ;)
Posted on 2004-01-10 02:37:48 by wizzra
I've seen articles talk of thunk even to indicate the jump table that some compilers generate to call API functions.

In 32-bit environments, the linker generates a thunk of which it does know the address. The thunk looks like:

0x40000000: jmp DWORD PTR __imp_func1

Here __imp_func1 is the address for func1's slot in the import address table of the .EXE file. All the addresses are thus known to the linker. The loader only has to update the .EXE file's import address table at load time for everything to work correctly.

Therefore, using __declspec(dllimport) is better because if the linker does not generate a thunk if it is not required


Still, I can't understand what the word thunk means also in relation to its use in the description of the pe format.

yaa
Posted on 2004-01-10 05:21:29 by yaa
Do take a look at iczelion's tutorials on PE. hmm or more specifically this http://spiff.tripnet.se/~iczelion/pe-tut6.html
Posted on 2004-01-10 05:39:47 by roticv

Randall Hyde,

he wanted to know what are Thunk in the PE Header: OriginalFirstThunk / FirstThunk ;)


Hence the last line in my post.
However, I *really* hate to see people thinking that Microsoft's definition is *the* definition of a thunk, hence my post.

Just a bit of enlightenment.
Cheers,
Randy Hyde
Posted on 2004-01-10 17:10:42 by rhyde